From 45d5fe7c2aa0d6e08f19dc9eacd50314530958fd Mon Sep 17 00:00:00 2001
From: startx2017
Date: Thu, 26 Jul 2018 09:58:50 -0400
Subject: removed compile time --enable-network=restricted, --net=none allowed even if networking was disabled at compile time or at run time, fixed issue #2061
---
 RELNOTES | 3 +++
 configure | 12 ----------
 configure.ac | 5 ----
 src/firejail/checkcfg.c | 11 +++++----
 src/firejail/main.c | 61 ++++++++++---------------------------------
 src/firejail/profile.c | 37 ++++++++---------------------
 test/compile/compile.sh | 21 +----------------
 7 files changed, 32 insertions(+), 118 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index b1cf333dd..6af251850 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,9 @@
 firejail (0.9.55) baseline; urgency=low
 * work in progress
 * modif: removed CFG_CHROOT_DESKTOP configuration option
+ * modif: removed compile time --enable-network=restricted
+ * modif: --net=none allowed even if networking was disabled at compile
+ time or at run time
 * support wireless devices in --net option
 * support tap devices in --net option (tunneling support)
 * allow IP address configuration if the parent interface specified
diff --git a/configure b/configure
index 2a7efcb6f..b57720fd1 100755
--- a/configure
+++ b/configure
@@ -1356,8 +1356,6 @@ Optional Features:
 --disable-globalcfg if the global config file firejail.cfg is not present, continue the program using defaults --disable-network disable network - --enable-network=restricted - restrict --net= to root only --disable-userns disable user namespace --disable-x11 disable X11 sandboxing support --disable-file-transfer disable file transfer 
@@ -3660,19 +3658,9 @@ if test "${enable_network+set}" = set; then :
 enableval=$enable_network;
 fi
-# Check whether --enable-network was given.
-if test "${enable_network+set}" = set; then :
- enableval=$enable_network;
-fi
-
 if test "x$enable_network" != "xno"; then :
 HAVE_NETWORK="-DHAVE_NETWORK"
- if test "x$enable_network" = "xrestricted"; then :
-
- HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
-
-fi
 fi
diff --git a/configure.ac b/configure.ac
index c5243ed55..253749cd5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -102,13 +102,8 @@ AS_IF([test "x$enable_globalcfg" != "xno"], [
 HAVE_NETWORK=""
 AC_ARG_ENABLE([network],
 AS_HELP_STRING([--disable-network], [disable network]))
-AC_ARG_ENABLE([network],
- AS_HELP_STRING([--enable-network=restricted], [ restrict --net= to root only]))
 AS_IF([test "x$enable_network" != "xno"], [
 HAVE_NETWORK="-DHAVE_NETWORK"
- AS_IF([test "x$enable_network" = "xrestricted"], [
- HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED"
- ])
 AC_SUBST(HAVE_NETWORK)
 ])
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index 42ff31976..7483136f4 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -373,6 +373,13 @@ int checkcfg(int val) {
 initialized = 1;
 }
+
+ // merge CFG_RESTRICTED_NETWORK into CFG_NETWORK
+ if (val == CFG_NETWORK) {
+ if (cfg_val[CFG_RESTRICTED_NETWORK] && getuid() != 0)
+ return 0;
+ }
+
 return cfg_val[val];
 errout:
@@ -443,10 +450,6 @@ void print_compiletime_support(void) {
 #endif
 );
-#ifdef HAVE_NETWORK_RESTRICTED
- printf("\t- networking features are available only to root user\n");
-#endif
-
 printf("\t- overlayfs support is %s\n",
 #ifdef HAVE_OVERLAYFS
 "enabled"
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 8e4fc6f38..3e092a3cc 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
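Review bot: Folding CFG_RESTRICTED_NETWORK into checkcfg(CFG_NETWORK) in the first checkcfg.c hunk turns what an unprivileged user gets under `restricted-network yes` from a hard error into whatever the callers' disabled-networking path does: the `exit(1)` blocks removed from main.c (`--interface=`, `--net=`, both `--netfilter` forms) and from the profile.c `net ` branch are not replaced, and the removed `net none` block in profile.c shows that path is `warning_feature_disabled("networking")`. If the remaining callers follow that same pattern, a non-root `--net=eth0` or a profile `net eth0` now prints a warning and the sandbox runs with the host's network instead of being refused; that is a fail-open change the RELNOTES entry does not mention, so either state it there or keep a distinct error at the callers. The new check also reads `cfg_val[CFG_RESTRICTED_NETWORK]` directly and deserves a comment that spells out the contract, e.g. `// restricted-network: non-root callers see networking as disabled and take their feature-disabled path (a warning), not an error`. checkcfg's body starts and ends outside the hunk.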
@@ -1745,22 +1745,21 @@ int main(int argc, char **argv) {
 //*************************************
 // network
 //*************************************
+ else if (strcmp(argv[i], "--net=none") == 0) {
+ arg_nonetwork = 1;
+ cfg.bridge0.configured = 0;
+ cfg.bridge1.configured = 0;
+ cfg.bridge2.configured = 0;
+ cfg.bridge3.configured = 0;
+ cfg.interface0.configured = 0;
+ cfg.interface1.configured = 0;
+ cfg.interface2.configured = 0;
+ cfg.interface3.configured = 0;
+ continue;
+ }
 #ifdef HAVE_NETWORK
 else if (strncmp(argv[i], "--interface=", 12) == 0) {
 if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
- // compile time restricted networking
- if (getuid() != 0) {
- fprintf(stderr, "Error: --interface is allowed only to root user\n");
- exit(1);
- }
-#endif
- // run time restricted networking
- if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
- fprintf(stderr, "Error: --interface is allowed only to root user\n");
- exit(1);
- }
-
 // checks
 if (arg_nonetwork) {
 fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
@@ -1818,18 +1817,6 @@ int main(int argc, char **argv) {
 continue;
 }
-#ifdef HAVE_NETWORK_RESTRICTED
- // compile time restricted networking
- if (getuid() != 0) {
- fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
- exit(1);
- }
-#endif
- // run time restricted networking
- if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
- fprintf(stderr, "Error: only --net=none is allowed to non-root users\n");
- exit(1);
- }
 if (strcmp(argv[i] + 6, "lo") == 0) {
 fprintf(stderr, "Error: cannot attach to lo device\n");
 exit(1); 
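Review bot: The `continue; }` context at the top of the second hunk (@@ -1818) looks like the tail of the old `none` branch inside the `--net=` handler; with the exact-match `--net=none` branch added in the first hunk now tested earlier in the chain, that branch would no longer be reachable and should be deleted rather than left as dead code (both handlers start and end outside these hunks, so please confirm). The new `--net=none` handler sits before the `#ifdef HAVE_NETWORK` that guards `--interface=` and skips checkcfg(CFG_NETWORK), so it is accepted on a `--disable-network` build; whether it then has any effect depends on the code that consumes arg_nonetwork, which is not in this diff — if that consumer is itself under `#ifdef HAVE_NETWORK`, the option is accepted but silently does nothing, the opposite of what the RELNOTES entry promises. A comment on the new branch would pin the intent for the next reader: `// --net=none must work even when networking is compiled out or disabled in firejail.cfg (issue #2061); keep it outside HAVE_NETWORK and checkcfg`. The same eight `cfg.*.configured = 0;` resets appear verbatim in the profile.c hunk; a shared helper would keep the two paths from drifting.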
@@ -2072,18 +2059,6 @@ int main(int argc, char **argv) {
 #ifdef HAVE_NETWORK
 else if (strcmp(argv[i], "--netfilter") == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
- // compile time restricted networking
- if (getuid() != 0) {
- fprintf(stderr, "Error: --netfilter is only allowed for root\n");
- exit(1);
- }
-#endif
- // run time restricted networking
- if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
- fprintf(stderr, "Error: --netfilter is only allowed for root\n");
- exit(1);
- }
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 }
@@ -2092,18 +2067,6 @@ int main(int argc, char **argv) {
 }
 else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
-#ifdef HAVE_NETWORK_RESTRICTED
- // compile time restricted networking
- if (getuid() != 0) {
- fprintf(stderr, "Error: --netfilter is only allowed for root\n");
- exit(1);
- }
-#endif
- // run time restricted networking
- if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
- fprintf(stderr, "Error: --netfilter is only allowed for root\n");
- exit(1);
- }
 if (checkcfg(CFG_NETWORK)) {
 arg_netfilter = 1;
 arg_netfilter_file = argv[i] + 12;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 425f8f5c9..4b2fb3abd 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -307,39 +307,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "net none") == 0) {
-#ifdef HAVE_NETWORK
- if (checkcfg(CFG_NETWORK)) {
- arg_nonetwork = 1;
- cfg.bridge0.configured = 0;
- cfg.bridge1.configured = 0;
- cfg.bridge2.configured = 0;
- cfg.bridge3.configured = 0;
- cfg.interface0.configured = 0;
- cfg.interface1.configured = 0;
- cfg.interface2.configured = 0;
- cfg.interface3.configured = 0;
- }
- else
- warning_feature_disabled("networking");
-#endif
+ arg_nonetwork = 1;
+ cfg.bridge0.configured = 0;
+ cfg.bridge1.configured = 0;
+ cfg.bridge2.configured = 0;
+ cfg.bridge3.configured = 0;
+ cfg.interface0.configured = 0;
+ cfg.interface1.configured = 0;
+ cfg.interface2.configured = 0;
+ cfg.interface3.configured = 0;
 return 0;
 }
 else if (strncmp(ptr, "net ", 4) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {
-#ifdef HAVE_NETWORK_RESTRICTED
- // compile time restricted networking
- if (getuid() != 0) {
- fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
- exit(1);
- }
-#endif
- // run time restricted networking
- if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
- fprintf(stderr, "Error: only \"net none\" is allowed to non-root users\n");
- exit(1);
- }
-
 if (strcmp(ptr + 4, "lo") == 0) {
 fprintf(stderr, "Error: cannot attach to lo device\n");
 exit(1);
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 9b7d19057..9d35bbcde 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -7,7 +7,7 @@ arr[4]="TEST 4: compile bind disabled"
 arr[5]="TEST 5: compile user namespace disabled"
 arr[6]="TEST 6: compile network disabled"
 arr[7]="TEST 7: compile X11 disabled"
-arr[8]="TEST 8: compile network restricted"
+arr[8]="deprecated: TEST 8: compile network restricted"
 arr[9]="TEST 9: compile file transfer disabled"
 arr[10]="TEST 10: compile disable whitelist"
 arr[11]="TEST 11: compile disable global config" 
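Review bot: The nine added lines in the `net none` branch (`arg_nonetwork = 1;` plus the eight `cfg.*.configured = 0;` stores) are a verbatim copy of the block this commit adds to main.c for `--net=none`, so a bridge or interface slot added later in one place will be missed in the other and the two "no network" paths will quietly diverge. Moving those nine lines into one helper (declared in the project's common header next to arg_nonetwork; name is a placeholder) and calling it from both sites, `net_none_reset(); return 0;`, removes that risk without changing behaviour. Since the branch now runs without the old `#ifdef HAVE_NETWORK` / checkcfg guard, a one-line comment such as `// "net none" is honoured even when networking is compiled out or disabled (issue #2061)` would keep a future cleanup from re-adding the guard. profile_check_line starts and ends outside the hunk.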
@@ -181,25 +181,6 @@ cp output-make om7
 rm output-configure output-make
-#*****************************************************************
-# TEST 8
-#*****************************************************************
-# - enable network restricted
-#*****************************************************************
-print_title "${arr[8]}"
-# seccomp
-cd firejail
-make distclean
-./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure
-make -j4 2>&1 | tee ../output-make
-cd ..
-grep Warning output-configure output-make > ./report-test8
-grep Error output-configure output-make >> ./report-test8
-cp output-configure oc8
-cp output-make om8
-rm output-configure output-make
-
-
 #*****************************************************************
 # TEST 9
 #*****************************************************************
-- cgit v1.2.3-70-g09d2