From 760f50f78ad13664d7a32b4577381c0341ab2d4a Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 17 Nov 2023 19:57:29 -0300 Subject: landlock: move commands into profile and add landlock.enforce Changes: * Move commands from --landlock and --landlock.proc= into etc/inc/landlock-common.inc * Remove --landlock and --landlock.proc= * Add --landlock.enforce Instead of hard-coding the default commands (and having a separate command just for /proc), move them into a dedicated profile to make it easier for users to interact with the entries (view, copy, add ignore entries, etc). Only enforce the Landlock commands if --landlock.enforce is supplied. This allows safely adding Landlock commands to (upstream) profiles while keeping their enforcement opt-in. It also makes it simpler to effectively disable all Landlock commands, by using `--ignore=landlock.enforce`. Relates to #6078. --- contrib/syntax/lists/profile_commands_arg0.list | 2 +- contrib/syntax/lists/profile_commands_arg1.list | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'contrib') diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list index 4d49e96d9..0ac70e5cf 100644 --- a/contrib/syntax/lists/profile_commands_arg0.list +++ b/contrib/syntax/lists/profile_commands_arg0.list @@ -12,7 +12,7 @@ keep-config-pulse keep-dev-shm keep-shell-rc keep-var-tmp -landlock +landlock.enforce machine-id memory-deny-write-execute netfilter diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list index cce37efa0..e76b6ef40 100644 --- a/contrib/syntax/lists/profile_commands_arg1.list +++ b/contrib/syntax/lists/profile_commands_arg1.list @@ -30,7 +30,6 @@ iprange join-or-start keep-fd landlock.execute -landlock.proc landlock.read landlock.special landlock.write -- cgit v1.2.3-54-g00ecf