From 419d876d9fef926e183c0b3bc0961a9abe9e7ba5 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 9 Sep 2018 13:04:32 -0400
Subject: support for firetunnel utility

---
 src/firejail/main.c | 26 ++++++++++++++++++++++++++
 src/firejail/usage.c | 2 ++
 src/man/firejail.txt | 20 ++++++++++++++++++++
 3 files changed, 48 insertions(+)
(limited to 'src')

diff --git a/src/firejail/main.c b/src/firejail/main.c
index fe9118580..da052320c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1447,6 +1447,32 @@ int main(int argc, char **argv) {
 exit_err_feature("overlayfs");
 }
 #endif
+ else if (strcmp(argv[i], "--tunnel") == 0) {
+ // try to connect to the default client side of the tunnel
+ // if this fails, try the default server side of the tunnel
+ if (access("/run/firetunnel/ftc", R_OK) == 0)
+ profile_read("/run/firetunnel/ftc");
+ else if (access("/run/firetunnel/fts", R_OK) == 0)
+ profile_read("/run/firetunnel/fts");
+ else {
+ fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
+ exit(1);
+ }
+ }
+ else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+ char *fname;
+
+ if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+ errExit("asprintf");
+ invalid_filename(fname, 0); // no globbing
+ if (access(fname, R_OK) == 0)
+ profile_read(fname);
+ else {
+ fprintf(stderr, "Error: tunnel not found\n");
+ exit(1);
+ }
+ }
+
+ else if (strncmp(argv[i], "--profile=", 10) == 0) {
 // multiple profile files are allowed!
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index c8866da3a..f54e6f744 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
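Review bot: The `--tunnel=` branch builds `/run/firetunnel/<devname>` straight from the argument, but nothing in the hunk rejects an empty name or one containing `/`; unless `invalid_filename()` (whose checks are not visible here) already covers those cases, `--tunnel=` resolves to the directory itself, for which `access(..., R_OK)` succeeds, and a name with slashes can reach files below `/run/firetunnel/` rather than the one-device-per-file layout the comment implies. I would add before the `asprintf`: `if (*(argv[i] + 9) == '\0' || strchr(argv[i] + 9, '/') != NULL) { fprintf(stderr, "Error: invalid tunnel device name\n"); exit(1); }`. Separately, the man-page hunk in this same commit documents the device files under `/etc/firetunnel` while both branches here read `/run/firetunnel`, so one of the two should be corrected. `fname` is never released after `profile_read(fname)`; a `free(fname);` after the call would keep the branch leak-free even though it is harmless in `main()`. The enclosing `main()` starts and ends outside the hunk.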
@@ -214,6 +214,8 @@ static char *usage_str =
 " --tracelog - add a syslog message for every access to files or\n"
 "\tdirectories blacklisted by the security profile.\n"
 " --tree - print a tree of all sandboxed processes.\n"
+ " --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+ "\tfiretunnel utility.\n"
 " --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
 " --veth-name=name - use this name for the interface connected to the bridge.\n"
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c09684596..4d24bdd7e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2129,6 +2129,26 @@ $ firejail \-\-tree
 .br
 11970:netblue:transmission-gtk
+.TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
 .TP
 \fB\-\-version
 Print program version and exit.
-- 
cgit v1.2.3-70-g09d2