diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-11-17 19:57:29 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2023-12-11 22:47:11 -0300 |
commit | 760f50f78ad13664d7a32b4577381c0341ab2d4a (patch) | |
tree | 36a091d2740c624c13bbdcc46ab32e295f74b19a /src/zsh_completion | |
parent | landlock: avoid landlock syscalls before ll_restrict (diff) | |
download | firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.gz firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.tar.zst firejail-760f50f78ad13664d7a32b4577381c0341ab2d4a.zip |
landlock: move commands into profile and add landlock.enforce
Changes:
* Move commands from --landlock and --landlock.proc= into
etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.
Relates to #6078.
Diffstat (limited to 'src/zsh_completion')
-rw-r--r-- | src/zsh_completion/_firejail.in | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index ac0554bc5..bea5df2be 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -107,8 +107,7 @@ _firejail_args=( | |||
107 | '--keep-shell-rc[do not copy shell rc files from /etc/skel]' | 107 | '--keep-shell-rc[do not copy shell rc files from /etc/skel]' |
108 | '--keep-var-tmp[/var/tmp directory is untouched]' | 108 | '--keep-var-tmp[/var/tmp directory is untouched]' |
109 | #ifdef HAVE_LANDLOCK | 109 | #ifdef HAVE_LANDLOCK |
110 | '--landlock[add basic rules to the Landlock ruleset]' | 110 | '--landlock.enforce[enforce the Landlock ruleset]' |
111 | '--landlock.proc=-[add an access rule for /proc to the Landlock ruleset]: :(no ro rw)' | ||
112 | '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' | 111 | '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' |
113 | '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' | 112 | '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' |
114 | '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files' | 113 | '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files' |