Merge pull request #6302 from kmk3/docs-warn-landlock

docs: warn about limitations of landlock
author: netblue30 <netblue30@protonmail.com> 2024-04-11 09:39:44 -0400
committer: GitHub <noreply@github.com> 2024-04-11 09:39:44 -0400
commit: 27cd032bed923d01edd859bcebe79b33c3ee18fd (patch)
tree: a8de89a8a96e34cdd05f11b364b9839da45b0da5
parent: Merge pull request #6305 from kmk3/landlock-amend-empty (diff)
parent: docs: warn about limitations of landlock (diff)
download: firejail-27cd032bed923d01edd859bcebe79b33c3ee18fd.tar.gz
firejail-27cd032bed923d01edd859bcebe79b33c3ee18fd.tar.zst
firejail-27cd032bed923d01edd859bcebe79b33c3ee18fd.zip
2 files changed, 32 insertions, 12 deletions
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index e274a91d1..8c039eb46 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -509,30 +509,30 @@ Blacklist all Linux capabilities.
 Whitelist given Linux capabilities.
 #ifdef HAVE_LANDLOCK
 .TP
-\fBlandlock.enforce
+\fBlandlock.enforce (experimental)
 Enforce the Landlock ruleset.
 .PP
 Without it, the other Landlock commands have no effect.
 .TP
-\fBlandlock.fs.read path
+\fBlandlock.fs.read path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a read access
 rule for path.
 .TP
-\fBlandlock.fs.write path
+\fBlandlock.fs.write path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fBlandlock.fs.makeipc path
+\fBlandlock.fs.makeipc path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
 the given path.
 .TP
-\fBlandlock.fs.makedev path
+\fBlandlock.fs.makedev path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of block devices and character devices beneath the given
 path.
 .TP
-\fBlandlock.fs.execute path
+\fBlandlock.fs.execute path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add an execution
 permission rule for path.
 #endif
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 618b4955e..87bd6fcc2 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1236,30 +1236,30 @@ $ firejail --keep-var-tmp
 #ifdef HAVE_LANDLOCK
 .TP
-\fB\-\-landlock.enforce
+\fB\-\-landlock.enforce (experimental)
 Enforce the Landlock ruleset.
 Without it, the other Landlock commands have no effect.
 See the \fBLANDLOCK\fR section for more information.
 .TP
-\fB\-\-landlock.fs.read=path
+\fB\-\-landlock.fs.read=path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a read access
 rule for path.
 .TP
-\fB\-\-landlock.fs.write=path
+\fB\-\-landlock.fs.write=path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fB\-\-landlock.fs.makeipc=path
+\fB\-\-landlock.fs.makeipc=path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
 the given path.
 .TP
-\fB\-\-landlock.fs.makedev=path
+\fB\-\-landlock.fs.makedev=path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
 allows the creation of block devices and character devices beneath the given
 path.
 .TP
-\fB\-\-landlock.fs.execute=path
+\fB\-\-landlock.fs.execute=path (experimental)
 Create a Landlock ruleset (if it doesn't already exist) and add an execution
 permission rule for path.
 .br
@@ -3372,6 +3372,21 @@ $ firejail --apparmor firefox
 #ifdef HAVE_LANDLOCK
 .SH LANDLOCK
+Warning: Landlock support in firejail is considered experimental and unstable.
+The contents of landlock-common.inc are likely to change and the feature is
+still being expanded upon in the Linux kernel.
+Also, note that its functionality overlaps with existing firejail features,
+such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
+Its filesystem access rules can currently only restrict direct access to paths;
+it is not able to make only select paths appear in the sandbox such as with the
+\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
+Lastly, note that depending on the Linux kernel version, Landlock may not
+protect all of the relevant syscalls (see the kernel's Landlock documentation
+for details).
+Therefore, it is recommended to treat Landlock as an extra layer of protection,
+to be used together with other firejail features (rather than as a bulletproof
+mechanism by itself).
+.PP
 Landlock is a Linux security module first introduced in version 5.13 of the
 Linux kernel.
 It allows unprivileged processes to restrict their access to the filesystem.
@@ -3386,6 +3401,11 @@ landlock-common.inc) and with a custom set of rules.
 Important notes:
 .PP
 .RS
+- Currently only Landlock ABI version 1 is supported.
+.PP
+- If "lsm=" is used in the kernel command line, it should contain "landlock"
+(such as "lsm=apparmor,landlock"), or else it will be disabled.
+.PP
 - A process can install a Landlock ruleset only if it has either
 \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
 Privileges" restriction enabled.
author	netblue30 <netblue30@protonmail.com>	2024-04-11 09:39:44 -0400
committer	GitHub <noreply@github.com>	2024-04-11 09:39:44 -0400
commit	27cd032bed923d01edd859bcebe79b33c3ee18fd (patch)
tree	a8de89a8a96e34cdd05f11b364b9839da45b0da5
parent	Merge pull request #6305 from kmk3/landlock-amend-empty (diff)
parent	docs: warn about limitations of landlock (diff)
download	firejail-27cd032bed923d01edd859bcebe79b33c3ee18fd.tar.gz firejail-27cd032bed923d01edd859bcebe79b33c3ee18fd.tar.zst firejail-27cd032bed923d01edd859bcebe79b33c3ee18fd.zip