From 61b15442898eeb1db2d23b6b2eb72a705ceb368a Mon Sep 17 00:00:00 2001
From: Азалия Смарагдова
Date: Mon, 15 Aug 2022 12:19:11 +0500
Subject: Landlock support has been added.

---
 src/man/firejail.txt | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
(limited to 'src/man/firejail.txt')

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 2d8adb0b7..7082fe0ab 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1144,6 +1144,33 @@ Example:
 .br
 $ firejail --keep-var-tmp
+#ifdef HAVE_LANDLOCK
+.TP
+\fB\-\-landlock-read=path
+Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+
+.TP
+\fB\-\-landlock-write=path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+
+.TP
+\fB\-\-landlock-restricted-write=path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. This type of write access doesn't include the permission to create Unix domain sockets, FIFO pipes and block devices. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+
+.TP
+\fB\-\-landlock-execute=path
+Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. Note: if a process doesn't have CAP_SYS_ADMIN and the "No New Privileges" restriction is not enabled, the Landlock self-restriction will fail and Firejail will exit with an error.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-landlock-read=/ \-\-landlock-restricted-write=/home \-\-landlock-execute=/usr
+#endif
+
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -1261,6 +1288,7 @@ $ firejail --list
 .br
 1312:netblue:browser-1312:firejail --name=browser --private firefox --no-remote
 .br
+
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-net=bridge_interface
-- 
cgit v1.2.3-54-g00ecf