diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2022-09-06 11:20:55 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2022-09-06 11:20:55 +0000 |
| commit | 60db9f7851698fcccb3dd2dbd130523014e65699 (patch) | |
| tree | 70c31e6b005a07eb59e7720fad4c446547c78afe /README.md | |
| parent | Merge pull request #5361 from glitsj16/irc (diff) | |
| parent | README/README.md (diff) | |
| download | firejail-60db9f7851698fcccb3dd2dbd130523014e65699.tar.gz firejail-60db9f7851698fcccb3dd2dbd130523014e65699.tar.zst firejail-60db9f7851698fcccb3dd2dbd130523014e65699.zip | |
Merge pull request #5347 from kmk3/revert-landlock
Revert "Add Landlock support to Firejail"
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 84 |
1 files changed, 0 insertions, 84 deletions
| @@ -230,90 +230,6 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 | |||
| 230 | kernel. For more information, please see APPARMOR section be‐ | 230 | kernel. For more information, please see APPARMOR section be‐ |
| 231 | ````` | 231 | ````` |
| 232 | 232 | ||
| 233 | ### Landlock support - EXPERIMENTAL | ||
| 234 | For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build | ||
| 235 | or in the executable archives we provide. It will be "officially" released | ||
| 236 | in 0.9.74, sometime early next year. For now, use --enable-landlock during software compile: | ||
| 237 | ````` | ||
| 238 | $ ./configure --enable-landlock | ||
| 239 | ````` | ||
| 240 | The functionality is segragated with ifdefs in the code, at times it might not even compile! | ||
| 241 | Work in progress, the interface described in the man page below could change. | ||
| 242 | ````` | ||
| 243 | --landlock | ||
| 244 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
| 245 | basic access rules to it. See LANDLOCK section for more informa‐ | ||
| 246 | tion. | ||
| 247 | |||
| 248 | --landlock.proc=no|ro|rw | ||
| 249 | Add an access rule for /proc directory (read-only if set to ro | ||
| 250 | and read-write if set to rw). The access rule for /proc is added | ||
| 251 | after this directory is set up in the sandbox. Access rules for | ||
| 252 | /proc set up with other Landlock-related command-line options | ||
| 253 | have no effect. | ||
| 254 | |||
| 255 | --landlock.read=path | ||
| 256 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
| 257 | a read access rule for path. | ||
| 258 | |||
| 259 | --landlock.write=path | ||
| 260 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
| 261 | a write access rule for path. | ||
| 262 | |||
| 263 | --landlock.special=path | ||
| 264 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
| 265 | a permission rule to create FIFO pipes, Unix domain sockets and | ||
| 266 | block devices beneath given path. | ||
| 267 | |||
| 268 | --landlock.execute=path | ||
| 269 | Create a Landlock ruleset (if it doesn't already exist) and add | ||
| 270 | an execution permission rule for path. | ||
| 271 | |||
| 272 | Example: | ||
| 273 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ | ||
| 274 | lock.execute=/usr | ||
| 275 | |||
| 276 | LANDLOCK | ||
| 277 | Landlock is a Linux security module first introduced in the 5.13 ver‐ | ||
| 278 | sion of Linux kernel. It allows unprivileged processes to restrict | ||
| 279 | their access to the filesystem. Once imposed, these restrictions can | ||
| 280 | never be removed, and all child processes created by a Landlock-re‐ | ||
| 281 | stricted processes inherit these restrictions. Firejail supports Land‐ | ||
| 282 | lock as an additional sandboxing feature. It can be used to ensure that | ||
| 283 | a sandboxed application can only access files and directories that it | ||
| 284 | was explicitly allowed to access. Firejail supports populating the | ||
| 285 | ruleset with both basic set of rules and with custom set of rules. Ba‐ | ||
| 286 | sic set of rules allows read-only access to /bin, /dev, /etc, /lib, | ||
| 287 | /opt, /proc, /usr and /var, read-write access to the home directory, | ||
| 288 | and allows execution of binaries located in /bin, /opt and /usr. | ||
| 289 | |||
| 290 | Important notes: | ||
| 291 | |||
| 292 | - A process can install a Landlock ruleset only if it has either | ||
| 293 | CAP_SYS_ADMIN in its effective capability set, or the "No New | ||
| 294 | Privileges" restriction enabled. Because of this, enabling the | ||
| 295 | Landlock feature will also cause Firejail to enable the "No New | ||
| 296 | Privileges" restriction, regardless of the profile or the | ||
| 297 | --no-new-privs command line option. | ||
| 298 | |||
| 299 | - Access to the /proc directory is managed through the --land‐ | ||
| 300 | lock.proc command line option. | ||
| 301 | |||
| 302 | - Access to the /etc directory is automatically allowed. To | ||
| 303 | override this, use the --writable-etc command line option. You | ||
| 304 | can also use the --private-etc option to restrict access to the | ||
| 305 | /etc directory. | ||
| 306 | |||
| 307 | To enable Landlock self-restriction on top of your current Firejail se‐ | ||
| 308 | curity features, pass --landlock flag to Firejail command line. You can | ||
| 309 | also use --landlock.read, --landlock.write, --landlock.special and | ||
| 310 | --landlock.execute options together with --landlock or instead of it. | ||
| 311 | Example: | ||
| 312 | |||
| 313 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro | ||
| 314 | mc | ||
| 315 | ````` | ||
| 316 | |||
| 317 | ### Profile Statistics | 233 | ### Profile Statistics |
| 318 | 234 | ||
| 319 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. | 235 | A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. |