-rw-r--r--README2
-rw-r--r--README.md84
-rw-r--r--RELNOTES1
-rw-r--r--config.mk.in3
-rwxr-xr-xconfigure688
-rw-r--r--configure.ac11
-rw-r--r--contrib/vim/syntax/firejail.vim2
-rw-r--r--src/bash_completion/firejail.bash_completion.in16
-rw-r--r--src/firejail/checkcfg.c8
-rw-r--r--src/firejail/firejail.h21
-rw-r--r--src/firejail/landlock.c101
-rw-r--r--src/firejail/main.c81
-rw-r--r--src/firejail/profile.c84
-rw-r--r--src/firejail/sandbox.c27
-rw-r--r--src/firejail/usage.c6
-rw-r--r--src/firejail/util.c4
-rw-r--r--src/man/firejail-profile.txt29
-rw-r--r--src/man/firejail.txt63
-rw-r--r--src/zsh_completion/_firejail.in6
19 files changed, 338 insertions, 899 deletions
diff --git a/README b/README
index 39087d987..054d88cce 100644
--- a/README
+++ b/README
@@ -253,8 +253,6 @@ cayday (https://github.com/caydey)
253Christian Pinedo (https://github.com/chrpinedo) 253Christian Pinedo (https://github.com/chrpinedo)
254 - added nicotine profile 254 - added nicotine profile
255 - allow python3 in totem profile 255 - allow python3 in totem profile
256ChrysoliteAzalea (https://github.com/ChrysoliteAzalea)
257 - Landlock support
258creideiki (https://github.com/creideiki) 256creideiki (https://github.com/creideiki)
259 - make the sandbox process reap all children 257 - make the sandbox process reap all children
260 - tor browser profile fix 258 - tor browser profile fix
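Review bot: Dropping the ChrysoliteAzalea credit line together with the code may not be intended if the removal is temporary; the README.md section removed in this same commit says Landlock is expected to ship "officially" in 0.9.74. If the feature is only being pulled from this release, keep the contributor entry so it does not have to be re-added later.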
diff --git a/README.md b/README.md
index ba45d27ae..6eecbf317 100644
--- a/README.md
+++ b/README.md
@@ -230,90 +230,6 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1
230 kernel. For more information, please see APPARMOR section be‐ 230 kernel. For more information, please see APPARMOR section be‐
231````` 231`````
232 232
233### Landlock support - EXPERIMENTAL
234For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build
235or in the executable archives we provide. It will be "officially" released
236in 0.9.74, sometime early next year. For now, use --enable-landlock during software compile:
237`````
238$ ./configure --enable-landlock
239`````
240The functionality is segragated with ifdefs in the code, at times it might not even compile!
241Work in progress, the interface described in the man page below could change.
242`````
243 --landlock
244 Create a Landlock ruleset (if it doesn't already exist) and add
245 basic access rules to it. See LANDLOCK section for more informa‐
246 tion.
247
248 --landlock.proc=no|ro|rw
249 Add an access rule for /proc directory (read-only if set to ro
250 and read-write if set to rw). The access rule for /proc is added
251 after this directory is set up in the sandbox. Access rules for
252 /proc set up with other Landlock-related command-line options
253 have no effect.
254
255 --landlock.read=path
256 Create a Landlock ruleset (if it doesn't already exist) and add
257 a read access rule for path.
258
259 --landlock.write=path
260 Create a Landlock ruleset (if it doesn't already exist) and add
261 a write access rule for path.
262
263 --landlock.special=path
264 Create a Landlock ruleset (if it doesn't already exist) and add
265 a permission rule to create FIFO pipes, Unix domain sockets and
266 block devices beneath given path.
267
268 --landlock.execute=path
269 Create a Landlock ruleset (if it doesn't already exist) and add
270 an execution permission rule for path.
271
272 Example:
273 $ firejail --landlock.read=/ --landlock.write=/home --land‐
274 lock.execute=/usr
275
276LANDLOCK
277 Landlock is a Linux security module first introduced in the 5.13 ver‐
278 sion of Linux kernel. It allows unprivileged processes to restrict
279 their access to the filesystem. Once imposed, these restrictions can
280 never be removed, and all child processes created by a Landlock-re‐
281 stricted processes inherit these restrictions. Firejail supports Land‐
282 lock as an additional sandboxing feature. It can be used to ensure that
283 a sandboxed application can only access files and directories that it
284 was explicitly allowed to access. Firejail supports populating the
285 ruleset with both basic set of rules and with custom set of rules. Ba‐
286 sic set of rules allows read-only access to /bin, /dev, /etc, /lib,
287 /opt, /proc, /usr and /var, read-write access to the home directory,
288 and allows execution of binaries located in /bin, /opt and /usr.
289
290 Important notes:
291
292 - A process can install a Landlock ruleset only if it has either
293 CAP_SYS_ADMIN in its effective capability set, or the "No New
294 Privileges" restriction enabled. Because of this, enabling the
295 Landlock feature will also cause Firejail to enable the "No New
296 Privileges" restriction, regardless of the profile or the
297 --no-new-privs command line option.
298
299 - Access to the /proc directory is managed through the --land‐
300 lock.proc command line option.
301
302 - Access to the /etc directory is automatically allowed. To
303 override this, use the --writable-etc command line option. You
304 can also use the --private-etc option to restrict access to the
305 /etc directory.
306
307 To enable Landlock self-restriction on top of your current Firejail se‐
308 curity features, pass --landlock flag to Firejail command line. You can
309 also use --landlock.read, --landlock.write, --landlock.special and
310 --landlock.execute options together with --landlock or instead of it.
311 Example:
312
313 $ firejail --landlock --landlock.read=/media --landlock.proc=ro
314 mc
315`````
316
317### Profile Statistics 233### Profile Statistics
318 234
319A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. 235A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.
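Review bot: After this hunk README.md no longer mentions Landlock at all, yet the removed text told users to build with `./configure --enable-landlock` and promised the feature for 0.9.74. Consider leaving a one-line pointer (for example to the tracking issue #5269 cited in RELNOTES) so users who followed the old instructions understand why `--landlock` and the configure switch are gone, rather than finding the section silently deleted.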
diff --git a/RELNOTES b/RELNOTES
index 757ebd94f..f78586da9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -16,7 +16,6 @@ firejail (0.9.71) baseline; urgency=low
16 a seccomp filter for both 64 and 32 bit architectures (#4939 #5259) 16 a seccomp filter for both 64 and 32 bit architectures (#4939 #5259)
17 * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316 17 * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
18 #5317) 18 #5317)
19 * feature: Landlock support (#5269)
20 * bugfix: Flood of seccomp audit log entries (#5207) 19 * bugfix: Flood of seccomp audit log entries (#5207)
21 * build: deduplicate configure-time vars into new config files (#5140 #5284) 20 * build: deduplicate configure-time vars into new config files (#5140 #5284)
22 * build: fix file mode of shell scripts (644 -> 755) (#5206) 21 * build: fix file mode of shell scripts (644 -> 755) (#5206)
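Review bot: Removing the `feature: Landlock support (#5269)` entry is consistent with removing the code, but nothing now records that the feature was pulled. Since it had already been announced (in README.md) as experimental and buildable with `--enable-landlock`, a short line noting that Landlock support was withdrawn from this release and deferred would help anyone who tested it.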
diff --git a/config.mk.in b/config.mk.in
index 150ac8e15..9973b7eaa 100644
--- a/config.mk.in
+++ b/config.mk.in
@@ -41,7 +41,6 @@ HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
41HAVE_IDS=@HAVE_IDS@ 41HAVE_IDS=@HAVE_IDS@
42HAVE_GCOV=@HAVE_GCOV@ 42HAVE_GCOV=@HAVE_GCOV@
43HAVE_SELINUX=@HAVE_SELINUX@ 43HAVE_SELINUX=@HAVE_SELINUX@
44HAVE_LANDLOCK=@HAVE_LANDLOCK@
45HAVE_SUID=@HAVE_SUID@ 44HAVE_SUID=@HAVE_SUID@
46HAVE_DBUSPROXY=@HAVE_DBUSPROXY@ 45HAVE_DBUSPROXY=@HAVE_DBUSPROXY@
47HAVE_USERTMPFS=@HAVE_USERTMPFS@ 46HAVE_USERTMPFS=@HAVE_USERTMPFS@
@@ -50,7 +49,7 @@ HAVE_LTS=@HAVE_LTS@
50HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@ 49HAVE_FORCE_NONEWPRIVS=@HAVE_FORCE_NONEWPRIVS@
51HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@ 50HAVE_ONLY_SYSCFG_PROFILES=@HAVE_ONLY_SYSCFG_PROFILES@
52 51
53MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_LANDLOCK) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES) 52MANFLAGS = $(HAVE_LTS) $(HAVE_OUTPUT) $(HAVE_X11) $(HAVE_PRIVATE_HOME) $(HAVE_APPARMOR) $(HAVE_IDS) $(HAVE_OVERLAYFS) $(HAVE_USERTMPFS) $(HAVE_DBUSPROXY) $(HAVE_FIRETUNNEL) $(HAVE_GLOBALCFG) $(HAVE_CHROOT) $(HAVE_NETWORK) $(HAVE_USERNS) $(HAVE_FILE_TRANSFER) $(HAVE_SELINUX) $(HAVE_SUID) $(HAVE_FORCE_NONEWPRIVS) $(HAVE_ONLY_SYSCFG_PROFILES)
54 53
55CC=@CC@ 54CC=@CC@
56CFLAGS=@CFLAGS@ 55CFLAGS=@CFLAGS@
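Review bot: With `$(HAVE_LANDLOCK)` dropped from MANFLAGS, any `#ifdef HAVE_LANDLOCK` block still present in the man page sources would now be unconditionally stripped at build time rather than failing loudly. The diffstat lists src/man/firejail.txt and src/man/firejail-profile.txt as changed, so confirm those blocks are actually removed there and not left depending on a flag that no longer exists.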
diff --git a/configure b/configure
index ab000762d..f3bd77169 100755
--- a/configure
+++ b/configure
@@ -624,6 +624,9 @@ ac_includes_default="\
624 624
625ac_subst_vars='LTLIBOBJS 625ac_subst_vars='LTLIBOBJS
626LIBOBJS 626LIBOBJS
627EGREP
628GREP
629CPP
627HAVE_LTS 630HAVE_LTS
628HAVE_ONLY_SYSCFG_PROFILES 631HAVE_ONLY_SYSCFG_PROFILES
629HAVE_FORCE_NONEWPRIVS 632HAVE_FORCE_NONEWPRIVS
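Review bot: The EGREP/GREP/CPP substitution variables move because the early `AC_CHECK_HEADER([linux/landlock.h])` that first pulled in the preprocessor checks is removed from configure.ac, so they are now first emitted by the later seccomp.h check. This is expected regeneration noise, not a functional change, but confirm `configure` was regenerated with the same autoconf version as the previous commit so no unrelated churn is mixed into the 688-line diff.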
@@ -648,10 +651,6 @@ HAVE_OVERLAYFS
648HAVE_DBUSPROXY 651HAVE_DBUSPROXY
649EXTRA_LDFLAGS 652EXTRA_LDFLAGS
650EXTRA_CFLAGS 653EXTRA_CFLAGS
651EGREP
652GREP
653CPP
654HAVE_LANDLOCK
655HAVE_SELINUX 654HAVE_SELINUX
656AA_LIBS 655AA_LIBS
657AA_CFLAGS 656AA_CFLAGS
@@ -714,7 +713,6 @@ enable_sanitizer
714enable_ids 713enable_ids
715enable_apparmor 714enable_apparmor
716enable_selinux 715enable_selinux
717enable_landlock
718enable_dbusproxy 716enable_dbusproxy
719enable_output 717enable_output
720enable_usertmpfs 718enable_usertmpfs
@@ -1376,7 +1374,6 @@ Optional Features:
1376 --enable-ids enable ids 1374 --enable-ids enable ids
1377 --enable-apparmor enable apparmor 1375 --enable-apparmor enable apparmor
1378 --enable-selinux SELinux labeling support 1376 --enable-selinux SELinux labeling support
1379 --enable-landlock Landlock self-restriction support
1380 --disable-dbusproxy disable dbus proxy 1377 --disable-dbusproxy disable dbus proxy
1381 --disable-output disable --output logging 1378 --disable-output disable --output logging
1382 --disable-usertmpfs disable tmpfs as regular user 1379 --disable-usertmpfs disable tmpfs as regular user
@@ -3345,11 +3342,336 @@ if test "x$enable_selinux" = "xyes"; then :
3345 3342
3346fi 3343fi
3347 3344
3348HAVE_LANDLOCK=""
3349 3345
3350# Check whether --enable-landlock was given. 3346
3351if test "${enable_landlock+set}" = set; then : 3347
3352 enableval=$enable_landlock; 3348
3349HAVE_DBUSPROXY=""
3350
3351# Check whether --enable-dbusproxy was given.
3352if test "${enable_dbusproxy+set}" = set; then :
3353 enableval=$enable_dbusproxy;
3354fi
3355
3356if test "x$enable_dbusproxy" != "xno"; then :
3357
3358 HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
3359
3360fi
3361
3362# overlayfs features temporarily disabled pending fixes
3363HAVE_OVERLAYFS=""
3364
3365#AC_ARG_ENABLE([overlayfs],
3366# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
3367#AS_IF([test "x$enable_overlayfs" != "xno"], [
3368# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
3369#])
3370
3371HAVE_OUTPUT=""
3372
3373# Check whether --enable-output was given.
3374if test "${enable_output+set}" = set; then :
3375 enableval=$enable_output;
3376fi
3377
3378if test "x$enable_output" != "xno"; then :
3379
3380 HAVE_OUTPUT="-DHAVE_OUTPUT"
3381
3382fi
3383
3384HAVE_USERTMPFS=""
3385
3386# Check whether --enable-usertmpfs was given.
3387if test "${enable_usertmpfs+set}" = set; then :
3388 enableval=$enable_usertmpfs;
3389fi
3390
3391if test "x$enable_usertmpfs" != "xno"; then :
3392
3393 HAVE_USERTMPFS="-DHAVE_USERTMPFS"
3394
3395fi
3396
3397HAVE_MAN="no"
3398
3399# Check whether --enable-man was given.
3400if test "${enable_man+set}" = set; then :
3401 enableval=$enable_man;
3402fi
3403
3404if test "x$enable_man" != "xno"; then :
3405
3406 HAVE_MAN="-DHAVE_MAN"
3407 # Extract the first word of "gawk", so it can be a program name with args.
3408set dummy gawk; ac_word=$2
3409{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
3410$as_echo_n "checking for $ac_word... " >&6; }
3411if ${ac_cv_prog_HAVE_GAWK+:} false; then :
3412 $as_echo_n "(cached) " >&6
3413else
3414 if test -n "$HAVE_GAWK"; then
3415 ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test.
3416else
3417as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
3418for as_dir in $PATH
3419do
3420 IFS=$as_save_IFS
3421 test -z "$as_dir" && as_dir=.
3422 for ac_exec_ext in '' $ac_executable_extensions; do
3423 if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
3424 ac_cv_prog_HAVE_GAWK="yes"
3425 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
3426 break 2
3427 fi
3428done
3429 done
3430IFS=$as_save_IFS
3431
3432 test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no"
3433fi
3434fi
3435HAVE_GAWK=$ac_cv_prog_HAVE_GAWK
3436if test -n "$HAVE_GAWK"; then
3437 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5
3438$as_echo "$HAVE_GAWK" >&6; }
3439else
3440 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
3441$as_echo "no" >&6; }
3442fi
3443
3444
3445 if test "x$HAVE_GAWK" != "xyes"; then :
3446 as_fn_error $? "*** gawk not found ***" "$LINENO" 5
3447fi
3448
3449fi
3450
3451HAVE_FIRETUNNEL=""
3452
3453# Check whether --enable-firetunnel was given.
3454if test "${enable_firetunnel+set}" = set; then :
3455 enableval=$enable_firetunnel;
3456fi
3457
3458if test "x$enable_firetunnel" = "xyes"; then :
3459
3460 HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
3461
3462fi
3463
3464HAVE_PRIVATE_HOME=""
3465
3466# Check whether --enable-private-home was given.
3467if test "${enable_private_home+set}" = set; then :
3468 enableval=$enable_private_home;
3469fi
3470
3471if test "x$enable_private_home" != "xno"; then :
3472
3473 HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
3474
3475fi
3476
3477HAVE_CHROOT=""
3478
3479# Check whether --enable-chroot was given.
3480if test "${enable_chroot+set}" = set; then :
3481 enableval=$enable_chroot;
3482fi
3483
3484if test "x$enable_chroot" != "xno"; then :
3485
3486 HAVE_CHROOT="-DHAVE_CHROOT"
3487
3488fi
3489
3490HAVE_GLOBALCFG=""
3491
3492# Check whether --enable-globalcfg was given.
3493if test "${enable_globalcfg+set}" = set; then :
3494 enableval=$enable_globalcfg;
3495fi
3496
3497if test "x$enable_globalcfg" != "xno"; then :
3498
3499 HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
3500
3501fi
3502
3503HAVE_NETWORK=""
3504
3505# Check whether --enable-network was given.
3506if test "${enable_network+set}" = set; then :
3507 enableval=$enable_network;
3508fi
3509
3510if test "x$enable_network" != "xno"; then :
3511
3512 HAVE_NETWORK="-DHAVE_NETWORK"
3513
3514fi
3515
3516HAVE_USERNS=""
3517
3518# Check whether --enable-userns was given.
3519if test "${enable_userns+set}" = set; then :
3520 enableval=$enable_userns;
3521fi
3522
3523if test "x$enable_userns" != "xno"; then :
3524
3525 HAVE_USERNS="-DHAVE_USERNS"
3526
3527fi
3528
3529HAVE_X11=""
3530
3531# Check whether --enable-x11 was given.
3532if test "${enable_x11+set}" = set; then :
3533 enableval=$enable_x11;
3534fi
3535
3536if test "x$enable_x11" != "xno"; then :
3537
3538 HAVE_X11="-DHAVE_X11"
3539
3540fi
3541
3542HAVE_FILE_TRANSFER=""
3543
3544# Check whether --enable-file-transfer was given.
3545if test "${enable_file_transfer+set}" = set; then :
3546 enableval=$enable_file_transfer;
3547fi
3548
3549if test "x$enable_file_transfer" != "xno"; then :
3550
3551 HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
3552
3553fi
3554
3555HAVE_SUID=""
3556
3557# Check whether --enable-suid was given.
3558if test "${enable_suid+set}" = set; then :
3559 enableval=$enable_suid;
3560fi
3561
3562if test "x$enable_suid" != "xno"; then :
3563
3564 HAVE_SUID="-DHAVE_SUID"
3565
3566fi
3567
3568HAVE_FATAL_WARNINGS=""
3569
3570# Check whether --enable-fatal_warnings was given.
3571if test "${enable_fatal_warnings+set}" = set; then :
3572 enableval=$enable_fatal_warnings;
3573fi
3574
3575if test "x$enable_fatal_warnings" = "xyes"; then :
3576
3577 HAVE_FATAL_WARNINGS="-W -Wall -Werror"
3578
3579fi
3580
3581BUSYBOX_WORKAROUND="no"
3582
3583# Check whether --enable-busybox-workaround was given.
3584if test "${enable_busybox_workaround+set}" = set; then :
3585 enableval=$enable_busybox_workaround;
3586fi
3587
3588if test "x$enable_busybox_workaround" = "xyes"; then :
3589
3590 BUSYBOX_WORKAROUND="yes"
3591
3592fi
3593
3594
3595HAVE_GCOV=""
3596
3597# Check whether --enable-gcov was given.
3598if test "${enable_gcov+set}" = set; then :
3599 enableval=$enable_gcov;
3600fi
3601
3602if test "x$enable_gcov" = "xyes"; then :
3603
3604 HAVE_GCOV="--coverage -DHAVE_GCOV"
3605 EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage"
3606
3607fi
3608
3609HAVE_CONTRIB_INSTALL="yes"
3610
3611# Check whether --enable-contrib-install was given.
3612if test "${enable_contrib_install+set}" = set; then :
3613 enableval=$enable_contrib_install;
3614fi
3615
3616if test "x$enable_contrib_install" = "xno"; then :
3617
3618 HAVE_CONTRIB_INSTALL="no"
3619
3620fi
3621
3622HAVE_FORCE_NONEWPRIVS=""
3623
3624# Check whether --enable-force-nonewprivs was given.
3625if test "${enable_force_nonewprivs+set}" = set; then :
3626 enableval=$enable_force_nonewprivs;
3627fi
3628
3629if test "x$enable_force_nonewprivs" = "xyes"; then :
3630
3631 HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
3632
3633fi
3634
3635HAVE_ONLY_SYSCFG_PROFILES=""
3636
3637# Check whether --enable-only-syscfg-profiles was given.
3638if test "${enable_only_syscfg_profiles+set}" = set; then :
3639 enableval=$enable_only_syscfg_profiles;
3640fi
3641
3642if test "x$enable_only_syscfg_profiles" = "xyes"; then :
3643
3644 HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
3645
3646fi
3647
3648HAVE_LTS=""
3649
3650# Check whether --enable-lts was given.
3651if test "${enable_lts+set}" = set; then :
3652 enableval=$enable_lts;
3653fi
3654
3655if test "x$enable_lts" = "xyes"; then :
3656
3657 HAVE_LTS="-DHAVE_LTS"
3658 HAVE_IDS=""
3659 HAVE_DBUSPROXY=""
3660 HAVE_OVERLAYFS=""
3661 HAVE_OUTPUT=""
3662 HAVE_USERTMPFS=""
3663 HAVE_MAN="-DHAVE_MAN"
3664 HAVE_FIRETUNNEL=""
3665 HAVE_PRIVATE_HOME=""
3666 HAVE_CHROOT=""
3667 HAVE_GLOBALCFG=""
3668 HAVE_USERNS=""
3669 HAVE_X11=""
3670 HAVE_FILE_TRANSFER=""
3671 HAVE_SUID="-DHAVE_SUID"
3672 BUSYBOX_WORKAROUND="no"
3673 HAVE_CONTRIB_INSTALL="no",
3674
3353fi 3675fi
3354 3676
3355ac_ext=c 3677ac_ext=c
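Review bot: This hunk and the following one are the same block (HAVE_DBUSPROXY through the `--enable-lts` section) shown as added here and removed below; it is diff alignment noise from regenerating `configure` after the landlock check that sat between the two copies was dropped, and nothing inside the block changes. Unrelated to this commit but visible here: the regenerated output still carries `HAVE_CONTRIB_INSTALL="no",` with a trailing comma inside the lts block, which points to a stray character in configure.ac worth fixing in a follow-up.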
@@ -3749,352 +4071,6 @@ fi
3749done 4071done
3750 4072
3751 4073
3752if test "x$enable_landlock" = "xyes"; then :
3753
3754 ac_fn_c_check_header_mongrel "$LINENO" "linux/landlock.h" "ac_cv_header_linux_landlock_h" "$ac_includes_default"
3755if test "x$ac_cv_header_linux_landlock_h" = xyes; then :
3756
3757else
3758 as_fn_error $? "*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***" "$LINENO" 5
3759fi
3760
3761
3762 HAVE_LANDLOCK="-DHAVE_LANDLOCK"
3763 EXTRA_LDFLAGS="$EXTRA_LDFLAGS"
3764
3765fi
3766
3767
3768
3769
3770HAVE_DBUSPROXY=""
3771
3772# Check whether --enable-dbusproxy was given.
3773if test "${enable_dbusproxy+set}" = set; then :
3774 enableval=$enable_dbusproxy;
3775fi
3776
3777if test "x$enable_dbusproxy" != "xno"; then :
3778
3779 HAVE_DBUSPROXY="-DHAVE_DBUSPROXY"
3780
3781fi
3782
3783# overlayfs features temporarily disabled pending fixes
3784HAVE_OVERLAYFS=""
3785
3786#AC_ARG_ENABLE([overlayfs],
3787# [AS_HELP_STRING([--disable-overlayfs], [disable overlayfs])])
3788#AS_IF([test "x$enable_overlayfs" != "xno"], [
3789# HAVE_OVERLAYFS="-DHAVE_OVERLAYFS"
3790#])
3791
3792HAVE_OUTPUT=""
3793
3794# Check whether --enable-output was given.
3795if test "${enable_output+set}" = set; then :
3796 enableval=$enable_output;
3797fi
3798
3799if test "x$enable_output" != "xno"; then :
3800
3801 HAVE_OUTPUT="-DHAVE_OUTPUT"
3802
3803fi
3804
3805HAVE_USERTMPFS=""
3806
3807# Check whether --enable-usertmpfs was given.
3808if test "${enable_usertmpfs+set}" = set; then :
3809 enableval=$enable_usertmpfs;
3810fi
3811
3812if test "x$enable_usertmpfs" != "xno"; then :
3813
3814 HAVE_USERTMPFS="-DHAVE_USERTMPFS"
3815
3816fi
3817
3818HAVE_MAN="no"
3819
3820# Check whether --enable-man was given.
3821if test "${enable_man+set}" = set; then :
3822 enableval=$enable_man;
3823fi
3824
3825if test "x$enable_man" != "xno"; then :
3826
3827 HAVE_MAN="-DHAVE_MAN"
3828 # Extract the first word of "gawk", so it can be a program name with args.
3829set dummy gawk; ac_word=$2
3830{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
3831$as_echo_n "checking for $ac_word... " >&6; }
3832if ${ac_cv_prog_HAVE_GAWK+:} false; then :
3833 $as_echo_n "(cached) " >&6
3834else
3835 if test -n "$HAVE_GAWK"; then
3836 ac_cv_prog_HAVE_GAWK="$HAVE_GAWK" # Let the user override the test.
3837else
3838as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
3839for as_dir in $PATH
3840do
3841 IFS=$as_save_IFS
3842 test -z "$as_dir" && as_dir=.
3843 for ac_exec_ext in '' $ac_executable_extensions; do
3844 if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
3845 ac_cv_prog_HAVE_GAWK="yes"
3846 $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
3847 break 2
3848 fi
3849done
3850 done
3851IFS=$as_save_IFS
3852
3853 test -z "$ac_cv_prog_HAVE_GAWK" && ac_cv_prog_HAVE_GAWK="no"
3854fi
3855fi
3856HAVE_GAWK=$ac_cv_prog_HAVE_GAWK
3857if test -n "$HAVE_GAWK"; then
3858 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_GAWK" >&5
3859$as_echo "$HAVE_GAWK" >&6; }
3860else
3861 { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
3862$as_echo "no" >&6; }
3863fi
3864
3865
3866 if test "x$HAVE_GAWK" != "xyes"; then :
3867 as_fn_error $? "*** gawk not found ***" "$LINENO" 5
3868fi
3869
3870fi
3871
3872HAVE_FIRETUNNEL=""
3873
3874# Check whether --enable-firetunnel was given.
3875if test "${enable_firetunnel+set}" = set; then :
3876 enableval=$enable_firetunnel;
3877fi
3878
3879if test "x$enable_firetunnel" = "xyes"; then :
3880
3881 HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
3882
3883fi
3884
3885HAVE_PRIVATE_HOME=""
3886
3887# Check whether --enable-private-home was given.
3888if test "${enable_private_home+set}" = set; then :
3889 enableval=$enable_private_home;
3890fi
3891
3892if test "x$enable_private_home" != "xno"; then :
3893
3894 HAVE_PRIVATE_HOME="-DHAVE_PRIVATE_HOME"
3895
3896fi
3897
3898HAVE_CHROOT=""
3899
3900# Check whether --enable-chroot was given.
3901if test "${enable_chroot+set}" = set; then :
3902 enableval=$enable_chroot;
3903fi
3904
3905if test "x$enable_chroot" != "xno"; then :
3906
3907 HAVE_CHROOT="-DHAVE_CHROOT"
3908
3909fi
3910
3911HAVE_GLOBALCFG=""
3912
3913# Check whether --enable-globalcfg was given.
3914if test "${enable_globalcfg+set}" = set; then :
3915 enableval=$enable_globalcfg;
3916fi
3917
3918if test "x$enable_globalcfg" != "xno"; then :
3919
3920 HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
3921
3922fi
3923
3924HAVE_NETWORK=""
3925
3926# Check whether --enable-network was given.
3927if test "${enable_network+set}" = set; then :
3928 enableval=$enable_network;
3929fi
3930
3931if test "x$enable_network" != "xno"; then :
3932
3933 HAVE_NETWORK="-DHAVE_NETWORK"
3934
3935fi
3936
3937HAVE_USERNS=""
3938
3939# Check whether --enable-userns was given.
3940if test "${enable_userns+set}" = set; then :
3941 enableval=$enable_userns;
3942fi
3943
3944if test "x$enable_userns" != "xno"; then :
3945
3946 HAVE_USERNS="-DHAVE_USERNS"
3947
3948fi
3949
3950HAVE_X11=""
3951
3952# Check whether --enable-x11 was given.
3953if test "${enable_x11+set}" = set; then :
3954 enableval=$enable_x11;
3955fi
3956
3957if test "x$enable_x11" != "xno"; then :
3958
3959 HAVE_X11="-DHAVE_X11"
3960
3961fi
3962
3963HAVE_FILE_TRANSFER=""
3964
3965# Check whether --enable-file-transfer was given.
3966if test "${enable_file_transfer+set}" = set; then :
3967 enableval=$enable_file_transfer;
3968fi
3969
3970if test "x$enable_file_transfer" != "xno"; then :
3971
3972 HAVE_FILE_TRANSFER="-DHAVE_FILE_TRANSFER"
3973
3974fi
3975
3976HAVE_SUID=""
3977
3978# Check whether --enable-suid was given.
3979if test "${enable_suid+set}" = set; then :
3980 enableval=$enable_suid;
3981fi
3982
3983if test "x$enable_suid" != "xno"; then :
3984
3985 HAVE_SUID="-DHAVE_SUID"
3986
3987fi
3988
3989HAVE_FATAL_WARNINGS=""
3990
3991# Check whether --enable-fatal_warnings was given.
3992if test "${enable_fatal_warnings+set}" = set; then :
3993 enableval=$enable_fatal_warnings;
3994fi
3995
3996if test "x$enable_fatal_warnings" = "xyes"; then :
3997
3998 HAVE_FATAL_WARNINGS="-W -Wall -Werror"
3999
4000fi
4001
4002BUSYBOX_WORKAROUND="no"
4003
4004# Check whether --enable-busybox-workaround was given.
4005if test "${enable_busybox_workaround+set}" = set; then :
4006 enableval=$enable_busybox_workaround;
4007fi
4008
4009if test "x$enable_busybox_workaround" = "xyes"; then :
4010
4011 BUSYBOX_WORKAROUND="yes"
4012
4013fi
4014
4015
4016HAVE_GCOV=""
4017
4018# Check whether --enable-gcov was given.
4019if test "${enable_gcov+set}" = set; then :
4020 enableval=$enable_gcov;
4021fi
4022
4023if test "x$enable_gcov" = "xyes"; then :
4024
4025 HAVE_GCOV="--coverage -DHAVE_GCOV"
4026 EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage"
4027
4028fi
4029
4030HAVE_CONTRIB_INSTALL="yes"
4031
4032# Check whether --enable-contrib-install was given.
4033if test "${enable_contrib_install+set}" = set; then :
4034 enableval=$enable_contrib_install;
4035fi
4036
4037if test "x$enable_contrib_install" = "xno"; then :
4038
4039 HAVE_CONTRIB_INSTALL="no"
4040
4041fi
4042
4043HAVE_FORCE_NONEWPRIVS=""
4044
4045# Check whether --enable-force-nonewprivs was given.
4046if test "${enable_force_nonewprivs+set}" = set; then :
4047 enableval=$enable_force_nonewprivs;
4048fi
4049
4050if test "x$enable_force_nonewprivs" = "xyes"; then :
4051
4052 HAVE_FORCE_NONEWPRIVS="-DHAVE_FORCE_NONEWPRIVS"
4053
4054fi
4055
4056HAVE_ONLY_SYSCFG_PROFILES=""
4057
4058# Check whether --enable-only-syscfg-profiles was given.
4059if test "${enable_only_syscfg_profiles+set}" = set; then :
4060 enableval=$enable_only_syscfg_profiles;
4061fi
4062
4063if test "x$enable_only_syscfg_profiles" = "xyes"; then :
4064
4065 HAVE_ONLY_SYSCFG_PROFILES="-DHAVE_ONLY_SYSCFG_PROFILES"
4066
4067fi
4068
4069HAVE_LTS=""
4070
4071# Check whether --enable-lts was given.
4072if test "${enable_lts+set}" = set; then :
4073 enableval=$enable_lts;
4074fi
4075
4076if test "x$enable_lts" = "xyes"; then :
4077
4078 HAVE_LTS="-DHAVE_LTS"
4079 HAVE_IDS=""
4080 HAVE_DBUSPROXY=""
4081 HAVE_OVERLAYFS=""
4082 HAVE_OUTPUT=""
4083 HAVE_USERTMPFS=""
4084 HAVE_MAN="-DHAVE_MAN"
4085 HAVE_FIRETUNNEL=""
4086 HAVE_PRIVATE_HOME=""
4087 HAVE_CHROOT=""
4088 HAVE_GLOBALCFG=""
4089 HAVE_USERNS=""
4090 HAVE_X11=""
4091 HAVE_FILE_TRANSFER=""
4092 HAVE_SUID="-DHAVE_SUID"
4093 BUSYBOX_WORKAROUND="no"
4094 HAVE_CONTRIB_INSTALL="no",
4095
4096fi
4097
4098ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default" 4074ac_fn_c_check_header_mongrel "$LINENO" "linux/seccomp.h" "ac_cv_header_linux_seccomp_h" "$ac_includes_default"
4099if test "x$ac_cv_header_linux_seccomp_h" = xyes; then : 4075if test "x$ac_cv_header_linux_seccomp_h" = xyes; then :
4100 4076
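Review bot: The removed detection only tested that `linux/landlock.h` exists at build time, and the message hard-codes the `/usr/include/linux/landlock.h` path even though the header may live elsewhere. If the feature returns in 0.9.74 as the removed README.md text indicated, the configure check should use the header name rather than an absolute path in the error text, and the removed no-op `EXTRA_LDFLAGS="$EXTRA_LDFLAGS"` should not be reintroduced.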
diff --git a/configure.ac b/configure.ac
index 58a399597..8a488ff43 100644
--- a/configure.ac
+++ b/configure.ac
@@ -81,19 +81,10 @@ AS_IF([test "x$enable_selinux" = "xyes"], [
81 EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux" 81 EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux"
82]) 82])
83 83
84HAVE_LANDLOCK=""
85AC_SUBST([HAVE_LANDLOCK])
86AC_ARG_ENABLE([landlock],
87 [AS_HELP_STRING([--enable-landlock], [Landlock self-restriction support])])
88AS_IF([test "x$enable_landlock" = "xyes"], [
89 AC_CHECK_HEADER([linux/landlock.h], [], AC_MSG_ERROR([*** LANDLOCK support is not installed (/usr/include/linux/landlock.h missing) ***]))
90 HAVE_LANDLOCK="-DHAVE_LANDLOCK"
91 EXTRA_LDFLAGS="$EXTRA_LDFLAGS"
92])
93
94AC_SUBST([EXTRA_CFLAGS]) 84AC_SUBST([EXTRA_CFLAGS])
95AC_SUBST([EXTRA_LDFLAGS]) 85AC_SUBST([EXTRA_LDFLAGS])
96 86
87
97HAVE_DBUSPROXY="" 88HAVE_DBUSPROXY=""
98AC_SUBST([HAVE_DBUSPROXY]) 89AC_SUBST([HAVE_DBUSPROXY])
99AC_ARG_ENABLE([dbusproxy], 90AC_ARG_ENABLE([dbusproxy],
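Review bot: The removal also drops the no-op `EXTRA_LDFLAGS="$EXTRA_LDFLAGS"` assignment, which is fine, but the hunk leaves a doubled blank line (new lines 86-87) before `HAVE_DBUSPROXY=""`. Drop one so the spacing matches the single blank line used between the other feature blocks in this file.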
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index 7c1c33421..0c8ebdbd8 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -52,7 +52,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
52 52
53" Commands grabbed from: src/firejail/profile.c 53" Commands grabbed from: src/firejail/profile.c
54" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) 54" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|restrict-namespaces|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
55syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|landlock|landlock.proc|landlock.read|landlock.write|landlock.special|landlock.execute|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained 55syn match fjCommand /\v(apparmor|bind|blacklist|blacklist-nolog|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
56" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below 56" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
57syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained 57syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-fd|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
58syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained 58syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
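Review bot: The comment above the list says it is generated from src/firejail/profile.c with the quoted `rg ... | sort -u | tr` pipeline; since profile.c is also changed in this commit, please regenerate the line with that command rather than hand-editing, and confirm the output matches what is committed here. Hand edits have already left `landlock.proc` and friends with an unescaped dot in the old line, whereas the second list correctly escapes `seccomp\.32`.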
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index 4829f1fde..8e047ce90 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -42,22 +42,6 @@ _firejail()
42 _filedir -d 42 _filedir -d
43 return 0 43 return 0
44 ;; 44 ;;
45 --landlock.read)
46 _filedir
47 return 0
48 ;;
49 --landlock.write)
50 _filedir
51 return 0
52 ;;
53 --landlock.special)
54 _filedir
55 return 0
56 ;;
57 --landlock.execute)
58 _filedir
59 return 0
60 ;;
61 --tmpfs) 45 --tmpfs)
62 _filedir 46 _filedir
63 return 0 47 return 0
diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c
index fd2f3621e..62b8c4dc4 100644
--- a/src/firejail/checkcfg.c
+++ b/src/firejail/checkcfg.c
@@ -378,14 +378,6 @@ void print_compiletime_support(void) {
378#endif 378#endif
379 ); 379 );
380 380
381 printf("\t- Landlock support is %s\n",
382#ifdef HAVE_LANDLOCK
383 "enabled"
384#else
385 "disabled"
386#endif
387 );
388
389 printf("\t- networking support is %s\n", 381 printf("\t- networking support is %s\n",
390#ifdef HAVE_NETWORK 382#ifdef HAVE_NETWORK
391 "enabled" 383 "enabled"
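Review bot: with this line gone from print_compiletime_support there is no longer any reference to HAVE_LANDLOCK in the C sources touched by this patch, so make sure the configure-side definition of HAVE_LANDLOCK (and the matching configure option) is dropped in the same commit, otherwise the feature-report output silently goes out of sync with the build flags.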
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index a3b38b5e0..94f970eb8 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -22,9 +22,6 @@
22#include "../include/common.h" 22#include "../include/common.h"
23#include "../include/euid_common.h" 23#include "../include/euid_common.h"
24#include "../include/rundefs.h" 24#include "../include/rundefs.h"
25#ifdef HAVE_LANDLOCK
26#include <linux/landlock.h>
27#endif
28#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583) 25#include <linux/limits.h> // Note: Plain limits.h may break ARG_MAX (see #4583)
29#include <stdarg.h> 26#include <stdarg.h>
30#include <sys/stat.h> 27#include <sys/stat.h>
@@ -33,6 +30,7 @@
33//#define DEBUG_RESTRICTED_SHELL 30//#define DEBUG_RESTRICTED_SHELL
34 31
35 32
33
36// profiles 34// profiles
37#define DEFAULT_USER_PROFILE "default" 35#define DEFAULT_USER_PROFILE "default"
38#define DEFAULT_ROOT_PROFILE "server" 36#define DEFAULT_ROOT_PROFILE "server"
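Review bot: the added line 33 is a whitespace-only change (a third consecutive blank line after DEBUG_RESTRICTED_SHELL) that is unrelated to the Landlock removal; drop it so the revert stays limited to the feature being removed.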
@@ -288,11 +286,6 @@ extern int arg_seccomp32; // enable default seccomp filter for 32 bit arch
288extern int arg_seccomp_postexec; // need postexec ld.preload library? 286extern int arg_seccomp_postexec; // need postexec ld.preload library?
289extern int arg_seccomp_block_secondary; // block any secondary architectures 287extern int arg_seccomp_block_secondary; // block any secondary architectures
290 288
291#ifdef HAVE_LANDLOCK
292extern int arg_landlock; // Landlock ruleset file descriptor
293extern int arg_landlock_proc; // Landlock rule for accessing /proc (0 for no access, 1 for read-only and 2 for read-write)
294#endif
295
296extern int arg_caps_default_filter; // enable default capabilities filter 289extern int arg_caps_default_filter; // enable default capabilities filter
297extern int arg_caps_drop; // drop list 290extern int arg_caps_drop; // drop list
298extern int arg_caps_drop_all; // drop all capabilities 291extern int arg_caps_drop_all; // drop all capabilities
@@ -945,16 +938,4 @@ void run_ids(int argc, char **argv);
945// oom.c 938// oom.c
946void oom_set(const char *oom_string); 939void oom_set(const char *oom_string);
947 940
948// landlock.c
949#ifdef HAVE_LANDLOCK
950int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags);
951int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags);
952int landlock_restrict_self(int fd,__u32 flags);
953int create_full_ruleset();
954int add_read_access_rule_by_path(int rset_fd,char *allowed_path);
955int add_write_access_rule_by_path(int rset_fd,char *allowed_path);
956int add_create_special_rule_by_path(int rset_fd,char *allowed_path);
957int add_execute_rule_by_path(int rset_fd,char *allowed_path);
958#endif
959
960#endif 941#endif
diff --git a/src/firejail/landlock.c b/src/firejail/landlock.c
deleted file mode 100644
index e79d03280..000000000
--- a/src/firejail/landlock.c
+++ /dev/null
@@ -1,101 +0,0 @@
1/*
2 * Copyright (C) 2014-2022 Firejail Authors
3 *
4 * This file is part of firejail project
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19*/
20
21#ifdef HAVE_LANDLOCK
22#define _GNU_SOURCE
23#include <stdio.h>
24#include <stddef.h>
25#include <stdlib.h>
26#include <unistd.h>
27#include <fcntl.h>
28#include <sys/syscall.h>
29#include <sys/types.h>
30#include <sys/prctl.h>
31#include <linux/prctl.h>
32#include <linux/landlock.h>
33
34int landlock_create_ruleset(struct landlock_ruleset_attr *rsattr,size_t size,__u32 flags) {
35 return syscall(__NR_landlock_create_ruleset,rsattr,size,flags);
36}
37
38int landlock_add_rule(int fd,enum landlock_rule_type t,void *attr,__u32 flags) {
39 return syscall(__NR_landlock_add_rule,fd,t,attr,flags);
40}
41
42int landlock_restrict_self(int fd,__u32 flags) {
43 prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
44 int result = syscall(__NR_landlock_restrict_self,fd,flags);
45 if (result!=0) return result;
46 else {
47 close(fd);
48 return 0;
49 }
50}
51
52int create_full_ruleset() {
53 struct landlock_ruleset_attr attr;
54 attr.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_EXECUTE;
55 return landlock_create_ruleset(&attr,sizeof(attr),0);
56}
57
58int add_read_access_rule_by_path(int rset_fd,char *allowed_path) {
59 int result;
60 int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
61 struct landlock_path_beneath_attr target;
62 target.parent_fd = allowed_fd;
63 target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
64 result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
65 close(allowed_fd);
66 return result;
67}
68
69int add_write_access_rule_by_path(int rset_fd,char *allowed_path) {
70 int result;
71 int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
72 struct landlock_path_beneath_attr target;
73 target.parent_fd = allowed_fd;
74 target.allowed_access = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
75 result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
76 close(allowed_fd);
77 return result;
78}
79
80int add_create_special_rule_by_path(int rset_fd,char *allowed_path) {
81 int result;
82 int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
83 struct landlock_path_beneath_attr target;
84 target.parent_fd = allowed_fd;
85 target.allowed_access = LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK;
86 result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
87 close(allowed_fd);
88 return result;
89}
90
91int add_execute_rule_by_path(int rset_fd,char *allowed_path) {
92 int result;
93 int allowed_fd = open(allowed_path,O_PATH | O_CLOEXEC);
94 struct landlock_path_beneath_attr target;
95 target.parent_fd = allowed_fd;
96 target.allowed_access = LANDLOCK_ACCESS_FS_EXECUTE;
97 result = landlock_add_rule(rset_fd,LANDLOCK_RULE_PATH_BENEATH,&target,0);
98 close(allowed_fd);
99 return result;
100}
101#endif
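Review bot: the wrappers deleted here never checked the open(allowed_path, O_PATH | O_CLOEXEC) result, so a failed open (-1) was passed straight to landlock_add_rule as parent_fd, and landlock_restrict_self ignored the prctl(PR_SET_NO_NEW_PRIVS) return value and left the ruleset fd open when the restrict call failed. Moot for this commit since the file is removed, but worth noting if Landlock support is reintroduced later: check the open() and prctl() returns before using them.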
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 1daf0da35..c7da3c95c 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -81,11 +81,6 @@ int arg_seccomp_postexec = 0; // need postexec ld.preload library?
81int arg_seccomp_block_secondary = 0; // block any secondary architectures 81int arg_seccomp_block_secondary = 0; // block any secondary architectures
82int arg_seccomp_error_action = 0; 82int arg_seccomp_error_action = 0;
83 83
84#ifdef HAVE_LANDLOCK
85int arg_landlock = -1; // Landlock ruleset file descriptor (-1 if it doesn't exist)
86int arg_landlock_proc = 0; // Landlock rule for accessing /proc (0 for no access, 1 for read-only and 2 for read-write)
87#endif
88
89int arg_caps_default_filter = 0; // enable default capabilities filter 84int arg_caps_default_filter = 0; // enable default capabilities filter
90int arg_caps_drop = 0; // drop list 85int arg_caps_drop = 0; // drop list
91int arg_caps_drop_all = 0; // drop all capabilities 86int arg_caps_drop_all = 0; // drop all capabilities
@@ -1407,82 +1402,6 @@ int main(int argc, char **argv, char **envp) {
1407 else 1402 else
1408 exit_err_feature("seccomp"); 1403 exit_err_feature("seccomp");
1409 } 1404 }
1410#ifdef HAVE_LANDLOCK
1411 else if (strcmp(argv[i], "--landlock") == 0) {
1412 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1413 const char *home_dir = env_get("HOME");
1414 int home_fd = open(home_dir,O_PATH | O_CLOEXEC);
1415 struct landlock_path_beneath_attr target;
1416 target.parent_fd = home_fd;
1417 target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
1418 if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) {
1419 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1420 }
1421 close(home_fd);
1422 if (add_read_access_rule_by_path(arg_landlock, "/bin/")) {
1423 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1424 }
1425 if (add_execute_rule_by_path(arg_landlock, "/bin/")) {
1426 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1427 }
1428 if (add_read_access_rule_by_path(arg_landlock, "/dev/")) {
1429 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1430 }
1431 if (add_read_access_rule_by_path(arg_landlock, "/etc/")) {
1432 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1433 }
1434 if (add_read_access_rule_by_path(arg_landlock, "/lib/")) {
1435 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1436 }
1437 if (add_execute_rule_by_path(arg_landlock, "/lib/")) {
1438 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1439 }
1440 if (add_read_access_rule_by_path(arg_landlock, "/opt/")) {
1441 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1442 }
1443 if (add_execute_rule_by_path(arg_landlock, "/opt/")) {
1444 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1445 }
1446 if (add_read_access_rule_by_path(arg_landlock, "/usr/")) {
1447 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1448 }
1449 if (add_execute_rule_by_path(arg_landlock, "/usr/")) {
1450 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1451 }
1452 if (add_read_access_rule_by_path(arg_landlock, "/var/")) {
1453 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1454 }
1455 }
1456 else if (strncmp(argv[i], "--landlock.proc=", 16) == 0) {
1457 if (strncmp(argv[i]+16, "no", 2) == 0) arg_landlock_proc = 0;
1458 else if (strncmp(argv[i]+16, "ro", 2) == 0) arg_landlock_proc = 1;
1459 else if (strncmp(argv[i]+16, "rw", 2) == 0) arg_landlock_proc = 2;
1460 }
1461 else if (strncmp(argv[i], "--landlock.read=", 16) == 0) {
1462 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1463 if (add_read_access_rule_by_path(arg_landlock, argv[i]+16)) {
1464 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1465 }
1466 }
1467 else if (strncmp(argv[i], "--landlock.write=", 17) == 0) {
1468 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1469 if (add_write_access_rule_by_path(arg_landlock, argv[i]+17)) {
1470 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1471 }
1472 }
1473 else if (strncmp(argv[i], "--landlock.special=", 17) == 0) {
1474 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1475 if (add_create_special_rule_by_path(arg_landlock, argv[i]+17)) {
1476 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1477 }
1478 }
1479 else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) {
1480 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1481 if (add_execute_rule_by_path(arg_landlock, argv[i]+19)) {
1482 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1483 }
1484 }
1485#endif
1486 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { 1405 else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) {
1487 if (checkcfg(CFG_SECCOMP)) 1406 if (checkcfg(CFG_SECCOMP))
1488 arg_memory_deny_write_execute = 1; 1407 arg_memory_deny_write_execute = 1;
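Review bot: the removed parser for `--landlock.special=` compared only 17 characters of a 19-character option prefix and then took the path from argv[i]+17, so the path passed to add_create_special_rule_by_path started two characters early; the other landlock options use correct lengths. Removing the block makes this moot, but it is worth recording as a defect in the feature being dropped rather than just dead code.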
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 9f677c11d..641bb09b1 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1047,90 +1047,6 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
1047 return 0; 1047 return 0;
1048 } 1048 }
1049 1049
1050#ifdef HAVE_LANDLOCK
1051 // Landlock ruleset paths
1052 if (strcmp(ptr, "landlock") == 0) {
1053 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1054 const char *home_dir = env_get("HOME");
1055 int home_fd = open(home_dir,O_PATH | O_CLOEXEC);
1056 struct landlock_path_beneath_attr target;
1057 target.parent_fd = home_fd;
1058 target.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SYM;
1059 if (landlock_add_rule(arg_landlock,LANDLOCK_RULE_PATH_BENEATH,&target,0)) {
1060 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1061 }
1062 close(home_fd);
1063 if (add_read_access_rule_by_path(arg_landlock, "/bin/")) {
1064 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1065 }
1066 if (add_execute_rule_by_path(arg_landlock, "/bin/")) {
1067 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1068 }
1069 if (add_read_access_rule_by_path(arg_landlock, "/dev/")) {
1070 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1071 }
1072 if (add_read_access_rule_by_path(arg_landlock, "/etc/")) {
1073 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1074 }
1075 if (add_read_access_rule_by_path(arg_landlock, "/lib/")) {
1076 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1077 }
1078 if (add_execute_rule_by_path(arg_landlock, "/lib/")) {
1079 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1080 }
1081 if (add_read_access_rule_by_path(arg_landlock, "/opt/")) {
1082 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1083 }
1084 if (add_execute_rule_by_path(arg_landlock, "/opt/")) {
1085 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1086 }
1087 if (add_read_access_rule_by_path(arg_landlock, "/usr/")) {
1088 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1089 }
1090 if (add_execute_rule_by_path(arg_landlock, "/usr/")) {
1091 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1092 }
1093 if (add_read_access_rule_by_path(arg_landlock, "/var/")) {
1094 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1095 }
1096 return 0;
1097 }
1098 if (strncmp(ptr, "landlock.proc ", 14) == 0) {
1099 if (strncmp(ptr+14, "no", 2) == 0) arg_landlock_proc = 0;
1100 else if (strncmp(ptr+14, "ro", 2) == 0) arg_landlock_proc = 1;
1101 else if (strncmp(ptr+14, "rw", 2) == 0) arg_landlock_proc = 2;
1102 return 0;
1103 }
1104 if (strncmp(ptr, "landlock.read ", 14) == 0) {
1105 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1106 if (add_read_access_rule_by_path(arg_landlock, ptr+14)) {
1107 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1108 }
1109 return 0;
1110 }
1111 if (strncmp(ptr, "landlock.write ", 15) == 0) {
1112 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1113 if (add_write_access_rule_by_path(arg_landlock, ptr+15)) {
1114 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1115 }
1116 return 0;
1117 }
1118 if (strncmp(ptr, "landlock.special ", 26) == 0) {
1119 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1120 if (add_create_special_rule_by_path(arg_landlock, ptr+26)) {
1121 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1122 }
1123 return 0;
1124 }
1125 if (strncmp(ptr, "landlock.execute ", 17) == 0) {
1126 if (arg_landlock == -1) arg_landlock = create_full_ruleset();
1127 if (add_execute_rule_by_path(arg_landlock, ptr+17)) {
1128 fprintf(stderr,"An error has occured while adding a rule to the Landlock ruleset.\n");
1129 }
1130 return 0;
1131 }
1132#endif
1133
1134 // memory deny write&execute 1050 // memory deny write&execute
1135 if (strcmp(ptr, "memory-deny-write-execute") == 0) { 1051 if (strcmp(ptr, "memory-deny-write-execute") == 0) {
1136 if (checkcfg(CFG_SECCOMP)) 1052 if (checkcfg(CFG_SECCOMP))
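Review bot: the removed `landlock.special ` handler used strncmp with length 26 against a 17-character prefix and then read the path from ptr+26; since strncmp stops at the NUL of the shorter literal, that directive could only match a line with no path at all and then indexed past the end of ptr. Moot once removed, but anyone restoring this code should use length 17 to match the `landlock.execute ` handler below it.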
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 5fcccbd92..9299268a3 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -488,7 +488,6 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
488#ifdef HAVE_APPARMOR 488#ifdef HAVE_APPARMOR
489 set_apparmor(); 489 set_apparmor();
490#endif 490#endif
491
492 close_file_descriptors(); 491 close_file_descriptors();
493 492
494 // set nice and rlimits 493 // set nice and rlimits
@@ -510,16 +509,6 @@ void start_application(int no_sandbox, int fd, char *set_sandbox_status) {
510 printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD")); 509 printf("LD_PRELOAD=%s\n", getenv("LD_PRELOAD"));
511 } 510 }
512 511
513#ifdef HAVE_LANDLOCK
514 // set Landlock
515 if (arg_landlock >= 0) {
516 if (landlock_restrict_self(arg_landlock,0)) {
517 fprintf(stderr,"An error has occured while enabling Landlock self-restriction. Exiting...\n");
518 exit(1); // it isn't safe to continue if Landlock self-restriction was enabled and the "landlock_restrict_self" syscall has failed
519 }
520 }
521#endif
522
523 if (just_run_the_shell) { 512 if (just_run_the_shell) {
524 char *arg[2]; 513 char *arg[2];
525 arg[0] = cfg.usershell; 514 arg[0] = cfg.usershell;
@@ -1010,15 +999,6 @@ int sandbox(void* sandbox_arg) {
1010 fs_proc_sys_dev_boot(); 999 fs_proc_sys_dev_boot();
1011 1000
1012 //**************************** 1001 //****************************
1013 // Allow access to /proc
1014 //****************************
1015#ifdef HAVE_LANDLOCK
1016 if (arg_landlock>-1) {
1017 if (arg_landlock_proc >= 1) add_read_access_rule_by_path(arg_landlock, "/proc/");
1018 if (arg_landlock_proc == 2) add_write_access_rule_by_path(arg_landlock, "/proc/");
1019}
1020#endif
1021 //****************************
1022 // handle /mnt and /media 1002 // handle /mnt and /media
1023 //**************************** 1003 //****************************
1024 if (checkcfg(CFG_DISABLE_MNT)) 1004 if (checkcfg(CFG_DISABLE_MNT))
@@ -1113,12 +1093,9 @@ int sandbox(void* sandbox_arg) {
1113 //**************************** 1093 //****************************
1114 // rebuild etc directory, set dns 1094 // rebuild etc directory, set dns
1115 //**************************** 1095 //****************************
1116 if (!arg_writable_etc){ 1096 if (!arg_writable_etc)
1117 fs_rebuild_etc(); 1097 fs_rebuild_etc();
1118#ifdef HAVE_LANDLOCK 1098
1119 if (arg_landlock>-1) add_read_access_rule_by_path(arg_landlock, "/etc/");
1120#endif
1121 }
1122 //**************************** 1099 //****************************
1123 // start dhcp client 1100 // start dhcp client
1124 //**************************** 1101 //****************************
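Review bot: dropping the braces around fs_rebuild_etc() is correct once the Landlock line is gone (a single statement remains), but the new blank line 1098 is left where the #ifdef used to be; delete it so the if statement is followed directly by the next comment block, matching the surrounding style.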
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index e0751ef5c..e11081eed 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -122,12 +122,6 @@ static char *usage_str =
122 " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" 122 " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
123 " --keep-fd - inherit open file descriptors to sandbox.\n" 123 " --keep-fd - inherit open file descriptors to sandbox.\n"
124 " --keep-var-tmp - /var/tmp directory is untouched.\n" 124 " --keep-var-tmp - /var/tmp directory is untouched.\n"
125 " --landlock - add basic rules to the Landlock ruleset.\n"
126 " --landlock.proc=no|ro|rw - add an access rule for /proc to the Landlock ruleset.\n"
127 " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n"
128 " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n"
129 " --landlock.special=path - add an access rule for creating FIFO pipes, Unix domain sockets and block devices for the path to the Landlock ruleset.\n"
130 " --landlock.execute=path - add an execution-permitting rule for the path to the Landlock ruleset.\n"
131 " --list - list all sandboxes.\n" 125 " --list - list all sandboxes.\n"
132#ifdef HAVE_FILE_TRANSFER 126#ifdef HAVE_FILE_TRANSFER
133 " --ls=name|pid dir_or_filename - list files in sandbox container.\n" 127 " --ls=name|pid dir_or_filename - list files in sandbox container.\n"
diff --git a/src/firejail/util.c b/src/firejail/util.c
index b6a7ca08c..a01290cf2 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1338,10 +1338,6 @@ void close_all(int *keep_list, size_t sz) {
1338 if (keep) 1338 if (keep)
1339 continue; 1339 continue;
1340 1340
1341 // don't close the file descriptor of the Landlock ruleset -- it will be automatically closed by the landlock_restrict_self wrapper function
1342#ifdef HAVE_LANDLOCK
1343 if (fd == arg_landlock) continue;
1344#endif
1345 close(fd); 1341 close(fd);
1346 } 1342 }
1347 closedir(dir); 1343 closedir(dir);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 1f543980e..138aae8af 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -497,35 +497,6 @@ Blacklist all Linux capabilities.
497.TP 497.TP
498\fBcaps.keep capability,capability,capability 498\fBcaps.keep capability,capability,capability
499Whitelist given Linux capabilities. 499Whitelist given Linux capabilities.
500#ifdef HAVE_LANDLOCK
501.TP
502\fBlandlock
503Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it.
504.br
505.TP
506\fBlandlock.proc no|ro|rw
507Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related profile options have no effect.
508.br
509.TP
510\fBlandlock.read path
511Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path.
512.br
513
514.TP
515\fBlandlock.write path
516Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path.
517.br
518
519.TP
520\fBlandlock.special path
521Create a Landlock ruleset (if it doesn't already exist) and add an access rule for creation of FIFO pipes, Unix-domain sockets and block devices beneath given path.
522.br
523
524.TP
525\fBlandlock.execute path
526Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path.
527.br
528#endif
529.TP 500.TP
530\fBmemory-deny-write-execute 501\fBmemory-deny-write-execute
531Install a seccomp filter to block attempts to create memory mappings 502Install a seccomp filter to block attempts to create memory mappings
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 0b78203d7..1dd5508b3 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1151,41 +1151,6 @@ Example:
1151.br 1151.br
1152$ firejail --keep-var-tmp 1152$ firejail --keep-var-tmp
1153 1153
1154#ifdef HAVE_LANDLOCK
1155.TP
1156\fB\-\-landlock
1157Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it. See \fBLANDLOCK\fR section for more information.
1158.br
1159.TP
1160\fB\-\-landlock.proc=no|ro|rw
1161Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related command-line options have no effect.
1162.br
1163.TP
1164\fB\-\-landlock.read=path
1165Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path.
1166.br
1167
1168.TP
1169\fB\-\-landlock.write=path
1170Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path.
1171.br
1172
1173.TP
1174\fB\-\-landlock.special=path
1175Create a Landlock ruleset (if it doesn't already exist) and add a permission rule to create FIFO pipes, Unix domain sockets and block devices beneath given path.
1176.br
1177
1178.TP
1179\fB\-\-landlock.execute=path
1180Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path.
1181.br
1182
1183.br
1184Example:
1185.br
1186$ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr
1187#endif
1188
1189.TP 1154.TP
1190\fB\-\-list 1155\fB\-\-list
1191List all sandboxes, see \fBMONITORING\fR section for more details. 1156List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1303,7 +1268,6 @@ $ firejail --list
1303.br 1268.br
13041312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote 12691312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
1305.br 1270.br
1306
1307#ifdef HAVE_NETWORK 1271#ifdef HAVE_NETWORK
1308.TP 1272.TP
1309\fB\-\-net=bridge_interface 1273\fB\-\-net=bridge_interface
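Review bot: the blank line removed at 1306 (between the `--list` example and `#ifdef HAVE_NETWORK`) is unrelated to Landlock; harmless, but keep unrelated whitespace edits out of a feature-removal commit so the diff reads as a clean revert.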
@@ -3237,34 +3201,7 @@ To enable AppArmor confinement on top of your current Firejail security features
3237.br 3201.br
3238$ firejail --apparmor firefox 3202$ firejail --apparmor firefox
3239#endif 3203#endif
3240#ifdef HAVE_LANDLOCK
3241.SH LANDLOCK
3242.TP
3243Landlock is a Linux security module first introduced in the 5.13 version of Linux kernel. It allows unprivileged processes to restrict their access to the filesystem. Once imposed, these restrictions can never be removed, and all child processes created by a Landlock-restricted processes inherit these restrictions. Firejail supports Landlock as an additional sandboxing feature. It can be used to ensure that a sandboxed application can only access files and directories that it was explicitly allowed to access. Firejail supports populating the ruleset with both basic set of rules and with custom set of rules. Basic set of rules allows read-only access to /bin, /dev, /etc, /lib, /opt, /proc, /usr and /var, read-write access to the home directory, and allows execution of binaries located in /bin, /opt and /usr.
3244.br
3245
3246.TP
3247Important notes:
3248.br
3249
3250.br
3251- A process can install a Landlock ruleset only if it has either \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New Privileges" restriction enabled. Because of this, enabling the Landlock feature will also cause Firejail to enable the "No New Privileges" restriction, regardless of the profile or the \fB\-\-no\-new\-privs\fR command line option.
3252.br
3253 3204
3254.br
3255- Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR command line option.
3256
3257.br
3258- Access to the /etc directory is automatically allowed. To override this, use the \fB\-\-writable\-etc\fR command line option. You can also use the \fB\-\-private\-etc\fR option to restrict access to the /etc directory.
3259.br
3260
3261.TP
3262To enable Landlock self-restriction on top of your current Firejail security features, pass \fB\-\-landlock\fR flag to Firejail command line. You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR, \fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with \fB\-\-landlock\fR or instead of it. Example:
3263.br
3264
3265.br
3266$ firejail --landlock --landlock.read=/media --landlock.proc=ro mc
3267#endif
3268.SH DESKTOP INTEGRATION 3205.SH DESKTOP INTEGRATION
3269A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. 3206A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
3270The symbolic link should be placed in the first $PATH position. On most systems, a good place 3207The symbolic link should be placed in the first $PATH position. On most systems, a good place
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index ed7337762..2b67c2a00 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -105,12 +105,6 @@ _firejail_args=(
105 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' 105 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
106 '--keep-fd[inherit open file descriptors to sandbox]: :' 106 '--keep-fd[inherit open file descriptors to sandbox]: :'
107 '--keep-var-tmp[/var/tmp directory is untouched]' 107 '--keep-var-tmp[/var/tmp directory is untouched]'
108 '--landlock[Basic Landlock ruleset]'
109 '--landlock.proc=-[Access to the /proc directory]: :(no ro rw)'
110 '--landlock.read=-[Landlock read access rule]: :_files'
111 '--landlock.write=-[Landlock write access rule]: :_files'
112 "--landlock.special=-[Landlock access rule for creation of FIFO pipes, sockets and block devices]: :_files"
113 '--landlock.execute=-[Landlock execution-permitting rule]: :_files'
114 '--machine-id[spoof /etc/machine-id with a random id]' 108 '--machine-id[spoof /etc/machine-id with a random id]'
115 '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' 109 '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
116 '*--mkdir=-[create a directory]:' 110 '*--mkdir=-[create a directory]:'