8 files changed, 275 insertions, 203 deletions

diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index b44a1bc85..16cd59aa5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -553,6 +553,8 @@ neverputt
 newsbeuter
 newsboat
 newsflash
+nextcloud
+nextcloud-desktop
 nheko
 nicotine
 nitroshare
diff --git a/src/firejail/fs_lib.c b/src/firejail/fs_lib.c
index 7e9666fc0..99d57fbbb 100644
--- a/src/firejail/fs_lib.c
+++ b/src/firejail/fs_lib.c
@@ -34,6 +34,31 @@ extern void fslib_install_system(void);
 static int lib_cnt = 0;
 static int dir_cnt = 0;
 
+static const char *lib_dirs[] = {
+        "/usr/lib64",
+        "/lib64",
+        "/usr/lib",
+        "/lib",
+        "/usr/local/lib64",
+        "/usr/local/lib",
+        NULL,
+};
+
+// return 1 if the file is in lib_dirs[]
+static int valid_full_path(const char *full_path) {
+        if (strstr(full_path, ".."))
+                return 0;
+
+        int i = 0;
+        while (lib_dirs[i]) {
+                if (strncmp(full_path, lib_dirs[i], strlen(lib_dirs[i])) == 0 &&
+                    full_path[strlen(lib_dirs[i])] == '/')
+                        return 1;
+                i++;
+        }
+        return 0;
+}
+
 char *find_in_path(const char *program) {
         EUID_ASSERT();
         if (arg_debug)
@@ -108,7 +133,8 @@ void fslib_duplicate(const char *full_path) {
         assert(full_path);
 
         struct stat s;
-        if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK))
+        if (stat(full_path, &s) != 0 || s.st_uid != 0 || access(full_path, R_OK)
+           || !valid_full_path(full_path))
                 return;
 
         char *dest_dir = build_dest_dir(full_path);
@@ -208,7 +234,8 @@ void fslib_copy_dir(const char *full_path) {
 
         // do nothing if the directory does not exist or is not owned by root
         struct stat s;
-        if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK))
+        if (stat(full_path, &s) != 0 || s.st_uid != 0 || !S_ISDIR(s.st_mode) || access(full_path, R_OK)
+           || !valid_full_path(full_path))
                 return;
 
         char *dir_name = strrchr(full_path, '/');
@@ -334,34 +361,20 @@ void fslib_install_list(const char *lib_list) {
         fs_logger_print();
 }
 
-
-
 static void mount_directories(void) {
-        if (arg_debug || arg_debug_private_lib)
-                printf("Mount-bind %s on top of /lib /lib64 /usr/lib\n", RUN_LIB_DIR);
-
-        if (is_dir("/lib")) {
-                if (mount(RUN_LIB_DIR, "/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                        mount(NULL, "/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                fs_logger2("tmpfs", "/lib");
-                fs_logger("mount /lib");
-        }
-
-        if (is_dir("/lib64")) {
-                if (mount(RUN_LIB_DIR, "/lib64", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                        mount(NULL, "/lib64", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                fs_logger2("tmpfs", "/lib64");
-                fs_logger("mount /lib64");
-        }
-
-        if (is_dir("/usr/lib")) {
-                if (mount(RUN_LIB_DIR, "/usr/lib", NULL, MS_BIND|MS_REC, NULL) < 0 ||
-                        mount(NULL, "/usr/lib", NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV|MS_REC, NULL) < 0)
-                        errExit("mount bind");
-                fs_logger2("tmpfs", "/usr/lib");
-                fs_logger("mount /usr/lib");
+        fs_remount(RUN_LIB_DIR, MOUNT_READONLY, 1); // should be redundant except for RUN_LIB_DIR itself
+
+        int i = 0;
+        while (lib_dirs[i]) {
+                if (is_dir(lib_dirs[i])) {
+                        if (arg_debug || arg_debug_private_lib)
+                                printf("Mount-bind %s on top of %s\n", RUN_LIB_DIR, lib_dirs[i]);
+                        if (mount(RUN_LIB_DIR, lib_dirs[i], NULL, MS_BIND|MS_REC, NULL) < 0)
+                                errExit("mount bind");
+                        fs_logger2("tmpfs", lib_dirs[i]);
+                        fs_logger2("mount", lib_dirs[i]);
+                }
+                i++;
         }
 
