author | netblue <netblue@debian> | 2022-01-21 10:13:22 -0500 |
committer | netblue <netblue@debian> | 2022-01-21 10:13:22 -0500 |
commit | 39654d01661ea9310b9b886a572ee24b1e4c9cfb (patch) | |
tree | 88c9787f0cbb50e2c237ade62c89f8dccc5da9f2 /src | |
parent | allow apostrophe in whitelist/blacklist ( #4614) (diff) | |
adding netlink to --protocol list (#4605)
Diffstat (limited to 'src')
-rw-r--r-- | src/fseccomp/protocol.c | 4 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 2 |
3 files changed, 6 insertions, 3 deletions
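--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -58,6 +58,7 @@ static char *protocol[] = {
 	"netlink",
 	"packet",
 	"bluetooth",
+	"netlink",
 	NULL
 };
 
@@ -68,7 +69,8 @@ static struct sock_filter protocol_filter_command[] = {
 	WHITELIST(AF_INET6),
 	WHITELIST(AF_NETLINK),
 	WHITELIST(AF_PACKET),
-	WHITELIST(AF_BLUETOOTH)
+	WHITELIST(AF_BLUETOOTH),
+	WHITELIST(AF_NETLINK)
 };
 #endif
 // Note: protocol[] and protocol_filter_command are synchronized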
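Review bot: The added `"netlink"` at new line 61 and `WHITELIST(AF_NETLINK)` at new line 73 duplicate entries that both tables already carry at lines 58 and 70, so the effective seccomp filter is unchanged and the man pages now list netlink twice ("packet, bluetooth and netlink"). If #4605 reported that `--protocol=netlink` was not accepted, the cause is not a missing table entry and should be looked for in the code that matches a protocol name to its index, which lies outside this hunk. A duplicate is presumably harmless at runtime (a second BPF rule for the same AF value), but it is easy to misread given the "synchronized" note on line 76, so I would drop the two added lines and keep only the trailing-comma change on `WHITELIST(AF_BLUETOOTH),`. Both `protocol[]` and `protocol_filter_command[]` begin before the hunk.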
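--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -504,7 +504,8 @@ There is no root account (uid 0) defined in the namespace.
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, \fBbluetooth\fR and \fBnetlink\fR.
+Multiple protocol commands are allowed.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.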
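--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2167,7 +2167,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet, bluetooth and netlink. This option is not supported for i386 architecture.
 .br
 
 .br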