From abe50f280dccc8444e0209816365dfd853bf3c31 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 24 Feb 2016 09:03:11 -0500 Subject: ./configure --enable-network=restricted --- README | 3 +++ RELNOTES | 3 ++- configure | 12 ++++++++++++ configure.ac | 2 ++ test/compile/compile.sh | 22 +++++++++++++++++++++- 5 files changed, 40 insertions(+), 2 deletions(-) diff --git a/README b/README index 5f9215039..6da1775f0 100644 --- a/README +++ b/README @@ -18,6 +18,9 @@ License: GPL v2 Firejail Authors: netblue30 (netblue30@yahoo.com) +yumkam (https://github.com/yumkam) + - add compile-time option to restrict --net= to root only + - man page fixes Vasya Novikov (https://github.com/vn971) - Wesnoth profile mahdi1234 (https://github.com/mahdi1234) diff --git a/RELNOTES b/RELNOTES index 8c31cc973..41edfa0f1 100644 --- a/RELNOTES +++ b/RELNOTES @@ -5,10 +5,11 @@ firejail (0.9.39) baseline; urgency=low * added --nice option * addded mkdir profile command * --version also prints compile options + * added compile-time option to restrict --net= to root only * build rpm packages using "make rpms" * new profiles: lxterminal, Epiphany, cherrytree, Polari * bugfixes - -- netblue30 Tue, 8 Feb 2016 10:00:00 -0500 + -- netblue30 Wed, 24 Feb 2016 10:00:00 -0500 firejail (0.9.38) baseline; urgency=low * IPv6 support (--ip6 and --netfilter6) diff --git a/configure b/configure index 16c62e731..71f421ff4 100755 --- a/configure +++ b/configure @@ -1317,6 +1317,8 @@ Optional Features: --disable-chroot disable chroot --disable-bind disable bind --disable-network disable network + --enable-network=restricted + restrict --net= to root only --disable-userns disable user namespace --disable-x11 disable X11 support --enable-fatal-warnings -W -Wall -Werror 
@@ -3102,9 +3104,19 @@ if test "${enable_network+set}" = set; then : enableval=$enable_network; fi +# Check whether --enable-network was given. +if test "${enable_network+set}" = set; then : + enableval=$enable_network; +fi + if test "x$enable_network" != "xno"; then : HAVE_NETWORK="-DHAVE_NETWORK" + if test "x$enable_network" = "xrestricted"; then : + + HAVE_NETWORK="$HAVE_NETWORK -DHAVE_NETWORK_RESTRICTED" + +fi fi diff --git a/configure.ac b/configure.ac index 9b717d333..512159568 100644 --- a/configure.ac +++ b/configure.ac @@ -36,6 +36,8 @@ AS_IF([test "x$enable_bind" != "xno"], [ HAVE_NETWORK="" AC_ARG_ENABLE([network], AS_HELP_STRING([--disable-network], [disable network])) +AC_ARG_ENABLE([network], + AS_HELP_STRING([--enable-network=restricted], [ restrict --net= to root only])) AS_IF([test "x$enable_network" != "xno"], [ HAVE_NETWORK="-DHAVE_NETWORK" AS_IF([test "x$enable_network" = "xrestricted"], [ diff --git a/test/compile/compile.sh b/test/compile/compile.sh index d191b4d2b..40d37a990 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh @@ -7,6 +7,7 @@ arr[4]="TEST 4: compile bind disabled" arr[5]="TEST 5: compile user namespace disabled" arr[6]="TEST 6: compile network disabled" arr[7]="TEST 7: compile X11 disabled" +arr[8]="TEST 8: compile network restricted" # remove previous reports and output file @@ -153,7 +154,7 @@ rm output-configure output-make # - disable X11 support # - check compilation #***************************************************************** -print_title "${arr[6]}" +print_title "${arr[7]}" # seccomp cd firejail make distclean 
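Review bot: The configure.ac hunk declares `AC_ARG_ENABLE([network], ...)` a second time, directly under the existing `AC_ARG_ENABLE([network], AS_HELP_STRING([--disable-network], [disable network]))`, only to add a help line; the regenerated configure hunk above shows the result, the `# Check whether --enable-network was given.` parsing block emitted twice. One declaration with a two-line help string gives the same `--help` output without the duplicate: `AC_ARG_ENABLE([network],` / `  [AS_HELP_STRING([--disable-network], [disable network])` / `   AS_HELP_STRING([--enable-network=restricted], [restrict --net= to root only])])`. The leading space in `[ restrict --net= to root only]` looks unintended and should go. Since the `AS_IF([test "x$enable_network" = "xrestricted"], [` branch is already in the context lines, a short comment next to the option saying that any value other than `no` or `restricted` is treated as plain `yes` would document the accepted values in the one place a packager reads.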
@@ -165,6 +166,24 @@ grep Error output-configure output-make >> ./report-test7 rm output-configure output-make +#***************************************************************** +# TEST 8 +#***************************************************************** +# - enable network restricted +# - check compilation +#***************************************************************** +print_title "${arr[8]}" +# seccomp +cd firejail +make distclean +./configure --prefix=/usr --enable-network=restricted --enable-fatal-warnings 2>&1 | tee ../output-configure +make -j4 2>&1 | tee ../output-make +cd .. +grep Warning output-configure output-make > ./report-test8 +grep Error output-configure output-make >> ./report-test8 +rm output-configure output-make + + #***************************************************************** # PRINT REPORTS #***************************************************************** @@ -186,3 +205,4 @@ echo ${arr[4]} echo ${arr[5]} echo ${arr[6]} echo ${arr[7]} +echo ${arr[8]} -- cgit v1.2.3-70-g09d2
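Review bot: The `# seccomp` comment inside the new TEST 8 block is a stale copy from an earlier test and does not describe what the block does; it should read `# network restricted` (or be dropped), mirroring the `--enable-network=restricted` flag passed two lines below. In the same block, `./configure ... 2>&1 | tee ../output-configure` and `make -j4 2>&1 | tee ../output-make` take their exit status from `tee`, so a configure or build failure is only noticed if its text happens to match the case-sensitive `grep Warning` / `grep Error` filters; if the compiler reports lowercase `error:`, as gcc does, the report stays empty. The `cd firejail` / `cd ..` pair is likewise unchecked, so a failed `cd` runs the rest of the block in the wrong directory. Adding `set -o pipefail` at the top of the script (outside this hunk) and `cd firejail || exit 1` would make the test fail loudly; the `print_title "${arr[6]}"` → `"${arr[7]}"` fix in the previous hunk shows the same copy-paste pattern, so a comment like `# keep the arr index in sync with the TEST number above` near `arr[8]=` would help the next addition.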