From 39654d01661ea9310b9b886a572ee24b1e4c9cfb Mon Sep 17 00:00:00 2001
From: netblue
Date: Fri, 21 Jan 2022 10:13:22 -0500
Subject: adding netlink to --protocol list (#4605)
---
 RELNOTES | 1 +
 src/fseccomp/protocol.c | 4 +++-
 src/man/firejail-profile.txt | 3 ++-
 src/man/firejail.txt | 2 +-
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/RELNOTES b/RELNOTES
index eefa77ad7..18ff04ba5 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -12,6 +12,7 @@ firejail (0.9.68rc1) baseline; urgency=low
 * build: firecfg.config is now installed to /etc/firejail/ (#4669)
 * removed --disable-whitelist at compile time
 * removed whitelist=yes/no in /etc/firejail/firejail.config
+ * added netlink to --protocol list (#4605)
 * new condition: ALLOW_TRAY (#4510 #4599)
 * remove (some) environment variables with auth-tokens (#4157)
 * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
diff --git a/src/fseccomp/protocol.c b/src/fseccomp/protocol.c
index 25742c173..b072f6ad6 100644
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@@ -58,6 +58,7 @@ static char *protocol[] = {
 "netlink",
 "packet",
 "bluetooth",
+ "netlink",
 NULL
 };
@@ -68,7 +69,8 @@ static struct sock_filter protocol_filter_command[] = {
 WHITELIST(AF_INET6),
 WHITELIST(AF_NETLINK),
 WHITELIST(AF_PACKET),
- WHITELIST(AF_BLUETOOTH)
+ WHITELIST(AF_BLUETOOTH),
+ WHITELIST(AF_NETLINK)
 };
 #endif
 // Note: protocol[] and protocol_filter_command are synchronized
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 5ce07c2ca..f4f157b9e 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
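Review bot: The `+ "netlink",` added to protocol[] duplicates the `"netlink",` entry already shown as context three lines above in the same hunk, and the second hunk of this file does the same by appending `WHITELIST(AF_NETLINK)` after the `WHITELIST(AF_NETLINK)` that protocol_filter_command already contains. The trailing comment in that hunk says the two arrays are kept synchronized, and the duplicated pair does keep them aligned, but neither line adds a protocol: the existing entries already name AF_NETLINK and, presumably (the WHITELIST macro is not visible here), already admit it in the seccomp filter. If #4605 reports that `netlink` is rejected, the cause is not a missing table entry and should be looked for elsewhere; otherwise both added lines, together with the matching "bluetooth and netlink" wording in the two man-page hunks of this commit, should be dropped. Both arrays begin above the hunk.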
@@ -504,7 +504,8 @@ There is no root account (uid 0) defined in the namespace.
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
 Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, \fBbluetooth\fR and \fBnetlink\fR.
+Multiple protocol commands are allowed.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 9e3bce643..385e8af28 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2167,7 +2167,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet, bluetooth and netlink. This option is not supported for i386 architecture.
 .br
 .br
--
cgit v1.2.3-70-g09d2