-rw-r--r-- | contrib/syntax/lists/profile_commands_arg0.list | 2 | ||||
-rw-r--r-- | contrib/syntax/lists/profile_commands_arg1.list | 1 | ||||
-rw-r--r-- | etc/inc/landlock-common.inc | 39 | ||||
-rw-r--r-- | etc/profile-a-l/default.profile | 2 | ||||
-rw-r--r-- | etc/templates/profile.template | 7 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 4 | ||||
-rw-r--r-- | src/firejail/landlock.c | 50 | ||||
-rw-r--r-- | src/firejail/main.c | 20 | ||||
-rw-r--r-- | src/firejail/profile.c | 21 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 15 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in | 15 | ||||
-rw-r--r-- | src/man/firejail.1.in | 41 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 3 |
15 files changed, 79 insertions, 146 deletions
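--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -12,7 +12,7 @@ keep-config-pulse
 keep-dev-shm
 keep-shell-rc
 keep-var-tmp
-landlock
+landlock.enforce
 machine-id
 memory-deny-write-execute
 netfilter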
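--- a/contrib/syntax/lists/profile_commands_arg1.list
+++ b/contrib/syntax/lists/profile_commands_arg1.list
@@ -30,7 +30,6 @@ iprange
 join-or-start
 keep-fd
 landlock.execute
-landlock.proc
 landlock.read
 landlock.special
 landlock.write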
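--- /dev/null
+++ b/etc/inc/landlock-common.inc
@@ -0,0 +1,39 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include landlock-common.local
+
+landlock.read / # whole system read
+landlock.read /proc
+landlock.special / # sockets etc.
+
+# write access
+landlock.write ${HOME}
+landlock.write ${RUNUSER}
+landlock.write /dev
+landlock.write /proc
+landlock.write /run/shm
+landlock.write /tmp
+
+# exec access
+## misc
+landlock.execute /opt
+landlock.execute /run/firejail # appimage and various firejail features
+## bin
+landlock.execute /bin
+landlock.execute /sbin
+landlock.execute /usr/bin
+landlock.execute /usr/sbin
+landlock.execute /usr/games
+landlock.execute /usr/local/bin
+landlock.execute /usr/local/sbin
+landlock.execute /usr/local/games
+## lib
+landlock.execute /lib
+landlock.execute /lib32
+landlock.execute /libx32
+landlock.execute /lib64
+landlock.execute /usr/lib
+landlock.execute /usr/lib32
+landlock.execute /usr/libx32
+landlock.execute /usr/lib64
+landlock.execute /usr/local/lib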
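Review bot: The `landlock.read /proc` and `landlock.write /proc` lines move /proc access into profile parsing, whereas the code this commit removes from sandbox.c added the /proc rules only after the sandbox had set that directory up, and the removed man page text said that /proc rules coming from other profile options had no effect. Whether a rule parsed from the profile at startup still covers the sandbox's /proc as it is mounted later depends on when ll_add_profile materialises the rule, which is not visible in this diff. Note also that `landlock.read /proc` is redundant with the preceding `landlock.read /` unless rule timing does matter, which suggests the question is open. It is worth checking a sandboxed read of a /proc file under `landlock.enforce` and, if it holds, recording that in a comment next to these two lines.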
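--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -22,6 +22,8 @@ include disable-programs.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
+include landlock-common.inc
+
 #apparmor
 caps.drop all
 #ipc-namespace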
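--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -137,6 +137,13 @@ include globals.local
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
+# Landlock commands
+##landlock.read PATH
+##landlock.write PATH
+##landlock.special PATH
+##landlock.execute PATH
+#include landlock-common.inc
+
 ##allusers
 #apparmor
 #caps.drop all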
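--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -42,7 +42,7 @@ _firejail()
 _filedir -d
 return 0
 ;;
---landlock)
+--landlock.enforce)
 return 0
 ;;
 --landlock.read)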
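--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -293,8 +293,7 @@ extern int arg_overlay; // overlay option
 extern int arg_overlay_keep; // place overlay diff in a known directory
 extern int arg_overlay_reuse; // allow the reuse of overlays
 
-extern int arg_landlock; // add basic Landlock rules
-extern int arg_landlock_proc; // 0 - no access; 1 -read-only; 2 - read-write
+extern int arg_landlock_enforce; // enforce the Landlock ruleset
 
 extern int arg_seccomp; // enable default seccomp filter
 extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
@@ -973,7 +972,6 @@ int ll_read(const char *allowed_path);
 int ll_write(const char *allowed_path);
 int ll_special(const char *allowed_path);
 int ll_exec(const char *allowed_path);
-int ll_basic_system(void);
 int ll_restrict(uint32_t flags);
 void ll_add_profile(int type, const char *data);
 #endif /* HAVE_LANDLOCK */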
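--- a/src/firejail/landlock.c
+++ b/src/firejail/landlock.c
@@ -202,56 +202,6 @@ int ll_exec(const char *allowed_path) {
 return ll_fs(allowed_path, allowed_access, __func__);
 }
 
-int ll_basic_system(void) {
-if (!ll_is_supported())
-return 0;
-
-if (ll_ruleset_fd == -1)
-ll_ruleset_fd = ll_create_full_ruleset();
-
-int error =
-ll_read("/") || // whole system read
-ll_special("/") || // sockets etc.
-
-// write access
-ll_write("${HOME}") ||
-ll_write("${RUNUSER}") ||
-ll_write("/dev") ||
-ll_write("/run/shm") ||
-ll_write("/tmp") ||
-
-// exec access
-/// misc
-ll_exec("/opt") ||
-ll_exec("/run/firejail") || // appimage and various firejail features
-/// bin
-ll_exec("/bin") ||
-ll_exec("/sbin") ||
-ll_exec("/usr/bin") ||
-ll_exec("/usr/sbin") ||
-ll_exec("/usr/games") ||
-ll_exec("/usr/local/bin") ||
-ll_exec("/usr/local/sbin") ||
-ll_exec("/usr/local/games") ||
-/// lib
-ll_exec("/lib") ||
-ll_exec("/lib32") ||
-ll_exec("/libx32") ||
-ll_exec("/lib64") ||
-ll_exec("/usr/lib") ||
-ll_exec("/usr/lib32") ||
-ll_exec("/usr/libx32") ||
-ll_exec("/usr/lib64") ||
-ll_exec("/usr/local/lib");
-
-if (error) {
-fprintf(stderr, "Error: %s: failed to set --landlock rules\n",
-__func__);
-}
-
-return error;
-}
-
 int ll_restrict(uint32_t flags) {
 if (!ll_is_supported())
 return 0;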
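--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -75,8 +75,7 @@ int arg_overlay = 0; // overlay option
 int arg_overlay_keep = 0; // place overlay diff in a known directory
 int arg_overlay_reuse = 0; // allow the reuse of overlays
 
-int arg_landlock = 0; // add basic Landlock rules
-int arg_landlock_proc = 2; // 0 - no access; 1 -read-only; 2 - read-write
+int arg_landlock_enforce = 0; // enforce the Landlock ruleset
 
 int arg_seccomp = 0; // enable default seccomp filter
 int arg_seccomp32 = 0; // enable default seccomp filter for 32 bit arch
@@ -1504,21 +1503,8 @@ int main(int argc, char **argv, char **envp) {
 exit_err_feature("seccomp");
 }
 #ifdef HAVE_LANDLOCK
-else if (strcmp(argv[i], "--landlock") == 0)
-arg_landlock = 1;
-else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
-if (strncmp(argv[i] + 16, "no", 2) == 0)
-arg_landlock_proc = 0;
-else if (strncmp(argv[i] + 16, "ro", 2) == 0)
-arg_landlock_proc = 1;
-else if (strncmp(argv[i] + 16, "rw", 2) == 0)
-arg_landlock_proc = 2;
-else {
-fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
-argv[i] + 16);
-exit(1);
-}
-}
+else if (strncmp(argv[i], "--landlock.enforce", 18) == 0)
+arg_landlock_enforce = 1;
 else if (strncmp(argv[i], "--landlock.read=", 16) == 0)
 ll_add_profile(LL_READ, argv[i] + 16);
 else if (strncmp(argv[i], "--landlock.write=", 17) == 0)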
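Review bot: The new match `strncmp(argv[i], "--landlock.enforce", 18) == 0` only compares the first 18 characters, so any argument that merely begins with `--landlock.enforce` (a typo such as `--landlock.enforced`, or a stray `--landlock.enforce=x`) is silently accepted as the flag; the removed `--landlock` line used `strcmp`, and the sibling options that take a value include the `=` in the prefix, which this valueless flag cannot do. Unless a prefix match is intended, the exact comparison `else if (strcmp(argv[i], "--landlock.enforce") == 0)` is the right one. The same prefix match is introduced in profile.c as `if (strncmp(ptr, "landlock.enforce", 16) == 0) {`, where `if (strcmp(ptr, "landlock.enforce") == 0) {` would reject a malformed profile line instead of quietly enabling enforcement. main's body continues outside the hunk.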
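--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1074,24 +1074,9 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 
 #ifdef HAVE_LANDLOCK
-// Landlock ruleset paths
-if (strcmp(ptr, "landlock") == 0) {
-arg_landlock = 1;
-return 0;
-}
-if (strncmp(ptr, "landlock.proc ", 14) == 0) {
-if (strncmp(ptr + 14, "no", 2) == 0)
-arg_landlock_proc = 0;
-else if (strncmp(ptr + 14, "ro", 2) == 0)
-arg_landlock_proc = 1;
-else if (strncmp(ptr + 14, "rw", 2) == 0)
-arg_landlock_proc = 2;
-else {
-fprintf(stderr, "Error: invalid landlock.proc value: %s\n",
-ptr + 14);
-exit(1);
-}
-return 0;
+if (strncmp(ptr, "landlock.enforce", 16) == 0) {
+arg_landlock_enforce = 1;
+return 0;
 }
 if (strncmp(ptr, "landlock.read ", 14) == 0) {
 ll_add_profile(LL_READ, ptr + 14);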
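--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -520,21 +520,14 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
 //****************************
 // Configure Landlock
 //****************************
-if (arg_landlock)
-ll_basic_system();
-
-if (ll_get_fd() != -1) {
-if (arg_landlock_proc >= 1)
-ll_read("/proc/");
-if (arg_landlock_proc == 2)
-ll_write("/proc/");
-}
-
-if (ll_restrict(0)) {
+if (arg_landlock_enforce && ll_restrict(0)) {
 // It isn't safe to continue if Landlock self-restriction was
 // enabled and the "landlock_restrict_self" syscall has failed.
 fprintf(stderr, "Error: ll_restrict() failed, exiting...\n");
 exit(1);
+} else {
+if (arg_debug)
+fprintf(stderr, "Not enforcing Landlock\n");
 }
 #endif
 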
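Review bot: The new `} else {` branch is attached to the combined condition `arg_landlock_enforce && ll_restrict(0)`, so it also runs when `arg_landlock_enforce` is set and `ll_restrict(0)` returns 0, which is the success path (and, per the `ll_is_supported()` check visible in landlock.c, the unsupported-kernel path); with `--debug` a sandbox that has just been successfully restricted prints "Not enforcing Landlock". The enforce decision and the failure check should be separate conditions so the debug message reflects only the option. start_application continues outside the hunk.
```c
if (arg_landlock_enforce) {
	if (ll_restrict(0)) {
		// It isn't safe to continue if Landlock self-restriction was
		// enabled and the "landlock_restrict_self" syscall has failed.
		fprintf(stderr, "Error: ll_restrict() failed, exiting...\n");
		exit(1);
	}
} else if (arg_debug) {
	fprintf(stderr, "Not enforcing Landlock\n");
}
```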
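--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -134,8 +134,7 @@ static const char *const usage_str =
 " --keep-shell-rc - do not copy shell rc files from /etc/skel\n"
 " --keep-var-tmp - /var/tmp directory is untouched.\n"
 #ifdef HAVE_LANDLOCK
-" --landlock - add basic rules to the Landlock ruleset.\n"
-" --landlock.proc=no|ro|rw - add an access rule for /proc to the Landlock ruleset.\n"
+" --landlock.enforce - enforce the Landlock ruleset.\n"
 " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n"
 " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n"
 " --landlock.special=path - add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets.\n"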
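--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -509,17 +509,10 @@ Blacklist all Linux capabilities.
 Whitelist given Linux capabilities.
 #ifdef HAVE_LANDLOCK
 .TP
-\fBlandlock
-Create a Landlock ruleset (if it doesn't already exist) and add basic access
-rules to it.
-.TP
-\fBlandlock.proc no|ro|rw
-Add an access rule for /proc directory (read-only if set to \fBro\fR and
-read-write if set to \fBrw\fR).
-The access rule for /proc is added after this directory is set up in the
-sandbox.
-Access rules for /proc set up with other Landlock-related profile options have
-no effect.
+\fBlandlock.enforce
+Enforce the Landlock ruleset.
+.PP
+Without it, the other Landlock commands have no effect.
 .TP
 \fBlandlock.read path
 Create a Landlock ruleset (if it doesn't already exist) and add a read access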
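--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1245,31 +1245,15 @@ $ firejail --keep-var-tmp
 
 #ifdef HAVE_LANDLOCK
 .TP
-\fB\-\-landlock
-Create a Landlock ruleset (if it doesn't already exist) and add basic access
-rules to it.
-The basic set of rules applies the following access permissions:
+\fB\-\-landlock.enforce
+Enforce the Landlock ruleset.
 .PP
-.RS
-- read: /bin, /dev, /etc, /lib, /opt, /proc, /usr, /var
-.br
-- write: /dev, /proc
-.br
-- exec: /bin, /lib, /opt, /usr
-.RE
+Without it, the other Landlock commands have no effect.
 .PP
 .RS
 See the \fBLANDLOCK\fR section for more information.
 .RE
 .TP
-\fB\-\-landlock.proc=no|ro|rw
-Add an access rule for /proc directory (read-only if set to \fBro\fR and
-read-write if set to \fBrw\fR).
-The access rule for /proc is added after this directory is set up in the
-sandbox.
-Access rules for /proc set up with other Landlock-related command-line options
-have no effect.
-.TP
 \fB\-\-landlock.read=path
 Create a Landlock ruleset (if it doesn't already exist) and add a read access
 rule for path.
@@ -1291,7 +1275,9 @@ permission rule for path.
 .br
 Example:
 .br
-$ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr
+$ firejail \-\-landlock.read=/ \-\-landlock.write=/home
+\-\-landlock.execute=/usr \-\-landlock.enforce
+.PP
 #endif
 .TP
 \fB\-\-list
@@ -3426,7 +3412,7 @@ Firejail supports Landlock as an additional sandboxing feature.
 It can be used to ensure that a sandboxed application can only access files and
 directories that it was explicitly allowed to access.
 Firejail supports populating the ruleset with both a basic set of rules (see
-\fB\-\-landlock\fR) and with a custom set of rules.
+landlock-common.inc) and with a custom set of rules.
 .TP
 Important notes:
 .PP
@@ -3438,9 +3424,6 @@ Because of this, enabling the Landlock feature will also cause Firejail to
 enable the "No New Privileges" restriction, regardless of the profile or the
 \fB\-\-nonewprivs\fR command line option.
 .PP
-- Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR
-command line option.
-.PP
 - Access to the /etc directory is automatically allowed.
 To override this, use the \fB\-\-writable\-etc\fR command line option.
 You can also use the \fB\-\-private\-etc\fR option to restrict access to the
@@ -3448,13 +3431,13 @@ You can also use the \fB\-\-private\-etc\fR option to restrict access to the
 .RE
 .PP
 To enable Landlock self-restriction on top of your current Firejail security
-features, pass \fB\-\-landlock\fR flag to Firejail command line.
-You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR,
-\fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with
-\fB\-\-landlock\fR or instead of it.
+features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
+Without it, the other Landlock commands have no effect.
 Example:
 .PP
-$ firejail \-\-landlock \-\-landlock.read=/media \-\-landlock.proc=ro mc
+$ firejail \-\-landlock.enforce \-\-landlock.read=/media mc
+.PP
+To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
 #endif
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.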
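--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -107,8 +107,7 @@ _firejail_args=(
 '--keep-shell-rc[do not copy shell rc files from /etc/skel]'
 '--keep-var-tmp[/var/tmp directory is untouched]'
 #ifdef HAVE_LANDLOCK
-'--landlock[add basic rules to the Landlock ruleset]'
-'--landlock.proc=-[add an access rule for /proc to the Landlock ruleset]: :(no ro rw)'
+'--landlock.enforce[enforce the Landlock ruleset]'
 '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files'
 '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files'
 '--landlock.special=-[add an access rule for the path to the Landlock ruleset for creating block/char devices, named pipes and sockets]: :_files'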