-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 1 | ||||
-rw-r--r-- | src/firejail/main.c | 2 | ||||
-rw-r--r-- | src/firejail/profile.c | 10 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 4 |
5 files changed, 17 insertions, 1 deletions
@@ -15,6 +15,7 @@ firejail (0.9.72rc1) baseline; urgency=low | |||
15 | highlighting for profiles) (#5502) | 15 | highlighting for profiles) (#5502) |
16 | * feature: add restrict-namespaces to (almost) all applicable profiles (#5440 | 16 | * feature: add restrict-namespaces to (almost) all applicable profiles (#5440 |
17 | #5537) | 17 | #5537) |
18 | * feature: add support for netlock in profile files | ||
18 | * modif: removed --cgroup= command (#5190 #5200) | 19 | * modif: removed --cgroup= command (#5190 #5200) |
19 | * modif: set --shell=none as the default (#5190) | 20 | * modif: set --shell=none as the default (#5190) |
20 | * modif: removed --shell= command (#5190 #5196 #5209) | 21 | * modif: removed --shell= command (#5190 #5196 #5209) |
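--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -354,6 +354,7 @@ extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
 extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
+extern int arg_netlock; // netlocker
 
 typedef enum {
 	DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus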
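Review bot: The comment on the new declaration, `// netlocker`, names neither the command-line option nor the profile keyword that sets the flag, while the neighbouring declarations each say what their flag means. Suggest `extern int arg_netlock; // --netlock / profile "netlock": generate a custom network filter and enable it`, which reuses the wording this commit adds to firejail-profile.txt. The flag is now written from profile.c as well as main.c, so a reader of the header has two producers to look for.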
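--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -158,6 +158,7 @@ int arg_dbus_log_system = 0;
 int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
+int arg_netlock = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -1052,7 +1053,6 @@ int main(int argc, char **argv, char **envp) {
 	int lockfd_directory = -1;
 	int custom_profile = 0; // custom profile loaded
 	int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
-	int arg_netlock = 0;
 	char **ptr;
 
 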
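--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -655,6 +655,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 		return 0;
 	}
+	else if (strcmp(ptr, "netlock") == 0) {
+#ifdef HAVE_NETWORK
+		if (checkcfg(CFG_NETWORK)) {
+			arg_netlock = 1;
+		}
+		else
+			warning_feature_disabled("networking");
+#endif
+		return 0;
+	}
 	else if (strncmp(ptr, "netns ", 6) == 0) {
 #ifdef HAVE_NETWORK
 		if (checkcfg(CFG_NETWORK)) {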
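Review bot: The new branch only sets the global `arg_netlock`; the code in main.c that acts on the flag is outside this diff, and the commit moves the variable from a main() local to file scope precisely so profile parsing can reach it, so it is worth confirming that the consumer in main.c runs after profile files are parsed — if it runs earlier, a profile `netlock` line is accepted here and silently never applied. A second, smaller point: with `HAVE_NETWORK` compiled out the handler returns 0 with no message, so a profile that relies on `netlock` for its network filter gets neither the filter nor a warning on such a build; that mirrors the `netns` handler below, but a `#else` with `warning_feature_disabled("networking");` would make the silent no-op visible if the network keywords are ever revisited together. `profile_check_line` starts before this hunk and continues past it.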
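--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -977,6 +977,10 @@ If a new network namespace is created, enabled default network filter.
 \fBnetfilter filename
 If a new network namespace is created, enabled the network filter in filename.
 
+.TP
+\fBnetlock
+Generate a custom network filter and enable it.
+
 
 .TP
 \fBnetmask address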