Merge pull request #4038 from rusty-snake/zsh-comp-improvements

Zsh completion improvements

1 files changed, 198 insertions, 161 deletions

diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index f58f0d4b9..fd27bb35f 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -1,5 +1,8 @@
 #compdef firejail
 
+# Documentation: man 1 zshcompsys
+# HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org
+
 _all_firejails() {
     local -a _all_firejails_list
     for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do
@@ -16,7 +19,7 @@ _all_cpus() {
 }
 
 _profiles() {
-    print $1/*.profile | sed -E "s;^$1/;;g;s;\.profile$;;g;"
+    print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;"
 }
 _profiles_with_ext() {
     print $1/*.profile
@@ -26,15 +29,40 @@ _all_profiles() {
     _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .)
 }
 
+_session_bus_names() {
+    _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1)
+    # Alternatives to hack on for non-systemd systems:
+    #  dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames
+    #  ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service
+}
+
+_system_bus_names() {
+    _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1)
+}
+
+_caps() {
+    _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')
+}
+
 _firejail_args=(
     '*::arguments:_normal'
-    '(--profile)'{--profile=,--profile=}'[use a custom profile]: :_all_profiles'
-    '--caps[enable default Linux capabilities filter]'
-    '(--caps.drop)'{--caps.drop=,--caps.drop=}'[drop capabilities: all|cap1,cap2,...]: :->caps_drop'
-    '(--caps.keep)'{--caps.keep=,--caps.keep=}'[keep capabilities: cap1,cap2,...]: :->caps_keep'
-    '(--caps.print)'{--caps.print=,--caps.print=}'[print the caps filter name|pid]:firejail:_all_firejails'
-    '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
-    '(--debug)'{--debug,--debug}'[print sandbox debug messages]'
+
+    '--appimage[sandbox an AppImage application]'
+    '--build[build a whitelisted profile for the application and print it on stdout]'
+    '--build=-[build a whitelisted profile for the application and save it]: :_files'
+    # Ignore that you can do -? too as it's the only short option
+    '--help[this help screen]'
+    '--join=-[join the sandbox name|pid]: :_all_firejails'
+    '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails'
+    '--list[list all sandboxes]'
+    '(--profile)--noprofile[do not use a security profile]'
+    '(--noprofile)--profile=-[use a custom profile]: :_all_profiles'
+    '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails'
+    '--top[monitor the most CPU-intensive sandboxes]'
+    '--tree[print a tree of all sandboxed processes]'
+    '--version[print program version and exit]'
+
+    '--debug[print sandbox debug messages]'
     '--debug-blacklists[debug blacklisting]'
     '--debug-caps[print all recognized capabilities]'
     '--debug-errnos[print all recognized error numbers]'
@@ -43,197 +71,200 @@ _firejail_args=(
     '--debug-syscalls[print all recognized system calls]'
     '--debug-syscalls32[print all recognized 32 bit system calls]'
     '--debug-whitelists[debug whitelisting]'
-    # Ignore that you can do -? too as it's the only short option
-    '(--help)'{--help,--help}'[this help screen]'
+
+    '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
+    '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
+    '--fs.print=-[print the filesystem log name|pid]: :_all_firejails'
+    '--profile.print=-[print the name of profile file name|pid]: :_all_firejails'
+    '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails'
+    '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails'
+
+    '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
     '--allusers[all user home directories are visible inside the sandbox]'
-    '--appimage[sandbox an AppImage application]'
-    '--private[temporary home directory]'
-    '(--private)'{--private=,--private=}'[use directory as user home]: : _files -/'
-    '--seccomp[enable seccomp filter and apply the default blacklist]'
-    '(--seccomp=)'{--seccomp=,--seccomp=}'[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:'
