diff options
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Makefile.in | 7 | ||||
-rwxr-xr-x | configure | 2 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | src/bash_completion/Makefile.in | 14 | ||||
-rw-r--r-- | src/bash_completion/firejail.bash_completion.in (renamed from src/bash_completion/firejail.bash_completion) | 13 | ||||
-rw-r--r-- | src/zsh_completion/Makefile.in | 14 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 246 |
8 files changed, 296 insertions, 4 deletions
diff --git a/.gitignore b/.gitignore index 76ce6c7ec..0c803b135 100644 --- a/.gitignore +++ b/.gitignore | |||
@@ -38,6 +38,8 @@ src/fcopy/fcopy | |||
38 | src/fldd/fldd | 38 | src/fldd/fldd |
39 | src/fbuilder/fbuilder | 39 | src/fbuilder/fbuilder |
40 | src/profstats/profstats | 40 | src/profstats/profstats |
41 | src/bash_completion/firejail.bash_completion | ||
42 | src/zsh_completion/_firejail | ||
41 | uids.h | 43 | uids.h |
42 | seccomp | 44 | seccomp |
43 | seccomp.debug | 45 | seccomp.debug |
diff --git a/Makefile.in b/Makefile.in index 623c8bd39..8d4dbc430 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -21,12 +21,14 @@ MAN_TARGET = man | |||
21 | MAN_SRC = src/man | 21 | MAN_SRC = src/man |
22 | endif | 22 | endif |
23 | 23 | ||
24 | COMPLETIONDIRS = src/zsh_completion src/bash_completion | ||
24 | all: all_items mydirs $(MAN_TARGET) filters | 25 | all: all_items mydirs $(MAN_TARGET) filters |
25 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats | 26 | APPS = src/firecfg/firecfg src/firejail/firejail src/firemon/firemon src/profstats/profstats |
26 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee | 27 | SBOX_APPS = src/faudit/faudit src/fbuilder/fbuilder src/ftee/ftee |
27 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter | 28 | SBOX_APPS_NON_DUMPABLE = src/fcopy/fcopy src/fldd/fldd src/fnet/fnet src/fnetfilter/fnetfilter |
28 | MYDIRS = src/lib $(MAN_SRC) | 29 | MYDIRS = src/lib $(MAN_SRC) $(COMPLETIONDIRS) |
29 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so | 30 | MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so |
31 | COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion | ||
30 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 | 32 | MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 |
31 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp | 33 | SBOX_APPS_NON_DUMPABLE += src/fsec-optimize/fsec-optimize src/fsec-print/fsec-print src/fseccomp/fseccomp |
32 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 | 34 | SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32 |
@@ -158,6 +160,9 @@ endif | |||
158 | install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail | 160 | install -m 0644 src/bash_completion/firejail.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firejail |
159 | install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon | 161 | install -m 0644 src/bash_completion/firemon.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firemon |
160 | install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg | 162 | install -m 0644 src/bash_completion/firecfg.bash_completion $(DESTDIR)$(datarootdir)/bash-completion/completions/firecfg |
163 | # zsh completion | ||
164 | install -m 0755 -d $(DESTDIR)$(datarootdir)/zsh/site-functions | ||
165 | install -m 0644 src/zsh_completion/_firejail $(DESTDIR)$(datarootdir)/zsh/site-functions/ | ||
161 | 166 | ||
162 | install: all | 167 | install: all |
163 | $(MAKE) realinstall | 168 | $(MAKE) realinstall |
@@ -4273,7 +4273,7 @@ fi | |||
