add netlock support in profile files

author: netblue30 <netblue30@protonmail.com> 2022-12-21 19:44:42 -0500
committer: netblue30 <netblue30@protonmail.com> 2022-12-21 19:44:42 -0500
commit: 43863f64cff5157a447c4e2f56ce4fcd9e8a3de8 (patch)
tree: 83446cfd97823c864a93ad50e9c0cb09b196d989
parent: gpg: fix private-bin (#5550) (diff)
download: firejail-43863f64cff5157a447c4e2f56ce4fcd9e8a3de8.tar.gz
firejail-43863f64cff5157a447c4e2f56ce4fcd9e8a3de8.tar.zst
firejail-43863f64cff5157a447c4e2f56ce4fcd9e8a3de8.zip
5 files changed, 17 insertions, 1 deletions
diff --git a/RELNOTES b/RELNOTES
index e11ffb3e4..4d01e9651 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -15,6 +15,7 @@ firejail (0.9.72rc1) baseline; urgency=low
    highlighting for profiles) (#5502)
  * feature: add restrict-namespaces to (almost) all applicable profiles (#5440
    #5537)
+  * feature: add support for netlock in profile files
  * modif: removed --cgroup= command (#5190 #5200)
  * modif: set --shell=none as the default (#5190)
  * modif: removed --shell= command (#5190 #5196 #5209)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 65907e8ee..776649131 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -354,6 +354,7 @@ extern int arg_noinput;	// --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int arg_deterministic_shutdown;  // shut down the sandbox if first child dies
 extern int arg_keep_fd_all;     // inherit all file descriptors to sandbox
+extern int arg_netlock; // netlocker
 typedef enum {
        DBUS_POLICY_ALLOW,      // Allow unrestricted access to the bus
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1eda26f99..c95964503 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -158,6 +158,7 @@ int arg_dbus_log_system = 0;
 int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
+int arg_netlock = 0;
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1052,7 +1053,6 @@ int main(int argc, char **argv, char **envp) {
        int lockfd_directory = -1;
        int custom_profile = 0; // custom profile loaded
        int arg_caps_cmdline = 0;       // caps requested on command line (used to break out of --chroot)
-        int arg_netlock = 0;
        char **ptr;
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 24964d40d..4e6ebdbca 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -655,6 +655,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
                return 0;
        }
+        else if (strcmp(ptr, "netlock") == 0) {
+#ifdef HAVE_NETWORK
+                if (checkcfg(CFG_NETWORK)) {
+                        arg_netlock = 1;
+                }
+                else
+                        warning_feature_disabled("networking");
+#endif
+                return 0;
+        }
        else if (strncmp(ptr, "netns ", 6) == 0) {
 #ifdef HAVE_NETWORK
                if (checkcfg(CFG_NETWORK)) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 7fa677ae5..5b16179ac 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -977,6 +977,10 @@ If a new network namespace is created, enabled default network filter.
 \fBnetfilter filename
 If a new network namespace is created, enabled the network filter in filename.
+.TP
+\fBnetlock
+Generate a custom network filter and enable it.
 .TP
 \fBnetmask address
author	netblue30 <netblue30@protonmail.com>	2022-12-21 19:44:42 -0500
committer	netblue30 <netblue30@protonmail.com>	2022-12-21 19:44:42 -0500
commit	43863f64cff5157a447c4e2f56ce4fcd9e8a3de8 (patch)
tree	83446cfd97823c864a93ad50e9c0cb09b196d989
parent	gpg: fix private-bin (#5550) (diff)
download	firejail-43863f64cff5157a447c4e2f56ce4fcd9e8a3de8.tar.gz firejail-43863f64cff5157a447c4e2f56ce4fcd9e8a3de8.tar.zst firejail-43863f64cff5157a447c4e2f56ce4fcd9e8a3de8.zip