author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-03-01 20:21:42 +0100 |
---|---|---|
committer | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2021-03-01 20:21:42 +0100 |
commit | c88dbab01db934b36bb13f23f433b3c02852ced1 (patch) | |
tree | 22e8c6da022354fef2debe0904ced44857b13fdf /src | |
parent | zsh-comp: Use easiery syntax (diff) | |
zsh-comp: order and sort
Diffstat (limited to 'src')
-rw-r--r-- | src/zsh_completion/_firejail.in | 274 |
1 files changed, 145 insertions, 129 deletions
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 3640ab129..6d8ed3cfc 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -28,12 +28,22 @@ _all_profiles() { | |||
28 | 28 | ||
29 | _firejail_args=( | 29 | _firejail_args=( |
30 | '*::arguments:_normal' | 30 | '*::arguments:_normal' |
31 | |||
32 | '--appimage[sandbox an AppImage application]' | ||
33 | '--build[build a whitelisted profile for the application and print it on stdout]' | ||
34 | '--build=-[build a whitelisted profile for the application and save it]: :_files' | ||
35 | # Ignore that you can do -? too as it's the only short option | ||
36 | '--help[this help screen]' | ||
37 | '--join=-[join the sandbox name|pid]: :_all_firejails' | ||
38 | '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' | ||
39 | '--list[list all sandboxes]' | ||
40 | '--noprofile[do not use a security profile]' | ||
31 | '--profile=-[use a custom profile]: :_all_profiles' | 41 | '--profile=-[use a custom profile]: :_all_profiles' |
32 | '--caps[enable default Linux capabilities filter]' | 42 | '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' |
33 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :->caps_drop' | 43 | '--top[monitor the most CPU-intensive sandboxes]' |
34 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :->caps_keep' | 44 | '--tree[print a tree of all sandboxed processes]' |
35 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' | 45 | '--version[print program version and exit]' |
36 | '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' | 46 | |
37 | '--debug[print sandbox debug messages]' | 47 | '--debug[print sandbox debug messages]' |
38 | '--debug-blacklists[debug blacklisting]' | 48 | '--debug-blacklists[debug blacklisting]' |
39 | '--debug-caps[print all recognized capabilities]' | 49 | '--debug-caps[print all recognized capabilities]' |
@@ -43,184 +53,190 @@ _firejail_args=( | |||
43 | '--debug-syscalls[print all recognized system calls]' | 53 | '--debug-syscalls[print all recognized system calls]' |
44 | '--debug-syscalls32[print all recognized 32 bit system calls]' | 54 | '--debug-syscalls32[print all recognized 32 bit system calls]' |
45 | '--debug-whitelists[debug whitelisting]' | 55 | '--debug-whitelists[debug whitelisting]' |
46 | # Ignore that you can do -? too as it's the only short option | 56 | |
47 | '--help[this help screen]' | 57 | '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' |
48 | '--allusers[all user home directories are visible inside the sandbox]' | 58 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' |
49 | '--appimage[sandbox an AppImage application]' | ||
50 | '--private[temporary home directory]' | ||
51 | '--private=-[use directory as user home]: :_files -/' | ||
52 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' | ||
53 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' | ||
54 | '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails' | ||
55 | '--seccomp.block-secondary[build only the native architecture filters]' | ||
56 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :' | ||
57 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :' | ||
58 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | ||
59 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | ||
60 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(ERRNO kill log)' | ||
61 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | ||
62 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
63 | '--writable-etc[/etc directory is mounted read-write]' | ||
64 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | ||
65 | '--writable-var[/var directory is mounted read-write]' | ||
66 | '--writable-var-log[use the real /var/log directory, not a clone]' | ||
67 | '--build[build a whitelisted profile for the application and print it on stdout]' | ||
68 | '--build=-[build a whitelisted profile for the application and save it]: :_files' | ||
69 | '--fs.print=-[print the filesystem log name|pid]: :_all_firejails' | 59 | '--fs.print=-[print the filesystem log name|pid]: :_all_firejails' |
70 | '--join=-[join the sandbox name|pid]: :_all_firejails' | ||
71 | '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' | ||
72 | '--profile.print=-[print the name of profile file name|pid]: :_all_firejails' | 60 | '--profile.print=-[print the name of profile file name|pid]: :_all_firejails' |
73 | '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails' | 61 | '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails' |
74 | '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' | 62 | '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails' |
75 | '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' | 63 | |
76 | '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' | 64 | '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' |
77 | '--list[list all sandboxes]' | 65 | '--allusers[all user home directories are visible inside the sandbox]' |
66 | # Should be _files, a comma and files or files -/ | ||
67 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | ||
68 | '*--blacklist=-[blacklist directory or file]: :_files' | ||
69 | '--caps[enable default Linux capabilities filter]' | ||
70 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :->caps_drop' | ||
71 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :->caps_keep' | ||
72 | '--cgroup=-[place the sandbox in the specified control group]: :' | ||
73 | '--cpu=-[set cpu affinity]: :->cpus' | ||
74 | "--deterministic-exit-code[always exit with first child's status code]" | ||
78 | '*--dns=-[set DNS server]: :' | 75 | '*--dns=-[set DNS server]: :' |
76 | '*--env=-[set environment variable]: :' | ||
77 | '--hostname=-[set sandbox hostname]: :' | ||
78 | '--hosts-file=-[use file as /etc/hosts]: :_files' | ||
79 | '*--ignore=-[ignore command in profile files]: :' | ||
80 | '--ipc-namespace[enable a new IPC namespace]' | ||
81 | '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' | ||
82 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | ||
83 | '--keep-var-tmp[/var/tmp directory is untouched]' | ||
84 | '--machine-id[preserve /etc/machine-id]' | ||
85 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | ||
79 | '*--mkdir=-[create a directory]:' | 86 | '*--mkdir=-[create a directory]:' |
80 | '*--mkfile=-[create a file]:' | 87 | '*--mkfile=-[create a file]:' |
81 | '*--protocol=-[enable protocol filter]: :' | 88 | '--name=-[set sandbox name]: :' |
82 | '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' | 89 | # Sample values as I don't think |
83 | '--hosts-file=-[use file as /etc/hosts]: :_files' | 90 | # many would enjoy getting a list from -20..20 |
84 | '--shell=none[run the program directly without a user shell]' | 91 | '--nice=-[set nice value]: :(1 10 15 20)' |
85 | '--shell=-[set default user shell]: :_files -g "*(*)"' | ||
86 | '--output=-[stdout logging and log rotation]: :_files' | ||
87 | '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' | ||
88 | '--no3d[disable 3D hardware acceleration]' | 92 | '--no3d[disable 3D hardware acceleration]' |
93 | '--noautopulse[disable automatic ~/.config/pulse init]' | ||
94 | '--noblacklist=-[disable blacklist for file or directory]: :_files' | ||
95 | '--nodbus[disable D-Bus access]' | ||
89 | '--nodvd[disable DVD and audio CD devices]' | 96 | '--nodvd[disable DVD and audio CD devices]' |
97 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | ||
90 | '--nogroups[disable supplementary groups]' | 98 | '--nogroups[disable supplementary groups]' |
91 | '--nonewprivs[sets the NO_NEW_PRIVS prctl]' | 99 | '--nonewprivs[sets the NO_NEW_PRIVS prctl]' |
92 | '--noprofile[do not use a security profile]' | 100 | '--nosound[disable sound system]' |
93 | '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' | 101 | '--nou2f[disable U2F devices]' |
94 | '--ipc-namespace[enable a new IPC namespace]' | 102 | '--novideo[disable video devices]' |
95 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | 103 | '--private[temporary home directory]' |
96 | '--keep-var-tmp[/var/tmp directory is untouched]' | 104 | '--private=-[use directory as user home]: :_files -/' |
97 | '--top[monitor the most CPU-intensive sandboxes]' | 105 | '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' |
98 | '--trace[trace open, access and connect system calls]' | ||
99 | '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | ||
100 | '--tree[print a tree of all sandboxed processes]' | ||
101 | '--cpu=-[set cpu affinity]: :->cpus' | ||
102 | '--private-dev[create a new /dev directory with a small number of common device files]' | ||
103 | '--private-tmp[mount a tmpfs on top of /tmp directory]' | ||
104 | '--private-cwd[do not inherit working directory inside jail]' | 106 | '--private-cwd[do not inherit working directory inside jail]' |
105 | '--private-cwd=-[set working directory inside jail]: :_files -/' | 107 | '--private-cwd=-[set working directory inside jail]: :_files -/' |
108 | '--private-dev[create a new /dev directory with a small number of common device files]' | ||
109 | '*--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' | ||
110 | '--private-opt=-[build a new /opt in a temporary filesystem]: :' | ||
111 | '--private-srv=-[build a new /srv in a temporary filesystem]: :' | ||
112 | '--private-tmp[mount a tmpfs on top of /tmp directory]' | ||
113 | '*--protocol=-[enable protocol filter]: :' | ||
114 | "--quiet[turn off Firejail's output.]" | ||
106 | '*--read-only=-[set directory or file read-only]: :_files' | 115 | '*--read-only=-[set directory or file read-only]: :_files' |
107 | '*--read-write=-[set directory or file read-write]: :_files' | 116 | '*--read-write=-[set directory or file read-write]: :_files' |
108 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' | 117 | "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :" |
109 | '*--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' | 118 | '--rlimit-cpu=-[set the maximum CPU time in seconds]: :' |
110 | "--deterministic-exit-code[always exit with first child's status code]" | 119 | '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :' |
111 | '--machine-id[preserve /etc/machine-id]' | 120 | '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' |
112 | # Sample values as I don't think | 121 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' |
113 | # many would enjoy getting a list from -20..20 | 122 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' |
114 | '--nice=-[set nice value]: :(1 10 15 20)' | ||
115 | # Should be _files, a comma and files or files -/ | ||
116 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | ||
117 | '--cgroup=-[place the sandbox in the specified control group]: :' | ||
118 | '*--env=-[set environment variable]: :' | ||
119 | '--hostname=-[set sandbox hostname]: :' | ||
120 | '*--ignore=-[ignore command in profile files]: :' | ||
121 | '--name=-[set sandbox name]: :' | ||
122 | '(--rlimit-as)'{--rlimit-as=,--rlimit-as=}"[set the maximum size of the process's virtual memory (address space) in bytes]: :" | ||
123 | '(--rlimit-cpu)'{--rlimit-cpu=,--rlimit-cpu=}'[set the maximum CPU time in seconds]: :' | ||
124 | '(--rlimit-fsize)'{--rlimit-fsize=,--rlimit-fsize=}'[set the maximum file size that can be created by a process]: :' | ||
125 | '(--rlimit-nofile)'{--rlimit-nofile=,--rlimit-nofile=}'[set the maximum number of files that can be opened by a process]: :' | ||
126 | '(--rlimit-nproc)'{--rlimit-nproc=,--rlimit-nproc=}'[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | ||
127 | '(--rlimit-sigpending)'{--rlimit-sigpending=,--rlimit-sigpending=}'[set the maximum number of pending signals for a process]: :' | ||
128 | '*--rmenv=-[remove environment variable in the new sandbox]: :' | 123 | '*--rmenv=-[remove environment variable in the new sandbox]: :' |
124 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' | ||
125 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' | ||
126 | '--seccomp.block-secondary[build only the native architecture filters]' | ||
127 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :' | ||
128 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :' | ||
129 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | ||
130 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | ||
131 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(ERRNO kill log)' | ||
132 | '--shell=none[run the program directly without a user shell]' | ||
133 | '--shell=-[set default user shell]: :_files -g "*(*)"' | ||
129 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' | 134 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' |
130 | "--quiet[turn off Firejail's output.]" | 135 | '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' |
131 | '--version[print program version and exit]' | 136 | '--trace[trace open, access and connect system calls]' |
137 | '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | ||
138 | '--writable-etc[/etc directory is mounted read-write]' | ||
139 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | ||
140 | '--writable-var[/var directory is mounted read-write]' | ||
141 | '--writable-var-log[use the real /var/log directory, not a clone]' | ||
142 | |||
132 | #ifdef HAVE_APPARMOR | 143 | #ifdef HAVE_APPARMOR |
133 | '--apparmor[enable AppArmor confinement]' | 144 | '--apparmor[enable AppArmor confinement]' |
134 | '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails' | 145 | '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails' |
135 | #endif | 146 | #endif |
147 | |||
136 | #ifdef HAVE_CHROOT | 148 | #ifdef HAVE_CHROOT |
137 | '--chroot=-[chroot into directory]: :_files -/' | 149 | '--chroot=-[chroot into directory]: :_files -/' |
138 | #endif | 150 | #endif |
151 | |||
152 | #ifdef HAVE_DBUSPROXY | ||
153 | '--dbus-log=-[set DBus log file location]: :_files' | ||
154 | '--dbus-system=-[set system DBus access policy]: :(filter none)' | ||
155 | '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :' | ||
156 | '--dbus-system.call=-[allow calls on the system DBus according to rule]: :' | ||
157 | '--dbus-system.own=-[allow ownership of name on the system DBus]: :' | ||
158 | '--dbus-system.see=-[allow seeing name on the system DBus]: :' | ||
159 | '--dbus-system.talk=-[allow talking to name on the system DBus]: :' | ||
160 | '--dbus-user=-[set session DBus access policy or none]: :' | ||
161 | '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :' | ||
162 | '--dbus-user.call=-[allow calls on the session DBus according to rule]: :' | ||
163 | '--dbus-user.own=-[allow ownership of name on the session DBus]: :' | ||
164 | '--dbus-user.see=-[allow seeing name on the session DBus]: :' | ||
165 | '--dbus-user.talk=-[allow talking to name on the session DBus]: :' | ||
166 | #endif | ||
167 | |||
139 | #ifdef HAVE_FILE_TRANSFER | 168 | #ifdef HAVE_FILE_TRANSFER |
169 | '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' | ||
140 | '--get=-[get a file from sandbox container name|pid]: :_all_firejails' | 170 | '--get=-[get a file from sandbox container name|pid]: :_all_firejails' |
141 | # --put=name|pid src-filename dest-filename - put a file in sandbox container. | 171 | # --put=name|pid src-filename dest-filename - put a file in sandbox container. |
142 | '--put=-[put a file in sandbox container]: :' | 172 | '--put=-[put a file in sandbox container]: :' |
143 | '--ls=-[list files in sandbox container name|pid]: :_all_firejails' | 173 | '--ls=-[list files in sandbox container name|pid]: :_all_firejails' |
144 | #endif | 174 | #endif |
175 | |||
176 | #ifdef HAVE_FIRETUNNEL | ||
177 | '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' | ||
178 | #endif | ||
179 | |||
145 | #ifdef HAVE_NETWORK | 180 | #ifdef HAVE_NETWORK |
181 | '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' | ||
182 | '--defaultgw=[configure default gateway]: :' | ||
183 | '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' | ||
184 | '--join-network=-[join the network namespace name|pid]: :_all_firejails' | ||
185 | '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' | ||
186 | '--mtu=-[set interface MTU]: :' | ||
146 | # '--net=none[enable a new, unconnected network namespace]' | 187 | # '--net=none[enable a new, unconnected network namespace]' |
147 | '(--net)'{--net=,--net=}'[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' | 188 | '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' |
148 | '--net.print=-[print network interface configuration name|pid]: :_all_firejails' | 189 | '--net.print=-[print network interface configuration name|pid]: :_all_firejails' |
190 | '--netfilter=-[enable firewall]: :' | ||
149 | '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' | 191 | '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' |
192 | '--netfilter6=-[enable IPv6 firewall]: :' | ||
150 | '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' | 193 | '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' |
151 | '--netstats[monitor network statistics]' | ||
152 | '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' | 194 | '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' |
153 | '--netns=-[Run the program in a named, persistent network namespace]: :' | 195 | '--netns=-[Run the program in a named, persistent network namespace]: :' |
154 | '--netfilter=-[enable firewall]: :' | 196 | '--netstats[monitor network statistics]' |
155 | '--netfilter6=-[enable IPv6 firewall]: :' | ||
156 | '--veth-name=-[use this name for the interface connected to the bridge]: :' | ||
157 | '--join-network=-[join the network namespace name|pid]: :_all_firejails' | ||
158 | '--defaultgw=[configure default gateway]: :' | ||
159 | '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' | ||
160 | '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' | ||
161 | '--interface=-[move interface in sandbox]: :' | 197 | '--interface=-[move interface in sandbox]: :' |
198 | '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' | ||
162 | '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' | 199 | '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' |
163 | '--iprange=-[configure an IP address in this range]: :' | 200 | '--iprange=-[configure an IP address in this range]: :' |
164 | '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' | ||
165 | '--mtu=-[set interface MTU]: :' | ||
166 | '--scan[ARP-scan all the networks from inside a network namespace]' | 201 | '--scan[ARP-scan all the networks from inside a network namespace]' |
167 | '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' | 202 | '--veth-name=-[use this name for the interface connected to the bridge]: :' |
168 | #endif | ||
169 | #ifdef HAVE_X11 | ||
170 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | ||
171 | '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' | ||
172 | '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' | ||
173 | #endif | 203 | #endif |
174 | #ifdef HAVE_USERNS | 204 | |
175 | '--noroot[install a user namespace with only the current user]' | 205 | #ifdef HAVE_OUTPUT |
206 | '--output=-[stdout logging and log rotation]: :_files' | ||
207 | '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' | ||
176 | #endif | 208 | #endif |
177 | '--nosound[disable sound system]' | 209 | |
178 | '--noautopulse[disable automatic ~/.config/pulse init]' | ||
179 | '--novideo[disable video devices]' | ||
180 | '--nou2f[disable U2F devices]' | ||
181 | #ifdef HAVE_OVERLAYFS | 210 | #ifdef HAVE_OVERLAYFS |
182 | '--overlay[mount a filesystem overlay on top of the current filesystem]' | 211 | '--overlay[mount a filesystem overlay on top of the current filesystem]' |
212 | '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' | ||
183 | '--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' | 213 | '--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' |
184 | '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' | 214 | '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' |
185 | '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' | ||
186 | #endif | ||
187 | #ifdef HAVE_WHITELIST | ||
188 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | ||
189 | '*--whitelist=-[whitelist directory or file]: :_files' | ||
190 | #endif | ||
191 | '--noblacklist=-[disable blacklist for file or directory]: :_files' | ||
192 | #ifdef HAVE_DBUSPROXY | ||
193 | '--dbus-system=-[set system DBus access policy or none]: :' | ||
194 | '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :' | ||
195 | '--dbus-system.call=-[allow calls on the system DBus according to rule]: :' | ||
196 | '--dbus-system.own=-[allow ownership of name on the system DBus]: :' | ||
197 | '--dbus-system.see=-[allow seeing name on the system DBus]: :' | ||
198 | '--dbus-system.talk=-[allow talking to name on the system DBus]: :' | ||
199 | '--dbus-user=-[set session DBus access policy or none]: :' | ||
200 | '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :' | ||
201 | '--dbus-user.call=-[allow calls on the session DBus according to rule]: :' | ||
202 | '--dbus-user.see=-[allow seeing name on the session DBus]: :' | ||
203 | '--dbus-user.talk=-[allow talking to name on the session DBus]: :' | ||
204 | '--dbus-log=-[set DBus log file location]: :_files' | ||
205 | '--dbus-system=-[set system DBus access policy]: :(filter none)' | ||
206 | '--dbus-user.log[turn on logging for the user DBus]' | ||
207 | '--dbus-user.own=-[allow ownership of name on the session DBus]: :' | ||
208 | '--dbus-system.log[turn on logging for the system DBus]' | ||
209 | '--nodbus[disable D-Bus access]' | ||
210 | #endif | 215 | #endif |
216 | |||
211 | #ifdef HAVE_PRIVATE_HOME | 217 | #ifdef HAVE_PRIVATE_HOME |
212 | '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files' | 218 | '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files' |
213 | #endif | 219 | #endif |
214 | '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' | 220 | |
215 | '--private-opt=-[build a new /opt in a temporary filesystem]: :' | 221 | #ifdef HAVE_USERNS |
216 | '--private-srv=-[build a new /srv in a temporary filesystem]: :' | 222 | '--noroot[install a user namespace with only the current user]' |
223 | #endif | ||
224 | |||
217 | #ifdef HAVE_USERTMPFS | 225 | #ifdef HAVE_USERTMPFS |
218 | '--private-cache[temporary ~/.cache directory]' | 226 | '--private-cache[temporary ~/.cache directory]' |
219 | #endif | 227 | #endif |
220 | #ifdef HAVE_FIRETUNNEL | 228 | |
221 | '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' | 229 | #ifdef HAVE_WHITELIST |
230 | '*--nowhitelist=-[disable whitelist for file or directory]: :_files' | ||
231 | '*--whitelist=-[whitelist directory or file]: :_files' | ||
232 | #endif | ||
233 | |||
234 | #ifdef HAVE_X11 | ||
235 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | ||
236 | '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' | ||
237 | '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' | ||
222 | #endif | 238 | #endif |
223 | ) | 239 | ) |
224 | 240 | ||
225 | 241 | ||
226 | _firejail() { | 242 | _firejail() { |
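Review bot: The reordered HAVE_DBUSPROXY block (new lines 152-166) drops `--dbus-system.log` and `--dbus-user.log`, which the old list carried at old lines 206 and 208 and which no other line on the new side provides, so a commit described as "order and sort" silently removes two completions. Re-add `'--dbus-system.log[turn on logging for the system DBus]'` after the `--dbus-system.talk` entry and `'--dbus-user.log[turn on logging for the user DBus]'` after the `--dbus-user.talk` entry so the sorted order is kept. Dropping the duplicate `--dbus-system=-` spec is fine, but `--dbus-user=-` now offers no value completion while `--dbus-system=-` offers `(filter none)`; if the session bus accepts the same policy values, `'--dbus-user=-[set session DBus access policy]: :(filter none)'` would make the two consistent. Separately, `--defaultgw=[` (new line 182) is the only `=` option in the array without the `-` argument marker, which looks like a carried-over typo for `--defaultgw=-[`.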