-rw-r--r-- | .github/workflows/build-extra.yml | 2 | ||||
-rw-r--r-- | .github/workflows/build.yml | 2 | ||||
-rw-r--r-- | .github/workflows/check-c.yml | 8 | ||||
-rw-r--r-- | .github/workflows/check-profiles.yml | 2 | ||||
-rw-r--r-- | .github/workflows/check-python.yml | 2 | ||||
-rw-r--r-- | .github/workflows/codespell.yml | 2 | ||||
-rw-r--r-- | .github/workflows/test.yml | 10 | ||||
-rw-r--r-- | README | 39 | ||||
-rw-r--r-- | RELNOTES | 7 | ||||
-rw-r--r-- | contrib/syntax/lists/profile_commands_arg0.list | 1 | ||||
-rw-r--r-- | etc/profile-a-l/default.profile | 1 | ||||
-rw-r--r-- | etc/templates/profile.template | 1 | ||||
-rw-r--r-- | src/fbuilder/build_profile.c | 1 | ||||
-rw-r--r-- | src/firejail/firejail.h | 2 | ||||
-rw-r--r-- | src/firejail/fs_dev.c | 17 | ||||
-rw-r--r-- | src/firejail/main.c | 3 | ||||
-rw-r--r-- | src/firejail/profile.c | 4 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 3 | ||||
-rw-r--r-- | src/firejail/usage.c | 2 | ||||
-rw-r--r-- | src/include/etc_groups.h | 1 | ||||
-rw-r--r-- | src/man/firejail-profile.5.in | 11 | ||||
-rw-r--r-- | src/man/firejail.1.in | 21 | ||||
-rw-r--r-- | src/zsh_completion/_firejail.in | 2 |
23 files changed, 114 insertions, 30 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 76e12116b..ccc5c9bf7 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -44,7 +44,7 @@ jobs: | |||
44 | timeout-minutes: 10 | 44 | timeout-minutes: 10 |
45 | steps: | 45 | steps: |
46 | - name: Harden Runner | 46 | - name: Harden Runner |
47 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 47 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
48 | with: | 48 | with: |
49 | egress-policy: block | 49 | egress-policy: block |
50 | allowed-endpoints: > | 50 | allowed-endpoints: > |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 34545f3b2..e7752f3d3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -60,7 +60,7 @@ jobs: | |||
60 | timeout-minutes: 10 | 60 | timeout-minutes: 10 |
61 | steps: | 61 | steps: |
62 | - name: Harden Runner | 62 | - name: Harden Runner |
63 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 63 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
64 | with: | 64 | with: |
65 | egress-policy: block | 65 | egress-policy: block |
66 | allowed-endpoints: > | 66 | allowed-endpoints: > |
diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index cfdcc4397..a0b7245e5 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml | |||
@@ -46,7 +46,7 @@ jobs: | |||
46 | timeout-minutes: 10 | 46 | timeout-minutes: 10 |
47 | steps: | 47 | steps: |
48 | - name: Harden Runner | 48 | - name: Harden Runner |
49 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 49 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
50 | with: | 50 | with: |
51 | egress-policy: block | 51 | egress-policy: block |
52 | allowed-endpoints: > | 52 | allowed-endpoints: > |
@@ -79,7 +79,7 @@ jobs: | |||
79 | timeout-minutes: 10 | 79 | timeout-minutes: 10 |
80 | steps: | 80 | steps: |
81 | - name: Harden Runner | 81 | - name: Harden Runner |
82 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 82 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
83 | with: | 83 | with: |
84 | egress-policy: block | 84 | egress-policy: block |
85 | allowed-endpoints: > | 85 | allowed-endpoints: > |
@@ -109,7 +109,7 @@ jobs: | |||
109 | timeout-minutes: 10 | 109 | timeout-minutes: 10 |
110 | steps: | 110 | steps: |
111 | - name: Harden Runner | 111 | - name: Harden Runner |
112 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 112 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
113 | with: | 113 | with: |
114 | egress-policy: block | 114 | egress-policy: block |
115 | allowed-endpoints: > | 115 | allowed-endpoints: > |
@@ -143,7 +143,7 @@ jobs: | |||
143 | 143 | ||
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 146 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
147 | with: | 147 | with: |
148 | disable-sudo: true | 148 | disable-sudo: true |
149 | egress-policy: block | 149 | egress-policy: block |
diff --git a/.github/workflows/check-profiles.yml b/.github/workflows/check-profiles.yml index c9d3b037e..38cb1f29b 100644 --- a/.github/workflows/check-profiles.yml +++ b/.github/workflows/check-profiles.yml | |||
@@ -33,7 +33,7 @@ jobs: | |||
33 | 33 | ||
34 | steps: | 34 | steps: |
35 | - name: Harden Runner | 35 | - name: Harden Runner |
36 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 36 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
37 | with: | 37 | with: |
38 | disable-sudo: true | 38 | disable-sudo: true |
39 | egress-policy: block | 39 | egress-policy: block |
diff --git a/.github/workflows/check-python.yml b/.github/workflows/check-python.yml index 2a8e82a62..838414498 100644 --- a/.github/workflows/check-python.yml +++ b/.github/workflows/check-python.yml | |||
@@ -31,7 +31,7 @@ jobs: | |||
31 | 31 | ||
32 | steps: | 32 | steps: |
33 | - name: Harden Runner | 33 | - name: Harden Runner |
34 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 34 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
35 | with: | 35 | with: |
36 | disable-sudo: true | 36 | disable-sudo: true |
37 | egress-policy: block | 37 | egress-policy: block |
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 3d8de04f7..6e0fe73d2 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml | |||
@@ -24,7 +24,7 @@ jobs: | |||
24 | timeout-minutes: 5 | 24 | timeout-minutes: 5 |
25 | steps: | 25 | steps: |
26 | - name: Harden Runner | 26 | - name: Harden Runner |
27 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 27 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
28 | with: | 28 | with: |
29 | egress-policy: block | 29 | egress-policy: block |
30 | allowed-endpoints: > | 30 | allowed-endpoints: > |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4de44c2c6..c1ee00934 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml | |||
@@ -54,7 +54,7 @@ jobs: | |||
54 | SHELL: /bin/bash | 54 | SHELL: /bin/bash |
55 | steps: | 55 | steps: |
56 | - name: Harden Runner | 56 | - name: Harden Runner |
57 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 57 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
58 | with: | 58 | with: |
59 | egress-policy: block | 59 | egress-policy: block |
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
@@ -103,7 +103,7 @@ jobs: | |||
103 | SHELL: /bin/bash | 103 | SHELL: /bin/bash |
104 | steps: | 104 | steps: |
105 | - name: Harden Runner | 105 | - name: Harden Runner |
106 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 106 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
107 | with: | 107 | with: |
108 | egress-policy: block | 108 | egress-policy: block |
109 | allowed-endpoints: > | 109 | allowed-endpoints: > |
@@ -143,7 +143,7 @@ jobs: | |||
143 | SHELL: /bin/bash | 143 | SHELL: /bin/bash |
144 | steps: | 144 | steps: |
145 | - name: Harden Runner | 145 | - name: Harden Runner |
146 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 146 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
147 | with: | 147 | with: |
148 | egress-policy: block | 148 | egress-policy: block |
149 | allowed-endpoints: > | 149 | allowed-endpoints: > |
@@ -183,7 +183,7 @@ jobs: | |||
183 | SHELL: /bin/bash | 183 | SHELL: /bin/bash |
184 | steps: | 184 | steps: |
185 | - name: Harden Runner | 185 | - name: Harden Runner |
186 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 186 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
187 | with: | 187 | with: |
188 | egress-policy: block | 188 | egress-policy: block |
189 | allowed-endpoints: > | 189 | allowed-endpoints: > |
@@ -225,7 +225,7 @@ jobs: | |||
225 | SHELL: /bin/bash | 225 | SHELL: /bin/bash |
226 | steps: | 226 | steps: |
227 | - name: Harden Runner | 227 | - name: Harden Runner |
228 | uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 | 228 | uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 |
229 | with: | 229 | with: |
230 | egress-policy: block | 230 | egress-policy: block |
231 | allowed-endpoints: > | 231 | allowed-endpoints: > |
@@ -171,7 +171,7 @@ aoand (https://github.com/aoand) | |||
171 | Arne Welzel (https://github.com/awelzel) | 171 | Arne Welzel (https://github.com/awelzel) |
172 | - ignore SIGTTOU during flush_stdin() | 172 | - ignore SIGTTOU during flush_stdin() |
173 | archaon616 (https://github.com/archaon616) | 173 | archaon616 (https://github.com/archaon616) |
174 | - steam.profile: Allow Factorio | 174 | - steam.profile: allow Factorio, Zomboid |
175 | Atrate (https://github.com/Atrate) | 175 | Atrate (https://github.com/Atrate) |
176 | - BetterDiscord support | 176 | - BetterDiscord support |
177 | Austin Morton (https://github.com/apmorton) | 177 | Austin Morton (https://github.com/apmorton) |
@@ -326,6 +326,8 @@ curiosityseeker (https://github.com/curiosityseeker - new) | |||
326 | - fixed conky profile | 326 | - fixed conky profile |
327 | - thunderbird.profile: harden and enable the rules necessary to make | 327 | - thunderbird.profile: harden and enable the rules necessary to make |
328 | Firefox open links | 328 | Firefox open links |
329 | D357R0Y3R (https://github.com/D357R0Y3R) | ||
330 | - added floorp to firejail.config | ||
329 | da2x (https://github.com/da2x) | 331 | da2x (https://github.com/da2x) |
330 | - matched RPM license tag | 332 | - matched RPM license tag |
331 | Daan Bakker (https://github.com/dbakker) | 333 | Daan Bakker (https://github.com/dbakker) |
@@ -371,6 +373,8 @@ DiGitHubCap (https://github.com/DiGitHubCap) | |||
371 | - fix qt5ct colour schemes and QSS | 373 | - fix qt5ct colour schemes and QSS |
372 | Dieter Plaetinck (https://github.com/Dieterbe) | 374 | Dieter Plaetinck (https://github.com/Dieterbe) |
373 | - qutebrowser: update MPRIS name for qutebrowser-qt6 | 375 | - qutebrowser: update MPRIS name for qutebrowser-qt6 |
376 | - fix email-common.profile | ||
377 | - fix claws-mail profile | ||
374 | Disconnect3d (https://github.com/disconnect3d) | 378 | Disconnect3d (https://github.com/disconnect3d) |
375 | - code cleanup | 379 | - code cleanup |
376 | dm9pZCAq (https://github.com/dm9pZCAq) | 380 | dm9pZCAq (https://github.com/dm9pZCAq) |
@@ -408,13 +412,18 @@ Fabian Würfl (https://github.com/BafDyce) | |||
408 | - Liferea profile | 412 | - Liferea profile |
409 | Felipe Barriga Richards (https://github.com/fbarriga) | 413 | Felipe Barriga Richards (https://github.com/fbarriga) |
410 | - --private-etc fix | 414 | - --private-etc fix |
415 | Felix Pehla (https://github.com/FelixPehla) | ||
416 | - fix fractal profile | ||
411 | fenuks (https://github.com/fenuks) | 417 | fenuks (https://github.com/fenuks) |
412 | - fix sound in games using FMOD | 418 | - fix sound in games using FMOD |
413 | - allow /opt/tor-browser for Tor Browser profile | 419 | - allow /opt/tor-browser for Tor Browser profile |
414 | fkrone (https://github.com/fkrone) | 420 | fkrone (https://github.com/fkrone) |
415 | - fix Zoom profile | 421 | - fix Zoom profile |
416 | Fidel Ramos (https://github.com/haplo) | 422 | Fidel Ramos (https://github.com/haplo) |
417 | - Ledger Live profile | 423 | - added Ledger Live profile |
424 | - fixed geeqie profile | ||
425 | - added rawtherapee profile | ||
426 | - added electron-cache profile | ||
418 | Florian Begusch (https://github.com/florianbegusch) | 427 | Florian Begusch (https://github.com/florianbegusch) |
419 | - (la)tex profiles | 428 | - (la)tex profiles |
420 | - fixed transmission-common.profile | 429 | - fixed transmission-common.profile |
@@ -567,6 +576,9 @@ Haowei Yu (https://github.com/sfc-gh-hyu) | |||
567 | Icaro Perseo (https://github.com/icaroperseo) | 576 | Icaro Perseo (https://github.com/icaroperseo) |
568 | - Icecat profile | 577 | - Icecat profile |
569 | - several profile fixes | 578 | - several profile fixes |
579 | Ilya Pankratov (https://github.com/i-pankrat) | ||
580 | - profstats fix | ||
581 | - fix various memory resource leaks | ||
570 | Igor Bukanov (https://github.com/ibukanov) | 582 | Igor Bukanov (https://github.com/ibukanov) |
571 | - found/fiixed privilege escalation in --hosts-file option | 583 | - found/fiixed privilege escalation in --hosts-file option |
572 | iiotx (https://github.com/iiotx) | 584 | iiotx (https://github.com/iiotx) |
@@ -739,6 +751,8 @@ Liorst4 (https://github.com/Liorst4) | |||
739 | - minetest fixes | 751 | - minetest fixes |
740 | Lockdis (https://github.com/Lockdis) | 752 | Lockdis (https://github.com/Lockdis) |
741 | - Added crow, nyx, and google-earth-pro profiles | 753 | - Added crow, nyx, and google-earth-pro profiles |
754 | luca0N (https://github.com/luca0N) | ||
755 | - fixed crawl profile | ||
742 | Lukáš Krejčí (https://github.com/lskrejci) | 756 | Lukáš Krejčí (https://github.com/lskrejci) |
743 | - fixed parsing of --keep-var-tmp | 757 | - fixed parsing of --keep-var-tmp |
744 | luzpaz (https://github.com/luzpaz) | 758 | luzpaz (https://github.com/luzpaz) |
@@ -794,6 +808,8 @@ Michael Haas (https://github.com/mhaas) | |||
794 | - bugfixes | 808 | - bugfixes |
795 | Michael Hoffmann (https://github.com/brisad) | 809 | Michael Hoffmann (https://github.com/brisad) |
796 | - added support for subdirs in private-etc | 810 | - added support for subdirs in private-etc |
811 | Michele Sorcinelli (https://github.com/michelesr) | ||
812 | - fix ssh profile | ||
797 | Mike Frysinger (vapier@gentoo.org) | 813 | Mike Frysinger (vapier@gentoo.org) |
798 | - Gentoo compile patch | 814 | - Gentoo compile patch |
799 | minus7 (https://github.com/minus7) | 815 | minus7 (https://github.com/minus7) |
@@ -855,6 +871,7 @@ nolanl (https://github.com/nolanl) | |||
855 | nutta-git (https://github.com/nutta-git) | 871 | nutta-git (https://github.com/nutta-git) |
856 | - steam.profile: allow process_vm_readv syscall | 872 | - steam.profile: allow process_vm_readv syscall |
857 | - lutris.profile: allow more syscalls | 873 | - lutris.profile: allow more syscalls |
874 | - steam.profile: update novideo comment for webcam motion trackers | ||
858 | nyancat18 (https://github.com/nyancat18) | 875 | nyancat18 (https://github.com/nyancat18) |
859 | - added ardour4, dooble, karbon, krita profiles | 876 | - added ardour4, dooble, karbon, krita profiles |
860 | nya1 (https://github.com/nya1) | 877 | nya1 (https://github.com/nya1) |
@@ -949,6 +966,8 @@ pszxzsd (https://github.com/pszxzsd) | |||
949 | -uGet profile | 966 | -uGet profile |
950 | pwnage-pineapple (https://github.com/pwnage-pineapple) | 967 | pwnage-pineapple (https://github.com/pwnage-pineapple) |
951 | - update Okular profile | 968 | - update Okular profile |
969 | qdii (https://github.com/qdii) | ||
970 | - added notpm command & keep tpm devices in private-dev | ||
952 | Quentin Retornaz (https://github.com/qretornaz-adapei42) | 971 | Quentin Retornaz (https://github.com/qretornaz-adapei42) |
953 | - microsoft-edge profiles fixes | 972 | - microsoft-edge profiles fixes |
954 | Quentin Minster (https://github.com/laomaiweng) | 973 | Quentin Minster (https://github.com/laomaiweng) |
@@ -1003,6 +1022,8 @@ rootalc (https://github.com/rootalc) | |||
1003 | - add nolocal6.net filter | 1022 | - add nolocal6.net filter |
1004 | Ruan (https://github.com/ruany) | 1023 | Ruan (https://github.com/ruany) |
1005 | - fixed hexchat profile | 1024 | - fixed hexchat profile |
1025 | RundownRhino (https://github.com/RundownRhino) | ||
1026 | - firefox profile fix | ||
1006 | rusty-snake (https://github.com/rusty-snake) | 1027 | rusty-snake (https://github.com/rusty-snake) |
1007 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter | 1028 | - added profiles: thunderbird-wayland, supertuxkart, ghostwriter |
1008 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano | 1029 | - added profiles: klavaro, mypaint, mypaint-ora-thumbnailer, nano |
@@ -1040,18 +1061,17 @@ Serphentas (https://github.com/Serphentas) | |||
1040 | - add Paradox Launcher to Steam profile | 1061 | - add Paradox Launcher to Steam profile |
1041 | Slava Monich (https://github.com/monich) | 1062 | Slava Monich (https://github.com/monich) |
1042 | - added configure option to disable man pages | 1063 | - added configure option to disable man pages |
1043 | Tobias Schmidl (https://github.com/schtobia) | ||
1044 | - added profile for webui-aria2 | ||
1045 | Simon Peter (https://github.com/probonopd) | 1064 | Simon Peter (https://github.com/probonopd) |
1046 | - set $APPIMAGE and $APPDIR environment variables | 1065 | - set $APPIMAGE and $APPDIR environment variables |
1047 | - AppImage version detection | 1066 | - AppImage version detection |
1048 | - Leafppad type v1 and v2 appimage packages in test/appimage | 1067 | - Leafppad type v1 and v2 appimage packages in test/appimage |
1049 | - GitHub/Travis CI integration | 1068 | - GitHub/Travis CI integration |
1069 | Simo Piiroinen (https://github.com/spiiroin) | ||
1070 | - Jolla/SailfishOS patches | ||
1071 | - fix startup race condition for /run/firejail directory | ||
1050 | sinkuu (https://github.com/sinkuu) | 1072 | sinkuu (https://github.com/sinkuu) |
1051 | - blacklisting kwalletd | 1073 | - blacklisting kwalletd |
1052 | - fix symlink invocation for programs placing symlinks in $PATH | 1074 | - fix symlink invocation for programs placing symlinks in $PATH |
1053 | Simo Piiroinen (https://github.com/spiiroin) | ||
1054 | - Jolla/SailfishOS patches | ||
1055 | slowpeek (https://github.com/slowpeek) | 1075 | slowpeek (https://github.com/slowpeek) |
1056 | - refine appimage example in docs | 1076 | - refine appimage example in docs |
1057 | - allow resolution of .local names with avahi-daemon in the apparmor profile | 1077 | - allow resolution of .local names with avahi-daemon in the apparmor profile |
@@ -1059,6 +1079,9 @@ slowpeek (https://github.com/slowpeek) | |||
1059 | - make appimage examples consistent with --appimage option short description | 1079 | - make appimage examples consistent with --appimage option short description |
1060 | - blacklist google-drive-ocamlfuse config | 1080 | - blacklist google-drive-ocamlfuse config |
1061 | - blacklist sendgmail config | 1081 | - blacklist sendgmail config |
1082 | Shahriar Heidrich (https://github.com/smheidrich) | ||
1083 | - fix manpages | ||
1084 | - fix i3 profile and disable-programs.profile | ||
1062 | smitsohu (https://github.com/smitsohu) | 1085 | smitsohu (https://github.com/smitsohu) |
1063 | - read-only kde4 services directory | 1086 | - read-only kde4 services directory |
1064 | - enhanced mediathekview profile | 1087 | - enhanced mediathekview profile |
@@ -1187,6 +1210,8 @@ Tomasz Jan Góralczyk (https://github.com/tjg) | |||
1187 | - fixed Steam profile | 1210 | - fixed Steam profile |
1188 | Tomi Leppänen (https://github.com/Tomin1) | 1211 | Tomi Leppänen (https://github.com/Tomin1) |
1189 | - Jolla/SailfishOS patches | 1212 | - Jolla/SailfishOS patches |
1213 | Tobias Schmidl (https://github.com/schtobia) | ||
1214 | - added profile for webui-aria2 | ||
1190 | Topi Miettinen (https://github.com/topimiettinen) | 1215 | Topi Miettinen (https://github.com/topimiettinen) |
1191 | - improved seccomp printing | 1216 | - improved seccomp printing |
1192 | - improve mount handling, fix /run/user handling | 1217 | - improve mount handling, fix /run/user handling |
@@ -1201,6 +1226,8 @@ Ted Robertson (https://github.com/tredondo) | |||
1201 | - various documentation fixes | 1226 | - various documentation fixes |
1202 | - blacklist Exodus wallet | 1227 | - blacklist Exodus wallet |
1203 | - blacklist monero-project directory | 1228 | - blacklist monero-project directory |
1229 | tools200ms (https://github.com/tools200ms) | ||
1230 | - fixed allow-ssh.inc | ||
1204 | Tus1688 (https://github.com/Tus1688) | 1231 | Tus1688 (https://github.com/Tus1688) |
1205 | - added neovim profile | 1232 | - added neovim profile |
1206 | user1024 (user1024@tut.by) | 1233 | user1024 (user1024@tut.by) |
@@ -17,6 +17,7 @@ firejail (0.9.73) baseline; urgency=low | |||
17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 | 17 | * feature: add Landlock support (#5269 #6078 #6115 #6125 #6187 #6195 #6200 |
18 | #6228 #6260 #6302 #6305) | 18 | #6228 #6260 #6302 #6305) |
19 | * feature: add support for comm, coredump, and prctl procevents in firemon | 19 | * feature: add support for comm, coredump, and prctl procevents in firemon |
20 | * feature: add notpm command & keep tpm devices in private-dev (#6379 #6390) | ||
20 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 21 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
21 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 22 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
22 | from containing only digits (#5578 #5741) | 23 | from containing only digits (#5578 #5741) |
@@ -31,7 +32,8 @@ firejail (0.9.73) baseline; urgency=low | |||
31 | * modif: drop deprecated 'shell' option references (#5894) | 32 | * modif: drop deprecated 'shell' option references (#5894) |
32 | * modif: keep pipewire group unless nosound is used (#5992 #5993) | 33 | * modif: keep pipewire group unless nosound is used (#5992 #5993) |
33 | * modif: fcopy: Use lstat when copying directory (#5957) | 34 | * modif: fcopy: Use lstat when copying directory (#5957) |
34 | * modif: populate /run/firejail while holding flock (#6307) | 35 | * modif: private-dev: keep /dev/kfd unless no3d is used (#6380) |
36 | * modif: keep /sys/module/nvidia* if prop driver and no no3d (#6372 #6387) | ||
35 | * removal: LTS and FIRETUNNEL support | 37 | * removal: LTS and FIRETUNNEL support |
36 | * bugfix: fix --hostname and --hosts-file commands | 38 | * bugfix: fix --hostname and --hosts-file commands |
37 | * bugfix: fix examples in firejail-local AppArmor profile (#5717) | 39 | * bugfix: fix examples in firejail-local AppArmor profile (#5717) |
@@ -40,6 +42,7 @@ firejail (0.9.73) baseline; urgency=low | |||
40 | (#5965 #5976) | 42 | (#5965 #5976) |
41 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 | 43 | * bugfix: firejail --ls reports wrong file sizes for large files (#5982 |
42 | #6086) | 44 | #6086) |
45 | * bugfix: fix startup race condition for /run/firejail directory (#6307) | ||
43 | * bugfix: fix various resource leaks (#6367) | 46 | * bugfix: fix various resource leaks (#6367) |
44 | * bugfix: profstats: fix restrict-namespaces max count (#6369) | 47 | * bugfix: profstats: fix restrict-namespaces max count (#6369) |
45 | * build: auto-generate syntax files (#5627) | 48 | * build: auto-generate syntax files (#5627) |
@@ -104,6 +107,8 @@ firejail (0.9.73) baseline; urgency=low | |||
104 | * docs: add uninstall instructions to README.md (#5812) | 107 | * docs: add uninstall instructions to README.md (#5812) |
105 | * docs: add precedence info to manpage & fix noblacklist example (#6358 | 108 | * docs: add precedence info to manpage & fix noblacklist example (#6358 |
106 | #6359) | 109 | #6359) |
110 | * docs: bug_report.md: use absolute path in 'steps to reproduce' (#6382) | ||
111 | * docs: man: format and sort some private- items (#6398) | ||
107 | * legal: selinux.c: Split Copyright notice & use same license as upstream | 112 | * legal: selinux.c: Split Copyright notice & use same license as upstream |
108 | (#5667) | 113 | (#5667) |
109 | * profiles: qutebrowser: fix links not opening in the existing instance | 114 | * profiles: qutebrowser: fix links not opening in the existing instance |
diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list index 0ac70e5cf..13adfeddc 100644 --- a/contrib/syntax/lists/profile_commands_arg0.list +++ b/contrib/syntax/lists/profile_commands_arg0.list | |||
@@ -27,6 +27,7 @@ nonewprivs | |||
27 | noprinters | 27 | noprinters |
28 | noroot | 28 | noroot |
29 | nosound | 29 | nosound |
30 | notpm | ||
30 | notv | 31 | notv |
31 | nou2f | 32 | nou2f |
32 | novideo | 33 | novideo |
diff --git a/etc/profile-a-l/default.profile b/etc/profile-a-l/default.profile index b0ae2d49f..659d9755e 100644 --- a/etc/profile-a-l/default.profile +++ b/etc/profile-a-l/default.profile | |||
@@ -37,6 +37,7 @@ noinput | |||
37 | nonewprivs | 37 | nonewprivs |
38 | noroot | 38 | noroot |
39 | #nosound | 39 | #nosound |
40 | #notpm | ||
40 | notv | 41 | notv |
41 | #nou2f | 42 | #nou2f |
42 | novideo | 43 | novideo |
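Review bot: `#notpm` lands in default.profile commented out, so the TPM character devices stay visible to every sandbox that does not opt out, which follows the `#nosound`/`#nou2f` pattern rather than the enabled `notv`/`novideo` lines two rows away. Few desktop applications talk to a TPM, and a reachable TPM lets a sandboxed process use keys sealed to it, so the profile should say why the permissive default was chosen. If it is deliberate, a one-line comment above the entry such as `# TPM access is left enabled by default; uncomment notpm to remove /dev/tpm* from the sandbox` would make the trade-off explicit for people copying this profile.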
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 459baf51a..d7c170303 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -175,6 +175,7 @@ include globals.local | |||
175 | #noprinters | 175 | #noprinters |
176 | #noroot | 176 | #noroot |
177 | #nosound | 177 | #nosound |
178 | #notpm | ||
178 | #notv | 179 | #notv |
179 | #nou2f | 180 | #nou2f |
180 | #novideo | 181 | #novideo |
diff --git a/src/fbuilder/build_profile.c b/src/fbuilder/build_profile.c index ab6eaf1dd..089dff663 100644 --- a/src/fbuilder/build_profile.c +++ b/src/fbuilder/build_profile.c | |||
@@ -138,6 +138,7 @@ void build_profile(int argc, char **argv, int index, FILE *fp) { | |||
138 | fprintf(fp, "#noinput\t# disable input devices\n"); | 138 | fprintf(fp, "#noinput\t# disable input devices\n"); |
139 | fprintf(fp, "nonewprivs\n"); | 139 | fprintf(fp, "nonewprivs\n"); |
140 | fprintf(fp, "noroot\n"); | 140 | fprintf(fp, "noroot\n"); |
141 | fprintf(fp, "#notpm\t# disable TPM devices\n"); | ||
141 | fprintf(fp, "#notv\t# disable DVB TV devices\n"); | 142 | fprintf(fp, "#notv\t# disable DVB TV devices\n"); |
142 | fprintf(fp, "#nou2f\t# disable U2F devices\n"); | 143 | fprintf(fp, "#nou2f\t# disable U2F devices\n"); |
143 | fprintf(fp, "#novideo\t# disable video capture devices\n"); | 144 | fprintf(fp, "#novideo\t# disable video capture devices\n"); |
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 736af018d..8683e0f77 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h | |||
@@ -368,6 +368,7 @@ extern int arg_noprofile; // use default.profile if none other found/specified | |||
368 | extern int arg_memory_deny_write_execute; // block writable and executable memory | 368 | extern int arg_memory_deny_write_execute; // block writable and executable memory |
369 | extern int arg_notv; // --notv | 369 | extern int arg_notv; // --notv |
370 | extern int arg_nodvd; // --nodvd | 370 | extern int arg_nodvd; // --nodvd |
371 | extern int arg_notpm; // --notpm | ||
371 | extern int arg_nou2f; // --nou2f | 372 | extern int arg_nou2f; // --nou2f |
372 | extern int arg_noinput; // --noinput | 373 | extern int arg_noinput; // --noinput |
373 | extern int arg_deterministic_exit_code; // always exit with first child's exit status | 374 | extern int arg_deterministic_exit_code; // always exit with first child's exit status |
@@ -646,6 +647,7 @@ void fs_dev_disable_3d(void); | |||
646 | void fs_dev_disable_video(void); | 647 | void fs_dev_disable_video(void); |
647 | void fs_dev_disable_tv(void); | 648 | void fs_dev_disable_tv(void); |
648 | void fs_dev_disable_dvd(void); | 649 | void fs_dev_disable_dvd(void); |
650 | void fs_dev_disable_tpm(void); | ||
649 | void fs_dev_disable_u2f(void); | 651 | void fs_dev_disable_u2f(void); |
650 | void fs_dev_disable_input(void); | 652 | void fs_dev_disable_input(void); |
651 | 653 | ||
diff --git a/src/firejail/fs_dev.c b/src/firejail/fs_dev.c index e8e486f12..34a26464a 100644 --- a/src/firejail/fs_dev.c +++ b/src/firejail/fs_dev.c | |||
@@ -39,6 +39,7 @@ typedef enum { | |||
39 | DEV_VIDEO, | 39 | DEV_VIDEO, |
40 | DEV_TV, | 40 | DEV_TV, |
41 | DEV_DVD, | 41 | DEV_DVD, |
42 | DEV_TPM, | ||
42 | DEV_U2F, | 43 | DEV_U2F, |
43 | DEV_INPUT | 44 | DEV_INPUT |
44 | } DEV_TYPE; | 45 | } DEV_TYPE; |
@@ -79,6 +80,12 @@ static DevEntry dev[] = { | |||
79 | {"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO}, | 80 | {"/dev/video9", RUN_DEV_DIR "/video9", DEV_VIDEO}, |
80 | {"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Broadcasting) - TV device | 81 | {"/dev/dvb", RUN_DEV_DIR "/dvb", DEV_TV}, // DVB (Digital Video Broadcasting) - TV device |
81 | {"/dev/sr0", RUN_DEV_DIR "/sr0", DEV_DVD}, // for DVD and audio CD players | 82 | {"/dev/sr0", RUN_DEV_DIR "/sr0", DEV_DVD}, // for DVD and audio CD players |
83 | {"/dev/tpm0", RUN_DEV_DIR "/tpm0", DEV_TPM}, // TPM (Trusted Platform Module) devices | ||
84 | {"/dev/tpm1", RUN_DEV_DIR "/tpm1", DEV_TPM}, | ||
85 | {"/dev/tpm2", RUN_DEV_DIR "/tpm2", DEV_TPM}, | ||
86 | {"/dev/tpm3", RUN_DEV_DIR "/tpm3", DEV_TPM}, | ||
87 | {"/dev/tpm4", RUN_DEV_DIR "/tpm4", DEV_TPM}, | ||
88 | {"/dev/tpm5", RUN_DEV_DIR "/tpm5", DEV_TPM}, | ||
82 | {"/dev/hidraw0", RUN_DEV_DIR "/hidraw0", DEV_U2F}, | 89 | {"/dev/hidraw0", RUN_DEV_DIR "/hidraw0", DEV_U2F}, |
83 | {"/dev/hidraw1", RUN_DEV_DIR "/hidraw1", DEV_U2F}, | 90 | {"/dev/hidraw1", RUN_DEV_DIR "/hidraw1", DEV_U2F}, |
84 | {"/dev/hidraw2", RUN_DEV_DIR "/hidraw2", DEV_U2F}, | 91 | {"/dev/hidraw2", RUN_DEV_DIR "/hidraw2", DEV_U2F}, |
@@ -105,6 +112,7 @@ static void deventry_mount(void) { | |||
105 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || | 112 | (dev[i].type == DEV_VIDEO && arg_novideo == 0) || |
106 | (dev[i].type == DEV_TV && arg_notv == 0) || | 113 | (dev[i].type == DEV_TV && arg_notv == 0) || |
107 | (dev[i].type == DEV_DVD && arg_nodvd == 0) || | 114 | (dev[i].type == DEV_DVD && arg_nodvd == 0) || |
115 | (dev[i].type == DEV_TPM && arg_notpm == 0) || | ||
108 | (dev[i].type == DEV_U2F && arg_nou2f == 0) || | 116 | (dev[i].type == DEV_U2F && arg_nou2f == 0) || |
109 | (dev[i].type == DEV_INPUT && arg_noinput == 0)) { | 117 | (dev[i].type == DEV_INPUT && arg_noinput == 0)) { |
110 | 118 | ||
@@ -384,6 +392,15 @@ void fs_dev_disable_dvd(void) { | |||
384 | } | 392 | } |
385 | } | 393 | } |
386 | 394 | ||
395 | void fs_dev_disable_tpm(void) { | ||
396 | int i = 0; | ||
397 | while (dev[i].dev_fname != NULL) { | ||
398 | if (dev[i].type == DEV_TPM) | ||
399 | disable_file_or_dir(dev[i].dev_fname); | ||
400 | i++; | ||
401 | } | ||
402 | } | ||
403 | |||
387 | void fs_dev_disable_u2f(void) { | 404 | void fs_dev_disable_u2f(void) { |
388 | int i = 0; | 405 | int i = 0; |
389 | while (dev[i].dev_fname != NULL) { | 406 | while (dev[i].dev_fname != NULL) { |
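Review bot: The DEV_TPM rows added to the `dev[]` table cover only `/dev/tpm0` through `/dev/tpm5`; the in-kernel resource-manager nodes (`/dev/tpmrm0` and up, which TPM 2.0 userspace stacks normally open) are not in the table, so they are neither kept under private-dev nor blacklisted by `notpm`, and with `notpm` alone a process could presumably still reach the TPM through `/dev/tpmrm0`. If `notpm` is meant to deny TPM access as a class, add matching `{"/dev/tpmrmN", RUN_DEV_DIR "/tpmrmN", DEV_TPM}` rows next to the tpm ones, as below. The `dev[]` initializer begins and ends outside this hunk; `fs_dev_disable_tpm` in the last hunk scans the whole table the same way `fs_dev_disable_u2f` does, so it needs no change once the rows exist.
```c
	{"/dev/tpm5", RUN_DEV_DIR "/tpm5", DEV_TPM},
	{"/dev/tpmrm0", RUN_DEV_DIR "/tpmrm0", DEV_TPM}, // in-kernel TPM resource manager nodes
	{"/dev/tpmrm1", RUN_DEV_DIR "/tpmrm1", DEV_TPM},
	{"/dev/tpmrm2", RUN_DEV_DIR "/tpmrm2", DEV_TPM},
	{"/dev/tpmrm3", RUN_DEV_DIR "/tpmrm3", DEV_TPM},
	{"/dev/tpmrm4", RUN_DEV_DIR "/tpmrm4", DEV_TPM},
	{"/dev/tpmrm5", RUN_DEV_DIR "/tpmrm5", DEV_TPM},
	// … unchanged: hidraw (DEV_U2F) entries …
```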
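--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -155,6 +155,7 @@ int arg_noprofile = 0; // use default.profile if none other found/specified
 int arg_memory_deny_write_execute = 0; // block writable and executable memory
 int arg_notv = 0; // --notv
 int arg_nodvd = 0; // --nodvd
+int arg_notpm = 0; // --notpm
 int arg_nou2f = 0; // --nou2f
 int arg_noinput = 0; // --noinput
 int arg_deterministic_exit_code = 0; // always exit with first child's exit status
@@ -2209,6 +2210,8 @@ int main(int argc, char **argv, char **envp) {
 arg_notv = 1;
 else if (strcmp(argv[i], "--nodvd") == 0)
 arg_nodvd = 1;
+else if (strcmp(argv[i], "--notpm") == 0)
+arg_notpm = 1;
 else if (strcmp(argv[i], "--nou2f") == 0)
 arg_nou2f = 1;
 else if (strcmp(argv[i], "--noinput") == 0)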
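--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -618,6 +618,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 #endif
 return 1;
 }
+else if (strcmp(ptr, "notpm") == 0) {
+arg_notpm = 1;
+return 0;
+}
 else if (strcmp(ptr, "nou2f") == 0) {
 arg_nou2f = 1;
 return 0;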
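--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1101,6 +1101,9 @@ int sandbox(void* sandbox_arg) {
 if (arg_nodvd)
 fs_dev_disable_dvd();
 
+if (arg_notpm)
+fs_dev_disable_tpm();
+
 if (arg_nou2f)
 fs_dev_disable_u2f();
 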
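Review bot: With this hunk the TPM node is hidden only when `arg_notpm` is set, and the fs_dev.c hunk on this page mounts DEV_TPM entries under private-dev whenever `arg_notpm == 0`, so existing profiles that use private-dev without `notpm` now gain a /dev/tpm* they did not have before (the old firejail.1.in text on this page did not list tpm among private-dev's devices). That is a widening of the default device set rather than a new restriction, so it deserves a RELNOTES line and a pass over the shipped profiles that set private-dev, or alternatively making the tpm entry opt-in. Separately, this is the fourth `if (arg_X) fs_dev_disable_X();` pair, each backed by an identical loop in fs_dev.c that differs only in the DEV_ constant; a single `fs_dev_disable_type(DEV_TPM)` helper would let these blocks collapse. sandbox() continues outside the hunk.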
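--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -189,8 +189,8 @@ static const char *const usage_str =
 " --noroot - install a user namespace with only the current user.\n"
 #endif
 " --nosound - disable sound system.\n"
-" --noautopulse - disable automatic ~/.config/pulse init.\n"
 " --novideo - disable video devices.\n"
+" --notpm - disable TPM devices.\n"
 " --nou2f - disable U2F devices.\n"
 " --nowhitelist=filename - disable whitelist for file or directory.\n"
 " --oom=value - configure OutOfMemory killer for the sandbox\n"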
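Review bot: The `--noautopulse` entry is dropped from the help text here and from the zsh completion list in this same commit, but the main.c hunks on this page only add `--notpm`, so if `--noautopulse` is still accepted by the option parser it becomes an undocumented option rather than a removed one; if it was removed or deprecated in an earlier commit, the RELNOTES entry should say so. The new `--notpm` line is inserted after `--novideo`, whereas the zsh list keeps nosound, notpm, nou2f, novideo in alphabetical order; moving the line above `--novideo` keeps the two lists consistent. The `usage_str` initializer continues outside the hunk.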
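--- a/src/include/etc_groups.h
+++ b/src/include/etc_groups.h
@@ -70,6 +70,7 @@ static char *etc_group_sound[] = {
 "alsa",
 "asound.conf",
 "machine-id", // required by PulseAudio
+"pipewire",
 "pulse",
 NULL
 };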
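--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -382,9 +382,11 @@ Set working directory inside jail to the home directory, and failing that, the r
 Set working directory inside the jail. Full directory path is required. Symbolic links are not allowed.
 .TP
 \fBprivate-dev
-Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx,
-random, snd, urandom, video, log, shm and usb devices are available.
-Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional restrictions.
+Create a new /dev directory.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
+tty, urandom, usb, video and zero devices are available.
+Use the options no3d, nodvd, nosound, notpm, notv, nou2f and novideo for
+additional restrictions.
 
 .TP
 \fBprivate-etc file,directory
@@ -817,6 +819,9 @@ Disable input devices.
 \fBnosound
 Disable sound system.
 .TP
+\fBnotpm
+Disable Trusted Platform Module (TPM) devices.
+.TP
 \fBnotv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .TP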
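--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1919,6 +1919,16 @@ Example:
 $ firejail \-\-nosound firefox
 
 .TP
+\fB\-\-notpm
+Disable Trusted Platform Module (TPM) devices.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-notpm
+
+.TP
 \fB\-\-notv
 Disable DVB (Digital Video Broadcasting) TV devices.
 .br
@@ -2108,7 +2118,7 @@ File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
 .br
 Example:
 .br
-$ firejail \-\-private-bin=bash,sed,ls,cat
+$ firejail \-\-private-bin=bash,cat,ls,sed
 .br
 Parent pid 20841, child pid 20842
 .br
@@ -2172,8 +2182,11 @@ $ pwd
 
 .TP
 \fB\-\-private-dev
-Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available.
-Use the options --no3d, --nodvd, --nosound, --notv, --nou2f and --novideo for additional restrictions.
+Create a new /dev directory.
+Only disc, dri, dvb, full, hidraw, log, null, ptmx, pts, random, shm, snd, tpm,
+tty, urandom, usb, video and zero devices are available.
+Use the options \-\-no3d, \-\-nodvd, \-\-nosound, \-\-notpm, \-\-notv,
+\-\-nou2f and \-\-novideo for additional restrictions.
 .br
 
 .br
@@ -2191,7 +2204,7 @@ cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0
 .br
 $
 .TP
-\fB\-\-private-etc, \-\-private-etc=file,directory,@group
+\fB\-\-private-etc, \-\-private-etc=@group,file,directory
 The files installed by \-\-private-etc are copies of the original system files from /etc directory.
 By default, the command brings in a skeleton of files and directories used by most console tools:
 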
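--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -124,7 +124,6 @@ _firejail_args=(
 # many would enjoy getting a list from -20..20
 '--nice=-[set nice value]: :(1 10 15 20)'
 '--no3d[disable 3D hardware acceleration]'
-'--noautopulse[disable automatic ~/.config/pulse init]'
 '--noblacklist=-[disable blacklist for file or directory]: :_files'
 '--nodbus[disable D-Bus access]'
 '--nodvd[disable DVD and audio CD devices]'
@@ -134,6 +133,7 @@ _firejail_args=(
 '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
 '--noprinters[disable printers]'
 '--nosound[disable sound system]'
+'--notpm[disable TPM devices]'
 '--nou2f[disable U2F devices]'
 '--novideo[disable video devices]'
 '--private[temporary home directory]'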