diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-10 04:47:11 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-27 22:27:46 -0300 |
commit | 9cfeb485eb158217e644955bddc42e3bcf42ccbb (patch) | |
tree | f15092bed9d126ea3e651726e7215c8b7ee4c4ae | |
parent | landlock: add _fs prefix to filesystem functions (diff) | |
download | firejail-9cfeb485eb158217e644955bddc42e3bcf42ccbb.tar.gz firejail-9cfeb485eb158217e644955bddc42e3bcf42ccbb.tar.zst firejail-9cfeb485eb158217e644955bddc42e3bcf42ccbb.zip |
landlock: use "landlock.fs." prefix in filesystem commands
Since Landlock ABI v4 it is possible to restrict actions related to the
network and potentially more areas will be added in the future.
So use `landlock.fs.` as the prefix in the current filesystem-related
commands (and later `landlock.net.` for the network-related commands) to
keep them organized and to match what is used in the kernel.
Examples of filesystem and network access flags:
* `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
* `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
* `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
* `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a
remote port.
Relates to #6078.
-rw-r--r-- | contrib/syntax/lists/profile_commands_arg1.list | 10 | ||||
-rw-r--r-- | etc/inc/landlock-common.inc | 56 | ||||
-rw-r--r-- | etc/templates/profile.template | 10 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in | 10 | ||||
-rw-r--r-- | src/firejail/main.c | 20 | ||||
-rw-r--r-- | src/firejail/profile.c | 20 | ||||
-rw-r--r-- | src/firejail/usage.c | 10 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in | 10 | ||||
-rw-r--r-- | src/man/firejail.1.in | 16 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 10 |
10 files changed, 86 insertions, 86 deletions
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list index 8d5cae7f2..6fd943e57 100644 --- a/contrib/syntax/lists/profile_commands_arg1.list +++ b/contrib/syntax/lists/profile_commands_arg1.list | |||
@@ -29,11 +29,11 @@ ip6 | |||
29 | iprange | 29 | iprange |
30 | join-or-start | 30 | join-or-start |
31 | keep-fd | 31 | keep-fd |
32 | landlock.execute | 32 | landlock.fs.execute |
33 | landlock.makedev | 33 | landlock.fs.makedev |
34 | landlock.makeipc | 34 | landlock.fs.makeipc |
35 | landlock.read | 35 | landlock.fs.read |
36 | landlock.write | 36 | landlock.fs.write |
37 | mac | 37 | mac |
38 | mkdir | 38 | mkdir |
39 | mkfile | 39 | mkfile |
diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc index 694d447b5..e147963a6 100644 --- a/etc/inc/landlock-common.inc +++ b/etc/inc/landlock-common.inc | |||
@@ -2,38 +2,38 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include landlock-common.local | 3 | include landlock-common.local |
4 | 4 | ||
5 | landlock.read / # whole system read | 5 | landlock.fs.read / # whole system read |
6 | landlock.read /proc | 6 | landlock.fs.read /proc |
7 | landlock.makeipc / # sockets etc. | 7 | landlock.fs.makeipc / # sockets etc. |
8 | 8 | ||
9 | # write access | 9 | # write access |
10 | landlock.write ${HOME} | 10 | landlock.fs.write ${HOME} |
11 | landlock.write ${RUNUSER} | 11 | landlock.fs.write ${RUNUSER} |
12 | landlock.write /dev | 12 | landlock.fs.write /dev |
13 | landlock.write /proc | 13 | landlock.fs.write /proc |
14 | landlock.write /run/shm | 14 | landlock.fs.write /run/shm |
15 | landlock.write /tmp | 15 | landlock.fs.write /tmp |
16 | 16 | ||
17 | # exec access | 17 | # exec access |
18 | ## misc | 18 | ## misc |
19 | landlock.execute /opt | 19 | landlock.fs.execute /opt |
20 | landlock.execute /run/firejail # appimage and various firejail features | 20 | landlock.fs.execute /run/firejail # appimage and various firejail features |
