-rw-r--r-- | contrib/vim/syntax/firejail.vim | 2 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/main.c | 11 | ||||
-rw-r--r-- | src/firejail/profile.c | 8 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 3 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 9 | ||||
-rw-r--r-- | src/man/firejail.txt | 22 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 1 |
9 files changed, 39 insertions, 21 deletions
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index e4d219e68..8775ae71d 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim | |||
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES | |||
49 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) | 49 | " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) |
50 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained | 50 | syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained |
51 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below | 51 | " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below |
52 | syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained | 52 | syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained |
53 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained | 53 | syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained |
54 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained | 54 | syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained |
55 | syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained | 55 | syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained |
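--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -314,7 +314,6 @@ extern int arg_private_cwd; // private working directory
 extern int arg_scan; // arp-scan all interfaces
 extern int arg_whitelist; // whitelist command
 extern int arg_nosound; // disable sound
-extern int arg_noautopulse; // disable automatic ~/.config/pulse init
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d; // disable 3d hardware acceleration
 extern int arg_quiet; // no output for scripting
@@ -323,6 +322,7 @@ extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
+extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
 extern int arg_writable_var; // writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user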
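Review bot: The new `arg_keep_config_pulse` declaration in the second hunk is placed between `arg_writable_etc` and `arg_writable_var`, splitting the writable_* group, and the main.c definitions mirror the same ordering. Placing it after `arg_keep_var_tmp` would keep the keep-* flags together in both files. Its comment `// disable automatic ~/.config/pulse init` still describes the removed negative name; `// keep ~/.config/pulse as is (skip automatic pulse init)` reads with the new one.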
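--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -116,7 +116,6 @@ int arg_private_cwd = 0; // private working directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist command
 int arg_nosound = 0; // disable sound
-int arg_noautopulse = 0; // disable automatic ~/.config/pulse init
 int arg_novideo = 0; //disable video devices in /dev
 int arg_no3d; // disable 3d hardware acceleration
 int arg_quiet = 0; // no output for scripting
@@ -125,6 +124,7 @@ int arg_join_filesystem = 0; // join only the mount namespace
 int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
+int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
 int arg_writable_var = 0; // writable var
 int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
@@ -1824,8 +1824,8 @@ int main(int argc, char **argv, char **envp) {
 exit(1);
 }
 arg_noprofile = 1;
-// force noautopulse in order to keep ~/.config/pulse as is
-arg_noautopulse = 1;
+// force keep-config-pulse in order to keep ~/.config/pulse as is
+arg_keep_config_pulse = 1;
 }
 else if (strncmp(argv[i], "--ignore=", 9) == 0) {
 if (custom_profile) {
@@ -1876,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
 }
 arg_writable_etc = 1;
 }
+else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+arg_keep_config_pulse = 1;
+}
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
@@ -2078,7 +2081,7 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--nosound") == 0)
 arg_nosound = 1;
 else if (strcmp(argv[i], "--noautopulse") == 0)
-arg_noautopulse = 1;
+arg_keep_config_pulse = 1;
 else if (strcmp(argv[i], "--novideo") == 0)
 arg_novideo = 1;
 else if (strcmp(argv[i], "--no3d") == 0)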
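Review bot: The `--noautopulse` branch in the last hunk still sets `arg_keep_config_pulse = 1` silently, so a user of the spelling the man page now marks deprecated gets no hint that `--keep-config-pulse` is the supported name; the `noautopulse` profile keyword in profile.c has the same gap. A one-line notice before the assignment, `fprintf(stderr, "Warning: --noautopulse is deprecated, use --keep-config-pulse\n");` (or the project's own warning helper so that --quiet is honoured), plus a `// deprecated alias of --keep-config-pulse` comment on the branch, would make the transition visible and let the alias be removed later. The option parser in main() starts and ends outside the hunks.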
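--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -423,7 +423,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "noautopulse") == 0) {
-arg_noautopulse = 1;
+arg_keep_config_pulse = 1;
 return 0;
 }
 else if (strcmp(ptr, "notv") == 0) {
@@ -1143,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_machineid = 1;
 return 0;
 }
+
+if (strcmp(ptr, "keep-config-pulse") == 0) {
+arg_keep_config_pulse = 1;
+return 0;
+}
+
 // writable-var
 if (strcmp(ptr, "writable-var") == 0) {
 arg_writable_var = 1;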
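Review bot: The new `keep-config-pulse` check in the second hunk has no leading `// keep-config-pulse` comment, unlike the neighbouring `// writable-var` block, and it sits several hundred lines away from the `noautopulse` handler in the first hunk that sets the same flag. Adding the comment and placing one check next to the other — or folding the old spelling into the same test, `if (strcmp(ptr, "keep-config-pulse") == 0 || strcmp(ptr, "noautopulse") == 0) {` — keeps the two spellings visibly tied together so a future change to one cannot drift from the other. profile_check_line begins and ends outside both hunks.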
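--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1015,7 +1015,7 @@ int sandbox(void* sandbox_arg) {
 // disable /dev/snd
 fs_dev_disable_sound();
 }
-else if (!arg_noautopulse)
+else if (!arg_keep_config_pulse)
 pulseaudio_init();
 
 if (arg_no3d)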
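--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -114,7 +114,8 @@ static char *usage_str =
 " --join-network=name|pid - join the network namespace.\n"
 #endif
 " --join-or-start=name|pid - join the sandbox or start a new one.\n"
-" --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+" --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
+" --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
 " --keep-var-tmp - /var/tmp directory is untouched.\n"
 " --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER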
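Review bot: The new `--keep-config-pulse` help line is in the right alphabetical slot, but nothing in this hunk touches the existing `--noautopulse` entry, which, if it is still present further down in usage_str (outside the hunk), now disagrees with the man page that marks that option deprecated. Either append `(deprecated, see --keep-config-pulse)` to that entry or drop it so `firejail --help` and the man page describe the option the same way.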
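--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -271,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
@@ -718,9 +722,8 @@ name browser
 \fBno3d
 Disable 3D hardware acceleration.
 .TP
-\fBnoautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
+\fBnoautopulse \fR(deprecated)
+See keep-config-pulse.
 .TP
 \fBnodvd
 Disable DVD and audio CD devices.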
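--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1052,6 +1052,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 Note that in contrary to other join options there is respective profile option.
 
 .TP
+\fB\-\-keep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-keep-config-pulse firefox
+
+.TP
 \fB\-\-keep-dev-shm
 /dev/shm directory is untouched (even with --private-dev)
 .br
@@ -1460,15 +1471,8 @@ Example:
 $ firejail --no3d firefox
 
 .TP
-\fB\-\-noautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noautopulse firefox
+\fB\-\-noautopulse \fR(deprecated)
+See --keep-config-pulse.
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename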
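--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -98,6 +98,7 @@ _firejail_args=(
 '*--ignore=-[ignore command in profile files]: :'
 '--ipc-namespace[enable a new IPC namespace]'
 '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+'--keep-config-pulse[disable automatic ~/.config/pulse init]'
 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
 '--keep-var-tmp[/var/tmp directory is untouched]'
 '--machine-id[preserve /etc/machine-id]'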