author | netblue30 <netblue30@protonmail.com> | 2022-12-21 19:44:42 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-12-21 19:44:42 -0500 |
commit | 43863f64cff5157a447c4e2f56ce4fcd9e8a3de8 (patch) | |
tree | 83446cfd97823c864a93ad50e9c0cb09b196d989 /src | |
parent | gpg: fix private-bin (#5550) (diff) | |
add netlock support in profile files
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 10 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 |
4 files changed, 16 insertions, 1 deletions
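--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -354,6 +354,7 @@ extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
 extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
+extern int arg_netlock; // netlocker
 
 typedef enum {
 DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus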
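Review bot: The trailing comment `// netlocker` on the new `arg_netlock` extern does not say what the flag controls, while the neighbouring `arg_*` declarations in this hunk each describe the behaviour they back. The man-page hunk in this same commit already supplies the wording, so mirror it here: `extern int arg_netlock; // netlock: generate a custom network filter and enable it`. That keeps the header self-describing for readers who do not have the man page open.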
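--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -158,6 +158,7 @@ int arg_dbus_log_system = 0;
 int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
+int arg_netlock = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1052,7 +1053,6 @@ int main(int argc, char **argv, char **envp) {
 int lockfd_directory = -1;
 int custom_profile = 0; // custom profile loaded
 int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
-int arg_netlock = 0;
 char **ptr;
 
 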
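--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -655,6 +655,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 return 0;
 }
+else if (strcmp(ptr, "netlock") == 0) {
+#ifdef HAVE_NETWORK
+if (checkcfg(CFG_NETWORK)) {
+arg_netlock = 1;
+}
+else
+warning_feature_disabled("networking");
+#endif
+return 0;
+}
 else if (strncmp(ptr, "netns ", 6) == 0) {
 #ifdef HAVE_NETWORK
 if (checkcfg(CFG_NETWORK)) {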
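Review bot: When `HAVE_NETWORK` is not defined, the new `netlock` branch drops straight to `return 0`, so a profile that asks for the network lock is accepted without any message and the sandbox starts without the filter the profile requested. The `netns` branch that follows has the same `#ifdef` shape, but `netlock` is a pure restriction, so a silent no-op here is more surprising than for a namespace option; consider an `#else` arm such as `#else` / `warning_feature_disabled("networking");` (assuming that helper is compiled in builds without networking — not visible here), or at minimum a comment on the `#endif` stating that the keyword is ignored in such builds. The `else` after the `checkcfg(CFG_NETWORK)` test is also the only unbraced branch in the new block; brace it to match the `if` it pairs with. `profile_check_line` begins before this hunk, so the rest of the function is not visible here.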
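--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -977,6 +977,10 @@ If a new network namespace is created, enabled default network filter.
 \fBnetfilter filename
 If a new network namespace is created, enabled the network filter in filename.
 
+.TP
+\fBnetlock
+Generate a custom network filter and enable it.
+
 
 .TP
 \fBnetmask address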