author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-17 19:57:29 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-11 22:47:11 -0300 |
commit | 760f50f78ad13664d7a32b4577381c0341ab2d4a (patch) | |
tree | 36a091d2740c624c13bbdcc46ab32e295f74b19a /etc/templates/profile.template | |
parent | landlock: avoid landlock syscalls before ll_restrict (diff) | |
download | firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.gz firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.zst firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.zip |
landlock: move commands into profile and add landlock.enforce

Changes:

* Move commands from --landlock and --landlock.proc= into
  etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce

Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).

Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.

Relates to #6078.
Diffstat (limited to 'etc/templates/profile.template')
-rw-r--r-- | etc/templates/profile.template | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 6299d42cd..8882c9012 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -137,6 +137,13 @@ include globals.local | |||
137 | #include whitelist-usr-share-common.inc | 137 | #include whitelist-usr-share-common.inc |
138 | #include whitelist-var-common.inc | 138 | #include whitelist-var-common.inc |
139 | 139 | ||
140 | # Landlock commands | ||
141 | ##landlock.read PATH | ||
142 | ##landlock.write PATH | ||
143 | ##landlock.special PATH | ||
144 | ##landlock.execute PATH | ||
145 | #include landlock-common.inc | ||
146 | |||
140 | ##allusers | 147 | ##allusers |
141 | #apparmor | 148 | #apparmor |
142 | #caps.drop all | 149 | #caps.drop all |
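Review bot: The new "# Landlock commands" block (new lines 140-145) gives no hint that these entries are inert unless enforcement is requested. The commit message says the Landlock commands are only enforced when --landlock.enforce is supplied, so a profile author who fills in `##landlock.read PATH` and uncomments `#include landlock-common.inc` could reasonably assume the sandbox is now restricting filesystem access when nothing is applied. Consider extending the header comment to say so, for example "# Landlock commands (only enforced with landlock.enforce)", or adding a commented-out enforce entry to the block if the project wants the template to show the opt-in. It would also help to say in a comment why the four PATH commands use `##` while the include uses `#`, since the hunk does not show what that distinction means for a profile author working from this template.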