author | Азалия Смарагдова <charming.flurry@yandex.ru> | 2022-08-15 12:19:11 +0500 |
---|---|---|
committer | Азалия Смарагдова <charming.flurry@yandex.ru> | 2022-08-15 13:32:24 +0500 |
commit | 61b15442898eeb1db2d23b6b2eb72a705ceb368a (patch) | |
tree | 6d9cb22307941a81f4562dbfd0c00e7b2e96dbcd /src/man/firejail-profile.txt | |
parent | more merges (diff) | |
Landlock support has been added.
Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 138aae8af..6e75aceed 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -497,6 +497,27 @@ Blacklist all Linux capabilities. | |||
497 | .TP | 497 | .TP |
498 | \fBcaps.keep capability,capability,capability | 498 | \fBcaps.keep capability,capability,capability |
499 | Whitelist given Linux capabilities. | 499 | Whitelist given Linux capabilities. |
500 | #ifdef HAVE_LANDLOCK | ||
501 | .TP | ||
502 | \fBlandlock-read path | ||
503 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
504 | .br | ||
505 | |||
506 | .TP | ||
507 | \fBlandlock-write path | ||
508 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
509 | .br | ||
510 | |||
511 | .TP | ||
512 | \fBlandlock-restricted-write path | ||
513 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
514 | .br | ||
515 | |||
516 | .TP | ||
517 | \fBlandlock-execute path | ||
518 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
519 | .br | ||
520 | #endif | ||
500 | .TP | 521 | .TP |
501 | \fBmemory-deny-write-execute | 522 | \fBmemory-deny-write-execute |
502 | Install a seccomp filter to block attempts to create memory mappings | 523 | Install a seccomp filter to block attempts to create memory mappings |
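Review bot: The four new landlock-* entries (new lines 502-518) never say what creating the ruleset does to paths that have no rule, so a profile author cannot tell from the man page whether a single landlock-read line leaves the rest of the filesystem untouched or denies access to it; state the default for unlisted paths once, ahead of the entries. The landlock-restricted-write entry excludes creating Unix domain sockets, FIFO pipes and block devices but does not mention character devices, and the landlock-write entry does not say that it includes those creation rights, so the difference between the two is only visible by comparing them; spell it out in both. The CAP_SYS_ADMIN / "No New Privileges" note is repeated verbatim four times; keep it in one place and name the profile option that enables the restriction (nonewprivs), since a failure here makes Firejail exit with an error. The ".br" followed by an empty line before each ".TP" (new lines 504-505, 509-510, 514-515) is not used by the neighbouring caps.keep entry, and the blank lines can be dropped.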