author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-09-05 01:06:38 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-09-05 01:07:39 -0300 |
commit | 26c74796f3c76b8f0ea0b95a863eb707ecced195 (patch) | |
tree | 41219c5a69f0dd47db55b0a847741414533cb6e1 /README.md | |
parent | Revert "landlock: support in firejail --version" (diff) | |
download | firejail-26c74796f3c76b8f0ea0b95a863eb707ecced195.tar.gz firejail-26c74796f3c76b8f0ea0b95a863eb707ecced195.tar.zst firejail-26c74796f3c76b8f0ea0b95a863eb707ecced195.zip |
Revert "landlock: check for landlock support in glibc"
This reverts commit c5a052ffa4e2ccaf240635db116a49986808a2b6.
Part of reverting commits with Landlock-related changes.
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 40 |
1 files changed, 0 insertions, 40 deletions
@@ -270,46 +270,6 @@ Work in progress, the interface described in the man page below could change. | |||
270 | Example: | 270 | Example: |
271 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ | 271 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ |
272 | lock.execute=/usr | 272 | lock.execute=/usr |
273 | |||
274 | LANDLOCK | ||
275 | Landlock is a Linux security module first introduced in the 5.13 ver‐ | ||
276 | sion of Linux kernel. It allows unprivileged processes to restrict | ||
277 | their access to the filesystem. Once imposed, these restrictions can | ||
278 | never be removed, and all child processes created by a Landlock-re‐ | ||
279 | stricted processes inherit these restrictions. Firejail supports Land‐ | ||
280 | lock as an additional sandboxing feature. It can be used to ensure that | ||
281 | a sandboxed application can only access files and directories that it | ||
282 | was explicitly allowed to access. Firejail supports populating the | ||
283 | ruleset with both basic set of rules and with custom set of rules. Ba‐ | ||
284 | sic set of rules allows read-only access to /bin, /dev, /etc, /lib, | ||
285 | /opt, /proc, /usr and /var, read-write access to the home directory, | ||
286 | and allows execution of binaries located in /bin, /opt and /usr. | ||
287 | |||
288 | Important notes: | ||
289 | |||
290 | - A process can install a Landlock ruleset only if it has either | ||
291 | CAP_SYS_ADMIN in its effective capability set, or the "No New | ||
292 | Privileges" restriction enabled. Because of this, enabling the | ||
293 | Landlock feature will also cause Firejail to enable the "No New | ||
294 | Privileges" restriction, regardless of the profile or the | ||
295 | --no-new-privs command line option. | ||
296 | |||
297 | - Access to the /proc directory is managed through the --land‐ | ||
298 | lock.proc command line option. | ||
299 | |||
300 | - Access to the /etc directory is automatically allowed. To | ||
301 | override this, use the --writable-etc command line option. You | ||
302 | can also use the --private-etc option to restrict access to the | ||
303 | /etc directory. | ||
304 | |||
305 | To enable Landlock self-restriction on top of your current Firejail se‐ | ||
306 | curity features, pass --landlock flag to Firejail command line. You can | ||
307 | also use --landlock.read, --landlock.write, --landlock.special and | ||
308 | --landlock.execute options together with --landlock or instead of it. | ||
309 | Example: | ||
310 | |||
311 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro | ||
312 | mc | ||
313 | ````` | 273 | ````` |
314 | 274 | ||
315 | ### Profile Statistics | 275 | ### Profile Statistics |
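Review bot: The unchanged context at lines 270-272 still shows an example using --landlock.read, --landlock.write and --landlock.execute, so after this hunk README.md keeps a Landlock usage example while the LANDLOCK section that explained those options is gone. That includes the note that enabling Landlock forces the "No New Privileges" restriction. If another revert in this series removes the remaining example, say so in the commit message. Otherwise drop it in this commit as well, so the README does not show options it no longer documents. The commit message also gives no reason for reverting the Landlock changes. A one-line rationale or a pointer to the relevant discussion would help anyone reading the history later.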