adding netlink to --protocol list (#4605)

author: netblue <netblue@debian> 2022-01-21 10:13:22 -0500
committer: netblue <netblue@debian> 2022-01-21 10:13:22 -0500
commit: 39654d01661ea9310b9b886a572ee24b1e4c9cfb (patch)
tree: 88c9787f0cbb50e2c237ade62c89f8dccc5da9f2
parent: allow apostrophe in whitelist/blacklist ( #4614) (diff)
download: firejail-39654d01661ea9310b9b886a572ee24b1e4c9cfb.tar.gz
firejail-39654d01661ea9310b9b886a572ee24b1e4c9cfb.tar.zst
firejail-39654d01661ea9310b9b886a572ee24b1e4c9cfb.zip
4 files changed, 7 insertions, 3 deletions
diff --git a/RELNOTES b/RELNOTES
index eefa77ad7..18ff04ba5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -12,6 +12,7 @@ firejail (0.9.68rc1) baseline; urgency=low
  * build: firecfg.config is now installed to /etc/firejail/ (#4669)
  * removed --disable-whitelist at compile time
  * removed whitelist=yes/no in /etc/firejail/firejail.config
+  * added netlink to --protocol list (#4605)
  * new condition: ALLOW_TRAY (#4510 #4599)
  * remove (some) environment variables with auth-tokens (#4157)
  * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 25742c173..b072f6ad6 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -58,6 +58,7 @@ static char *protocol[] = {
        "netlink",
        "packet",
        "bluetooth",
+        "netlink",
        NULL
 };
@@ -68,7 +69,8 @@ static struct sock_filter protocol_filter_command[] = {
        WHITELIST(AF_INET6),
        WHITELIST(AF_NETLINK),
        WHITELIST(AF_PACKET),
-        WHITELIST(AF_BLUETOOTH)
+        WHITELIST(AF_BLUETOOTH),
+        WHITELIST(AF_NETLINK)
 };
 #endif
 // Note: protocol[] and protocol_filter_command are synchronized
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5ce07c2ca..f4f157b9e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -504,7 +504,8 @@ There is no root account (uid 0) defined in the namespace.
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, \fBbluetooth\fR and \fBnetlink\fR.
+Multiple protocol commands are allowed.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 9e3bce643..385e8af28 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2167,7 +2167,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet, bluetooth and netlink. This option is not supported for i386 architecture.
 .br
 .br
author	netblue <netblue@debian>	2022-01-21 10:13:22 -0500
committer	netblue <netblue@debian>	2022-01-21 10:13:22 -0500
commit	39654d01661ea9310b9b886a572ee24b1e4c9cfb (patch)
tree	88c9787f0cbb50e2c237ade62c89f8dccc5da9f2
parent	allow apostrophe in whitelist/blacklist ( #4614) (diff)
download	firejail-39654d01661ea9310b9b886a572ee24b1e4c9cfb.tar.gz firejail-39654d01661ea9310b9b886a572ee24b1e4c9cfb.tar.zst firejail-39654d01661ea9310b9b886a572ee24b1e4c9cfb.zip