diff options
author | netblue30 <netblue30@protonmail.com> | 2023-10-24 12:43:46 -0400 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-07 17:55:13 -0300 |
commit | 13b2c566df883269b55f77757bb50a5d2890ec20 (patch) | |
tree | 5c7ccc9d00886b93c4429a91671161fa6464f1f9 /src/man/firejail-profile.5.in | |
parent | cleanup (diff) | |
download | firejail-13b2c566df883269b55f77757bb50a5d2890ec20.tar.gz firejail-13b2c566df883269b55f77757bb50a5d2890ec20.tar.zst firejail-13b2c566df883269b55f77757bb50a5d2890ec20.zip |
feature: add Landlock support
Based on 5315 by ChrysoliteAzalea.
It is based on the same underlying structure, but with a lot of
refactoring/simplification and with bugfixes and improvements.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
Co-authored-by: Азалия Смарагдова <charming.flurry@yandex.ru>
Diffstat (limited to 'src/man/firejail-profile.5.in')
-rw-r--r-- | src/man/firejail-profile.5.in | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 3a678b14f..76f5e4d20 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
@@ -507,6 +507,37 @@ Blacklist all Linux capabilities. | |||
507 | .TP | 507 | .TP |
508 | \fBcaps.keep capability,capability,capability | 508 | \fBcaps.keep capability,capability,capability |
509 | Whitelist given Linux capabilities. | 509 | Whitelist given Linux capabilities. |
510 | #ifdef HAVE_LANDLOCK | ||
511 | .TP | ||
512 | \fBlandlock | ||
513 | Create a Landlock ruleset (if it doesn't already exist) and add basic access | ||
514 | rules to it. | ||
515 | .TP | ||
516 | \fBlandlock.proc no|ro|rw | ||
517 | Add an access rule for /proc directory (read-only if set to \fBro\fR and | ||
518 | read-write if set to \fBrw\fR). | ||
519 | The access rule for /proc is added after this directory is set up in the | ||
520 | sandbox. | ||
521 | Access rules for /proc set up with other Landlock-related profile options have | ||
522 | no effect. | ||
523 | .TP | ||
524 | \fBlandlock.read path | ||
525 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | ||
526 | rule for path. | ||
527 | .TP | ||
528 | \fBlandlock.write path | ||
529 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | ||
530 | rule for path. | ||
531 | .TP | ||
532 | \fBlandlock.special path | ||
533 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | ||
534 | allows the creation of block devices, character devices, named pipes (FIFOs) | ||
535 | and Unix domain sockets beneath given path. | ||
536 | .TP | ||
537 | \fBlandlock.execute path | ||
538 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | ||
539 | permission rule for path. | ||
540 | #endif | ||
510 | .TP | 541 | .TP |
511 | \fBmemory-deny-write-execute | 542 | \fBmemory-deny-write-execute |
512 | Install a seccomp filter to block attempts to create memory mappings | 543 | Install a seccomp filter to block attempts to create memory mappings |