github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1

docs: man: sort LANDLOCK section (firejail.1)

Browse source 
Added on commit 13b2c566d ("feature: add Landlock support", 2023-10-24)
/ PR #6078.

Relates to #6451.
This commit is contained in:
glitsj16 2024-08-25 19:39:29 +00:00 committed by Kelvin M. Klann
parent 897f12dd88
commit a04bf5ae8d
1 changed files with 59 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

117
src/man/firejail.1.in
View file

@ -3408,64 +3408,6 @@ To enable AppArmor confinement on top of your current Firejail security features
$ firejail --apparmor firefox
#endif
#ifdef HAVE_LANDLOCK
.SH LANDLOCK
Warning: Landlock support in firejail is considered experimental and unstable.
The contents of landlock-common.inc are likely to change and the feature is
still being expanded upon in the Linux kernel.
Also, note that its functionality overlaps with existing firejail features,
such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
Its filesystem access rules can currently only restrict direct access to paths;
it is not able to make only select paths appear in the sandbox such as with the
\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
Lastly, note that depending on the Linux kernel version, Landlock may not
protect all of the relevant syscalls (see the kernel's Landlock documentation
for details).
Therefore, it is recommended to treat Landlock as an extra layer of protection,
to be used together with other firejail features (rather than as a bulletproof
mechanism by itself).
.PP
Landlock is a Linux security module first introduced in version 5.13 of the
Linux kernel.
It allows unprivileged processes to restrict their access to the filesystem.
Once imposed, these restrictions can never be removed, and all child processes
created by a Landlock-restricted processes inherit these restrictions.
Firejail supports Landlock as an additional sandboxing feature.
It can be used to ensure that a sandboxed application can only access files and
directories that it was explicitly allowed to access.
Firejail supports populating the ruleset with both a basic set of rules (see
landlock-common.inc) and with a custom set of rules.
.TP
Important notes:
.PP
.RS
- Currently only Landlock ABI version 1 is supported.
.PP
- If "lsm=" is used in the kernel command line, it should contain "landlock"
(such as "lsm=apparmor,landlock"), or else it will be disabled.
.PP
- A process can install a Landlock ruleset only if it has either
\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
Privileges" restriction enabled.
Because of this, enabling the Landlock feature will also cause Firejail to
enable the "No New Privileges" restriction, regardless of the profile or the
\fB\-\-nonewprivs\fR command line option.
.PP
- Access to the /etc directory is automatically allowed.
To override this, use the \fB\-\-writable\-etc\fR command line option.
You can also use the \fB\-\-private\-etc\fR option to restrict access to the
/etc directory.
.RE
.PP
To enable Landlock self-restriction on top of your current Firejail security
features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
Without it, the other Landlock commands have no effect.
Example:
.PP
$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
.PP
To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
#endif
.SH DESKTOP INTEGRATION
A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
The symbolic link should be placed in the first $PATH position. On most systems, a good place
@ -3713,6 +3655,65 @@ Currently while scanning the file system, symbolic links are not followed, and f
The program can also be run as root (sudo firejail --ids-init/--ids-check).
#endif
#ifdef HAVE_LANDLOCK
.SH LANDLOCK
Warning: Landlock support in firejail is considered experimental and unstable.
The contents of landlock-common.inc are likely to change and the feature is
still being expanded upon in the Linux kernel.
Also, note that its functionality overlaps with existing firejail features,
such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
Its filesystem access rules can currently only restrict direct access to paths;
it is not able to make only select paths appear in the sandbox such as with the
\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
Lastly, note that depending on the Linux kernel version, Landlock may not
protect all of the relevant syscalls (see the kernel's Landlock documentation
for details).
Therefore, it is recommended to treat Landlock as an extra layer of protection,
to be used together with other firejail features (rather than as a bulletproof
mechanism by itself).
.PP
Landlock is a Linux security module first introduced in version 5.13 of the
Linux kernel.
It allows unprivileged processes to restrict their access to the filesystem.
Once imposed, these restrictions can never be removed, and all child processes
created by a Landlock-restricted processes inherit these restrictions.
Firejail supports Landlock as an additional sandboxing feature.
It can be used to ensure that a sandboxed application can only access files and
directories that it was explicitly allowed to access.
Firejail supports populating the ruleset with both a basic set of rules (see
landlock-common.inc) and with a custom set of rules.
.TP
Important notes:
.PP
.RS
- Currently only Landlock ABI version 1 is supported.
.PP
- If "lsm=" is used in the kernel command line, it should contain "landlock"
(such as "lsm=apparmor,landlock"), or else it will be disabled.
.PP
- A process can install a Landlock ruleset only if it has either
\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
Privileges" restriction enabled.
Because of this, enabling the Landlock feature will also cause Firejail to
enable the "No New Privileges" restriction, regardless of the profile or the
\fB\-\-nonewprivs\fR command line option.
.PP
- Access to the /etc directory is automatically allowed.
To override this, use the \fB\-\-writable\-etc\fR command line option.
You can also use the \fB\-\-private\-etc\fR option to restrict access to the
/etc directory.
.RE
.PP
To enable Landlock self-restriction on top of your current Firejail security
features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
Without it, the other Landlock commands have no effect.
Example:
.PP
$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
.PP
To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
#endif
.SH MONITORING
Option \-\-list prints a list of all sandboxes. The format
for each process entry is as follows: