From 5a612029b6c88000eba3b1195eedb7169553b7fa Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 13 May 2021 20:39:21 -0300 Subject: rename noautopulse to keep-config-pulse Changes: * add the keep-config-pulse option * make noautopulse an alias for keep-config-pulse * deprecate the noautopulse option * misc: fix indentation of --keep-dev-shm on src/firejail/usage.c Even though noautopulse is not intended for hardening, it looks like it is, because it starts with "no", just like no3d, noroot, etc). In fact, it is the only "no" option that differs in such a way. And it has been accidentally misused as such before; see PR #4269 and commit e4beaeaa8 ("drop noautopulse from agetpkg"). So effectively rename it to keep-config-pulse in order to avoid confusion. This is similar to the keep-var-tmp and keep-dev-shm options, which are used to "leave a path alone", just like noautopulse. Note: The changes on this patch are based on the ones from commit 617ff40c9 ("add --noautopulse arg for complex pulse setups") / PR #1854. See #4269 for the discussion. --- contrib/vim/syntax/firejail.vim | 2 +- src/firejail/main.c | 3 +++ src/firejail/profile.c | 6 ++++++ src/firejail/usage.c | 3 ++- src/man/firejail-profile.txt | 9 ++++++--- src/man/firejail.txt | 22 +++++++++++++--------- src/zsh_completion/_firejail.in | 1 + 7 files changed, 32 insertions(+), 14 deletions(-) diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index e4d219e68..8775ae71d 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim 
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword) syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below -syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained +syn match fjCommand 
/\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a0ee1e433..389eeeae9 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -1876,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
 }
 arg_writable_etc = 1;
 }
+ else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+ arg_noautopulse = 1;
+ }
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2ea32b665..3f90d7c1d 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1143,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_machineid = 1;
 return 0;
 }
+
+ if (strcmp(ptr, "keep-config-pulse") == 0) {
+ arg_noautopulse = 1;
+ return 0;
+ }
+
 // writable-var
 if (strcmp(ptr, "writable-var") == 0) {
 arg_writable_var = 1;
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 397150158..15e4bd3ab 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
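Review bot: In src/firejail/main.c the old spelling gets no runtime deprecation notice: the commit message promises to deprecate `noautopulse`, but the only deprecation visible in this patch is in the man pages. The added `--keep-config-pulse` branch sets the same flag, and the existing `--noautopulse` branch (outside this hunk, like the matching `noautopulse` branch in profile_check_line()) stays silent. The message itself records that the old name has been mistaken for a hardening option, so a profile that still carries it gets no hint at run time that it only skips the ~/.config/pulse setup. Consider a one-line notice from both old-name branches, for example `fwarning("noautopulse is deprecated, use keep-config-pulse\n");`, assuming the project's warning helper is usable at those points.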
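Review bot: In src/firejail/profile.c the new `keep-config-pulse` block has no label comment, while the block right below it is introduced by `// writable-var`, and nothing here tells a reader that the flag is not a hardening switch. I would add `// keep-config-pulse: not a hardening option; skips pulseaudio_init() so ~/.config/pulse stays as is` above the `if`. The described effect is taken from the sandbox.c hunk later on this page, where pulseaudio_init() is called only when the flag is unset. profile_check_line() starts and ends outside the hunk.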
@@ -114,7 +114,8 @@ static char *usage_str =
 " --join-network=name|pid - join the network namespace.\n"
 #endif
 " --join-or-start=name|pid - join the sandbox or start a new one.\n"
- " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+ " --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
+ " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
 " --keep-var-tmp - /var/tmp directory is untouched.\n"
 " --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9d59328f5..49be8d0b0 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -271,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
@@ -718,9 +722,8 @@ name browser
 \fBno3d
 Disable 3D hardware acceleration.
 .TP
-\fBnoautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
+\fBnoautopulse \fR(deprecated)
+See keep-config-pulse.
 .TP
 \fBnodvd
 Disable DVD and audio CD devices.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 397ce5e17..68aea5857 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
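Review bot: The new help line in src/firejail/usage.c keeps the old wording, `disable automatic ~/.config/pulse init`, so the entry added above `--keep-dev-shm` still reads like a feature being switched off for safety, which is the confusion the rename is meant to remove. The neighbouring `--keep-dev-shm` and `--keep-var-tmp` entries describe their path as untouched; matching them would give `" --keep-config-pulse - ~/.config/pulse is left as is (no automatic init).\n"`, with the column spacing aligned to the surrounding entries. The same phrase is repeated in the zsh completion entry and in both man pages of this patch. usage_str continues outside the hunk.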
@@ -1051,6 +1051,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise .br Note that in contrary to other join options there is respective profile option. +.TP +\fB\-\-keep-config-pulse +Disable automatic ~/.config/pulse init, for complex setups such as remote +pulse servers or non-standard socket paths. +.br + +.br +Example: +.br +$ firejail \-\-keep-config-pulse firefox + .TP \fB\-\-keep-dev-shm /dev/shm directory is untouched (even with --private-dev) @@ -1460,15 +1471,8 @@ Example: $ firejail --no3d firefox .TP -\fB\-\-noautopulse -Disable automatic ~/.config/pulse init, for complex setups such as remote -pulse servers or non-standard socket paths. -.br - -.br -Example: -.br -$ firejail \-\-noautopulse firefox +\fB\-\-noautopulse \fR(deprecated) +See --keep-config-pulse. .TP \fB\-\-noblacklist=dirname_or_filename diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index fd27bb35f..a70a7fdf4 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in @@ -98,6 +98,7 @@ _firejail_args=( '*--ignore=-[ignore command in profile files]: :' '--ipc-namespace[enable a new IPC namespace]' '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' + '--keep-config-pulse[disable automatic ~/.config/pulse init]' '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' '--keep-var-tmp[/var/tmp directory is untouched]' '--machine-id[preserve /etc/machine-id]' -- cgit v1.2.3-54-g00ecf From b7015edb02e06e26700fd23722b3c47b26063d2b Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 13 May 2021 21:13:24 -0300 Subject: rename arg_noautopulse var to arg_keep_config_pulse --- src/firejail/firejail.h | 2 +- src/firejail/main.c | 10 +++++----- src/firejail/profile.c | 4 ++-- src/firejail/sandbox.c | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e07035ae6..ac2fd279e 100644 
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -314,7 +314,6 @@ extern int arg_private_cwd; // private working directory
 extern int arg_scan; // arp-scan all interfaces
 extern int arg_whitelist; // whitelist command
 extern int arg_nosound; // disable sound
-extern int arg_noautopulse; // disable automatic ~/.config/pulse init
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d; // disable 3d hardware acceleration
 extern int arg_quiet; // no output for scripting
@@ -323,6 +322,7 @@ extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
+extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
 extern int arg_writable_var; // writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 389eeeae9..1914bdcae 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -116,7 +116,6 @@ int arg_private_cwd = 0; // private working directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist command
 int arg_nosound = 0; // disable sound
-int arg_noautopulse = 0; // disable automatic ~/.config/pulse init
 int arg_novideo = 0; //disable video devices in /dev
 int arg_no3d; // disable 3d hardware acceleration
 int arg_quiet = 0; // no output for scripting
@@ -125,6 +124,7 @@ int arg_join_filesystem = 0; // join only the mount namespace
 int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
+int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
 int arg_writable_var = 0; // writable var
 int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
@@ -1824,8 +1824,8 @@ int main(int argc, char **argv, char **envp) { exit(1); } arg_noprofile = 1; - // force noautopulse in order to keep ~/.config/pulse as is - arg_noautopulse = 1; + // force keep-config-pulse in order to keep ~/.config/pulse as is + arg_keep_config_pulse = 1; } else if (strncmp(argv[i], "--ignore=", 9) == 0) { if (custom_profile) { @@ -1877,7 +1877,7 @@ int main(int argc, char **argv, char **envp) { arg_writable_etc = 1; } else if (strcmp(argv[i], "--keep-config-pulse") == 0) { - arg_noautopulse = 1; + arg_keep_config_pulse = 1; } else if (strcmp(argv[i], "--writable-var") == 0) { arg_writable_var = 1; @@ -2081,7 +2081,7 @@ int main(int argc, char **argv, char **envp) { else if (strcmp(argv[i], "--nosound") == 0) arg_nosound = 1; else if (strcmp(argv[i], "--noautopulse") == 0) - arg_noautopulse = 1; + arg_keep_config_pulse = 1; else if (strcmp(argv[i], "--novideo") == 0) arg_novideo = 1; else if (strcmp(argv[i], "--no3d") == 0) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 3f90d7c1d..4f30fc4b1 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -423,7 +423,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { return 0; } else if (strcmp(ptr, "noautopulse") == 0) { - arg_noautopulse = 1; + arg_keep_config_pulse = 1; return 0; } else if (strcmp(ptr, "notv") == 0) { @@ -1145,7 +1145,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { } if (strcmp(ptr, "keep-config-pulse") == 0) { - arg_noautopulse = 1; + arg_keep_config_pulse = 1; return 0; } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 3af828ede..40e644be8 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -1015,7 +1015,7 @@ int sandbox(void* sandbox_arg) { // disable /dev/snd fs_dev_disable_sound(); } - else if (!arg_noautopulse) + else if (!arg_keep_config_pulse) pulseaudio_init(); if (arg_no3d) -- cgit v1.2.3-54-g00ecf