Diffstat (limited to 'src/man/firejail.1.in')
-rw-r--r-- | src/man/firejail.1.in | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 06969e851..d5a00c41b 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in | |||
@@ -1243,6 +1243,52 @@ Example: | |||
1243 | .br | 1243 | .br |
1244 | $ firejail --keep-var-tmp | 1244 | $ firejail --keep-var-tmp |
1245 | 1245 | ||
1246 | #ifdef HAVE_LANDLOCK | ||
1247 | .TP | ||
1248 | \fB\-\-landlock | ||
1249 | Create a Landlock ruleset (if it doesn't already exist) and add basic access | ||
1250 | rules to it. | ||
1251 | The basic set of rules applies the following access permissions: | ||
1252 | .PP | ||
1253 | .RS | ||
1254 | - read: /bin, /dev, /etc, /lib, /opt, /proc, /usr, /var | ||
1255 | .br | ||
1256 | - write: /dev, /proc | ||
1257 | .br | ||
1258 | - exec: /bin, /lib, /opt, /usr | ||
1259 | .RE | ||
1260 | .PP | ||
1261 | See the \fBLANDLOCK\fR section for more information. | ||
1262 | .TP | ||
1263 | \fB\-\-landlock.proc=no|ro|rw | ||
1264 | Add an access rule for /proc directory (read-only if set to \fBro\fR and | ||
1265 | read-write if set to \fBrw\fR). | ||
1266 | The access rule for /proc is added after this directory is set up in the | ||
1267 | sandbox. | ||
1268 | Access rules for /proc set up with other Landlock-related command-line options | ||
1269 | have no effect. | ||
1270 | .TP | ||
1271 | \fB\-\-landlock.read=path | ||
1272 | Create a Landlock ruleset (if it doesn't already exist) and add a read access | ||
1273 | rule for path. | ||
1274 | .TP | ||
1275 | \fB\-\-landlock.write=path | ||
1276 | Create a Landlock ruleset (if it doesn't already exist) and add a write access | ||
1277 | rule for path. | ||
1278 | .TP | ||
1279 | \fB\-\-landlock.special=path | ||
1280 | Create a Landlock ruleset (if it doesn't already exist) and add a rule that | ||
1281 | allows the creation of block devices, character devices, named pipes (FIFOs) | ||
1282 | and Unix domain sockets beneath given path. | ||
1283 | .TP | ||
1284 | \fB\-\-landlock.execute=path | ||
1285 | Create a Landlock ruleset (if it doesn't already exist) and add an execution | ||
1286 | permission rule for path. | ||
1287 | .PP | ||
1288 | Example: | ||
1289 | .PP | ||
1290 | $ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr | ||
1291 | #endif | ||
1246 | .TP | 1292 | .TP |
1247 | \fB\-\-list | 1293 | \fB\-\-list |
1248 | List all sandboxes, see \fBMONITORING\fR section for more details. | 1294 | List all sandboxes, see \fBMONITORING\fR section for more details. |
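Review bot: the precedence between the basic ruleset and --landlock.proc is left ambiguous in this hunk. Lines 1254-1256 say --landlock grants read and write on /proc, while lines 1266-1269 say the /proc rule is added only after the directory is set up and that "Access rules for /proc set up with other Landlock-related command-line options have no effect". The reader cannot tell whether a plain --landlock still yields rw on /proc or whether /proc stays unreachable unless --landlock.proc is given; state that explicitly in the --landlock entry. The "no" value in "--landlock.proc=no|ro|rw" (line 1263) is also never described, unlike ro and rw; one clause such as "no: add no rule for /proc" would close that gap. Line 1282, "beneath given path", needs an article ("beneath the given path"), and for --landlock.write (lines 1275-1277) it would help to say whether "write" also covers creating and removing entries under the path, since the sandboxed application's behaviour differs materially between the two readings.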
@@ -3365,6 +3411,47 @@ To enable AppArmor confinement on top of your current Firejail security features | |||
3365 | $ firejail --apparmor firefox | 3411 | $ firejail --apparmor firefox |
3366 | #endif | 3412 | #endif |
3367 | 3413 | ||
3414 | #ifdef HAVE_LANDLOCK | ||
3415 | .SH LANDLOCK | ||
3416 | Landlock is a Linux security module first introduced in version 5.13 of the | ||
3417 | Linux kernel. | ||
3418 | It allows unprivileged processes to restrict their access to the filesystem. | ||
3419 | Once imposed, these restrictions can never be removed, and all child processes | ||
3420 | created by a Landlock-restricted processes inherit these restrictions. | ||
3421 | Firejail supports Landlock as an additional sandboxing feature. | ||
3422 | It can be used to ensure that a sandboxed application can only access files and | ||
3423 | directories that it was explicitly allowed to access. | ||
3424 | Firejail supports populating the ruleset with both a basic set of rules (see | ||
3425 | \fB\-\-landlock\fR) and with a custom set of rules. | ||
3426 | .TP | ||
3427 | Important notes: | ||
3428 | .PP | ||
3429 | .RS | ||
3430 | - A process can install a Landlock ruleset only if it has either | ||
3431 | \fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New | ||
3432 | Privileges" restriction enabled. | ||
3433 | Because of this, enabling the Landlock feature will also cause Firejail to | ||
3434 | enable the "No New Privileges" restriction, regardless of the profile or the | ||
3435 | \fB\-\-no\-new\-privs\fR command line option. | ||
3436 | .PP | ||
3437 | - Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR | ||
3438 | command line option. | ||
3439 | .PP | ||
3440 | - Access to the /etc directory is automatically allowed. | ||
3441 | To override this, use the \fB\-\-writable\-etc\fR command line option. | ||
3442 | You can also use the \fB\-\-private\-etc\fR option to restrict access to the | ||
3443 | /etc directory. | ||
3444 | .RE | ||
3445 | .PP | ||
3446 | To enable Landlock self-restriction on top of your current Firejail security | ||
3447 | features, pass \fB\-\-landlock\fR flag to Firejail command line. | ||
3448 | You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR, | ||
3449 | \fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with | ||
3450 | \fB\-\-landlock\fR or instead of it. | ||
3451 | Example: | ||
3452 | .PP | ||
3453 | $ firejail \-\-landlock \-\-landlock.read=/media \-\-landlock.proc=ro mc | ||
3454 | #endif | ||
3368 | .SH DESKTOP INTEGRATION | 3455 | .SH DESKTOP INTEGRATION |
3369 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. | 3456 | A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. |
3370 | The symbolic link should be placed in the first $PATH position. On most systems, a good place | 3457 | The symbolic link should be placed in the first $PATH position. On most systems, a good place |
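Review bot: the /etc note at lines 3440-3443 is contradictory as written: "Access to the /etc directory is automatically allowed. To override this, use --writable-etc" reads as if --writable-etc removes access, whereas the option name suggests it widens it. Say which access is granted automatically (presumably read) and what --writable-etc and --private-etc each change relative to that default. The roff at lines 3426-3428 is also off: ".TP" followed by the tag "Important notes:" and then ".PP" leaves the tagged paragraph empty; ".PP" (or ".SS") before "Important notes:" matches how the rest of the section is laid out. Two grammar fixes: line 3420 "a Landlock-restricted processes" should be "a Landlock-restricted process", and line 3447 "pass \fB\-\-landlock\fR flag" should be "pass the \fB\-\-landlock\fR flag". Finally, the sentence at lines 3433-3435 states a security-relevant side effect (Firejail forces "No New Privileges" on whenever Landlock is used); consider cross-referencing it from the --landlock option entry as well, since users enabling Landlock from the command line may never read this section.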