diff options
Diffstat (limited to 'src/zsh_completion')
-rw-r--r-- | src/zsh_completion/_firejail.in | 87 |
1 files changed, 51 insertions, 36 deletions
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index df5ac0138..fd27bb35f 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in | |||
@@ -19,7 +19,7 @@ _all_cpus() { | |||
19 | } | 19 | } |
20 | 20 | ||
21 | _profiles() { | 21 | _profiles() { |
22 | print $1/*.profile | sed -E "s;^$1/;;g;s;\.profile$;;g;" | 22 | print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;" |
23 | } | 23 | } |
24 | _profiles_with_ext() { | 24 | _profiles_with_ext() { |
25 | print $1/*.profile | 25 | print $1/*.profile |
@@ -29,6 +29,21 @@ _all_profiles() { | |||
29 | _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) | 29 | _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) |
30 | } | 30 | } |
31 | 31 | ||
32 | _session_bus_names() { | ||
33 | _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1) | ||
34 | # Alternatives to hack on for non-systemd systems: | ||
35 | # dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames | ||
36 | # ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service | ||
37 | } | ||
38 | |||
39 | _system_bus_names() { | ||
40 | _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1) | ||
41 | } | ||
42 | |||
43 | _caps() { | ||
44 | _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}') | ||
45 | } | ||
46 | |||
32 | _firejail_args=( | 47 | _firejail_args=( |
33 | '*::arguments:_normal' | 48 | '*::arguments:_normal' |
34 | 49 | ||
@@ -70,8 +85,9 @@ _firejail_args=( | |||
70 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' | 85 | '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' |
71 | '*--blacklist=-[blacklist directory or file]: :_files' | 86 | '*--blacklist=-[blacklist directory or file]: :_files' |
72 | '--caps[enable default Linux capabilities filter]' | 87 | '--caps[enable default Linux capabilities filter]' |
73 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :->caps_drop' | 88 | '--caps.drop=all[drop all capabilities]' |
74 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :->caps_keep' | 89 | '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' |
90 | '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' | ||
75 | '--cgroup=-[place the sandbox in the specified control group]: :' | 91 | '--cgroup=-[place the sandbox in the specified control group]: :' |
76 | '--cpu=-[set cpu affinity]: :->cpus' | 92 | '--cpu=-[set cpu affinity]: :->cpus' |
77 | "--deterministic-exit-code[always exit with first child's status code]" | 93 | "--deterministic-exit-code[always exit with first child's status code]" |
@@ -89,6 +105,7 @@ _firejail_args=( | |||
89 | '*--mkdir=-[create a directory]:' | 105 | '*--mkdir=-[create a directory]:' |
90 | '*--mkfile=-[create a file]:' | 106 | '*--mkfile=-[create a file]:' |
91 | '--name=-[set sandbox name]: :' | 107 | '--name=-[set sandbox name]: :' |
108 | '--net=none[enable a new, unconnected network namespace]' | ||
92 | # Sample values as I don't think | 109 | # Sample values as I don't think |
93 | # many would enjoy getting a list from -20..20 | 110 | # many would enjoy getting a list from -20..20 |
94 | '--nice=-[set nice value]: :(1 10 15 20)' | 111 | '--nice=-[set nice value]: :(1 10 15 20)' |
@@ -105,15 +122,15 @@ _firejail_args=( | |||
105 | '--novideo[disable video devices]' | 122 | '--novideo[disable video devices]' |
106 | '--private[temporary home directory]' | 123 | '--private[temporary home directory]' |
107 | '--private=-[use directory as user home]: :_files -/' | 124 | '--private=-[use directory as user home]: :_files -/' |
108 | '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' | 125 | '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin' |
109 | '--private-cwd[do not inherit working directory inside jail]' | 126 | '--private-cwd[do not inherit working directory inside jail]' |
110 | '--private-cwd=-[set working directory inside jail]: :_files -/' | 127 | '--private-cwd=-[set working directory inside jail]: :_files -/' |
111 | '--private-dev[create a new /dev directory with a small number of common device files]' | 128 | '--private-dev[create a new /dev directory with a small number of common device files]' |
112 | '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' | 129 | '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc' |
113 | '--private-opt=-[build a new /opt in a temporary filesystem]: :' | 130 | '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt' |
114 | '--private-srv=-[build a new /srv in a temporary filesystem]: :' | 131 | '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv' |
115 | '--private-tmp[mount a tmpfs on top of /tmp directory]' | 132 | '--private-tmp[mount a tmpfs on top of /tmp directory]' |
116 | '*--protocol=-[enable protocol filter]: :' | 133 | '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth' |
117 | "--quiet[turn off Firejail's output.]" | 134 | "--quiet[turn off Firejail's output.]" |
118 | '*--read-only=-[set directory or file read-only]: :_files' | 135 | '*--read-only=-[set directory or file read-only]: :_files' |
119 | '*--read-write=-[set directory or file read-write]: :_files' | 136 | '*--read-write=-[set directory or file read-write]: :_files' |
@@ -123,18 +140,19 @@ _firejail_args=( | |||
123 | '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' | 140 | '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' |
124 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' | 141 | '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' |
125 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' | 142 | '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' |
126 | '*--rmenv=-[remove environment variable in the new sandbox]: :' | 143 | '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' |
127 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' | 144 | '--seccomp[enable seccomp filter and apply the default blacklist]: :' |
128 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' | 145 | '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' |
129 | '--seccomp.block-secondary[build only the native architecture filters]' | 146 | '--seccomp.block-secondary[build only the native architecture filters]' |
130 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :' | 147 | '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' |
131 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :' | 148 | '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' |
132 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' | 149 | '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' |
133 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' | 150 | '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' |
134 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(ERRNO kill log)' | 151 | # FIXME: Add errnos |
152 | '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' | ||
135 | '--shell=none[run the program directly without a user shell]' | 153 | '--shell=none[run the program directly without a user shell]' |
136 | '--shell=-[set default user shell]: :_files -g "*(*)"' | 154 | '--shell=-[set default user shell]: :_values $(cat /etc/shells)' |
137 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' | 155 | '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' |
138 | #'(--tracelog)--trace[trace open, access and connect system calls]' | 156 | #'(--tracelog)--trace[trace open, access and connect system calls]' |
139 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' | 157 | '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' |
140 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' | 158 | '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' |
@@ -153,19 +171,21 @@ _firejail_args=( | |||
153 | #endif | 171 | #endif |
154 | 172 | ||
155 | #ifdef HAVE_DBUSPROXY | 173 | #ifdef HAVE_DBUSPROXY |
174 | # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}. | ||
175 | # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl | ||
156 | '--dbus-log=-[set DBus log file location]: :_files' | 176 | '--dbus-log=-[set DBus log file location]: :_files' |
157 | '--dbus-system=-[set system DBus access policy]: :(filter none)' | 177 | '--dbus-system=-[set system DBus access policy]: :(filter none)' |
158 | '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :' | 178 | '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names' |
159 | '--dbus-system.call=-[allow calls on the system DBus according to rule]: :' | 179 | '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names' |
160 | '--dbus-system.own=-[allow ownership of name on the system DBus]: :' | 180 | '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names' |
161 | '--dbus-system.see=-[allow seeing name on the system DBus]: :' | 181 | '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names' |
162 | '--dbus-system.talk=-[allow talking to name on the system DBus]: :' | 182 | '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names' |
163 | '--dbus-user=-[set session DBus access policy or none]: :' | 183 | '--dbus-user=-[set session DBus access policy or none]: :(filter none)' |
164 | '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :' | 184 | '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names' |
165 | '--dbus-user.call=-[allow calls on the session DBus according to rule]: :' | 185 | '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names' |
166 | '--dbus-user.own=-[allow ownership of name on the session DBus]: :' | 186 | '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names' |
167 | '--dbus-user.see=-[allow seeing name on the session DBus]: :' | 187 | '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names' |
168 | '--dbus-user.talk=-[allow talking to name on the session DBus]: :' | 188 | '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names' |
169 | #endif | 189 | #endif |
170 | 190 | ||
171 | #ifdef HAVE_FILE_TRANSFER | 191 | #ifdef HAVE_FILE_TRANSFER |
@@ -187,7 +207,6 @@ _firejail_args=( | |||
187 | '--join-network=-[join the network namespace name|pid]: :_all_firejails' | 207 | '--join-network=-[join the network namespace name|pid]: :_all_firejails' |
188 | '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' | 208 | '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' |
189 | '--mtu=-[set interface MTU]: :' | 209 | '--mtu=-[set interface MTU]: :' |
190 | # '--net=none[enable a new, unconnected network namespace]' | ||
191 | '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' | 210 | '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' |
192 | '--net.print=-[print network interface configuration name|pid]: :_all_firejails' | 211 | '--net.print=-[print network interface configuration name|pid]: :_all_firejails' |
193 | '--netfilter=-[enable firewall]: :' | 212 | '--netfilter=-[enable firewall]: :' |
@@ -246,14 +265,6 @@ _firejail_args=( | |||
246 | _firejail() { | 265 | _firejail() { |
247 | _arguments -S $_firejail_args | 266 | _arguments -S $_firejail_args |
248 | case "$state" in | 267 | case "$state" in |
249 | caps_drop) | ||
250 | local caps_and_all=(all $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) | ||
251 | _values -s "," 'caps_drop' $caps_and_all | ||
252 | ;; | ||
253 | caps_keep) | ||
254 | local caps=($(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) | ||
255 | _values -s "," 'caps_keep' $caps | ||
256 | ;; | ||
257 | cpus) | 268 | cpus) |
258 | _values -s "," 'cpus' $(_all_cpus) | 269 | _values -s "," 'cpus' $(_all_cpus) |
259 | ;; | 270 | ;; |
@@ -262,7 +273,11 @@ _firejail() { | |||
262 | local net_and_none=(none $netdevs) | 273 | local net_and_none=(none $netdevs) |
263 | _values 'net' $net_and_none | 274 | _values 'net' $net_and_none |
264 | ;; | 275 | ;; |
276 | seccomp) | ||
277 | # TODO: syscall groups | ||
278 | _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2) | ||
279 | ;; | ||
265 | esac | 280 | esac |
266 | } | 281 | } |
267 | 282 | ||
268 | # vim: ft=zsh sw=2 ts=2 et | 283 | # vim: ft=zsh sw=4 ts=4 et sts=4 ai |