Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 40 |
1 files changed, 40 insertions, 0 deletions
@@ -270,6 +270,46 @@ Work in progress, the interface described in the man page below could change. | |||
270 | Example: | 270 | Example: |
271 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ | 271 | $ firejail --landlock.read=/ --landlock.write=/home --land‐ |
272 | lock.execute=/usr | 272 | lock.execute=/usr |
273 | |||
274 | LANDLOCK | ||
275 | Landlock is a Linux security module first introduced in the 5.13 ver‐ | ||
276 | sion of Linux kernel. It allows unprivileged processes to restrict | ||
277 | their access to the filesystem. Once imposed, these restrictions can | ||
278 | never be removed, and all child processes created by a Landlock-re‐ | ||
279 | stricted processes inherit these restrictions. Firejail supports Land‐ | ||
280 | lock as an additional sandboxing feature. It can be used to ensure that | ||
281 | a sandboxed application can only access files and directories that it | ||
282 | was explicitly allowed to access. Firejail supports populating the | ||
283 | ruleset with both basic set of rules and with custom set of rules. Ba‐ | ||
284 | sic set of rules allows read-only access to /bin, /dev, /etc, /lib, | ||
285 | /opt, /proc, /usr and /var, read-write access to the home directory, | ||
286 | and allows execution of binaries located in /bin, /opt and /usr. | ||
287 | |||
288 | Important notes: | ||
289 | |||
290 | - A process can install a Landlock ruleset only if it has either | ||
291 | CAP_SYS_ADMIN in its effective capability set, or the "No New | ||
292 | Privileges" restriction enabled. Because of this, enabling the | ||
293 | Landlock feature will also cause Firejail to enable the "No New | ||
294 | Privileges" restriction, regardless of the profile or the | ||
295 | --no-new-privs command line option. | ||
296 | |||
297 | - Access to the /proc directory is managed through the --land‐ | ||
298 | lock.proc command line option. | ||
299 | |||
300 | - Access to the /etc directory is automatically allowed. To | ||
301 | override this, use the --writable-etc command line option. You | ||
302 | can also use the --private-etc option to restrict access to the | ||
303 | /etc directory. | ||
304 | |||
305 | To enable Landlock self-restriction on top of your current Firejail se‐ | ||
306 | curity features, pass --landlock flag to Firejail command line. You can | ||
307 | also use --landlock.read, --landlock.write, --landlock.special and | ||
308 | --landlock.execute options together with --landlock or instead of it. | ||
309 | Example: | ||
310 | |||
311 | $ firejail --landlock --landlock.read=/media --landlock.proc=ro | ||
312 | mc | ||
273 | ````` | 313 | ````` |
274 | 314 | ||
275 | ### Profile Statistics | 315 | ### Profile Statistics |
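Review bot: the option list at lines 306-308 ("--landlock.read, --landlock.write, --landlock.special and --landlock.execute") omits --landlock.proc, even though the note at 297-298 says /proc access is managed only through that option and the example at 311 uses it; add it to the list so readers do not assume /proc is covered by --landlock.read. In the same hunk, the basic ruleset at 284-285 lists /proc among the read-only paths while the note says /proc is controlled separately, so state which one wins when --landlock is given without --landlock.proc. Finally, the text is pasted from rendered man output, so words are split with soft hyphens across lines ("ver‐ sion", "Land‐ lock", "--land‐ lock.execute"); those characters survive into the README and break copy-paste of the example commands, so re-wrap from the troff source or join the broken words before merging.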