         // for amd64 only - we'll deal with i386 later
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index f3266c23e..351b760df 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -157,6 +157,10 @@ static int check_nosound(void) {
         return arg_nosound != 0;
 }
 
+static int check_private(void) {
+        return arg_private;
+}
+
 static int check_x11(void) {
         return (arg_x11_block || arg_x11_xorg || env_get("FIREJAIL_X11"));
 }
@@ -174,6 +178,7 @@ Cond conditionals[] = {
         {"HAS_NET", check_netoptions},
         {"HAS_NODBUS", check_nodbus},
         {"HAS_NOSOUND", check_nosound},
+        {"HAS_PRIVATE", check_private},
         {"HAS_X11", check_x11},
         {"BROWSER_DISABLE_U2F", check_disable_u2f},
         {"BROWSER_ALLOW_DRM", check_allow_drm},
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index b6e0468c6..36a54d6fe 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1029,23 +1029,11 @@ int sandbox(void* sandbox_arg) {
                 fs_dev_disable_video();
 
         //****************************
-        // install trace
-        //****************************
-        if (need_preload)
-                fs_trace();
-
-        //****************************
         // set dns
         //****************************
         fs_resolvconf();
 
         //****************************
-        // fs post-processing
-        //****************************
-        fs_logger_print();
-        fs_logger_change_owner();
-
-        //****************************
         // start dhcp client
         //****************************
         dhcp_start();
@@ -1094,6 +1082,12 @@ int sandbox(void* sandbox_arg) {
         save_umask();
 
         //****************************
+        // fs post-processing
+        //****************************
+        fs_logger_print();
+        fs_logger_change_owner();
+
+        //****************************
         // set security filters
         //****************************
         // save state of nonewprivs
@@ -1150,6 +1144,16 @@ int sandbox(void* sandbox_arg) {
         fs_remount(RUN_SECCOMP_DIR, MOUNT_READONLY, 0);
         seccomp_debug();
 
+        //****************************
+        // install trace - still need capabilities
+        //****************************
+        if (need_preload)
+                fs_trace();
+
+        //****************************
+        // continue security filters
+        //****************************
+
         // set capabilities
         set_caps();
 
diff --git a/src/lib/ldd_utils.c b/src/lib/ldd_utils.c
index adde4a9b9..43fee4f21 100644
--- a/src/lib/ldd_utils.c
+++ b/src/lib/ldd_utils.c
@@ -30,6 +30,7 @@ const char * const default_lib_paths[] = {
         "/lib",
         "/lib64",
         LIBDIR,
+        "/usr/local/lib64",
         "/usr/local/lib",
         "/usr/lib/x86_64-linux-gnu/mesa", // libGL.so is sometimes a symlink into this directory
         "/usr/lib/x86_64-linux-gnu/mesa-egl", // libGL.so is sometimes a symlink into this directory
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b25fc9181..b0b390507 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -103,7 +103,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
 
 This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line.
 
-Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
+Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM
 can be enabled or disabled globally in Firejail's configuration file.
 
 The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 68deb85ec..ad11843ce 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -821,6 +821,16 @@ $ firejail \-\-ignore=shell --ignore=seccomp firefox
 $ firejail \-\-ignore="net eth0" firefox
 #endif
 
+.TP
+\fB\-\-\include=file.profile
+Include a profile file before the regular profiles are used.
+.br
+
+.br
+Example:
+.br
+$ firejail --include=/etc/firejail/disable-devel.inc gedit
+
 #ifdef HAVE_NETWORK
 .TP
 \fB\-\-interface=interface
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index f58f0d4b9..fd27bb35f 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -1,5 +1,8 @@
 #compdef firejail
 
