Merge pull request #6125 from kmk3/landlock-enforce

landlock: move commands into profile and add landlock.enforce
author: netblue30 <netblue30@protonmail.com> 2023-12-21 09:50:22 -0500
committer: GitHub <noreply@github.com> 2023-12-21 09:50:22 -0500
commit: c245fec2d475b86c03fd8c8a6b9013ed5bdab91b (patch)
tree: 5f76b7f8ec59519d15c40f5260fb7e8711f847f4 /etc/inc/landlock-common.inc
parent: Merge pull request #6118 from NetSysFire/patch-4 (diff)
parent: landlock: move commands into profile and add landlock.enforce (diff)
download: firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.tar.gz
firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.tar.zst
firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.zip
1 files changed, 39 insertions, 0 deletions
diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc
new file mode 100644
index 000000000..ebe9f98dc
--- /dev/null
+++ b/etc/inc/landlock-common.inc
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include landlock-common.local
+landlock.read /          # whole system read
+landlock.read /proc
+landlock.special /       # sockets etc.
+# write access
+landlock.write ${HOME}
+landlock.write ${RUNUSER}
+landlock.write /dev
+landlock.write /proc
+landlock.write /run/shm
+landlock.write /tmp
+# exec access
+## misc
+landlock.execute /opt
+landlock.execute /run/firejail # appimage and various firejail features
+## bin
+landlock.execute /bin
+landlock.execute /sbin
+landlock.execute /usr/bin
+landlock.execute /usr/sbin
+landlock.execute /usr/games
+landlock.execute /usr/local/bin
+landlock.execute /usr/local/sbin
+landlock.execute /usr/local/games
+## lib
+landlock.execute /lib
+landlock.execute /lib32
+landlock.execute /libx32
+landlock.execute /lib64
+landlock.execute /usr/lib
+landlock.execute /usr/lib32
+landlock.execute /usr/libx32
+landlock.execute /usr/lib64
+landlock.execute /usr/local/lib
author	netblue30 <netblue30@protonmail.com>	2023-12-21 09:50:22 -0500
committer	GitHub <noreply@github.com>	2023-12-21 09:50:22 -0500
commit	c245fec2d475b86c03fd8c8a6b9013ed5bdab91b (patch)
tree	5f76b7f8ec59519d15c40f5260fb7e8711f847f4 /etc/inc/landlock-common.inc
parent	Merge pull request #6118 from NetSysFire/patch-4 (diff)
parent	landlock: move commands into profile and add landlock.enforce (diff)
download	firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.tar.gz firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.tar.zst firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.zip

diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc new file mode 100644 index 000000000..ebe9f98dc --- /dev/null +++ b/etc/inc/landlock-common.inc
@@ -0,0 +1,39 @@
	1	# This file is overwritten during software install.
	2	# Persistent customizations should go in a .local file.
	3	include landlock-common.local
	4
	5	landlock.read / # whole system read
	6	landlock.read /proc
	7	landlock.special / # sockets etc.
	8
	9	# write access
	10	landlock.write ${HOME}
	11	landlock.write ${RUNUSER}
	12	landlock.write /dev
	13	landlock.write /proc
	14	landlock.write /run/shm
	15	landlock.write /tmp
	16
	17	# exec access
	18	## misc
	19	landlock.execute /opt
	20	landlock.execute /run/firejail # appimage and various firejail features
	21	## bin
	22	landlock.execute /bin
	23	landlock.execute /sbin
	24	landlock.execute /usr/bin
	25	landlock.execute /usr/sbin
	26	landlock.execute /usr/games
	27	landlock.execute /usr/local/bin
	28	landlock.execute /usr/local/sbin
	29	landlock.execute /usr/local/games
	30	## lib
	31	landlock.execute /lib
	32	landlock.execute /lib32
	33	landlock.execute /libx32
	34	landlock.execute /lib64
	35	landlock.execute /usr/lib
	36	landlock.execute /usr/lib32
	37	landlock.execute /usr/libx32
	38	landlock.execute /usr/lib64
	39	landlock.execute /usr/local/lib