4273 | 4273 | ||
4274 | ac_config_files="$ac_config_files mkdeb.sh" | 4274 | ac_config_files="$ac_config_files mkdeb.sh" |
4275 | 4275 | ||
4276 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile test/Makefile" | 4276 | ac_config_files="$ac_config_files Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile" |
4277 | 4277 | ||
4278 | cat >confcache <<\_ACEOF | 4278 | cat >confcache <<\_ACEOF |
4279 | # This file is a shell script that caches the results of configure | 4279 | # This file is a shell script that caches the results of configure |
diff --git a/configure.ac b/configure.ac index e21e4a01f..5c2456a6a 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -231,7 +231,7 @@ AC_CONFIG_FILES([mkdeb.sh], [chmod +x mkdeb.sh]) | |||
231 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ | 231 | AC_OUTPUT(Makefile src/common.mk src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \ |
232 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ | 232 | src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/fsec-print/Makefile \ |
233 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ | 233 | src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile src/fsec-optimize/Makefile \ |
234 | src/profstats/Makefile src/man/Makefile test/Makefile) | 234 | src/profstats/Makefile src/man/Makefile src/zsh_completion/Makefile src/bash_completion/Makefile test/Makefile) |
235 | 235 | ||
236 | echo | 236 | echo |
237 | echo "Configuration options:" | 237 | echo "Configuration options:" |
diff --git a/src/bash_completion/Makefile.in b/src/bash_completion/Makefile.in new file mode 100644 index 000000000..d8a393aa4 --- /dev/null +++ b/src/bash_completion/Makefile.in | |||
@@ -0,0 +1,14 @@ | |||
1 | all: firejail.bash_completion | ||
2 | |||
3 | include ../common.mk | ||
4 | |||
5 | firejail.bash_completion: firejail.bash_completion.in | ||
6 | gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | ||
7 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | ||
8 | rm $@.tmp | ||
9 | |||
10 | clean: | ||
11 | rm -fr firejail.bash_completion | ||
12 | |||
13 | distclean: clean | ||
14 | rm -fr Makefile | ||
diff --git a/src/bash_completion/firejail.bash_completion b/src/bash_completion/firejail.bash_completion.in index 0a1b34d7d..00f04c310 100644 --- a/src/bash_completion/firejail.bash_completion +++ b/src/bash_completion/firejail.bash_completion.in | |||
@@ -9,6 +9,17 @@ __interfaces(){ | |||
9 | cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs | 9 | cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs |
10 | } | 10 | } |
11 | 11 | ||
12 | _profiles() { | ||
13 | if [[ -d "$1" ]] ; then | ||
14 | ls -1 $1/*.profile 2>/dev/null | sed -E 's;^.*\/;;g' | ||
15 | fi | ||
16 | } | ||
17 | _all_profiles() { | ||
18 | local sys_profiles=$(_profiles _SYSCONFDIR_/firejail) | ||
19 | local user_profiles=$(_profiles $HOME/.config/firejail) | ||
20 | COMPREPLY=($(compgen -W "${sys_profiles} ${user_profiles}" -- "$cur")) | ||
21 | } | ||
22 | |||
12 | 23 | ||
13 | _firejail() | 24 | _firejail() |
14 | { | 25 | { |
@@ -20,7 +31,7 @@ _firejail() | |||
20 | return 0 | 31 | return 0 |
21 | ;; | 32 | ;; |
22 | --profile) | 33 | --profile) |
23 | _filedir | 34 | _all_profiles |
24 | return 0 | 35 | return 0 |
25 | ;; | 36 | ;; |
26 | --hosts-file) | 37 | --hosts-file) |
diff --git a/src/zsh_completion/Makefile.in b/src/zsh_completion/Makefile.in new file mode 100644 index 000000000..3f756aa5f --- /dev/null +++ b/src/zsh_completion/Makefile.in | |||
@@ -0,0 +1,14 @@ | |||