-    '(--seccomp.print)'{--seccomp.print=,--seccomp.print=}'[print the seccomp filter for the sandbox identified by name|pid]: : _all_firejails'
-    '--seccomp.block-secondary[build only the native architecture filters]'
-    '(--seccomp.drop)'{--seccomp.drop=,--seccomp.drop=}'[enable seccomp filter, and blacklist the syscalls specified by the command]: :'
-    '(--seccomp.keep)'{--seccomp.keep=,--seccomp.keep=}'[enable seccomp filter, and whitelist the syscalls specified by the command]: :'
-    '(--seccomp.32.drop)'{--seccomp.32.drop=,--seccomp.32.drop=}'[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
-    '(--seccomp.32.keep)'{--seccomp.32.keep=,--seccomp.32.keep=}'[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
-    '(--seccomp-error-action)'{--seccomp-error-action=,--seccomp-error-action=}'[change error code, kill process or log the attempt]: :(ERRNO kill log)'
+    # Should be _files, a comma and files or files -/
+    '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
+    '*--blacklist=-[blacklist directory or file]: :_files'
+    '--caps[enable default Linux capabilities filter]'
+    '--caps.drop=all[drop all capabilities]'
+    '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
+    '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
+    '--cgroup=-[place the sandbox in the specified control group]: :'
+    '--cpu=-[set cpu affinity]: :->cpus'
+    "--deterministic-exit-code[always exit with first child's status code]"
+    '*--dns=-[set DNS server]: :'
+    '*--env=-[set environment variable]: :'
+    '--hostname=-[set sandbox hostname]: :'
+    '--hosts-file=-[use file as /etc/hosts]: :_files'
+    '*--ignore=-[ignore command in profile files]: :'
+    '--ipc-namespace[enable a new IPC namespace]'
+    '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+    '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
+    '--keep-var-tmp[/var/tmp directory is untouched]'
+    '--machine-id[preserve /etc/machine-id]'
     '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
-    '*'{--blacklist=,--blacklist=}'[blacklist directory or file]: : _files'
-    '--writable-etc[/etc directory is mounted read-write]'
-    '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
-    '--writable-var[/var directory is mounted read-write]'
-    '--writable-var-log[use the real /var/log directory, not a clone]'
-    '--build[build a whitelisted profile for the application and print it on stdout]'
-    '(--build)'{--build=,--build=}'[build a whitelisted profile for the application and save it]: : _files'
-    '(--fs.print)'{--fs.print=,--fs.print=}'[print the filesystem log name|pid]: : _all_firejails'
-    '(--join)'{--join=,--join=}'[join the sandbox name|pid]: : _all_firejails'
-    '(--join-filesystem)'{--join-filesystem=,--join-filesystem=}'[join the mount namespace name|pid]: : _all_firejails'
-    '(--profile.print)'{--profile.print=,--profile.print=}'[print the name of profile file name|pid]: : _all_firejails'
-    '(--protocol.print)'{--protocol.print=,--protocol.print=}'[print the protocol filter name|pid]: : _all_firejails'
-    '(--shutdown)'{--shutdown=,--shutdown=}'[shutdown the sandbox identified by name|pid]: : _all_firejails'
-    '(--cat)'{--cat=,--cat=}'[print content of file from sandbox container name|pid]: : _all_firejails'
-    '(--cpu.print)'{--cpu.print=,--cpu.print=}'[print the cpus in use name|pid]: : _all_firejails'
-    '--list[list all sandboxes]'
-    '(--dns)'{--dns=,--dns=}'[set DNS server]: :'
     '*--mkdir=-[create a directory]:'
     '*--mkfile=-[create a file]:'
-    '(--protocol)'{--protocol=,--protocol=}'[enable protocol filter]: :'
-    '(--join-or-start)'{--join-or-start=,--join-or-start=}'[join the sandbox or start a new one name|pid]: : _all_firejails'
-    '(--hosts-file)'{--hosts-file=,--hosts-file=}'[use file as /etc/hosts]: : _files'
-    '--shell=none[run the program directly without a user shell]'
-    '(--shell)'{--shell=,--shell=}'[set default user shell]: : _files -g "*(*)"'
-    '(--output)'{--output=,--output=}'[stdout logging and log rotation]: : _files'
-    '(--output-stderr)'{--output-stderr=,--output-stderr=}'[stdout and stderr logging and log rotation]: : _files'
+    '--name=-[set sandbox name]: :'
+    '--net=none[enable a new, unconnected network namespace]'
