From 20b920a46ef099a269cd06276f89e016a158b9ec Mon Sep 17 00:00:00 2001 From: "Yuriy M. Kaminskiy" Date: Tue, 23 Feb 2016 17:11:27 +0300 Subject: man/firejail.txt: note you don't need --ip6= with SLAAC --- src/man/firejail.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/man/firejail.txt b/src/man/firejail.txt index c4f0dbd3e..681a105af 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt @@ -471,6 +471,8 @@ Example: .br $ firejail \-\-net=eth0 \-\-ip6=2001:0db8:0:f101::1/64 firefox +Note: you don't need this option if you obtain your ip6 address from router via SLAAC (your ip6 address and default route will be configured by kernel automatically). + .TP \fB\-\-iprange=address,address Assign an IP address in the provided range to the last network interface defined by a \-\-net option. A -- cgit v1.2.3-70-g09d2 From 4db1a65a0775ce3cc65febc41ac84f5cfc81a51c Mon Sep 17 00:00:00 2001 From: "Yuriy M. Kaminskiy" Date: Mon, 22 Feb 2016 02:15:45 +0300 Subject: Add compile-time option to restrict --net= to root only ./configure --enable-network=restricted allows only --net=none to non-root users. Other variants delegate too much power to non-root users and dangerous (it completely bypasses system-wide firewall and routing, it allows introducing arbitrary-chosen MAC and IP interfaces on LAN [disregarding DHCP policy], etc). Root already had power to twiddle with anything, so no sense to restrain her, and --net=none looks safe enough (and still useful) for ordinary users. --- configure.ac | 3 +++ src/firejail/main.c | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/configure.ac b/configure.ac index f9d0a3f65..f39b0d780 100644 --- a/configure.ac +++ b/configure.ac 
@@ -38,6 +38,9 @@ AC_ARG_ENABLE([network], AS_HELP_STRING([--disable-network], [disable network])) AS_IF([test "x$enable_network" != "xno"], [ HAVE_NETWORK="-DHAVE_NETWORK" + AS_IF([test "x$enable_network" = "xrestricted"], [ + HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" + ]) AC_SUBST(HAVE_NETWORK) ]) diff --git a/src/firejail/main.c b/src/firejail/main.c index 2a5ded984..be3dbd324 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1090,6 +1090,12 @@ int main(int argc, char **argv) { cfg.interface3.configured = 0; continue; } +#ifdef HAVE_NETWORK_RESTRICTED + if (getuid() != 0) { + fprintf(stderr, "Error: only --net=none is allowed to non-root users\n"); + exit(1); + } +#endif if (strcmp(argv[i] + 6, "lo") == 0) { fprintf(stderr, "Error: cannot attach to lo device\n"); exit(1); -- cgit v1.2.3-70-g09d2
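Review bot: Any value other than `no` or `restricted` still falls through to the plain `HAVE_NETWORK` build in this `AS_IF`, so a mistyped `--enable-network=restrict` silently produces a binary without the hardening. For a security switch it is safer to fail closed: accept only `yes`, `no`, `restricted` or unset, and otherwise stop with something like `AC_MSG_ERROR([invalid --enable-network value: $enable_network])`. The `AS_HELP_STRING` in the context lines still advertises only `--disable-network`, so `./configure --help` does not reveal the new mode. The help text should mention `--enable-network=restricted` and that it limits non-root users to `--net=none`.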
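Review bot: The `getuid() != 0` guard sits only in this `--net=` branch of the argument loop, so the restriction holds only if no other input path can configure an interface. The diffstat lists `main.c` as the only source file touched. If profile files or other options can also request a network device, they would still work for non-root users in a restricted build and need the same check, ideally through one shared helper; that code is not visible here, so this needs confirming. A short comment would also help the next reader: `/* real UID on purpose: in a setuid-root install geteuid() is 0 for every caller */`, assuming the binary is installed setuid, which the hunk does not show. `main()` starts and ends outside the hunk.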