21 | ## bin | 21 | ## bin |
22 | landlock.execute /bin | 22 | landlock.fs.execute /bin |
23 | landlock.execute /sbin | 23 | landlock.fs.execute /sbin |
24 | landlock.execute /usr/bin | 24 | landlock.fs.execute /usr/bin |
25 | landlock.execute /usr/sbin | 25 | landlock.fs.execute /usr/sbin |
26 | landlock.execute /usr/games | 26 | landlock.fs.execute /usr/games |
27 | landlock.execute /usr/local/bin | 27 | landlock.fs.execute /usr/local/bin |
28 | landlock.execute /usr/local/sbin | 28 | landlock.fs.execute /usr/local/sbin |
29 | landlock.execute /usr/local/games | 29 | landlock.fs.execute /usr/local/games |
30 | ## lib | 30 | ## lib |
31 | landlock.execute /lib | 31 | landlock.fs.execute /lib |
32 | landlock.execute /lib32 | 32 | landlock.fs.execute /lib32 |
33 | landlock.execute /libx32 | 33 | landlock.fs.execute /libx32 |
34 | landlock.execute /lib64 | 34 | landlock.fs.execute /lib64 |
35 | landlock.execute /usr/lib | 35 | landlock.fs.execute /usr/lib |
36 | landlock.execute /usr/lib32 | 36 | landlock.fs.execute /usr/lib32 |
37 | landlock.execute /usr/libx32 | 37 | landlock.fs.execute /usr/libx32 |
38 | landlock.execute /usr/lib64 | 38 | landlock.fs.execute /usr/lib64 |
39 | landlock.execute /usr/local/lib | 39 | landlock.fs.execute /usr/local/lib |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 0e6a5734e..29ea55439 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -138,11 +138,11 @@ include globals.local | |||
138 | #include whitelist-var-common.inc | 138 | #include whitelist-var-common.inc |
139 | 139 | ||
140 | # Landlock commands | 140 | # Landlock commands |
141 | ##landlock.read PATH | 141 | ##landlock.fs.read PATH |
142 | ##landlock.write PATH | 142 | ##landlock.fs.write PATH |
143 | ##landlock.makeipc PATH | 143 | ##landlock.fs.makeipc PATH |
144 | ##landlock.makedev PATH | 144 | ##landlock.fs.makedev PATH |
145 | ##landlock.execute PATH | 145 | ##landlock.fs.execute PATH |
146 | #include landlock-common.inc | 146 | #include landlock-common.inc |
147 | 147 | ||
148 | ##allusers | 148 | ##allusers |
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index 6c985bc6e..4a1adbc26 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in | |||
@@ -45,23 +45,23 @@ _firejail() | |||
45 | --landlock.enforce) | 45 | --landlock.enforce) |
46 | return 0 | 46 | return 0 |
47 | ;; | 47 | ;; |
48 | --landlock.read) | 48 | --landlock.fs.read) |
49 | _filedir | 49 | _filedir |
50 | return 0 | 50 | return 0 |
51 | ;; | 51 | ;; |
52 | --landlock.write) | 52 | --landlock.fs.write) |
53 | _filedir | 53 | _filedir |
54 | return 0 | 54 | return 0 |
55 | ;; | 55 | ;; |
56 | --landlock.makeipc) | 56 | --landlock.fs.makeipc) |
57 | _filedir | 57 | _filedir |
58 | return 0 | 58 | return 0 |
59 | ;; | 59 | ;; |
60 | --landlock.makedev) | 60 | --landlock.fs.makedev) |
61 | _filedir | 61 | _filedir |
62 | return 0 | 62 | return 0 |
63 | ;; | 63 | ;; |
64 | --landlock.execute) | 64 | --landlock.fs.execute) |
65 | _filedir | 65 | _filedir |
66 | return 0 | 66 | return 0 |
67 | ;; | 67 | ;; |
diff --git a/src/firejail/main.c b/src/firejail/main.c index 0d56eeb55..0ce18ab01 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1505,16 +1505,16 @@ int main(int argc, char **argv, char **envp) { | |||
1505 | #ifdef HAVE_LANDLOCK | 1505 | #ifdef HAVE_LANDLOCK |
1506 | else if (strncmp(argv[i], "--landlock.enforce", 18) == 0) | 1506 | else if (strncmp(argv[i], "--landlock.enforce", 18) == 0) |
1507 | arg_landlock_enforce = 1; | 1507 | arg_landlock_enforce = 1; |
1508 | else if (strncmp(argv[i], "--landlock.read=", 16) == 0) | 1508 | else if (strncmp(argv[i], "--landlock.fs.read=", 19) == 0) |
