support net none in profile files

2026-05-21 06:45:29 -06:00 · 2015-08-22 07:21:50 -04:00 · 2015-08-22 07:21:50 -04:00 · 7f84ed7a38
commit 7f84ed7a38
parent 9d91a26a15
7 changed files with 57 additions and 2 deletions
--- a/5
+++ b/5
@ -5,8 +5,11 @@ firejail (0.9.29) baseline; urgency=low
  * added --private-etc option
  * support ${HOME} token in include directive in profile files
  * --private.keep is transitioned to --private-home
+  * support ~ and blanks in blacklist option
+  * support "net none" command in profile files
+  * added "net none" to Evince PDF viewer
  * bugfixes
- -- netblue30 <netblue30@yahoo.com>  Sat, 12 Aug 2015 20:25:00 -0500
+ -- netblue30 <netblue30@yahoo.com>  Sat, 22 Aug 2015 20:25:00 -0500

 firejail (0.9.28) baseline; urgency=low
  * network scanning, --scan option
--- a/etc/evince.profile
+++ b/etc/evince.profile
@ -5,5 +5,5 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-history.inc
 caps.drop all
 seccomp
-netfilter
+net none
 noroot
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@ -128,6 +128,14 @@ int profile_check_line(char *ptr, int lineno) {
 		check_netfilter_file(arg_netfilter_file);
 		return 0;
 	}
+	else if (strcmp(ptr, "net none") == 0) {
+		arg_nonetwork  = 1;
+		cfg.bridge0.configured = 0;
+		cfg.bridge1.configured = 0;
+		cfg.bridge2.configured = 0;
+		cfg.bridge3.configured = 0;
+		return 0;
+	}
 	
 	// seccomp drop list on top of default list
 	if (strncmp(ptr, "seccomp ", 8) == 0) {
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@ -179,6 +179,13 @@ If a new network namespace is created, enabled default network filter.
 netfilter filename
 If a new network namespace is created, enabled the network filter in filename.

+.TP
+net none
+Enable  a new, unconnected network namespace. The only interface
+available in the new namespace is a new loopback interface (lo).
+Use  this  option  to deny network access to programs that don't
+really need network access.
+
 .TP
 dns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -97,6 +97,10 @@ Blacklist directory or file.
 Example:
 .br
 $ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
+.br
+$ firejail \-\-blacklist=~/.mozilla
+.br
+$ firejail "\-\-blacklist=My Virtual Machines"
 .TP
 \fB\-c
 Execute command and exit.
--- a/test/net_none.exp
+++ b/test/net_none.exp
@ -4,6 +4,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000

+# options
 send -- "firejail --net=none\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
@ -30,7 +31,38 @@ expect {
 	"eth0" {puts "TESTING ERROR 2.1\n";exit}
 	"home"
 }
+send -- "exit\r"
+sleep 1
+send -- "exit\r"
 sleep 1

+# profile
+send -- "firejail --profile=net_none.profile\r"
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	"eth0" {puts "TESTING ERROR 3.1\n";exit}
+	"Child process initialized"
+}
+sleep 1
+
+# test default gw
+send -- "bash\r"
+sleep 1
+send -- "netstat -rn; pwd\r"
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"0.0.0.0" {puts "TESTING ERROR 4.1\n";exit}
+	"home"
+}
+sleep 1
+
+# check again devices
+send -- "cat /proc/1/net/dev;pwd\r"
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	"eth0" {puts "TESTING ERROR 5.1\n";exit}
+	"home"
+}
+sleep 1

 puts "\n"
--- a/test/net_none.profile
+++ b/test/net_none.profile
@ -0,0 +1 @@
+net none