1 files changed, 87 insertions, 0 deletions

diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 06969e851..d5a00c41b 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1243,6 +1243,52 @@ Example:
 .br
 $ firejail --keep-var-tmp
 
+#ifdef HAVE_LANDLOCK
+.TP
+\fB\-\-landlock
+Create a Landlock ruleset (if it doesn't already exist) and add basic access
+rules to it.
+The basic set of rules applies the following access permissions:
+.PP
+.RS
+- read:  /bin, /dev, /etc, /lib, /opt, /proc, /usr, /var
+.br
+- write: /dev, /proc
+.br
+- exec:  /bin, /lib, /opt, /usr
+.RE
+.PP
+See the \fBLANDLOCK\fR section for more information.
+.TP
+\fB\-\-landlock.proc=no|ro|rw
+Add an access rule for /proc directory (read-only if set to \fBro\fR and
+read-write if set to \fBrw\fR).
+The access rule for /proc is added after this directory is set up in the
+sandbox.
+Access rules for /proc set up with other Landlock-related command-line options
+have no effect.
+.TP
+\fB\-\-landlock.read=path
+Create a Landlock ruleset (if it doesn't already exist) and add a read access
+rule for path.
+.TP
+\fB\-\-landlock.write=path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access
+rule for path.
+.TP
+\fB\-\-landlock.special=path
+Create a Landlock ruleset (if it doesn't already exist) and add a rule that
+allows the creation of block devices, character devices, named pipes (FIFOs)
+and Unix domain sockets beneath given path.
+.TP
+\fB\-\-landlock.execute=path
+Create a Landlock ruleset (if it doesn't already exist) and add an execution
+permission rule for path.
+.PP
+Example:
+.PP
+$ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr
+#endif
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -3365,6 +3411,47 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
 
+#ifdef HAVE_LANDLOCK
+.SH LANDLOCK
+Landlock is a Linux security module first introduced in version 5.13 of the
+Linux kernel.
+It allows unprivileged processes to restrict their access to the filesystem.
+Once imposed, these restrictions can never be removed, and all child processes
+created by a Landlock-restricted processes inherit these restrictions.
+Firejail supports Landlock as an additional sandboxing feature.
+It can be used to ensure that a sandboxed application can only access files and
+directories that it was explicitly allowed to access.
+Firejail supports populating the ruleset with both a basic set of rules (see
+\fB\-\-landlock\fR) and with a custom set of rules.
+.TP
+Important notes:
+.PP
+.RS
+- A process can install a Landlock ruleset only if it has either
+\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
+Privileges" restriction enabled.
+Because of this, enabling the Landlock feature will also cause Firejail to
+enable the "No New Privileges" restriction, regardless of the profile or the
+\fB\-\-no\-new\-privs\fR command line option.
+.PP
+- Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR
+command line option.
+.PP
+- Access to the /etc directory is automatically allowed.
+To override this, use the \fB\-\-writable\-etc\fR command line option.
+You can also use the \fB\-\-private\-etc\fR option to restrict access to the
+/etc directory.
+.RE
+.PP
+To enable Landlock self-restriction on top of your current Firejail security
+features, pass \fB\-\-landlock\fR flag to Firejail command line.
+You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR,
+\fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with
+\fB\-\-landlock\fR or instead of it.
+Example:
+.PP
+$ firejail \-\-landlock \-\-landlock.read=/media \-\-landlock.proc=ro mc
+#endif
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place