1509 | ll_add_profile(LL_FS_READ, argv[i] + 16); | 1509 | ll_add_profile(LL_FS_READ, argv[i] + 19); |
1510 | else if (strncmp(argv[i], "--landlock.write=", 17) == 0) | 1510 | else if (strncmp(argv[i], "--landlock.fs.write=", 20) == 0) |
1511 | ll_add_profile(LL_FS_WRITE, argv[i] + 17); | 1511 | ll_add_profile(LL_FS_WRITE, argv[i] + 20); |
1512 | else if (strncmp(argv[i], "--landlock.makeipc=", 19) == 0) | 1512 | else if (strncmp(argv[i], "--landlock.fs.makeipc=", 22) == 0) |
1513 | ll_add_profile(LL_FS_MAKEIPC, argv[i] + 19); | 1513 | ll_add_profile(LL_FS_MAKEIPC, argv[i] + 22); |
1514 | else if (strncmp(argv[i], "--landlock.makedev=", 19) == 0) | 1514 | else if (strncmp(argv[i], "--landlock.fs.makedev=", 22) == 0) |
1515 | ll_add_profile(LL_FS_MAKEDEV, argv[i] + 19); | 1515 | ll_add_profile(LL_FS_MAKEDEV, argv[i] + 22); |
1516 | else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) | 1516 | else if (strncmp(argv[i], "--landlock.fs.execute=", 22) == 0) |
1517 | ll_add_profile(LL_FS_EXEC, argv[i] + 19); | 1517 | ll_add_profile(LL_FS_EXEC, argv[i] + 22); |
1518 | #endif | 1518 | #endif |
1519 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { | 1519 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { |
1520 | if (checkcfg(CFG_SECCOMP)) | 1520 | if (checkcfg(CFG_SECCOMP)) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 945ed518e..4e0b17a8c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1078,24 +1078,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1078 | arg_landlock_enforce = 1; | 1078 | arg_landlock_enforce = 1; |
1079 | return 0; | 1079 | return 0; |
1080 | } | 1080 | } |
1081 | if (strncmp(ptr, "landlock.read ", 14) == 0) { | 1081 | if (strncmp(ptr, "landlock.fs.read ", 17) == 0) { |
1082 | ll_add_profile(LL_FS_READ, ptr + 14); | 1082 | ll_add_profile(LL_FS_READ, ptr + 17); |
1083 | return 0; | 1083 | return 0; |
1084 | } | 1084 | } |
1085 | if (strncmp(ptr, "landlock.write ", 15) == 0) { | 1085 | if (strncmp(ptr, "landlock.fs.write ", 18) == 0) { |
1086 | ll_add_profile(LL_FS_WRITE, ptr + 15); | 1086 | ll_add_profile(LL_FS_WRITE, ptr + 18); |
1087 | return 0; | 1087 | return 0; |
1088 | } | 1088 | } |
1089 | if (strncmp(ptr, "landlock.makeipc ", 17) == 0) { | 1089 | if (strncmp(ptr, "landlock.fs.makeipc ", 20) == 0) { |
1090 | ll_add_profile(LL_FS_MAKEIPC, ptr + 17); | 1090 | ll_add_profile(LL_FS_MAKEIPC, ptr + 20); |
1091 | return 0; | 1091 | return 0; |
1092 | } | 1092 | } |
1093 | if (strncmp(ptr, "landlock.makedev ", 17) == 0) { | 1093 | if (strncmp(ptr, "landlock.fs.makedev ", 20) == 0) { |
1094 | ll_add_profile(LL_FS_MAKEDEV, ptr + 17); | 1094 | ll_add_profile(LL_FS_MAKEDEV, ptr + 20); |
1095 | return 0; | 1095 | return 0; |
1096 | } | 1096 | } |
1097 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { | 1097 | if (strncmp(ptr, "landlock.fs.execute ", 20) == 0) { |
1098 | ll_add_profile(LL_FS_EXEC, ptr + 17); | 1098 | ll_add_profile(LL_FS_EXEC, ptr + 20); |
1099 | return 0; | 1099 | return 0; |
1100 | } | 1100 | } |
1101 | #endif | 1101 | #endif |
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c62e8c369..248b35853 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -135,11 +135,11 @@ static const char *const usage_str = | |||
135 | " --keep-var-tmp - /var/tmp directory is untouched.\n" | 135 | " --keep-var-tmp - /var/tmp directory is untouched.\n" |
136 | #ifdef HAVE_LANDLOCK | 136 | #ifdef HAVE_LANDLOCK |
137 | " --landlock.enforce - enforce the Landlock ruleset.\n" | 137 | " --landlock.enforce - enforce the Landlock ruleset.\n" |
138 | " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n" | 138 | " --landlock.fs.read=path - add a read access rule for the path to the Landlock ruleset.\n" |
