diff options
Diffstat (limited to '')
-rw-r--r-- | sys-utils/setpriv.1 | 36 | ||||
-rw-r--r-- | sys-utils/setpriv.1.adoc | 27 |
2 files changed, 60 insertions, 3 deletions
diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1 index c1bf933..dd82a1e 100644 --- a/sys-utils/setpriv.1 +++ b/sys-utils/setpriv.1 @@ -2,12 +2,12 @@ .\" Title: setpriv .\" Author: [see the "AUTHOR(S)" section] .\" Generator: Asciidoctor 2.0.20 -.\" Date: 2023-10-23 +.\" Date: 2024-03-27 .\" Manual: User Commands -.\" Source: util-linux 2.39.3 +.\" Source: util-linux 2.40 .\" Language: English .\" -.TH "SETPRIV" "1" "2023-10-23" "util\-linux 2.39.3" "User Commands" +.TH "SETPRIV" "1" "2024-03-27" "util\-linux 2.40" "User Commands" .ie \n(.g .ds Aq \(aq .el .ds Aq ' .ss \n[.ss] 0 @@ -156,6 +156,35 @@ Request a particular SELinux transition (using a transition on exec, not dyntran Request a particular AppArmor profile (using a transition on exec). This will fail and cause \fBsetpriv\fP to abort if AppArmor is not in use, and the transition may be ignored or cause \fBexecve\fP(2) to fail at AppArmor\(cqs whim. .RE .sp +\fB\-\-landlock\-access\fP \fIaccess\fP +.RS 4 +Enable landlock restrictions for a specific set of system accesses. +To allow specific subgroups of accesses use \fB\-\-landlock\-rule\fP. +.sp +Block all filesystem access: +.sp +\fBsetpriv \-\-landlock\-access fs\fP +.sp +Block all file deletions and directory creations: +.sp +\fBsetpriv \-\-landlock\-access fs:remove\-file,make\-dir\fP +.sp +For a complete set of supported access categories use \fBsetpriv \-\-help\fP. +.RE +.sp +\fB\-\-landlock\-rule\fP \fIrule\fP +.RS 4 +Allow one specific access from the categories blocked by \fB\-\-landlock\-access\fP. +.sp +The syntax is as follows: +.sp +\fB\-\-landlock\-rule $ruletype:$access:$rulearg\fP +.sp +For example grant file read access to everything under \fB/boot\fP: +.sp +\fB\-\-landlock\-rule path\-beneath:read\-file:/boot\fP +.RE +.sp \fB\-\-reset\-env\fP .RS 4 Clears all the environment variables except \fBTERM\fP; initializes the environment variables \fBHOME\fP, \fBSHELL\fP, \fBUSER\fP, \fBLOGNAME\fP according to the user\(cqs passwd entry; sets \fBPATH\fP to \fI/usr/local/bin:/bin:/usr/bin\fP for a regular user and to \fI/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\fP for root. @@ -195,6 +224,7 @@ If you want to mimic daemontools\*(Aq \fBsetuid\fP(8), try: \fBsu\fP(1), \fBprctl\fP(2), \fBcapabilities\fP(7) +\fBlandlock\fP(7) .SH "REPORTING BUGS" .sp For bug reports, use the issue tracker at \c diff --git a/sys-utils/setpriv.1.adoc b/sys-utils/setpriv.1.adoc index a0ad6f8..9029346 100644 --- a/sys-utils/setpriv.1.adoc +++ b/sys-utils/setpriv.1.adoc @@ -84,6 +84,32 @@ Request a particular SELinux transition (using a transition on exec, not dyntran *--apparmor-profile* _profile_:: Request a particular AppArmor profile (using a transition on exec). This will fail and cause *setpriv* to abort if AppArmor is not in use, and the transition may be ignored or cause *execve*(2) to fail at AppArmor's whim. +*--landlock-access* _access_:: +Enable landlock restrictions for a specific set of system accesses. +To allow specific subgroups of accesses use *--landlock-rule*. ++ +Block all filesystem access: ++ +*setpriv --landlock-access fs* ++ +Block all file deletions and directory creations: ++ +*setpriv --landlock-access fs:remove-file,make-dir* ++ +For a complete set of supported access categories use *setpriv --help*. + +*--landlock-rule* _rule_:: + +Allow one specific access from the categories blocked by *--landlock-access*. ++ +The syntax is as follows: ++ +*--landlock-rule $ruletype:$access:$rulearg* ++ +For example grant file read access to everything under */boot*: ++ +*--landlock-rule path-beneath:read-file:/boot* + *--reset-env*:: Clears all the environment variables except *TERM*; initializes the environment variables *HOME*, *SHELL*, *USER*, *LOGNAME* according to the user's passwd entry; sets *PATH* to _/usr/local/bin:/bin:/usr/bin_ for a regular user and to _/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_ for root. + @@ -117,6 +143,7 @@ mailto:luto@amacapital.net[Andy Lutomirski] *su*(1), *prctl*(2), *capabilities*(7) +*landlock*(7) include::man-common/bugreports.adoc[] |