diff options
| author |  netblue30 <netblue30@protonmail.com> | 2022-09-04 10:51:26 -0400 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2022-09-04 10:51:26 -0400 |
| commit | c5a052ffa4e2ccaf240635db116a49986808a2b6 (patch) | |
| tree | 14a9e860dc00cbb16cd6ec14602e4709c63caba8 /README.md | |
| parent | fix syntax in configure.ac (diff) | |
| download | firejail-c5a052ffa4e2ccaf240635db116a49986808a2b6.tar.gz firejail-c5a052ffa4e2ccaf240635db116a49986808a2b6.tar.zst firejail-c5a052ffa4e2ccaf240635db116a49986808a2b6.zip | |
landlock: check for landlock support in glibc
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 40 |
1 files changed, 40 insertions, 0 deletions
| @@ -270,6 +270,46 @@ Work in progress, the interface described in the man page below could change. | |||
| 270 | Example: | 270 | Example: |
| 271 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ | 271 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ |
| 272 | lock.execute=/usr | 272 | lock.execute=/usr |
| 273 | |||
| 274 | LANDLOCK | ||
| 275 | Landlock is a Linux security module first introduced in the 5.13 ver‐ | ||
| 276 | sion of Linux kernel. It allows unprivileged processes to restrict | ||
| 277 | their access to the filesystem. Once imposed, these restrictions can | ||
| 278 | never be removed, and all child processes created by a Landlock-re‐ | ||
| 279 | stricted processes inherit these restrictions. Firejail supports Land‐ | ||
| 280 | lock as an additional sandboxing feature. It can be used to ensure that | ||
| 281 | a sandboxed application can only access files and directories that it | ||
| 282 | was explicitly allowed to access. Firejail supports populating the | ||
| 283 | ruleset with both basic set of rules and with custom set of rules. Ba‐ | ||
| 284 | sic set of rules allows read-only access to /bin, /dev, /etc, /lib, | ||
| 285 | /opt, /proc, /usr and /var, read-write access to the home directory, | ||
| 286 | and allows execution of binaries located in /bin, /opt and /usr. | ||
| 287 | |||
| 288 | Important notes: | ||
| 289 | |||
| 290 | - A process can install a Landlock ruleset only if it has either | ||
| 291 | CAP_SYS_ADMIN in its effective capability set, or the "No New | ||
| 292 | Privileges" restriction enabled. Because of this, enabling the | ||
| 293 | Landlock feature will also cause Firejail to enable the "No New | ||
| 294 | Privileges" restriction, regardless of the profile or the | ||
| 295 | --no-new-privs command line option. | ||
| 296 | |||
| 297 | - Access to the /proc directory is managed through the --land‐ | ||
| 298 | lock.proc command line option. | ||
| 299 | |||
| 300 | - Access to the /etc directory is automatically allowed. To | ||
| 301 | override this, use the --writable-etc command line option. You | ||
| 302 | can also use the --private-etc option to restrict access to the | ||
| 303 | /etc directory. | ||
| 304 | |||
| 305 | To enable Landlock self-restriction on top of your current Firejail se‐ | ||
| 306 | curity features, pass --landlock flag to Firejail command line. You can | ||
| 307 | also use --landlock.read, --landlock.write, --landlock.special and | ||
| 308 | --landlock.execute options together with --landlock or instead of it. | ||
| 309 | Example: | ||
| 310 | |||
| 311 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro | ||
| 312 | mc | ||
| 273 | ````` | 313 | ````` |
| 274 | 314 | ||
| 275 | ### Profile Statistics | 315 | ### Profile Statistics |