1 | all: _firejail | ||
2 | |||
3 | include ../common.mk | ||
4 | |||
5 | _firejail: _firejail.in | ||
6 | gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | ||
7 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | ||
8 | rm $@.tmp | ||
9 | |||
10 | clean: | ||
11 | rm -fr _firejail | ||
12 | |||
13 | distclean: clean | ||
14 | rm -fr Makefile | ||
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in new file mode 100644 index 000000000..7e8df138e --- /dev/null +++ b/src/zsh_completion/_firejail.in | |||
@@ -0,0 +1,246 @@ | |||
1 | #compdef firejail | ||
2 | |||
3 | _all_firejails() { | ||
4 | local -a _all_firejails_list | ||
5 | for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do | ||
6 | _all_firejails_list+=${jail%% *} | ||
7 | done | ||
8 | _describe 'firejails list' _all_firejails_list | ||
9 | } | ||
10 | |||
11 | _all_cpus() { | ||
12 | _cpu_count=$(getconf _NPROCESSORS_ONLN) | ||
13 | for i in {0..$((_cpu_count-1))} ; do | ||
14 | print $i | ||
15 | done | ||
16 | } | ||
17 | |||
18 | _profiles() { | ||
19 | print $1/*.profile | sed -E "s;^$1/;;g;s;\.profile$;;g;" | ||
20 | } | ||
21 | _profiles_with_ext() { | ||
22 | print $1/*.profile | ||
23 | } | ||
24 | |||
25 | _all_profiles() { | ||
26 | _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) | ||
27 | } | ||
28 | |||
29 | _firejail_args=( | ||
30 | '*::arguments:_normal' | ||
31 | '(--profile)'{--profile=,--profile=}'[use a custom profile]: :_all_profiles' | ||
32 | '--caps[enable default Linux capabilities filter]' | ||
33 | '(--caps.drop)'{--caps.drop=,--caps.drop=}'[drop capabilities: all|cap1,cap2,...]: :->caps_drop' | ||
34 | '(--caps.keep)'{--caps.keep=,--caps.keep=}'[keep capabilities: cap1,cap2,...]: :->caps_keep' | ||
35 | '(--caps.print)'{--caps.print=,--caps.print=}'[print the caps filter name|pid]:firejail:_all_firejails' | ||
36 | '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' | ||
37 | '(--debug)'{--debug,--debug}'[print sandbox debug messages]' | ||
38 | '--debug-blacklists[debug blacklisting]' | ||
39 | '--debug-caps[print all recognized capabilities]' | ||
40 | '--debug-errnos[print all recognized error numbers]' | ||
41 | '--debug-private-lib[debug for --private-lib option]' | ||
42 | '--debug-protocols[print all recognized protocols]' | ||
43 | '--debug-syscalls[print all recognized system calls]' | ||
44 | '--debug-syscalls32[print all recognized 32 bit system calls]' | ||
45 | '--debug-whitelists[debug whitelisting]' | ||
46 | # Ignore that you can do -? too as it's the only short option | ||
47 | '(--help)'{--help,--help}'[this help screen]' | ||
48 | '--allusers[all user home directories are visible inside the sandbox]' | ||
49 | '--appimage[sandbox an AppImage application]' | ||
50 | '--private[temporary home directory]' | ||
51 | '(--private)'{--private=,--private=}'[use directory as user home]: : _files -/' | ||
52 | '--seccomp[enable seccomp filter and apply the default blacklist]' | ||
53 | '(--seccomp=)'{--seccomp=,--seccomp=}'[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' | ||
54 | '(--seccomp.print)'{--seccomp.print=,--seccomp.print=}'[print the seccomp filter for the sandbox identified by name|pid]: : _all_firejails' | ||
55 | '--seccomp.block-secondary[build only the native architecture filters]' | ||
56 | '(--seccomp.drop)'{--seccomp.drop=,--seccomp.drop=}'[enable seccomp filter, and blacklist the syscalls specified by the command]: :' | ||
57 | '(--seccomp.keep)'{--seccomp.keep=,--seccomp.keep=}'[enable seccomp filter, and whitelist the syscalls specified by the command]: :' | ||
