github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4013] nixnote2: Could not create AF_NETLINK socket #2503

New issue
Closed
opened 2026-05-05 09:11:19 -06:00 by gitea-mirror · 9 comments
gitea-mirror commented 2026-05-05 09:11:19 -06:00
Owner
Copy link

Originally created by @Rosika2 on GitHub (Feb 26, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4013

ENVIRONMENT:

  • Linux distribution and version: Lubuntu 20.04.2 LTS x86_64
  • firejail version 0.9.62

Hi altogether,

I have a question as far as terminal output (when running firejail) is concerned:

Whenever I run the command firejail nixnote2 the programme works alright and is sandboxed without any difficulties.
Yet taking a look at the terminal output I realized that as long as nixnote2 is running I get repeated entries of
"Could not create AF_NETLINK socket".

This message gets written to the terminal incessantly (4 entries in about 10 secs) until I quit the programme.

Any idea what´s going on?

Thanks a lot in advance.
Many greetings.
Rosika

P.S.:

Running firejail --noprofile nixnote2 doesn´t produce those logs!

example output:

firejail nixnote2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 16438, child pid 16439
Warning: cleaning all supplementary groups
Child process initialized in 50.11 ms
INFO  2021-02-26 14:48:10.635 src/utilities/crossmemorymapper.cpp:59 Shared memory segment allocated, instance key: "6b7ac843-c142-4e75-8d44-0714514b14c31"
INFO  2021-02-26 14:48:10.636 src/main.cpp:287 NixNote 2.1.5+dfsg1-1build1, build at Mar 23 2020 at 06:20:43, with Qt 5.12.5 running on 5.12.8
INFO  2021-02-26 14:48:10.636 src/main.cpp:290 To get more detailed startup logging use --logLevel=1
Icon theme "elementary" not found.
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
WARN  2021-02-26 14:48:11.108 src/nixnote.cpp:228 encrypt.encrypt failed
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
[...]
INFO  2021-02-26 14:48:34.615 src/main.cpp:358 main: Exit: retcode=0

Parent is shutting down, bye...
Originally created by @Rosika2 on GitHub (Feb 26, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4013 ENVIRONMENT: - Linux distribution and version: Lubuntu 20.04.2 LTS x86_64 - firejail version 0.9.62 Hi altogether, I have a question as far as terminal output (when running firejail) is concerned: Whenever I run the command `firejail nixnote2` the programme works alright and is sandboxed without any difficulties. Yet taking a look at the **terminal output** I realized that as long as nixnote2 is running I get repeated entries of "Could not create AF_NETLINK socket". This message gets written to the terminal incessantly (4 entries in about 10 secs) until I quit the programme. Any idea what´s going on? Thanks a lot in advance. Many greetings. Rosika P.S.: Running `firejail --noprofile nixnote2 `doesn´t produce those logs! example output: ``` firejail nixnote2 Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Warning: networking feature is disabled in Firejail configuration file ** Note: you can use --noprofile to disable default.profile ** Parent pid 16438, child pid 16439 Warning: cleaning all supplementary groups Child process initialized in 50.11 ms INFO 2021-02-26 14:48:10.635 src/utilities/crossmemorymapper.cpp:59 Shared memory segment allocated, instance key: "6b7ac843-c142-4e75-8d44-0714514b14c31" INFO 2021-02-26 14:48:10.636 src/main.cpp:287 NixNote 2.1.5+dfsg1-1build1, build at Mar 23 2020 at 06:20:43, with Qt 5.12.5 running on 5.12.8 INFO 2021-02-26 14:48:10.636 src/main.cpp:290 To get more detailed startup logging use --logLevel=1 Icon theme "elementary" not found. Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) WARN 2021-02-26 14:48:11.108 src/nixnote.cpp:228 encrypt.encrypt failed Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt) [...] INFO 2021-02-26 14:48:34.615 src/main.cpp:358 main: Exit: retcode=0 Parent is shutting down, bye... ```
gitea-mirror 2026-05-05 09:11:19 -06:00
gitea-mirror commented 2026-05-05 09:11:22 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 26, 2021):

Could not create AF_NETLINK socket

Fix: Allow nixnote2 to create AF_NETLINK sockets by adding netlink to the protocol set (--protocol=unix,inet,inet6,netlink).

firejail version 0.9.62

You should update, this version is vulnerable to CVE-2021-26910. See https://github.com/netblue30/firejail/issues/3996#issuecomment-780910781 and https://github.com/netblue30/firejail/issues/3968#issuecomment-777167840 and https://github.com/netblue30/firejail/issues/4006#issuecomment-785140992 and https://github.com/netblue30/firejail/issues/3982#issuecomment-778480897 and [I could not find this one]. Or you set overlayfs no in /etc/firejail/firejail.config as workaround.

firejail nixnote2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

nixnote2 doesn't have a profile yet. Request one in #1139 or write it yourself.

<!-- gh-comment-id:786680364 --> @rusty-snake commented on GitHub (Feb 26, 2021): > Could not create AF_NETLINK socket Fix: Allow nixnote2 to create AF_NETLINK sockets by adding `netlink` to the protocol set (`--protocol=unix,inet,inet6,netlink`). > firejail version 0.9.62 You should update, this version is vulnerable to CVE-2021-26910. See https://github.com/netblue30/firejail/issues/3996#issuecomment-780910781 and https://github.com/netblue30/firejail/issues/3968#issuecomment-777167840 and https://github.com/netblue30/firejail/issues/4006#issuecomment-785140992 and https://github.com/netblue30/firejail/issues/3982#issuecomment-778480897 and [I could not find this one]. Or you set `overlayfs no` in `/etc/firejail/firejail.config` as workaround. > firejail nixnote2 >Reading profile /etc/firejail/default.profile >Reading profile /etc/firejail/disable-common.inc >Reading profile /etc/firejail/disable-passwdmgr.inc >Reading profile /etc/firejail/disable-programs.inc >Warning: networking feature is disabled in Firejail configuration file > > ** Note: you can use --noprofile to disable default.profile ** nixnote2 doesn't have a profile yet. Request one in #1139 or write it yourself.
gitea-mirror commented 2026-05-05 09:11:24 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (Feb 26, 2021):

@rusty-snake:
Hi and thank you so much for your quick reply and help.

First of all: I updated firejail to version 0.9.64.4.
I have to admit I hadn´t added the respective ppa after having done a fresh install of Lubuntu a month ago.
That I did now and got the latest version. Great.

Thanks also for the links referring to the vulnerability.

As for my original problem:

firejail --protocol=unix,inet,inet6,netlink nixnote2 works just fine. Thank you for pointing that out.
I myself probably wouldn´t have considered that. Sorry.

This command is well suited for me as I use fish as my default shell and this makes getting hold of specific entries from history a piece of cake.
I just have to enter "nixnote2" ("nixn" would be sufficient as well) and then "ARROW UP" and I have the respective command.

Thank you again so much for your help. It´s greatly appreciated.

Many greetings and keep safe.
Rosika

<!-- gh-comment-id:786716026 --> @Rosika2 commented on GitHub (Feb 26, 2021): @rusty-snake: Hi and thank you so much for your quick reply and help. First of all: I updated **firejail** to version 0.9.64.4. I have to admit I hadn´t added the respective ppa after having done a fresh install of Lubuntu a month ago. That I did now and got the latest version. Great. Thanks also for the links referring to the vulnerability. As for my original problem: `firejail --protocol=unix,inet,inet6,netlink nixnote2` works just fine. Thank you for pointing that out. I myself probably wouldn´t have considered that. Sorry. This command is well suited for me as I use **fish** as my default shell and this makes getting hold of specific entries from history a piece of cake. I just have to enter "nixnote2" ("nixn" would be sufficient as well) and then "ARROW UP" and I have the respective command. Thank you again so much for your help. It´s greatly appreciated. Many greetings and keep safe. Rosika
gitea-mirror commented 2026-05-05 09:11:25 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 26, 2021):

FYI: You can also create a profile for it with this protocol set. ~/.config/firejail/nixnote2.profile:

protocol unix,inet,inet6,netlink

include default.profile

Or you start writing a profile for it.

