From e4ce9f8092e8b3aef9bbe4222de994abe9513e56 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Wed, 3 Mar 2021 17:31:06 +0100 Subject: zsh-comp: better value completion --- src/zsh_completion/_firejail.in | 87 ++++++++++++++++++++++++----------------- 1 file changed, 51 insertions(+), 36 deletions(-) (limited to 'src/zsh_completion') diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index df5ac0138..fd27bb35f 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in @@ -19,7 +19,7 @@ _all_cpus() { } _profiles() { - print $1/*.profile | sed -E "s;^$1/;;g;s;\.profile$;;g;" + print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;" } _profiles_with_ext() { print $1/*.profile @@ -29,6 +29,21 @@ _all_profiles() { _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) } +_session_bus_names() { + _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1) + # Alternatives to hack on for non-systemd systems: + # dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames + # ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service +} + +_system_bus_names() { + _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1) +} + +_caps() { + _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}') +} + _firejail_args=( '*::arguments:_normal' @@ -70,8 +85,9 @@ _firejail_args=( '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' '*--blacklist=-[blacklist directory or file]: :_files' '--caps[enable default Linux capabilities filter]' - '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :->caps_drop' - '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :->caps_keep' + '--caps.drop=all[drop all capabilities]' + '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' + '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' '--cgroup=-[place the sandbox in the specified control group]: :' '--cpu=-[set cpu affinity]: :->cpus' "--deterministic-exit-code[always exit with first child's status code]" @@ -89,6 +105,7 @@ _firejail_args=( '*--mkdir=-[create a directory]:' '*--mkfile=-[create a file]:' '--name=-[set sandbox name]: :' + '--net=none[enable a new, unconnected network namespace]' # Sample values as I don't think # many would enjoy getting a list from -20..20 '--nice=-[set nice value]: :(1 10 15 20)' @@ -105,15 +122,15 @@ _firejail_args=( '--novideo[disable video devices]' '--private[temporary home directory]' '--private=-[use directory as user home]: :_files -/' - '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' + '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin' '--private-cwd[do not inherit working directory inside jail]' '--private-cwd=-[set working directory inside jail]: :_files -/' '--private-dev[create a new /dev directory with a small number of common device files]' - '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' - '--private-opt=-[build a new /opt in a temporary filesystem]: :' - '--private-srv=-[build a new /srv in a temporary filesystem]: :' + '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc' + '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt' + '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv' '--private-tmp[mount a tmpfs on top of /tmp directory]' - '*--protocol=-[enable protocol filter]: :' + '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth' "--quiet[turn off Firejail's output.]" '*--read-only=-[set directory or file read-only]: :_files' '*--read-write=-[set directory or file read-write]: :_files' @@ -123,18 +140,19 @@ _firejail_args=( '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' - '*--rmenv=-[remove environment variable in the new sandbox]: :' + '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' '--seccomp[enable seccomp filter and apply the default blacklist]: :' - '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' + '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' '--seccomp.block-secondary[build only the native architecture filters]' - '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :' - '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :' + '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' + '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' - '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(ERRNO kill log)' + # FIXME: Add errnos + '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' '--shell=none[run the program directly without a user shell]' - '--shell=-[set default user shell]: :_files -g "*(*)"' - '--timeout=-[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' + '--shell=-[set default user shell]: :_values $(cat /etc/shells)' + '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' #'(--tracelog)--trace[trace open, access and connect system calls]' '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' @@ -153,19 +171,21 @@ _firejail_args=( #endif #ifdef HAVE_DBUSPROXY + # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}. + # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl '--dbus-log=-[set DBus log file location]: :_files' '--dbus-system=-[set system DBus access policy]: :(filter none)' - '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :' - '--dbus-system.call=-[allow calls on the system DBus according to rule]: :' - '--dbus-system.own=-[allow ownership of name on the system DBus]: :' - '--dbus-system.see=-[allow seeing name on the system DBus]: :' - '--dbus-system.talk=-[allow talking to name on the system DBus]: :' - '--dbus-user=-[set session DBus access policy or none]: :' - '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :' - '--dbus-user.call=-[allow calls on the session DBus according to rule]: :' - '--dbus-user.own=-[allow ownership of name on the session DBus]: :' - '--dbus-user.see=-[allow seeing name on the session DBus]: :' - '--dbus-user.talk=-[allow talking to name on the session DBus]: :' + '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names' + '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names' + '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names' + '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names' + '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names' + '--dbus-user=-[set session DBus access policy or none]: :(filter none)' + '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names' + '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names' + '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names' + '--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names' + '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names' #endif #ifdef HAVE_FILE_TRANSFER @@ -187,7 +207,6 @@ _firejail_args=( '--join-network=-[join the network namespace name|pid]: :_all_firejails' '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' '--mtu=-[set interface MTU]: :' - # '--net=none[enable a new, unconnected network namespace]' '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' '--net.print=-[print network interface configuration name|pid]: :_all_firejails' '--netfilter=-[enable firewall]: :' @@ -246,14 +265,6 @@ _firejail_args=( _firejail() { _arguments -S $_firejail_args case "$state" in - caps_drop) - local caps_and_all=(all $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) - _values -s "," 'caps_drop' $caps_and_all - ;; - caps_keep) - local caps=($(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) - _values -s "," 'caps_keep' $caps - ;; cpus) _values -s "," 'cpus' $(_all_cpus) ;; @@ -262,7 +273,11 @@ _firejail() { local net_and_none=(none $netdevs) _values 'net' $net_and_none ;; + seccomp) + # TODO: syscall groups + _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2) + ;; esac } -# vim: ft=zsh sw=2 ts=2 et +# vim: ft=zsh sw=4 ts=4 et sts=4 ai -- cgit v1.2.3-54-g00ecf