diff options
| author |  Азалия Смарагдова <charming.flurry@yandex.ru> | 2022-08-16 12:03:50 +0500 |
|---|---|---|
| committer | Азалия Смарагдова <charming.flurry@yandex.ru> | 2022-08-16 12:03:50 +0500 |
| commit | 460fa7a6f98cc1e7aec2953e6523f32677d546c7 (patch) | |
| tree | eaebba9e4ed52d6ea22b428e98fef42854fc3efb /src/man/firejail-profile.txt | |
| parent | Update quotation marks in src/zsh_completion/_firejail.in (diff) | |
| download | firejail-460fa7a6f98cc1e7aec2953e6523f32677d546c7.tar.gz firejail-460fa7a6f98cc1e7aec2953e6523f32677d546c7.tar.zst firejail-460fa7a6f98cc1e7aec2953e6523f32677d546c7.zip | |
Proposed fixes.
Diffstat (limited to 'src/man/firejail-profile.txt')
| -rw-r--r-- | src/man/firejail-profile.txt | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 6e75aceed..1f543980e 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -499,23 +499,31 @@ Blacklist all Linux capabilities. | |||
| 499 | Whitelist given Linux capabilities. | 499 | Whitelist given Linux capabilities. |
| 500 | #ifdef HAVE_LANDLOCK | 500 | #ifdef HAVE_LANDLOCK |
| 501 | .TP | 501 | .TP |
| 502 | \fBlandlock-read path | 502 | \fBlandlock |
| 503 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | 503 | Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it. |
| 504 | .br | ||
| 505 | .TP | ||
| 506 | \fBlandlock.proc no|ro|rw | ||
| 507 | Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related profile options have no effect. | ||
| 508 | .br | ||
| 509 | .TP | ||
| 510 | \fBlandlock.read path | ||
| 511 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. | ||
| 504 | .br | 512 | .br |
| 505 | 513 | ||
| 506 | .TP | 514 | .TP |
| 507 | \fBlandlock-write path | 515 | \fBlandlock.write path |
| 508 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | 516 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. |
| 509 | .br | 517 | .br |
| 510 | 518 | ||
| 511 | .TP | 519 | .TP |
| 512 | \fBlandlock-restricted-write path | 520 | \fBlandlock.special path |
| 513 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | 521 | Create a Landlock ruleset (if it doesn't already exist) and add an access rule for creation of FIFO pipes, Unix-domain sockets and block devices beneath given path. |
| 514 | .br | 522 | .br |
| 515 | 523 | ||
| 516 | .TP | 524 | .TP |
| 517 | \fBlandlock-execute path | 525 | \fBlandlock.execute path |
| 518 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | 526 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. |
| 519 | .br | 527 | .br |
| 520 | #endif | 528 | #endif |
| 521 | .TP | 529 | .TP |