authorLibravatar Kelvin M. Klann <kmk3.code@protonmail.com>2021-05-16 15:19:15 +0000
committerLibravatar GitHub <noreply@github.com>2021-05-16 15:19:15 +0000
commit89ed706450d1c08d96652de3f245785038572ed5 (patch)
tree7964ab1e5bfc012b8eac4ccad5c29a2c35c253a2
parentO_CLOEXEC follow-up (diff)
parentrename arg_noautopulse var to arg_keep_config_pulse (diff)
downloadfirejail-89ed706450d1c08d96652de3f245785038572ed5.tar.gz
firejail-89ed706450d1c08d96652de3f245785038572ed5.tar.zst
firejail-89ed706450d1c08d96652de3f245785038572ed5.zip
Merge pull request #4278 from kmk3/rename-noautopulse
rename noautopulse to keep-config-pulse
-rw-r--r--contrib/vim/syntax/firejail.vim2
-rw-r--r--src/firejail/firejail.h2
-rw-r--r--src/firejail/main.c11
-rw-r--r--src/firejail/profile.c8
-rw-r--r--src/firejail/sandbox.c2
-rw-r--r--src/firejail/usage.c3
-rw-r--r--src/man/firejail-profile.txt9
-rw-r--r--src/man/firejail.txt22
-rw-r--r--src/zsh_completion/_firejail.in1
9 files changed, 39 insertions, 21 deletions
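diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index e4d219e68..8775ae71d 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained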
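diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e07035ae6..ac2fd279e 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -314,7 +314,6 @@ extern int arg_private_cwd; // private working directory
 extern int arg_scan; // arp-scan all interfaces
 extern int arg_whitelist; // whitelist command
 extern int arg_nosound; // disable sound
-extern int arg_noautopulse; // disable automatic ~/.config/pulse init
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d; // disable 3d hardware acceleration
 extern int arg_quiet; // no output for scripting
@@ -323,6 +322,7 @@ extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
+extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
 extern int arg_writable_var; // writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user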
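Review bot: The replacement declaration at new line 325 is inserted between arg_writable_etc and arg_writable_var rather than where arg_noautopulse sat next to arg_nosound (old line 317), and the definition in main.c (new line 127) mirrors that placement. Keeping the pulse flag beside arg_nosound, or beside the other keep-* flag arg_keep_var_tmp, would keep related switches grouped and the header easier to scan. The carried-over comment `// disable automatic ~/.config/pulse init` also reads as the opposite of the new keep-config-pulse name; wording it after the intent stated in main.c, e.g. `// keep ~/.config/pulse as is (skip automatic init)`, avoids that double negative.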
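diff --git a/src/firejail/main.c b/src/firejail/main.c
index 025442035..593835843 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -116,7 +116,6 @@ int arg_private_cwd = 0; // private working directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist command
 int arg_nosound = 0; // disable sound
-int arg_noautopulse = 0; // disable automatic ~/.config/pulse init
 int arg_novideo = 0; //disable video devices in /dev
 int arg_no3d; // disable 3d hardware acceleration
 int arg_quiet = 0; // no output for scripting
@@ -125,6 +124,7 @@ int arg_join_filesystem = 0; // join only the mount namespace
 int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
+int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
 int arg_writable_var = 0; // writable var
 int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
@@ -1824,8 +1824,8 @@ int main(int argc, char **argv, char **envp) {
  exit(1);
  }
  arg_noprofile = 1;
- // force noautopulse in order to keep ~/.config/pulse as is
- arg_noautopulse = 1;
+ // force keep-config-pulse in order to keep ~/.config/pulse as is
+ arg_keep_config_pulse = 1;
  }
  else if (strncmp(argv[i], "--ignore=", 9) == 0) {
  if (custom_profile) {
@@ -1876,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
  }
  arg_writable_etc = 1;
  }
+ else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+ arg_keep_config_pulse = 1;
+ }
  else if (strcmp(argv[i], "--writable-var") == 0) {
  arg_writable_var = 1;
  }
@@ -2078,7 +2081,7 @@ int main(int argc, char **argv, char **envp) {
  else if (strcmp(argv[i], "--nosound") == 0)
  arg_nosound = 1;
  else if (strcmp(argv[i], "--noautopulse") == 0)
- arg_noautopulse = 1;
+ arg_keep_config_pulse = 1;
  else if (strcmp(argv[i], "--novideo") == 0)
  arg_novideo = 1;
  else if (strcmp(argv[i], "--no3d") == 0)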
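Review bot: The deprecated spelling at new lines 2083-2084 still sets arg_keep_config_pulse silently, so a user who passes --noautopulse gets no hint that the man page in this same commit marks it deprecated and points to --keep-config-pulse; the same holds for the `noautopulse` profile keyword in profile.c (new lines 425-426). A one-line notice on the deprecated branch, e.g. `fwarning("--noautopulse is deprecated, please use --keep-config-pulse\n");` before `arg_keep_config_pulse = 1;` (using whatever stderr warning helper the project already provides), would make the rename discoverable without breaking existing invocations or profiles. The new --keep-config-pulse branch at 1879-1881 and the forced setting at 1827-1828 look correct. main() starts and ends outside these hunks.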
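diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index d94e24ef6..dd4506ac1 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -423,7 +423,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  return 0;
  }
  else if (strcmp(ptr, "noautopulse") == 0) {
- arg_noautopulse = 1;
+ arg_keep_config_pulse = 1;
  return 0;
  }
  else if (strcmp(ptr, "notv") == 0) {
@@ -1143,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
  arg_machineid = 1;
  return 0;
  }
+
+ if (strcmp(ptr, "keep-config-pulse") == 0) {
+ arg_keep_config_pulse = 1;
+ return 0;
+ }
+
  // writable-var
  if (strcmp(ptr, "writable-var") == 0) {
  arg_writable_var = 1;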
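Review bot: The new `keep-config-pulse` block at new lines 1147-1150 has no heading comment, unlike its neighbour `// writable-var` at 1152, and it sits about 700 lines away from the `noautopulse` check at 425 that sets the same flag. Adding `// keep-config-pulse` above the block, and ideally placing the deprecated alias and its replacement next to each other, keeps the two spellings from drifting apart when one of them is later changed. profile_check_line() starts and ends outside both hunks.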
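diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 2c751809e..08f0f32c9 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1015,7 +1015,7 @@ int sandbox(void* sandbox_arg) {
  // disable /dev/snd
  fs_dev_disable_sound();
  }
- else if (!arg_noautopulse)
+ else if (!arg_keep_config_pulse)
  pulseaudio_init();
 
  if (arg_no3d)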
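diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index baa015a6c..888a6ffed 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -114,7 +114,8 @@ static char *usage_str =
  " --join-network=name|pid - join the network namespace.\n"
 #endif
  " --join-or-start=name|pid - join the sandbox or start a new one.\n"
- " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+ " --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
+ " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
  " --keep-var-tmp - /var/tmp directory is untouched.\n"
  " --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER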
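diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9d59328f5..49be8d0b0 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -271,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
@@ -718,9 +722,8 @@ name browser
 \fBno3d
 Disable 3D hardware acceleration.
 .TP
-\fBnoautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
+\fBnoautopulse \fR(deprecated)
+See keep-config-pulse.
 .TP
 \fBnodvd
 Disable DVD and audio CD devices.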
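diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 397ce5e17..68aea5857 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1052,6 +1052,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 Note that in contrary to other join options there is respective profile option.
 
 .TP
+\fB\-\-keep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-keep-config-pulse firefox
+
+.TP
 \fB\-\-keep-dev-shm
 /dev/shm directory is untouched (even with --private-dev)
 .br
@@ -1460,15 +1471,8 @@ Example:
 $ firejail --no3d firefox
 
 .TP
-\fB\-\-noautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noautopulse firefox
+\fB\-\-noautopulse \fR(deprecated)
+See --keep-config-pulse.
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename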
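diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index a9a32e9d4..f1a19b86d 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -98,6 +98,7 @@ _firejail_args=(
  '*--ignore=-[ignore command in profile files]: :'
  '--ipc-namespace[enable a new IPC namespace]'
  '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+ '--keep-config-pulse[disable automatic ~/.config/pulse init]'
  '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
  '--keep-var-tmp[/var/tmp directory is untouched]'
  '--machine-id[preserve /etc/machine-id]'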