-rw-r--r-- | contrib/vim/syntax/firejail.vim | 2 | ||||
-rw-r--r-- | src/firejail/usage.c | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.txt | 3 | ||||
-rw-r--r-- | src/man/firejail.txt | 4 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 1 |
5 files changed, 10 insertions, 1 deletions
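--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained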
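--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -161,6 +161,7 @@ static char *usage_str =
 " --nogroups - disable supplementary groups.\n"
 " --noinput - disable input devices.\n"
 " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+" --noprinters - disable printers.\n"
 " --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
 " --noroot - install a user namespace with only the current user.\n"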
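Review bot: The new help line describes `--noprinters` only as "disable printers", which does not tell a user what the sandbox actually restricts, whereas the neighbouring `--nonewprivs` entry names its mechanism (the NO_NEW_PRIVS prctl). Nothing in this diff adds parsing or enforcement for the option in main.c or profile.c, so either that already exists outside this commit or the help text, both man pages, the zsh completion and the vim keyword list now advertise a keyword that is not handled — worth confirming before merge. Once the mechanism is settled, state it in one clause here, e.g. `" --noprinters - disable printers (<what is blocked>).\n"`, and mirror the same sentence in the firejail.txt and firejail-profile.txt entries so a profile author can judge what coverage the option gives. The usage_str initializer starts and ends outside this hunk.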
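--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -489,6 +489,9 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes
 cannot acquire new privileges using execve(2); in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+.TP
+\fBnoprinters
+Disable printers.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot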
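--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1634,6 +1634,10 @@ does not result in an increase of privilege. This option
 is enabled by default if seccomp filter is activated.
 
 .TP
+\fB\-\-noprinters
+Disable printers.
+
+.TP
 \fB\-\-noprofile
 Do not use a security profile.
 .br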
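--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -123,6 +123,7 @@ _firejail_args=(
 '--nogroups[disable supplementary groups]'
 '--noinput[disable input devices]'
 '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+'--noprinters[disable printers]'
 '--nosound[disable sound system]'
 '--nou2f[disable U2F devices]'
 '--novideo[disable video devices]'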