-rw-r--r-- | etc/profile-a-l/chromium-common.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/firefox-common.profile | 3 | ||||
-rw-r--r-- | src/firejail/main.c | 36 | ||||
-rw-r--r-- | src/firejail/profile.c | 38 | ||||
-rw-r--r-- | src/tools/profcleaner.c | 75 | ||||
-rwxr-xr-x | src/tools/profcleaner.sh | 45 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 30 |
7 files changed, 21 insertions, 209 deletions
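--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -53,6 +53,9 @@ private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
 dbus-system none
 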
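Review bot: The added `blacklist ${PATH}/curl` and `blacklist ${PATH}/wget` lines carry no comment, and the same pair is added to firefox-common.profile, so a reader cannot tell which threat they address or why only these two tools are listed. Denying two binaries by name is defense in depth at best, since every other executable on PATH stays reachable from the sandbox; the profile should state that limit, for example `# deny common download tools; not exhaustive, private-bin is the allowlist alternative`. The addition also looks unrelated to the rest of this commit, which removes the allow/deny aliases, so it may deserve its own commit or a line in the description.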
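--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -59,6 +59,9 @@ disable-mnt
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
 
+blacklist ${PATH}/curl
+blacklist ${PATH}/wget
+
 # 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
 # Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none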
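--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1574,7 +1574,6 @@ int main(int argc, char **argv, char **envp) {
 profile_add(line);
 }
 
-// blacklist/deny
 else if (strncmp(argv[i], "--blacklist=", 12) == 0) {
 char *line;
 if (asprintf(&line, "blacklist %s", argv[i] + 12) == -1)
@@ -1583,14 +1582,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-else if (strncmp(argv[i], "--deny=", 7) == 0) {
-char *line;
-if (asprintf(&line, "blacklist %s", argv[i] + 7) == -1)
-errExit("asprintf");
-
-profile_check_line(line, 0, NULL); // will exit if something wrong
-profile_add(line);
-}
 else if (strncmp(argv[i], "--noblacklist=", 14) == 0) {
 char *line;
 if (asprintf(&line, "noblacklist %s", argv[i] + 14) == -1)
@@ -1599,16 +1590,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-else if (strncmp(argv[i], "--nodeny=", 9) == 0) {
-char *line;
-if (asprintf(&line, "noblacklist %s", argv[i] + 9) == -1)
-errExit("asprintf");
-
-profile_check_line(line, 0, NULL); // will exit if something wrong
-profile_add(line);
-}
-
-// whitelist
 else if (strncmp(argv[i], "--whitelist=", 12) == 0) {
 char *line;
 if (asprintf(&line, "whitelist %s", argv[i] + 12) == -1)
@@ -1617,14 +1598,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-else if (strncmp(argv[i], "--allow=", 8) == 0) {
-char *line;
-if (asprintf(&line, "whitelist %s", argv[i] + 8) == -1)
-errExit("asprintf");
-
-profile_check_line(line, 0, NULL); // will exit if something wrong
-profile_add(line);
-}
 else if (strncmp(argv[i], "--nowhitelist=", 14) == 0) {
 char *line;
 if (asprintf(&line, "nowhitelist %s", argv[i] + 14) == -1)
@@ -1633,15 +1606,6 @@ int main(int argc, char **argv, char **envp) {
 profile_check_line(line, 0, NULL); // will exit if something wrong
 profile_add(line);
 }
-else if (strncmp(argv[i], "--noallow=", 10) == 0) {
-char *line;
-if (asprintf(&line, "nowhitelist %s", argv[i] + 10) == -1)
-errExit("asprintf");
-
-profile_check_line(line, 0, NULL); // will exit if something wrong
-profile_add(line);
-}
-
 
 else if (strncmp(argv[i], "--mkdir=", 8) == 0) {
 char *line;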
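--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1752,44 +1752,6 @@ void profile_read(const char *fname) {
 continue;
 }
 
-// translate allow/deny to whitelist/blacklist
-if (strncmp(ptr, "allow ", 6) == 0) {
-char *tmp;
-if (asprintf(&tmp, "whitelist %s", ptr + 6) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "deny ", 5) == 0) {
-char *tmp;
-if (asprintf(&tmp, "blacklist %s", ptr + 5) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "deny-nolog ", 11) == 0) {
-char *tmp;
-if (asprintf(&tmp, "blacklist-nolog %s", ptr + 11) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-// translate noallow/nodeny to nowhitelist/noblacklist
-else if (strncmp(ptr, "noallow ", 8) == 0) {
-char *tmp;
-if (asprintf(&tmp, "nowhitelist %s", ptr + 8) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-else if (strncmp(ptr, "nodeny ", 7) == 0) {
-char *tmp;
-if (asprintf(&tmp, "noblacklist %s", ptr + 7) == -1)
-errExit("asprintf");
-free(ptr);
-ptr = tmp;
-}
-
 // process quiet
 // todo: a quiet in the profile file cannot be disabled by --ignore on command line
 if (strcmp(ptr, "quiet") == 0) {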
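--- a/src/tools/profcleaner.c
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
-* Copyright (C) 2014-2021 Firejail Authors
-*
-* This file is part of firejail project
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License as published by
-* the Free Software Foundation; either version 2 of the License, or
-* (at your option) any later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License along
-* with this program; if not, write to the Free Software Foundation, Inc.,
-* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-
-//*************************************************************
-// Small utility program to convert profiles from blacklist/whitelist to deny/allow
-// Compile:
-// gcc -o profcleaner profcleaner.c
-// Usage:
-// profcleaner *.profile
-//*************************************************************
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#define MAXBUF 4096
-
-int main(int argc, char **argv) {
-printf("Usage: profcleaner files\n");
-int i;
-
-for (i = 1; i < argc; i++) {
-FILE *fp = fopen(argv[i], "r");
-if (!fp) {
-fprintf(stderr, "Error: cannot open %s\n", argv[i]);
-return 1;
-}
-
-FILE *fpout = fopen("profcleaner-tmp", "w");
-if (!fpout) {
-fprintf(stderr, "Error: cannot open output file\n");
-return 1;
-}
-
-char buf[MAXBUF];
-while (fgets(buf, MAXBUF, fp)) {
-if (strncmp(buf, "blacklist-nolog", 15) == 0)
-fprintf(fpout, "deny-nolog %s", buf + 15);
-else if (strncmp(buf, "blacklist", 9) == 0)
-fprintf(fpout, "deny %s", buf + 9);
-else if (strncmp(buf, "noblacklist", 11) == 0)
-fprintf(fpout, "nodeny %s", buf + 11);
-else if (strncmp(buf, "whitelist", 9) == 0)
-fprintf(fpout, "allow %s", buf + 9);
-else if (strncmp(buf, "nowhitelist", 11) == 0)
-fprintf(fpout, "noallow %s", buf + 11);
-else
-fprintf(fpout, "%s", buf);
-}
-
-fclose(fp);
-fclose(fpout);
-unlink(argv[i]);
-rename("profcleaner-tmp", argv[i]);
-}
-
-return 0;
-}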
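--- a/src/tools/profcleaner.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
-# Copyright (C) 2021 Firejail Authors
-#
-# This file is part of firejail project
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-if [[ $1 == --help ]]; then
-cat <<-EOM
-USAGE:
-profcleaner.sh --help Show this help message and exit
-profcleaner.sh --system Clean all profiles in /etc/firejail
-profcleaner.sh --user Clean all profiles in ~/.config/firejail
-profcleaner.sh /path/to/profile1 /path/to/profile2 ...
-EOM
-exit 0
-fi
-
-if [[ $1 == --system ]]; then
-profiles=(/etc/firejail/*.{inc,local,profile})
-elif [[ $1 == --user ]]; then
-profiles=("$HOME"/.config/firejail/*.{inc,local,profile})
-else
-profiles=("$@")
-fi
-
-sed -i -E \
--e "s/^(# |#)?(ignore )?blacklist/\1\2deny/" \
--e "s/^(# |#)?(ignore )?noblacklist/\1\2nodeny/" \
--e "s/^(# |#)?(ignore )?whitelist/\1\2allow/" \
--e "s/^(# |#)?(ignore )?nowhitelist/\1\2noallow/" \
-"${profiles[@]}"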
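--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -48,8 +48,8 @@ _firejail_args=(
 '*::arguments:_normal'
 
 '--appimage[sandbox an AppImage application]'
-'--build[build a profile for the application and print it on stdout]'
-'--build=-[build a profile for the application and save it]: :_files'
+'--build[build a whitelisted profile for the application and print it on stdout]'
+'--build=-[build a whitelisted profile for the application and save it]: :_files'
 # Ignore that you can do -? too as it's the only short option
 '--help[this help screen]'
 '--join=-[join the sandbox name|pid]: :_all_firejails'
@@ -66,14 +66,14 @@ _firejail_args=(
 '--ids-init[initialize IDS database]'
 
 '--debug[print sandbox debug messages]'
-'--debug-allow[debug file system access]'
+'--debug-blacklists[debug blacklisting]'
 '--debug-caps[print all recognized capabilities]'
-'--debug-deny[debug file system access]'
 '--debug-errnos[print all recognized error numbers]'
 '--debug-private-lib[debug for --private-lib option]'
 '--debug-protocols[print all recognized protocols]'
 '--debug-syscalls[print all recognized system calls]'
 '--debug-syscalls32[print all recognized 32 bit system calls]'
+'--debug-whitelists[debug whitelisting]'
 
 '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
 '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
@@ -86,13 +86,13 @@ _firejail_args=(
 '--allusers[all user home directories are visible inside the sandbox]'
 # Should be _files, a comma and files or files -/
 '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
+'*--blacklist=-[blacklist directory or file]: :_files'
 '--caps[enable default Linux capabilities filter]'
 '--caps.drop=all[drop all capabilities]'
 '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
 '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
 '--cgroup=-[place the sandbox in the specified control group]: :'
 '--cpu=-[set cpu affinity]: :->cpus'
-'*--deny=-[deny access to directory or file]: :_files'
 "--deterministic-exit-code[always exit with first child's status code]"
 '--deterministic-shutdown[terminate orphan processes]'
 '*--dns=-[set DNS server]: :'
@@ -116,7 +116,7 @@ _firejail_args=(
 '--nice=-[set nice value]: :(1 10 15 20)'
 '--no3d[disable 3D hardware acceleration]'
 '--noautopulse[disable automatic ~/.config/pulse init]'
-'--nodeny=-[disable deny command for file or directory]: :_files'
+'--noblacklist=-[disable blacklist for file or directory]: :_files'
 '--nodbus[disable D-Bus access]'
 '--nodvd[disable DVD and audio CD devices]'
 '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
@@ -147,13 +147,13 @@ _firejail_args=(
 '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
 '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
 '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
-'--seccomp[enable seccomp filter and drop the default syscalls]: :'
-'--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp'
+'--seccomp[enable seccomp filter and apply the default blacklist]: :'
+'--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
 '--seccomp.block-secondary[build only the native architecture filters]'
-'*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp'
-'*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp'
-'*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
-'*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+'*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
+'*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
+'*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+'*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
 # FIXME: Add errnos
 '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
 '--shell=none[run the program directly without a user shell]'
@@ -161,7 +161,7 @@ _firejail_args=(
 '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
 #'(--tracelog)--trace[trace open, access and connect system calls]'
 '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
-'(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]'
+'(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
 '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
 '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
 '--writable-var[/var directory is mounted read-write]'
@@ -255,8 +255,8 @@ _firejail_args=(
 '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
 
-'*--noallow=-[disable allow command for file or directory]: :_files'
-'*--allow=-[allow file system access]: :_files'
+'*--nowhitelist=-[disable whitelist for file or directory]: :_files'
+'*--whitelist=-[whitelist directory or file]: :_files'
 
 #ifdef HAVE_X11
 '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'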
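Review bot: The new `'--noblacklist=-[disable blacklist for file or directory]: :_files'` entry has no leading `*`, unlike the `'*--blacklist=-'`, `'*--whitelist=-'` and `'*--nowhitelist=-'` entries written by the same commit, so zsh stops offering it after its first use on a command line. The handler shown in src/firejail/main.c calls `profile_add(line)` for every `--noblacklist=` it meets, so the option is repeatable and the spec should read `'*--noblacklist=-[disable blacklist for file or directory]: :_files'`. The replaced `--nodeny` entry lacked the `*` too, so this is carried over rather than introduced here.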