profile.tempalte with `protocol unix,inet,inet6,netlink` and the commands from default.profile 
# Firejail profile for nixnote2
# Description: DESCRIPTION
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you create profiles.
# PRs welcome at https://github.com/netblue30/firejail/.
#
# Rules to follow:
#  - lines with one # are often used in profiles
#  - lines with two ## are only needed in special situations
#  - make the profile as restrictive as possible while still keeping the program useful
#    (e.g. a program that is unable to save user's work is considered bad practice)
#  - dedicate ample time (based on the complexity of the application) to profile testing before raising
#    a pull request
#  - keep the sections structure, use a single empty line as separator
#  - entries within sections are alphabetically sorted
#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
#    to not do this for essential utilities as this may *break* your OS! (related discussion:
#    https://github.com/netblue30/firejail/issues/2507)
#  - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
#   HEADER
#   COMMENTS
#   IGNORES
#   NOBLACKLISTS
#   ALLOW INCLUDES
#   BLACKLISTS
#   DISABLE INCLUDES
#   NOWHITELISTS
#   MKDIRS
#   WHITELISTS
#   WHITELIST INCLUDES
#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
#   DBUS FILTER
#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
#   REDIRECT INCLUDES
#
# The following macros may be used in path names to substitute common locations:
#  ${DESKTOP}
#  ${DOCUMENTS}
#  ${DOWNLOADS}
#  ${HOME} (user's home)
#  ${PATH} (contents of PATH env var)
#  ${MUSIC}
#  ${RUNUSER} (/run/user/UID)
#  ${VIDEOS}
#
# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
include nixnote2.local
# Persistent global definitions
include globals.local

##ignore noexec ${HOME}
##ignore noexec /tmp

##blacklist PATH
# Disable X11 (CLI only), see also 'x11 none' below
#blacklist /tmp/.X11-unix
# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
# Disable RUNUSER (cli only)
#blacklist ${RUNUSER}

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
#  - launch binary with --private naming a sandbox
#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
#  - work with the program, make some configuration changes and save them, open new documents,
#    install plugins if they exists, etc.
#  - join the sandbox with bash:
#      `firejail --join=test bash`
#  - look what has changed and use that information to populate blacklist and whitelist sections
#      `ls -aR`
#noblacklist PATH

# Allows files commonly used by IDEs
#include allow-common-devel.inc

# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc

# Allow ssh (blacklisted by disable-common.inc)
#include allow-ssh.inc

include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
#include disable-shell.inc
#include disable-write-mnt.inc
#include disable-xdg.inc

# This section often mirrors noblacklist section above. The idea is
# that if a user feels too restricted (e.g. unable to save files into
# home directory) they may disable whitelist (nowhitelist)
# in PROFILE.local but still be protected by BLACKLISTS section
# (explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
##mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc

##allusers
#apparmor
caps.drop all
##caps.keep CAPS
##hostname NAME
# CLI only
##ipc-namespace
# breaks audio and sometimes dbus related functions
#machine-id
# 'net none' or 'netfilter'
#net none
netfilter
#no3d
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
#nodvd
#nogroups
nonewprivs
noroot
#nosound
#notv
#nou2f
#novideo
protocol unix,inet,inet6,netlink
seccomp
##seccomp !chroot
##seccomp.drop SYSCALLS (see syscalls.txt)
#seccomp.block-secondary
##seccomp-error-action log (only for debugging seccomp issues)
#shell none
#tracelog
# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
##x11 none

#disable-mnt
##private
# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734, #2093)
#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
#    Extra: group,magic,magic.mgc,passwd
#  3D: bumblebee,drirc,glvnd,nvidia
#  Audio: alsa,asound.conf,machine-id,pulse
#  D-Bus: dbus-1,machine-id
#  GUI: fonts,pango,X11
#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
#  KDE: kde4rc,kde5rc
#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
#    Extra: gai.conf,proxychains.conf
#  Qt: Trolltech.conf
##private-lib LIBS
##private-opt NAME
#private-tmp
##writable-etc
##writable-run-user
##writable-var
##writable-var-log

