fix shell=none for --audit (#3116)

2 files changed, 6 insertions, 0 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index 841aa47a7..da842e17b 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2564,6 +2564,7 @@ int main(int argc, char **argv, char **envp) {
                         cfg.timeout = extract_timeout(argv[i] + 10);
                 else if (strcmp(argv[i], "--audit") == 0) {
                         arg_audit_prog = LIBDIR "/firejail/faudit";
+                        profile_add_ignore("shell none");
                         arg_audit = 1;
                 }
                 else if (strncmp(argv[i], "--audit=", 8) == 0) {
@@ -2580,6 +2581,7 @@ int main(int argc, char **argv, char **envp) {
                                 fprintf(stderr, "Error: cannot find the audit program %s\n", arg_audit_prog);
                                 exit(1);
                         }
+                        profile_add_ignore("shell none");
                         arg_audit = 1;
                 }
                 else if (strcmp(argv[i], "--appimage") == 0)
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index c4b0d384b..b602bcada 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2930,6 +2930,10 @@ In the examples above, the sandbox configures transmission-gtk profile and
 starts the test program. The real program, transmission-gtk, will not be
 started.
 
+You can also audit a specific profile without specifying a program.
+.br
+        $ firejail --audit --profile=/etc/firejail/zoom.profile
+
 Limitations: audit feature is not implemented for --x11 commands.
 
 .SH DESKTOP INTEGRATION