+# Documentation: man 1 zshcompsys
+# HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org
+
 _all_firejails() {
     local -a _all_firejails_list
     for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do
@@ -16,7 +19,7 @@ _all_cpus() {
 }
 
 _profiles() {
-    print $1/*.profile | sed -E "s;^$1/;;g;s;\.profile$;;g;"
+    print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;"
 }
 _profiles_with_ext() {
     print $1/*.profile
@@ -26,15 +29,40 @@ _all_profiles() {
     _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .)
 }
 
+_session_bus_names() {
+    _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1)
+    # Alternatives to hack on for non-systemd systems:
+    #  dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames
+    #  ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service
+}
+
+_system_bus_names() {
+    _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1)
+}
+
+_caps() {
+    _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')
+}
+
 _firejail_args=(
     '*::arguments:_normal'
-    '(--profile)'{--profile=,--profile=}'[use a custom profile]: :_all_profiles'
-    '--caps[enable default Linux capabilities filter]'
-    '(--caps.drop)'{--caps.drop=,--caps.drop=}'[drop capabilities: all|cap1,cap2,...]: :->caps_drop'
-    '(--caps.keep)'{--caps.keep=,--caps.keep=}'[keep capabilities: cap1,cap2,...]: :->caps_keep'
-    '(--caps.print)'{--caps.print=,--caps.print=}'[print the caps filter name|pid]:firejail:_all_firejails'
-    '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
-    '(--debug)'{--debug,--debug}'[print sandbox debug messages]'
+
+    '--appimage[sandbox an AppImage application]'
+    '--build[build a whitelisted profile for the application and print it on stdout]'
+    '--build=-[build a whitelisted profile for the application and save it]: :_files'
+    # Ignore that you can do -? too as it's the only short option
+    '--help[this help screen]'
+    '--join=-[join the sandbox name|pid]: :_all_firejails'
+    '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails'
+    '--list[list all sandboxes]'
+    '(--profile)--noprofile[do not use a security profile]'
+    '(--noprofile)--profile=-[use a custom profile]: :_all_profiles'
+    '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails'
+    '--top[monitor the most CPU-intensive sandboxes]'
+    '--tree[print a tree of all sandboxed processes]'
+    '--version[print program version and exit]'
+
+    '--debug[print sandbox debug messages]'
     '--debug-blacklists[debug blacklisting]'
     '--debug-caps[print all recognized capabilities]'
     '--debug-errnos[print all recognized error numbers]'
@@ -43,197 +71,200 @@ _firejail_args=(
     '--debug-syscalls[print all recognized system calls]'
     '--debug-syscalls32[print all recognized 32 bit system calls]'
     '--debug-whitelists[debug whitelisting]'
-    # Ignore that you can do -? too as it's the only short option
-    '(--help)'{--help,--help}'[this help screen]'
+
+    '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
+    '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails'
+    '--fs.print=-[print the filesystem log name|pid]: :_all_firejails'
+    '--profile.print=-[print the name of profile file name|pid]: :_all_firejails'
+    '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails'
+    '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails'
+
+    '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
     '--allusers[all user home directories are visible inside the sandbox]'
-    '--appimage[sandbox an AppImage application]'
-    '--private[temporary home directory]'
-    '(--private)'{--private=,--private=}'[use directory as user home]: : _files -/'
-    '--seccomp[enable seccomp filter and apply the default blacklist]'
-    '(--seccomp=)'{--seccomp=,--seccomp=}'[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:'
-    '(--seccomp.print)'{--seccomp.print=,--seccomp.print=}'[print the seccomp filter for the sandbox identified by name|pid]: : _all_firejails'
-    '--seccomp.block-secondary[build only the native architecture filters]'
