From 43863f64cff5157a447c4e2f56ce4fcd9e8a3de8 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 21 Dec 2022 19:44:42 -0500
Subject: add netlock support in profile files

---
 RELNOTES | 1 +
 src/firejail/firejail.h | 1 +
 src/firejail/main.c | 2 +-
 src/firejail/profile.c | 10 ++++++++++
 src/man/firejail-profile.txt | 4 ++++
 5 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/RELNOTES b/RELNOTES
index e11ffb3e4..4d01e9651 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -15,6 +15,7 @@ firejail (0.9.72rc1) baseline; urgency=low
 highlighting for profiles) (#5502)
 * feature: add restrict-namespaces to (almost) all applicable profiles
 (#5440 #5537)
+ * feature: add support for netlock in profile files
 * modif: removed --cgroup= command (#5190 #5200)
 * modif: set --shell=none as the default (#5190)
 * modif: removed --shell= command (#5190 #5196 #5209)
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 65907e8ee..776649131 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -354,6 +354,7 @@ extern int arg_noinput; // --noinput
 extern int arg_deterministic_exit_code; // always exit with first child's exit status
 extern int arg_deterministic_shutdown; // shut down the sandbox if first child dies
 extern int arg_keep_fd_all; // inherit all file descriptors to sandbox
+extern int arg_netlock; // netlocker
 
 typedef enum {
 DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1eda26f99..c95964503 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -158,6 +158,7 @@ int arg_dbus_log_system = 0;
 int arg_tab = 0;
 int login_shell = 0;
 int just_run_the_shell = 0;
+int arg_netlock = 0;
 
 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
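Review bot: The comment on the new declaration in the firejail.h hunk, `extern int arg_netlock; // netlocker`, names neither a flag nor a behaviour, unlike its neighbours (`// --noinput`, `// inherit all file descriptors to sandbox`), and "netlocker" is not a term used anywhere else in this patch. Suggest `extern int arg_netlock; // --netlock / profile keyword netlock: generate a custom network filter and enable it`, which reuses the wording of the man-page hunk. The main.c hunk on the same line defines the global as `int arg_netlock = 0;`, replacing the main() local removed in the next hunk; as a file-scope variable it is now set both by profile_check_line and, presumably, by the existing --netlock option handling in main() that this patch does not show, so the comment is also the natural place to say that both paths only ever raise it to 1.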
@@ -1052,7 +1053,6 @@ int main(int argc, char **argv, char **envp) {
 int lockfd_directory = -1;
 int custom_profile = 0; // custom profile loaded
 int arg_caps_cmdline = 0; // caps requested on command line (used to break out of --chroot)
-int arg_netlock = 0;
 char **ptr;
 
 
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 24964d40d..4e6ebdbca 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -652,6 +652,16 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 else
 warning_feature_disabled("networking");
+#endif
+ return 0;
+ }
+ else if (strcmp(ptr, "netlock") == 0) {
+#ifdef HAVE_NETWORK
+ if (checkcfg(CFG_NETWORK)) {
+ arg_netlock = 1;
+ }
+ else
+ warning_feature_disabled("networking");
 #endif
 return 0;
 }
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 7fa677ae5..5b16179ac 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -977,6 +977,10 @@ If a new network namespace is created, enabled default network filter.
 \fBnetfilter filename
 If a new network namespace is created, enabled the network filter in filename.
 
+.TP
+\fBnetlock
+Generate a custom network filter and enable it.
+
 .TP
 \fBnetmask address
-- 
cgit v1.2.3-54-g00ecf
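Review bot: In the profile.c hunk the new `netlock` branch silently accepts the keyword when firejail is built without HAVE_NETWORK: the `#ifdef` has no `#else`, so `return 0;` is reached with nothing set and no message, and a profile that asks for the network lockdown simply does not get it. That mirrors the `netfilter` branch directly above, but a restriction that is dropped without notice deserves at least a comment above the `#ifdef`, e.g. `// restriction keyword: without HAVE_NETWORK it is accepted but has no effect`, or a warning in an `#else` path if the project has a helper for compile-time disabled features. The `#ifdef HAVE_NETWORK` / `checkcfg(CFG_NETWORK)` / `warning_feature_disabled("networking")` scaffolding is now repeated verbatim for the second keyword in a row; a small static helper taking the flag to set would keep the two from drifting apart. Setting a global here also presumes the profile is parsed before main() acts on arg_netlock, which is outside this hunk and worth confirming. profile_check_line begins and ends outside the hunk.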