diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-07-07 12:01:48 +0200 |
|---|---|---|
| committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-07-07 12:01:48 +0200 |
| commit | 1021fb9e5d32a48698c0c8c913d44a048b12db7f (patch) | |
| tree | 9cb4e19f58b74a6a399e838b1369a82ec8555cb2 /src/zsh_completion | |
| parent | allow/deny fbuilder (diff) | |
| download | firejail-1021fb9e5d32a48698c0c8c913d44a048b12db7f.tar.gz firejail-1021fb9e5d32a48698c0c8c913d44a048b12db7f.tar.zst firejail-1021fb9e5d32a48698c0c8c913d44a048b12db7f.zip | |
allow/deny in zsh completion
Diffstat (limited to 'src/zsh_completion')
| -rw-r--r-- | src/zsh_completion/_firejail.in | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index cede9c101..b703783b0 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
| @@ -48,8 +48,8 @@ _firejail_args=( | |||
| 48 | '*::arguments:_normal' | 48 | '*::arguments:_normal' |
| 49 | 49 | ||
| 50 | '--appimage[sandbox an AppImage application]' | 50 | '--appimage[sandbox an AppImage application]' |
| 51 | '--build[build a whitelisted profile for the application and print it on stdout]' | 51 | '--build[build a profile for the application and print it on stdout]' |
| 52 | '--build=-[build a whitelisted profile for the application and save it]: :_files' | 52 | '--build=-[build a profile for the application and save it]: :_files' |
| 53 | # Ignore that you can do -? too as it's the only short option | 53 | # Ignore that you can do -? too as it's the only short option |
| 54 | '--help[this help screen]' | 54 | '--help[this help screen]' |
| 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' | 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' |
| @@ -63,14 +63,14 @@ _firejail_args=( | |||
| 63 | '--version[print program version and exit]' | 63 | '--version[print program version and exit]' |
| 64 | 64 | ||
| 65 | '--debug[print sandbox debug messages]' | 65 | '--debug[print sandbox debug messages]' |
| 66 | '--debug-blacklists[debug blacklisting]' | 66 | '--debug-allow[debug file system access]' |
| 67 | '--debug-caps[print all recognized capabilities]' | 67 | '--debug-caps[print all recognized capabilities]' |
| 68 | '--debug-deny[debug file system access]' | ||
| 68 | '--debug-errnos[print all recognized error numbers]' | 69 | '--debug-errnos[print all recognized error numbers]' |
| 69 | '--debug-private-lib[debug for --private-lib option]' | 70 | '--debug-private-lib[debug for --private-lib option]' |
| 70 | '--debug-protocols[print all recognized protocols]' | 71 | '--debug-protocols[print all recognized protocols]' |
| 71 | '--debug-syscalls[print all recognized system calls]' | 72 | '--debug-syscalls[print all recognized system calls]' |
| 72 | '--debug-syscalls32[print all recognized 32 bit system calls]' | 73 | '--debug-syscalls32[print all recognized 32 bit system calls]' |
| 73 | '--debug-whitelists[debug whitelisting]' | ||
| 74 | 74 | ||
| 75 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' | 75 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' |
| 76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | 76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' |
| @@ -83,13 +83,13 @@ _firejail_args=( | |||
| 83 | '--allusers[all user home directories are visible inside the sandbox]' | 83 | '--allusers[all user home directories are visible inside the sandbox]' |
| 84 | # Should be _files, a comma and files or files -/ | 84 | # Should be _files, a comma and files or files -/ |
| 85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | 85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' |
| 86 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
| 87 | '--caps[enable default Linux capabilities filter]' | 86 | '--caps[enable default Linux capabilities filter]' |
| 88 | '--caps.drop=all[drop all capabilities]' | 87 | '--caps.drop=all[drop all capabilities]' |
| 89 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' | 88 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' |
| 90 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' | 89 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' |
| 91 | '--cgroup=-[place the sandbox in the specified control group]: :' | 90 | '--cgroup=-[place the sandbox in the specified control group]: :' |
| 92 | '--cpu=-[set cpu affinity]: :->cpus' | 91 | '--cpu=-[set cpu affinity]: :->cpus' |
| 92 | '*--deny=-[deny access to directory or file]: :_files' | ||
| 93 | "--deterministic-exit-code[always exit with first child's status code]" | 93 | "--deterministic-exit-code[always exit with first child's status code]" |
| 94 | '*--dns=-[set DNS server]: :' | 94 | '*--dns=-[set DNS server]: :' |
| 95 | '*--env=-[set environment variable]: :' | 95 | '*--env=-[set environment variable]: :' |
| @@ -112,7 +112,7 @@ _firejail_args=( | |||
| 112 | '--nice=-[set nice value]: :(1 10 15 20)' | 112 | '--nice=-[set nice value]: :(1 10 15 20)' |
| 113 | '--no3d[disable 3D hardware acceleration]' | 113 | '--no3d[disable 3D hardware acceleration]' |
| 114 | '--noautopulse[disable automatic ~/.config/pulse init]' | 114 | '--noautopulse[disable automatic ~/.config/pulse init]' |
| 115 | '--noblacklist=-[disable blacklist for file or directory]: :_files' | 115 | '--nodeny=-[disable deny command for file or directory]: :_files' |
| 116 | '--nodbus[disable D-Bus access]' | 116 | '--nodbus[disable D-Bus access]' |
| 117 | '--nodvd[disable DVD and audio CD devices]' | 117 | '--nodvd[disable DVD and audio CD devices]' |
| 118 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | 118 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' |
| @@ -143,13 +143,13 @@ _firejail_args=( | |||
| 143 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | 143 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' |
| 144 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | 144 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' |
| 145 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' | 145 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' |
| 146 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' | 146 | '--seccomp[enable seccomp filter and drop the default syscalls]: :' |
| 147 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' | 147 | '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp' |
| 148 | '--seccomp.block-secondary[build only the native architecture filters]' | 148 | '--seccomp.block-secondary[build only the native architecture filters]' |
| 149 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' | 149 | '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp' |
| 150 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' | 150 | '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp' |
| 151 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | 151 | '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' |
| 152 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | 152 | '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' |
| 153 | # FIXME: Add errnos | 153 | # FIXME: Add errnos |
| 154 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | 154 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' |
| 155 | '--shell=none[run the program directly without a user shell]' | 155 | '--shell=none[run the program directly without a user shell]' |
| @@ -157,7 +157,7 @@ _firejail_args=( | |||
| 157 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' | 157 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' |
| 158 | #'(--tracelog)--trace[trace open, access and connect system calls]' | 158 | #'(--tracelog)--trace[trace open, access and connect system calls]' |
| 159 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | 159 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' |
| 160 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | 160 | '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]' |
| 161 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' | 161 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' |
| 162 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | 162 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' |
| 163 | '--writable-var[/var directory is mounted read-write]' | 163 | '--writable-var[/var directory is mounted read-write]' |
| @@ -251,8 +251,8 @@ _firejail_args=( | |||
| 251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
| 252 | #endif | 252 | #endif |
| 253 | 253 | ||
| 254 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | 254 | '*--noallow=-[disable allow command for file or directory]: :_files' |
| 255 | '*--whitelist=-[whitelist directory or file]: :_files' | 255 | '*--allow=-[allow file system access]: :_files' |
| 256 | 256 | ||
| 257 | #ifdef HAVE_X11 | 257 | #ifdef HAVE_X11 |
| 258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | 258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' |