[PR #6187] [MERGED] landlock: split .special into .makeipc and .makedev #5866

New issue

Closed

opened 2026-05-05 10:46:22 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:46:22 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/6187
Author: @kmk3
Created: 2/2/2024
Status: ✅ Merged
Merged: 2/5/2024
Merged by: @kmk3

Base: master ← Head: landlock-add-dev

📝 Commits (1)

f70ffbe landlock: split .special into .makeipc and .makedev

📊 Changes

12 files changed (+55 additions, -23 deletions)

View changed files

📝 contrib/syntax/lists/profile_commands_arg1.list (+2 -1)
📝 etc/inc/landlock-common.inc (+1 -1)
📝 etc/templates/profile.template (+2 -1)
📝 src/bash_completion/firejail.bash_completion.in (+5 -1)
📝 src/firejail/firejail.h (+4 -3)
📝 src/firejail/landlock.c (+11 -4)
📝 src/firejail/main.c (+4 -2)
📝 src/firejail/profile.c (+6 -2)
📝 src/firejail/usage.c (+2 -1)
📝 src/man/firejail-profile.5.in (+8 -3)
📝 src/man/firejail.1.in (+8 -3)
📝 src/zsh_completion/_firejail.in (+2 -1)

📄 Description

As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
landlock.special is not very descriptive of what it allows.

So split landlock.special into:

landlock.makeipc: allow creating named pipes and sockets (which are
usually used for inter-process communication)
landlock.makedev: allow creating block and character devices

Misc: The makedev name is based on nodev from mount(8), which makes
mount not interpret block and character devices. ipc was suggested by
@rusty-snake[2].

Relates to #6078.

[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/6187 **Author:** [@kmk3](https://github.com/kmk3) **Created:** 2/2/2024 **Status:** ✅ Merged **Merged:** 2/5/2024 **Merged by:** [@kmk3](https://github.com/kmk3) **Base:** `master` ← **Head:** `landlock-add-dev` --- ### 📝 Commits (1) - [`f70ffbe`](https://github.com/netblue30/firejail/commit/f70ffbe76cd06c03442132f06d503846a415f24c) landlock: split .special into .makeipc and .makedev ### 📊 Changes **12 files changed** (+55 additions, -23 deletions) <details> <summary>View changed files</summary> 📝 `contrib/syntax/lists/profile_commands_arg1.list` (+2 -1) 📝 `etc/inc/landlock-common.inc` (+1 -1) 📝 `etc/templates/profile.template` (+2 -1) 📝 `src/bash_completion/firejail.bash_completion.in` (+5 -1) 📝 `src/firejail/firejail.h` (+4 -3) 📝 `src/firejail/landlock.c` (+11 -4) 📝 `src/firejail/main.c` (+4 -2) 📝 `src/firejail/profile.c` (+6 -2) 📝 `src/firejail/usage.c` (+2 -1) 📝 `src/man/firejail-profile.5.in` (+8 -3) 📝 `src/man/firejail.1.in` (+8 -3) 📝 `src/zsh_completion/_firejail.in` (+2 -1) </details> ### 📄 Description As discussed with @topimiettinen[1], it is unlikely that an unprivileged process would need to directly create block or character devices. Also, `landlock.special` is not very descriptive of what it allows. So split `landlock.special` into: * `landlock.makeipc`: allow creating named pipes and sockets (which are usually used for inter-process communication) * `landlock.makedev`: allow creating block and character devices Misc: The `makedev` name is based on `nodev` from mount(8), which makes mount not interpret block and character devices. `ipc` was suggested by @rusty-snake[2]. Relates to #6078. [1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786 [2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:46:22 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#5866

No description provided.

Rows
Columns