+    # Sample values as I don't think
+    # many would enjoy getting a list from -20..20
+    '--nice=-[set nice value]: :(1 10 15 20)'
     '--no3d[disable 3D hardware acceleration]'
+    '--noautopulse[disable automatic ~/.config/pulse init]'
+    '--noblacklist=-[disable blacklist for file or directory]: :_files'
+    '--nodbus[disable D-Bus access]'
     '--nodvd[disable DVD and audio CD devices]'
+    '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
     '--nogroups[disable supplementary groups]'
     '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
-    '--noprofile[do not use a security profile]'
-    '(--noexec)'{--noexec=,--noexec=}'[remount the file or directory noexec nosuid and nodev]: : _files'
-    '--ipc-namespace[enable a new IPC namespace]'
-    '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
-    '--keep-var-tmp[/var/tmp directory is untouched]'
-    '--top[monitor the most CPU-intensive sandboxes]'
-    '--trace[trace open, access and connect system calls]'
-    '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
-    '--tree[print a tree of all sandboxed processes]'
-    '(--cpu)'{--cpu=,--cpu=}'[set cpu affinity]: :->cpus'
+    '--nosound[disable sound system]'
+    '--nou2f[disable U2F devices]'
+    '--novideo[disable video devices]'
+    '--private[temporary home directory]'
+    '--private=-[use directory as user home]: :_files -/'
+    '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin'
+    '--private-cwd[do not inherit working directory inside jail]'
+    '--private-cwd=-[set working directory inside jail]: :_files -/'
     '--private-dev[create a new /dev directory with a small number of common device files]'
+    '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc'
+    '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt'
+    '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv'
     '--private-tmp[mount a tmpfs on top of /tmp directory]'
-    '--private-cwd[do not inherit working directory inside jail]'
-    '(--private-cwd)'{--private-cwd=,--private-cwd=}'[set working directory inside jail]: : _files -/'
-    '*'{--read-only=,--read-only=}'[set directory or file read-only]: : _files'
-    '*'{--read-write=,--read-write=}'[set directory or file read-write]: : _files'
-    '(--tmpfs)'{--tmpfs=,--tmpfs=}'[mount a tmpfs filesystem on directory dirname]: : _files -/'
-    '(--private-etc)'{--private-etc=,--private-etc=}'[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: : _files'
-    "--deterministic-exit-code[always exit with first child's status code]"
-    '--machine-id[preserve /etc/machine-id]'
-    # Sample values as I don't think
-    # many would enjoy getting a list from -20..20
-    '(--nice)'{--nice=,--nice=}'[set nice value]: :(1 10 15 20)'
-    # Should be _files, a comma and files or files -/
-    '*'{--bind=,--bind=}'[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
-    '(--cgroup)'{--cgroup=,--cgroup=}'[place the sandbox in the specified control group]: :'
-    '*'{--env=,--env=}'[set environment variable]: :'
-    '(--hostname)'{--hostname=,--hostname=}'[set sandbox hostname]: :'
-    '(--ignore)'{--ignore=,--ignore=}'[ignore command in profile files]: :'
-    '(--name)'{--name=,--name=}'[set sandbox name]: :'
-    '(--rlimit-as)'{--rlimit-as=,--rlimit-as=}"[set the maximum size of the process's virtual memory (address space) in bytes]: :"
-    '(--rlimit-cpu)'{--rlimit-cpu=,--rlimit-cpu=}'[set the maximum CPU time in seconds]: :'
-    '(--rlimit-fsize)'{--rlimit-fsize=,--rlimit-fsize=}'[set the maximum file size that can be created by a process]: :'
-    '(--rlimit-nofile)'{--rlimit-nofile=,--rlimit-nofile=}'[set the maximum number of files that can be opened by a process]: :'
-    '(--rlimit-nproc)'{--rlimit-nproc=,--rlimit-nproc=}'[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
-    '(--rlimit-sigpending)'{--rlimit-sigpending=,--rlimit-sigpending=}'[set the maximum number of pending signals for a process]: :'
-    '*'{--rmenv=,--rmenv=}'[remove environment variable in the new sandbox]: :'
-    '(--timeout)'{--timeout=,--timeout=}'[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)'
+    '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth'
     "--quiet[turn off Firejail's output.]"
