Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: warn about limitations of landlock #6302

Merged
merged 1 commit into from
Apr 11, 2024
Merged

docs: warn about limitations of landlock #6302

merged 1 commit into from
Apr 11, 2024

Conversation

kmk3
Copy link
Collaborator

@kmk3 kmk3 commented Apr 5, 2024

And mark it as experimental.

Relates to #6078.

@kmk3 kmk3 added this to In progress in Release 0.9.74 via automation Apr 5, 2024
@glitsj16
Copy link
Collaborator

glitsj16 commented Apr 9, 2024

@kmk3 Although the Firejail/Landlock status is made much clearer in this PR it might still be nice to note that without having landlock in the lsm=x,y,z kernel parameter (cfr. apparmor) Firejail will ignore landlock commands.

Example bootloader lsm param for good Firejail support: lsm=landlock,lockdown,yama,integrity,apparmor,bpf

@kmk3
Copy link
Collaborator Author

kmk3 commented Apr 10, 2024

Although the Firejail/Landlock status is made much clearer in this PR it
might still be nice to note that without having landlock in the lsm=x,y,z
kernel parameter (cfr. apparmor) Firejail will ignore landlock commands.

Example bootloader lsm param for good Firejail support:
lsm=landlock,lockdown,yama,integrity,apparmor,bpf

Landlock should work by default without needing to enable it.

Is there any distribution that disables it?

Example to check if it works:

$ firejail --quiet --noprofile true
$ firejail --quiet --noprofile --landlock.enforce --landlock.fs.read=/foo true
Cannot start application: Permission denied

@glitsj16
Copy link
Collaborator

Is there any distribution that disables it?

Not that I know of. I wasn't clear enough though, let me try to explain what I mean. If a user enables AppArmor as default security model on every boot via the lsm kernel parameter and landlock isn't part of that param, it does get disabled.

@kmk3
docs: warn about limitations of landlock
d79547c 
And mark it as experimental.

Relates to netblue30#6078.
@kmk3
Copy link
Collaborator Author

kmk3 commented Apr 11, 2024

If a user enables AppArmor as default security model on every boot via the
lsm kernel parameter and landlock isn't part of that param, it does get
disabled.

I see it now; added an item about it.

@netblue30
Copy link
Owner

all set, thanks!

@netblue30 netblue30 merged commit 27cd032 into netblue30:master Apr 11, 2024
2 checks passed
@kmk3 kmk3 deleted the docs-warn-landlock branch April 12, 2024 21:27
@kmk3 kmk3 added the documentation Issues and pull requests related to the documentation label Apr 12, 2024
kmk3 added a commit that referenced this pull request Apr 25, 2024
@kmk3
RELNOTES: add feature, modif and profile items
8b49fe5 
Relates to #6302 #6305 #6307 #6308 #6309.
@kmk3 kmk3 moved this from In progress to Done (on RELNOTES) in Release 0.9.74 Apr 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@glitsj16 glitsj16 glitsj16 approved these changes

@topimiettinen topimiettinen topimiettinen approved these changes

@rusty-snake rusty-snake Awaiting requested review from rusty-snake

Assignees
No one assigned
Labels
documentation Issues and pull requests related to the documentation
Projects
Release 0.9.74
  
Done (on RELNOTES)
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@kmk3 @glitsj16 @netblue30 @topimiettinen