Diffstat (limited to 'src/man/firejail.1.in')
-rw-r--r-- | src/man/firejail.1.in | 32 |
1 files changed, 26 insertions, 6 deletions
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 618b4955e..87bd6fcc2 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -1236,30 +1236,30 @@ $ firejail --keep-var-tmp | |||
1236 | 1236 | ||
1237 | #ifdef HAVE_LANDLOCK | 1237 | #ifdef HAVE_LANDLOCK |
1238 | .TP | 1238 | .TP |
1239 | \fB\-\-landlock.enforce | 1239 | \fB\-\-landlock.enforce (experimental) |
1240 | Enforce the Landlock ruleset. | 1240 | Enforce the Landlock ruleset. |
1241 | Without it, the other Landlock commands have no effect. | 1241 | Without it, the other Landlock commands have no effect. |
1242 | See the \fBLANDLOCK\fR section for more information. | 1242 | See the \fBLANDLOCK\fR section for more information. |
1243 | .TP | 1243 | .TP |
1244 | \fB\-\-landlock.fs.read=path | 1244 | \fB\-\-landlock.fs.read=path (experimental) |
1245 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | 1245 | Create a Landlock ruleset (if it doesn't already exist) and add a read access |
1246 | rule for path. | 1246 | rule for path. |
1247 | .TP | 1247 | .TP |
1248 | \fB\-\-landlock.fs.write=path | 1248 | \fB\-\-landlock.fs.write=path (experimental) |
1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | 1249 | Create a Landlock ruleset (if it doesn't already exist) and add a write access |
1250 | rule for path. | 1250 | rule for path. |
1251 | .TP | 1251 | .TP |
1252 | \fB\-\-landlock.fs.makeipc=path | 1252 | \fB\-\-landlock.fs.makeipc=path (experimental) |
1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1253 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1254 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath | 1254 | allows the creation of named pipes (FIFOs) and Unix domain sockets beneath |
1255 | the given path. | 1255 | the given path. |
1256 | .TP | 1256 | .TP |
1257 | \fB\-\-landlock.fs.makedev=path | 1257 | \fB\-\-landlock.fs.makedev=path (experimental) |
1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | 1258 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that |
1259 | allows the creation of block devices and character devices beneath the given | 1259 | allows the creation of block devices and character devices beneath the given |
1260 | path. | 1260 | path. |
1261 | .TP | 1261 | .TP |
1262 | \fB\-\-landlock.fs.execute=path | 1262 | \fB\-\-landlock.fs.execute=path (experimental) |
1263 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | 1263 | Create a Landlock ruleset (if it doesn't already exist) and add an execution |
1264 | permission rule for path. | 1264 | permission rule for path. |
1265 | .br | 1265 | .br |
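Review bot: In all six changed tag lines (new lines 1239 to 1262) the "(experimental)" marker sits inside the \fB run with no \fR before it, so it will be set in bold as if it were part of the option syntax. That is most confusing on the "=path (experimental)" forms. Consider ending the bold first, for example "\fB\-\-landlock.fs.read=path\fR (experimental)", so the tag still shows the exact text a user types.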
@@ -3372,6 +3372,21 @@ $ firejail --apparmor firefox | |||
3372 | 3372 | ||
3373 | #ifdef HAVE_LANDLOCK | 3373 | #ifdef HAVE_LANDLOCK |
3374 | .SH LANDLOCK | 3374 | .SH LANDLOCK |
3375 | Warning: Landlock support in firejail is considered experimental and unstable. | ||
3376 | The contents of landlock-common.inc are likely to change and the feature is | ||
3377 | still being expanded upon in the Linux kernel. | ||
3378 | Also, note that its functionality overlaps with existing firejail features, | ||
3379 | such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. | ||
3380 | Its filesystem access rules can currently only restrict direct access to paths; | ||
3381 | it is not able to make only select paths appear in the sandbox such as with the | ||
3382 | \fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). | ||
3383 | Lastly, note that depending on the Linux kernel version, Landlock may not | ||
3384 | protect all of the relevant syscalls (see the kernel's Landlock documentation | ||
3385 | for details). | ||
3386 | Therefore, it is recommended to treat Landlock as an extra layer of protection, | ||
3387 | to be used together with other firejail features (rather than as a bulletproof | ||
3388 | mechanism by itself). | ||
3389 | .PP | ||
3375 | Landlock is a Linux security module first introduced in version 5.13 of the | 3390 | Landlock is a Linux security module first introduced in version 5.13 of the |
3376 | Linux kernel. | 3391 | Linux kernel. |
3377 | It allows unprivileged processes to restrict their access to the filesystem. | 3392 | It allows unprivileged processes to restrict their access to the filesystem. |
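Review bot: The warning added at new lines 3375 to 3388 comes before the sentence that says what Landlock is, and it names landlock-common.inc before the section has introduced that file. Consider moving it below the introductory paragraph, or adding a short clause explaining the file at first mention. The sentence "depending on the Linux kernel version, Landlock may not protect all of the relevant syscalls" would also be easier to act on if it stated which Landlock ABI version firejail uses, as the "Important notes" list does later in this patch, so readers know which part of the kernel documentation applies.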
@@ -3386,6 +3401,11 @@ landlock-common.inc) and with a custom set of rules. | |||
3386 | Important notes: | 3401 | Important notes: |
3387 | .PP | 3402 | .PP |
3388 | .RS | 3403 | .RS |
3404 | - Currently only Landlock ABI version 1 is supported. | ||
3405 | .PP | ||
3406 | - If "lsm=" is used in the kernel command line, it should contain "landlock" | ||
3407 | (such as "lsm=apparmor,landlock"), or else it will be disabled. | ||
3408 | .PP | ||
3389 | - A process can install a Landlock ruleset only if it has either | 3409 | - A process can install a Landlock ruleset only if it has either |
3390 | \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New | 3410 | \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New |
3391 | Privileges" restriction enabled. | 3411 | Privileges" restriction enabled. |
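Review bot: In the "lsm=" note at new lines 3406 to 3407, "or else it will be disabled" has an ambiguous "it"; write "or else Landlock will be disabled". The note also does not say what firejail does with the \-\-landlock.* options in that case (error out, warn, or continue without the ruleset), which matters to anyone relying on them. A pointer to where the active LSM list can be checked, such as /sys/kernel/security/lsm, would let users confirm the setting. The ABI line at new line 3404 could mention that this corresponds to the filesystem access rights available since kernel 5.13, which the section already cites.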