1 files changed, 12 insertions, 29 deletions
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 39f12b005..c63cf350d 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1245,31 +1245,15 @@ $ firejail --keep-var-tmp
 #ifdef HAVE_LANDLOCK
 .TP
-\fB\-\-landlock
+\fB\-\-landlock.enforce
-Create a Landlock ruleset (if it doesn't already exist) and add basic access
+Enforce the Landlock ruleset.
-rules to it.
-The basic set of rules applies the following access permissions:
 .PP
-.RS
+Without it, the other Landlock commands have no effect.
- read:  /bin, /dev, /etc, /lib, /opt, /proc, /usr, /var
-.br
- write: /dev, /proc
-.br
- exec:  /bin, /lib, /opt, /usr
-.RE
 .PP
 .RS
 See the \fBLANDLOCK\fR section for more information.
 .RE
 .TP
-\fB\-\-landlock.proc=no|ro|rw
-Add an access rule for /proc directory (read-only if set to \fBro\fR and
-read-write if set to \fBrw\fR).
-The access rule for /proc is added after this directory is set up in the
-sandbox.
-Access rules for /proc set up with other Landlock-related command-line options
-have no effect.
-.TP
 \fB\-\-landlock.read=path
 Create a Landlock ruleset (if it doesn't already exist) and add a read access
 rule for path.
@@ -1291,7 +1275,9 @@ permission rule for path.
 .br
 Example:
 .br
-$ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr
+$ firejail \-\-landlock.read=/ \-\-landlock.write=/home
+\-\-landlock.execute=/usr \-\-landlock.enforce
+.PP
 #endif
 .TP
 \fB\-\-list
@@ -3426,7 +3412,7 @@ Firejail supports Landlock as an additional sandboxing feature.
 It can be used to ensure that a sandboxed application can only access files and
 directories that it was explicitly allowed to access.
 Firejail supports populating the ruleset with both a basic set of rules (see
-\fB\-\-landlock\fR) and with a custom set of rules.
+landlock-common.inc) and with a custom set of rules.
 .TP
 Important notes:
 .PP
@@ -3438,9 +3424,6 @@ Because of this, enabling the Landlock feature will also cause Firejail to
 enable the "No New Privileges" restriction, regardless of the profile or the
 \fB\-\-nonewprivs\fR command line option.
 .PP
- Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR
-command line option.
-.PP
 - Access to the /etc directory is automatically allowed.
 To override this, use the \fB\-\-writable\-etc\fR command line option.
 You can also use the \fB\-\-private\-etc\fR option to restrict access to the
@@ -3448,13 +3431,13 @@ You can also use the \fB\-\-private\-etc\fR option to restrict access to the
 .RE
 .PP
 To enable Landlock self-restriction on top of your current Firejail security
-features, pass \fB\-\-landlock\fR flag to Firejail command line.
+features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
-You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR,
+Without it, the other Landlock commands have no effect.
-\fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with
-\fB\-\-landlock\fR or instead of it.
 Example:
 .PP
-$ firejail \-\-landlock \-\-landlock.read=/media \-\-landlock.proc=ro mc
+$ firejail \-\-landlock.enforce \-\-landlock.read=/media mc
+.PP
+To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
 #endif
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.

diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 39f12b005..c63cf350d 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in
@@ -1245,31 +1245,15 @@ $ firejail --keep-var-tmp
1245		1245
1246	#ifdef HAVE_LANDLOCK	1246	#ifdef HAVE_LANDLOCK
1247	.TP	1247	.TP
1248	\fB\-\-landlock	1248	\fB\-\-landlock.enforce
1249	Create a Landlock ruleset (if it doesn't already exist) and add basic access	1249	Enforce the Landlock ruleset.
1250	rules to it.
1251	The basic set of rules applies the following access permissions:
1252	.PP	1250	.PP
1253	.RS	1251	Without it, the other Landlock commands have no effect.
