1 files changed, 28 insertions, 0 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2d8adb0b7..7082fe0ab 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1144,6 +1144,33 @@ Example:
 .br
 $ firejail --keep-var-tmp
+#ifdef HAVE_LANDLOCK
+.TP
+\fB\-\-landlock-read=path
+Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+.TP
+\fB\-\-landlock-write=path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+.TP
+\fB\-\-landlock-restricted-write=path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+.TP
+\fB\-\-landlock-execute=path
+Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+.br
+Example:
+.br
+$ firejail \-\-landlock-read=/ \-\-landlock-restricted-write=/home \-\-landlock-execute=/usr
+#endif
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1261,6 +1288,7 @@ $ firejail --list
 .br
 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
 .br
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-net=bridge_interface

diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 2d8adb0b7..7082fe0ab 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1144,6 +1144,33 @@ Example:
1144	.br	1144	.br
1145	$ firejail --keep-var-tmp	1145	$ firejail --keep-var-tmp
1146		1146
		1147	#ifdef HAVE_LANDLOCK
		1148	.TP
		1149	\fB\-\-landlock-read=path
		1150	Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
		1151	.br
		1152
		1153	.TP
		1154	\fB\-\-landlock-write=path
		1155	Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
		1156	.br
		1157
		1158	.TP
		1159	\fB\-\-landlock-restricted-write=path
		1160	Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
		1161	.br
		1162
		1163	.TP
		1164	\fB\-\-landlock-execute=path
		1165	Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
		1166	.br
		1167
		1168	.br
		1169	Example:
		1170	.br
		1171	$ firejail \-\-landlock-read=/ \-\-landlock-restricted-write=/home \-\-landlock-execute=/usr
		1172	#endif
		1173
1147	.TP	1174	.TP
1148	\fB\-\-list	1175	\fB\-\-list
1149	List all sandboxes, see \fBMONITORING\fR section for more details.	1176	List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1261,6 +1288,7 @@ $ firejail --list
1261	.br	1288	.br
1262	1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote	1289	1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
1263	.br	1290	.br
		1291
1264	#ifdef HAVE_NETWORK	1292	#ifdef HAVE_NETWORK
1265	.TP	1293	.TP
1266	\fB\-\-net=bridge_interface	1294	\fB\-\-net=bridge_interface