landlock: update README.md, small fix in man firejal; update profile stats in README.md

author: netblue30 <netblue30@protonmail.com> 2023-12-04 10:20:51 -0500
committer: netblue30 <netblue30@protonmail.com> 2023-12-04 10:20:51 -0500
commit: 6d0559de7d34c2f095c70c646f3355b4237ec55b (patch)
tree: ae0a0f46fafc1b43f9b01827a7bd181b40d5cf70 /README.md
parent: nettrace (diff)
download: firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.tar.gz
firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.tar.zst
firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.zip
1 files changed, 71 insertions, 25 deletions
diff --git a/README.md b/README.md
index c51137808..a33098f01 100644
--- a/README.md
+++ b/README.md
@@ -311,6 +311,50 @@ Discussion:
 * [private-etc rework](https://github.com/netblue30/firejail/discussions/5610)
+### Landlock support
+* re-merged from #5315 ChrysoliteAzalea/landlock
+* Compile time detection based on /usr/include/kernel/landlock.h - if the file is present in the filesystem, the feature is compiled in.
+* Run-time detection of kernels 6.1 (debian stable) or newer.
+```text
+LANDLOCK
+       Landlock is a Linux security module first introduced in version 5.13 of
+       the  Linux  kernel.  It allows unprivileged processes to restrict their
+       access to the filesystem.  Once imposed, these restrictions  can  never
+       be  removed,  and  all child processes created by a Landlock-restricted
+       processes inherit these restrictions.  Firejail supports Landlock as an
+       additional  sandboxing  feature.  It can be used to ensure that a sand‐
+       boxed application can only access files and directories that it was ex‐
+       plicitly  allowed  to access.  Firejail supports populating the ruleset
+       with both a basic set of rules (see --landlock) and with a  custom  set
+       of rules.
+       Important notes:
+              - A process can install a Landlock ruleset only if it has either
+              CAP_SYS_ADMIN in its effective capability set, or  the  "No  New
+              Privileges"  restriction enabled.  Because of this, enabling the
+              Landlock feature will also cause Firejail to enable the "No  New
+              Privileges"  restriction,  regardless  of  the  profile  or  the
+              --no-new-privs command line option.
+              - Access to the /proc directory is managed through  the  --land‐
+              lock.proc command line option.
+              -  Access  to  the  /etc directory is automatically allowed.  To
+              override this, use the --writable-etc command line option.   You
+              can  also use the --private-etc option to restrict access to the
+              /etc directory.
+       To enable Landlock self-restriction on top of your current Firejail se‐
+       curity  features,  pass  --landlock flag to Firejail command line.  You
+       can also use --landlock.read, --landlock.write, --landlock.special  and
+       --landlock.execute  options  together with --landlock or instead of it.
+       Example:
+       $ firejail --landlock --landlock.read=/media --landlock.proc=ro mc
+```
 ### Profile Statistics
 A small tool to print profile statistics.  Compile and install as usual.  The
@@ -321,33 +365,35 @@ Run it over the profiles in /etc/profiles:
 ```console
 $ /usr/lib/firejail/profstats /etc/firejail/*.profile
 No include .local found in /etc/firejail/noprofile.profile
+Warning: multiple caps in /etc/firejail/tidal-hifi.profile
 Warning: multiple caps in /etc/firejail/transmission-daemon.profile
 Stats:
-    profiles                    1209
+    profiles                    1249
-    include local profile       1208   (include profile-name.local)
+    include local profile       1248   (include profile-name.local)
-    include globals             1181   (include globals.local)
+    include globals             1217   (include globals.local)
-    blacklist ~/.ssh            1079   (include disable-common.inc)
+    blacklist ~/.ssh            1117   (include disable-common.inc)
-    seccomp                     1096
+    seccomp                     1127
-    capabilities                1202
+    capabilities                1242
-    noexec                      1087   (include disable-exec.inc)
+    noexec                      1125   (include disable-exec.inc)
-    noroot                      1003
+    noroot                      1030
-    memory-deny-write-execute   272
+    memory-deny-write-execute   285
-    restrict-namespaces         958
+    restrict-namespaces         981
-    apparmor                    753
+    apparmor                    788
-    private-bin                 704
+    private-bin                 750
-    private-dev                 1058
+    private-dev                 1090
-    private-etc                 550
+    private-etc                 763
-    private-lib                 71
+    private-lib                 78
-    private-tmp                 932
+    private-tmp                 959
-    whitelist home directory    585
+    whitelist home directory    609
-    whitelist var               870   (include whitelist-var-common.inc)
+    whitelist var               907   (include whitelist-var-common.inc)
-    whitelist run/user          1176   (include whitelist-runuser-common.inc
+    whitelist run/user          1214   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         640   (include whitelist-usr-share-common.inc
+    whitelist usr/share         690   (include whitelist-usr-share-common.inc
-    net none                    410
+    net none                    420
-    dbus-user none              679
+    dbus-user none              705
-    dbus-user filter            141
+    dbus-user filter            164
-    dbus-system none            851
+    dbus-system none            889
-    dbus-system filter          12
+    dbus-system filter          13
 ```
author	netblue30 <netblue30@protonmail.com>	2023-12-04 10:20:51 -0500
committer	netblue30 <netblue30@protonmail.com>	2023-12-04 10:20:51 -0500
commit	6d0559de7d34c2f095c70c646f3355b4237ec55b (patch)
tree	ae0a0f46fafc1b43f9b01827a7bd181b40d5cf70 /README.md
parent	nettrace (diff)
download	firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.tar.gz firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.tar.zst firejail-6d0559de7d34c2f095c70c646f3355b4237ec55b.zip

diff --git a/README.md b/README.md index c51137808..a33098f01 100644 --- a/README.md +++ b/README.md
@@ -311,6 +311,50 @@ Discussion:
311		311
312	* [private-etc rework](https://github.com/netblue30/firejail/discussions/5610)	312	* [private-etc rework](https://github.com/netblue30/firejail/discussions/5610)
313		313
		314	### Landlock support
		315	* re-merged from #5315 ChrysoliteAzalea/landlock
		316	* Compile time detection based on /usr/include/kernel/landlock.h - if the file is present in the filesystem, the feature is compiled in.
