diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-01 23:21:26 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-02 19:37:06 -0300 |
commit | f70ffbe76cd06c03442132f06d503846a415f24c (patch) | |
tree | f48b2cf278c3b60717ca9ff3b9c3dd26ab2c7ef2 /src/man/firejail-profile.5.in | |
parent | crawl.profile: allow lua (#6182) (diff) | |
download | firejail-f70ffbe76cd06c03442132f06d503846a415f24c.tar.gz firejail-f70ffbe76cd06c03442132f06d503846a415f24c.tar.zst firejail-f70ffbe76cd06c03442132f06d503846a415f24c.zip |
landlock: split .special into .makeipc and .makedev
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
Diffstat (limited to 'src/man/firejail-profile.5.in')
-rw-r--r-- | src/man/firejail-profile.5.in | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index e1d7fde94..b6672c16b 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
@@ -522,10 +522,15 @@ rule for path. | |||
522 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 522 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
523 | rule for path. | 523 | rule for path. |
524 | .TP | 524 | .TP |
525 | \fBlandlock.special path | 525 | \fBlandlock.makeipc path |
526 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 526 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
527 | allows the creation of block devices, character devices, named pipes (FIFOs) | 527 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
528 | and Unix domain sockets beneath given path. | 528 | the given path. |
529 | .TP | ||
530 | \fBlandlock.makedev path | ||
531 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | ||
532 | allows the creation of block devices and character devices beneath the given | ||
533 | path. | ||
529 | .TP | 534 | .TP |
530 | \fBlandlock.execute path | 535 | \fBlandlock.execute path |
531 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 536 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |