landlock: split .special into .makeipc and .makedev

As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices.  Also,
`landlock.special` is not very descriptive of what it allows.

So split `landlock.special` into:

* `landlock.makeipc`: allow creating named pipes and sockets (which are
  usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices

Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices.  `ipc` was suggested by
@rusty-snake[2].

Relates to #6078.

[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294

2 files changed, 3 insertions, 2 deletions

diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc
index ebe9f98dc..694d447b5 100644
--- a/etc/inc/landlock-common.inc
+++ b/etc/inc/landlock-common.inc
@@ -4,7 +4,7 @@ include landlock-common.local
 
 landlock.read /          # whole system read
 landlock.read /proc
-landlock.special /       # sockets etc.
+landlock.makeipc /       # sockets etc.
 
 # write access
 landlock.write ${HOME}
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 8882c9012..0e6a5734e 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -140,7 +140,8 @@ include globals.local
 # Landlock commands
 ##landlock.read PATH
 ##landlock.write PATH
-##landlock.special PATH
+##landlock.makeipc PATH
+##landlock.makedev PATH
 ##landlock.execute PATH
 #include landlock-common.inc