Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 6e75aceed..1f543980e 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -499,23 +499,31 @@ Blacklist all Linux capabilities. | |||
499 | Whitelist given Linux capabilities. | 499 | Whitelist given Linux capabilities. |
500 | #ifdef HAVE_LANDLOCK | 500 | #ifdef HAVE_LANDLOCK |
501 | .TP | 501 | .TP |
502 | \fBlandlock-read path | 502 | \fBlandlock |
503 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | 503 | Create a Landlock ruleset (if it doesn't already exist) and add basic access rules to it. |
504 | .br | ||
505 | .TP | ||
506 | \fBlandlock.proc no|ro|rw | ||
507 | Add an access rule for /proc directory (read-only if set to \fBro\fR and read-write if set to \fBrw\fR). The access rule for /proc is added after this directory is set up in the sandbox. Access rules for /proc set up with other Landlock-related profile options have no effect. | ||
508 | .br | ||
509 | .TP | ||
510 | \fBlandlock.read path | ||
511 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. | ||
504 | .br | 512 | .br |
505 | 513 | ||
506 | .TP | 514 | .TP |
507 | \fBlandlock-write path | 515 | \fBlandlock.write path |
508 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | 516 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. |
509 | .br | 517 | .br |
510 | 518 | ||
511 | .TP | 519 | .TP |
512 | \fBlandlock-restricted-write path | 520 | \fBlandlock.special path |
513 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | 521 | Create a Landlock ruleset (if it doesn't already exist) and add an access rule for creation of FIFO pipes, Unix-domain sockets and block devices beneath given path. |
514 | .br | 522 | .br |
515 | 523 | ||
516 | .TP | 524 | .TP |
517 | \fBlandlock-execute path | 525 | \fBlandlock.execute path |
518 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | 526 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. |
519 | .br | 527 | .br |
520 | #endif | 528 | #endif |
521 | .TP | 529 | .TP |
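Review bot: The note that Landlock self-restriction fails, and Firejail exits with an error, when the process has neither CAP_SYS_ADMIN nor "No New Privileges" is removed from all four old entries (old lines 503, 508, 513, 518) and is not restated anywhere in the new text. If that failure mode still applies, keep it once under the new \fBlandlock entry; if this change makes it obsolete, say so in the commit message. Three smaller documentation gaps in the same hunk: the \fBlandlock entry says "basic access rules" without naming the paths or access types they cover, so a profile author cannot tell what the base ruleset permits; \fBlandlock.proc no|ro|rw describes ro and rw but not what "no" does or which value is the default; and \fBlandlock.write keeps the old landlock-write wording although creation of FIFO pipes, Unix-domain sockets and block devices now has its own \fBlandlock.special option, so the write entry should state whether it still includes those. The rename from landlock-* to landlock.* also changes the option names existing profiles use, and the text gives no hint of the old spellings.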