author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-07-07 12:01:48 +0200 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-07-07 12:01:48 +0200 |
commit | 1021fb9e5d32a48698c0c8c913d44a048b12db7f (patch) | |
tree | 9cb4e19f58b74a6a399e838b1369a82ec8555cb2 /src | |
parent | allow/deny fbuilder (diff) | |
allow/deny in zsh completion
Diffstat (limited to 'src')
-rw-r--r-- | src/zsh_completion/_firejail.in | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index cede9c101..b703783b0 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -48,8 +48,8 @@ _firejail_args=( | |||
48 | '*::arguments:_normal' | 48 | '*::arguments:_normal' |
49 | 49 | ||
50 | '--appimage[sandbox an AppImage application]' | 50 | '--appimage[sandbox an AppImage application]' |
51 | '--build[build a whitelisted profile for the application and print it on stdout]' | 51 | '--build[build a profile for the application and print it on stdout]' |
52 | '--build=-[build a whitelisted profile for the application and save it]: :_files' | 52 | '--build=-[build a profile for the application and save it]: :_files' |
53 | # Ignore that you can do -? too as it's the only short option | 53 | # Ignore that you can do -? too as it's the only short option |
54 | '--help[this help screen]' | 54 | '--help[this help screen]' |
55 | '--join=-[join the sandbox name|pid]: :_all_firejails' | 55 | '--join=-[join the sandbox name|pid]: :_all_firejails' |
@@ -63,14 +63,14 @@ _firejail_args=( | |||
63 | '--version[print program version and exit]' | 63 | '--version[print program version and exit]' |
64 | 64 | ||
65 | '--debug[print sandbox debug messages]' | 65 | '--debug[print sandbox debug messages]' |
66 | '--debug-blacklists[debug blacklisting]' | 66 | '--debug-allow[debug file system access]' |
67 | '--debug-caps[print all recognized capabilities]' | 67 | '--debug-caps[print all recognized capabilities]' |
68 | '--debug-deny[debug file system access]' | ||
68 | '--debug-errnos[print all recognized error numbers]' | 69 | '--debug-errnos[print all recognized error numbers]' |
69 | '--debug-private-lib[debug for --private-lib option]' | 70 | '--debug-private-lib[debug for --private-lib option]' |
70 | '--debug-protocols[print all recognized protocols]' | 71 | '--debug-protocols[print all recognized protocols]' |
71 | '--debug-syscalls[print all recognized system calls]' | 72 | '--debug-syscalls[print all recognized system calls]' |
72 | '--debug-syscalls32[print all recognized 32 bit system calls]' | 73 | '--debug-syscalls32[print all recognized 32 bit system calls]' |
73 | '--debug-whitelists[debug whitelisting]' | ||
74 | 74 | ||
75 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' | 75 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' |
76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | 76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' |
@@ -83,13 +83,13 @@ _firejail_args=( | |||
83 | '--allusers[all user home directories are visible inside the sandbox]' | 83 | '--allusers[all user home directories are visible inside the sandbox]' |
84 | # Should be _files, a comma and files or files -/ | 84 | # Should be _files, a comma and files or files -/ |
85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | 85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' |
86 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
87 | '--caps[enable default Linux capabilities filter]' | 86 | '--caps[enable default Linux capabilities filter]' |
88 | '--caps.drop=all[drop all capabilities]' | 87 | '--caps.drop=all[drop all capabilities]' |
89 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' | 88 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' |
90 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' | 89 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' |
91 | '--cgroup=-[place the sandbox in the specified control group]: :' | 90 | '--cgroup=-[place the sandbox in the specified control group]: :' |
92 | '--cpu=-[set cpu affinity]: :->cpus' | 91 | '--cpu=-[set cpu affinity]: :->cpus' |
92 | '*--deny=-[deny access to directory or file]: :_files' | ||
93 | "--deterministic-exit-code[always exit with first child's status code]" | 93 | "--deterministic-exit-code[always exit with first child's status code]" |
94 | '*--dns=-[set DNS server]: :' | 94 | '*--dns=-[set DNS server]: :' |
95 | '*--env=-[set environment variable]: :' | 95 | '*--env=-[set environment variable]: :' |
@@ -112,7 +112,7 @@ _firejail_args=( | |||
112 | '--nice=-[set nice value]: :(1 10 15 20)' | 112 | '--nice=-[set nice value]: :(1 10 15 20)' |
113 | '--no3d[disable 3D hardware acceleration]' | 113 | '--no3d[disable 3D hardware acceleration]' |
114 | '--noautopulse[disable automatic ~/.config/pulse init]' | 114 | '--noautopulse[disable automatic ~/.config/pulse init]' |
115 | '--noblacklist=-[disable blacklist for file or directory]: :_files' | 115 | '--nodeny=-[disable deny command for file or directory]: :_files' |
116 | '--nodbus[disable D-Bus access]' | 116 | '--nodbus[disable D-Bus access]' |
117 | '--nodvd[disable DVD and audio CD devices]' | 117 | '--nodvd[disable DVD and audio CD devices]' |
118 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | 118 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' |
@@ -143,13 +143,13 @@ _firejail_args=( | |||
143 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | 143 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' |
144 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | 144 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' |
145 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' | 145 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' |
146 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' | 146 | '--seccomp[enable seccomp filter and drop the default syscalls]: :' |
147 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' | 147 | '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp' |
148 | '--seccomp.block-secondary[build only the native architecture filters]' | 148 | '--seccomp.block-secondary[build only the native architecture filters]' |
149 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' | 149 | '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp' |
150 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' | 150 | '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp' |
151 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | 151 | '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' |
152 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | 152 | '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :' |
153 | # FIXME: Add errnos | 153 | # FIXME: Add errnos |
154 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | 154 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' |
155 | '--shell=none[run the program directly without a user shell]' | 155 | '--shell=none[run the program directly without a user shell]' |
@@ -157,7 +157,7 @@ _firejail_args=( | |||
157 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' | 157 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' |
158 | #'(--tracelog)--trace[trace open, access and connect system calls]' | 158 | #'(--tracelog)--trace[trace open, access and connect system calls]' |
159 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | 159 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' |
160 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | 160 | '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]' |
161 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' | 161 | '(--private-etc)--writable-etc[/etc directory is mounted read-write]' |
162 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | 162 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' |
163 | '--writable-var[/var directory is mounted read-write]' | 163 | '--writable-var[/var directory is mounted read-write]' |
@@ -251,8 +251,8 @@ _firejail_args=( | |||
251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 251 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
252 | #endif | 252 | #endif |
253 | 253 | ||
254 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | 254 | '*--noallow=-[disable allow command for file or directory]: :_files' |
255 | '*--whitelist=-[whitelist directory or file]: :_files' | 255 | '*--allow=-[allow file system access]: :_files' |
256 | 256 | ||
257 | #ifdef HAVE_X11 | 257 | #ifdef HAVE_X11 |
258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | 258 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' |
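Review bot: The new description for `--seccomp.32.keep` (new line 152) says the filter will "drop the 32 bit syscalls specified by the command", which inverts the option's meaning. The old text said "whitelist", and the 64-bit sibling `--seccomp.keep` at new line 150 was correctly changed to "allow". The entry should read `'*--seccomp.32.keep=-[enable seccomp filter, and allow the 32 bit syscalls specified by the command]: :'`, so that someone choosing it from the completion menu does not mistake an allow-list for a deny-list. Separately, `--tracelog` (new line 160) now says "dropped by the security profile" while the rest of this commit uses deny for file access, so "denied" would be consistent. `--debug-allow` and `--debug-deny` also share the identical description "debug file system access", which makes them indistinguishable in the menu.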