-    '(--seccomp.drop)'{--seccomp.drop=,--seccomp.drop=}'[enable seccomp filter, and blacklist the syscalls specified by the command]: :'
-    '(--seccomp.keep)'{--seccomp.keep=,--seccomp.keep=}'[enable seccomp filter, and whitelist the syscalls specified by the command]: :'
-    '(--seccomp.32.drop)'{--seccomp.32.drop=,--seccomp.32.drop=}'[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
-    '(--seccomp.32.keep)'{--seccomp.32.keep=,--seccomp.32.keep=}'[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
-    '(--seccomp-error-action)'{--seccomp-error-action=,--seccomp-error-action=}'[change error code, kill process or log the attempt]: :(ERRNO kill log)'
+    # Should be _files, a comma and files or files -/
+    '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
+    '*--blacklist=-[blacklist directory or file]: :_files'
+    '--caps[enable default Linux capabilities filter]'
+    '--caps.drop=all[drop all capabilities]'
+    '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
+    '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
+    '--cgroup=-[place the sandbox in the specified control group]: :'
+    '--cpu=-[set cpu affinity]: :->cpus'
+    "--deterministic-exit-code[always exit with first child's status code]"
+    '*--dns=-[set DNS server]: :'
+    '*--env=-[set environment variable]: :'
+    '--hostname=-[set sandbox hostname]: :'
+    '--hosts-file=-[use file as /etc/hosts]: :_files'
+    '*--ignore=-[ignore command in profile files]: :'
+    '--ipc-namespace[enable a new IPC namespace]'
+    '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+    '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
+    '--keep-var-tmp[/var/tmp directory is untouched]'
+    '--machine-id[preserve /etc/machine-id]'
     '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]'
-    '*'{--blacklist=,--blacklist=}'[blacklist directory or file]: : _files'
-    '--writable-etc[/etc directory is mounted read-write]'
-    '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
-    '--writable-var[/var directory is mounted read-write]'
-    '--writable-var-log[use the real /var/log directory, not a clone]'
-    '--build[build a whitelisted profile for the application and print it on stdout]'
-    '(--build)'{--build=,--build=}'[build a whitelisted profile for the application and save it]: : _files'
-    '(--fs.print)'{--fs.print=,--fs.print=}'[print the filesystem log name|pid]: : _all_firejails'
-    '(--join)'{--join=,--join=}'[join the sandbox name|pid]: : _all_firejails'
-    '(--join-filesystem)'{--join-filesystem=,--join-filesystem=}'[join the mount namespace name|pid]: : _all_firejails'
-    '(--profile.print)'{--profile.print=,--profile.print=}'[print the name of profile file name|pid]: : _all_firejails'
-    '(--protocol.print)'{--protocol.print=,--protocol.print=}'[print the protocol filter name|pid]: : _all_firejails'
-    '(--shutdown)'{--shutdown=,--shutdown=}'[shutdown the sandbox identified by name|pid]: : _all_firejails'
-    '(--cat)'{--cat=,--cat=}'[print content of file from sandbox container name|pid]: : _all_firejails'
-    '(--cpu.print)'{--cpu.print=,--cpu.print=}'[print the cpus in use name|pid]: : _all_firejails'
-    '--list[list all sandboxes]'
-    '(--dns)'{--dns=,--dns=}'[set DNS server]: :'
     '*--mkdir=-[create a directory]:'
     '*--mkfile=-[create a file]:'
-    '(--protocol)'{--protocol=,--protocol=}'[enable protocol filter]: :'
-    '(--join-or-start)'{--join-or-start=,--join-or-start=}'[join the sandbox or start a new one name|pid]: : _all_firejails'
-    '(--hosts-file)'{--hosts-file=,--hosts-file=}'[use file as /etc/hosts]: : _files'
-    '--shell=none[run the program directly without a user shell]'
-    '(--shell)'{--shell=,--shell=}'[set default user shell]: : _files -g "*(*)"'
-    '(--output)'{--output=,--output=}'[stdout logging and log rotation]: : _files'
-    '(--output-stderr)'{--output-stderr=,--output-stderr=}'[stdout and stderr logging and log rotation]: : _files'
+    '--name=-[set sandbox name]: :'
+    '--net=none[enable a new, unconnected network namespace]'
+    # Sample values as I don't think
+    # many would enjoy getting a list from -20..20
+    '--nice=-[set nice value]: :(1 10 15 20)'
