author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-12-10 13:11:18 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-12-10 14:04:30 -0300 |
commit | b0290153afba7d0d13579a2af45d37587330335c (patch) | |
tree | 0ddbe1dcb8e12c6cf4cbce7512b375c02e756ac1 /src | |
parent | profstats fix (#4733) (diff) | |
Revert "allow/deny in zsh completion"
Diffstat (limited to 'src')
-rw-r--r-- | src/zsh_completion/_firejail.in | 30 |
1 files changed, 15 insertions, 15 deletions
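--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -48,8 +48,8 @@ _firejail_args=(
 '*::arguments:_normal'
 
 '--appimage[sandbox an AppImage application]'
-'--build[build a profile for the application and print it on stdout]'
-'--build=-[build a profile for the application and save it]: :_files'
+'--build[build a whitelisted profile for the application and print it on stdout]'
+'--build=-[build a whitelisted profile for the application and save it]: :_files'
 # Ignore that you can do -? too as it's the only short option
 '--help[this help screen]'
 '--join=-[join the sandbox name|pid]: :_all_firejails'
@@ -66,14 +66,14 @@ _firejail_args=(
 '--ids-init[initialize IDS database]'
 
 '--debug[print sandbox debug messages]'
-'--debug-allow[debug file system access]'
+'--debug-blacklists[debug blacklisting]'
 '--debug-caps[print all recognized capabilities]'
-'--debug-deny[debug file system access]'
 '--debug-errnos[print all recognized error numbers]'
 '--debug-private-lib[debug for --private-lib option]'
 '--debug-protocols[print all recognized protocols]'
 '--debug-syscalls[print all recognized system calls]'
 '--debug-syscalls32[print all recognized 32 bit system calls]'
+'--debug-whitelists[debug whitelisting]'
 
 '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
 '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
@@ -86,13 +86,13 @@ _firejail_args=(
 '--allusers[all user home directories are visible inside the sandbox]'
 # Should be _files, a comma and files or files -/
 '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
+'*--blacklist=-[blacklist directory or file]: :_files'
 '--caps[enable default Linux capabilities filter]'
 '--caps.drop=all[drop all capabilities]'
 '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
 '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
 '--cgroup=-[place the sandbox in the specified control group]: :'
 '--cpu=-[set cpu affinity]: :->cpus'
-'*--deny=-[deny access to directory or file]: :_files'
 "--deterministic-exit-code[always exit with first child's status code]"
 '--deterministic-shutdown[terminate orphan processes]'
 '*--dns=-[set DNS server]: :'
@@ -116,7 +116,7 @@ _firejail_args=(
 '--nice=-[set nice value]: :(1 10 15 20)'
 '--no3d[disable 3D hardware acceleration]'
 '--noautopulse[disable automatic ~/.config/pulse init]'
-'--nodeny=-[disable deny command for file or directory]: :_files'
+'--noblacklist=-[disable blacklist for file or directory]: :_files'
 '--nodbus[disable D-Bus access]'
 '--nodvd[disable DVD and audio CD devices]'
 '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
@@ -147,13 +147,13 @@ _firejail_args=(
 '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
 '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
 '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
-'--seccomp[enable seccomp filter and drop the default syscalls]: :'
-'--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp'
+'--seccomp[enable seccomp filter and apply the default blacklist]: :'
+'--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
 '--seccomp.block-secondary[build only the native architecture filters]'
-'*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp'
-'*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp'
-'*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
-'*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+'*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
+'*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
+'*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+'*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
 # FIXME: Add errnos
 '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
 '--shell=none[run the program directly without a user shell]'
@@ -161,7 +161,7 @@ _firejail_args=(
 '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
 #'(--tracelog)--trace[trace open, access and connect system calls]'
 '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
-'(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]'
+'(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
 '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
 '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
 '--writable-var[/var directory is mounted read-write]'
@@ -255,8 +255,8 @@ _firejail_args=(
 '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-'*--noallow=-[disable allow command for file or directory]: :_files'
-'*--allow=-[allow file system access]: :_files'
+'*--nowhitelist=-[disable whitelist for file or directory]: :_files'
+'*--whitelist=-[whitelist directory or file]: :_files'
 
 #ifdef HAVE_X11
 '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'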
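Review bot: On new-side line 150 the bare `--seccomp` spec still ends in `: :`, which in an `_arguments` optspec declares an argument taken from the following word. The argument-taking form is already covered by the separate `--seccomp=-` spec on line 151, so zsh will likely treat the word after a bare `--seccomp` as that option's value and offer nothing there, instead of completing the program name or further sandbox options. Since the description on this line is being rewritten anyway, the trailing part could be dropped: `'--seccomp[enable seccomp filter and apply the default blacklist]'`. The `_firejail_args=(` array starts and ends outside the hunks shown, so this is judged from the visible specs only.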