author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-17 19:57:29 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-11 22:47:11 -0300 |
commit | 760f50f78ad13664d7a32b4577381c0341ab2d4a (patch) | |
tree | 36a091d2740c624c13bbdcc46ab32e295f74b19a /contrib | |
parent | landlock: avoid landlock syscalls before ll_restrict (diff) | |

landlock: move commands into profile and add landlock.enforce

Changes:

* Move commands from --landlock and --landlock.proc= into
  etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce

Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).

Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.

Relates to #6078.

Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/syntax/lists/profile_commands_arg0.list | 2 | ||||
-rw-r--r-- | contrib/syntax/lists/profile_commands_arg1.list | 1 |
2 files changed, 1 insertions, 2 deletions
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list index 4d49e96d9..0ac70e5cf 100644 --- a/contrib/syntax/lists/profile_commands_arg0.list +++ b/contrib/syntax/lists/profile_commands_arg0.list | |||
@@ -12,7 +12,7 @@ keep-config-pulse | |||
12 | keep-dev-shm | 12 | keep-dev-shm |
13 | keep-shell-rc | 13 | keep-shell-rc |
14 | keep-var-tmp | 14 | keep-var-tmp |
15 | landlock | 15 | landlock.enforce |
16 | machine-id | 16 | machine-id |
17 | memory-deny-write-execute | 17 | memory-deny-write-execute |
18 | netfilter | 18 | netfilter |
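Review bot: Replacing `landlock` with `landlock.enforce` at line 15 leaves no entry for the old bare command, and because the commit message makes enforcement opt-in, a profile that still contains `landlock` could end up running with no Landlock rules enforced. Please confirm that the profile parser rejects or warns on the removed command instead of ignoring it, and mention the rename in the release notes so users know to switch to `landlock.enforce`.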
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list index cce37efa0..e76b6ef40 100644 --- a/contrib/syntax/lists/profile_commands_arg1.list +++ b/contrib/syntax/lists/profile_commands_arg1.list | |||
@@ -30,7 +30,6 @@ iprange | |||
30 | join-or-start | 30 | join-or-start |
31 | keep-fd | 31 | keep-fd |
32 | landlock.execute | 32 | landlock.execute |
33 | landlock.proc | ||
34 | landlock.read | 33 | landlock.read |
35 | landlock.special | 34 | landlock.special |
36 | landlock.write | 35 | landlock.write |
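Review bot: Removing `landlock.proc` at old line 33 adds no counterpart in this list, so a profile that still passes an argument to it loses the keyword entirely, and nothing here tells the user what to write instead. The commit message says the rules moved into etc/inc/landlock-common.inc; please document there or in the man page which of the remaining `landlock.read`, `landlock.write`, `landlock.special` and `landlock.execute` entries give the equivalent /proc handling, and confirm that a leftover `landlock.proc` line is reported as an error.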