landlock: move commands into profile and add landlock.enforce

Changes: * Move commands from --landlock and --landlock.proc= into etc/inc/landlock-common.inc * Remove --landlock and --landlock.proc= * Add --landlock.enforce Instead of hard-coding the default commands (and having a separate command just for /proc), move them into a dedicated profile to make it easier for users to interact with the entries (view, copy, add ignore entries, etc). Only enforce the Landlock commands if --landlock.enforce is supplied. This allows safely adding Landlock commands to (upstream) profiles while keeping their enforcement opt-in. It also makes it simpler to effectively disable all Landlock commands, by using `--ignore=landlock.enforce`. Relates to #6078.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-11-17 19:57:29 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-12-11 22:47:11 -0300
commit: 760f50f78ad13664d7a32b4577381c0341ab2d4a (patch)
tree: 36a091d2740c624c13bbdcc46ab32e295f74b19a /contrib
parent: landlock: avoid landlock syscalls before ll_restrict (diff)
download: firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.gz
firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.zst
firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.zip
2 files changed, 1 insertions, 2 deletions
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
index 4d49e96d9..0ac70e5cf 100644
--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -12,7 +12,7 @@ keep-config-pulse
 keep-dev-shm
 keep-shell-rc
 keep-var-tmp
-landlock
+landlock.enforce
 machine-id
 memory-deny-write-execute
 netfilter
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list
index cce37efa0..e76b6ef40 100644
--- a/contrib/syntax/lists/profile_commands_arg1.list
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -30,7 +30,6 @@ iprange
 join-or-start
 keep-fd
 landlock.execute
-landlock.proc
 landlock.read
 landlock.special
 landlock.write
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-11-17 19:57:29 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-12-11 22:47:11 -0300
commit	760f50f78ad13664d7a32b4577381c0341ab2d4a (patch)
tree	36a091d2740c624c13bbdcc46ab32e295f74b19a /contrib
parent	landlock: avoid landlock syscalls before ll_restrict (diff)
download	firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.gz firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.zst firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.zip

diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list index 4d49e96d9..0ac70e5cf 100644 --- a/contrib/syntax/lists/profile_commands_arg0.list +++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -12,7 +12,7 @@ keep-config-pulse
12	keep-dev-shm	12	keep-dev-shm
13	keep-shell-rc	13	keep-shell-rc
14	keep-var-tmp	14	keep-var-tmp
15	landlock	15	landlock.enforce
16	machine-id	16	machine-id
17	memory-deny-write-execute	17	memory-deny-write-execute
18	netfilter	18	netfilter


diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list index cce37efa0..e76b6ef40 100644 --- a/contrib/syntax/lists/profile_commands_arg1.list +++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -30,7 +30,6 @@ iprange
30	join-or-start	30	join-or-start
31	keep-fd	31	keep-fd
32	landlock.execute	32	landlock.execute
33	landlock.proc
34	landlock.read	33	landlock.read
35	landlock.special	34	landlock.special
36	landlock.write	35	landlock.write