[PR #5315] [MERGED] Add Landlock support to Firejail #5441

Closed
opened 2026-05-05 10:38:27 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/5315
Author: @ChrysoliteAzalea
Created: 8/15/2022
Status: Merged
Merged: 8/29/2022
Merged by: @netblue30

Base: master ← Head: landlock


📝 Commits (5)

  • 61b1544 Landlock support has been added.
  • ba828be Landlock functions are added to the code of Firejail, removing the dependency on tinyLL
  • 877fc99 Update quotation marks in src/zsh_completion/_firejail.in
  • 460fa7a Proposed fixes.
  • c6d7474 tinyLL has been removed as it's no longer needed

📊 Changes

15 files changed (+447 additions, -5 deletions)


📝 config.mk.in (+2 -1)
📝 configure (+16 -0)
📝 configure.ac (+9 -1)
📝 contrib/vim/syntax/firejail.vim (+1 -1)
📝 src/bash_completion/firejail.bash_completion.in (+16 -0)
📝 src/firejail/firejail.h (+26 -0)
➕ src/firejail/landlock.c (+79 -0)
📝 src/firejail/main.c (+81 -0)
📝 src/firejail/profile.c (+84 -0)
📝 src/firejail/sandbox.c (+25 -2)
📝 src/firejail/usage.c (+6 -0)
📝 src/firejail/util.c (+4 -0)
📝 src/man/firejail-profile.txt (+29 -0)
📝 src/man/firejail.txt (+63 -0)
📝 src/zsh_completion/_firejail.in (+6 -0)

📄 Description

Hello everyone!

In Linux kernel version 5.13, a new LSM called "Landlock" was added that allows unprivileged processes to impose filesystem access self-restrictions (similar to "unveil" in OpenBSD). It's similar to another Linux kernel feature, seccomp, which allows unprivileged processes to impose system call access self-restrictions. I propose using this LSM in Firejail, and I've added support for four options (for both command-line and profiles) that create and populate the ruleset. I think it's a feature worth having if we plan to make Firejail usable without the SUID bit.

Landlock support was proposed in issues #3992 and #5269.

Enabling Landlock self-restriction requires a process to have either CAP_SYS_ADMIN in an effective capability set, or the "No New Privileges" enabled.

~P.S. I'd like to note, that this PR uses my tinyLL library (https://github.com/ChrysoliteAzalea/libtinyLL) that has to be built before the version of Firejail in this PR, and has to be located in a directory like /usr/lib.~ Necessary functions have been added to Firejail's code.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
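
The self-restriction sequence the description refers to (create a ruleset, populate it, set "No New Privileges", restrict self), as an added C example that is not code from this PR or from Firejail. The /usr and /etc paths, the function names and the return codes are assumptions of the example; it needs kernel headers from 5.13 or later.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child body: allow reads beneath /usr only, then probe. Codes are the example's own. */
static int confine_and_probe(void)
{
    struct landlock_ruleset_attr attr = {
        .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
    };
    int rs = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (rs < 0) return 100;   /* Landlock missing, disabled or filtered out */

    struct landlock_path_beneath_attr rule = {
        .allowed_access = attr.handled_access_fs,
        .parent_fd = open("/usr", O_PATH | O_CLOEXEC),
    };
    if (rule.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &rule, 0))
        return 1;
    close(rule.parent_fd);

    /* A process without CAP_SYS_ADMIN must set no_new_privs before restrict_self */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return 2;
    if (syscall(__NR_landlock_restrict_self, rs, 0)) return 3;
    close(rs);

    /* Handled rights are now denied everywhere except beneath /usr */
    if (open("/usr", O_RDONLY | O_DIRECTORY) < 0) return 4;
    if (open("/etc", O_RDONLY | O_DIRECTORY) >= 0 || errno != EACCES) return 5;
    return 0;
}

/* Runs the probe in a forked child so the calling process stays unrestricted.
 * Returns 0 if the restriction held, -1 if Landlock is unavailable, >0 on a failed step. */
int landlock_demo(void)
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) _exit(confine_and_probe());
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -2;
    return WEXITSTATUS(st) == 100 ? -1 : WEXITSTATUS(st);
}

int main(void) { return landlock_demo() > 0; }
```

The restriction is inherited by every child of the restricted process and cannot be lifted afterwards, which is why the probe runs in a fork.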
