landlock: check for landlock support in glibc

kmk3 · Sep 4, 2022 · c5a052f · c5a052f
1 parent 2d885e5
commit c5a052f
Show file tree

Hide file tree

Showing 4 changed files with 601 additions and 551 deletions.
diff --git a/README.md b/README.md
@@ -270,6 +270,46 @@ Work in progress, the interface described in the man page below could change.
               Example:
               $   firejail  --landlock.read=/  --landlock.write=/home  --land‐
               lock.execute=/usr
+
+LANDLOCK
+       Landlock is a Linux security module first introduced in the  5.13  ver‐
+       sion  of  Linux  kernel.  It  allows unprivileged processes to restrict
+       their access to the filesystem. Once imposed,  these  restrictions  can
+       never  be  removed,  and  all child processes created by a Landlock-re‐
+       stricted processes inherit these restrictions. Firejail supports  Land‐
+       lock as an additional sandboxing feature. It can be used to ensure that
+       a sandboxed application can only access files and directories  that  it
+       was  explicitly  allowed  to  access.  Firejail supports populating the
+       ruleset with both basic set of rules and with custom set of rules.  Ba‐
+       sic  set  of  rules  allows read-only access to /bin, /dev, /etc, /lib,
+       /opt, /proc, /usr and /var, read-write access to  the  home  directory,
+       and allows execution of binaries located in /bin, /opt and /usr.
+
+       Important notes:
+
+              - A process can install a Landlock ruleset only if it has either
+              CAP_SYS_ADMIN in its effective capability set, or  the  "No  New
+              Privileges"  restriction  enabled. Because of this, enabling the
+              Landlock feature will also cause Firejail to enable the "No  New
+              Privileges"  restriction,  regardless  of  the  profile  or  the
+              --no-new-privs command line option.
+
+              - Access to the /proc directory is managed through  the  --land‐
+              lock.proc command line option.
+
+              -  Access  to  the  /etc  directory is automatically allowed. To
+              override this, use the --writable-etc command line  option.  You
+              can  also use the --private-etc option to restrict access to the
+              /etc directory.
+
+       To enable Landlock self-restriction on top of your current Firejail se‐
+       curity features, pass --landlock flag to Firejail command line. You can
+       also  use  --landlock.read,  --landlock.write,  --landlock.special  and
+       --landlock.execute  options  together with --landlock or instead of it.
+       Example:
+
+              $ firejail --landlock --landlock.read=/media  --landlock.proc=ro
+              mc
 `````
 
 ### Profile Statistics

diff --git a/RELNOTES b/RELNOTES
@@ -16,6 +16,7 @@ firejail (0.9.71) baseline; urgency=low
     a seccomp filter for both 64 and 32 bit architectures (#4939 #5259)
   * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
     #5317)
+  * feature: Landlock support (#5269)
   * bugfix: Flood of seccomp audit log entries (#5207)
   * build: deduplicate configure-time vars into new config files (#5140 #5284)
   * build: fix file mode of shell scripts (644 -> 755) (#5206)