From 13b2c566df883269b55f77757bb50a5d2890ec20 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 24 Oct 2023 12:43:46 -0400 Subject: feature: add Landlock support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on 5315 by ChrysoliteAzalea. It is based on the same underlying structure, but with a lot of refactoring/simplification and with bugfixes and improvements. Co-authored-by: Kelvin M. Klann Co-authored-by: Азалия Смарагдова --- src/man/firejail-profile.5.in | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'src/man/firejail-profile.5.in') diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 3a678b14f..76f5e4d20 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in @@ -507,6 +507,37 @@ Blacklist all Linux capabilities. .TP \fBcaps.keep capability,capability,capability Whitelist given Linux capabilities. +#ifdef HAVE_LANDLOCK +.TP +\fBlandlock +Create a Landlock ruleset (if it doesn't already exist) and add basic access +rules to it. +.TP +\fBlandlock.proc no|ro|rw +Add an access rule for /proc directory (read-only if set to \fBro\fR and +read-write if set to \fBrw\fR). +The access rule for /proc is added after this directory is set up in the +sandbox. +Access rules for /proc set up with other Landlock-related profile options have +no effect. +.TP +\fBlandlock.read path +Create a Landlock ruleset (if it doesn't already exist) and add a read access +rule for path. +.TP +\fBlandlock.write path +Create a Landlock ruleset (if it doesn't already exist) and add a write access +rule for path. +.TP +\fBlandlock.special path +Create a Landlock ruleset (if it doesn't already exist) and add a rule that +allows the creation of block devices, character devices, named pipes (FIFOs) +and Unix domain sockets beneath given path. +.TP +\fBlandlock.execute path +Create a Landlock ruleset (if it doesn't already exist) and add an execution +permission rule for path. +#endif .TP \fBmemory-deny-write-execute Install a seccomp filter to block attempts to create memory mappings -- cgit v1.2.3-70-g09d2