# Since 0.9.63 also a more granular control of dbus is supported.
# To get the dbus-addresses an application needs access to you can
# check with flatpak (when the application is distriputed that way):
#    flatpak remote-info --show-metadata flathub <APP-ID>
# Notes:
#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
#  - Some features like native notifications are implemented as portal too.
#  - In order to make dconf work (when used by the app) you need to allow
#    'ca.desrt.dconf' even when not allowed by flatpak.
# Notes and Policiy about addresses can be found at
# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
#dbus-user filter
#dbus-user.own com.github.netblue30.firejail
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#dbus-system none

##env VAR=VALUE
##join-or-start NAME
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}
<!-- gh-comment-id:786731066 --> @rusty-snake commented on GitHub (Feb 26, 2021): FYI: You can also create a profile for it with this `protocol` set. `~/.config/firejail/nixnote2.profile`: ``` protocol unix,inet,inet6,netlink include default.profile ``` Or you start writing a profile for it. <details><summary>profile.tempalte with `protocol unix,inet,inet6,netlink` and the commands from default.profile</summary> ``` # Firejail profile for nixnote2 # Description: DESCRIPTION # This file is overwritten after every install/update # --- CUT HERE --- # This is a generic template to help you create profiles. # PRs welcome at https://github.com/netblue30/firejail/. # # Rules to follow: # - lines with one # are often used in profiles # - lines with two ## are only needed in special situations # - make the profile as restrictive as possible while still keeping the program useful # (e.g. a program that is unable to save user's work is considered bad practice) # - dedicate ample time (based on the complexity of the application) to profile testing before raising # a pull request # - keep the sections structure, use a single empty line as separator # - entries within sections are alphabetically sorted # - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware # to not do this for essential utilities as this may *break* your OS! (related discussion: # https://github.com/netblue30/firejail/issues/2507) # - remove this comment section and any generic comment past 'Persistent global definitions' # # Sections structure # HEADER # COMMENTS # IGNORES # NOBLACKLISTS # ALLOW INCLUDES # BLACKLISTS # DISABLE INCLUDES # NOWHITELISTS # MKDIRS # WHITELISTS # WHITELIST INCLUDES # OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog) # PRIVATE OPTIONS (disable-mnt, private-*, writable-*) # DBUS FILTER # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) # REDIRECT INCLUDES # # The following macros may be used in path names to substitute common locations: # ${DESKTOP} # ${DOCUMENTS} # ${DOWNLOADS} # ${HOME} (user's home) # ${PATH} (contents of PATH env var) # ${MUSIC} # ${RUNUSER} (/run/user/UID) # ${VIDEOS} # # Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths. # # --- CUT HERE --- ##quiet # Persistent local customizations include nixnote2.local # Persistent global definitions include globals.local ##ignore noexec ${HOME} ##ignore noexec /tmp ##blacklist PATH # Disable X11 (CLI only), see also 'x11 none' below #blacklist /tmp/.X11-unix # Disable Wayland #blacklist ${RUNUSER}/wayland-* # Disable RUNUSER (cli only) #blacklist ${RUNUSER} # It is common practice to add files/dirs containing program-specific configuration # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc # (keep list sorted) and then disable blacklisting below. # One way to retrieve the files a program uses is: # - launch binary with --private naming a sandbox # `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY` # - work with the program, make some configuration changes and save them, open new documents, # install plugins if they exists, etc. # - join