landlock: move commands into profile and add landlock.enforce #6125
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
glitsj16
approved these changes
Dec 11, 2023
This includes macros such as `${HOME}` and `${RUNUSER}`, but not
`${PATH}`, which may expand to multiple strings.
Relates to netblue30#6078.
Relates to netblue30#6078.
Avoid checking if Landlock is supported in ll_add_profile(), as it may result in a warning being printed in ll_is_supported() in the next commit. Relates to netblue30#6078.
Changes: * Move commands from --landlock and --landlock.proc= into etc/inc/landlock-common.inc * Remove --landlock and --landlock.proc= * Add --landlock.enforce Instead of hard-coding the default commands (and having a separate command just for /proc), move them into a dedicated profile to make it easier for users to interact with the entries (view, copy, add ignore entries, etc). Only enforce the Landlock commands if --landlock.enforce is supplied. This allows safely adding Landlock commands to (upstream) profiles while keeping their enforcement opt-in. It also makes it simpler to effectively disable all Landlock commands, by using `--ignore=landlock.enforce`. Relates to netblue30#6078.
kmk3
force-pushed
the
landlock-enforce
branch
from
bf9d9fb
to
760f50f
Compare
|
All merged, thanks! |
kmk3
added a commit
that referenced
this pull request
Feb 12, 2024
kmk3
added a commit
to kmk3/firejail
that referenced
this pull request
Mar 3, 2024
To reduce duplication. Support for it was added on commit bf5a993 ("landlock: add support for PATH macro", 2023-12-22). See also commit 19e1082 ("landlock: expand simple macros in commands", 2023-11-11) / PR netblue30#6125. Relates to netblue30#6078.
kmk3
added a commit
that referenced
this pull request
Mar 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes:
etc/inc/landlock-common.inc
Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).
Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in. It also makes it simpler to
effectively disable all Landlock commands, by using
--ignore=landlock.enforce.Relates to #6078.