58 | '(--seccomp.32.drop)'{--seccomp.32.drop=,--seccomp.32.drop=}'[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | ||
59 | '(--seccomp.32.keep)'{--seccomp.32.keep=,--seccomp.32.keep=}'[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | ||
60 | '(--seccomp-error-action)'{--seccomp-error-action=,--seccomp-error-action=}'[change error code, kill process or log the attempt]: :(ERRNO kill log)' | ||
61 | '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' | ||
62 | '*'{--blacklist=,--blacklist=}'[blacklist directory or file]: : _files' | ||
63 | '--writable-etc[/etc directory is mounted read-write]' | ||
64 | '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' | ||
65 | '--writable-var[/var directory is mounted read-write]' | ||
66 | '--writable-var-log[use the real /var/log directory, not a clone]' | ||
67 | '--build[build a whitelisted profile for the application and print it on stdout]' | ||
68 | '(--build)'{--build=,--build=}'[build a whitelisted profile for the application and save it]: : _files' | ||
69 | '(--fs.print)'{--fs.print=,--fs.print=}'[print the filesystem log name|pid]: : _all_firejails' | ||
70 | '(--join)'{--join=,--join=}'[join the sandbox name|pid]: : _all_firejails' | ||
71 | '(--join-filesystem)'{--join-filesystem=,--join-filesystem=}'[join the mount namespace name|pid]: : _all_firejails' | ||
72 | '(--profile.print)'{--profile.print=,--profile.print=}'[print the name of profile file name|pid]: : _all_firejails' | ||
73 | '(--protocol.print)'{--protocol.print=,--protocol.print=}'[print the protocol filter name|pid]: : _all_firejails' | ||
74 | '(--shutdown)'{--shutdown=,--shutdown=}'[shutdown the sandbox identified by name|pid]: : _all_firejails' | ||
75 | '(--cat)'{--cat=,--cat=}'[print content of file from sandbox container name|pid]: : _all_firejails' | ||
76 | '(--cpu.print)'{--cpu.print=,--cpu.print=}'[print the cpus in use name|pid]: : _all_firejails' | ||
77 | '--list[list all sandboxes]' | ||
78 | '(--dns)'{--dns=,--dns=}'[set DNS server]: :' | ||
79 | '(--protocol)'{--protocol=,--protocol=}'[enable protocol filter]: :' | ||
80 | '(--join-or-start)'{--join-or-start=,--join-or-start=}'[join the sandbox or start a new one name|pid]: : _all_firejails' | ||
81 | '(--hosts-file)'{--hosts-file=,--hosts-file=}'[use file as /etc/hosts]: : _files' | ||
82 | '--shell=none[run the program directly without a user shell]' | ||
83 | '(--shell)'{--shell=,--shell=}'[set default user shell]: : _files -g "*(*)"' | ||
84 | '(--output)'{--output=,--output=}'[stdout logging and log rotation]: : _files' | ||
85 | '(--output-stderr)'{--output-stderr=,--output-stderr=}'[stdout and stderr logging and log rotation]: : _files' | ||
86 | '--no3d[disable 3D hardware acceleration]' | ||
87 | '--nodvd[disable DVD and audio CD devices]' | ||
88 | '--nogroups[disable supplementary groups]' | ||
89 | '--nonewprivs[sets the NO_NEW_PRIVS prctl]' | ||
90 | '--noprofile[do not use a security profile]' | ||
91 | '(--noexec)'{--noexec=,--noexec=}'[remount the file or directory noexec nosuid and nodev]: : _files' | ||
92 | '--ipc-namespace[enable a new IPC namespace]' | ||
93 | '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' | ||
94 | '--keep-var-tmp[/var/tmp directory is untouched]' | ||
95 | '--top[monitor the most CPU-intensive sandboxes]' | ||
96 | '--trace[trace open, access and connect system calls]' | ||
97 | '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | ||
98 | '--tree[print a tree of all sandboxed processes]' | ||