-    '--version[print program version and exit]'
+    '*--read-only=-[set directory or file read-only]: :_files'
+    '*--read-write=-[set directory or file read-write]: :_files'
+    "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :"
+    '--rlimit-cpu=-[set the maximum CPU time in seconds]: :'
+    '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :'
+    '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :'
+    '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
+    '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
+    '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
+    '--seccomp[enable seccomp filter and apply the default blacklist]: :'
+    '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
+    '--seccomp.block-secondary[build only the native architecture filters]'
+    '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
+    # FIXME: Add errnos
+    '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
+    '--shell=none[run the program directly without a user shell]'
+    '--shell=-[set default user shell]: :_values $(cat /etc/shells)'
+    '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
+    #'(--tracelog)--trace[trace open, access and connect system calls]'
+    '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
+    '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
+    '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
+    '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
+    '--writable-var[/var directory is mounted read-write]'
+    '--writable-var-log[use the real /var/log directory, not a clone]'
+
 #ifdef HAVE_APPARMOR
     '--apparmor[enable AppArmor confinement]'
-    '(--apparmor.print=)'{--apparmor.print=,--apparmor.print=}'[print apparmor status name|pid]:firejail:_all_firejails'
+    '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif
+
 #ifdef HAVE_CHROOT
-    '(--chroot)'{--chroot=,--chroot=}'[chroot into directory]: : _files -/'
+    '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/'
 #endif
+
+#ifdef HAVE_DBUSPROXY
+    # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}.
+    # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl
+    '--dbus-log=-[set DBus log file location]: :_files'
+    '--dbus-system=-[set system DBus access policy]: :(filter none)'
+    '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names'
+    '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names'
+    '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names'
+    '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names'
+    '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names'
+    '--dbus-user=-[set session DBus access policy or none]: :(filter none)'
+    '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names'
+    '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names'
+    '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names'
+    '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names'
+    '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names'
+#endif
+
 #ifdef HAVE_FILE_TRANSFER
-    '(--get)'{--get=,--get=}'[get a file from sandbox container name|pid]: : _all_firejails'
+    '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails'
+    '--get=-[get a file from sandbox container name|pid]: :_all_firejails'
