author | netblue30 <netblue30@protonmail.com> | 2022-01-08 22:28:47 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-08 22:28:47 +0000 |
commit | cdd5c06b0e22cff844048c24580a4640d0a9e524 (patch) | |
tree | 3c6ea08c1efafcac843ecd963cc582719bae4a38 | |
parent | Merge pull request #4831 from vinc17fr/blacklist-rxvt (diff) | |
parent | profile.template: add noprinters (diff) | |
download | firejail-cdd5c06b0e22cff844048c24580a4640d0a9e524.tar.gz firejail-cdd5c06b0e22cff844048c24580a4640d0a9e524.tar.zst firejail-cdd5c06b0e22cff844048c24580a4640d0a9e524.zip |
Merge pull request #4827 from kmk3/noprinters-add-missing
noprinters: add missing items & add to profile.template
-rw-r--r-- | contrib/vim/syntax/firejail.vim | 2 | ||||
-rw-r--r-- | etc/templates/profile.template | 1 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 1 |
6 files changed, 11 insertions, 1 deletions
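--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained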
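Review bot: The second fjCommand list on line 54 is hand-edited to add `noprinters`, while the comment on line 53 says the list is generated from src/firejail/profile.c with an rg pipeline; if the list was edited by hand rather than regenerated, any other option added to profile.c since the last regeneration would still be missing. Re-running the command from that comment and diffing its output against the committed list would confirm the change is complete.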
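--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -155,6 +155,7 @@ include globals.local
 #nogroups
 #noinput
 #nonewprivs
+#noprinters
 #noroot
 #nosound
 #notv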
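--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -161,6 +161,7 @@ static char *usage_str =
 " --nogroups - disable supplementary groups.\n"
 " --noinput - disable input devices.\n"
 " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+" --noprinters - disable printers.\n"
 " --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
 " --noroot - install a user namespace with only the current user.\n"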
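--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -489,6 +489,9 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes
 cannot acquire new privileges using execve(2); in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+.TP
+\fBnoprinters
+Disable printers.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot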
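--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1635,6 +1635,10 @@ does not result in an increase of privilege. This option
 is enabled by default if seccomp filter is activated.
 
 .TP
+\fB\-\-noprinters
+Disable printers.
+
+.TP
 \fB\-\-noprofile
 Do not use a security profile.
 .br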
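--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -123,6 +123,7 @@ _firejail_args=(
 '--nogroups[disable supplementary groups]'
 '--noinput[disable input devices]'
 '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+'--noprinters[disable printers]'
 '--nosound[disable sound system]'
 '--nou2f[disable U2F devices]'
 '--novideo[disable video devices]'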