     '--no3d[disable 3D hardware acceleration]'
+    '--noautopulse[disable automatic ~/.config/pulse init]'
+    '--noblacklist=-[disable blacklist for file or directory]: :_files'
+    '--nodbus[disable D-Bus access]'
     '--nodvd[disable DVD and audio CD devices]'
+    '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
     '--nogroups[disable supplementary groups]'
     '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
-    '--noprofile[do not use a security profile]'
-    '(--noexec)'{--noexec=,--noexec=}'[remount the file or directory noexec nosuid and nodev]: : _files'
-    '--ipc-namespace[enable a new IPC namespace]'
-    '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
-    '--keep-var-tmp[/var/tmp directory is untouched]'
-    '--top[monitor the most CPU-intensive sandboxes]'
-    '--trace[trace open, access and connect system calls]'
-    '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
-    '--tree[print a tree of all sandboxed processes]'
-    '(--cpu)'{--cpu=,--cpu=}'[set cpu affinity]: :->cpus'
+    '--nosound[disable sound system]'
+    '--nou2f[disable U2F devices]'
+    '--novideo[disable video devices]'
+    '--private[temporary home directory]'
+    '--private=-[use directory as user home]: :_files -/'
+    '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin'
+    '--private-cwd[do not inherit working directory inside jail]'
+    '--private-cwd=-[set working directory inside jail]: :_files -/'
     '--private-dev[create a new /dev directory with a small number of common device files]'
+    '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc'
+    '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt'
+    '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv'
     '--private-tmp[mount a tmpfs on top of /tmp directory]'
-    '--private-cwd[do not inherit working directory inside jail]'
-    '(--private-cwd)'{--private-cwd=,--private-cwd=}'[set working directory inside jail]: : _files -/'
-    '*'{--read-only=,--read-only=}'[set directory or file read-only]: : _files'
-    '*'{--read-write=,--read-write=}'[set directory or file read-write]: : _files'
-    '(--tmpfs)'{--tmpfs=,--tmpfs=}'[mount a tmpfs filesystem on directory dirname]: : _files -/'
-    '(--private-etc)'{--private-etc=,--private-etc=}'[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: : _files'
-    "--deterministic-exit-code[always exit with first child's status code]"
-    '--machine-id[preserve /etc/machine-id]'
-    # Sample values as I don't think
-    # many would enjoy getting a list from -20..20
-    '(--nice)'{--nice=,--nice=}'[set nice value]: :(1 10 15 20)'
-    # Should be _files, a comma and files or files -/
-    '*'{--bind=,--bind=}'[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
-    '(--cgroup)'{--cgroup=,--cgroup=}'[place the sandbox in the specified control group]: :'
-    '*'{--env=,--env=}'[set environment variable]: :'
-    '(--hostname)'{--hostname=,--hostname=}'[set sandbox hostname]: :'
-    '(--ignore)'{--ignore=,--ignore=}'[ignore command in profile files]: :'
-    '(--name)'{--name=,--name=}'[set sandbox name]: :'
-    '(--rlimit-as)'{--rlimit-as=,--rlimit-as=}"[set the maximum size of the process's virtual memory (address space) in bytes]: :"
-    '(--rlimit-cpu)'{--rlimit-cpu=,--rlimit-cpu=}'[set the maximum CPU time in seconds]: :'
-    '(--rlimit-fsize)'{--rlimit-fsize=,--rlimit-fsize=}'[set the maximum file size that can be created by a process]: :'
-    '(--rlimit-nofile)'{--rlimit-nofile=,--rlimit-nofile=}'[set the maximum number of files that can be opened by a process]: :'
-    '(--rlimit-nproc)'{--rlimit-nproc=,--rlimit-nproc=}'[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
-    '(--rlimit-sigpending)'{--rlimit-sigpending=,--rlimit-sigpending=}'[set the maximum number of pending signals for a process]: :'
-    '*'{--rmenv=,--rmenv=}'[remove environment variable in the new sandbox]: :'
-    '(--timeout)'{--timeout=,--timeout=}'[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)'
+    '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth'
     "--quiet[turn off Firejail's output.]"
-    '--version[print program version and exit]'