		317	* Run-time detection of kernels 6.1 (debian stable) or newer.
		318
		319	```text
		320	LANDLOCK
		321	Landlock is a Linux security module first introduced in version 5.13 of
		322	the Linux kernel. It allows unprivileged processes to restrict their
		323	access to the filesystem. Once imposed, these restrictions can never
		324	be removed, and all child processes created by a Landlock-restricted
		325	processes inherit these restrictions. Firejail supports Landlock as an
		326	additional sandboxing feature. It can be used to ensure that a sand‐
		327	boxed application can only access files and directories that it was ex‐
		328	plicitly allowed to access. Firejail supports populating the ruleset
		329	with both a basic set of rules (see --landlock) and with a custom set
		330	of rules.
		331
		332	Important notes:
		333
		334	- A process can install a Landlock ruleset only if it has either
		335	CAP_SYS_ADMIN in its effective capability set, or the "No New
		336	Privileges" restriction enabled. Because of this, enabling the
		337	Landlock feature will also cause Firejail to enable the "No New
		338	Privileges" restriction, regardless of the profile or the
		339	--no-new-privs command line option.
		340
		341	- Access to the /proc directory is managed through the --land‐
		342	lock.proc command line option.
		343
		344	- Access to the /etc directory is automatically allowed. To
		345	override this, use the --writable-etc command line option. You
		346	can also use the --private-etc option to restrict access to the
		347	/etc directory.
		348
		349	To enable Landlock self-restriction on top of your current Firejail se‐
		350	curity features, pass --landlock flag to Firejail command line. You
		351	can also use --landlock.read, --landlock.write, --landlock.special and
		352	--landlock.execute options together with --landlock or instead of it.
		353	Example:
		354
		355	$ firejail --landlock --landlock.read=/media --landlock.proc=ro mc
		356	```
		357
314	### Profile Statistics	358	### Profile Statistics
315		359
316	A small tool to print profile statistics. Compile and install as usual. The	360	A small tool to print profile statistics. Compile and install as usual. The
@@ -321,33 +365,35 @@ Run it over the profiles in /etc/profiles:
321	```console	365	```console
322	$ /usr/lib/firejail/profstats /etc/firejail/*.profile	366	$ /usr/lib/firejail/profstats /etc/firejail/*.profile
323	No include .local found in /etc/firejail/noprofile.profile	367	No include .local found in /etc/firejail/noprofile.profile
		368	Warning: multiple caps in /etc/firejail/tidal-hifi.profile
324	Warning: multiple caps in /etc/firejail/transmission-daemon.profile	369	Warning: multiple caps in /etc/firejail/transmission-daemon.profile
325		370
326	Stats:	371	Stats:
327	profiles 1209	372	profiles 1249
328	include local profile 1208 (include profile-name.local)	373	include local profile 1248 (include profile-name.local)
329	include globals 1181 (include globals.local)	374	include globals 1217 (include globals.local)
330	blacklist ~/.ssh 1079 (include disable-common.inc)	375	blacklist ~/.ssh 1117 (include disable-common.inc)
331	seccomp 1096	376	seccomp 1127
332	capabilities 1202	377	capabilities 1242
333	noexec 1087 (include disable-exec.inc)	378	noexec 1125 (include disable-exec.inc)
334	noroot 1003	379	noroot 1030
335	memory-deny-write-execute 272	380	memory-deny-write-execute 285
336	restrict-namespaces 958	381	restrict-namespaces 981
337	apparmor 753	382	apparmor 788
338	private-bin 704	383	private-bin 750
339	private-dev 1058	384	private-dev 1090
340	private-etc 550	385	private-etc 763
341	private-lib 71	386	private-lib 78
342	private-tmp 932	387	private-tmp 959
343	whitelist home directory 585	388	whitelist home directory 609
344	whitelist var 870 (include whitelist-var-common.inc)	389	whitelist var 907 (include whitelist-var-common.inc)
345	whitelist run/user 1176 (include whitelist-runuser-common.inc	390	whitelist run/user 1214 (include whitelist-runuser-common.inc
346	or blacklist ${RUNUSER})	391	or blacklist ${RUNUSER})
347	whitelist usr/share 640 (include whitelist-usr-share-common.inc	392	whitelist usr/share 690 (include whitelist-usr-share-common.inc
348	net none 410	393	net none 420
349	dbus-user none 679	394	dbus-user none 705
350	dbus-user filter 141	395	dbus-user filter 164
351	dbus-system none 851	396	dbus-system none 889
352	dbus-system filter 12	397	dbus-system filter 13
		398
353	```	399	```