1 files changed, 21 insertions, 0 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 138aae8af..6e75aceed 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -497,6 +497,27 @@ Blacklist all Linux capabilities.
 .TP
 \fBcaps.keep capability,capability,capability
 Whitelist given Linux capabilities.
+#ifdef HAVE_LANDLOCK
+.TP
+\fBlandlock-read path
+Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+.TP
+\fBlandlock-write path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+.TP
+\fBlandlock-restricted-write path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+.TP
+\fBlandlock-execute path
+Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+#endif
 .TP
 \fBmemory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 138aae8af..6e75aceed 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -497,6 +497,27 @@ Blacklist all Linux capabilities.
497	.TP	497	.TP
498	\fBcaps.keep capability,capability,capability	498	\fBcaps.keep capability,capability,capability
499	Whitelist given Linux capabilities.	499	Whitelist given Linux capabilities.
		500	#ifdef HAVE_LANDLOCK
		501	.TP
		502	\fBlandlock-read path
		503	Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
		504	.br
		505
		506	.TP
		507	\fBlandlock-write path
		508	Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
		509	.br
		510
		511	.TP
		512	\fBlandlock-restricted-write path
		513	Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
		514	.br
		515
		516	.TP
		517	\fBlandlock-execute path
		518	Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
		519	.br
		520	#endif
500	.TP	521	.TP
501	\fBmemory-deny-write-execute	522	\fBmemory-deny-write-execute
502	Install a seccomp filter to block attempts to create memory mappings	523	Install a seccomp filter to block attempts to create memory mappings