the sandbox with bash: # `firejail --join=test bash` # - look what has changed and use that information to populate blacklist and whitelist sections # `ls -aR` #noblacklist PATH # Allows files commonly used by IDEs #include allow-common-devel.inc # Allow gjs (blacklisted by disable-interpreters.inc) #include allow-gjs.inc # Allow java (blacklisted by disable-devel.inc) #include allow-java.inc # Allow lua (blacklisted by disable-interpreters.inc) #include allow-lua.inc # Allow perl (blacklisted by disable-interpreters.inc) #include allow-perl.inc # Allow python (blacklisted by disable-interpreters.inc) #include allow-python2.inc #include allow-python3.inc # Allow ruby (blacklisted by disable-interpreters.inc) #include allow-ruby.inc # Allow ssh (blacklisted by disable-common.inc) #include allow-ssh.inc include disable-common.inc #include disable-devel.inc #include disable-exec.inc #include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc #include disable-shell.inc #include disable-write-mnt.inc #include disable-xdg.inc # This section often mirrors noblacklist section above. The idea is # that if a user feels too restricted (e.g. unable to save files into # home directory) they may disable whitelist (nowhitelist) # in PROFILE.local but still be protected by BLACKLISTS section # (explanation at https://github.com/netblue30/firejail/issues/1569) #mkdir PATH ##mkfile PATH #whitelist PATH #include whitelist-common.inc #include whitelist-runuser-common.inc #include whitelist-usr-share-common.inc #include whitelist-var-common.inc ##allusers #apparmor caps.drop all ##caps.keep CAPS ##hostname NAME # CLI only ##ipc-namespace # breaks audio and sometimes dbus related functions #machine-id # 'net none' or 'netfilter' #net none netfilter #no3d ##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) #nodvd #nogroups nonewprivs noroot #nosound #notv #nou2f #novideo protocol unix,inet,inet6,netlink seccomp ##seccomp !chroot ##seccomp.drop SYSCALLS (see syscalls.txt) #seccomp.block-secondary ##seccomp-error-action log (only for debugging seccomp issues) #shell none #tracelog # Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set ##x11 none #disable-mnt ##private # It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3 #private-bin PROGRAMS #private-cache #private-dev #private-etc FILES # private-etc templates (see also #1734, #2093) # Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg # Extra: group,magic,magic.mgc,passwd # 3D: bumblebee,drirc,glvnd,nvidia # Audio: alsa,asound.conf,machine-id,pulse # D-Bus: dbus-1,machine-id # GUI: fonts,pango,X11 # GTK: dconf,gconf,gtk-2.0,gtk-3.0 # KDE: kde4rc,kde5rc # Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl # Extra: gai.conf,proxychains.conf # Qt: Trolltech.conf ##private-lib LIBS ##private-opt NAME #private-tmp ##writable-etc ##writable-run-user ##writable-var ##writable-var-log # Since 0.9.63 also a more granular control of dbus is supported. # To get the dbus-addresses an application needs access to you can # check with flatpak (when the application is distriputed that way): # flatpak remote-info --show-metadata flathub <APP-ID> # Notes: # - flatpak implicitly allows an app to own <APP-ID> on the session bus # - Some features like native notifications are implemented as portal too. # - In order to make dconf work (when used by the app) you need to allow # 'ca.desrt.dconf' even when not allowed by flatpak. # Notes and Policiy about addresses can be found at # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> #dbus-user filter #dbus-user.own com.github.netblue30.firejail #dbus-user.talk ca.desrt.dconf #dbus-user.talk org.freedesktop.Notifications #dbus-system none ##env VAR=VALUE ##join-or-start NAME #memory-deny-write-execute ##noexec PATH ##read-only ${HOME} ``` </details>
gitea-mirror commented 2026-05-05 09:11:26 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (Feb 26, 2021):

