author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-17 19:57:29 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-11 22:47:11 -0300 |
commit | 760f50f78ad13664d7a32b4577381c0341ab2d4a (patch) | |
tree | 36a091d2740c624c13bbdcc46ab32e295f74b19a /src/man | |
parent | landlock: avoid landlock syscalls before ll_restrict (diff) | |
landlock: move commands into profile and add landlock.enforce
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
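As an added illustration of the opt-in scheme the commit message describes (this is example text written for this page, not a file from the commit or from the Firejail tree), a user-level drop-in could pull in the shared Landlock rules and opt in explicitly. The file name, the use of the mc profile and the /media path are assumptions; `landlock.read path` and bare `include name.inc` follow the profile syntax documented in the man pages below.

```conf
# ~/.config/firejail/mc.local  (assumed: a user-level drop-in that the
# stock mc profile includes; adjust name and location to your setup)

# Shared Landlock rules; the commit above moves the former built-in
# defaults into this include. A bare name resolves against the system
# profile directory, like the other *.inc includes.
include landlock-common.inc

# Program-specific addition: read access to removable media (assumed path).
landlock.read /media

# Opt in. Without this line, every landlock.* command above is a no-op.
landlock.enforce
```

With this drop-in, `firejail mc` applies the ruleset. Running `firejail --ignore=landlock.enforce mc` leaves the landlock.* commands in place but, as the commit message states, they then have no effect, which is the intended way to switch Landlock off for a run without editing the profile. Passing `--landlock.enforce` on the command line instead of putting it in the drop-in gives the same opt-in for a single invocation.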
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.5.in | 15
-rw-r--r-- | src/man/firejail.1.in | 41
2 files changed, 16 insertions, 40 deletions
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 76f5e4d20..e1d7fde94 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
@@ -509,17 +509,10 @@ Blacklist all Linux capabilities. | |||
509 | Whitelist given Linux capabilities. | 509 | Whitelist given Linux capabilities. |
510 | #ifdef HAVE_LANDLOCK | 510 | #ifdef HAVE_LANDLOCK |
511 | .TP | 511 | .TP |
512 | \fBlandlock | 512 | \fBlandlock.enforce |
513 | Create a Landlock ruleset (if it doesn't already exist) and add basic access | 513 | Enforce the Landlock ruleset. |
514 | rules to it. | 514 | .PP |
515 | .TP | 515 | Without it, the other Landlock commands have no effect. |
516 | \fBlandlock.proc no|ro|rw | ||
517 | Add an access rule for /proc directory (read-only if set to \fBro\fR and | ||
518 | read-write if set to \fBrw\fR). | ||
519 | The access rule for /proc is added after this directory is set up in the | ||
520 | sandbox. | ||
521 | Access rules for /proc set up with other Landlock-related profile options have | ||
522 | no effect. | ||
523 | .TP | 516 | .TP |
524 | \fBlandlock.read path | 517 | \fBlandlock.read path |
525 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 518 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
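Review bot: the new continuation `Without it, the other Landlock commands have no effect.` follows a bare `.PP` inside a `.TP` entry, so it renders at the left margin rather than indented under the `landlock.enforce` tag; either wrap it in `.RS`/`.RE` after the `.PP` or use `.br` instead, matching how the other entries in this file keep their text under the tag. Since the `landlock.proc` entry is dropped here without any replacement text, consider adding one sentence to `landlock.enforce` saying that the basic rules, including those for /proc, now live in landlock-common.inc, so a profile author reading this page can find them.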
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 39f12b005..c63cf350d 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -1245,31 +1245,15 @@ $ firejail --keep-var-tmp | |||
1245 | 1245 | ||
1246 | #ifdef HAVE_LANDLOCK | 1246 | #ifdef HAVE_LANDLOCK |
1247 | .TP | 1247 | .TP |
1248 | \fB\-\-landlock | 1248 | \fB\-\-landlock.enforce |
1249 | Create a Landlock ruleset (if it doesn't already exist) and add basic access | 1249 | Enforce the Landlock ruleset. |
1250 | rules to it. | ||
1251 | The basic set of rules applies the following access permissions: | ||
1252 | .PP | 1250 | .PP |
1253 | .RS | 1251 | Without it, the other Landlock commands have no effect. |
1254 | - read: /bin, /dev, /etc, /lib, /opt, /proc, /usr, /var | ||
1255 | .br | ||
1256 | - write: /dev, /proc | ||
1257 | .br | ||
1258 | - exec: /bin, /lib, /opt, /usr | ||
1259 | .RE | ||
1260 | .PP | 1252 | .PP |
1261 | .RS | 1253 | .RS |
1262 | See the \fBLANDLOCK\fR section for more information. | 1254 | See the \fBLANDLOCK\fR section for more information. |
1263 | .RE | 1255 | .RE |
1264 | .TP | 1256 | .TP |
1265 | \fB\-\-landlock.proc=no|ro|rw | ||
1266 | Add an access rule for /proc directory (read-only if set to \fBro\fR and | ||
1267 | read-write if set to \fBrw\fR). | ||
1268 | The access rule for /proc is added after this directory is set up in the | ||
1269 | sandbox. | ||
1270 | Access rules for /proc set up with other Landlock-related command-line options | ||
1271 | have no effect. | ||
1272 | .TP | ||
1273 | \fB\-\-landlock.read=path | 1257 | \fB\-\-landlock.read=path |
1274 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 1258 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
1275 | rule for path. | 1259 | rule for path. |
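Review bot: removing the basic rules list (`- read: ...`, `- write: ...`, `- exec: ...`) leaves the `\-\-landlock.enforce` entry with no pointer to where those defaults now live; add a line such as `The basic set of rules is defined in landlock-common.inc.` so the option is still self-describing. Also, `Without it, the other Landlock commands have no effect.` sits after a bare `.PP` while `See the \fBLANDLOCK\fR section for more information.` is inside `.RS`/`.RE`, so the two continuation paragraphs render at different indentation; put both inside the same `.RS` block.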
@@ -1291,7 +1275,9 @@ permission rule for path. | |||
1291 | .br | 1275 | .br |
1292 | Example: | 1276 | Example: |
1293 | .br | 1277 | .br |
1294 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr | 1278 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home |
1279 | \-\-landlock.execute=/usr \-\-landlock.enforce | ||
1280 | .PP | ||
1295 | #endif | 1281 | #endif |
1296 | .TP | 1282 | .TP |
1297 | \fB\-\-list | 1283 | \fB\-\-list |
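Review bot: the example now puts `\-\-landlock.enforce` last, whereas the LANDLOCK section example below puts it first (`\-\-landlock.enforce \-\-landlock.read=/media mc`); ordering the flag consistently, enforce first, makes it clearer to the reader that the read/write/execute options are no-ops without it. The wrapped source line is fine since troff fills it into one output line, but the added `.PP` before `#endif` appears unnecessary given the `.TP` that follows; drop it unless it is needed for spacing.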
@@ -3426,7 +3412,7 @@ Firejail supports Landlock as an additional sandboxing feature. | |||
3426 | It can be used to ensure that a sandboxed application can only access files and | 3412 | It can be used to ensure that a sandboxed application can only access files and |
3427 | directories that it was explicitly allowed to access. | 3413 | directories that it was explicitly allowed to access. |
3428 | Firejail supports populating the ruleset with both a basic set of rules (see | 3414 | Firejail supports populating the ruleset with both a basic set of rules (see |
3429 | \fB\-\-landlock\fR) and with a custom set of rules. | 3415 | landlock-common.inc) and with a custom set of rules. |
3430 | .TP | 3416 | .TP |
3431 | Important notes: | 3417 | Important notes: |
3432 | .PP | 3418 | .PP |
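Review bot: `(see landlock-common.inc)` gives no path, so a man page reader has no way to locate the file; name the installed location (the commit message identifies it as etc/inc/landlock-common.inc in the tree). The sentence also still reads as if Firejail populates the ruleset with the basic rules on its own; state that they apply only when a profile includes that file and `landlock.enforce` is set.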
@@ -3438,9 +3424,6 @@ Because of this, enabling the Landlock feature will also cause Firejail to | |||
3438 | enable the "No New Privileges" restriction, regardless of the profile or the | 3424 | enable the "No New Privileges" restriction, regardless of the profile or the |
3439 | \fB\-\-nonewprivs\fR command line option. | 3425 | \fB\-\-nonewprivs\fR command line option. |
3440 | .PP | 3426 | .PP |
3441 | - Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR | ||
3442 | command line option. | ||
3443 | .PP | ||
3444 | - Access to the /etc directory is automatically allowed. | 3427 | - Access to the /etc directory is automatically allowed. |
3445 | To override this, use the \fB\-\-writable\-etc\fR command line option. | 3428 | To override this, use the \fB\-\-writable\-etc\fR command line option. |
3446 | You can also use the \fB\-\-private\-etc\fR option to restrict access to the | 3429 | You can also use the \fB\-\-private\-etc\fR option to restrict access to the |
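Review bot: deleting the /proc note removes the only remaining statement of the ordering constraint the old `\-\-landlock.proc` text carried (`The access rule for /proc is added after this directory is set up in the sandbox` and `Access rules for /proc set up with other Landlock-related ... options have no effect`). If that constraint still holds for `landlock.read`/`landlock.write` rules naming /proc, the note should be reworded to say how /proc is handled now rather than dropped; if the move into landlock-common.inc resolves it, the commit message should say so.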
@@ -3448,13 +3431,13 @@ You can also use the \fB\-\-private\-etc\fR option to restrict access to the | |||
3448 | .RE | 3431 | .RE |
3449 | .PP | 3432 | .PP |
3450 | To enable Landlock self-restriction on top of your current Firejail security | 3433 | To enable Landlock self-restriction on top of your current Firejail security |
3451 | features, pass \fB\-\-landlock\fR flag to Firejail command line. | 3434 | features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. |
3452 | You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR, | 3435 | Without it, the other Landlock commands have no effect. |
3453 | \fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with | ||
3454 | \fB\-\-landlock\fR or instead of it. | ||
3455 | Example: | 3436 | Example: |
3456 | .PP | 3437 | .PP |
3457 | $ firejail \-\-landlock \-\-landlock.read=/media \-\-landlock.proc=ro mc | 3438 | $ firejail \-\-landlock.enforce \-\-landlock.read=/media mc |
3439 | .PP | ||
3440 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. | ||
3458 | #endif | 3441 | #endif |
3459 | .SH DESKTOP INTEGRATION | 3442 | .SH DESKTOP INTEGRATION |
3460 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 3443 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
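Review bot: `To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.` should say what is being ignored and when it applies: the text above the example only says `pass \fB\-\-landlock.enforce\fR flag to Firejail command line`, yet `--ignore` is described in terms of a `landlock.enforce` entry, so state that this is for enforcement coming from a profile and that a reader who passes `--landlock.enforce` themselves simply omits it. Consider also keeping a one-line replacement for the removed sentence about combining `\-\-landlock.read`, `\-\-landlock.write`, `\-\-landlock.special` and `\-\-landlock.execute` with the enforce flag, which the new example only shows implicitly.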