diff options
author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-01 23:21:26 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2024-02-02 19:37:06 -0300 |
commit | f70ffbe76cd06c03442132f06d503846a415f24c (patch) | |
tree | f48b2cf278c3b60717ca9ff3b9c3dd26ab2c7ef2 /src/zsh_completion | |
parent | crawl.profile: allow lua (#6182) (diff) | |
download | firejail-f70ffbe76cd06c03442132f06d503846a415f24c.tar.gz firejail-f70ffbe76cd06c03442132f06d503846a415f24c.tar.zst firejail-f70ffbe76cd06c03442132f06d503846a415f24c.zip |
landlock: split .special into .makeipc and .makedev
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
`landlock.special` is not very descriptive of what it allows.
So split `landlock.special` into:
* `landlock.makeipc`: allow creating named pipes and sockets (which are
usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices
Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices. `ipc` was suggested by
@rusty-snake[2].
Relates to #6078.
[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
Diffstat (limited to 'src/zsh_completion')
-rw-r--r-- | src/zsh_completion/_firejail.in | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index c4056b902..45f24d5f3 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -110,7 +110,8 @@ _firejail_args=( | |||
110 | '--landlock.enforce[enforce the Landlock ruleset]' | 110 | '--landlock.enforce[enforce the Landlock ruleset]' |
111 | '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' | 111 | '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' |
112 | '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' | 112 | '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' |
113 | '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files' | 113 | '--landlock.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files' |
114 | '--landlock.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files' | ||
114 | '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' | 115 | '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' |
115 | #endif | 116 | #endif |
116 | '--machine-id[spoof /etc/machine-id with a random id]' | 117 | '--machine-id[spoof /etc/machine-id with a random id]' |