99 | '(--cpu)'{--cpu=,--cpu=}'[set cpu affinity]: :->cpus' | ||
100 | '--private-dev[create a new /dev directory with a small number of common device files]' | ||
101 | '--private-tmp[mount a tmpfs on top of /tmp directory]' | ||
102 | '--private-cwd[do not inherit working directory inside jail]' | ||
103 | '(--private-cwd)'{--private-cwd=,--private-cwd=}'[set working directory inside jail]: : _files -/' | ||
104 | '*'{--read-only=,--read-only=}'[set directory or file read-only]: : _files' | ||
105 | '*'{--read-write=,--read-write=}'[set directory or file read-write]: : _files' | ||
106 | '(--tmpfs)'{--tmpfs=,--tmpfs=}'[mount a tmpfs filesystem on directory dirname]: : _files -/' | ||
107 | '(--private-etc)'{--private-etc=,--private-etc=}'[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: : _files' | ||
108 | "--deterministic-exit-code[always exit with first child's status code]" | ||
109 | '--machine-id[preserve /etc/machine-id]' | ||
110 | # Sample values as I don't think | ||
111 | # many would enjoy getting a list from -20..20 | ||
112 | '(--nice)'{--nice=,--nice=}'[set nice value]: :(1 10 15 20)' | ||
113 | # Should be _files, a comma and files or files -/ | ||
114 | '*'{--bind=,--bind=}'[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | ||
115 | '--audit[audit the sandbox]' | ||
116 | '(--audit)'{--audit=,--audit=}'[audit the sandbox with a test-program]: :' | ||
117 | '(--cgroup)'{--cgroup=,--cgroup=}'[place the sandbox in the specified control group]: :' | ||
118 | '*'{--env=,--env=}'[set environment variable]: :' | ||
119 | '(--hostname)'{--hostname=,--hostname=}'[set sandbox hostname]: :' | ||
120 | '(--ignore)'{--ignore=,--ignore=}'[ignore command in profile files]: :' | ||
121 | '(--name)'{--name=,--name=}'[set sandbox name]: :' | ||
122 | '(--rlimit-as)'{--rlimit-as=,--rlimit-as=}"[set the maximum size of the process's virtual memory (address space) in bytes]: :" | ||
123 | '(--rlimit-cpu)'{--rlimit-cpu=,--rlimit-cpu=}'[set the maximum CPU time in seconds]: :' | ||
124 | '(--rlimit-fsize)'{--rlimit-fsize=,--rlimit-fsize=}'[set the maximum file size that can be created by a process]: :' | ||
125 | '(--rlimit-nofile)'{--rlimit-nofile=,--rlimit-nofile=}'[set the maximum number of files that can be opened by a process]: :' | ||
126 | '(--rlimit-nproc)'{--rlimit-nproc=,--rlimit-nproc=}'[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | ||
127 | '(--rlimit-sigpending)'{--rlimit-sigpending=,--rlimit-sigpending=}'[set the maximum number of pending signals for a process]: :' | ||
128 | '*'{--rmenv=,--rmenv=}'[remove environment variable in the new sandbox]: :' | ||
129 | '(--timeout)'{--timeout=,--timeout=}'[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' | ||
130 | "--quiet[turn off Firejail's output.]" | ||
131 | '--version[print program version and exit]' | ||
132 | #ifdef HAVE_APPARMOR | ||
133 | '--apparmor[enable AppArmor confinement]' | ||
134 | '(--apparmor.print=)'{--apparmor.print=,--apparmor.print=}'[print apparmor status name|pid]:firejail:_all_firejails' | ||
135 | #endif | ||
136 | #ifdef HAVE_CHROOT | ||
137 | '(--chroot)'{--chroot=,--chroot=}'[chroot into directory]: : _files -/' | ||
138 | #endif | ||
139 | #ifdef HAVE_FILE_TRANSFER | ||
140 | '(--get)'{--get=,--get=}'[get a file from sandbox container name|pid]: : _all_firejails' | ||
141 | # --put=name|pid src-filename dest-filename - put a file in sandbox container. | ||
142 | '(--put)'{--put=,--put=}'[put a file in sandbox container]: :' | ||
