support for firetunnel utility

README.md

@@ -162,6 +162,24 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
               Example:
               $ firejail --private-cache
+
+       --tunnel[=devname]
+              Connect  the sandbox to a network overlay/VPN tunnel created by
+              firetunnel utility. This options tries first the client side of
+              the  tunnel. If this fails, it tries the server side. If multi‐
+              ple tunnels are active, please specify the tunnel device  using
+              --tunnel=devname.
+
+              The  available  tunnel  devices  are  listed in /etc/firetunnel
+              directory, one file for each device.   The  files  are  regular
+              firejail  profile  files  containing the network configuration,
+              and are created and managed by firetunnel utility.  By  default
+              ftc  is  the  client-side  device  and  fts  is the server-side
+              device. For more information please see man 1 firetunnel.
+
+              Example:
+              $ firejail --tunnel firefox
+
 `````
 
 ## New profiles

RELNOTES

@@ -10,6 +10,7 @@ firejail (0.9.56~rc1) baseline; urgency=low
   * support tap devices in --net option (tunneling support)
   * allow IP address configuration if the parent interface specified
      by --net is not configured (--netmask)
+  * support for firetunnel utility
   * disable U2F devices (--nou2f)
   * add --private-cache to support private ~/.cache
   * support full paths in private-lib

src/firejail/main.c

@@ -1447,6 +1447,32 @@ int main(int argc, char **argv) {
 				exit_err_feature("overlayfs");
 		}
 #endif
+		else if (strcmp(argv[i], "--tunnel") == 0) {
+			// try to connect to the default client side of the tunnel
+			// if this fails, try the default server side of the tunnel
+			if (access("/run/firetunnel/ftc", R_OK) == 0)
+				profile_read("/run/firetunnel/ftc");
+			else if (access("/run/firetunnel/fts", R_OK) == 0)
+				profile_read("/run/firetunnel/fts");
+			else {
+				fprintf(stderr, "Error: no default firetunnel found, please specify it using --tunnel=devname option\n");
+				exit(1);
+			}
+		}
+		else if (strncmp(argv[i], "--tunnel=", 9) == 0) {
+			char *fname;
+
+			if (asprintf(&fname, "/run/firetunnel/%s", argv[i] + 9) == -1)
+				errExit("asprintf");
+			invalid_filename(fname, 0); // no globbing
+			if (access(fname, R_OK) == 0)
+				profile_read(fname);
+			else {
+				fprintf(stderr, "Error: tunnel not found\n");
+				exit(1);
+			}
+		}
+
 		else if (strncmp(argv[i], "--profile=", 10) == 0) {
 			// multiple profile files are allowed!
 

src/firejail/usage.c

@@ -214,6 +214,8 @@ static char *usage_str =
 	"    --tracelog - add a syslog message for every access to files or\n"
 	"\tdirectories blacklisted by the security profile.\n"
 	"    --tree - print a tree of all sandboxed processes.\n"
+	"    --tunnel[=devname] - connect the sandbox to a tunnel created by\n"
+	"\tfiretunnel utility.\n"
 	"    --version - print program version and exit.\n"
 #ifdef HAVE_NETWORK
 	"    --veth-name=name - use this name for the interface connected to the bridge.\n"

src/man/firejail.txt

@@ -2129,6 +2129,26 @@ $ firejail \-\-tree
 .br
   11970:netblue:transmission-gtk
 
+.TP
+\fB\-\-tunnel[=devname]
+Connect the sandbox to a network overlay/VPN tunnel created by firetunnel utility. This options
+tries first the client side of the tunnel. If this fails, it tries the server side. If multiple tunnels are active,
+please specify the tunnel device using \-\-tunnel=devname.
+.br
+
+.br
+The available tunnel devices are listed in /etc/firetunnel directory, one file for each device.
+The files are regular firejail profile files containing the network configuration,
+and are created and managed by firetunnel utility.
+By default ftc is the client-side device and fts is the server-side device. For more information
+please see man 1 firetunnel.
+.br
+
+.br
+Example:
+.br
+$ firejail --tunnel firefox
+.br
 .TP
 \fB\-\-version
 Print program version and exit.