+    '*--read-only=-[set directory or file read-only]: :_files'
+    '*--read-write=-[set directory or file read-write]: :_files'
+    "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :"
+    '--rlimit-cpu=-[set the maximum CPU time in seconds]: :'
+    '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :'
+    '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :'
+    '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
+    '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
+    '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
+    '--seccomp[enable seccomp filter and apply the default blacklist]: :'
+    '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
+    '--seccomp.block-secondary[build only the native architecture filters]'
+    '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
+    '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+    '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
+    # FIXME: Add errnos
+    '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
+    '--shell=none[run the program directly without a user shell]'
+    '--shell=-[set default user shell]: :_values $(cat /etc/shells)'
+    '--timeout=-[kill the sandbox automatically after the time has elapsed]: :'
+    #'(--tracelog)--trace[trace open, access and connect system calls]'
+    '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files'
+    '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
+    '(--private-etc)--writable-etc[/etc directory is mounted read-write]'
+    '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]'
+    '--writable-var[/var directory is mounted read-write]'
+    '--writable-var-log[use the real /var/log directory, not a clone]'
+
 #ifdef HAVE_APPARMOR
     '--apparmor[enable AppArmor confinement]'
-    '(--apparmor.print=)'{--apparmor.print=,--apparmor.print=}'[print apparmor status name|pid]:firejail:_all_firejails'
+    '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails'
 #endif
+
 #ifdef HAVE_CHROOT
-    '(--chroot)'{--chroot=,--chroot=}'[chroot into directory]: : _files -/'
+    '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/'
 #endif
+
+#ifdef HAVE_DBUSPROXY
+    # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}.
+    # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl
+    '--dbus-log=-[set DBus log file location]: :_files'
+    '--dbus-system=-[set system DBus access policy]: :(filter none)'
+    '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names'
+    '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names'
+    '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names'
+    '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names'
+    '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names'
+    '--dbus-user=-[set session DBus access policy or none]: :(filter none)'
+    '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names'
+    '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names'
+    '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names'
+    '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names'
+    '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names'
+#endif
+
 #ifdef HAVE_FILE_TRANSFER
-    '(--get)'{--get=,--get=}'[get a file from sandbox container name|pid]: : _all_firejails'
+    '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails'
+    '--get=-[get a file from sandbox container name|pid]: :_all_firejails'
     # --put=name|pid src-filename dest-filename - put a file in sandbox container.
-    '(--put)'{--put=,--put=}'[put a file in sandbox container]: :'
-    '(--ls)'{--ls=,--ls=}'[list files in sandbox container name|pid]: : _all_firejails'
+    '--put=-[put a file in sandbox container]: :'
+    '--ls=-[list files in sandbox container name|pid]: :_all_firejails'
+#endif
+
+#ifdef HAVE_FIRETUNNEL
+    '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :'
 #endif
+
 #ifdef HAVE_NETWORK
-    # '--net=none[enable a new, unconnected network namespace]'
-    '(--net)'{--net=,--net=}'[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none'
-    '(--net.print)'{--net.print=,--net.print=}'[print network interface configuration name|pid]: : _all_firejails'
