adding netlink to --protocol list (#4605)

2026-05-15 14:16:14 -06:00 · 2022-01-21 10:13:22 -05:00 · 2022-01-21 10:13:22 -05:00 · 39654d0166
commit 39654d0166
parent de879e88c9
4 changed files with 7 additions and 3 deletions
--- a/1
+++ b/1
@ -12,6 +12,7 @@ firejail (0.9.68rc1) baseline; urgency=low
  * build: firecfg.config is now installed to /etc/firejail/ (#4669)
  * removed --disable-whitelist at compile time
  * removed whitelist=yes/no in /etc/firejail/firejail.config
+  * added netlink to --protocol list (#4605)
  * new condition: ALLOW_TRAY (#4510 #4599)
  * remove (some) environment variables with auth-tokens (#4157)
  * new includes: whitelist-run-common.inc (#4288), disable-X11.inc (#4462)
--- a/src/fseccomp/protocol.c
+++ b/src/fseccomp/protocol.c
@ -58,6 +58,7 @@ static char *protocol[] = {
 	"netlink",
 	"packet",
 	"bluetooth",
+	"netlink",
 	NULL
 };

@ -68,7 +69,8 @@ static struct sock_filter protocol_filter_command[] = {
 	WHITELIST(AF_INET6),
 	WHITELIST(AF_NETLINK),
 	WHITELIST(AF_PACKET),
-	WHITELIST(AF_BLUETOOTH)
+	WHITELIST(AF_BLUETOOTH),
+	WHITELIST(AF_NETLINK)
 };
 #endif
 // Note: protocol[] and protocol_filter_command are synchronized
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@ -504,7 +504,8 @@ There is no root account (uid 0) defined in the namespace.
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
-\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR and \fBbluetooth\fR.
+\fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, \fBbluetooth\fR and \fBnetlink\fR.
+Multiple protocol commands are allowed.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -2167,7 +2167,7 @@ $ firejail \-\-profile.print=browser
 .TP
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
-Recognized values: unix, inet, inet6, netlink, packet and bluetooth. This option is not supported for i386 architecture.
+Recognized values: unix, inet, inet6, netlink, packet, bluetooth and netlink. This option is not supported for i386 architecture.
 .br

 .br