From f70ffbe76cd06c03442132f06d503846a415f24c Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Thu, 1 Feb 2024 23:21:26 -0300
Subject: landlock: split .special into .makeipc and .makedev
As discussed with @topimiettinen[1], it is unlikely that an unprivileged process would need to directly create block or character devices. Also, `landlock.special` is not very descriptive of what it allows. So split `landlock.special` into: * `landlock.makeipc`: allow creating named pipes and sockets (which are usually used for inter-process communication) * `landlock.makedev`: allow creating block and character devices Misc: The `makedev` name is based on `nodev` from mount(8), which makes mount not interpret block and character devices. `ipc` was suggested by @rusty-snake[2]. Relates to #6078. [1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786 [2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
---
 etc/inc/landlock-common.inc | 2 +-
 etc/templates/profile.template | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
 (limited to 'etc')
diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc
index ebe9f98dc..694d447b5 100644
--- a/etc/inc/landlock-common.inc
+++ b/etc/inc/landlock-common.inc
@@ -4,7 +4,7 @@ include landlock-common.local
 landlock.read / # whole system read
 landlock.read /proc
-landlock.special / # sockets etc.
+landlock.makeipc / # sockets etc.
 # write access
 landlock.write ${HOME}
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 8882c9012..0e6a5734e 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -140,7 +140,8 @@ include globals.local
 # Landlock commands
 ##landlock.read PATH
 ##landlock.write PATH
-##landlock.special PATH
+##landlock.makeipc PATH
+##landlock.makedev PATH
 ##landlock.execute PATH
 #include landlock-common.inc
-- cgit v1.2.3-70-g09d2
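Review bot: The inline comment on the new `landlock.makeipc /` line in landlock-common.inc still reads `# sockets etc.`, which leaves the scope of the grant as vague as the directive name the commit set out to replace. Since the split exists precisely to make the rule descriptive, I would state what is and is not covered: `landlock.makeipc / # named pipes and sockets; block/char devices need landlock.makedev`. The rule is also still anchored at `/`; if that breadth is intentional for a shared include, a brief comment saying so would help profile authors judge whether to narrow it in landlock-common.local.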