diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-12-10 13:11:18 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-12-10 14:04:30 -0300 |
| commit | b0290153afba7d0d13579a2af45d37587330335c (patch) | |
| tree | 0ddbe1dcb8e12c6cf4cbce7512b375c02e756ac1 /src/zsh_completion | |
| parent | profstats fix (#4733) (diff) | |
| download | firejail-b0290153afba7d0d13579a2af45d37587330335c.tar.gz firejail-b0290153afba7d0d13579a2af45d37587330335c.tar.zst firejail-b0290153afba7d0d13579a2af45d37587330335c.zip | |
Revert "allow/deny in zsh completion"
Diffstat (limited to 'src/zsh_completion')
| -rw-r--r-- | src/zsh_completion/_firejail.in | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 6ce71aed8..8c1d758cc 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
| @@ -48,8 +48,8 @@ _firejail_args=( | |||
| 48 | '*::arguments:_normal' | 48 | '*::arguments:_normal' |
| 49 | 49 | ||
| 50 | '--appimage[sandbox an AppImage application]' | 50 | '--appimage[sandbox an AppImage application]' |
| 51 | '--build[build a profile for the application and print it on stdout]' | 51 | '--build[build a whitelisted profile for the application and print it on stdout]' |
| 52 | '--build=-[build a profile for the application and save it]: :_files' | 52 | '--build=-[build a whitelisted profile for the application and save it]: :_files' |
| 53 | # Ignore that you can do -? too as it's the only short option | 53 | # Ignore that you can do -? too as it's the only short option |
| 54 | '--help[this help screen]' | 54 | '--help[this help screen]' |
| 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' | 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' |
| @@ -66,14 +66,14 @@ _firejail_args=( | |||
| 66 | '--ids-init[initialize IDS database]' | 66 | '--ids-init[initialize IDS database]' |
| 67 | 67 | ||
| 68 | '--debug[print sandbox debug messages]' | 68 | '--debug[print sandbox debug messages]' |
| 69 | '--debug-allow[debug file system access]' | 69 | '--debug-blacklists[debug blacklisting]' |
| 70 | '--debug-caps[print all recognized capabilities]' | 70 | '--debug-caps[print all recognized capabilities]' |
| 71 | '--debug-deny[debug file system access]' | ||
| 72 | '--debug-errnos[print all recognized error numbers]' | 71 | '--debug-errnos[print all recognized error numbers]' |
| 73 | '--debug-private-lib[debug for --private-lib option]' | 72 | '--debug-private-lib[debug for --private-lib option]' |
| 74 | '--debug-protocols[print all recognized protocols]' | 73 | '--debug-protocols[print all recognized protocols]' |
| 75 | '--debug-syscalls[print all recognized system calls]' | 74 | '--debug-syscalls[print all recognized system calls]' |
| 76 | '--debug-syscalls32[print all recognized 32 bit system calls]' | 75 | '--debug-syscalls32[print all recognized 32 bit system calls]' |
| 76 | '--debug-whitelists[debug whitelisting]' | ||
| 77 | 77 | ||
| 78 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' | 78 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' |
| 79 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | 79 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' |
| @@ -86,13 +86,13 @@ _firejail_args=( | |||
| 86 | '--allusers[all user home directories are visible inside the sandbox]' | 86 | '--allusers[all user home directories are visible inside the sandbox]' |
| 87 | # Should be _files, a comma and files or files -/ | 87 | # Should be _files, a comma and files or files -/ |
| 88 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | 88 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' |
| 89 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
| 89 | '--caps[enable default Linux capabilities filter]' | 90 | '--caps[enable default Linux capabilities filter]' |
| 90 | '--caps.drop=all[drop all capabilities]' | 91 | '--caps.drop=all[drop all capabilities]' |
| 91 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' | 92 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' |
| 92 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' | 93 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' |
| 93 | '--cgroup=-[place the sandbox in the specified control group]: :' | 94 | '--cgroup=-[place the sandbox in the specified control group]: :' |
| 94 | '--cpu=-[set cpu affinity]: :->cpus' | 95 | '--cpu=-[set cpu affinity]: :->cpus' |
| 95 | '*--deny=-[deny access to directory or file]: :_files' | ||
| 96 | "--deterministic-exit-code[always exit with first child's status code]" | 96 | "--deterministic-exit-code[always exit with first child's status code]" |
| 97 | '--deterministic-shutdown[terminate orphan processes]' | 97 | '--deterministic-shutdown[terminate orphan processes]' |
| 98 | '*--dns=-[set DNS server]: :' | 98 | '*--dns=-[set DNS server]: :' |
| @@ -116,7 +116,7 @@ _firejail_args=( | |||
| 116 | '--nice=-[set nice value]: :(1 10 15 20)' | 116 | '--nice=-[set nice value]: :(1 10 15 20)' |
| 117 | '--no3d[disable 3D hardware acceleration]' | 117 | '--no3d[disable 3D hardware acceleration]' |
| 118 | '--noautopulse[disable automatic ~/.config/pulse init]' | 118 | '--noautopulse[disable automatic ~/.config/pulse init]' |
| 119 | '--nodeny=-[disable deny command for file or directory]: :_files' | 119 | '--noblacklist=-[disable blacklist for file or directory]: :_files' |
| 120 | '--nodbus[disable D-Bus access]' | 120 | '--nodbus[disable D-Bus access]' |
| 121 | '--nodvd[disable DVD and audio CD devices]' | 121 | '--nodvd[disable DVD and audio CD devices]' |
| 122 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | 122 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' |
| @@ -147,13 +147,13 @@ _firejail_args=( | |||
| 147 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | 147 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' |
| 148 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | 148 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' |
| 149 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' | 149 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' |
| 150 | '--seccomp[enable seccomp filter and drop the default syscalls]: :' | 150 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' |
| 151 | '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp' | 151 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' |
| 152 | '--seccomp.block-secondary[build only the native architecture filters]' | 152 | '--seccomp.block-secondary[build only the native architecture filters]' |
| 153 | '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp' | 153 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' |
| 154 | '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp' | 154 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' |
| 155 | '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' | 155 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' |
| 156 | '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' | 156 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' |
| 157 | # FIXME: Add errnos | 157 | # FIXME: Add errnos |
| 158 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | 158 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' |
| 159 | '--shell=none[run the program directly without a user shell]' | 159 | '--shell=none[run the program directly without a user shell]' |
| @@ -161,7 +161,7 @@ _firejail_args=( | |||
| 161 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' | 161 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' |
| 162 | #'(--tracelog)--trace[trace open, access and connect system calls]' | 162 | #'(--tracelog)--trace[trace open, access and connect system calls]' |
| 163 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | 163 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' |
| 164 | '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]' | 164 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' |
| 165 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' | 165 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' |
| 166 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | 166 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' |
| 167 | '--writable-var[/var directory is mounted read-write]' | 167 | '--writable-var[/var directory is mounted read-write]' |
| @@ -255,8 +255,8 @@ _firejail_args=( | |||
| 255 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 255 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
| 256 | #endif | 256 | #endif |
| 257 | 257 | ||
| 258 | '*--noallow=-[disable allow command for file or directory]: :_files' | 258 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' |
| 259 | '*--allow=-[allow file system access]: :_files' | 259 | '*--whitelist=-[whitelist directory or file]: :_files' |
| 260 | 260 | ||
| 261 | #ifdef HAVE_X11 | 261 | #ifdef HAVE_X11 |
| 262 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | 262 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' |