-    '(--netfilter.print)'{--netfilter.print=,--netfilter.print=}'[print the firewall name|pid]: : _all_firejails'
-    '(--netfilter6.print)'{--netfilter6.print=,--netfilter6.print=}'[print the IPv6 firewall name|pid]: : _all_firejails'
+    '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails'
+    '--defaultgw=[configure default gateway]: :'
+    '--dns.print=-[print DNS configuration name|pid]: :_all_firejails'
+    '--join-network=-[join the network namespace name|pid]: :_all_firejails'
+    '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)'
+    '--mtu=-[set interface MTU]: :'
+    '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none'
+    '--net.print=-[print network interface configuration name|pid]: :_all_firejails'
+    '--netfilter=-[enable firewall]: :'
+    '--netfilter.print=-[print the firewall name|pid]: :_all_firejails'
+    '--netfilter6=-[enable IPv6 firewall]: :'
+    '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails'
+    '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :'
+    '--netns=-[Run the program in a named, persistent network namespace]: :'
     '--netstats[monitor network statistics]'
-    '(--netmask)'{--netmask=,--netmask=}'[define a network mask when dealing with unconfigured parrent interfaces]: :'
-    '(--netns)'{--netns=,--netns=}'[Run the program in a named, persistent network namespace]: :'
-    '(--netfilter)'{--netfilter=,--netfilter=}'[enable firewall]: :'
-    '(--netfilter6)'{--netfilter6=,--netfilter6=}'[enable IPv6 firewall]: :'
-    '(--veth-name)'{--veth-name=,--veth-name=}'[use this name for the interface connected to the bridge]: :'
-    '(--join-network)'{--join-network=,--join-network=}'[join the network namespace name|pid]: : _all_firejails'
-    '(--defaultgw)'{--defaultgw=,--defaultgw=}'[configure default gateway]: :'
-    '(--ip)'{--ip=,--ip=}'[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)'
-    '(--dns.print)'{--dns.print=,--dns.print=}'[print DNS configuration name|pid]: : _all_firejails'
-    '(--interface)'{--interface=,--interface=}'[move interface in sandbox]: :'
-    '(--ip6)'{--ip6=,--ip6=}'[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)'
-    '(--iprange)'{--iprange=,--iprange=}'[configure an IP address in this range]: :'
-    '(--mac)'{--mac=,--mac=}'[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)'
-    '(--mtu)'{--mtu=,--mtu=}'[set interface MTU]: :'
+    '--interface=-[move interface in sandbox]: :'
+    '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)'
+    '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)'
+    '--iprange=-[configure an IP address in this range]: :'
     '--scan[ARP-scan all the networks from inside a network namespace]'
-    '(--bandwidth)'{--bandwidth=,--bandwidth=}'[set bandwidth limits name|pid]: : _all_firejails'
-#endif
-#ifdef HAVE_X11
-    '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
-    '(--x11)'{--x11=,--x11=}'[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)'
-    '(--xephyr-screen)'{--xephyr-screen=,--xephyr-screen=}'[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)'
+    '--veth-name=-[use this name for the interface connected to the bridge]: :'
 #endif
-#ifdef HAVE_USERNS
-    '--noroot[install a user namespace with only the current user]'
+
+#ifdef HAVE_OUTPUT
+    '--output=-[stdout logging and log rotation]: :_files'
+    '--output-stderr=-[stdout and stderr logging and log rotation]: :_files'
 #endif
-    '--nosound[disable sound system]'
-    '--noautopulse[disable automatic ~/.config/pulse init]'
-    '--novideo[disable video devices]'
-    '--nou2f[disable U2F devices]'
+
 #ifdef HAVE_OVERLAYFS
-    '--overlay[mount a filesystem overlay on top of the current filesystem]'
-    '(--overlay-named)'{--overlay-named=,--overlay-named=}'[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: : _files -/'
-    '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]'
+    '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]'
     '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]'
+    '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/'
+    '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]'
 #endif
