docs: man: sort LANDLOCK section (firejail.1)

Added on commit 13b2c56 ("feature: add Landlock support", 2023-10-24)
/ PR #6078.

Relates to #6451.

src/man/firejail.1.in

@@ -3408,64 +3408,6 @@ To enable AppArmor confinement on top of your current Firejail security features
 $ firejail --apparmor firefox
 #endif
 
-#ifdef HAVE_LANDLOCK
-.SH LANDLOCK
-Warning: Landlock support in firejail is considered experimental and unstable.
-The contents of landlock-common.inc are likely to change and the feature is
-still being expanded upon in the Linux kernel.
-Also, note that its functionality overlaps with existing firejail features,
-such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
-Its filesystem access rules can currently only restrict direct access to paths;
-it is not able to make only select paths appear in the sandbox such as with the
-\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
-Lastly, note that depending on the Linux kernel version, Landlock may not
-protect all of the relevant syscalls (see the kernel's Landlock documentation
-for details).
-Therefore, it is recommended to treat Landlock as an extra layer of protection,
-to be used together with other firejail features (rather than as a bulletproof
-mechanism by itself).
-.PP
-Landlock is a Linux security module first introduced in version 5.13 of the
-Linux kernel.
-It allows unprivileged processes to restrict their access to the filesystem.
-Once imposed, these restrictions can never be removed, and all child processes
-created by a Landlock-restricted processes inherit these restrictions.
-Firejail supports Landlock as an additional sandboxing feature.
-It can be used to ensure that a sandboxed application can only access files and
-directories that it was explicitly allowed to access.
-Firejail supports populating the ruleset with both a basic set of rules (see
-landlock-common.inc) and with a custom set of rules.
-.TP
-Important notes:
-.PP
-.RS
-- Currently only Landlock ABI version 1 is supported.
-.PP
-- If "lsm=" is used in the kernel command line, it should contain "landlock"
-(such as "lsm=apparmor,landlock"), or else it will be disabled.
-.PP
-- A process can install a Landlock ruleset only if it has either
-\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
-Privileges" restriction enabled.
-Because of this, enabling the Landlock feature will also cause Firejail to
-enable the "No New Privileges" restriction, regardless of the profile or the
-\fB\-\-nonewprivs\fR command line option.
-.PP
-- Access to the /etc directory is automatically allowed.
-To override this, use the \fB\-\-writable\-etc\fR command line option.
-You can also use the \fB\-\-private\-etc\fR option to restrict access to the
-/etc directory.
-.RE
-.PP
-To enable Landlock self-restriction on top of your current Firejail security
-features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
-Without it, the other Landlock commands have no effect.
-Example:
-.PP
-$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
-.PP
-To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
-#endif
 .SH DESKTOP INTEGRATION
 A symbolic link to /usr/bin/firejail under the name of a program, will start the program in Firejail sandbox.
 The symbolic link should be placed in the first $PATH position. On most systems, a good place
@@ -3713,6 +3655,65 @@ Currently while scanning the file system, symbolic links are not followed, and f
 The program can also be run as root (sudo firejail --ids-init/--ids-check).
 #endif
 
+#ifdef HAVE_LANDLOCK
+.SH LANDLOCK
+Warning: Landlock support in firejail is considered experimental and unstable.
+The contents of landlock-common.inc are likely to change and the feature is
+still being expanded upon in the Linux kernel.
+Also, note that its functionality overlaps with existing firejail features,
+such as the \fBblacklist\fR, \fBread-only\fR and \fBread-write\fR commands.
+Its filesystem access rules can currently only restrict direct access to paths;
+it is not able to make only select paths appear in the sandbox such as with the
+\fBwhitelist\fR and \fBprivate-etc\fR commands (see also unveil(2) on OpenBSD).
+Lastly, note that depending on the Linux kernel version, Landlock may not
+protect all of the relevant syscalls (see the kernel's Landlock documentation
+for details).
+Therefore, it is recommended to treat Landlock as an extra layer of protection,
+to be used together with other firejail features (rather than as a bulletproof
+mechanism by itself).
+.PP
+Landlock is a Linux security module first introduced in version 5.13 of the
+Linux kernel.
+It allows unprivileged processes to restrict their access to the filesystem.
+Once imposed, these restrictions can never be removed, and all child processes
+created by a Landlock-restricted processes inherit these restrictions.
+Firejail supports Landlock as an additional sandboxing feature.
+It can be used to ensure that a sandboxed application can only access files and
+directories that it was explicitly allowed to access.
+Firejail supports populating the ruleset with both a basic set of rules (see
+landlock-common.inc) and with a custom set of rules.
+.TP
+Important notes:
+.PP
+.RS
+- Currently only Landlock ABI version 1 is supported.
+.PP
+- If "lsm=" is used in the kernel command line, it should contain "landlock"
+(such as "lsm=apparmor,landlock"), or else it will be disabled.
+.PP
+- A process can install a Landlock ruleset only if it has either
+\fBCAP_SYS_ADMIN\fR in its effective capability set, or the "No New
+Privileges" restriction enabled.
+Because of this, enabling the Landlock feature will also cause Firejail to
+enable the "No New Privileges" restriction, regardless of the profile or the
+\fB\-\-nonewprivs\fR command line option.
+.PP
+- Access to the /etc directory is automatically allowed.
+To override this, use the \fB\-\-writable\-etc\fR command line option.
+You can also use the \fB\-\-private\-etc\fR option to restrict access to the
+/etc directory.
+.RE
+.PP
+To enable Landlock self-restriction on top of your current Firejail security
+features, pass \fB\-\-landlock.enforce\fR flag to Firejail command line.
+Without it, the other Landlock commands have no effect.
+Example:
+.PP
+$ firejail \-\-landlock.enforce \-\-landlock.fs.read=/media mc
+.PP
+To disable Landlock self-restriction, use \fB\-\-ignore=landlock.enforce\fR.
+#endif
+
 .SH MONITORING
 Option \-\-list prints a list of all sandboxes. The format
 for each process entry is as follows: