From 99d9a32bfabe97a6eeeccb024a68feed331d8f74 Mon Sep 17 00:00:00 2001
From: The Fox in the Shell <KellerFuchs@hashbang.sh>
Date: Wed, 25 May 2016 15:51:26 +0200
Subject: Make `restricted-network` prevent use of netfilter

---
 src/firejail/main.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

(limited to 'src')

diff --git a/src/firejail/main.c b/src/firejail/main.c
index a540d468b..a2342843b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1675,6 +1675,18 @@ int main(int argc, char **argv) {
 
 #ifdef HAVE_NETWORK
 		else if (strcmp(argv[i], "--netfilter") == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+			// compile time restricted networking
+			if (getuid() != 0) {
+				fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+				exit(1);
+			}
+#endif
+			// run time restricted networking
+			if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+				fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+				exit(1);
+			}
 			if (checkcfg(CFG_NETWORK)) {
 				arg_netfilter = 1;
 			}
@@ -1685,6 +1697,18 @@ int main(int argc, char **argv) {
 		}
 
 		else if (strncmp(argv[i], "--netfilter=", 12) == 0) {
+#ifdef HAVE_NETWORK_RESTRICTED
+			// compile time restricted networking
+			if (getuid() != 0) {
+				fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+				exit(1);
+			}
+#endif
+			// run time restricted networking
+			if (checkcfg(CFG_RESTRICTED_NETWORK) && getuid() != 0) {
+				fprintf(stderr, "Error: --netfilter is only allowed for root\n");
+				exit(1);
+			}
 			if (checkcfg(CFG_NETWORK)) {
 				arg_netfilter = 1;
 				arg_netfilter_file = argv[i] + 12;
-- 
cgit v1.2.3-70-g09d2