diff --git a/contrib/syntax/lists/profile_commands_arg1.list b/contrib/syntax/lists/profile_commands_arg1.list index 8d5cae7f2ce..6fd943e57f1 100644 --- a/contrib/syntax/lists/profile_commands_arg1.list +++ b/contrib/syntax/lists/profile_commands_arg1.list @@ -29,11 +29,11 @@ ip6 iprange join-or-start keep-fd -landlock.execute -landlock.makedev -landlock.makeipc -landlock.read -landlock.write +landlock.fs.execute +landlock.fs.makedev +landlock.fs.makeipc +landlock.fs.read +landlock.fs.write mac mkdir mkfile diff --git a/etc/inc/landlock-common.inc b/etc/inc/landlock-common.inc index 694d447b594..e147963a688 100644 --- a/etc/inc/landlock-common.inc +++ b/etc/inc/landlock-common.inc @@ -2,38 +2,38 @@ # Persistent customizations should go in a .local file. include landlock-common.local -landlock.read / # whole system read -landlock.read /proc -landlock.makeipc / # sockets etc. +landlock.fs.read / # whole system read +landlock.fs.read /proc +landlock.fs.makeipc / # sockets etc. # write access -landlock.write ${HOME} -landlock.write ${RUNUSER} -landlock.write /dev -landlock.write /proc -landlock.write /run/shm -landlock.write /tmp +landlock.fs.write ${HOME} +landlock.fs.write ${RUNUSER} +landlock.fs.write /dev +landlock.fs.write /proc +landlock.fs.write /run/shm +landlock.fs.write /tmp # exec access ## misc -landlock.execute /opt -landlock.execute /run/firejail # appimage and various firejail features +landlock.fs.execute /opt +landlock.fs.execute /run/firejail # appimage and various firejail features ## bin -landlock.execute /bin -landlock.execute /sbin -landlock.execute /usr/bin -landlock.execute /usr/sbin -landlock.execute /usr/games -landlock.execute /usr/local/bin -landlock.execute /usr/local/sbin -landlock.execute /usr/local/games +landlock.fs.execute /bin +landlock.fs.execute /sbin +landlock.fs.execute /usr/bin +landlock.fs.execute /usr/sbin +landlock.fs.execute /usr/games +landlock.fs.execute /usr/local/bin +landlock.fs.execute /usr/local/sbin +landlock.fs.execute /usr/local/games ## lib -landlock.execute /lib -landlock.execute /lib32 -landlock.execute /libx32 -landlock.execute /lib64 -landlock.execute /usr/lib -landlock.execute /usr/lib32 -landlock.execute /usr/libx32 -landlock.execute /usr/lib64 -landlock.execute /usr/local/lib +landlock.fs.execute /lib +landlock.fs.execute /lib32 +landlock.fs.execute /libx32 +landlock.fs.execute /lib64 +landlock.fs.execute /usr/lib +landlock.fs.execute /usr/lib32 +landlock.fs.execute /usr/libx32 +landlock.fs.execute /usr/lib64 +landlock.fs.execute /usr/local/lib diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 0e6a5734ec5..29ea55439b4 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template @@ -138,11 +138,11 @@ include globals.local #include whitelist-var-common.inc # Landlock commands -##landlock.read PATH -##landlock.write PATH -##landlock.makeipc PATH -##landlock.makedev PATH -##landlock.execute PATH +##landlock.fs.read PATH +##landlock.fs.write PATH +##landlock.fs.makeipc PATH +##landlock.fs.makedev PATH +##landlock.fs.execute PATH #include landlock-common.inc ##allusers diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index 6c985bc6ef6..4a1adbc26ba 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in @@ -45,23 +45,23 @@ _firejail() --landlock.enforce) return 0 ;; - --landlock.read) + --landlock.fs.read) _filedir return 0 ;; - --landlock.write) + --landlock.fs.write) _filedir return 0 ;; - --landlock.makeipc) + --landlock.fs.makeipc) _filedir return 0 ;; - --landlock.makedev) + --landlock.fs.makedev) _filedir return 0 ;; - --landlock.execute) + --landlock.fs.execute) _filedir return 0 ;; diff --git a/src/firejail/main.c b/src/firejail/main.c index 0d56eeb55e6..0ce18ab010a 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -1505,16 +1505,16 @@ int main(int argc, char **argv, char **envp) { #ifdef HAVE_LANDLOCK else if (strncmp(argv[i], "--landlock.enforce", 18) == 0) arg_landlock_enforce = 1; - else if (strncmp(argv[i], "--landlock.read=", 16) == 0) - ll_add_profile(LL_FS_READ, argv[i] + 16); - else if (strncmp(argv[i], "--landlock.write=", 17) == 0) - ll_add_profile(LL_FS_WRITE, argv[i] + 17); - else if (strncmp(argv[i], "--landlock.makeipc=", 19) == 0) - ll_add_profile(LL_FS_MAKEIPC, argv[i] + 19); - else if (strncmp(argv[i], "--landlock.makedev=", 19) == 0) - ll_add_profile(LL_FS_MAKEDEV, argv[i] + 19); - else if (strncmp(argv[i], "--landlock.execute=", 19) == 0) - ll_add_profile(LL_FS_EXEC, argv[i] + 19); + else if (strncmp(argv[i], "--landlock.fs.read=", 19) == 0) + ll_add_profile(LL_FS_READ, argv[i] + 19); + else if (strncmp(argv[i], "--landlock.fs.write=", 20) == 0) + ll_add_profile(LL_FS_WRITE, argv[i] + 20); + else if (strncmp(argv[i], "--landlock.fs.makeipc=", 22) == 0) + ll_add_profile(LL_FS_MAKEIPC, argv[i] + 22); + else if (strncmp(argv[i], "--landlock.fs.makedev=", 22) == 0) + ll_add_profile(LL_FS_MAKEDEV, argv[i] + 22); + else if (strncmp(argv[i], "--landlock.fs.execute=", 22) == 0) + ll_add_profile(LL_FS_EXEC, argv[i] + 22); #endif else if (strcmp(argv[i], "--memory-deny-write-execute") == 0) { if (checkcfg(CFG_SECCOMP)) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 945ed518e30..4e0b17a8c07 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -1078,24 +1078,24 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_landlock_enforce = 1; return 0; } - if (strncmp(ptr, "landlock.read ", 14) == 0) { - ll_add_profile(LL_FS_READ, ptr + 14); + if (strncmp(ptr, "landlock.fs.read ", 17) == 0) { + ll_add_profile(LL_FS_READ, ptr + 17); return 0; } - if (strncmp(ptr, "landlock.write ", 15) == 0) { - ll_add_profile(LL_FS_WRITE, ptr + 15); + if (strncmp(ptr, "landlock.fs.write ", 18) == 0) { + ll_add_profile(LL_FS_WRITE, ptr + 18); return 0; } - if (strncmp(ptr, "landlock.makeipc ", 17) == 0) { - ll_add_profile(LL_FS_MAKEIPC, ptr + 17); + if (strncmp(ptr, "landlock.fs.makeipc ", 20) == 0) { + ll_add_profile(LL_FS_MAKEIPC, ptr + 20); return 0; } - if (strncmp(ptr, "landlock.makedev ", 17) == 0) { - ll_add_profile(LL_FS_MAKEDEV, ptr + 17); + if (strncmp(ptr, "landlock.fs.makedev ", 20) == 0) { + ll_add_profile(LL_FS_MAKEDEV, ptr + 20); return 0; } - if (strncmp(ptr, "landlock.execute ", 17) == 0) { - ll_add_profile(LL_FS_EXEC, ptr + 17); + if (strncmp(ptr, "landlock.fs.execute ", 20) == 0) { + ll_add_profile(LL_FS_EXEC, ptr + 20); return 0; } #endif diff --git a/src/firejail/usage.c b/src/firejail/usage.c index c62e8c3691d..248b3585332 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -135,11 +135,11 @@ static const char *const usage_str = " --keep-var-tmp - /var/tmp directory is untouched.\n" #ifdef HAVE_LANDLOCK " --landlock.enforce - enforce the Landlock ruleset.\n" - " --landlock.read=path - add a read access rule for the path to the Landlock ruleset.\n" - " --landlock.write=path - add a write access rule for the path to the Landlock ruleset.\n" - " --landlock.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n" - " --landlock.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n" - " --landlock.execute=path - add an execute access rule for the path to the Landlock ruleset.\n" + " --landlock.fs.read=path - add a read access rule for the path to the Landlock ruleset.\n" + " --landlock.fs.write=path - add a write access rule for the path to the Landlock ruleset.\n" + " --landlock.fs.makeipc=path - add an access rule for the path to the Landlock ruleset for creating named pipes and sockets.\n" + " --landlock.fs.makedev=path - add an access rule for the path to the Landlock ruleset for creating block/char devices.\n" + " --landlock.fs.execute=path - add an execute access rule for the path to the Landlock ruleset.\n" #endif " --list - list all sandboxes.