landlock: move commands into profile and add landlock.enforce

Changes: * Move commands from --landlock and --landlock.proc= into etc/inc/landlock-common.inc * Remove --landlock and --landlock.proc= * Add --landlock.enforce Instead of hard-coding the default commands (and having a separate command just for /proc), move them into a dedicated profile to make it easier for users to interact with the entries (view, copy, add ignore entries, etc). Only enforce the Landlock commands if --landlock.enforce is supplied. This allows safely adding Landlock commands to (upstream) profiles while keeping their enforcement opt-in. It also makes it simpler to effectively disable all Landlock commands, by using `--ignore=landlock.enforce`. Relates to #6078.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-11-17 19:57:29 -0300
committer: Kelvin M. Klann <kmk3.code@protonmail.com> 2023-12-11 22:47:11 -0300
commit: 760f50f78ad13664d7a32b4577381c0341ab2d4a (patch)
tree: 36a091d2740c624c13bbdcc46ab32e295f74b19a /etc/templates
parent: landlock: avoid landlock syscalls before ll_restrict (diff)
download: firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.gz
firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.zst
firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 6299d42cd..8882c9012 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -137,6 +137,13 @@ include globals.local
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
+# Landlock commands
+##landlock.read PATH
+##landlock.write PATH
+##landlock.special PATH
+##landlock.execute PATH
+#include landlock-common.inc
 ##allusers
 #apparmor
 #caps.drop all
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-11-17 19:57:29 -0300
committer	Kelvin M. Klann <kmk3.code@protonmail.com>	2023-12-11 22:47:11 -0300
commit	760f50f78ad13664d7a32b4577381c0341ab2d4a (patch)
tree	36a091d2740c624c13bbdcc46ab32e295f74b19a /etc/templates
parent	landlock: avoid landlock syscalls before ll_restrict (diff)
download	firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.gz firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.zst firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.zip

diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 6299d42cd..8882c9012 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -137,6 +137,13 @@ include globals.local
137	#include whitelist-usr-share-common.inc	137	#include whitelist-usr-share-common.inc
138	#include whitelist-var-common.inc	138	#include whitelist-var-common.inc
139		139
		140	# Landlock commands
		141	##landlock.read PATH
		142	##landlock.write PATH
		143	##landlock.special PATH
		144	##landlock.execute PATH
		145	#include landlock-common.inc
		146
140	##allusers	147	##allusers
141	#apparmor	148	#apparmor
142	#caps.drop all	149	#caps.drop all