1254	- read: /bin, /dev, /etc, /lib, /opt, /proc, /usr, /var
1255	.br
1256	- write: /dev, /proc
1257	.br
1258	- exec: /bin, /lib, /opt, /usr
1259	.RE
1260	.PP	1252	.PP
1261	.RS	1253	.RS
1262	See the \fBLANDLOCK\fR section for more information.	1254	See the \fBLANDLOCK\fR section for more information.
1263	.RE	1255	.RE
1264	.TP	1256	.TP
1265	\fB\-\-landlock.proc=no\|ro\|rw
1266	Add an access rule for /proc directory (read-only if set to \fBro\fR and
1267	read-write if set to \fBrw\fR).
1268	The access rule for /proc is added after this directory is set up in the
1269	sandbox.
1270	Access rules for /proc set up with other Landlock-related command-line options
1271	have no effect.
1272	.TP
1273	\fB\-\-landlock.read=path	1257	\fB\-\-landlock.read=path
1274	Create a Landlock ruleset (if it doesn't already exist) and add a read access	1258	Create a Landlock ruleset (if it doesn't already exist) and add a read access
1275	rule for path.	1259	rule for path.
@@ -1291,7 +1275,9 @@ permission rule for path.
1291	.br	1275	.br
1292	Example:	1276	Example:
1293	.br	1277	.br
1294	$ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr	1278	$ firejail \-\-landlock.read=/ \-\-landlock.write=/home
		1279	\-\-landlock.execute=/usr \-\-landlock.enforce
		1280	.PP
1295	#endif	1281	#endif
1296	.TP	1282	.TP
1297	\fB\-\-list	1283	\fB\-\-list
@@ -3426,7 +3412,7 @@ Firejail supports Landlock as an additional sandboxing feature.
3426	It can be used to ensure that a sandboxed application can only access files and	3412	It can be used to ensure that a sandboxed application can only access files and
3427	directories that it was explicitly allowed to access.	3413	directories that it was explicitly allowed to access.
3428	Firejail supports populating the ruleset with both a basic set of rules (see	3414	Firejail supports populating the ruleset with both a basic set of rules (see
3429	\fB\-\-landlock\fR) and with a custom set of rules.	3415	landlock-common.inc) and with a custom set of rules.
3430	.TP	3416	.TP
3431	Important notes:	3417	Important notes:
3432	.PP	3418	.PP
@@ -3438,9 +3424,6 @@ Because of this, enabling the Landlock feature will also cause Firejail to
3438	enable the "No New Privileges" restriction, regardless of the profile or the	3424	enable the "No New Privileges" restriction, regardless of the profile or the
3439	\fB\-\-nonewprivs\fR command line option.	3425	\fB\-\-nonewprivs\fR command line option.
3440	.PP	3426	.PP
3441	- Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR
3442	command line option.
3443	.PP
3444	- Access to the /etc directory is automatically allowed.	3427	- Access to the /etc directory is automatically allowed.
3445	To override this, use the \fB\-\-writable\-etc\fR command line option.	3428	To override this, use the \fB\-\-writable\-etc\fR command line option.
3446	You can also use the \fB\-\-private\-etc\fR option to restrict access to the	3429	You can also use the \fB\-\-private\-etc\fR option to restrict access to the
@@ -3448,13 +3431,13 @@ You can also use the \fB\-\-private\-etc\fR option to restrict access to the
3448	.RE	3431	.RE
3449	.PP	3432	.PP
3450	To enable Landlock self-restriction on top of your current Firejail security	3433	To enable Landlock self-restriction on top of your current Firejail security
3451	features, pass \fB\-\-landlock\fR flag to Firejail command line.	3434	features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
3452	You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR,	3435	Without it, the other Landlock commands have no effect.
3453	\fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with
3454	\fB\-\-landlock\fR or instead of it.
3455	Example:	3436	Example:
3456	.PP	3437	.PP
3457	$ firejail \-\-landlock \-\-landlock.read=/media \-\-landlock.proc=ro mc	3438	$ firejail \-\-landlock.enforce \-\-landlock.read=/media mc
		3439	.PP
		3440	To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
3458	#endif	3441	#endif
3459	.SH DESKTOP INTEGRATION	3442	.SH DESKTOP INTEGRATION
3460	A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.	3443	A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.