139 | " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n" | 139 | " --landlock.fs.write=path - add a write access rule for the path to the Landlock ruleset.\n" |
140 | " --landlock.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n" | 140 | " --landlock.fs.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n" |
141 | " --landlock.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n" | 141 | " --landlock.fs.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n" |
142 | " --landlock.execute=path - add an execute access rule for the path to the Landlock ruleset.\n" | 142 | " --landlock.fs.execute=path - add an execute access rule for the path to the Landlock ruleset.\n" |
143 | #endif | 143 | #endif |
144 | " --list - list all sandboxes.\n" | 144 | " --list - list all sandboxes.\n" |
145 | #ifdef HAVE_FILE_TRANSFER | 145 | #ifdef HAVE_FILE_TRANSFER |
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index b6672c16b..e274a91d1 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
@@ -514,25 +514,25 @@ Enforce the Landlock ruleset. | |||
514 | .PP | 514 | .PP |
515 | Without it, the other Landlock commands have no effect. | 515 | Without it, the other Landlock commands have no effect. |
516 | .TP | 516 | .TP |
517 | \fBlandlock.read path | 517 | \fBlandlock.fs.read path |
518 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 518 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
519 | rule for path. | 519 | rule for path. |
520 | .TP | 520 | .TP |
521 | \fBlandlock.write path | 521 | \fBlandlock.fs.write path |
522 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 522 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
523 | rule for path. | 523 | rule for path. |
524 | .TP | 524 | .TP |
525 | \fBlandlock.makeipc path | 525 | \fBlandlock.fs.makeipc path |
526 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 526 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
527 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath | 527 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
528 | the given path. | 528 | the given path. |
529 | .TP | 529 | .TP |
530 | \fBlandlock.makedev path | 530 | \fBlandlock.fs.makedev path |
531 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 531 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
532 | allows the creation of block devices and character devices beneath the given | 532 | allows the creation of block devices and character devices beneath the given |
533 | path. | 533 | path. |
534 | .TP | 534 | .TP |
535 | \fBlandlock.execute path | 535 | \fBlandlock.fs.execute path |
536 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 536 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
537 | permission rule for path. | 537 | permission rule for path. |
538 | #endif | 538 | #endif |
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 6548b8e5d..618b4955e 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -1241,25 +1241,25 @@ Enforce the Landlock ruleset. | |||
1241 | Without it, the other Landlock commands have no effect. | 1241 | Without it, the other Landlock commands have no effect. |
1242 | See the \fBLANDLOCK\fR section for more information. | 1242 | See the \fBLANDLOCK\fR section for more information. |
1243 | .TP | 1243 | .TP |
1244 | \fB\-\-landlock.read=path | 1244 | \fB\-\-landlock.fs.read=path |
1245 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 1245 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
1246 | rule for path. | 1246 | rule for path. |
1247 | .TP | 1247 | .TP |
1248 | \fB\-\-landlock.write=path | 1248 | \fB\-\-landlock.fs.write=path |
