author Kelvin M. Klann <kmk3.code@protonmail.com> 2024-02-01 23:21:26 -0300
committer Kelvin M. Klann <kmk3.code@protonmail.com> 2024-02-02 19:37:06 -0300
commit f70ffbe76cd06c03442132f06d503846a415f24c
tree f48b2cf278c3b60717ca9ff3b9c3dd26ab2c7ef2 /src/zsh_completion
parent crawl.profile: allow lua (#6182)
landlock: split .special into .makeipc and .makedev

As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.

So split `landlock.special` into:

* `landlock.makeipc`: allow creating named pipes and sockets (which are
  usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices

Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].

Relates to #6078.

[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294

Diffstat (limited to 'src/zsh_completion')
-rw-r--r-- src/zsh_completion/_firejail.in 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index c4056b902..45f24d5f3 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -110,7 +110,8 @@ _firejail_args=(
110 '--landlock.enforce[enforce the Landlock ruleset]' 110 '--landlock.enforce[enforce the Landlock ruleset]'
111 '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' 111 '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files'
112 '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' 112 '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files'
113 '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files' 113 '--landlock.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files'
114 '--landlock.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files'
114 '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' 115 '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files'
115#endif 116#endif
116 '--machine-id[spoof /etc/machine-id with a random id]' 117 '--machine-id[spoof /etc/machine-id with a random id]'
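
Review bot: the `--landlock.special` completion on old line 113 is removed outright rather than kept as a deprecated entry, and neither this hunk nor the commit message says what happens to command lines and profiles that still use it. If the option parser also rejects `landlock.special` after this commit (not visible here, since the diff is limited to src/zsh_completion), a note in the man page or release notes telling users to move to `landlock.makeipc`, and to add `landlock.makedev` only where creating device nodes is actually required, would stop migrated rulesets from re-granting both rights by habit. As a style point, the two new descriptions on lines 113 and 114 could follow their neighbours' form (for example "add a makeipc access rule for the path to the Landlock ruleset"), since "add an access rule for the path to the Landlock ruleset for creating ..." reads awkwardly in the completion menu.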