
nixnote2: Could not create AF_NETLINK socket #4013

Closed
Rosika2 opened this issue Feb 26, 2021 · 9 comments
Labels
networking Issues related to networking features (--net=, etc)

Comments

@Rosika2

Rosika2 commented Feb 26, 2021

ENVIRONMENT:

  • Linux distribution and version: Lubuntu 20.04.2 LTS x86_64
  • firejail version 0.9.62

Hi altogether,

I have a question as far as terminal output (when running firejail) is concerned:

Whenever I run the command firejail nixnote2 the programme works alright and is sandboxed without any difficulties.
Yet taking a look at the terminal output I realized that as long as nixnote2 is running I get repeated entries of
"Could not create AF_NETLINK socket".

This message gets written to the terminal incessantly (4 entries in about 10 secs) until I quit the programme.

Any idea what's going on?

Thanks a lot in advance.
Many greetings.
Rosika

P.S.:

Running firejail --noprofile nixnote2 doesn't produce those logs!

example output:

firejail nixnote2
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 16438, child pid 16439
Warning: cleaning all supplementary groups
Child process initialized in 50.11 ms
INFO  2021-02-26 14:48:10.635 src/utilities/crossmemorymapper.cpp:59 Shared memory segment allocated, instance key: "6b7ac843-c142-4e75-8d44-0714514b14c31"
INFO  2021-02-26 14:48:10.636 src/main.cpp:287 NixNote 2.1.5+dfsg1-1build1, build at Mar 23 2020 at 06:20:43, with Qt 5.12.5 running on 5.12.8
INFO  2021-02-26 14:48:10.636 src/main.cpp:290 To get more detailed startup logging use --logLevel=1
Icon theme "elementary" not found.
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
WARN  2021-02-26 14:48:11.108 src/nixnote.cpp:228 encrypt.encrypt failed
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt)
[...]
INFO  2021-02-26 14:48:34.615 src/main.cpp:358 main: Exit: retcode=0

Parent is shutting down, bye...
@rusty-snake
Collaborator

> Could not create AF_NETLINK socket

Fix: Allow nixnote2 to create AF_NETLINK sockets by adding netlink to the protocol set (--protocol=unix,inet,inet6,netlink).

> firejail version 0.9.62

You should update, this version is vulnerable to CVE-2021-26910. See #3996 (comment) and #3968 (comment) and #4006 (comment) and #3982 (comment) and [I could not find this one]. Or you set overlayfs no in /etc/firejail/firejail.config as workaround.

> firejail nixnote2
> Reading profile /etc/firejail/default.profile
> Reading profile /etc/firejail/disable-common.inc
> Reading profile /etc/firejail/disable-passwdmgr.inc
> Reading profile /etc/firejail/disable-programs.inc
> Warning: networking feature is disabled in Firejail configuration file
>
> ** Note: you can use --noprofile to disable default.profile **

nixnote2 doesn't have a profile yet. Request one in #1139 or write it yourself.

@Rosika2
Author

Rosika2 commented Feb 26, 2021

@rusty-snake:
Hi and thank you so much for your quick reply and help.

First of all: I updated firejail to version 0.9.64.4.
I have to admit I hadn't added the respective ppa after having done a fresh install of Lubuntu a month ago.
That I did now and got the latest version. Great.

Thanks also for the links referring to the vulnerability.

As for my original problem:

firejail --protocol=unix,inet,inet6,netlink nixnote2 works just fine. Thank you for pointing that out.
I myself probably wouldn't have considered that. Sorry.

This command is well suited for me as I use fish as my default shell and this makes getting hold of specific entries from history a piece of cake.
I just have to enter "nixnote2" ("nixn" would be sufficient as well) and then "ARROW UP" and I have the respective command.

Thank you again so much for your help. It's greatly appreciated.

Many greetings and keep safe.
Rosika

@Rosika2 Rosika2 closed this as completed Feb 26, 2021
@rusty-snake
Collaborator

FYI: You can also create a profile for it with this protocol set. ~/.config/firejail/nixnote2.profile:

protocol unix,inet,inet6,netlink

include default.profile

Or you start writing a profile for it.

profile.template with `protocol unix,inet,inet6,netlink` and the commands from default.profile
# Firejail profile for nixnote2
# Description: DESCRIPTION
# This file is overwritten after every install/update
# --- CUT HERE ---
# This is a generic template to help you create profiles.
# PRs welcome at https://github.com/netblue30/firejail/.
#
# Rules to follow:
#  - lines with one # are often used in profiles
#  - lines with two ## are only needed in special situations
#  - make the profile as restrictive as possible while still keeping the program useful
#    (e.g. a program that is unable to save user's work is considered bad practice)
#  - dedicate ample time (based on the complexity of the application) to profile testing before raising
#    a pull request
#  - keep the sections structure, use a single empty line as separator
#  - entries within sections are alphabetically sorted
#  - consider putting binary into src/firecfg/firecfg.config (keep list sorted) but beware
#    to not do this for essential utilities as this may *break* your OS! (related discussion:
#    https://github.com/netblue30/firejail/issues/2507)
#  - remove this comment section and any generic comment past 'Persistent global definitions'
#
# Sections structure
#   HEADER
#   COMMENTS
#   IGNORES
#   NOBLACKLISTS
#   ALLOW INCLUDES
#   BLACKLISTS
#   DISABLE INCLUDES
#   NOWHITELISTS
#   MKDIRS
#   WHITELISTS
#   WHITELIST INCLUDES
#   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
#   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
#   DBUS FILTER
#   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
#   REDIRECT INCLUDES
#
# The following macros may be used in path names to substitute common locations:
#  ${DESKTOP}
#  ${DOCUMENTS}
#  ${DOWNLOADS}
#  ${HOME} (user's home)
#  ${PATH} (contents of PATH env var)
#  ${MUSIC}
#  ${RUNUSER} (/run/user/UID)
#  ${VIDEOS}
#
# Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
#
# --- CUT HERE ---
##quiet
# Persistent local customizations
include nixnote2.local
# Persistent global definitions
include globals.local

##ignore noexec ${HOME}
##ignore noexec /tmp

##blacklist PATH
# Disable X11 (CLI only), see also 'x11 none' below
#blacklist /tmp/.X11-unix
# Disable Wayland
#blacklist ${RUNUSER}/wayland-*
# Disable RUNUSER (cli only)
#blacklist ${RUNUSER}

# It is common practice to add files/dirs containing program-specific configuration
# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
# (keep list sorted) and then disable blacklisting below.
# One way to retrieve the files a program uses is:
#  - launch binary with --private naming a sandbox
#      `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
#  - work with the program, make some configuration changes and save them, open new documents,
#    install plugins if they exist, etc.
#  - join the sandbox with bash:
#      `firejail --join=test bash`
#  - look what has changed and use that information to populate blacklist and whitelist sections
#      `ls -aR`
#noblacklist PATH

# Allows files commonly used by IDEs
#include allow-common-devel.inc

# Allow gjs (blacklisted by disable-interpreters.inc)
#include allow-gjs.inc

# Allow java (blacklisted by disable-devel.inc)
#include allow-java.inc

# Allow lua (blacklisted by disable-interpreters.inc)
#include allow-lua.inc

# Allow perl (blacklisted by disable-interpreters.inc)
#include allow-perl.inc

# Allow python (blacklisted by disable-interpreters.inc)
#include allow-python2.inc
#include allow-python3.inc

# Allow ruby (blacklisted by disable-interpreters.inc)
#include allow-ruby.inc

# Allow ssh (blacklisted by disable-common.inc)
#include allow-ssh.inc

include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
#include disable-shell.inc
#include disable-write-mnt.inc
#include disable-xdg.inc

# This section often mirrors noblacklist section above. The idea is
# that if a user feels too restricted (e.g. unable to save files into
# home directory) they may disable whitelist (nowhitelist)
# in PROFILE.local but still be protected by BLACKLISTS section
# (explanation at https://github.com/netblue30/firejail/issues/1569)
#mkdir PATH
##mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-runuser-common.inc
#include whitelist-usr-share-common.inc
#include whitelist-var-common.inc

##allusers
#apparmor
caps.drop all
##caps.keep CAPS
##hostname NAME
# CLI only
##ipc-namespace
# breaks audio and sometimes dbus related functions
#machine-id
# 'net none' or 'netfilter'
#net none
netfilter
#no3d
##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
#nodvd
#nogroups
nonewprivs
noroot
#nosound
#notv
#nou2f
#novideo
protocol unix,inet,inet6,netlink
seccomp
##seccomp !chroot
##seccomp.drop SYSCALLS (see syscalls.txt)
#seccomp.block-secondary
##seccomp-error-action log (only for debugging seccomp issues)
#shell none
#tracelog
# Prefer 'x11 none' instead of 'blacklist /tmp/.X11-unix' if 'net none' is set
##x11 none

#disable-mnt
##private
# It's common practice to refer to the python executable(s) in private-bin with `python*`, which covers both v2 and v3
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734, #2093)
#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
#    Extra: group,magic,magic.mgc,passwd
#  3D: bumblebee,drirc,glvnd,nvidia
#  Audio: alsa,asound.conf,machine-id,pulse
#  D-Bus: dbus-1,machine-id
#  GUI: fonts,pango,X11
#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
#  KDE: kde4rc,kde5rc
#  Networking: ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,services,rpc,ssl
#    Extra: gai.conf,proxychains.conf
#  Qt: Trolltech.conf
##private-lib LIBS
##private-opt NAME
#private-tmp
##writable-etc
##writable-run-user
##writable-var
##writable-var-log

# Since 0.9.63 also a more granular control of dbus is supported.
# To get the dbus-addresses an application needs access to you can
# check with flatpak (when the application is distributed that way):
#    flatpak remote-info --show-metadata flathub <APP-ID>
# Notes:
#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
#  - Some features like native notifications are implemented as portal too.
#  - In order to make dconf work (when used by the app) you need to allow
#    'ca.desrt.dconf' even when not allowed by flatpak.
# Notes and Policy about addresses can be found at
# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
#dbus-user filter
#dbus-user.own com.github.netblue30.firejail
#dbus-user.talk ca.desrt.dconf
#dbus-user.talk org.freedesktop.Notifications
#dbus-system none

##env VAR=VALUE
##join-or-start NAME
#memory-deny-write-execute
##noexec PATH
##read-only ${HOME}

@Rosika2
Author

Rosika2 commented Feb 26, 2021

@rusty-snake:

Hi again,

thank you for pointing out the two methods of achieving the goal. That's certainly the professional way of doing it. :)

BTW:
Using thunar as my default file-manager I take advantage of the possibility of creating user-defined actions (from right-click-menu).

To this end I downloaded firewarden (quite a while ago now) and created entries like this one (example):

lxterminal --command="/media/rosika/f14a27c2-0b49-4607-94ea-2e56bbf76fe1/DATEN-PARTITION/Dokumente/Ergänzungen_zu_Programmen/zu_firewarden_focal/firewarden lximage-qt %f"

This example should demonstrate how I use firejail (with the help of firewarden) to safely display pictures with lximage-qt.

I noticed this one created the same "AF_NETLINK socket" messages.
To verify this issue I ran "firejail lximage-qt" in a terminal and it produced those messages as well. Despite the fact that there's an lximage-qt.profile available.

I looked at the contents of the profile and found out there´s an entry protocol unix.
So wouldn't it be best to replace it with protocol unix,inet,inet6,netlink?

Thanks again for your help.
Many greetings.
Rosika

@Rosika2 Rosika2 reopened this Feb 26, 2021
@rusty-snake
Collaborator

> So wouldn't it be best to replace it with protocol unix,inet,inet6,netlink?

First of all: Here it would be protocol unix,netlink because lximage-qt does not need internet access (it has net none).

Netlink adds some more permissions (but IDK exactly for what it can be used), so it's always better to not add it as long as nothing is broken. But how do you know that nothing is? If the program complains about it, it misses something it wants.

@kris7t
Collaborator

kris7t commented Feb 26, 2021

Please do note that AF_NETLINK is a generic communication interface for the kernel, and as such, allowing it potentially exposes a huge kernel API surface. Of course, most of these APIs are only for privileged processes, but there still might be an opportunity for a sandbox escape (or exploitation of a kernel bug). So it'd certainly be a lot safer if nixnote could be fixed to be a good citizen and not to require such APIs.

(There's also a case for using something like eBPF to filter AF_NETLINK traffic in firejail, but I'd guess that it'd be a monstrous task to implement.)
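The two points above, "how do you know that nothing is broken" and "AF_NETLINK exposes a large kernel surface", both come down to knowing which address families the sandbox actually lets the program open. The probe below is an added example, not part of this issue and not Firejail's own code. It maps Firejail's `protocol` keywords to the kernel address families they cover (keywords as documented in firejail(1)), tries to create one socket per family, and compares the outcome with what a given `protocol` line should allow. It assumes that the filter denies a socket() call with EOPNOTSUPP, whose standard text is "Operation not supported", the message seen in the log above; the function names and the probe arguments are this example's own choices.

```python
"""Probe which socket address families the current sandbox permits.

Run inside Firejail with different protocol sets and compare the report
with the protocol line you intend to put in the profile, e.g.
    firejail --protocol=unix,inet,inet6 python3 probe_protocols.py unix,inet,inet6
    firejail --protocol=unix,inet,inet6,netlink python3 probe_protocols.py unix,inet,inet6,netlink
"""
import errno
import socket
import sys

# Firejail `protocol` keyword -> kernel address family it covers (keywords
# from the firejail(1) man page). Families this platform lacks map to None.
PROTOCOL_FAMILIES = {
    "unix": socket.AF_UNIX,
    "inet": socket.AF_INET,
    "inet6": socket.AF_INET6,
    "netlink": getattr(socket, "AF_NETLINK", None),
    "packet": getattr(socket, "AF_PACKET", None),
}

# (type, protocol) to request per family. These are the cheapest calls an
# unprivileged process can make; NETLINK_ROUTE is what network-change
# watchers typically open. AF_PACKET needs CAP_NET_RAW and is expected to
# fail with EPERM even when the sandbox lets the call through.
PROBE_ARGS = {
    "unix": (socket.SOCK_STREAM, 0),
    "inet": (socket.SOCK_DGRAM, 0),
    "inet6": (socket.SOCK_DGRAM, 0),
    "netlink": (socket.SOCK_RAW, getattr(socket, "NETLINK_ROUTE", 0)),
    "packet": (socket.SOCK_RAW, 0),
}

# Assumption of this example: the protocol filter answers socket() with
# EOPNOTSUPP ("Operation not supported"), the text shown in the issue's log.
FILTER_ERRNO = errno.EOPNOTSUPP


def expected_allowed(protocol_list):
    """Parse a `protocol` value like "unix,inet,inet6,netlink" into the set
    of address families the sandbox should permit. Unknown keywords raise."""
    names = [n.strip() for n in protocol_list.split(",") if n.strip()]
    unknown = [n for n in names if n not in PROTOCOL_FAMILIES]
    if unknown:
        raise ValueError(f"unknown protocol keyword(s): {unknown}")
    return {PROTOCOL_FAMILIES[n] for n in names if PROTOCOL_FAMILIES[n] is not None}


def classify(err):
    """Explain a failed socket() errno from a profile author's point of view."""
    if err == FILTER_ERRNO:
        return "blocked by the sandbox's protocol filter"
    if err == errno.EAFNOSUPPORT:
        return "address family not supported by this kernel"
    if err in (errno.EPERM, errno.EACCES):
        return "kernel requires a capability this process lacks"
    return f"other error ({errno.errorcode.get(err, err)})"


def probe(family, sock_type, proto):
    """Try to create one socket and close it again; return (ok, errno_or_None)."""
    try:
        s = socket.socket(family, sock_type, proto)
    except OSError as e:
        return False, e.errno
    s.close()
    return True, None


def report(protocol_list):
    """Probe every known family and check each outcome against protocol_list.

    A family counts as blocked only when socket() fails with FILTER_ERRNO; a
    refusal for lack of a capability means the call reached the kernel, so
    it is not a filter mismatch. 'consistent' is False when the observed
    block/allow state disagrees with what protocol_list should produce."""
    allowed = expected_allowed(protocol_list)
    results = {}
    for name, fam in PROTOCOL_FAMILIES.items():
        if fam is None:
            continue
        ok, err = probe(fam, *PROBE_ARGS[name])
        blocked = (not ok) and err == FILTER_ERRNO
        results[name] = {
            "ok": ok,
            "errno": err,
            "expected": fam in allowed,
            "blocked": blocked,
            "consistent": blocked == (fam not in allowed),
        }
    return results


if __name__ == "__main__":
    wanted = sys.argv[1] if len(sys.argv) > 1 else "unix,inet,inet6,netlink"
    for name, r in report(wanted).items():
        state = "created" if r["ok"] else classify(r["errno"])
        flag = "" if r["consistent"] else "  <-- differs from protocol line"
        print(f"{name:8} expected={'allow' if r['expected'] else 'block'}  {state}{flag}")
```

Run outside any sandbox first to see the baseline (everything except AF_PACKET should be created), then inside `firejail --protocol=...`; a family that reports "blocked by the sandbox's protocol filter" while the program still works is one you can keep out of the profile, which is the direction kris7t's comment argues for with netlink.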

@Rosika2
Author

Rosika2 commented Feb 27, 2021

Hi all and thanks a lot for your replies.

@rusty-snake:

> as long as nothing is broken. But how do you know that nothing is?

Good point. Well, the message I get is Could not create AF_NETLINK socket (Vorgang wird nicht unterstützt).
So basically it says: "Operation is not supported".

@kris7t:

> AF_NETLINK is a generic communication interface for the kernel, and as such, allowing it potentially exposes a huge kernel API surface.

I see. Well, perhaps it's better not to allow it.

The thing is: Those repeated "Could not create AF_NETLINK socket" messages don't really bother me much.
I just wanted to know what they were all about. So thanks for the information.

It's only when I run the command firejail lximage-qt from the terminal that I even noticed it. Were I to run the same command from the "enter-command-field" ("WIN-key+R" in Lubuntu 20.04) I wouldn't have been aware of that in the first place.

Would there be any argument against ignoring those messages and just running e.g. firejail lximage-qt anyway?
I mean: After closing the terminal nothing serious would've happened, would it?

Thanks for your opinions on the matter.
Greetings.
Rosika

@kris7t
Collaborator

kris7t commented Feb 27, 2021

The worst thing that could happen is that the application doesn't expect that AF_NETLINK is disabled and crashes.

Although I guess application functionality might be limited in some way... Netlink is usually used for stuff like modifying routing tables, accessing the kernel audit log, etc. that "normal" applications shouldn't be doing anyway, so I'd be surprised if any functionality would be broken (my best guess is that some library is trying to use Netlink to detect whenever the internet connection is lost and try to reconnect or something like that). Technically, you can use Netlink as a generic IPC interface between user-space applications, but D-Bus is much more popular for that (and is used by Qt by default and can be filtered by firejail).

@Rosika2
Author

Rosika2 commented Feb 27, 2021

@kris7t:

Thanks for the information.

Well, nothing has crashed. It's just those terminal messages that I hadn't been able to interpret.
I even had dmesg -w running at the same time but no output (referring to this topic) there either.
So I hope it's o.k. then.

BTW: adding --noprofile to the firejail command eliminates those messages. I guess that's to be expected.

Thank you again for explaining the matter in such detail. I always like to learn something new.

Many greetings.
Rosika

@Rosika2 Rosika2 closed this as completed Feb 27, 2021
@kmk3 kmk3 changed the title repeated "Could not create AF_NETLINK socket" messages nixnote2: Could not create AF_NETLINK socket Sep 14, 2024
@kmk3 kmk3 added the networking Issues related to networking features (--net=, etc) label Sep 14, 2024