landlock: move commands into profile and add landlock.enforce

Changes:

* Move commands from --landlock and --landlock.proc= into
  etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce

Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).

Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in.  It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.

Relates to #6078.

1 files changed, 1 insertions, 2 deletions

diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index ac0554bc5..bea5df2be 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -107,8 +107,7 @@ _firejail_args=(
     '--keep-shell-rc[do not copy shell rc files from /etc/skel]'
     '--keep-var-tmp[/var/tmp directory is untouched]'
 #ifdef HAVE_LANDLOCK
-    '--landlock[add basic rules to the Landlock ruleset]'
-    '--landlock.proc=-[add an access rule for /proc to the Landlock ruleset]: :(no ro rw)'
+    '--landlock.enforce[enforce the Landlock ruleset]'
     '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files'
     '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files'
     '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files'