1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
1250 | rule for path. | 1250 | rule for path. |
1251 | .TP | 1251 | .TP |
1252 | \fB\-\-landlock.makeipc=path | 1252 | \fB\-\-landlock.fs.makeipc=path |
1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1254 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath | 1254 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
1255 | the given path. | 1255 | the given path. |
1256 | .TP | 1256 | .TP |
1257 | \fB\-\-landlock.makedev=path | 1257 | \fB\-\-landlock.fs.makedev=path |
1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1259 | allows the creation of block devices and character devices beneath the given | 1259 | allows the creation of block devices and character devices beneath the given |
1260 | path. | 1260 | path. |
1261 | .TP | 1261 | .TP |
1262 | \fB\-\-landlock.execute=path | 1262 | \fB\-\-landlock.fs.execute=path |
1263 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 1263 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
1264 | permission rule for path. | 1264 | permission rule for path. |
1265 | .br | 1265 | .br |
@@ -1267,8 +1267,8 @@ permission rule for path. | |||
1267 | .br | 1267 | .br |
1268 | Example: | 1268 | Example: |
1269 | .br | 1269 | .br |
1270 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home | 1270 | $ firejail \-\-landlock.fs.read=/ \-\-landlock.fs.write=/home |
1271 | \-\-landlock.execute=/usr \-\-landlock.enforce | 1271 | \-\-landlock.fs.execute=/usr \-\-landlock.enforce |
1272 | #endif | 1272 | #endif |
1273 | .TP | 1273 | .TP |
1274 | \fB\-\-list | 1274 | \fB\-\-list |
@@ -3404,7 +3404,7 @@ features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. | |||
3404 | Without it, the other Landlock commands have no effect. | 3404 | Without it, the other Landlock commands have no effect. |
3405 | Example: | 3405 | Example: |
3406 | .PP | 3406 | .PP |
3407 | $ firejail \-\-landlock.enforce \-\-landlock.read=/media mc | 3407 | $ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc |
3408 | .PP | 3408 | .PP |
3409 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. | 3409 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. |
3410 | #endif | 3410 | #endif |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 45f24d5f3..15e9a5111 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -108,11 +108,11 @@ _firejail_args=( | |||
108 | '--keep-var-tmp[/var/tmp directory is untouched]' | 108 | '--keep-var-tmp[/var/tmp directory is untouched]' |
109 | #ifdef HAVE_LANDLOCK | 109 | #ifdef HAVE_LANDLOCK |
110 | '--landlock.enforce[enforce the Landlock ruleset]' | 110 | '--landlock.enforce[enforce the Landlock ruleset]' |
111 | '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' | 111 | '--landlock.fs.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' |
112 | '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' | 112 | '--landlock.fs.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' |
113 | '--landlock.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files' | 113 | '--landlock.fs.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files' |
114 | '--landlock.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files' | 114 | '--landlock.fs.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files' |
115 | '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' | 115 | '--landlock.fs.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' |
116 | #endif | 116 | #endif |
117 | '--machine-id[spoof /etc/machine-id with a random id]' | 117 | '--machine-id[spoof /etc/machine-id with a random id]' |
118 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | 118 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' |