author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-01 23:21:26 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-02 19:37:06 -0300 |
commit | f70ffbe76cd06c03442132f06d503846a415f24c (patch) | |
tree | f48b2cf278c3b60717ca9ff3b9c3dd26ab2c7ef2 /src/man/firejail.1.in | |
parent | crawl.profile: allow lua (#6182) (diff) | |
landlock: split .special into .makeipc and .makedev

As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.

So split `landlock.special` into:

* `landlock.makeipc`: allow creating named pipes and sockets (which are
  usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices

Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].

Relates to #6078.

[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
Diffstat (limited to 'src/man/firejail.1.in')
-rw-r--r-- | src/man/firejail.1.in | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index ccc9a50a5..ed1b0bd4a 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -1249,10 +1249,15 @@ rule for path. | |||
1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
1250 | rule for path. | 1250 | rule for path. |
1251 | .TP | 1251 | .TP |
1252 | \fB\-\-landlock.special=path | 1252 | \fB\-\-landlock.makeipc=path |
1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1254 | allows the creation of block devices, character devices, named pipes (FIFOs) | 1254 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
1255 | and Unix domain sockets beneath given path. | 1255 | the given path. |
1256 | .TP | ||
1257 | \fB\-\-landlock.makedev=path | ||
1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | ||
1259 | allows the creation of block devices and character devices beneath the given | ||
1260 | path. | ||
1256 | .TP | 1261 | .TP |
1257 | \fB\-\-landlock.execute=path | 1262 | \fB\-\-landlock.execute=path |
1258 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 1263 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
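Review bot: The `\fB\-\-landlock.special=path` entry at old line 1252 is replaced outright, so the man page no longer mentions the old option name and a reader with an existing command line or profile that uses `landlock.special` has nothing to tell them it was split. Consider adding one sentence to the new `\-\-landlock.makeipc` and `\-\-landlock.makedev` entries stating that together they replace `\-\-landlock.special`. The `\-\-landlock.makedev` entry could also carry the rationale from the commit message, that a sandboxed unprivileged process rarely needs to create block or character devices, so that readers treat it as the exception and reach for `\-\-landlock.makeipc` when they only need FIFOs or Unix domain sockets.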