From a04bf5ae8ddbac980656c628b9f2ff1ebbf07b47 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sun, 25 Aug 2024 19:39:29 +0000 Subject: [PATCH] docs: man: sort LANDLOCK section (firejail.1) Added on commit 13b2c566d ("feature: add Landlock support", 2023-10-24) / PR #6078. Relates to #6451. --- src/man/firejail.1.in | 117 +++++++++++++++++++++--------------------- 1 file changed, 59 insertions(+), 58 deletions(-) diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 4edb0902e8..f024b19daf 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in 
@@ -3408,64 +3408,6 @@ To enable AppArmor confinement on top of your current Firejail security features $ firejail --apparmor firefox #endif -#ifdef HAVE_LANDLOCK -.SH LANDLOCK -Warning: Landlock support in firejail is considered experimental and unstable. -The contents of landlock-common.inc are likely to change and the feature is -still being expanded upon in the Linux kernel. -Also, note that its functionality overlaps with existing firejail features, -such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. -Its filesystem access rules can currently only restrict direct access to paths; -it is not able to make only select paths appear in the sandbox such as with the -\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). -Lastly, note that depending on the Linux kernel version, Landlock may not -protect all of the relevant syscalls (see the kernel's Landlock documentation -for details). -Therefore, it is recommended to treat Landlock as an extra layer of protection, -to be used together with other firejail features (rather than as a bulletproof -mechanism by itself). -.PP -Landlock is a Linux security module first introduced in version 5.13 of the -Linux kernel. -It allows unprivileged processes to restrict their access to the filesystem. -Once imposed, these restrictions can never be removed, and all child processes -created by a Landlock-restricted processes inherit these restrictions. -Firejail supports Landlock as an additional sandboxing feature. -It can be used to ensure that a sandboxed application can only access files and -directories that it was explicitly allowed to access. -Firejail supports populating the ruleset with both a basic set of rules (see -landlock-common.inc) and with a custom set of rules. -.TP -Important notes: -.PP -.RS -- Currently only Landlock ABI version 1 is supported. 
-.PP -- If "lsm=" is used in the kernel command line, it should contain "landlock" -(such as "lsm=apparmor,landlock"), or else it will be disabled. -.PP -- A process can install a Landlock ruleset only if it has either -\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New -Privileges" restriction enabled. -Because of this, enabling the Landlock feature will also cause Firejail to -enable the "No New Privileges" restriction, regardless of the profile or the -\fB\-\-nonewprivs\fR command line option. -.PP -- Access to the /etc directory is automatically allowed. -To override this, use the \fB\-\-writable\-etc\fR command line option. -You can also use the \fB\-\-private\-etc\fR option to restrict access to the -/etc directory. -.RE -.PP -To enable Landlock self-restriction on top of your current Firejail security -features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. -Without it, the other Landlock commands have no effect. -Example: -.PP -$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc -.PP -To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. -#endif .SH DESKTOP INTEGRATION A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox. The symbolic link should be placed in the first $PATH position. On most systems, a good place 
@@ -3713,6 +3655,65 @@ Currently while scanning the file system, symbolic links are not followed, and f The program can also be run as root (sudo firejail --ids-init/--ids-check). #endif +#ifdef HAVE_LANDLOCK +.SH LANDLOCK +Warning: Landlock support in firejail is considered experimental and unstable. +The contents of landlock-common.inc are likely to change and the feature is +still being expanded upon in the Linux kernel. +Also, note that its functionality overlaps with existing firejail features, +such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands. +Its filesystem access rules can currently only restrict direct access to paths; +it is not able to make only select paths appear in the sandbox such as with the +\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD). +Lastly, note that depending on the Linux kernel version, Landlock may not +protect all of the relevant syscalls (see the kernel's Landlock documentation +for details). +Therefore, it is recommended to treat Landlock as an extra layer of protection, +to be used together with other firejail features (rather than as a bulletproof +mechanism by itself). +.PP +Landlock is a Linux security module first introduced in version 5.13 of the +Linux kernel. +It allows unprivileged processes to restrict their access to the filesystem. +Once imposed, these restrictions can never be removed, and all child processes +created by a Landlock-restricted processes inherit these restrictions. +Firejail supports Landlock as an additional sandboxing feature. +It can be used to ensure that a sandboxed application can only access files and +directories that it was explicitly allowed to access. +Firejail supports populating the ruleset with both a basic set of rules (see +landlock-common.inc) and with a custom set of rules. +.TP +Important notes: +.PP +.RS +- Currently only Landlock ABI version 1 is supported. 
+.PP +- If "lsm=" is used in the kernel command line, it should contain "landlock" +(such as "lsm=apparmor,landlock"), or else it will be disabled. +.PP +- A process can install a Landlock ruleset only if it has either +\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New +Privileges" restriction enabled. +Because of this, enabling the Landlock feature will also cause Firejail to +enable the "No New Privileges" restriction, regardless of the profile or the +\fB\-\-nonewprivs\fR command line option. +.PP +- Access to the /etc directory is automatically allowed. +To override this, use the \fB\-\-writable\-etc\fR command line option. +You can also use the \fB\-\-private\-etc\fR option to restrict access to the +/etc directory. +.RE +.PP +To enable Landlock self-restriction on top of your current Firejail security +features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. +Without it, the other Landlock commands have no effect. +Example: +.PP +$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc +.PP +To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. +#endif + .SH MONITORING Option \-\-list prints a list of all sandboxes. The format for each process entry is as follows:
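Review bot: for the first hunk (`@@ -3408,64 +3408,6 @@`), the removed LANDLOCK block should be byte-identical to the block re-added later, since the commit message presents this as a pure reorder; the only intended difference visible in the two hunks is the trailing `+` blank line that keeps the empty separator before `.SH MONITORING`. Suggest confirming this with `git show --color-moved=dimmed-zebra` (or `git diff --color-moved`) so that any accidental edit inside the moved text shows up as a non-moved line rather than being hidden in a 58-line remove/re-add pair.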
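Review bot: for the second hunk (`@@ -3713,6 +3655,65 @@`), two grammatical slips in the re-added text are worth fixing while these lines are being touched, or in a small follow-up if the move should stay clean: `+created by a Landlock-restricted processes inherit these restrictions.` should read `a Landlock-restricted process`, and `+features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.` is missing its articles (`pass the \fB\-\-landlock.enforce\fR flag to the Firejail command line`). Both are unchanged from the original block, so they are not regressions introduced here, but the sort is the natural moment to clean them up.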