-#ifdef HAVE_WHITELIST
-    '(--nowhitelist)'{--nowhitelist=,--nowhitelist=}'[disable whitelist for file or directory]: : _files'
-    '*'{--whitelist=,--whitelist=}'[whitelist directory or file]: : _files'
-#endif
-    '(--noblacklist)'{--noblacklist=,--noblacklist=}'[disable blacklist for file or directory]: : _files'
-#ifdef HAVE_DBUSPROXY
-    '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy or none]: :'
-    '(--dbus-system.broadcast)'{--dbus-system.broadcast=,--dbus-system.broadcast=}'[allow signals on the system DBus according to rule]: :'
-    '(--dbus-system.call)'{--dbus-system.call=,--dbus-system.call=}'[allow calls on the system DBus according to rule]: :'
-    '(--dbus-system.own)'{--dbus-system.own=,--dbus-system.own=}'[allow ownership of name on the system DBus]: :'
-    '(--dbus-system.see)'{--dbus-system.see=,--dbus-system.see=}'[allow seeing name on the system DBus]: :'
-    '(--dbus-system.talk)'{--dbus-system.talk=,--dbus-system.talk=}'[allow talking to name on the system DBus]: :'
-    '(--dbus-user)'{--dbus-user=,--dbus-user=}'[set session DBus access policy or none]: :'
-    '(--dbus-user.broadcast)'{--dbus-user.broadcast=,--dbus-user.broadcast=}'[allow signals on the session DBus according to rule]: :'
-    '(--dbus-user.call)'{--dbus-user.call=,--dbus-user.call=}'[allow calls on the session DBus according to rule]: :'
-    '(--dbus-user.see)'{--dbus-user.see=,--dbus-user.see=}'[allow seeing name on the session DBus]: :'
-    '(--dbus-user.talk)'{--dbus-user.talk=,--dbus-user.talk=}'[allow talking to name on the session DBus]: :'
-    '(--dbus-log)'{--dbus-log=,--dbus-log=}'[set DBus log file location]: : _files'
-    '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy]: :(filter none)'
-    '--dbus-user.log[turn on logging for the user DBus]'
-    '(--dbus-user.own)'{--dbus-user.own=,--dbus-user.own=}'[allow ownership of name on the session DBus]: :'
-    '--dbus-system.log[turn on logging for the system DBus]'
-    '--nodbus[disable D-Bus access]'
-#endif
+
 #ifdef HAVE_PRIVATE_HOME
-    '(--private-home)'{--private-home=,--private-home=}'[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :'
+    '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files'
+#endif
+
+#ifdef HAVE_USERNS
+    '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]'
 #endif
-    '(--private-bin)'{--private-bin=,--private-bin=}'[build a new /bin in a temporary filesystem, and copy the programs in the list]: :'
-    '(--private-opt)'{--private-opt=,--private-opt=}'[build a new /opt in a temporary filesystem]: :'
-    '(--private-srv)'{--private-srv=,--private-srv=}'[build a new /srv in a temporary filesystem]: :'
+
 #ifdef HAVE_USERTMPFS
     '--private-cache[temporary ~/.cache directory]'
+    '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
 #endif
-#ifdef HAVE_FIRETUNNEL
-    '(--tunnel)'{--tunnel=,--tunnel=}'[connect the sandbox to a tunnel created by firetunnel utility]: :'
+
+#ifdef HAVE_WHITELIST
+    '*--nowhitelist=-[disable whitelist for file or directory]: :_files'
+    '*--whitelist=-[whitelist directory or file]: :_files'
 #endif
-    )
+
+#ifdef HAVE_X11
+    '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'
+    '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)'
+    '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)'
+#endif
+)
 
 
 _firejail() {
     _arguments -S $_firejail_args
     case "$state" in
-        caps_drop)
-            local caps_and_all=(all $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}'))
-            _values -s "," 'caps_drop' $caps_and_all
-            ;;
-        caps_keep)
-            local caps=($(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}'))
-            _values -s "," 'caps_keep' $caps
-            ;;
         cpus)
             _values -s "," 'cpus' $(_all_cpus)
             ;;
@@ -242,5 +273,11 @@ _firejail() {
             local net_and_none=(none $netdevs)
             _values 'net' $net_and_none
             ;;
+        seccomp)
+            # TODO: syscall groups
+            _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2)
+            ;;
     esac
 }
+
+# vim: ft=zsh sw=4 ts=4 et sts=4 ai