From 901f73ef75c0fb519242743815aed557d81b0dc2 Mon Sep 17 00:00:00 2001
From: avoidr
Date: Wed, 6 Apr 2016 22:18:11 +0200
Subject: profile.c: add --net
---
 src/firejail/profile.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
(limited to 'src')
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d2894d463..c3fb37558 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -228,6 +228,34 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 return 0;
 }
+ else if (strncmp(ptr, "net ", 4) == 0) {
+#ifdef HAVE_NETWORK
+ if (checkcfg(CFG_NETWORK)) {
+ if (strcmp(ptr + 4, "lo") == 0) {
+ fprintf(stderr, "Error: cannot attach to lo device\n");
+ exit(1);
+ }
+
+ Bridge *br;
+ if (cfg.bridge0.configured == 0)
+ br = &cfg.bridge0;
+ else if (cfg.bridge1.configured == 0)
+ br = &cfg.bridge1;
+ else if (cfg.bridge2.configured == 0)
+ br = &cfg.bridge2;
+ else if (cfg.bridge3.configured == 0)
+ br = &cfg.bridge3;
+ else {
+ fprintf(stderr, "Error: maximum 4 network devices are allowed\n");
+ exit(1);
+ }
+ net_configure_bridge(br, ptr + 4);
+ }
+ else
+ fprintf(stderr, "Warning: networking features are disabled in Firejail configuration file\n");
+#endif
+ return 0;
+ }
 if (strncmp(ptr, "protocol ", 9) == 0) {
 #ifdef HAVE_SECCOMP
-- cgit v1.2.3-54-g00ecf
From 8cbeea768037d6ec4dded7396734c9afdecadb0d Mon Sep 17 00:00:00 2001
From: avoidr
Date: Wed, 6 Apr 2016 23:22:04 +0200
Subject: firejail-profile.txt: add --net
---
 src/man/firejail-profile.txt | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b135ee615..ddfae5948 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
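Review bot: The interface name passed as `ptr + 4` to `net_configure_bridge(br, ptr + 4)` is used without checking that it is non-empty, so a profile line that is just `net ` followed by whitespace reaches the bridge setup with an empty name, and the same path would receive the literal string `none` unless `net none` is intercepted earlier in profile_check_line (the function starts before this hunk and continues after it, so that cannot be confirmed here); a guard before the lo check such as `if (*(ptr + 4) == '\0') { fprintf(stderr, "Error: missing interface name\n"); exit(1); }` makes the rejection explicit rather than relying on net_configure_bridge to validate its argument. Since this is a profile file driving privileged network setup, a comment on the block stating that the only validation done here is the `lo` and device-count checks and that name validation is expected from net_configure_bridge would help the next reader. The four-way `cfg.bridgeN.configured` selection presumably mirrors the command-line --net handling elsewhere; if so, a small shared helper would keep the maximum-device rule in one place. As a style point, the block is chained as `else if` onto the preceding `}` even though that branch already ends in `return 0;`, while the sibling `protocol ` check below is a standalone `if`; a standalone `if (strncmp(ptr, "net ", 4) == 0) {` would match the file's pattern.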
@@ -295,11 +295,31 @@ If a new network namespace is created, enabled default network filter.
 \fBnetfilter filename
 If a new network namespace is created, enabled the network filter in filename.
+.TP
+\fBnet bridge_interface
+Enable a new network namespace and connect it to this bridge interface.
+Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned
+automatically to the sandbox. The IP address is verified using ARP before assignment. The address
+configured as default gateway is the bridge device IP address. Up to four \-\-net
+bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
+
+.TP
+\fBnet ethernet_interface
+Enable a new network namespace and connect it
+to this ethernet interface using the standard Linux macvlan
+driver. Unless specified with option \-\-ip and \-\-defaultgw, an
+IP address and a default gateway will be assigned automatically
+to the sandbox. The IP address is verified using ARP before
+assignment. The address configured as default gateway is the
+default gateway of the host. Up to four \-\-net devices can
+be defined. Mixing bridge and macvlan devices is allowed.
+Note: wlan devices are not supported for this option.
+
 .TP
 \fBnet none
-Enable a new, unconnected network namespace. The only interface
+Enable a new, unconnected network namespace. The only interface
 available in the new namespace is a new loopback interface (lo).
-Use this option to deny network access to programs that don't
+Use this option to deny network access to programs that don't
 really need network access.
 .TP
-- cgit v1.2.3-54-g00ecf