diff options
Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 138aae8af..6e75aceed 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -497,6 +497,27 @@ Blacklist all Linux capabilities. | |||
497 | .TP | 497 | .TP |
498 | \fBcaps.keep capability,capability,capability | 498 | \fBcaps.keep capability,capability,capability |
499 | Whitelist given Linux capabilities. | 499 | Whitelist given Linux capabilities. |
500 | #ifdef HAVE_LANDLOCK | ||
501 | .TP | ||
502 | \fBlandlock-read path | ||
503 | Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
504 | .br | ||
505 | |||
506 | .TP | ||
507 | \fBlandlock-write path | ||
508 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
509 | .br | ||
510 | |||
511 | .TP | ||
512 | \fBlandlock-restricted-write path | ||
513 | Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
514 | .br | ||
515 | |||
516 | .TP | ||
517 | \fBlandlock-execute path | ||
518 | Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error. | ||
519 | .br | ||
520 | #endif | ||
500 | .TP | 521 | .TP |
501 | \fBmemory-deny-write-execute | 522 | \fBmemory-deny-write-execute |
502 | Install a seccomp filter to block attempts to create memory mappings | 523 | Install a seccomp filter to block attempts to create memory mappings |