@rusty-snake:

Hi again,

thank you for pointing out the two methods of achieving the goal. That´s certainly the professional way of doing it. :)

BTW:
Using thunar as my default file-manager I take advantage of the possibility of creating user-defined actions (from right-click-menu).

To this end I downloaded firewarden (quite a while ago now) and created entries like this one (example):

lxterminal --command="/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/Ergänzungen_zu_Programmen/zu_firewarden_focal/firewarden lximage-qt %f"

This example should demonstrate how I use firejail (with the help of firewarden) to safely display pictures with lximage-qt.

I noticed this one created the same "AF_NETLINK socket" messages.
To verify this issue I ran "firejail lximage-qt" in a terminal and it produced those messages as well. Despite the fact that there´s a lximage-qt.profile available.

I looked at the contents of the profile and found out there´s an entry protocol unix.
So wouldn´t it be best to replace it by protocol unix,inet,inet6,netlink?

Thanks again for your help.
Many greetings.
Rosika

<!-- gh-comment-id:786752508 --> @Rosika2 commented on GitHub (Feb 26, 2021): @rusty-snake: Hi again, thank you for pointing out the two methods of achieving the goal. That´s certainly the professional way of doing it. :) BTW: Using **thunar** as my default file-manager I take advantage of the possibility of creating user-defined actions (from right-click-menu). To this end I downloaded **firewarden** (quite a while ago now) and created entries like this one (example): `lxterminal --command="/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/Ergänzungen_zu_Programmen/zu_firewarden_focal/firewarden lximage-qt %f"` This example should demonstrate how I use **firejail** (with the help of **firewarden**) to safely display pictures with **lximage-qt**. I noticed this one created the same "AF_NETLINK socket" messages. To verify this issue I ran "firejail lximage-qt" in a terminal and it produced those messages as well. Despite the fact that there´s a **lximage-qt.profile** available. I looked at the contents of the profile and found out there´s an entry `protocol unix`. So wouldn´t it be best to replace it by `protocol unix,inet,inet6,netlink`? Thanks again for your help. Many greetings. Rosika
gitea-mirror commented 2026-05-05 09:11:26 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 26, 2021):

So wouldn´t it be best to replace it by protocol unix,inet,inet6,netlink?

First of all: Here it would be protocol unix,netlink because lximage-qt does not need internet access (it has net none).

Netlink adds some more permissions (but IDK exactly for what it can be used), so it's always better to not add it as long as nothing is broken. But how do you know that nothing is? If the program complains about it, it misses something it wants.

<!-- gh-comment-id:786762799 --> @rusty-snake commented on GitHub (Feb 26, 2021): > So wouldn´t it be best to replace it by `protocol unix,inet,inet6,netlink`? First of all: Here it would be `protocol unix,netlink` because lximage-qt does not need internet access (it has `net none`). Netlink adds some more permissions (but IDK exactly for what it can be used), so it's always better to not add it as long as nothing is broken. But how do you know that nothing is? If the program complains about it, it misses something it wants.
gitea-mirror commented 2026-05-05 09:11:27 -06:00
Author
Owner
Copy link

@kris7t commented on GitHub (Feb 26, 2021):

Please do note that AF_NETLINK is generic communication interface for the kernel, and as such, allowing it potentially exposes a huge kernel API surface. Of course, most of these APIs are only for privileged processes, but there sill might be an opportunity for a sandbox escape (or exploitation of a kernel bug). So it'd certainly be a lot safer if nixnote could be fixed to be a good citizen and not to require such APIs.

(There's also a case for using something like eBPF to filter AF_NETLINK traffic in firejail, but I'd guess that it'd be a monstrous task to implement.)

<!-- gh-comment-id:786780504 --> @kris7t commented on GitHub (Feb 26, 2021): Please do note that `AF_NETLINK` is generic communication interface for the kernel, and as such, allowing it potentially exposes a huge kernel API surface. Of course, most of these APIs are only for privileged processes, but there sill might be an opportunity for a sandbox escape (or exploitation of a kernel bug). So it'd certainly be a lot safer if nixnote could be fixed to be a good citizen and not to require such APIs. (There's also a case for using something like eBPF to filter AF_NETLINK traffic in firejail, but I'd guess that it'd be a monstrous task to implement.)
gitea-mirror commented 2026-05-05 09:11:27 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (Feb 27, 2021):

Hi all and thanks a lot for your replies.

@rusty-snake:

as long as nothing is broken. But how do you know that nothing is?

Good point. Well, the message I get is Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt).
So basically it says: "Operation is not supported".

@kris7t:

AF_NETLINK is generic communication interface for the kernel, and as such, allowing it potentially exposes a huge kernel API surface.

I see. Well, perhaps it´s better not to allow it.

The thing is: Those repeated "Could not create AF_NETLINK socket"-messages don´t really bother me much.
I just wanted to what they were all about. So thanks for the information.

