From 13b2c566df883269b55f77757bb50a5d2890ec20 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 24 Oct 2023 12:43:46 -0400
Subject: feature: add Landlock support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Based on 5315 by ChrysoliteAzalea. It is based on the same underlying structure, but with a lot of refactoring/simplification and with bugfixes and improvements.

Co-authored-by: Kelvin M. Klann
Co-authored-by: Азалия Смарагдова
---
 src/man/firejail-profile.5.in | 31 +++++++++++++++
 src/man/firejail.1.in | 87 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+)
(limited to 'src/man')
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index 3a678b14f..76f5e4d20 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -507,6 +507,37 @@ Blacklist all Linux capabilities.
 .TP
 \fBcaps.keep capability,capability,capability
 Whitelist given Linux capabilities.
+#ifdef HAVE_LANDLOCK
+.TP
+\fBlandlock
+Create a Landlock ruleset (if it doesn't already exist) and add basic access
+rules to it.
+.TP
+\fBlandlock.proc no|ro|rw
+Add an access rule for /proc directory (read-only if set to \fBro\fR and
+read-write if set to \fBrw\fR).
+The access rule for /proc is added after this directory is set up in the
+sandbox.
+Access rules for /proc set up with other Landlock-related profile options have
+no effect.
+.TP
+\fBlandlock.read path
+Create a Landlock ruleset (if it doesn't already exist) and add a read access
+rule for path.
+.TP
+\fBlandlock.write path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access
+rule for path.
+.TP
+\fBlandlock.special path
+Create a Landlock ruleset (if it doesn't already exist) and add a rule that
+allows the creation of block devices, character devices, named pipes (FIFOs)
+and Unix domain sockets beneath given path.
+.TP
+\fBlandlock.execute path
+Create a Landlock ruleset (if it doesn't already exist) and add an execution
+permission rule for path.
+#endif
 .TP
 \fBmemory-deny-write-execute
 Install a seccomp filter to block attempts to create memory mappings
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 06969e851..d5a00c41b 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1243,6 +1243,52 @@ Example:
 .br
 $ firejail --keep-var-tmp
+#ifdef HAVE_LANDLOCK
+.TP
+\fB\-\-landlock
+Create a Landlock ruleset (if it doesn't already exist) and add basic access
+rules to it.
+The basic set of rules applies the following access permissions:
+.PP
+.RS
+- read: /bin, /dev, /etc, /lib, /opt, /proc, /usr, /var
+.br
+- write: /dev, /proc
+.br
+- exec: /bin, /lib, /opt, /usr
+.RE
+.PP
+See the \fBLANDLOCK\fR section for more information.
+.TP
+\fB\-\-landlock.proc=no|ro|rw
+Add an access rule for /proc directory (read-only if set to \fBro\fR and
+read-write if set to \fBrw\fR).
+The access rule for /proc is added after this directory is set up in the
+sandbox.
+Access rules for /proc set up with other Landlock-related command-line options
+have no effect.
+.TP
+\fB\-\-landlock.read=path
+Create a Landlock ruleset (if it doesn't already exist) and add a read access
+rule for path.
+.TP
+\fB\-\-landlock.write=path
+Create a Landlock ruleset (if it doesn't already exist) and add a write access
+rule for path.
+.TP
+\fB\-\-landlock.special=path
+Create a Landlock ruleset (if it doesn't already exist) and add a rule that
+allows the creation of block devices, character devices, named pipes (FIFOs)
+and Unix domain sockets beneath given path.
+.TP
+\fB\-\-landlock.execute=path
+Create a Landlock ruleset (if it doesn't already exist) and add an execution
+permission rule for path.
+.PP
+Example:
+.PP
+$ firejail \-\-landlock.read=/ \-\-landlock.write=/home \-\-landlock.execute=/usr
+#endif
 .TP
 \fB\-\-list
 List all sandboxes, see \fBMONITORING\fR section for more details.
@@ -3365,6 +3411,47 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
+#ifdef HAVE_LANDLOCK
+.SH LANDLOCK
+Landlock is a Linux security module first introduced in version 5.13 of the
+Linux kernel.
+It allows unprivileged processes to restrict their access to the filesystem.
+Once imposed, these restrictions can never be removed, and all child processes
+created by a Landlock-restricted processes inherit these restrictions.
+Firejail supports Landlock as an additional sandboxing feature.
+It can be used to ensure that a sandboxed application can only access files and
+directories that it was explicitly allowed to access.
+Firejail supports populating the ruleset with both a basic set of rules (see
+\fB\-\-landlock\fR) and with a custom set of rules.
+.TP
+Important notes:
+.PP
+.RS
+- A process can install a Landlock ruleset only if it has either
+\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
+Privileges" restriction enabled.
+Because of this, enabling the Landlock feature will also cause Firejail to
+enable the "No New Privileges" restriction, regardless of the profile or the
+\fB\-\-no\-new\-privs\fR command line option.
+.PP
+- Access to the /proc directory is managed through the \fB\-\-landlock.proc\fR
+command line option.
+.PP
+- Access to the /etc directory is automatically allowed.
+To override this, use the \fB\-\-writable\-etc\fR command line option.
+You can also use the \fB\-\-private\-etc\fR option to restrict access to the
+/etc directory.
+.RE
+.PP
+To enable Landlock self-restriction on top of your current Firejail security
+features, pass \fB\-\-landlock\fR flag to Firejail command line.
+You can also use \fB\-\-landlock.read\fR, \fB\-\-landlock.write\fR,
+\fB\-\-landlock.special\fR and \fB\-\-landlock.execute\fR options together with
+\fB\-\-landlock\fR or instead of it.
+Example:
+.PP
+$ firejail \-\-landlock \-\-landlock.read=/media \-\-landlock.proc=ro mc
+#endif
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place
-- 
cgit v1.2.3-54-g00ecf