     # --put=name|pid src-filename dest-filename - put a file in sandbox container.
-    '(--put)'{--put=,--put=}'[put a file in sandbox container]: :'
-    '(--ls)'{--ls=,--ls=}'[list files in sandbox container name|pid]: : _all_firejails'
+    '--put=-[put a file in sandbox container]: :'
+    '--ls=-[list files in sandbox container name|pid]: :_all_firejails'
+#endif
+
+#ifdef HAVE_FIRETUNNEL
+    '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :'
 #endif
+
 #ifdef HAVE_NETWORK
-    # '--net=none[enable a new, unconnected network namespace]'
-    '(--net)'{--net=,--net=}'[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none'
-    '(--net.print)'{--net.print=,--net.print=}'[print network interface configuration name|pid]: : _all_firejails'
-    '(--netfilter.print)'{--netfilter.print=,--netfilter.print=}'[print the firewall name|pid]: : _all_firejails'
-    '(--netfilter6.print)'{--netfilter6.print=,--netfilter6.print=}'[print the IPv6 firewall name|pid]: : _all_firejails'
+    '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails'
+    '--defaultgw=[configure default gateway]: :'
+    '--dns.print=-[print DNS configuration name|pid]: :_all_firejails'
+    '--join-network=-[join the network namespace name|pid]: :_all_firejails'
+    '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)'
+    '--mtu=-[set interface MTU]: :'
+    '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none'
+    '--net.print=-[print network interface configuration name|pid]: :_all_firejails'
+    '--netfilter=-[enable firewall]: :'
+    '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
+    '--netfilter6=-[enable IPv6 firewall]: :'
+    '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
+    '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :'
+    '--netns=-[Run the program in a named, persistent network namespace]: :'
     '--netstats[monitor network statistics]'
-    '(--netmask)'{--netmask=,--netmask=}'[define a network mask when dealing with unconfigured parrent interfaces]: :'
-    '(--netns)'{--netns=,--netns=}'[Run the program in a named, persistent network namespace]: :'
-    '(--netfilter)'{--netfilter=,--netfilter=}'[enable firewall]: :'
-    '(--netfilter6)'{--netfilter6=,--netfilter6=}'[enable IPv6 firewall]: :'
-    '(--veth-name)'{--veth-name=,--veth-name=}'[use this name for the interface connected to the bridge]: :'
-    '(--join-network)'{--join-network=,--join-network=}'[join the network namespace name|pid]: : _all_firejails'
-    '(--defaultgw)'{--defaultgw=,--defaultgw=}'[configure default gateway]: :'
-    '(--ip)'{--ip=,--ip=}'[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)'
-    '(--dns.print)'{--dns.print=,--dns.print=}'[print DNS configuration name|pid]: : _all_firejails'
-    '(--interface)'{--interface=,--interface=}'[move interface in sandbox]: :'
-    '(--ip6)'{--ip6=,--ip6=}'[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)'
-    '(--iprange)'{--iprange=,--iprange=}'[configure an IP address in this range]: :'
-    '(--mac)'{--mac=,--mac=}'[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)'
-    '(--mtu)'{--mtu=,--mtu=}'[set interface MTU]: :'
+    '--interface=-[move interface in sandbox]: :'
+    '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)'
+    '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)'
+    '--iprange=-[configure an IP address in this range]: :'
     '--scan[ARP-scan all the networks from inside a network namespace]'
-    '(--bandwidth)'{--bandwidth=,--bandwidth=}'[set bandwidth limits name|pid]: : _all_firejails'
-#endif
-#ifdef HAVE_X11
-    '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
-    '(--x11)'{--x11=,--x11=}'[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)'
-    '(--xephyr-screen)'{--xephyr-screen=,--xephyr-screen=}'[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)'
+    '--veth-name=-[use this name for the interface connected to the bridge]: :'
 #endif
-#ifdef HAVE_USERNS
-    '--noroot[install a user namespace with only the current user]'
+
+#ifdef HAVE_OUTPUT
+    '--output=-[stdout logging and log rotation]: :_files'
+    '--output-stderr=-[stdout and stderr logging and log rotation]: :_files'
 #endif
-    '--nosound[disable sound system]'
-    '--noautopulse[disable automatic ~/.config/pulse init]'
-    '--novideo[disable video devices]'
-    '--nou2f[disable U2F devices]'
+
 #ifdef HAVE_OVERLAYFS
-    '--overlay[mount a filesystem overlay on top of the current filesystem]'
