netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

docs: warn about limitations of landlock #6302

Closed kmk3 closed 7 months ago

kmk3 commented 7 months ago

And mark it as experimental.

Relates to #6078.

glitsj16 commented 7 months ago

@kmk3 Although the Firejail/Landlock status is made much clearer in this PR it might still be nice to note that without having landlock in the lsm=x,y,z kernel parameter (cfr. apparmor) Firejail will ignore landlock commands.

Example bootloader lsm param for good Firejail support: lsm=landlock,lockdown,yama,integrity,apparmor,bpf

kmk3 commented 7 months ago

> Although the Firejail/Landlock status is made much clearer in this PR it might still be nice to note that without having landlock in the lsm=x,y,z kernel parameter (cfr. apparmor) Firejail will ignore landlock commands.
>
> Example bootloader lsm param for good Firejail support: lsm=landlock,lockdown,yama,integrity,apparmor,bpf

Landlock should work by default without needing to enable it.

Is there any distribution that disables it?

Example to check if it works:

```
$ firejail --quiet --noprofile true
$ firejail --quiet --noprofile --landlock.enforce --landlock.fs.read=/foo true
Cannot start application: Permission denied
```

glitsj16 commented 7 months ago

> Is there any distribution that disables it?

Not that I know of. I wasn't clear enough though, let me try to explain what I mean. If a user enables AppArmor as default security model on every boot via the lsm kernel parameter and landlock isn't part of that param, it does get disabled.
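
The point made above (an explicit `lsm=` kernel parameter that omits `landlock` disables the LSM, so firejail's `--landlock.*` options become no-ops) can be checked before relying on a Landlock-restricted profile. The following is an added example, not code from the firejail project or from either commenter: it parses an `lsm=` list the way the kernel does (a comma-separated, ordered set), reports whether `landlock` is present in a given kernel command line, and, on a live system, reads the active LSM list from securityfs. The sample command lines in the comments are constructed; the `lsm=landlock,lockdown,yama,integrity,apparmor,bpf` value is the one from this thread.

```shell
#!/bin/sh
# Added example (not part of the firejail PR): tell whether the Landlock LSM
# is enabled, which firejail's --landlock.* options require to have any effect.

# Return 0 if "landlock" is one of the entries in a comma-separated LSM list,
# e.g. the value of the lsm= kernel parameter or of /sys/kernel/security/lsm.
lsm_list_has_landlock() {
    case ",$1," in
        *,landlock,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of the lsm= parameter found in a kernel command line,
# or an empty line when the parameter is not set.
cmdline_lsm_param() {
    for tok in $1; do            # unquoted on purpose: split on whitespace
        case "$tok" in
            lsm=*) printf '%s\n' "${tok#lsm=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# Classify a kernel command line:
#   default  - no lsm= given, the kernel's built-in LSM order applies
#   enabled  - lsm= given and it lists landlock
#   disabled - lsm= given but landlock is missing (firejail ignores landlock)
landlock_status_from_cmdline() {
    param=$(cmdline_lsm_param "$1")
    if [ -z "$param" ]; then
        echo default
    elif lsm_list_has_landlock "$param"; then
        echo enabled
    else
        echo disabled
    fi
}

# Live check: the active, ordered LSM list exposed by securityfs is the
# authoritative answer regardless of how it was configured.
check_running_kernel() {
    if [ -r /sys/kernel/security/lsm ]; then
        active=$(cat /sys/kernel/security/lsm)
        if lsm_list_has_landlock "$active"; then
            echo "landlock active (lsm=$active)"
        else
            echo "landlock NOT active (lsm=$active); firejail --landlock.* will be ignored"
        fi
    else
        echo "securityfs not mounted; falling back to /proc/cmdline"
        landlock_status_from_cmdline "$(cat /proc/cmdline 2>/dev/null)"
    fi
}

# Constructed sample command lines for a dry run:
landlock_status_from_cmdline 'root=/dev/sda1 lsm=lockdown,yama,apparmor quiet'                      # disabled
landlock_status_from_cmdline 'root=/dev/sda1 lsm=landlock,lockdown,yama,integrity,apparmor,bpf'   # enabled
landlock_status_from_cmdline 'root=/dev/sda1 quiet'                                                # default
```

Run `check_running_kernel` on the machine in question; if it reports `disabled` or `NOT active`, the `firejail --landlock.enforce --landlock.fs.read=/foo true` test from the previous comment will succeed instead of failing with `Permission denied`, which is the symptom being documented here.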

kmk3 commented 7 months ago

> If a user enables AppArmor as default security model on every boot via the lsm kernel parameter and landlock isn't part of that param, it does get disabled.

I see it now; added an item about it.

netblue30 commented 7 months ago

All set, thanks!