143 | '(--ls)'{--ls=,--ls=}'[list files in sandbox container name|pid]: : _all_firejails' | ||
144 | #endif | ||
145 | #ifdef HAVE_NETWORK | ||
146 | # '--net=none[enable a new, unconnected network namespace]' | ||
147 | '(--net)'{--net=,--net=}'[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' | ||
148 | '(--net.print)'{--net.print=,--net.print=}'[print network interface configuration name|pid]: : _all_firejails' | ||
149 | '(--netfilter.print)'{--netfilter.print=,--netfilter.print=}'[print the firewall name|pid]: : _all_firejails' | ||
150 | '(--netfilter6.print)'{--netfilter6.print=,--netfilter6.print=}'[print the IPv6 firewall name|pid]: : _all_firejails' | ||
151 | '--netstats[monitor network statistics]' | ||
152 | '(--netmask)'{--netmask=,--netmask=}'[define a network mask when dealing with unconfigured parrent interfaces]: :' | ||
153 | '(--netns)'{--netns=,--netns=}'[Run the program in a named, persistent network namespace]: :' | ||
154 | '(--netfilter)'{--netfilter=,--netfilter=}'[enable firewall]: :' | ||
155 | '(--netfilter6)'{--netfilter6=,--netfilter6=}'[enable IPv6 firewall]: :' | ||
156 | '(--veth-name)'{--veth-name=,--veth-name=}'[use this name for the interface connected to the bridge]: :' | ||
157 | '(--join-network)'{--join-network=,--join-network=}'[join the network namespace name|pid]: : _all_firejails' | ||
158 | '(--defaultgw)'{--defaultgw=,--defaultgw=}'[configure default gateway]: :' | ||
159 | '(--ip)'{--ip=,--ip=}'[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' | ||
160 | '(--dns.print)'{--dns.print=,--dns.print=}'[print DNS configuration name|pid]: : _all_firejails' | ||
161 | '(--interface)'{--interface=,--interface=}'[move interface in sandbox]: :' | ||
162 | '(--ip6)'{--ip6=,--ip6=}'[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' | ||
163 | '(--iprange)'{--iprange=,--iprange=}'[configure an IP address in this range]: :' | ||
164 | '(--mac)'{--mac=,--mac=}'[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' | ||
165 | '(--mtu)'{--mtu=,--mtu=}'[set interface MTU]: :' | ||
166 | '--scan[ARP-scan all the networks from inside a network namespace]' | ||
167 | '(--bandwidth)'{--bandwidth=,--bandwidth=}'[set bandwidth limits name|pid]: : _all_firejails' | ||
168 | #endif | ||
169 | #ifdef HAVE_X11 | ||
170 | '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' | ||
171 | '(--x11)'{--x11=,--x11=}'[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' | ||
172 | '(--xephyr-screen)'{--xephyr-screen=,--xephyr-screen=}'[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' | ||
173 | #endif | ||
174 | #ifdef HAVE_USERNS | ||
175 | '--noroot[install a user namespace with only the current user]' | ||
176 | #endif | ||
177 | '--nosound[disable sound system]' | ||
178 | '--noautopulse[disable automatic ~/.config/pulse init]' | ||
179 | '--novideo[disable video devices]' | ||
180 | '--nou2f[disable U2F devices]' | ||
181 | #ifdef HAVE_OVERLAYFS | ||
182 | '--overlay[mount a filesystem overlay on top of the current filesystem]' | ||
183 | '(--overlay-named)'{--overlay-named=,--overlay-named=}'[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: : _files -/' | ||
184 | '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' | ||
185 | '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' | ||
186 | #endif | ||
187 | #ifdef HAVE_WHITELIST | ||
188 | '(--nowhitelist)'{--nowhitelist=,--nowhitelist=}'[disable whitelist for file or directory]: : _files' | ||
189 | '*'{--whitelist=,--whitelist=}'[whitelist directory or file]: : _files' | ||
