From 26c74796f3c76b8f0ea0b95a863eb707ecced195 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 5 Sep 2022 01:06:38 -0300 Subject: Revert "landlock: check for landlock support in glibc" This reverts commit c5a052ffa4e2ccaf240635db116a49986808a2b6. Part of reverting commits with Landlock-related changes. --- README.md | 40 ---------------------------------------- 1 file changed, 40 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 5ea2cf39f..fa3f81ffd 100644 --- a/README.md +++ b/README.md 
@@ -270,46 +270,6 @@ Work in progress, the interface described in the man page below could change. Example: $ firejail --landlock.read=/ --landlock.write=/home --land‐ lock.execute=/usr - -LANDLOCK - Landlock is a Linux security module first introduced in the 5.13 ver‐ - sion of Linux kernel. It allows unprivileged processes to restrict - their access to the filesystem. Once imposed, these restrictions can - never be removed, and all child processes created by a Landlock-re‐ - stricted processes inherit these restrictions. Firejail supports Land‐ - lock as an additional sandboxing feature. It can be used to ensure that - a sandboxed application can only access files and directories that it - was explicitly allowed to access. Firejail supports populating the - ruleset with both basic set of rules and with custom set of rules. Ba‐ - sic set of rules allows read-only access to /bin, /dev, /etc, /lib, - /opt, /proc, /usr and /var, read-write access to the home directory, - and allows execution of binaries located in /bin, /opt and /usr. - - Important notes: - - - A process can install a Landlock ruleset only if it has either - CAP_SYS_ADMIN in its effective capability set, or the "No New - Privileges" restriction enabled. Because of this, enabling the - Landlock feature will also cause Firejail to enable the "No New - Privileges" restriction, regardless of the profile or the - --no-new-privs command line option. - - - Access to the /proc directory is managed through the --land‐ - lock.proc command line option. - - - Access to the /etc directory is automatically allowed. To - override this, use the --writable-etc command line option. You - can also use the --private-etc option to restrict access to the - /etc directory. - - To enable Landlock self-restriction on top of your current Firejail se‐ - curity features, pass --landlock flag to Firejail command line. 
You can - also use --landlock.read, --landlock.write, --landlock.special and - --landlock.execute options together with --landlock or instead of it. - Example: - - $ firejail --landlock --landlock.read=/media --landlock.proc=ro - mc ````` ### Profile Statistics -- cgit v1.2.3-54-g00ecf From 67348ac9c2cdf9d30efbf9fd13eaf0a4adc3be00 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 31 Aug 2022 14:55:03 -0300 Subject: Revert "typos" This reverts commit 0594c5d3d0f1ddc4049cf2ed38676a1cdc8d6843. Part of reverting commits with Landlock-related changes. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'README.md') diff --git a/README.md b/README.md index fa3f81ffd..d5db45284 100644 --- a/README.md +++ b/README.md @@ -231,7 +231,7 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 ### Landlock support - EXPERIMENTAL For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build or in the executable archives we provide. It will be "officially" released -in 0.9.74, sometime early next year. For now, use --enable-landlock during software compile: +in 0.9.74, sometime early next year. For now, use --enable-landlock durring software compile: ````` $ ./configure --enable-landlock ````` -- cgit v1.2.3-54-g00ecf From 2a79f3a2689711e6151187063bb55a6af3160b6f Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 31 Aug 2022 14:55:13 -0300 Subject: Revert "README/README.md" This reverts commit 796fa09636195d8751a7bbc1e1bc88bf8c3ac95a. Part of reverting commits with Landlock-related changes. --- README | 1 - README.md | 88 ++++++++++++++++----------------------------------------------- 2 files changed, 22 insertions(+), 67 deletions(-) (limited to 'README.md') diff --git a/README b/README index 39087d987..1aa2b4260 100644 --- a/README +++ b/README 
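Review bot: the deletion in the @@ -270,46 +270,6 @@ hunk of 26c74796 removes the LANDLOCK section but keeps the option block immediately above it, so after this commit README.md still says "--landlock ... See LANDLOCK section for more information" and points at a section that no longer exists; the dangling reference is only cleared by the later revert 2a79f3a2 that deletes the option block. Reorder so that the option block and the section it references go in the same commit, or squash the Landlock reverts into one. The subject line ("landlock: check for landlock support in glibc") also does not describe what the visible hunk does, which is documentation only; because this log is limited to README.md, one sentence in the message naming the configure or source file that held the glibc check would help anyone reading the filtered view. Nit: the surviving example line "--land‐ lock.execute=/usr" carries a man-page hyphenation break pasted into the README, so the option name cannot be copied as written.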
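Review bot: the @@ -231,7 +231,7 @@ hunk of 67348ac9 puts the misspelling "durring" back on the --enable-landlock line solely to undo the typo-fix commit; that line is part of the Landlock section that the next revert (2a79f3a2, hunk @@ -228,50 +228,6 @@) deletes outright, so this commit only adds an intermediate state with a typo restored and does not change the end result. Suggest dropping this revert and letting the section removal carry the change, or squashing it into the commit that removes the section.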
@@ -43,7 +43,6 @@ Maintainer: Committers - chiraag-nataraj (https://github.com/chiraag-nataraj) - crass (https://github.com/crass) -- ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) - curiosityseeker (https://github.com/curiosityseeker) - glitsj16 (https://github.com/glitsj16) - Fred-Barclay (https://github.com/Fred-Barclay) diff --git a/README.md b/README.md index d5db45284..50b120c4a 100644 --- a/README.md +++ b/README.md @@ -214,7 +214,7 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 $ firejail --restrict-namespaces=user,net ````` -### Support for custom AppArmor profiles +#### Support for custom AppArmor profiles ````` --apparmor 
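Review bot: the README.md hunk @@ -214,7 +214,7 @@ in 2a79f3a2 changes "### Support for custom AppArmor profiles" back to "####", demoting it to a sub-heading while the neighbouring sections ("### Profile Statistics", "### Landlock support") stay at level three, and the README hunk @@ -43,7 +43,6 @@ drops ChrysoliteAzalea from the committers list; neither change is Landlock-related, so they do not belong in a commit whose message says it reverts Landlock changes. The follow-up d900d531 re-applies both, which gives the right end state but leaves two no-op pairs in history; a partial revert (git revert -n, then unstaging the non-Landlock hunks before committing) would produce one commit instead of three.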
@@ -228,50 +228,6 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 kernel. For more information, please see APPARMOR section be‐ ````` -### Landlock support - EXPERIMENTAL -For the next release (0.9.72), landlock support is experimental. It is disabled in the normal build -or in the executable archives we provide. It will be "officially" released -in 0.9.74, sometime early next year. For now, use --enable-landlock durring software compile: -````` -$ ./configure --enable-landlock -````` -The functionality is segragated with ifdefs in the code, at times it might not even compile! -Work in progress, the interface described in the man page below could change. -````` - --landlock - Create a Landlock ruleset (if it doesn't already exist) and add - basic access rules to it. See LANDLOCK section for more informa‐ - tion. - - --landlock.proc=no|ro|rw - Add an access rule for /proc directory (read-only if set to ro - and read-write if set to rw). The access rule for /proc is added - after this directory is set up in the sandbox. Access rules for - /proc set up with other Landlock-related command-line options - have no effect. - - --landlock.read=path - Create a Landlock ruleset (if it doesn't already exist) and add - a read access rule for path. - - --landlock.write=path - Create a Landlock ruleset (if it doesn't already exist) and add - a write access rule for path. - - --landlock.special=path - Create a Landlock ruleset (if it doesn't already exist) and add - a permission rule to create FIFO pipes, Unix domain sockets and - block devices beneath given path. - - --landlock.execute=path - Create a Landlock ruleset (if it doesn't already exist) and add - an execution permission rule for path. - - Example: - $ firejail --landlock.read=/ --landlock.write=/home --land‐ - lock.execute=/usr -````` - ### Profile Statistics A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory. 
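Review bot: the removed text in the @@ -228,50 +228,6 @@ hunk includes the only statement that enabling Landlock forces the "No New Privileges" restriction regardless of the profile or the --no-new-privs option (that note was already removed from the man-page copy by 26c74796). That is the one behavioural consequence a user of an --enable-landlock build needs to know, so if the build option survives this revert series, the statement should still live in the man page or configure help; the log filtered to README.md cannot show whether it does, and the commit message should say where it went.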
@@ -282,30 +238,30 @@ No include .local found in /etc/firejail/noprofile.profile Warning: multiple caps in /etc/firejail/transmission-daemon.profile Stats: - profiles 1196 - include local profile 1195 (include profile-name.local) - include globals 1169 (include globals.local) - blacklist ~/.ssh 1067 (include disable-common.inc) - seccomp 1087 - capabilities 1190 - noexec 1075 (include disable-exec.inc) - noroot 995 - memory-deny-write-execute 269 - apparmor 713 - private-bin 695 - private-dev 1045 - private-etc 542 + profiles 1191 + include local profile 1190 (include profile-name.local) + include globals 1164 (include globals.local) + blacklist ~/.ssh 1063 (include disable-common.inc) + seccomp 1082 + capabilities 1185 + noexec 1070 (include disable-exec.inc) + noroot 991 + memory-deny-write-execute 267 + apparmor 710 + private-bin 689 + private-dev 1041 + private-etc 539 private-lib 70 - private-tmp 918 - whitelist home directory 575 - whitelist var 858 (include whitelist-var-common.inc) - whitelist run/user 1164 (include whitelist-runuser-common.inc + private-tmp 915 + whitelist home directory 573 + whitelist var 855 (include whitelist-var-common.inc) + whitelist run/user 1159 (include whitelist-runuser-common.inc or blacklist ${RUNUSER}) - whitelist usr/share 630 (include whitelist-usr-share-common.inc - net none 404 - dbus-user none 677 + whitelist usr/share 628 (include whitelist-usr-share-common.inc + net none 403 + dbus-user none 673 dbus-user filter 123 - dbus-system none 837 + dbus-system none 833 dbus-system filter 12 ``` -- cgit v1.2.3-54-g00ecf From d900d531969512a13204f19dd5a67238bc59800c Mon Sep 17 00:00:00 2001 
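Review bot: the @@ -282,30 +238,30 @@ hunk of 2a79f3a2 rolls the profile statistics back by a few units per row (profiles 1196 to 1191, seccomp 1087 to 1082 and so on); these counts are tool output describing the profile tree, not Landlock documentation, so reverting them makes README.md disagree with the tree until d900d531 restores the same numbers. This hunk could have been left out of the revert entirely. Nit carried through unchanged in both versions: the "whitelist usr/share" entry opens a parenthesis that is never closed.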
From: netblue30 Date: Tue, 30 Aug 2022 09:10:55 -0400 Subject: README/README.md Committer note: This is the same as commit 796fa0963 ("README/README.md", 2022-08-30) and commit 0594c5d3d ("typos", 2022-08-30) but without the Landlock-related changes. --- README | 1 + README.md | 44 ++++++++++++++++++++++---------------------- 2 files changed, 23 insertions(+), 22 deletions(-) (limited to 'README.md') diff --git a/README b/README index 3e0f043a6..054d88cce 100644 --- a/README +++ b/README @@ -43,6 +43,7 @@ Maintainer: Committers - chiraag-nataraj (https://github.com/chiraag-nataraj) - crass (https://github.com/crass) +- ChrysoliteAzalea (https://github.com/ChrysoliteAzalea) - curiosityseeker (https://github.com/curiosityseeker) - glitsj16 (https://github.com/glitsj16) - Fred-Barclay (https://github.com/Fred-Barclay) diff --git a/README.md b/README.md index 50b120c4a..bc032c3df 100644 --- a/README.md +++ b/README.md @@ -214,7 +214,7 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1 $ firejail --restrict-namespaces=user,net ````` -#### Support for custom AppArmor profiles +### Support for custom AppArmor profiles ````` --apparmor 
@@ -238,30 +238,30 @@ No include .local found in /etc/firejail/noprofile.profile Warning: multiple caps in /etc/firejail/transmission-daemon.profile Stats: - profiles 1191 - include local profile 1190 (include profile-name.local) - include globals 1164 (include globals.local) - blacklist ~/.ssh 1063 (include disable-common.inc) - seccomp 1082 - capabilities 1185 - noexec 1070 (include disable-exec.inc) - noroot 991 - memory-deny-write-execute 267 - apparmor 710 - private-bin 689 - private-dev 1041 - private-etc 539 + profiles 1196 + include local profile 1195 (include profile-name.local) + include globals 1169 (include globals.local) + blacklist ~/.ssh 1067 (include disable-common.inc) + seccomp 1087 + capabilities 1190 + noexec 1075 (include disable-exec.inc) + noroot 995 + memory-deny-write-execute 269 + apparmor 713 + private-bin 695 + private-dev 1045 + private-etc 542 private-lib 70 - private-tmp 915 - whitelist home directory 573 - whitelist var 855 (include whitelist-var-common.inc) - whitelist run/user 1159 (include whitelist-runuser-common.inc + private-tmp 918 + whitelist home directory 575 + whitelist var 858 (include whitelist-var-common.inc) + whitelist run/user 1164 (include whitelist-runuser-common.inc or blacklist ${RUNUSER}) - whitelist usr/share 628 (include whitelist-usr-share-common.inc - net none 403 - dbus-user none 673 + whitelist usr/share 630 (include whitelist-usr-share-common.inc + net none 404 + dbus-user none 677 dbus-user filter 123 - dbus-system none 833 + dbus-system none 837 dbus-system filter 12 ``` -- cgit v1.2.3-54-g00ecf
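Review bot: in the @@ -238,30 +238,30 @@ hunk of d900d531 the line "whitelist usr/share 630 (include whitelist-usr-share-common.inc" is rewritten but still never closes its parenthesis (the "whitelist run/user" entry closes its own on the continuation line "or blacklist ${RUNUSER})"); since the line is being touched anyway, add the missing ")". Second, the block ends with a three-backtick fence while every other fence visible in this README.md is five backticks; if the block's opening fence (outside this hunk) is five backticks, CommonMark will not accept the shorter line as its closer, so check the opening fence and make the pair match. Finally, because these numbers are generated output, a note of the commit or date at which the statistics were collected would let a reviewer verify them against the tree.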