landlock: split .special into .makeipc and .makedev

As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices.  Also,
`landlock.special` is not very descriptive of what it allows.

So split `landlock.special` into:

* `landlock.makeipc`: allow creating named pipes and sockets (which are
  usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices

Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices.  `ipc` was suggested by
@rusty-snake[2].

Relates to #6078.

[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294

1 files changed, 8 insertions, 3 deletions

diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index e1d7fde94..b6672c16b 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -522,10 +522,15 @@ rule for path.
 Create a Landlock ruleset (if it doesn't already exist) and add a write access
 rule for path.
 .TP
-\fBlandlock.special path
+\fBlandlock.makeipc path
 Create a Landlock ruleset (if it doesn't already exist) and add a rule that
-allows the creation of block devices, character devices, named pipes (FIFOs)
-and Unix domain sockets beneath given path.
+allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
+the given path.
+.TP
+\fBlandlock.makedev path
+Create a Landlock ruleset (if it doesn't already exist) and add a rule that
+allows the creation of block devices and character devices beneath the given
+path.
 .TP
 \fBlandlock.execute path
 Create a Landlock ruleset (if it doesn't already exist) and add an execution