190 | #endif | ||
191 | '(--noblacklist)'{--noblacklist=,--noblacklist=}'[disable blacklist for file or directory]: : _files' | ||
192 | #ifdef HAVE_DBUSPROXY | ||
193 | '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy or none]: :' | ||
194 | '(--dbus-system.broadcast)'{--dbus-system.broadcast=,--dbus-system.broadcast=}'[allow signals on the system DBus according to rule]: :' | ||
195 | '(--dbus-system.call)'{--dbus-system.call=,--dbus-system.call=}'[allow calls on the system DBus according to rule]: :' | ||
196 | '(--dbus-system.own)'{--dbus-system.own=,--dbus-system.own=}'[allow ownership of name on the system DBus]: :' | ||
197 | '(--dbus-system.see)'{--dbus-system.see=,--dbus-system.see=}'[allow seeing name on the system DBus]: :' | ||
198 | '(--dbus-system.talk)'{--dbus-system.talk=,--dbus-system.talk=}'[allow talking to name on the system DBus]: :' | ||
199 | '(--dbus-user)'{--dbus-user=,--dbus-user=}'[set session DBus access policy or none]: :' | ||
200 | '(--dbus-user.broadcast)'{--dbus-user.broadcast=,--dbus-user.broadcast=}'[allow signals on the session DBus according to rule]: :' | ||
201 | '(--dbus-user.call)'{--dbus-user.call=,--dbus-user.call=}'[allow calls on the session DBus according to rule]: :' | ||
202 | '(--dbus-user.see)'{--dbus-user.see=,--dbus-user.see=}'[allow seeing name on the session DBus]: :' | ||
203 | '(--dbus-user.talk)'{--dbus-user.talk=,--dbus-user.talk=}'[allow talking to name on the session DBus]: :' | ||
204 | '(--dbus-log)'{--dbus-log=,--dbus-log=}'[set DBus log file location]: : _files' | ||
205 | '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy]: :(filter none)' | ||
206 | '--dbus-user.log[turn on logging for the user DBus]' | ||
207 | '(--dbus-user.own)'{--dbus-user.own=,--dbus-user.own=}'[allow ownership of name on the session DBus]: :' | ||
208 | '--dbus-system.log[turn on logging for the system DBus]' | ||
209 | '--nodbus[disable D-Bus access]' | ||
210 | #endif | ||
211 | #ifdef HAVE_PRIVATE_HOME | ||
212 | '(--private-home)'{--private-home=,--private-home=}'[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :' | ||
213 | #endif | ||
214 | '(--private-bin)'{--private-bin=,--private-bin=}'[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' | ||
215 | '(--private-opt)'{--private-opt=,--private-opt=}'[build a new /opt in a temporary filesystem]: :' | ||
216 | '(--private-srv)'{--private-srv=,--private-srv=}'[build a new /srv in a temporary filesystem]: :' | ||
217 | #ifdef HAVE_USERTMPFS | ||
218 | '--private-cache[temporary ~/.cache directory]' | ||
219 | #endif | ||
220 | #ifdef HAVE_FIRETUNNEL | ||
221 | '(--tunnel)'{--tunnel=,--tunnel=}'[connect the sandbox to a tunnel created by firetunnel utility]: :' | ||
222 | #endif | ||
223 | ) | ||
224 | |||
225 | |||
226 | _firejail() { | ||
227 | _arguments -S $_firejail_args | ||
228 | case "$state" in | ||
229 | caps_drop) | ||
230 | local caps_and_all=(all $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) | ||
231 | _values -s "," 'caps_drop' $caps_and_all | ||
232 | ;; | ||
233 | caps_keep) | ||
234 | local caps=($(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) | ||
235 | _values -s "," 'caps_keep' $caps | ||
236 | ;; | ||
237 | cpus) | ||
238 | _values -s "," 'cpus' $(_all_cpus) | ||
239 | ;; | ||
240 | net_or_none) | ||
241 | local netdevs=($(ip link | awk '{print $2}' | grep '^.*:$' | tr -d ':')) | ||
242 | local net_and_none=(none $netdevs) | ||
243 | _values 'net' $net_and_none | ||
244 | ;; | ||
245 | esac | ||
246 | } | ||