\n" #ifdef HAVE_FILE_TRANSFER diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index b6672c16b84..e274a91d171 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in @@ -514,25 +514,25 @@ Enforce the Landlock ruleset. .PP Without it, the other Landlock commands have no effect. .TP -\fBlandlock.read path +\fBlandlock.fs.read path Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. .TP -\fBlandlock.write path +\fBlandlock.fs.write path Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. .TP -\fBlandlock.makeipc path +\fBlandlock.fs.makeipc path Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of named pipes (FIFOs) and Unix domain sockets beneath the given path. .TP -\fBlandlock.makedev path +\fBlandlock.fs.makedev path Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of block devices and character devices beneath the given path. .TP -\fBlandlock.execute path +\fBlandlock.fs.execute path Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. #endif diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 6548b8e5d26..618b4955e2a 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in @@ -1241,25 +1241,25 @@ Enforce the Landlock ruleset. Without it, the other Landlock commands have no effect. See the \fBLANDLOCK\fR section for more information. .TP -\fB\-\-landlock.read=path +\fB\-\-landlock.fs.read=path Create a Landlock ruleset (if it doesn't already exist) and add a read access rule for path. .TP -\fB\-\-landlock.write=path +\fB\-\-landlock.fs.write=path Create a Landlock ruleset (if it doesn't already exist) and add a write access rule for path. .TP -\fB\-\-landlock.makeipc=path +\fB\-\-landlock.fs.makeipc=path Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of named pipes (FIFOs) and Unix domain sockets beneath the given path. .TP -\fB\-\-landlock.makedev=path +\fB\-\-landlock.fs.makedev=path Create a Landlock ruleset (if it doesn't already exist) and add a rule that allows the creation of block devices and character devices beneath the given path. .TP -\fB\-\-landlock.execute=path +\fB\-\-landlock.fs.execute=path Create a Landlock ruleset (if it doesn't already exist) and add an execution permission rule for path. .br @@ -1267,8 +1267,8 @@ permission rule for path. .br Example: .br -$ firejail \-\-landlock.read=/ \-\-landlock.write=/home -\-\-landlock.execute=/usr \-\-landlock.enforce +$ firejail \-\-landlock.fs.read=/ \-\-landlock.fs.write=/home +\-\-landlock.fs.execute=/usr \-\-landlock.enforce #endif .TP \fB\-\-list @@ -3404,7 +3404,7 @@ features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line. Without it, the other Landlock commands have no effect. Example: .PP -$ firejail \-\-landlock.enforce \-\-landlock.read=/media mc +$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc .PP To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR. #endif diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 45f24d5f3b4..15e9a511162 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in @@ -108,11 +108,11 @@ _firejail_args=( '--keep-var-tmp[/var/tmp directory is untouched]' #ifdef HAVE_LANDLOCK '--landlock.enforce[enforce the Landlock ruleset]' - '--landlock.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' - '--landlock.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' - '--landlock.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files' - '--landlock.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files' - '--landlock.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' + '--landlock.fs.read=-[add a read access rule for the path to the Landlock ruleset]: :_files' + '--landlock.fs.write=-[add a write access rule for the path to the Landlock ruleset]: :_files' + '--landlock.fs.makeipc=-[add an access rule for the path to the Landlock ruleset for creating named pipes and sockets]: :_files' + '--landlock.fs.makedev=-[add an access rule for the path to the Landlock ruleset for creating block/char devices]: :_files' + '--landlock.fs.execute=-[add an execute access rule for the path to the Landlock ruleset]: :_files' #endif '--machine-id[spoof /etc/machine-id with a random id]' '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'