From 56481386538977f006fd0579bb0acef9347a53cd Mon Sep 17 00:00:00 2001
From: netblue30 <netblue30@yahoo.com>
Date: Wed, 24 Feb 2016 11:08:08 -0500
Subject: allow --interface only to root user for --enable-network=restricted

---
 src/firejail/main.c | 9 +++++++++
 todo                | 1 +
 2 files changed, 10 insertions(+)

diff --git a/src/firejail/main.c b/src/firejail/main.c
index 3cbaf658e..5a8f564f4 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -249,6 +249,9 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 #ifndef HAVE_NETWORK
 		printf("Networking support is disabled.\n");
 #endif
+#ifdef HAVE_NETWORK_RESTRICTED
+		printf("Networking support is allowed only to root user.\n");
+#endif
 #ifndef HAVE_USERNS
 		printf("User namespace support is disabled.\n");
 #endif
@@ -1044,6 +1047,12 @@ int main(int argc, char **argv) {
 		//*************************************
 #ifdef HAVE_NETWORK	
 		else if (strncmp(argv[i], "--interface=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+			if (getuid() != 0) {
+				fprintf(stderr, "Error: --interface is allowed only to root user\n");
+				exit(1);
+			}
+#endif
 			// checks
 			if (arg_nonetwork) {
 				fprintf(stderr, "Error: --network=none and --interface are incompatible\n");
diff --git a/todo b/todo
index 662ca935b..438637d24 100644
--- a/todo
+++ b/todo
@@ -30,4 +30,5 @@ socat ABSTRACT-LISTEN:/tmp/dbus-awBoQTCc,fork UNIX-CONNECT:/tmp/mysock
 
 6. --shutdown does not clear sandboxes started with --join
 
+7. profile for okular
 
-- 
cgit v1.2.3-70-g09d2