-rw-r--r-- | contrib/syntax/lists/profile_commands_arg1.list | 10 | ||||
-rw-r--r-- | etc/inc/landlock-common.inc | 56 | ||||
-rw-r--r-- | etc/templates/profile.template | 10 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in | 10 | ||||
-rw-r--r-- | src/firejail/firejail.h | 10 | ||||
-rw-r--r-- | src/firejail/landlock.c | 20 | ||||
-rw-r--r-- | src/firejail/main.c | 20 | ||||
-rw-r--r-- | src/firejail/profile.c | 20 | ||||
-rw-r--r-- | src/firejail/usage.c | 10 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in | 10 | ||||
-rw-r--r-- | src/man/firejail.1.in | 16 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 10 |
12 files changed, 101 insertions, 101 deletions
diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list index 8d5cae7f2..6fd943e57 100644 --- a/contrib/syntax/lists/profile_commands_arg1.list +++ b/contrib/syntax/lists/profile_commands_arg1.list | |||
@@ -29,11 +29,11 @@ ip6 | |||
29 | iprange | 29 | iprange |
30 | join-or-start | 30 | join-or-start |
31 | keep-fd | 31 | keep-fd |
32 | landlock.execute | 32 | landlock.fs.execute |
33 | landlock.makedev | 33 | landlock.fs.makedev |
34 | landlock.makeipc | 34 | landlock.fs.makeipc |
35 | landlock.read | 35 | landlock.fs.read |
36 | landlock.write | 36 | landlock.fs.write |
37 | mac | 37 | mac |
38 | mkdir | 38 | mkdir |
39 | mkfile | 39 | mkfile |
diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc index 694d447b5..e147963a6 100644 --- a/etc/inc/landlock-common.inc +++ b/etc/inc/landlock-common.inc | |||
@@ -2,38 +2,38 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include landlock-common.local | 3 | include landlock-common.local |
4 | 4 | ||
5 | landlock.read / # whole system read | 5 | landlock.fs.read / # whole system read |
6 | landlock.read /proc | 6 | landlock.fs.read /proc |
7 | landlock.makeipc / # sockets etc. | 7 | landlock.fs.makeipc / # sockets etc. |
8 | 8 | ||
9 | # write access | 9 | # write access |
10 | landlock.write ${HOME} | 10 | landlock.fs.write ${HOME} |
11 | landlock.write ${RUNUSER} | 11 | landlock.fs.write ${RUNUSER} |
12 | landlock.write /dev | 12 | landlock.fs.write /dev |
13 | landlock.write /proc | 13 | landlock.fs.write /proc |
14 | landlock.write /run/shm | 14 | landlock.fs.write /run/shm |
15 | landlock.write /tmp | 15 | landlock.fs.write /tmp |
16 | 16 | ||
17 | # exec access | 17 | # exec access |
18 | ## misc | 18 | ## misc |
19 | landlock.execute /opt | 19 | landlock.fs.execute /opt |
20 | landlock.execute /run/firejail # appimage and various firejail features | 20 | landlock.fs.execute /run/firejail # appimage and various firejail features |
21 | ## bin | 21 | ## bin |
22 | landlock.execute /bin | 22 | landlock.fs.execute /bin |
23 | landlock.execute /sbin | 23 | landlock.fs.execute /sbin |
24 | landlock.execute /usr/bin | 24 | landlock.fs.execute /usr/bin |
25 | landlock.execute /usr/sbin | 25 | landlock.fs.execute /usr/sbin |
26 | landlock.execute /usr/games | 26 | landlock.fs.execute /usr/games |
27 | landlock.execute /usr/local/bin | 27 | landlock.fs.execute /usr/local/bin |
28 | landlock.execute /usr/local/sbin | 28 | landlock.fs.execute /usr/local/sbin |
29 | landlock.execute /usr/local/games | 29 | landlock.fs.execute /usr/local/games |
30 | ## lib | 30 | ## lib |
31 | landlock.execute /lib | 31 | landlock.fs.execute /lib |
32 | landlock.execute /lib32 | 32 | landlock.fs.execute /lib32 |
33 | landlock.execute /libx32 | 33 | landlock.fs.execute /libx32 |
34 | landlock.execute /lib64 | 34 | landlock.fs.execute /lib64 |
35 | landlock.execute /usr/lib | 35 | landlock.fs.execute /usr/lib |
36 | landlock.execute /usr/lib32 | 36 | landlock.fs.execute /usr/lib32 |
37 | landlock.execute /usr/libx32 | 37 | landlock.fs.execute /usr/libx32 |
38 | landlock.execute /usr/lib64 | 38 | landlock.fs.execute /usr/lib64 |
39 | landlock.execute /usr/local/lib | 39 | landlock.fs.execute /usr/local/lib |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 0e6a5734e..29ea55439 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -138,11 +138,11 @@ include globals.local | |||
138 | #include whitelist-var-common.inc | 138 | #include whitelist-var-common.inc |
139 | 139 | ||
140 | # Landlock commands | 140 | # Landlock commands |
141 | ##landlock.read PATH | 141 | ##landlock.fs.read PATH |
142 | ##landlock.write PATH | 142 | ##landlock.fs.write PATH |
143 | ##landlock.makeipc PATH | 143 | ##landlock.fs.makeipc PATH |
144 | ##landlock.makedev PATH | 144 | ##landlock.fs.makedev PATH |
145 | ##landlock.execute PATH | 145 | ##landlock.fs.execute PATH |
146 | #include landlock-common.inc | 146 | #include landlock-common.inc |
147 | 147 | ||
148 | ##allusers | 148 | ##allusers |
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index 6c985bc6e..4a1adbc26 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in | |||
@@ -45,23 +45,23 @@ _firejail() | |||
45 | --landlock.enforce) | 45 | --landlock.enforce) |
46 | return 0 | 46 | return 0 |
47 | ;; | 47 | ;; |
48 | --landlock.read) | 48 | --landlock.fs.read) |
49 | _filedir | 49 | _filedir |
50 | return 0 | 50 | return 0 |
51 | ;; | 51 | ;; |
52 | --landlock.write) | 52 | --landlock.fs.write) |
53 | _filedir | 53 | _filedir |
54 | return 0 | 54 | return 0 |
55 | ;; | 55 | ;; |
56 | --landlock.makeipc) | 56 | --landlock.fs.makeipc) |
57 | _filedir | 57 | _filedir |
58 | return 0 | 58 | return 0 |
59 | ;; | 59 | ;; |
60 | --landlock.makedev) | 60 | --landlock.fs.makedev) |
61 | _filedir | 61 | _filedir |
62 | return 0 | 62 | return 0 |
63 | ;; | 63 | ;; |
64 | --landlock.execute) | 64 | --landlock.fs.execute) |
65 | _filedir | 65 | _filedir |
66 | return 0 | 66 | return 0 |
67 | ;; | 67 | ;; |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2122649cf..4e018476e 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -152,11 +152,11 @@ typedef struct profile_entry_t { | |||
152 | 152 | ||
153 | typedef struct landlock_entry_t { | 153 | typedef struct landlock_entry_t { |
154 | struct landlock_entry_t *next; | 154 | struct landlock_entry_t *next; |
155 | #define LL_READ 0 | 155 | #define LL_FS_READ 0 |
156 | #define LL_WRITE 1 | 156 | #define LL_FS_WRITE 1 |
157 | #define LL_MAKEIPC 2 | 157 | #define LL_FS_MAKEIPC 2 |
158 | #define LL_MAKEDEV 3 | 158 | #define LL_FS_MAKEDEV 3 |
159 | #define LL_EXEC 4 | 159 | #define LL_FS_EXEC 4 |
160 | #define LL_MAX 5 | 160 | #define LL_MAX 5 |
161 | int type; | 161 | int type; |
162 | char *data; | 162 | char *data; |
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c index ce222624b..453ad8f10 100644 --- a/src/firejail/landlock.c +++ b/src/firejail/landlock.c | |||
@@ -174,7 +174,7 @@ static void ll_fs(const char *allowed_path, const __u64 allowed_access, | |||
174 | free(expanded_path); | 174 | free(expanded_path); |
175 | } | 175 | } |
176 | 176 | ||
177 | static void ll_read(const char *allowed_path) { | 177 | static void ll_fs_read(const char *allowed_path) { |
178 | __u64 allowed_access = | 178 | __u64 allowed_access = |
179 | LANDLOCK_ACCESS_FS_READ_DIR | | 179 | LANDLOCK_ACCESS_FS_READ_DIR | |
180 | LANDLOCK_ACCESS_FS_READ_FILE; | 180 | LANDLOCK_ACCESS_FS_READ_FILE; |
@@ -182,7 +182,7 @@ static void ll_read(const char *allowed_path) { | |||
182 | ll_fs(allowed_path, allowed_access, __func__); | 182 | ll_fs(allowed_path, allowed_access, __func__); |
183 | } | 183 | } |
184 | 184 | ||
185 | static void ll_write(const char *allowed_path) { | 185 | static void ll_fs_write(const char *allowed_path) { |
186 | __u64 allowed_access = | 186 | __u64 allowed_access = |
187 | LANDLOCK_ACCESS_FS_MAKE_DIR | | 187 | LANDLOCK_ACCESS_FS_MAKE_DIR | |
188 | LANDLOCK_ACCESS_FS_MAKE_REG | | 188 | LANDLOCK_ACCESS_FS_MAKE_REG | |
@@ -194,7 +194,7 @@ static void ll_write(const char *allowed_path) { | |||
194 | ll_fs(allowed_path, allowed_access, __func__); | 194 | ll_fs(allowed_path, allowed_access, __func__); |
195 | } | 195 | } |
196 | 196 | ||
197 | static void ll_makeipc(const char *allowed_path) { | 197 | static void ll_fs_makeipc(const char *allowed_path) { |
198 | __u64 allowed_access = | 198 | __u64 allowed_access = |
199 | LANDLOCK_ACCESS_FS_MAKE_FIFO | | 199 | LANDLOCK_ACCESS_FS_MAKE_FIFO | |
200 | LANDLOCK_ACCESS_FS_MAKE_SOCK; | 200 | LANDLOCK_ACCESS_FS_MAKE_SOCK; |
@@ -202,7 +202,7 @@ static void ll_makeipc(const char *allowed_path) { | |||
202 | ll_fs(allowed_path, allowed_access, __func__); | 202 | ll_fs(allowed_path, allowed_access, __func__); |
203 | } | 203 | } |
204 | 204 | ||
205 | static void ll_makedev(const char *allowed_path) { | 205 | static void ll_fs_makedev(const char *allowed_path) { |
206 | __u64 allowed_access = | 206 | __u64 allowed_access = |
207 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | | 207 | LANDLOCK_ACCESS_FS_MAKE_BLOCK | |
208 | LANDLOCK_ACCESS_FS_MAKE_CHAR; | 208 | LANDLOCK_ACCESS_FS_MAKE_CHAR; |
@@ -210,7 +210,7 @@ static void ll_makedev(const char *allowed_path) { | |||
210 | ll_fs(allowed_path, allowed_access, __func__); | 210 | ll_fs(allowed_path, allowed_access, __func__); |
211 | } | 211 | } |
212 | 212 | ||
213 | static void ll_exec(const char *allowed_path) { | 213 | static void ll_fs_exec(const char *allowed_path) { |
214 | __u64 allowed_access = | 214 | __u64 allowed_access = |
215 | LANDLOCK_ACCESS_FS_EXECUTE; | 215 | LANDLOCK_ACCESS_FS_EXECUTE; |
216 | 216 | ||
@@ -227,11 +227,11 @@ int ll_restrict(uint32_t flags) { | |||
227 | fprintf(stderr, "%s: Starting Landlock restrict\n", __func__); | 227 | fprintf(stderr, "%s: Starting Landlock restrict\n", __func__); |
228 | 228 | ||
229 | void (*fnc[])(const char *) = { | 229 | void (*fnc[])(const char *) = { |
230 | ll_read, | 230 | ll_fs_read, |
231 | ll_write, | 231 | ll_fs_write, |
232 | ll_makeipc, | 232 | ll_fs_makeipc, |
233 | ll_makedev, | 233 | ll_fs_makedev, |
234 | ll_exec, | 234 | ll_fs_exec, |
235 | NULL | 235 | NULL |
236 | }; | 236 | }; |
237 | 237 | ||
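Review bot: The renamed `fnc[]` table at 229–235 is still ordered positionally, so it agrees with the `LL_FS_*` values in firejail.h only by convention; inserting or reordering an entry on either side would route a rule of one type through the handler of another (say, an execute grant where a read rule was written) without any compiler complaint. Designated initializers pin each slot to its constant and let the compiler reject a duplicate or missing index. ll_restrict continues past the end of this hunk, so how the table is walked is not visible here; the trailing NULL suggests a sentinel loop, and the rewrite below keeps it.
```c
	void (*fnc[])(const char *) = {
		[LL_FS_READ] = ll_fs_read,
		[LL_FS_WRITE] = ll_fs_write,
		[LL_FS_MAKEIPC] = ll_fs_makeipc,
		[LL_FS_MAKEDEV] = ll_fs_makedev,
		[LL_FS_EXEC] = ll_fs_exec,
		NULL
	};
	/* … unchanged: rest of ll_restrict … */
```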
diff --git a/src/firejail/main.c b/src/firejail/main.c index 4d8ea20c3..0ce18ab01 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c | |||
@@ -1505,16 +1505,16 @@ int main(int argc, char **argv, char **envp) { | |||
1505 | #ifdef HAVE_LANDLOCK | 1505 | #ifdef HAVE_LANDLOCK |
1506 | else if (strncmp(argv[i], "--landlock.enforce", 18) == 0) | 1506 | else if (strncmp(argv[i], "--landlock.enforce", 18) == 0) |
1507 | arg_landlock_enforce = 1; | 1507 | arg_landlock_enforce = 1; |
1508 | else if (strncmp(argv[i], "--landlock.read=", 16) == 0) | 1508 | else if (strncmp(argv[i], "--landlock.fs.read=", 19) == 0) |
1509 | ll_add_profile(LL_READ, argv[i] + 16); | 1509 | ll_add_profile(LL_FS_READ, argv[i] + 19); |
1510 | else if (strncmp(argv[i], "--landlock.write=", 17) == 0) | 1510 | else if (strncmp(argv[i], "--landlock.fs.write=", 20) == 0) |
1511 | ll_add_profile(LL_WRITE, argv[i] + 17); | 1511 | ll_add_profile(LL_FS_WRITE, argv[i] + 20); |
1512 | else if (strncmp(argv[i], "--landlock.makeipc=", 19) == 0) | 1512 | else if (strncmp(argv[i], "--landlock.fs.makeipc=", 22) == 0) |
1513 | ll_add_profile(LL_MAKEIPC, argv[i] + 19); | 1513 | ll_add_profile(LL_FS_MAKEIPC, argv[i] + 22); |
1514 | else if (strncmp(argv[i], "--landlock.makedev=", 19) == 0) | 1514 | else if (strncmp(argv[i], "--landlock.fs.makedev=", 22) == 0) |
1515 | ll_add_profile(LL_MAKEDEV, argv[i] + 19); | 1515 | ll_add_profile(LL_FS_MAKEDEV, argv[i] + 22); |
1516 | else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) | 1516 | else if (strncmp(argv[i], "--landlock.fs.execute=", 22) == 0) |
1517 | ll_add_profile(LL_EXEC, argv[i] + 19); | 1517 | ll_add_profile(LL_FS_EXEC, argv[i] + 22); |
1518 | #endif | 1518 | #endif |
1519 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { | 1519 | else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { |
1520 | if (checkcfg(CFG_SECCOMP)) | 1520 | if (checkcfg(CFG_SECCOMP)) |
diff --git a/src/firejail/profile.c b/src/firejail/profile.c index a5a8393e9..4e0b17a8c 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c | |||
@@ -1078,24 +1078,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { | |||
1078 | arg_landlock_enforce = 1; | 1078 | arg_landlock_enforce = 1; |
1079 | return 0; | 1079 | return 0; |
1080 | } | 1080 | } |
1081 | if (strncmp(ptr, "landlock.read ", 14) == 0) { | 1081 | if (strncmp(ptr, "landlock.fs.read ", 17) == 0) { |
1082 | ll_add_profile(LL_READ, ptr + 14); | 1082 | ll_add_profile(LL_FS_READ, ptr + 17); |
1083 | return 0; | 1083 | return 0; |
1084 | } | 1084 | } |
1085 | if (strncmp(ptr, "landlock.write ", 15) == 0) { | 1085 | if (strncmp(ptr, "landlock.fs.write ", 18) == 0) { |
1086 | ll_add_profile(LL_WRITE, ptr + 15); | 1086 | ll_add_profile(LL_FS_WRITE, ptr + 18); |
1087 | return 0; | 1087 | return 0; |
1088 | } | 1088 | } |
1089 | if (strncmp(ptr, "landlock.makeipc ", 17) == 0) { | 1089 | if (strncmp(ptr, "landlock.fs.makeipc ", 20) == 0) { |
1090 | ll_add_profile(LL_MAKEIPC, ptr + 17); | 1090 | ll_add_profile(LL_FS_MAKEIPC, ptr + 20); |
1091 | return 0; | 1091 | return 0; |
1092 | } | 1092 | } |
1093 | if (strncmp(ptr, "landlock.makedev ", 17) == 0) { | 1093 | if (strncmp(ptr, "landlock.fs.makedev ", 20) == 0) { |
1094 | ll_add_profile(LL_MAKEDEV, ptr + 17); | 1094 | ll_add_profile(LL_FS_MAKEDEV, ptr + 20); |
1095 | return 0; | 1095 | return 0; |
1096 | } | 1096 | } |
1097 | if (strncmp(ptr, "landlock.execute ", 17) == 0) { | 1097 | if (strncmp(ptr, "landlock.fs.execute ", 20) == 0) { |
1098 | ll_add_profile(LL_EXEC, ptr + 17); | 1098 | ll_add_profile(LL_FS_EXEC, ptr + 20); |
1099 | return 0; | 1099 | return 0; |
1100 | } | 1100 | } |
1101 | #endif | 1101 | #endif |
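Review bot: The old `landlock.read`, `landlock.write`, `landlock.makeipc`, `landlock.makedev` and `landlock.execute` spellings are dropped with no alias, so any installed profile or user `.local` override that still uses them now takes whatever path profile_check_line reserves for unrecognised commands, which lies outside this hunk. If that path is a hard error the sandbox refuses to start, which is at least loud; if it only warns, the user's Landlock allow-rules silently vanish and a profile that still carries `landlock.enforce` fails closed, breaking the application with nothing but a warning to explain why. I would keep the old names as deprecated aliases for one release, e.g. `if (strncmp(ptr, "landlock.read ", 14) == 0) { fprintf(stderr, "Warning: landlock.read is deprecated, use landlock.fs.read\n"); ll_add_profile(LL_FS_READ, ptr + 14); return 0; }` and the same for the other four, and state in firejail-profile(5) that the unprefixed forms are no longer accepted. profile_check_line itself starts and ends outside this hunk.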
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c62e8c369..248b35853 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -135,11 +135,11 @@ static const char *const usage_str = | |||
135 | " --keep-var-tmp - /var/tmp directory is untouched.\n" | 135 | " --keep-var-tmp - /var/tmp directory is untouched.\n" |
136 | #ifdef HAVE_LANDLOCK | 136 | #ifdef HAVE_LANDLOCK |
137 | " --landlock.enforce - enforce the Landlock ruleset.\n" | 137 | " --landlock.enforce - enforce the Landlock ruleset.\n" |
138 | " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n" | 138 | " --landlock.fs.read=path - add a read access rule for the path to the Landlock ruleset.\n" |
139 | " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n" | 139 | " --landlock.fs.write=path - add a write access rule for the path to the Landlock ruleset.\n" |
140 | " --landlock.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n" | 140 | " --landlock.fs.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n" |
141 | " --landlock.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n" | 141 | " --landlock.fs.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n" |
142 | " --landlock.execute=path - add an execute access rule for the path to the Landlock ruleset.\n" | 142 | " --landlock.fs.execute=path - add an execute access rule for the path to the Landlock ruleset.\n" |
143 | #endif | 143 | #endif |
144 | " --list - list all sandboxes.\n" | 144 | " --list - list all sandboxes.\n" |
145 | #ifdef HAVE_FILE_TRANSFER | 145 | #ifdef HAVE_FILE_TRANSFER |
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index b6672c16b..e274a91d1 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in | |||
@@ -514,25 +514,25 @@ Enforce the Landlock ruleset. | |||
514 | .PP | 514 | .PP |
515 | Without it, the other Landlock commands have no effect. | 515 | Without it, the other Landlock commands have no effect. |
516 | .TP | 516 | .TP |
517 | \fBlandlock.read path | 517 | \fBlandlock.fs.read path |
518 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 518 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
519 | rule for path. | 519 | rule for path. |
520 | .TP | 520 | .TP |
521 | \fBlandlock.write path | 521 | \fBlandlock.fs.write path |
522 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 522 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
523 | rule for path. | 523 | rule for path. |
524 | .TP | 524 | .TP |
525 | \fBlandlock.makeipc path | 525 | \fBlandlock.fs.makeipc path |
526 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 526 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
527 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath | 527 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
528 | the given path. | 528 | the given path. |
529 | .TP | 529 | .TP |
530 | \fBlandlock.makedev path | 530 | \fBlandlock.fs.makedev path |
531 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 531 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
532 | allows the creation of block devices and character devices beneath the given | 532 | allows the creation of block devices and character devices beneath the given |
533 | path. | 533 | path. |
534 | .TP | 534 | .TP |
535 | \fBlandlock.execute path | 535 | \fBlandlock.fs.execute path |
536 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 536 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
537 | permission rule for path. | 537 | permission rule for path. |
538 | #endif | 538 | #endif |
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 6548b8e5d..618b4955e 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -1241,25 +1241,25 @@ Enforce the Landlock ruleset. | |||
1241 | Without it, the other Landlock commands have no effect. | 1241 | Without it, the other Landlock commands have no effect. |
1242 | See the \fBLANDLOCK\fR section for more information. | 1242 | See the \fBLANDLOCK\fR section for more information. |
1243 | .TP | 1243 | .TP |
1244 | \fB\-\-landlock.read=path | 1244 | \fB\-\-landlock.fs.read=path |
1245 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 1245 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
1246 | rule for path. | 1246 | rule for path. |
1247 | .TP | 1247 | .TP |
1248 | \fB\-\-landlock.write=path | 1248 | \fB\-\-landlock.fs.write=path |
1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
1250 | rule for path. | 1250 | rule for path. |
1251 | .TP | 1251 | .TP |
1252 | \fB\-\-landlock.makeipc=path | 1252 | \fB\-\-landlock.fs.makeipc=path |
1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1254 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath | 1254 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
1255 | the given path. | 1255 | the given path. |
1256 | .TP | 1256 | .TP |
1257 | \fB\-\-landlock.makedev=path | 1257 | \fB\-\-landlock.fs.makedev=path |
1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1259 | allows the creation of block devices and character devices beneath the given | 1259 | allows the creation of block devices and character devices beneath the given |
1260 | path. | 1260 | path. |
1261 | .TP | 1261 | .TP |
1262 | \fB\-\-landlock.execute=path | 1262 | \fB\-\-landlock.fs.execute=path |
1263 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 1263 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
1264 | permission rule for path. | 1264 | permission rule for path. |
1265 | .br | 1265 | .br |
@@ -1267,8 +1267,8 @@ permission rule for path. | |||
1267 | .br | 1267 | .br |
1268 | Example: | 1268 | Example: |
1269 | .br | 1269 | .br |
1270 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home | 1270 | $ firejail \-\-landlock.fs.read=/ \-\-landlock.fs.write=/home |
1271 | \-\-landlock.execute=/usr \-\-landlock.enforce | 1271 | \-\-landlock.fs.execute=/usr \-\-landlock.enforce |
1272 | #endif | 1272 | #endif |
1273 | .TP | 1273 | .TP |
1274 | \fB\-\-list | 1274 | \fB\-\-list |
@@ -3404,7 +3404,7 @@ features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. | |||
3404 | Without it, the other Landlock commands have no effect. | 3404 | Without it, the other Landlock commands have no effect. |
3405 | Example: | 3405 | Example: |
3406 | .PP | 3406 | .PP |
3407 | $ firejail \-\-landlock.enforce \-\-landlock.read=/media mc | 3407 | $ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc |
3408 | .PP | 3408 | .PP |
3409 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. | 3409 | To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. |
3410 | #endif | 3410 | #endif |
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 45f24d5f3..15e9a5111 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -108,11 +108,11 @@ _firejail_args=( | |||
108 | '--keep-var-tmp[/var/tmp directory is untouched]' | 108 | '--keep-var-tmp[/var/tmp directory is untouched]' |
109 | #ifdef HAVE_LANDLOCK | 109 | #ifdef HAVE_LANDLOCK |
110 | '--landlock.enforce[enforce the Landlock ruleset]' | 110 | '--landlock.enforce[enforce the Landlock ruleset]' |
111 | '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' | 111 | '--landlock.fs.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' |
112 | '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' | 112 | '--landlock.fs.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' |
113 | '--landlock.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files' | 113 | '--landlock.fs.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files' |
114 | '--landlock.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files' | 114 | '--landlock.fs.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files' |
115 | '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' | 115 | '--landlock.fs.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' |
116 | #endif | 116 | #endif |
117 | '--machine-id[spoof /etc/machine-id with a random id]' | 117 | '--machine-id[spoof /etc/machine-id with a random id]' |
118 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | 118 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' |