-    '(--overlay-named)'{--overlay-named=,--overlay-named=}'[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: : _files -/'
-    '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]'
+    '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]'
     '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]'
+    '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/'
+    '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]'
 #endif
-#ifdef HAVE_WHITELIST
-    '(--nowhitelist)'{--nowhitelist=,--nowhitelist=}'[disable whitelist for file or directory]: : _files'
-    '*'{--whitelist=,--whitelist=}'[whitelist directory or file]: : _files'
-#endif
-    '(--noblacklist)'{--noblacklist=,--noblacklist=}'[disable blacklist for file or directory]: : _files'
-#ifdef HAVE_DBUSPROXY
-    '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy or none]: :'
-    '(--dbus-system.broadcast)'{--dbus-system.broadcast=,--dbus-system.broadcast=}'[allow signals on the system DBus according to rule]: :'
-    '(--dbus-system.call)'{--dbus-system.call=,--dbus-system.call=}'[allow calls on the system DBus according to rule]: :'
-    '(--dbus-system.own)'{--dbus-system.own=,--dbus-system.own=}'[allow ownership of name on the system DBus]: :'
-    '(--dbus-system.see)'{--dbus-system.see=,--dbus-system.see=}'[allow seeing name on the system DBus]: :'
-    '(--dbus-system.talk)'{--dbus-system.talk=,--dbus-system.talk=}'[allow talking to name on the system DBus]: :'
-    '(--dbus-user)'{--dbus-user=,--dbus-user=}'[set session DBus access policy or none]: :'
-    '(--dbus-user.broadcast)'{--dbus-user.broadcast=,--dbus-user.broadcast=}'[allow signals on the session DBus according to rule]: :'
-    '(--dbus-user.call)'{--dbus-user.call=,--dbus-user.call=}'[allow calls on the session DBus according to rule]: :'
-    '(--dbus-user.see)'{--dbus-user.see=,--dbus-user.see=}'[allow seeing name on the session DBus]: :'
-    '(--dbus-user.talk)'{--dbus-user.talk=,--dbus-user.talk=}'[allow talking to name on the session DBus]: :'
-    '(--dbus-log)'{--dbus-log=,--dbus-log=}'[set DBus log file location]: : _files'
-    '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy]: :(filter none)'
-    '--dbus-user.log[turn on logging for the user DBus]'
-    '(--dbus-user.own)'{--dbus-user.own=,--dbus-user.own=}'[allow ownership of name on the session DBus]: :'
-    '--dbus-system.log[turn on logging for the system DBus]'
-    '--nodbus[disable D-Bus access]'
-#endif
+
 #ifdef HAVE_PRIVATE_HOME
-    '(--private-home)'{--private-home=,--private-home=}'[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :'
+    '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files'
+#endif
+
+#ifdef HAVE_USERNS
+    '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]'
 #endif
-    '(--private-bin)'{--private-bin=,--private-bin=}'[build a new /bin in a temporary filesystem, and copy the programs in the list]: :'
-    '(--private-opt)'{--private-opt=,--private-opt=}'[build a new /opt in a temporary filesystem]: :'
-    '(--private-srv)'{--private-srv=,--private-srv=}'[build a new /srv in a temporary filesystem]: :'
+
 #ifdef HAVE_USERTMPFS
     '--private-cache[temporary ~/.cache directory]'
+    '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
-#ifdef HAVE_FIRETUNNEL
-    '(--tunnel)'{--tunnel=,--tunnel=}'[connect the sandbox to a tunnel created by firetunnel utility]: :'
+
+#ifdef HAVE_WHITELIST
+    '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
+    '*--whitelist=-[whitelist directory or file]: :_files'
 #endif
-    )
+
+#ifdef HAVE_X11
+    '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
+    '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)'
+    '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)'
+#endif
+)
 
 
 _firejail() {
     _arguments -S $_firejail_args
     case "$state" in
-        caps_drop)
-            local caps_and_all=(all $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}'))
-            _values -s "," 'caps_drop' $caps_and_all
-            ;;
-        caps_keep)
-            local caps=($(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}'))
-            _values -s "," 'caps_keep' $caps
-            ;;
         cpus)
             _values -s "," 'cpus' $(_all_cpus)
             ;;
@@ -242,5 +273,11 @@ _firejail() {
             local net_and_none=(none $netdevs)
             _values 'net' $net_and_none
             ;;
+        seccomp)
+            # TODO: syscall groups
+            _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2)
+            ;;
     esac
 }
+
+# vim: ft=zsh sw=4 ts=4 et sts=4 ai