Merge pull request #6125 from kmk3/landlock-enforce

landlock: move commands into profile and add landlock.enforce
author: netblue30 <netblue30@protonmail.com> 2023-12-21 09:50:22 -0500
committer: GitHub <noreply@github.com> 2023-12-21 09:50:22 -0500
commit: c245fec2d475b86c03fd8c8a6b9013ed5bdab91b (patch)
tree: 5f76b7f8ec59519d15c40f5260fb7e8711f847f4 /etc
parent: Merge pull request #6118 from NetSysFire/patch-4 (diff)
parent: landlock: move commands into profile and add landlock.enforce (diff)
download: firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.tar.gz
firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.tar.zst
firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.zip
3 files changed, 48 insertions, 0 deletions
diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc
new file mode 100644
index 000000000..ebe9f98dc
--- /dev/null
+++ b/etc/inc/landlock-common.inc
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include landlock-common.local
+landlock.read /          # whole system read
+landlock.read /proc
+landlock.special /       # sockets etc.
+# write access
+landlock.write ${HOME}
+landlock.write ${RUNUSER}
+landlock.write /dev
+landlock.write /proc
+landlock.write /run/shm
+landlock.write /tmp
+# exec access
+## misc
+landlock.execute /opt
+landlock.execute /run/firejail # appimage and various firejail features
+## bin
+landlock.execute /bin
+landlock.execute /sbin
+landlock.execute /usr/bin
+landlock.execute /usr/sbin
+landlock.execute /usr/games
+landlock.execute /usr/local/bin
+landlock.execute /usr/local/sbin
+landlock.execute /usr/local/games
+## lib
+landlock.execute /lib
+landlock.execute /lib32
+landlock.execute /libx32
+landlock.execute /lib64
+landlock.execute /usr/lib
+landlock.execute /usr/lib32
+landlock.execute /usr/libx32
+landlock.execute /usr/lib64
+landlock.execute /usr/local/lib
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile
index c071da4b7..b0ae2d49f 100644
--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -22,6 +22,8 @@ include disable-programs.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
+include landlock-common.inc
 #apparmor
 caps.drop all
 #ipc-namespace
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 6299d42cd..8882c9012 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -137,6 +137,13 @@ include globals.local
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
+# Landlock commands
+##landlock.read PATH
+##landlock.write PATH
+##landlock.special PATH
+##landlock.execute PATH
+#include landlock-common.inc
 ##allusers
 #apparmor
 #caps.drop all
author	netblue30 <netblue30@protonmail.com>	2023-12-21 09:50:22 -0500
committer	GitHub <noreply@github.com>	2023-12-21 09:50:22 -0500
commit	c245fec2d475b86c03fd8c8a6b9013ed5bdab91b (patch)
tree	5f76b7f8ec59519d15c40f5260fb7e8711f847f4 /etc
parent	Merge pull request #6118 from NetSysFire/patch-4 (diff)
parent	landlock: move commands into profile and add landlock.enforce (diff)
download	firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.tar.gz firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.tar.zst firejail-c245fec2d475b86c03fd8c8a6b9013ed5bdab91b.zip

diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc new file mode 100644 index 000000000..ebe9f98dc --- /dev/null +++ b/etc/inc/landlock-common.inc
@@ -0,0 +1,39 @@
		1	# This file is overwritten during software install.
		2	# Persistent customizations should go in a .local file.
		3	include landlock-common.local
		4
		5	landlock.read / # whole system read
		6	landlock.read /proc
		7	landlock.special / # sockets etc.
		8
		9	# write access
		10	landlock.write ${HOME}
		11	landlock.write ${RUNUSER}
		12	landlock.write /dev
		13	landlock.write /proc
		14	landlock.write /run/shm
		15	landlock.write /tmp
		16
		17	# exec access
		18	## misc
		19	landlock.execute /opt
		20	landlock.execute /run/firejail # appimage and various firejail features
		21	## bin
		22	landlock.execute /bin
		23	landlock.execute /sbin
		24	landlock.execute /usr/bin
		25	landlock.execute /usr/sbin
		26	landlock.execute /usr/games
		27	landlock.execute /usr/local/bin
		28	landlock.execute /usr/local/sbin
		29	landlock.execute /usr/local/games
		30	## lib
		31	landlock.execute /lib
		32	landlock.execute /lib32
		33	landlock.execute /libx32
		34	landlock.execute /lib64
		35	landlock.execute /usr/lib
		36	landlock.execute /usr/lib32
		37	landlock.execute /usr/libx32
		38	landlock.execute /usr/lib64
		39	landlock.execute /usr/local/lib


diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index c071da4b7..b0ae2d49f 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile
@@ -22,6 +22,8 @@ include disable-programs.inc
22	#include whitelist-usr-share-common.inc	22	#include whitelist-usr-share-common.inc
23	#include whitelist-var-common.inc	23	#include whitelist-var-common.inc
24		24
		25	include landlock-common.inc
		26
25	#apparmor	27	#apparmor
26	caps.drop all	28	caps.drop all
27	#ipc-namespace	29	#ipc-namespace


diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 6299d42cd..8882c9012 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -137,6 +137,13 @@ include globals.local
137	#include whitelist-usr-share-common.inc	137	#include whitelist-usr-share-common.inc
138	#include whitelist-var-common.inc	138	#include whitelist-var-common.inc
139		139
		140	# Landlock commands
		141	##landlock.read PATH
		142	##landlock.write PATH
		143	##landlock.special PATH
		144	##landlock.execute PATH
		145	#include landlock-common.inc
		146
140	##allusers	147	##allusers
141	#apparmor	148	#apparmor
142	#caps.drop all	149	#caps.drop all