manpages: network configuration

netblue30 · Sep 30, 2020 · 2e914f0 · 2e914f0
1 parent a199fa3
commit 2e914f0
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 26 deletions.
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
@@ -159,6 +159,7 @@ int main(int argc, char **argv) {
  arg_list = 1;
  else if (strcmp(argv[i], "--tree") == 0)
  arg_tree = 1;
+#ifdef HAVE_NETWORK
  else if (strcmp(argv[i], "--netstats") == 0) {
  struct stat s;
  if (getuid() != 0 && stat("/proc/sys/kernel/grsecurity", &s) == 0) {
@@ -167,7 +168,7 @@ int main(int argc, char **argv) {
  }
  arg_netstats = 1;
  }
-
+#endif
 
  // cumulative options with or without a pid argument
  else if (strcmp(argv[i], "--x11") == 0)
@@ -187,10 +188,12 @@ int main(int argc, char **argv) {
  }
  arg_interface = 1;
  }
+#ifdef HAVE_NETWORK
  else if (strcmp(argv[i], "--route") == 0)
  arg_route = 1;
  else if (strcmp(argv[i], "--arp") == 0)
  arg_arp = 1;
+#endif
  else if (strcmp(argv[i], "--apparmor") == 0)
  arg_apparmor = 1;
 

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
@@ -150,9 +150,10 @@ Example: "nowhitelist ~/.config"
 Ignore command.
 
 Example: "ignore seccomp"
+#ifdef HAVE_NETWORK
 .br
 Example: "ignore net eth0"
-
+#endif
 .TP
 \fBquiet
 Disable Firejail's output. This should be the first uncommented command in the profile file.
@@ -671,6 +672,7 @@ Disable video devices.
 Run the program directly, without a shell.
 
 
+#ifdef HAVE_NETWORK
 .SH Networking
 Networking features available in profile files.
 
@@ -863,7 +865,7 @@ a default gateway address also have to be added.
 \fBveth-name name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
 instead of the default one.
-
+#endif
 .SH Other
 .TP
 \fBdeterministic-exit-code

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
@@ -20,12 +20,14 @@ File transfer from an existing sandbox
 firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename
 .RE
 .PP
+#ifdef HAVE_NETWORK
 Network traffic shaping for an existing sandbox:
 .PP
 .RS
 firejail \-\-bandwidth={name|pid} bandwidth-command
 .RE
 .PP
+#endif
 Monitoring:
 .PP
 .RS
@@ -647,7 +649,7 @@ Debug whitelisting.
 Example:
 .br
 $ firejail \-\-debug-whitelists firefox
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-defaultgw=address
 Use this address as default gateway in the new network namespace.
@@ -657,7 +659,7 @@ Use this address as default gateway in the new network namespace.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
-
+#endif
 .TP
 \fB\-\-disable-mnt
 Blacklist /mnt, /media, /run/mount and /run/media access.
@@ -778,8 +780,12 @@ Ignore command in profile file.
 Example:
 .br
 $ firejail \-\-ignore=shell --ignore=seccomp firefox
+#ifdef HAVE_NETWORK
 .br
 $ firejail \-\-ignore="net eth0" firefox
+#endif
+
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-interface=interface
 Move interface in a new network namespace. Up to four --interface options can be specified.
@@ -901,6 +907,7 @@ for sandboxes started as root.
 Example:
 .br
 $ firejail \-\-ipc-namespace firefox
+#endif
 .TP
 \fB\-\-join=name|pid
 Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
@@ -932,7 +939,7 @@ $ firejail \-\-join=3272
 Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
 If a program is specified, the program is run in the sandbox. This command is available only to root user.
 Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-join-network=name|pid
 Join the network namespace of the sandbox identified by name. By default a /bin/bash shell is started after joining the sandbox.
@@ -988,7 +995,7 @@ Switching to pid 1932, the first child process inside the sandbox
  inet6 fe80::7458:14ff:fe42:78e4/64 scope link
 .br
  valid_lft forever preferred_lft forever
-
+#endif
 .TP
 \fB\-\-join-or-start=name
 Join the sandbox identified by name or start a new one.
@@ -1027,17 +1034,19 @@ Example:
 $ firejail \-\-list
 .br
 7015:netblue:browser:firejail firefox
+#ifdef HAVE_NETWORK
 .br
 7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk
-.br
+#endif
 #ifdef HAVE_USERNS
+.br
 7064:netblue::firejail \-\-noroot xterm
 .br
 #endif
 .TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-mac=address
 Assign MAC addresses to the last network interface defined by a \-\-net option. This option
@@ -1048,7 +1057,7 @@ is not supported for wireless interfaces.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
-
+#endif
 .TP
 \fB\-\-machine-id
 Spoof id number in /etc/machine-id file - a new random id is generated inside the sandbox.
@@ -1074,7 +1083,7 @@ kills it or log the attempt, see \-\-seccomp-error-action below) if necessary.
 Note: shmat is not implemented
 as a system call on some platforms including i386, and it cannot be
 handled by seccomp-bpf.
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-mtu=number
 Assign a MTU value to the last network interface defined by a \-\-net option.
@@ -1084,7 +1093,7 @@ Assign a MTU value to the last network interface defined by a \-\-net option.
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-mtu=1492
-
+#endif
 .TP
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
@@ -1109,7 +1118,7 @@ $ firejail --list
 .br
 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
 .br
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-net=bridge_interface
 Enable a new network namespace and connect it to this bridge interface.
@@ -1150,7 +1159,7 @@ Example:
 $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
 .br
 $ firejail \-\-net=wlan0 firefox
-
+#endif
 .TP
 \fB\-\-net=none
 Enable a new, unconnected network namespace. The only interface
@@ -1168,7 +1177,7 @@ $ firejail \-\-net=none vlc
 .br
 Note: \-\-net=none can crash the application on some platforms.
 In these cases, it can be replaced with \-\-protocol=unix.
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-net=tap_interface
 Enable a new network namespace and connect it
@@ -1282,9 +1291,6 @@ $ firejail --netfilter=/etc/firejail/nolocal.net \\
 .br
 --net=eth0 firefox
 