It´s only when I run the command firejail lximage-qt from the terminal that I even noticed it. Were I to run the same command from the "enter-command-field" ("WIN-key+R" in Lubuntu 20.04) I wouldn´t have been aware of that in the first place.

Would there be any argument aginst ignoring those messages and just running e.g. firejail lximage-qt anyway?
I mean: After closing the terminal nothing serious would´ve happened, would it?

Thanks for your opinions on the matter.
Greetings.
Rosika

<!-- gh-comment-id:787078332 --> @Rosika2 commented on GitHub (Feb 27, 2021): Hi all and thanks a lot for your replies. @rusty-snake: > as long as nothing is broken. But how do you know that nothing is? Good point. Well, the message I get is ` Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)`. So basically it says: "Operation is not supported". @kris7t: > AF_NETLINK is generic communication interface for the kernel, and as such, allowing it potentially exposes a huge kernel API surface. I see. Well, perhaps it´s better not to allow it. The thing is: Those repeated "Could not create AF_NETLINK socket"-messages don´t really bother me much. I just wanted to what they were all about. So thanks for the information. It´s only when I run the command `firejail lximage-qt `**from the terminal** that I even noticed it. Were I to run the same command from the "enter-command-field" ("WIN-key+R" in Lubuntu 20.04) I wouldn´t have been aware of that in the first place. Would there be any argument aginst ignoring those messages and just running e.g. `firejail lximage-qt ` anyway? I mean: After closing the terminal nothing serious would´ve happened, would it? Thanks for your opinions on the matter. Greetings. Rosika
gitea-mirror commented 2026-05-05 09:11:27 -06:00
Author
Owner
Copy link

@kris7t commented on GitHub (Feb 27, 2021):

The worst thing that could happen is that the application doesn't expect that AF_NETLINK is disabled and crashes.

Although I guess application functionality might be limited in some way... Netlink is usually used for stuff like modifying routing tables, accessing the kernel audit log, etc. that "normal" application shouldn't be doing, anyways, so I'd be suprised if any functionality would be broken (my best guess is that some library is trying to use Netlink to detect whenever the internet connection is lost and try to reconnect or something like that). Technically, you can use Netlink as a generic IPC interface between user-space applications, but D-Bus is much more popular for that (and is used by Qt by default and can be filtered by firejail).

<!-- gh-comment-id:787081660 --> @kris7t commented on GitHub (Feb 27, 2021): The worst thing that could happen is that the application doesn't expect that AF_NETLINK is disabled and crashes. Although I guess application functionality might be limited in some way... Netlink is usually used for stuff like modifying routing tables, accessing the kernel audit log, etc. that "normal" application shouldn't be doing, anyways, so I'd be suprised if any functionality would be broken (my best guess is that some library is trying to use Netlink to detect whenever the internet connection is lost and try to reconnect or something like that). Technically, you can use Netlink as a generic IPC interface between user-space applications, but D-Bus is much more popular for that (and is used by Qt by default and can be filtered by firejail).
gitea-mirror commented 2026-05-05 09:11:28 -06:00
Author
Owner
Copy link

@Rosika2 commented on GitHub (Feb 27, 2021):

@kris7t:

Thanks for the information.

Well, nothing has crashed. It´s just those terminal-messages that I hadn´t been able to interpret.
I even had dmesg -w running at the same time but no output (referring to this topic) there either.
So I hope it´s o.k. then.

BTW: adding --noprofile to the firejail command eliminates those messages. I guess that´s to be expected.

Thank you again for explaining the matter in such detail. I always like to learn something new.

Many greetings.
Rosika

<!-- gh-comment-id:787084968 --> @Rosika2 commented on GitHub (Feb 27, 2021): @kris7t: Thanks for the information. Well, nothing has crashed. It´s just those terminal-messages that I hadn´t been able to interpret. I even had `dmesg -w` running at the same time but no output (referring to this topic) there either. So I hope it´s o.k. then. BTW: adding **--noprofile** to the firejail command eliminates those messages. I guess that´s to be expected. Thank you again for explaining the matter in such detail. I always like to learn something new. Many greetings. Rosika
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2503
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?