docs: warn about limitations of landlock
And mark it as experimental.

Relates to netblue30#6078.
kmk3 committed Apr 11, 2024
1 parent 04c458c commit d79547c
Showing 2 changed files with 32 additions and 12 deletions.
12 changes: 6 additions & 6 deletions src/man/firejail-profile.5.in
Expand Up @@ -509,30 +509,30 @@ Blacklist all Linux capabilities.
Whitelist given Linux capabilities.
#ifdef HAVE_LANDLOCK
.TP
\fBlandlock.enforce
\fBlandlock.enforce (experimental)
Enforce the Landlock ruleset.
.PP
Without it, the other Landlock commands have no effect.
.TP
\fBlandlock.fs.read path
\fBlandlock.fs.read path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a read access
rule for path.
.TP
\fBlandlock.fs.write path
\fBlandlock.fs.write path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a write access
rule for path.
.TP
\fBlandlock.fs.makeipc path
\fBlandlock.fs.makeipc path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a rule that
allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
the given path.
.TP
\fBlandlock.fs.makedev path
\fBlandlock.fs.makedev path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a rule that
allows the creation of block devices and character devices beneath the given
path.
.TP
\fBlandlock.fs.execute path
\fBlandlock.fs.execute path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add an execution
permission rule for path.
#endif
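Review bot: on all six tag lines the added "(experimental)" sits inside the `\fB` span with no `\fR` before it, so it renders in bold as though it were part of the command name; `\fBlandlock.enforce\fR (experimental)` keeps the qualifier visually separate from the command it qualifies. Also, unlike the firejail.1.in hunk in this commit, which points at the LANDLOCK section, this page gives the profile reader the label but no pointer to the limitations that justify it; a one-line "See the LANDLOCK section in firejail(1)" under landlock.enforce would close that gap.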
32 changes: 26 additions & 6 deletions src/man/firejail.1.in
Expand Up @@ -1236,30 +1236,30 @@ $ firejail --keep-var-tmp

#ifdef HAVE_LANDLOCK
.TP
\fB\-\-landlock.enforce
\fB\-\-landlock.enforce (experimental)
Enforce the Landlock ruleset.
Without it, the other Landlock commands have no effect.
See the \fBLANDLOCK\fR section for more information.
.TP
\fB\-\-landlock.fs.read=path
\fB\-\-landlock.fs.read=path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a read access
rule for path.
.TP
\fB\-\-landlock.fs.write=path
\fB\-\-landlock.fs.write=path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a write access
rule for path.
.TP
\fB\-\-landlock.fs.makeipc=path
\fB\-\-landlock.fs.makeipc=path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a rule that
allows the creation of named pipes (FIFOs) and Unix domain sockets beneath
the given path.
.TP
\fB\-\-landlock.fs.makedev=path
\fB\-\-landlock.fs.makedev=path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add a rule that
allows the creation of block devices and character devices beneath the given
path.
.TP
\fB\-\-landlock.fs.execute=path
\fB\-\-landlock.fs.execute=path (experimental)
Create a Landlock ruleset (if it doesn't already exist) and add an execution
permission rule for path.
.br
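Review bot: same `\fB` problem as in firejail-profile.5.in: the added "(experimental)" is bolded together with the option name; prefer `\fB\-\-landlock.enforce\fR (experimental)` so the qualifier reads as annotation rather than as part of the option. Also, "Without it, the other Landlock commands have no effect." was carried over from the profile page; in firejail(1) these are command-line options, so "the other \-\-landlock options" is the accurate wording here.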
Expand Down Expand Up @@ -3372,6 +3372,21 @@ $ firejail --apparmor firefox

#ifdef HAVE_LANDLOCK
.SH LANDLOCK
Warning: Landlock support in firejail is considered experimental and unstable.
The contents of landlock-common.inc are likely to change and the feature is
still being expanded upon in the Linux kernel.
Also, note that its functionality overlaps with existing firejail features,
such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
Its filesystem access rules can currently only restrict direct access to paths;
it is not able to make only select paths appear in the sandbox such as with the
\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
Lastly, note that depending on the Linux kernel version, Landlock may not
protect all of the relevant syscalls (see the kernel's Landlock documentation
for details).
Therefore, it is recommended to treat Landlock as an extra layer of protection,
to be used together with other firejail features (rather than as a bulletproof
mechanism by itself).
.PP
Landlock is a Linux security module first introduced in version 5.13 of the
Linux kernel.
It allows unprivileged processes to restrict their access to the filesystem.
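Review bot: "Landlock may not protect all of the relevant syscalls" is too vague for a reader to act on, and since this commit states elsewhere that only ABI version 1 is supported, the warning should name the concrete gap a user of landlock.fs.read/landlock.fs.write will trip over: in ABI version 1 (kernel 5.13) file truncation (truncate(2), ftruncate(2), open(2) with O_TRUNC) is not governed by any filesystem access right at all, so a file the ruleset grants only read access to can still be truncated if DAC permits it; the corresponding right (LANDLOCK_ACCESS_FS_TRUNCATE) only arrived with ABI version 3 in kernel 6.2. Separately, "experimental and unstable" in the first sentence can be read as "crashes"; "the interface and the contents of landlock-common.inc may change" says what is actually meant.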
Expand All @@ -3386,6 +3401,11 @@ landlock-common.inc) and with a custom set of rules.
Important notes:
.PP
.RS
- Currently only Landlock ABI version 1 is supported.
.PP
- If "lsm=" is used in the kernel command line, it should contain "landlock"
(such as "lsm=apparmor,landlock"), or else it will be disabled.
.PP
- A process can install a Landlock ruleset only if it has either
\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
Privileges" restriction enabled.
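Review bot: the "lsm=" item describes a silent failure ("it will be disabled") without telling the reader how to detect it; add that `/sys/kernel/security/lsm` lists the active LSMs and must contain "landlock" (which also requires the kernel to be built with CONFIG_SECURITY_LANDLOCK=y). The "only Landlock ABI version 1" item would be more useful if it stated what that implies, namely that access rights introduced in later ABI versions are not used even on newer kernels, which is the reason for the "may not protect all of the relevant syscalls" caveat in the warning above.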