-
-
-
 .TP
 \fB\-\-netfilter=filename,arg1,arg2,arg3 ...
 This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script
@@ -1298,8 +1304,6 @@ $ firejail --net=eth0 --ip=192.168.1.105 \\
 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
 .br
 
-
-
 .TP
 \fB\-\-netfilter.print=name|pid
 Print the firewall installed in the sandbox specified by name or PID. Example:
@@ -1363,7 +1367,7 @@ PID User RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission
-
+#endif
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
@@ -2066,7 +2070,7 @@ Remove environment variable in the new sandbox.
 Example:
 .br
 $ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS
-
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-scan
 ARP-scan all the networks from inside a network namespace.
@@ -2077,6 +2081,7 @@ This makes it possible to detect macvlan kernel device drivers running on the cu
 Example:
 .br
 $ firejail \-\-net=eth0 \-\-scan
+#endif
 .TP
 \fB\-\-seccomp
 Enable seccomp filter and blacklist the syscalls in the default list,
@@ -2556,8 +2561,10 @@ $ firejail \-\-tree
  11904:netblue:iceweasel
 .br
  11957:netblue:/usr/lib/iceweasel/plugin-container
+#ifdef HAVE_NETWORK
 .br
 11969:netblue:firejail \-\-net=eth0 transmission-gtk
+#endif
 .br
  11970:netblue:transmission-gtk
 
@@ -2609,6 +2616,7 @@ Compile time support:
  - user namespace support is enabled
  - X11 sandboxing support is enabled
 .br
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-veth-name=name
 Use this name for the interface connected to the bridge for --net=bridge_interface commands,
@@ -2619,7 +2627,7 @@ instead of the default one.
 Example:
 .br
 $ firejail \-\-net=br0 --veth-name=if0
-
+#endif
 .TP
 \fB\-\-whitelist=dirname_or_filename
 Whitelist directory or file. A temporary file system is mounted on the top directory, and the
@@ -2987,6 +2995,7 @@ Start Firefox with a new, empty home directory.
 .TP
 \f\firejail --net=none vlc
 Start VLC in an unconnected network namespace.
+#ifdef HAVE_NETWORK
 .TP
 \f\firejail \-\-net=eth0 firefox
 Start Firefox in a new network namespace. An IP address is
@@ -2996,6 +3005,7 @@ assigned automatically.
 Start a /bin/bash session in a new network namespace and connect it
 to br0, br1, and br2 host bridge devices. IP addresses are assigned
 automatically for the interfaces connected to br1 and b2
+#endif
 .TP
 \f\firejail \-\-list
 List all sandboxed processes.
@@ -3115,7 +3125,6 @@ sandboxes.
 
 Option \-\-netstats prints network statistics for active sandboxes installing new network namespaces.
 
-
 Listed below are the available fields (columns) in alphabetical
 order for \-\-top and \-\-netstats options:
 
@@ -3233,7 +3242,7 @@ Child process initialized
 .RE
 
 See \fBman 5 firejail-profile\fR for profile file syntax information.
-
+#ifdef HAVE_NETWORK
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.
 Traffic shaping allows the user to increase network performance by controlling
@@ -3275,7 +3284,7 @@ Example:
  $ firejail \-\-bandwidth=mybrowser status
 .br
  $ firejail \-\-bandwidth=mybrowser clear eth0
-
+#endif
 .SH LICENSE
 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
 .PP

diff --git a/src/man/firemon.txt b/src/man/firemon.txt
@@ -12,9 +12,11 @@ can run this program.
 .TP
 \fB\-\-apparmor
 Print AppArmor confinement status for each sandbox.
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-arp
 Print ARP table for each sandbox.
+#endif
 .TP
 \fB\-\-caps
 Print capabilities configuration for each sandbox.
@@ -39,15 +41,19 @@ List all sandboxes.
 .TP
 \fB\-\-name=name
 Print information only about named sandbox.
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-netstats
 Monitor network statistics for sandboxes creating a new network namespace.
+#endif
 .TP
 \fB\-\-nowrap
 Enable line wrapping in terminals. By default the lines are trimmed.
+#ifdef HAVE_NETWORK
 .TP
 \fB\-\-route
 Print route table for each sandbox.
+#endif
 .TP
 \fB\-\-seccomp
 Print seccomp configuration for each sandbox.