author | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-05-13 20:39:21 -0300 |
---|---|---|
committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-05-14 08:56:02 -0300 |
commit | 5a612029b6c88000eba3b1195eedb7169553b7fa (patch) | |
tree | 6cb34c5e4cc9a87bd687af880e1dcd1d83ca5f4e /src | |
parent | CI: build with clang 11 (#4277) (diff) | |
rename noautopulse to keep-config-pulse
Changes:
* add the keep-config-pulse option
* make noautopulse an alias for keep-config-pulse
* deprecate the noautopulse option
* misc: fix indentation of --keep-dev-shm on src/firejail/usage.c
Even though noautopulse is not intended for hardening, it looks like it
is, because it starts with "no" (just like no3d, noroot, etc.). In fact,
it is the only "no" option that differs in such a way.
And it has been accidentally misused as such before; see PR #4269 and
commit e4beaeaa8 ("drop noautopulse from agetpkg").
So effectively rename it to keep-config-pulse in order to avoid
confusion. This is similar to the keep-var-tmp and keep-dev-shm
options, which are used to "leave a path alone", just like noautopulse.
Note: The changes on this patch are based on the ones from commit
617ff40c9 ("add --noautopulse arg for complex pulse setups") / PR #1854.
See #4269 for the discussion.
Diffstat (limited to 'src')
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 6 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 22 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 1 |
6 files changed, 31 insertions, 13 deletions
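--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1876,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
 			}
 			arg_writable_etc = 1;
 		}
+		else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+			arg_noautopulse = 1;
+		}
 		else if (strcmp(argv[i], "--writable-var") == 0) {
 			arg_writable_var = 1;
 		}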
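Review bot: The new `--keep-config-pulse` branch only sets `arg_noautopulse`, so the code itself carries no trace that `--noautopulse` has become a deprecated alias; the deprecation is stated only in the man pages. If the existing `--noautopulse` branch elsewhere in main.c (outside this hunk) does not already emit a notice, consider having it print one that points users to `--keep-config-pulse`, so scripts still using the old name are nudged to migrate before it is removed. Add `// --noautopulse is a deprecated alias of this option; the flag keeps its old name` above the new branch so the mismatch between option name and variable name is explained to the next reader. The same naming mismatch applies to the profile.c hunk. main() starts and ends outside the hunk.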
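--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1143,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_machineid = 1;
 		return 0;
 	}
+
+	if (strcmp(ptr, "keep-config-pulse") == 0) {
+		arg_noautopulse = 1;
+		return 0;
+	}
+
 	// writable-var
 	if (strcmp(ptr, "writable-var") == 0) {
 		arg_writable_var = 1;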
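Review bot: The new `keep-config-pulse` block lacks the one-line heading comment that the neighbouring entries carry (`// writable-var` sits directly above the `writable-var` check), so add `// keep-config-pulse` above the new `strcmp` to keep the lookup chain scannable. Since the option sets `arg_noautopulse`, a second line `// alias of the deprecated noautopulse option` would also explain the name mismatch. profile_check_line() starts and ends outside the hunk.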
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 397150158..15e4bd3ab 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
@@ -114,7 +114,8 @@ static char *usage_str = | |||
114 | " --join-network=name|pid - join the network namespace.\n" | 114 | " --join-network=name|pid - join the network namespace.\n" |
115 | #endif | 115 | #endif |
116 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" | 116 | " --join-or-start=name|pid - join the sandbox or start a new one.\n" |
117 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" | 117 | " --keep-config-pulse - disable automatic ~/.config/pulse init.\n" |
118 | " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n" | ||
118 | " --keep-var-tmp - /var/tmp directory is untouched.\n" | 119 | " --keep-var-tmp - /var/tmp directory is untouched.\n" |
119 | " --list - list all sandboxes.\n" | 120 | " --list - list all sandboxes.\n" |
120 | #ifdef HAVE_FILE_TRANSFER | 121 | #ifdef HAVE_FILE_TRANSFER |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9d59328f5..49be8d0b0 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -271,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as | |||
271 | \fBdisable-mnt | 271 | \fBdisable-mnt |
272 | Disable /mnt, /media, /run/mount and /run/media access. | 272 | Disable /mnt, /media, /run/mount and /run/media access. |
273 | .TP | 273 | .TP |
274 | \fBkeep-config-pulse | ||
275 | Disable automatic ~/.config/pulse init, for complex setups such as remote | ||
276 | pulse servers or non-standard socket paths. | ||
277 | .TP | ||
274 | \fBkeep-dev-shm | 278 | \fBkeep-dev-shm |
275 | /dev/shm directory is untouched (even with private-dev). | 279 | /dev/shm directory is untouched (even with private-dev). |
276 | .TP | 280 | .TP |
@@ -718,9 +722,8 @@ name browser | |||
718 | \fBno3d | 722 | \fBno3d |
719 | Disable 3D hardware acceleration. | 723 | Disable 3D hardware acceleration. |
720 | .TP | 724 | .TP |
721 | \fBnoautopulse | 725 | \fBnoautopulse \fR(deprecated) |
722 | Disable automatic ~/.config/pulse init, for complex setups such as remote | 726 | See keep-config-pulse. |
723 | pulse servers or non-standard socket paths. | ||
724 | .TP | 727 | .TP |
725 | \fBnodvd | 728 | \fBnodvd |
726 | Disable DVD and audio CD devices. | 729 | Disable DVD and audio CD devices. |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 397ce5e17..68aea5857 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -1052,6 +1052,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise | |||
1052 | Note that in contrary to other join options there is respective profile option. | 1052 | Note that in contrary to other join options there is respective profile option. |
1053 | 1053 | ||
1054 | .TP | 1054 | .TP |
1055 | \fB\-\-keep-config-pulse | ||
1056 | Disable automatic ~/.config/pulse init, for complex setups such as remote | ||
1057 | pulse servers or non-standard socket paths. | ||
1058 | .br | ||
1059 | |||
1060 | .br | ||
1061 | Example: | ||
1062 | .br | ||
1063 | $ firejail \-\-keep-config-pulse firefox | ||
1064 | |||
1065 | .TP | ||
1055 | \fB\-\-keep-dev-shm | 1066 | \fB\-\-keep-dev-shm |
1056 | /dev/shm directory is untouched (even with --private-dev) | 1067 | /dev/shm directory is untouched (even with --private-dev) |
1057 | .br | 1068 | .br |
@@ -1460,15 +1471,8 @@ Example: | |||
1460 | $ firejail --no3d firefox | 1471 | $ firejail --no3d firefox |
1461 | 1472 | ||
1462 | .TP | 1473 | .TP |
1463 | \fB\-\-noautopulse | 1474 | \fB\-\-noautopulse \fR(deprecated) |
1464 | Disable automatic ~/.config/pulse init, for complex setups such as remote | 1475 | See --keep-config-pulse. |
1465 | pulse servers or non-standard socket paths. | ||
1466 | .br | ||
1467 | |||
1468 | .br | ||
1469 | Example: | ||
1470 | .br | ||
1471 | $ firejail \-\-noautopulse firefox | ||
1472 | 1476 | ||
1473 | .TP | 1477 | .TP |
1474 | \fB\-\-noblacklist=dirname_or_filename | 1478 | \fB\-\-noblacklist=dirname_or_filename |
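--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -98,6 +98,7 @@ _firejail_args=(
     '*--ignore=-[ignore command in profile files]: :'
     '--ipc-namespace[enable a new IPC namespace]'
     '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+    '--keep-config-pulse[disable automatic ~/.config/pulse init]'
     '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
     '--keep-var-tmp[/var/tmp directory is untouched]'
     '--machine-id[preserve /etc/machine-id]'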