[GH-ISSUE #5354] landlock: Leftover from #5315

gitea-mirror commented

2026-05-05 09:37:54 -06:00

Owner

Copy link

Originally created by @rusty-snake on GitHub (Sep 1, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5354

Code
Move MAKE_CHAR from write to "special"
https://github.com/netblue30/firejail/pull/5315#discussion_r946957099
Improve --landlock
- https://github.com/netblue30/firejail/pull/5315#discussion_r946974912
- https://github.com/netblue30/firejail/pull/5315#discussion_r946978046
- What else?
- Mark it unstable, it will change in the future.
  https://github.com/netblue30/firejail/pull/5315#discussion_r946980440
https://github.com/netblue30/firejail/pull/5315#discussion_r946983201
Rename special to something else. write-all, write-any, full-write, write-speial, ...
Support ABIv2 REFER from Linux 5.19
manpage: landlock will get more features (network, signals, ...). Describe it as a way to restrict resources not only filesystem

cc @kmk3 @ChrysoliteAzalea

Originally created by @rusty-snake on GitHub (Sep 1, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5354 - [ ] Code - [ ] https://github.com/netblue30/firejail/pull/5315#pullrequestreview-1073973090 - [ ] https://github.com/netblue30/firejail/pull/5315#pullrequestreview-1074357756 - [ ] https://github.com/netblue30/firejail/pull/5315#pullrequestreview-1074864387 - [ ] Move `MAKE_CHAR` from `write` to "`special`" https://github.com/netblue30/firejail/pull/5315#discussion_r946957099 - [ ] Improve `--landlock` - [ ] https://github.com/netblue30/firejail/pull/5315#discussion_r946974912 - [ ] https://github.com/netblue30/firejail/pull/5315#discussion_r946978046 - [ ] What else? - [ ] Mark it unstable, it will change in the future. https://github.com/netblue30/firejail/pull/5315#discussion_r946980440 - [ ] https://github.com/netblue30/firejail/pull/5315#discussion_r946983201 - [ ] Rename `special` to something else. `write-all`, `write-any`, `full-write`, `write-speial`, ... - [ ] Support ABIv2 REFER from Linux 5.19 - [ ] manpage: landlock will get more features (network, signals, ...). Describe it as a way to restrict resources not only filesystem cc @kmk3 @ChrysoliteAzalea

gitea-mirror commented

2026-05-05 09:37:56 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Sep 2, 2022):

@rusty-snake

Thanks for making a checklist.

To be clear, I still think that reverting #5315 now and letting
@ChrysoliteAzalea resubmit it afterwards is the way to go, especially
considering the amount of discussions and issues raised.

@ChrysoliteAzalea

In which case, I'd say to feel free to only make the changes that you feel
confident in making before resubmitting and to leave the rest for after
resubmitting, as we might end up discussing them on the pull request anyway.

@kmk3 commented on GitHub (Sep 2, 2022): @rusty-snake Thanks for making a checklist. To be clear, I still think that reverting #5315 now and letting @ChrysoliteAzalea resubmit it afterwards is the way to go, especially considering the amount of discussions and issues raised. @ChrysoliteAzalea In which case, I'd say to feel free to only make the changes that you feel confident in making before resubmitting and to leave the rest for after resubmitting, as we might end up discussing them on the pull request anyway.

gitea-mirror commented

2026-05-05 09:37:57 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Feb 16, 2023):

@netblue30 on Feb 16:

Landlock support.

I'll start by re-merging #5315 from @ChrysoliteAzalea. Probably there will be
some small changes. A Linux kernel 5.13 or newer will be detected at run
time. Disable the feature and print a warning if the kernel is older.

I had created a landlock_v2 branch and fixed most of the issues in the
original PR. It's from a few months back, so it would have to be rebased.

Agreed on the runtime check; I didn't get around to adding it, so we could use
your version of it.

The idea would be to rebase the landlock_v2 branch and then open it as a PR.
Then after reviewing it with @ChrysoliteAzalea and merging it, we could add
the runtime check and other improvements.

Thoughts?

@kmk3 commented on GitHub (Feb 16, 2023): @netblue30 [on Feb 16](https://github.com/netblue30/firejail/discussions/5597#discussioncomment-4996399): > **Landlock support.** > > I'll start by re-merging #5315 from @ChrysoliteAzalea. Probably there will be > some small changes. A Linux kernel 5.13 or newer will be detected at run > time. Disable the feature and print a warning if the kernel is older. I had created a `landlock_v2` branch and fixed most of the issues in the original PR. It's from a few months back, so it would have to be rebased. Agreed on the runtime check; I didn't get around to adding it, so we could use your version of it. The idea would be to rebase the `landlock_v2` branch and then open it as a PR. Then after reviewing it with @ChrysoliteAzalea and merging it, we could add the runtime check and other improvements. Thoughts?

gitea-mirror commented

2026-05-05 09:37:58 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Feb 18, 2023):

Adding a reminder about Fix spacing & typo in Landlock section of README.md. Might not be needed anymore depending on how #5315 is re-merged.

@ghost commented on GitHub (Feb 18, 2023): Adding a reminder about [Fix spacing & typo in Landlock section of README.md](https://github.com/netblue30/firejail/pull/5359). Might not be needed anymore depending on how #5315 is re-merged.

No Branch/Tag specified