author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-09-06 11:20:55 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-06 11:20:55 +0000 |
commit | 60db9f7851698fcccb3dd2dbd130523014e65699 (patch) | |
tree | 70c31e6b005a07eb59e7720fad4c446547c78afe /README.md | |
parent | Merge pull request #5361 from glitsj16/irc (diff) | |
parent | README/README.md (diff) | |
Merge pull request #5347 from kmk3/revert-landlock
Revert "Add Landlock support to Firejail"
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 84 |
1 files changed, 0 insertions, 84 deletions
@@ -230,90 +230,6 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
230 | kernel. For more information, please see APPARMOR section be‐ | 230 | kernel. For more information, please see APPARMOR section be‐ |
231 | ````` | 231 | ````` |
232 | 232 | ||
233 | ### Landlock support - EXPERIMENTAL | ||
234 | For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build | ||
235 | or in the executable archives we provide. It will be "officially" released | ||
236 | in 0.9.74, sometime early next year. For now, use --enable-landlock during software compile: | ||
237 | ````` | ||
238 | $ ./configure --enable-landlock | ||
239 | ````` | ||
240 | The functionality is segragated with ifdefs in the code, at times it might not even compile! | ||
241 | Work in progress, the interface described in the man page below could change. | ||
242 | ````` | ||
243 | --landlock | ||
244 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
245 | basic access rules to it. See LANDLOCK section for more informa‐ | ||
246 | tion. | ||
247 | |||
248 | --landlock.proc=no|ro|rw | ||
249 | Add an access rule for /proc directory (read-only if set to ro | ||
250 | and read-write if set to rw). The access rule for /proc is added | ||
251 | after this directory is set up in the sandbox. Access rules for | ||
252 | /proc set up with other Landlock-related command-line options | ||
253 | have no effect. | ||
254 | |||
255 | --landlock.read=path | ||
256 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
257 | a read access rule for path. | ||
258 | |||
259 | --landlock.write=path | ||
260 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
261 | a write access rule for path. | ||
262 | |||
263 | --landlock.special=path | ||
264 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
265 | a permission rule to create FIFO pipes, Unix domain sockets and | ||
266 | block devices beneath given path. | ||
267 | |||
268 | --landlock.execute=path | ||
269 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
270 | an execution permission rule for path. | ||
271 | |||
272 | Example: | ||
273 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ | ||
274 | lock.execute=/usr | ||
275 | |||
276 | LANDLOCK | ||
277 | Landlock is a Linux security module first introduced in the 5.13 ver‐ | ||
278 | sion of Linux kernel. It allows unprivileged processes to restrict | ||
279 | their access to the filesystem. Once imposed, these restrictions can | ||
280 | never be removed, and all child processes created by a Landlock-re‐ | ||
281 | stricted processes inherit these restrictions. Firejail supports Land‐ | ||
282 | lock as an additional sandboxing feature. It can be used to ensure that | ||
283 | a sandboxed application can only access files and directories that it | ||
284 | was explicitly allowed to access. Firejail supports populating the | ||
285 | ruleset with both basic set of rules and with custom set of rules. Ba‐ | ||
286 | sic set of rules allows read-only access to /bin, /dev, /etc, /lib, | ||
287 | /opt, /proc, /usr and /var, read-write access to the home directory, | ||
288 | and allows execution of binaries located in /bin, /opt and /usr. | ||
289 | |||
290 | Important notes: | ||
291 | |||
292 | - A process can install a Landlock ruleset only if it has either | ||
293 | CAP_SYS_ADMIN in its effective capability set, or the "No New | ||
294 | Privileges" restriction enabled. Because of this, enabling the | ||
295 | Landlock feature will also cause Firejail to enable the "No New | ||
296 | Privileges" restriction, regardless of the profile or the | ||
297 | --no-new-privs command line option. | ||
298 | |||
299 | - Access to the /proc directory is managed through the --land‐ | ||
300 | lock.proc command line option. | ||
301 | |||
302 | - Access to the /etc directory is automatically allowed. To | ||
303 | override this, use the --writable-etc command line option. You | ||
304 | can also use the --private-etc option to restrict access to the | ||
305 | /etc directory. | ||
306 | |||
307 | To enable Landlock self-restriction on top of your current Firejail se‐ | ||
308 | curity features, pass --landlock flag to Firejail command line. You can | ||
309 | also use --landlock.read, --landlock.write, --landlock.special and | ||
310 | --landlock.execute options together with --landlock or instead of it. | ||
311 | Example: | ||
312 | |||
313 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro | ||
314 | mc | ||
315 | ````` | ||
316 | |||
317 | ### Profile Statistics | 233 | ### Profile Statistics |
318 | 234 | ||
319 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 235 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |
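Review bot: Because this view is limited to README.md, the hunk only shows the documentation half of the revert; check that the same merge also drops the `--enable-landlock` configure option and the `--landlock`, `--landlock.proc`, `--landlock.read`, `--landlock.write`, `--landlock.special` and `--landlock.execute` man page entries that this section quoted, so that no build flag or option survives in the tree while being described nowhere. If the section is restored in a later release, paste the man page excerpt without the soft hyphens that came through in the rendered text (`be‐`, `informa‐`, `--land‐` / `lock.execute`, `Landlock-re‐` / `stricted`), since they break copy-paste of the example commands, and fix "segragated" to "segregated".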