mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-21 06:45:29 -06:00
landlock: use "landlock.fs." prefix in filesystem commands
Since Landlock ABI v4 it is possible to restrict actions related to the network and potentially more areas will be added in the future. So use `landlock.fs.` as the prefix in the current filesystem-related commands (and later `landlock.net.` for the network-related commands) to keep them organized and to match what is used in the kernel. Examples of filesystem and network access flags: * `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file. * `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content. * `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port. * `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a remote port. Relates to #6078.
This commit is contained in:
Kelvin M. Klann
parent
1758765ca6
commit
9cfeb485eb
10 changed files with 86 additions and 86 deletions
|
|
@ -2,38 +2,38 @@
|
|||
# Persistent customizations should go in a .local file.
|
||||
include landlock-common.local
|
||||
|
||||
landlock.read / # whole system read
|
||||
landlock.read /proc
|
||||
landlock.makeipc / # sockets etc.
|
||||
landlock.fs.read / # whole system read
|
||||
landlock.fs.read /proc
|
||||
landlock.fs.makeipc / # sockets etc.
|
||||
|
||||
# write access
|
||||
landlock.write ${HOME}
|
||||
landlock.write ${RUNUSER}
|
||||
landlock.write /dev
|
||||
landlock.write /proc
|
||||
landlock.write /run/shm
|
||||
landlock.write /tmp
|
||||
landlock.fs.write ${HOME}
|
||||
landlock.fs.write ${RUNUSER}
|
||||
landlock.fs.write /dev
|
||||
landlock.fs.write /proc
|
||||
landlock.fs.write /run/shm
|
||||
landlock.fs.write /tmp
|
||||
|
||||
# exec access
|
||||
## misc
|
||||
landlock.execute /opt
|
||||
landlock.execute /run/firejail # appimage and various firejail features
|
||||
landlock.fs.execute /opt
|
||||
landlock.fs.execute /run/firejail # appimage and various firejail features
|
||||
## bin
|
||||
landlock.execute /bin
|
||||
landlock.execute /sbin
|
||||
landlock.execute /usr/bin
|
||||
landlock.execute /usr/sbin
|
||||
landlock.execute /usr/games
|
||||
landlock.execute /usr/local/bin
|
||||
landlock.execute /usr/local/sbin
|
||||
landlock.execute /usr/local/games
|
||||
landlock.fs.execute /bin
|
||||
landlock.fs.execute /sbin
|
||||
landlock.fs.execute /usr/bin
|
||||
landlock.fs.execute /usr/sbin
|
||||
landlock.fs.execute /usr/games
|
||||
landlock.fs.execute /usr/local/bin
|
||||
landlock.fs.execute /usr/local/sbin
|
||||
landlock.fs.execute /usr/local/games
|
||||
## lib
|
||||
landlock.execute /lib
|
||||
landlock.execute /lib32
|
||||
landlock.execute /libx32
|
||||
landlock.execute /lib64
|
||||
landlock.execute /usr/lib
|
||||
landlock.execute /usr/lib32
|
||||
landlock.execute /usr/libx32
|
||||
landlock.execute /usr/lib64
|
||||
landlock.execute /usr/local/lib
|
||||
landlock.fs.execute /lib
|
||||
landlock.fs.execute /lib32
|
||||
landlock.fs.execute /libx32
|
||||
landlock.fs.execute /lib64
|
||||
landlock.fs.execute /usr/lib
|
||||
landlock.fs.execute /usr/lib32
|
||||
landlock.fs.execute /usr/libx32
|
||||
landlock.fs.execute /usr/lib64
|
||||
landlock.fs.execute /usr/local/lib
|
||||
|
|
|
|||
|
|
@ -138,11 +138,11 @@ include globals.local
|
|||
#include whitelist-var-common.inc
|
||||
|
||||
# Landlock commands
|
||||
##landlock.read PATH
|
||||
##landlock.write PATH
|
||||
##landlock.makeipc PATH
|
||||
##landlock.makedev PATH
|
||||
##landlock.execute PATH
|
||||
##landlock.fs.read PATH
|
||||
##landlock.fs.write PATH
|
||||
##landlock.fs.makeipc PATH
|
||||
##landlock.fs.makedev PATH
|
||||
##landlock.fs.execute PATH
|
||||
#include landlock-common.inc
|
||||
|
||||
##allusers
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue