diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-17 19:57:29 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-11 22:47:11 -0300 |
commit | 760f50f78ad13664d7a32b4577381c0341ab2d4a (patch) | |
tree | 36a091d2740c624c13bbdcc46ab32e295f74b19a /src/man/firejail-profile.5.in | |
parent | landlock: avoid landlock syscalls before ll_restrict (diff) | |
download | firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.gz firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.zst firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.zip |
landlock: move commands into profile and add landlock.enforce
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
Diffstat (limited to 'src/man/firejail-profile.5.in')
-rw-r--r-- | src/man/firejail-profile.5.in | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 76f5e4d20..e1d7fde94 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
@@ -509,17 +509,10 @@ Blacklist all Linux capabilities. | |||
509 | Whitelist given Linux capabilities. | 509 | Whitelist given Linux capabilities. |
510 | #ifdef HAVE_LANDLOCK | 510 | #ifdef HAVE_LANDLOCK |
511 | .TP | 511 | .TP |
512 | \fBlandlock | 512 | \fBlandlock.enforce |
513 | Create a Landlock ruleset (if it doesn't already exist) and add basic access | 513 | Enforce the Landlock ruleset. |
514 | rules to it. | 514 | .PP |
515 | .TP | 515 | Without it, the other Landlock commands have no effect. |
516 | \fBlandlock.proc no|ro|rw | ||
517 | Add an access rule for /proc directory (read-only if set to \fBro\fR and | ||
518 | read-write if set to \fBrw\fR). | ||
519 | The access rule for /proc is added after this directory is set up in the | ||
520 | sandbox. | ||
521 | Access rules for /proc set up with other Landlock-related profile options have | ||
522 | no effect. | ||
523 | .TP | 516 | .TP |
524 | \fBlandlock.read path | 517 | \fBlandlock.read path |
525 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 518 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |