author | netblue30 <netblue30@protonmail.com> | 2023-12-04 10:20:51 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2023-12-04 10:20:51 -0500 |
commit | 6d0559de7d34c2f095c70c646f3355b4237ec55b (patch) | |
tree | ae0a0f46fafc1b43f9b01827a7bd181b40d5cf70 /README.md | |
parent | nettrace (diff) | |
download | firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.tar.gz firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.tar.zst firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.zip |
landlock: update README.md, small fix in man firejail; update profile stats in README.md
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 96 |
1 files changed, 71 insertions, 25 deletions
@@ -311,6 +311,50 @@ Discussion: | |||
311 | 311 | ||
312 | * [private-etc rework](https://github.com/netblue30/firejail/discussions/5610) | 312 | * [private-etc rework](https://github.com/netblue30/firejail/discussions/5610) |
313 | 313 | ||
314 | ### Landlock support | ||
315 | * re-merged from #5315 ChrysoliteAzalea/landlock | ||
316 | * Compile time detection based on /usr/include/kernel/landlock.h - if the file is present in the filesystem, the feature is compiled in. | ||
317 | * Run-time detection of kernels 6.1 (debian stable) or newer. | ||
318 | |||
319 | ```text | ||
320 | LANDLOCK | ||
321 | Landlock is a Linux security module first introduced in version 5.13 of | ||
322 | the Linux kernel. It allows unprivileged processes to restrict their | ||
323 | access to the filesystem. Once imposed, these restrictions can never | ||
324 | be removed, and all child processes created by a Landlock-restricted | ||
325 | processes inherit these restrictions. Firejail supports Landlock as an | ||
326 | additional sandboxing feature. It can be used to ensure that a sand‐ | ||
327 | boxed application can only access files and directories that it was ex‐ | ||
328 | plicitly allowed to access. Firejail supports populating the ruleset | ||
329 | with both a basic set of rules (see --landlock) and with a custom set | ||
330 | of rules. | ||
331 | |||
332 | Important notes: | ||
333 | |||
334 | - A process can install a Landlock ruleset only if it has either | ||
335 | CAP_SYS_ADMIN in its effective capability set, or the "No New | ||
336 | Privileges" restriction enabled. Because of this, enabling the | ||
337 | Landlock feature will also cause Firejail to enable the "No New | ||
338 | Privileges" restriction, regardless of the profile or the | ||
339 | --no-new-privs command line option. | ||
340 | |||
341 | - Access to the /proc directory is managed through the --land‐ | ||
342 | lock.proc command line option. | ||
343 | |||
344 | - Access to the /etc directory is automatically allowed. To | ||
345 | override this, use the --writable-etc command line option. You | ||
346 | can also use the --private-etc option to restrict access to the | ||
347 | /etc directory. | ||
348 | |||
349 | To enable Landlock self-restriction on top of your current Firejail se‐ | ||
350 | curity features, pass --landlock flag to Firejail command line. You | ||
351 | can also use --landlock.read, --landlock.write, --landlock.special and | ||
352 | --landlock.execute options together with --landlock or instead of it. | ||
353 | Example: | ||
354 | |||
355 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro mc | ||
356 | ``` | ||
357 | |||
314 | ### Profile Statistics | 358 | ### Profile Statistics |
315 | 359 | ||
316 | A small tool to print profile statistics. Compile and install as usual. The | 360 | A small tool to print profile statistics. Compile and install as usual. The |
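Review bot: the man-page excerpt pasted into the new ```text block (lines 321-355) still carries the terminal's soft-hyphen line breaks ("sand‐ boxed", "ex‐ plicitly", "se‐ curity" and, worst, "--land‐ lock.proc", which splits an option name), so the README will render broken words and a wrong flag spelling; re-wrap the text without the hyphenation before merging. Two smaller points in the same block: "all child processes created by a Landlock-restricted processes inherit" should read "process", and "pass --landlock flag" should read "pass the --landlock flag". Also, line 317 says run-time detection requires kernel 6.1 or newer while line 321 says Landlock exists since 5.13; if 6.1 is deliberate (for example a newer Landlock ABI version), a short note explaining why would save readers on 5.13-6.0 kernels from wondering why the feature is refused. Finally, please double-check the compile-time header path on line 316 ("/usr/include/kernel/landlock.h"): the kernel UAPI headers are normally installed under /usr/include/linux/, so this may be a typo.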
@@ -321,33 +365,35 @@ Run it over the profiles in /etc/profiles: | |||
321 | ```console | 365 | ```console |
322 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile | 366 | $ /usr/lib/firejail/profstats /etc/firejail/*.profile |
323 | No include .local found in /etc/firejail/noprofile.profile | 367 | No include .local found in /etc/firejail/noprofile.profile |
368 | Warning: multiple caps in /etc/firejail/tidal-hifi.profile | ||
324 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 369 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
325 | 370 | ||
326 | Stats: | 371 | Stats: |
327 | profiles 1209 | 372 | profiles 1249 |
328 | include local profile 1208 (include profile-name.local) | 373 | include local profile 1248 (include profile-name.local) |
329 | include globals 1181 (include globals.local) | 374 | include globals 1217 (include globals.local) |
330 | blacklist ~/.ssh 1079 (include disable-common.inc) | 375 | blacklist ~/.ssh 1117 (include disable-common.inc) |
331 | seccomp 1096 | 376 | seccomp 1127 |
332 | capabilities 1202 | 377 | capabilities 1242 |
333 | noexec 1087 (include disable-exec.inc) | 378 | noexec 1125 (include disable-exec.inc) |
334 | noroot 1003 | 379 | noroot 1030 |
335 | memory-deny-write-execute 272 | 380 | memory-deny-write-execute 285 |
336 | restrict-namespaces 958 | 381 | restrict-namespaces 981 |
337 | apparmor 753 | 382 | apparmor 788 |
338 | private-bin 704 | 383 | private-bin 750 |
339 | private-dev 1058 | 384 | private-dev 1090 |
340 | private-etc 550 | 385 | private-etc 763 |
341 | private-lib 71 | 386 | private-lib 78 |
342 | private-tmp 932 | 387 | private-tmp 959 |
343 | whitelist home directory 585 | 388 | whitelist home directory 609 |
344 | whitelist var 870 (include whitelist-var-common.inc) | 389 | whitelist var 907 (include whitelist-var-common.inc) |
345 | whitelist run/user 1176 (include whitelist-runuser-common.inc | 390 | whitelist run/user 1214 (include whitelist-runuser-common.inc |
346 | or blacklist ${RUNUSER}) | 391 | or blacklist ${RUNUSER}) |
347 | whitelist usr/share 640 (include whitelist-usr-share-common.inc | 392 | whitelist usr/share 690 (include whitelist-usr-share-common.inc |
348 | net none 410 | 393 | net none 420 |
349 | dbus-user none 679 | 394 | dbus-user none 705 |
350 | dbus-user filter 141 | 395 | dbus-user filter 164 |
351 | dbus-system none 851 | 396 | dbus-system none 889 |
352 | dbus-system filter 12 | 397 | dbus-system filter 13 |
398 | |||
353 | ``` | 399 | ``` |
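Review bot: the new line 398 adds an empty line inside the ```console block right before the closing fence, which the old block did not have; drop it so the output block ends cleanly. While touching these lines, the "whitelist usr/share" entry (line 392) has an unclosed parenthesis "(include whitelist-usr-share-common.inc" in both old and new text, unlike the "whitelist run/user" entry two lines above which is closed on its continuation line; closing it here would be a cheap fix. The counts themselves look consistent with the profile total going from 1209 to 1249, except "private-etc" which jumps from 550 to 763 while every other entry moves by a few percent; if that is the expected effect of the private-etc rework linked at line 312, it might be worth a word in the commit message so the jump is not mistaken for a counting error.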