support net none in profile files

3 files changed, 19 insertions, 0 deletions

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e9a2e55a3..86db82da0 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -128,6 +128,14 @@ int profile_check_line(char *ptr, int lineno) {
                 check_netfilter_file(arg_netfilter_file);
                 return 0;
         }
+        else if (strcmp(ptr, "net none") == 0) {
+                arg_nonetwork  = 1;
+                cfg.bridge0.configured = 0;
+                cfg.bridge1.configured = 0;
+                cfg.bridge2.configured = 0;
+                cfg.bridge3.configured = 0;
+                return 0;
+        }
         
         // seccomp drop list on top of default list
         if (strncmp(ptr, "seccomp ", 8) == 0) {
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 7be5304c1..58ba39b00 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -180,6 +180,13 @@ netfilter filename
 If a new network namespace is created, enabled the network filter in filename.
 
 .TP
+net none
+Enable  a new, unconnected network namespace. The only interface
+available in the new namespace is a new loopback interface (lo).
+Use  this  option  to deny network access to programs that don't
+really need network access.
+
+.TP
 dns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0b7ed1434..ffc698edd 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -97,6 +97,10 @@ Blacklist directory or file.
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
+.br
+$ firejail \-\-blacklist=~/.mozilla
+.br
+$ firejail "\-\-blacklist=My Virtual Machines"
 .TP
 \fB\-c
 Execute command and exit.