From ec97091163e94ba6da0979c171760eb261274f7d Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Mon, 1 Mar 2021 19:38:21 +0100
Subject: zsh-comp: Use easiery syntax
I don't understand the current brace expansions, so let's use a easier one:
--foo <> one-time; no argument
*--foo <> multi-time; no argument
--foo=- <> one-time; with argument (direct after the =)
*--foo=- <> multi-time; with argument (direct after the =)
---
 src/zsh_completion/_firejail.in | 192 ++++++++++++++++++++--------------------
 1 file changed, 96 insertions(+), 96 deletions(-)
(limited to 'src')
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index f58f0d4b9..3640ab129 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -28,13 +28,13 @@ _all_profiles() {
 _firejail_args=(
 '*::arguments:_normal'
- '(--profile)'{--profile=,--profile=}'[use a custom profile]: :_all_profiles'
+ '--profile=-[use a custom profile]: :_all_profiles'
 '--caps[enable default Linux capabilities filter]'
- '(--caps.drop)'{--caps.drop=,--caps.drop=}'[drop capabilities: all|cap1,cap2,...]: :->caps_drop'
- '(--caps.keep)'{--caps.keep=,--caps.keep=}'[keep capabilities: cap1,cap2,...]: :->caps_keep'
- '(--caps.print)'{--caps.print=,--caps.print=}'[print the caps filter name|pid]:firejail:_all_firejails'
+ '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :->caps_drop'
+ '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :->caps_keep'
+ '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
 '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
- '(--debug)'{--debug,--debug}'[print sandbox debug messages]'
+ '--debug[print sandbox debug messages]'
 '--debug-blacklists[debug blacklisting]'
 '--debug-caps[print all recognized capabilities]'
 '--debug-errnos[print all recognized error numbers]'
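Review bot: The rewritten `'--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'` keeps a `firejail` message tag while the other name|pid options converted in this commit (`--seccomp.print`, `--fs.print`, `--join`, …) use the bare `: :_all_firejails` form, so the same completer is described two ways in one array. For a uniform spec change it to `'--caps.print=-[print the caps filter name|pid]: :_all_firejails'`, or give the other name|pid entries the same tag; `--apparmor.print` in a later hunk has the same shape. The `_firejail_args` array continues past the end of this hunk.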
@@ -44,53 +44,53 @@ _firejail_args=(
 '--debug-syscalls32[print all recognized 32 bit system calls]'
 '--debug-whitelists[debug whitelisting]'
 # Ignore that you can do -? too as it's the only short option
- '(--help)'{--help,--help}'[this help screen]'
+ '--help[this help screen]'
 '--allusers[all user home directories are visible inside the sandbox]'
 '--appimage[sandbox an AppImage application]'
 '--private[temporary home directory]'
- '(--private)'{--private=,--private=}'[use directory as user home]: : _files -/'
- '--seccomp[enable seccomp filter and apply the default blacklist]'
- '(--seccomp=)'{--seccomp=,--seccomp=}'[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:'
- '(--seccomp.print)'{--seccomp.print=,--seccomp.print=}'[print the seccomp filter for the sandbox identified by name|pid]: : _all_firejails'
+ '--private=-[use directory as user home]: :_files -/'
+ '--seccomp[enable seccomp filter and apply the default blacklist]: :'
+ '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:'
+ '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails'
 '--seccomp.block-secondary[build only the native architecture filters]'
- '(--seccomp.drop)'{--seccomp.drop=,--seccomp.drop=}'[enable seccomp filter, and blacklist the syscalls specified by the command]: :'
- '(--seccomp.keep)'{--seccomp.keep=,--seccomp.keep=}'[enable seccomp filter, and whitelist the syscalls specified by the command]: :'
- '(--seccomp.32.drop)'{--seccomp.32.drop=,--seccomp.32.drop=}'[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
- '(--seccomp.32.keep)'{--seccomp.32.keep=,--seccomp.32.keep=}'[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
- '(--seccomp-error-action)'{--seccomp-error-action=,--seccomp-error-action=}'[change error code, kill process or log the attempt]: 
:(ERRNO kill log)' + '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :' + '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :' + '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' + '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' + '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(ERRNO kill log)' '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' - '*'{--blacklist=,--blacklist=}'[blacklist directory or file]: : _files' + '*--blacklist=-[blacklist directory or file]: :_files' '--writable-etc[/etc directory is mounted read-write]' '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' '--writable-var[/var directory is mounted read-write]' '--writable-var-log[use the real /var/log directory, not a clone]' '--build[build a whitelisted profile for the application and print it on stdout]' - '(--build)'{--build=,--build=}'[build a whitelisted profile for the application and save it]: : _files' - '(--fs.print)'{--fs.print=,--fs.print=}'[print the filesystem log name|pid]: : _all_firejails' - '(--join)'{--join=,--join=}'[join the sandbox name|pid]: : _all_firejails' - '(--join-filesystem)'{--join-filesystem=,--join-filesystem=}'[join the mount namespace name|pid]: : _all_firejails' - '(--profile.print)'{--profile.print=,--profile.print=}'[print the name of profile file name|pid]: : _all_firejails' - '(--protocol.print)'{--protocol.print=,--protocol.print=}'[print the protocol filter name|pid]: : _all_firejails' - '(--shutdown)'{--shutdown=,--shutdown=}'[shutdown the sandbox identified by name|pid]: : _all_firejails' - '(--cat)'{--cat=,--cat=}'[print content of file from sandbox container name|pid]: : _all_firejails' - 
'(--cpu.print)'{--cpu.print=,--cpu.print=}'[print the cpus in use name|pid]: : _all_firejails' + '--build=-[build a whitelisted profile for the application and save it]: :_files' + '--fs.print=-[print the filesystem log name|pid]: :_all_firejails' + '--join=-[join the sandbox name|pid]: :_all_firejails' + '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' + '--profile.print=-[print the name of profile file name|pid]: :_all_firejails' + '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails' + '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' + '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' + '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' '--list[list all sandboxes]' - '(--dns)'{--dns=,--dns=}'[set DNS server]: :' + '*--dns=-[set DNS server]: :' '*--mkdir=-[create a directory]:' '*--mkfile=-[create a file]:' - '(--protocol)'{--protocol=,--protocol=}'[enable protocol filter]: :' - '(--join-or-start)'{--join-or-start=,--join-or-start=}'[join the sandbox or start a new one name|pid]: : _all_firejails' - '(--hosts-file)'{--hosts-file=,--hosts-file=}'[use file as /etc/hosts]: : _files' + '*--protocol=-[enable protocol filter]: :' + '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' + '--hosts-file=-[use file as /etc/hosts]: :_files' '--shell=none[run the program directly without a user shell]' - '(--shell)'{--shell=,--shell=}'[set default user shell]: : _files -g "*(*)"' - '(--output)'{--output=,--output=}'[stdout logging and log rotation]: : _files' - '(--output-stderr)'{--output-stderr=,--output-stderr=}'[stdout and stderr logging and log rotation]: : _files' + '--shell=-[set default user shell]: :_files -g "*(*)"' + '--output=-[stdout logging and log rotation]: :_files' + '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' '--no3d[disable 3D hardware acceleration]' '--nodvd[disable DVD and audio 
CD devices]' '--nogroups[disable supplementary groups]' '--nonewprivs[sets the NO_NEW_PRIVS prctl]' '--noprofile[do not use a security profile]' - '(--noexec)'{--noexec=,--noexec=}'[remount the file or directory noexec nosuid and nodev]: : _files' + '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' '--ipc-namespace[enable a new IPC namespace]' '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' '--keep-var-tmp[/var/tmp directory is untouched]' 
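Review bot: The new `'--seccomp[enable seccomp filter and apply the default blacklist]: :'` declares an argument that the removed line `'--seccomp[enable seccomp filter and apply the default blacklist]'` did not; in an `_arguments` spec a trailing `: :` makes the option consume the next word, so after a bare `--seccomp` the program name would be completed as the option's value. Bare `--seccomp` takes no value, and `--seccomp=-` on the following line already covers the `=` form, so unless the suffix was added on purpose to keep the two specs apart it should be dropped: `'--seccomp[enable seccomp filter and apply the default blacklist]'`. Note also that `'--seccomp=-[…]:'` ends in a single colon (argument with no message and no action), which differs from the `: :` used by its siblings; that is carried over unchanged. The `_firejail_args` array starts and ends outside this hunk.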
@@ -98,78 +98,78 @@ _firejail_args=(
 '--trace[trace open, access and connect system calls]'
 '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]'
 '--tree[print a tree of all sandboxed processes]'
- '(--cpu)'{--cpu=,--cpu=}'[set cpu affinity]: :->cpus'
+ '--cpu=-[set cpu affinity]: :->cpus'
 '--private-dev[create a new /dev directory with a small number of common device files]'
 '--private-tmp[mount a tmpfs on top of /tmp directory]'
 '--private-cwd[do not inherit working directory inside jail]'
- '(--private-cwd)'{--private-cwd=,--private-cwd=}'[set working directory inside jail]: : _files -/'
- '*'{--read-only=,--read-only=}'[set directory or file read-only]: : _files'
- '*'{--read-write=,--read-write=}'[set directory or file read-write]: : _files'
- '(--tmpfs)'{--tmpfs=,--tmpfs=}'[mount a tmpfs filesystem on directory dirname]: : _files -/'
- '(--private-etc)'{--private-etc=,--private-etc=}'[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: : _files'
+ '--private-cwd=-[set working directory inside jail]: :_files -/'
+ '*--read-only=-[set directory or file read-only]: :_files'
+ '*--read-write=-[set directory or file read-write]: :_files'
+ '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/'
+ '*--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files'
 "--deterministic-exit-code[always exit with first child's status code]"
 '--machine-id[preserve /etc/machine-id]'
 # Sample values as I don't think
 # many would enjoy getting a list from -20..20
- '(--nice)'{--nice=,--nice=}'[set nice value]: :(1 10 15 20)'
+ '--nice=-[set nice value]: :(1 10 15 20)'
 # Should be _files, a comma and files or files -/
- '*'{--bind=,--bind=}'[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
- '(--cgroup)'{--cgroup=,--cgroup=}'[place the sandbox in the specified control 
group]: :' - '*'{--env=,--env=}'[set environment variable]: :' - '(--hostname)'{--hostname=,--hostname=}'[set sandbox hostname]: :' - '(--ignore)'{--ignore=,--ignore=}'[ignore command in profile files]: :' - '(--name)'{--name=,--name=}'[set sandbox name]: :' + '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' + '--cgroup=-[place the sandbox in the specified control group]: :' + '*--env=-[set environment variable]: :' + '--hostname=-[set sandbox hostname]: :' + '*--ignore=-[ignore command in profile files]: :' + '--name=-[set sandbox name]: :' '(--rlimit-as)'{--rlimit-as=,--rlimit-as=}"[set the maximum size of the process's virtual memory (address space) in bytes]: :" '(--rlimit-cpu)'{--rlimit-cpu=,--rlimit-cpu=}'[set the maximum CPU time in seconds]: :' '(--rlimit-fsize)'{--rlimit-fsize=,--rlimit-fsize=}'[set the maximum file size that can be created by a process]: :' '(--rlimit-nofile)'{--rlimit-nofile=,--rlimit-nofile=}'[set the maximum number of files that can be opened by a process]: :' '(--rlimit-nproc)'{--rlimit-nproc=,--rlimit-nproc=}'[set the maximum number of processes that can be created for the real user ID of the calling process]: :' '(--rlimit-sigpending)'{--rlimit-sigpending=,--rlimit-sigpending=}'[set the maximum number of pending signals for a process]: :' - '*'{--rmenv=,--rmenv=}'[remove environment variable in the new sandbox]: :' - '(--timeout)'{--timeout=,--timeout=}'[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' + '*--rmenv=-[remove environment variable in the new sandbox]: :' + '--timeout=-[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' "--quiet[turn off Firejail's output.]" '--version[print program version and exit]' #ifdef HAVE_APPARMOR '--apparmor[enable AppArmor confinement]' - '(--apparmor.print=)'{--apparmor.print=,--apparmor.print=}'[print apparmor status name|pid]:firejail:_all_firejails' + '--apparmor.print=-[print apparmor status 
name|pid]:firejail:_all_firejails' #endif #ifdef HAVE_CHROOT - '(--chroot)'{--chroot=,--chroot=}'[chroot into directory]: : _files -/' + '--chroot=-[chroot into directory]: :_files -/' #endif #ifdef HAVE_FILE_TRANSFER - '(--get)'{--get=,--get=}'[get a file from sandbox container name|pid]: : _all_firejails' + '--get=-[get a file from sandbox container name|pid]: :_all_firejails' # --put=name|pid src-filename dest-filename - put a file in sandbox container. - '(--put)'{--put=,--put=}'[put a file in sandbox container]: :' - '(--ls)'{--ls=,--ls=}'[list files in sandbox container name|pid]: : _all_firejails' + '--put=-[put a file in sandbox container]: :' + '--ls=-[list files in sandbox container name|pid]: :_all_firejails' #endif #ifdef HAVE_NETWORK # '--net=none[enable a new, unconnected network namespace]' '(--net)'{--net=,--net=}'[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' - '(--net.print)'{--net.print=,--net.print=}'[print network interface configuration name|pid]: : _all_firejails' - '(--netfilter.print)'{--netfilter.print=,--netfilter.print=}'[print the firewall name|pid]: : _all_firejails' - '(--netfilter6.print)'{--netfilter6.print=,--netfilter6.print=}'[print the IPv6 firewall name|pid]: : _all_firejails' + '--net.print=-[print network interface configuration name|pid]: :_all_firejails' + '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' + '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' '--netstats[monitor network statistics]' - '(--netmask)'{--netmask=,--netmask=}'[define a network mask when dealing with unconfigured parrent interfaces]: :' - '(--netns)'{--netns=,--netns=}'[Run the program in a named, persistent network namespace]: :' - '(--netfilter)'{--netfilter=,--netfilter=}'[enable firewall]: :' - '(--netfilter6)'{--netfilter6=,--netfilter6=}'[enable IPv6 firewall]: :' - '(--veth-name)'{--veth-name=,--veth-name=}'[use this name for the 
interface connected to the bridge]: :' - '(--join-network)'{--join-network=,--join-network=}'[join the network namespace name|pid]: : _all_firejails' - '(--defaultgw)'{--defaultgw=,--defaultgw=}'[configure default gateway]: :' - '(--ip)'{--ip=,--ip=}'[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' - '(--dns.print)'{--dns.print=,--dns.print=}'[print DNS configuration name|pid]: : _all_firejails' - '(--interface)'{--interface=,--interface=}'[move interface in sandbox]: :' - '(--ip6)'{--ip6=,--ip6=}'[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' - '(--iprange)'{--iprange=,--iprange=}'[configure an IP address in this range]: :' - '(--mac)'{--mac=,--mac=}'[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' - '(--mtu)'{--mtu=,--mtu=}'[set interface MTU]: :' + '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' + '--netns=-[Run the program in a named, persistent network namespace]: :' + '--netfilter=-[enable firewall]: :' + '--netfilter6=-[enable IPv6 firewall]: :' + '--veth-name=-[use this name for the interface connected to the bridge]: :' + '--join-network=-[join the network namespace name|pid]: :_all_firejails' + '--defaultgw=[configure default gateway]: :' + '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' + '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' + '--interface=-[move interface in sandbox]: :' + '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' + '--iprange=-[configure an IP address in this range]: :' + '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' + '--mtu=-[set interface MTU]: :' '--scan[ARP-scan all the networks from inside a network namespace]' - '(--bandwidth)'{--bandwidth=,--bandwidth=}'[set bandwidth limits name|pid]: : _all_firejails' + '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' #endif #ifdef HAVE_X11 '--x11[enable X11 sandboxing. 
The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' - '(--x11)'{--x11=,--x11=}'[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' - '(--xephyr-screen)'{--xephyr-screen=,--xephyr-screen=}'[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' + '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' + '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' #endif #ifdef HAVE_USERNS '--noroot[install a user namespace with only the current user]' 
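Review bot: `'--defaultgw=[configure default gateway]: :'` is the one converted value option in this hunk written as `=` instead of `=-`; by the convention stated in the commit message (`--foo=-` means the value comes directly after the `=`), the missing `-` lets `_arguments` also accept the gateway in the following word, so `--defaultgw 10.0.0.1 firefox`-style completion would swallow the program name. Change it to `'--defaultgw=-[configure default gateway]: :'` to match `--ip`, `--netmask` and the rest. The conversion is also left incomplete in this hunk: the `--net` entry and the six `--rlimit-*` entries still use the old `'(--x)'{--x=,--x=}` brace form and appear only as context lines. The `_firejail_args` array starts and ends outside this hunk.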
@@ -180,45 +180,45 @@ _firejail_args=( '--nou2f[disable U2F devices]' #ifdef HAVE_OVERLAYFS '--overlay[mount a filesystem overlay on top of the current filesystem]' - '(--overlay-named)'{--overlay-named=,--overlay-named=}'[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: : _files -/' + '--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' #endif #ifdef HAVE_WHITELIST - '(--nowhitelist)'{--nowhitelist=,--nowhitelist=}'[disable whitelist for file or directory]: : _files' - '*'{--whitelist=,--whitelist=}'[whitelist directory or file]: : _files' + '*--nowhitelist=-[disable whitelist for file or directory]: :_files' + '*--whitelist=-[whitelist directory or file]: :_files' #endif - '(--noblacklist)'{--noblacklist=,--noblacklist=}'[disable blacklist for file or directory]: : _files' + '--noblacklist=-[disable blacklist for file or directory]: :_files' #ifdef HAVE_DBUSPROXY - '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy or none]: :' - '(--dbus-system.broadcast)'{--dbus-system.broadcast=,--dbus-system.broadcast=}'[allow signals on the system DBus according to rule]: :' - '(--dbus-system.call)'{--dbus-system.call=,--dbus-system.call=}'[allow calls on the system DBus according to rule]: :' - '(--dbus-system.own)'{--dbus-system.own=,--dbus-system.own=}'[allow ownership of name on the system DBus]: :' - '(--dbus-system.see)'{--dbus-system.see=,--dbus-system.see=}'[allow seeing name on the system DBus]: :' - '(--dbus-system.talk)'{--dbus-system.talk=,--dbus-system.talk=}'[allow talking to name on the system DBus]: :' - '(--dbus-user)'{--dbus-user=,--dbus-user=}'[set session DBus access policy or none]: :' - 
'(--dbus-user.broadcast)'{--dbus-user.broadcast=,--dbus-user.broadcast=}'[allow signals on the session DBus according to rule]: :' - '(--dbus-user.call)'{--dbus-user.call=,--dbus-user.call=}'[allow calls on the session DBus according to rule]: :' - '(--dbus-user.see)'{--dbus-user.see=,--dbus-user.see=}'[allow seeing name on the session DBus]: :' - '(--dbus-user.talk)'{--dbus-user.talk=,--dbus-user.talk=}'[allow talking to name on the session DBus]: :' - '(--dbus-log)'{--dbus-log=,--dbus-log=}'[set DBus log file location]: : _files' - '(--dbus-system)'{--dbus-system=,--dbus-system=}'[set system DBus access policy]: :(filter none)' + '--dbus-system=-[set system DBus access policy or none]: :' + '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :' + '--dbus-system.call=-[allow calls on the system DBus according to rule]: :' + '--dbus-system.own=-[allow ownership of name on the system DBus]: :' + '--dbus-system.see=-[allow seeing name on the system DBus]: :' + '--dbus-system.talk=-[allow talking to name on the system DBus]: :' + '--dbus-user=-[set session DBus access policy or none]: :' + '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :' + '--dbus-user.call=-[allow calls on the session DBus according to rule]: :' + '--dbus-user.see=-[allow seeing name on the session DBus]: :' + '--dbus-user.talk=-[allow talking to name on the session DBus]: :' + '--dbus-log=-[set DBus log file location]: :_files' + '--dbus-system=-[set system DBus access policy]: :(filter none)' '--dbus-user.log[turn on logging for the user DBus]' - '(--dbus-user.own)'{--dbus-user.own=,--dbus-user.own=}'[allow ownership of name on the session DBus]: :' + '--dbus-user.own=-[allow ownership of name on the session DBus]: :' '--dbus-system.log[turn on logging for the system DBus]' '--nodbus[disable D-Bus access]' #endif #ifdef HAVE_PRIVATE_HOME - '(--private-home)'{--private-home=,--private-home=}'[build a new user home in a temporary 
filesystem, and copy the files and directories in the list in the new home]: :' + '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files' #endif - '(--private-bin)'{--private-bin=,--private-bin=}'[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' - '(--private-opt)'{--private-opt=,--private-opt=}'[build a new /opt in a temporary filesystem]: :' - '(--private-srv)'{--private-srv=,--private-srv=}'[build a new /srv in a temporary filesystem]: :' + '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' + '--private-opt=-[build a new /opt in a temporary filesystem]: :' + '--private-srv=-[build a new /srv in a temporary filesystem]: :' #ifdef HAVE_USERTMPFS '--private-cache[temporary ~/.cache directory]' #endif #ifdef HAVE_FIRETUNNEL - '(--tunnel)'{--tunnel=,--tunnel=}'[connect the sandbox to a tunnel created by firetunnel utility]: :' + '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' #endif ) -- cgit v1.2.3-70-g09d2 From c88dbab01db934b36bb13f23f433b3c02852ced1 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Mon, 1 Mar 2021 20:21:42 +0100 Subject: zsh-comp: order and sort --- src/zsh_completion/_firejail.in | 274 +++++++++++++++++++++------------------- 1 file changed, 145 insertions(+), 129 deletions(-) (limited to 'src') diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 3640ab129..6d8ed3cfc 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in 
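Review bot: The new side lists `--dbus-system=-` twice under `HAVE_DBUSPROXY`: `'--dbus-system=-[set system DBus access policy or none]: :'` near the top of the block and `'--dbus-system=-[set system DBus access policy]: :(filter none)'` further down, with different descriptions and only the second offering completions. The duplicate existed in the removed lines as well, but since both are rewritten here it is the natural point to keep a single spec, e.g. `'--dbus-system=-[set system DBus access policy]: :(filter none)'`. Separately, `--nowhitelist=-` gains the `*` repeat marker while `--noblacklist=-` directly below does not; if both accept multiple occurrences the marker should presumably apply to both, so worth confirming against firejail's option handling. The `_firejail_args` array begins outside this hunk.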
@@ -28,12 +28,22 @@ _all_profiles() {
 _firejail_args=(
 '*::arguments:_normal'
+
+ '--appimage[sandbox an AppImage application]'
+ '--build[build a whitelisted profile for the application and print it on stdout]'
+ '--build=-[build a whitelisted profile for the application and save it]: :_files'
+ # Ignore that you can do -? too as it's the only short option
+ '--help[this help screen]'
+ '--join=-[join the sandbox name|pid]: :_all_firejails'
+ '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails'
+ '--list[list all sandboxes]'
+ '--noprofile[do not use a security profile]'
 '--profile=-[use a custom profile]: :_all_profiles'
- '--caps[enable default Linux capabilities filter]'
- '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :->caps_drop'
- '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :->caps_keep'
- '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails'
- '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]'
+ '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails'
+ '--top[monitor the most CPU-intensive sandboxes]'
+ '--tree[print a tree of all sandboxed processes]'
+ '--version[print program version and exit]'
+
 '--debug[print sandbox debug messages]'
 '--debug-blacklists[debug blacklisting]'
 '--debug-caps[print all recognized capabilities]'
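Review bot: The new group placed between `'*::arguments:_normal'` and the `--debug*` run (`--appimage`, `--build`, `--help`, `--join`, `--list`, `--noprofile`, `--profile`, `--shutdown`, `--top`, `--tree`, `--version`) carries no comment saying what the grouping rule is, so a future option has no obvious home and the alphabetical order within the group is easy to break unnoticed. A one-line comment above each group, stating the criterion the author had in mind and that entries are kept sorted, would make the "order and sort" intent of the commit durable, e.g. `# one-shot commands and options controlling firejail itself, sorted alphabetically` (wording to be confirmed by the author). The `_firejail_args` array continues beyond this hunk.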
@@ -43,184 +53,190 @@ _firejail_args=( '--debug-syscalls[print all recognized system calls]' '--debug-syscalls32[print all recognized 32 bit system calls]' '--debug-whitelists[debug whitelisting]' - # Ignore that you can do -? too as it's the only short option - '--help[this help screen]' - '--allusers[all user home directories are visible inside the sandbox]' - '--appimage[sandbox an AppImage application]' - '--private[temporary home directory]' - '--private=-[use directory as user home]: :_files -/' - '--seccomp[enable seccomp filter and apply the default blacklist]: :' - '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' - '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails' - '--seccomp.block-secondary[build only the native architecture filters]' - '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :' - '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :' - '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' - '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' - '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(ERRNO kill log)' - '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' - '*--blacklist=-[blacklist directory or file]: :_files' - '--writable-etc[/etc directory is mounted read-write]' - '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' - '--writable-var[/var directory is mounted read-write]' - '--writable-var-log[use the real /var/log directory, not a clone]' - '--build[build a whitelisted profile for the application and print it on stdout]' - '--build=-[build a whitelisted profile for the 
application and save it]: :_files' + + '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' + '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' '--fs.print=-[print the filesystem log name|pid]: :_all_firejails' - '--join=-[join the sandbox name|pid]: :_all_firejails' - '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' '--profile.print=-[print the name of profile file name|pid]: :_all_firejails' '--protocol.print=-[print the protocol filter name|pid]: :_all_firejails' - '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' - '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' - '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' - '--list[list all sandboxes]' + '--seccomp.print=-[print the seccomp filter for the sandbox identified by name|pid]: :_all_firejails' + + '--allow-debuggers[allow tools such as strace and gdb inside the sandbox]' + '--allusers[all user home directories are visible inside the sandbox]' + # Should be _files, a comma and files or files -/ + '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' + '*--blacklist=-[blacklist directory or file]: :_files' + '--caps[enable default Linux capabilities filter]' + '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :->caps_drop' + '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :->caps_keep' + '--cgroup=-[place the sandbox in the specified control group]: :' + '--cpu=-[set cpu affinity]: :->cpus' + "--deterministic-exit-code[always exit with first child's status code]" '*--dns=-[set DNS server]: :' + '*--env=-[set environment variable]: :' + '--hostname=-[set sandbox hostname]: :' + '--hosts-file=-[use file as /etc/hosts]: :_files' + '*--ignore=-[ignore command in profile files]: :' + '--ipc-namespace[enable a new IPC namespace]' + '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' + 
'--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' + '--keep-var-tmp[/var/tmp directory is untouched]' + '--machine-id[preserve /etc/machine-id]' + '--memory-deny-write-execute[seccomp filter to block attempts to create memory mappings that are both writable and executable]' '*--mkdir=-[create a directory]:' '*--mkfile=-[create a file]:' - '*--protocol=-[enable protocol filter]: :' - '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails' - '--hosts-file=-[use file as /etc/hosts]: :_files' - '--shell=none[run the program directly without a user shell]' - '--shell=-[set default user shell]: :_files -g "*(*)"' - '--output=-[stdout logging and log rotation]: :_files' - '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' + '--name=-[set sandbox name]: :' + # Sample values as I don't think + # many would enjoy getting a list from -20..20 + '--nice=-[set nice value]: :(1 10 15 20)' '--no3d[disable 3D hardware acceleration]' + '--noautopulse[disable automatic ~/.config/pulse init]' + '--noblacklist=-[disable blacklist for file or directory]: :_files' + '--nodbus[disable D-Bus access]' '--nodvd[disable DVD and audio CD devices]' + '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' '--nogroups[disable supplementary groups]' '--nonewprivs[sets the NO_NEW_PRIVS prctl]' - '--noprofile[do not use a security profile]' - '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files' - '--ipc-namespace[enable a new IPC namespace]' - '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]' - '--keep-var-tmp[/var/tmp directory is untouched]' - '--top[monitor the most CPU-intensive sandboxes]' - '--trace[trace open, access and connect system calls]' - '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' - '--tree[print a tree of all sandboxed processes]' - '--cpu=-[set cpu affinity]: :->cpus' - 
'--private-dev[create a new /dev directory with a small number of common device files]' - '--private-tmp[mount a tmpfs on top of /tmp directory]' + '--nosound[disable sound system]' + '--nou2f[disable U2F devices]' + '--novideo[disable video devices]' + '--private[temporary home directory]' + '--private=-[use directory as user home]: :_files -/' + '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' '--private-cwd[do not inherit working directory inside jail]' '--private-cwd=-[set working directory inside jail]: :_files -/' + '--private-dev[create a new /dev directory with a small number of common device files]' + '*--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' + '--private-opt=-[build a new /opt in a temporary filesystem]: :' + '--private-srv=-[build a new /srv in a temporary filesystem]: :' + '--private-tmp[mount a tmpfs on top of /tmp directory]' + '*--protocol=-[enable protocol filter]: :' + "--quiet[turn off Firejail's output.]" '*--read-only=-[set directory or file read-only]: :_files' '*--read-write=-[set directory or file read-write]: :_files' - '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' - '*--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' - "--deterministic-exit-code[always exit with first child's status code]" - '--machine-id[preserve /etc/machine-id]' - # Sample values as I don't think - # many would enjoy getting a list from -20..20 - '--nice=-[set nice value]: :(1 10 15 20)' - # Should be _files, a comma and files or files -/ - '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' - '--cgroup=-[place the sandbox in the specified control group]: :' - '*--env=-[set environment variable]: :' - '--hostname=-[set sandbox hostname]: :' - '*--ignore=-[ignore command in profile files]: :' - '--name=-[set 
sandbox name]: :' - '(--rlimit-as)'{--rlimit-as=,--rlimit-as=}"[set the maximum size of the process's virtual memory (address space) in bytes]: :" - '(--rlimit-cpu)'{--rlimit-cpu=,--rlimit-cpu=}'[set the maximum CPU time in seconds]: :' - '(--rlimit-fsize)'{--rlimit-fsize=,--rlimit-fsize=}'[set the maximum file size that can be created by a process]: :' - '(--rlimit-nofile)'{--rlimit-nofile=,--rlimit-nofile=}'[set the maximum number of files that can be opened by a process]: :' - '(--rlimit-nproc)'{--rlimit-nproc=,--rlimit-nproc=}'[set the maximum number of processes that can be created for the real user ID of the calling process]: :' - '(--rlimit-sigpending)'{--rlimit-sigpending=,--rlimit-sigpending=}'[set the maximum number of pending signals for a process]: :' + "--rlimit-as=-[set the maximum size of the process's virtual memory (address space) in bytes]: :" + '--rlimit-cpu=-[set the maximum CPU time in seconds]: :' + '--rlimit-fsize=-[set the maximum file size that can be created by a process]: :' + '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' + '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' + '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' '*--rmenv=-[remove environment variable in the new sandbox]: :' + '--seccomp[enable seccomp filter and apply the default blacklist]: :' + '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' + '--seccomp.block-secondary[build only the native architecture filters]' + '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :' + '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :' + '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' + '*--seccomp.32.keep=-[enable seccomp 
filter, and whitelist the 32 bit syscalls specified by the command]: :' + '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(ERRNO kill log)' + '--shell=none[run the program directly without a user shell]' + '--shell=-[set default user shell]: :_files -g "*(*)"' '--timeout=-[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' - "--quiet[turn off Firejail's output.]" - '--version[print program version and exit]' + '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' + '--trace[trace open, access and connect system calls]' + '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' + '--writable-etc[/etc directory is mounted read-write]' + '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' + '--writable-var[/var directory is mounted read-write]' + '--writable-var-log[use the real /var/log directory, not a clone]' + #ifdef HAVE_APPARMOR '--apparmor[enable AppArmor confinement]' '--apparmor.print=-[print apparmor status name|pid]:firejail:_all_firejails' #endif + #ifdef HAVE_CHROOT '--chroot=-[chroot into directory]: :_files -/' #endif + +#ifdef HAVE_DBUSPROXY + '--dbus-log=-[set DBus log file location]: :_files' + '--dbus-system=-[set system DBus access policy]: :(filter none)' + '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :' + '--dbus-system.call=-[allow calls on the system DBus according to rule]: :' + '--dbus-system.own=-[allow ownership of name on the system DBus]: :' + '--dbus-system.see=-[allow seeing name on the system DBus]: :' + '--dbus-system.talk=-[allow talking to name on the system DBus]: :' + '--dbus-user=-[set session DBus access policy or none]: :' + '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :' + '--dbus-user.call=-[allow calls on the session DBus according to rule]: :' + '--dbus-user.own=-[allow ownership of name on the 
session DBus]: :' + '--dbus-user.see=-[allow seeing name on the session DBus]: :' + '--dbus-user.talk=-[allow talking to name on the session DBus]: :' +#endif + #ifdef HAVE_FILE_TRANSFER + '--cat=-[print content of file from sandbox container name|pid]: :_all_firejails' '--get=-[get a file from sandbox container name|pid]: :_all_firejails' # --put=name|pid src-filename dest-filename - put a file in sandbox container. '--put=-[put a file in sandbox container]: :' '--ls=-[list files in sandbox container name|pid]: :_all_firejails' #endif + +#ifdef HAVE_FIRETUNNEL + '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' +#endif + #ifdef HAVE_NETWORK + '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' + '--defaultgw=[configure default gateway]: :' + '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' + '--join-network=-[join the network namespace name|pid]: :_all_firejails' + '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' + '--mtu=-[set interface MTU]: :' # '--net=none[enable a new, unconnected network namespace]' - '(--net)'{--net=,--net=}'[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' + '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' '--net.print=-[print network interface configuration name|pid]: :_all_firejails' + '--netfilter=-[enable firewall]: :' '--netfilter.print=-[print the firewall name|pid]: :_all_firejails' + '--netfilter6=-[enable IPv6 firewall]: :' '--netfilter6.print=-[print the IPv6 firewall name|pid]: :_all_firejails' - '--netstats[monitor network statistics]' '--netmask=-[define a network mask when dealing with unconfigured parrent interfaces]: :' '--netns=-[Run the program in a named, persistent network namespace]: :' - '--netfilter=-[enable firewall]: :' - '--netfilter6=-[enable IPv6 firewall]: :' - '--veth-name=-[use this name for the 
interface connected to the bridge]: :' - '--join-network=-[join the network namespace name|pid]: :_all_firejails' - '--defaultgw=[configure default gateway]: :' - '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' - '--dns.print=-[print DNS configuration name|pid]: :_all_firejails' + '--netstats[monitor network statistics]' '--interface=-[move interface in sandbox]: :' + '--ip=-[set interface IP address none|dhcp|ADDRESS]: :(none dhcp)' '--ip6=-[set interface IPv6 address or use dhcp via dhclient]: :(dhcp)' '--iprange=-[configure an IP address in this range]: :' - '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' - '--mtu=-[set interface MTU]: :' '--scan[ARP-scan all the networks from inside a network namespace]' - '--bandwidth=-[set bandwidth limits name|pid]: :_all_firejails' -#endif -#ifdef HAVE_X11 - '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' - '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' - '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' + '--veth-name=-[use this name for the interface connected to the bridge]: :' #endif -#ifdef HAVE_USERNS - '--noroot[install a user namespace with only the current user]' + +#ifdef HAVE_OUTPUT + '--output=-[stdout logging and log rotation]: :_files' + '--output-stderr=-[stdout and stderr logging and log rotation]: :_files' #endif - '--nosound[disable sound system]' - '--noautopulse[disable automatic ~/.config/pulse init]' - '--novideo[disable video devices]' - '--nou2f[disable U2F devices]' + #ifdef HAVE_OVERLAYFS '--overlay[mount a filesystem overlay on top of the current filesystem]' + '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' '--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' '--overlay-tmpfs[mount a 
temporary filesystem overlay on top of the current filesystem]' - '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' -#endif -#ifdef HAVE_WHITELIST - '*--nowhitelist=-[disable whitelist for file or directory]: :_files' - '*--whitelist=-[whitelist directory or file]: :_files' -#endif - '--noblacklist=-[disable blacklist for file or directory]: :_files' -#ifdef HAVE_DBUSPROXY - '--dbus-system=-[set system DBus access policy or none]: :' - '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :' - '--dbus-system.call=-[allow calls on the system DBus according to rule]: :' - '--dbus-system.own=-[allow ownership of name on the system DBus]: :' - '--dbus-system.see=-[allow seeing name on the system DBus]: :' - '--dbus-system.talk=-[allow talking to name on the system DBus]: :' - '--dbus-user=-[set session DBus access policy or none]: :' - '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :' - '--dbus-user.call=-[allow calls on the session DBus according to rule]: :' - '--dbus-user.see=-[allow seeing name on the session DBus]: :' - '--dbus-user.talk=-[allow talking to name on the session DBus]: :' - '--dbus-log=-[set DBus log file location]: :_files' - '--dbus-system=-[set system DBus access policy]: :(filter none)' - '--dbus-user.log[turn on logging for the user DBus]' - '--dbus-user.own=-[allow ownership of name on the session DBus]: :' - '--dbus-system.log[turn on logging for the system DBus]' - '--nodbus[disable D-Bus access]' #endif + #ifdef HAVE_PRIVATE_HOME '--private-home=-[build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home]: :_files' #endif - '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' - '--private-opt=-[build a new /opt in a temporary filesystem]: :' - '--private-srv=-[build a new /srv in a temporary filesystem]: :' + +#ifdef HAVE_USERNS + '--noroot[install a user 
namespace with only the current user]' +#endif + #ifdef HAVE_USERTMPFS '--private-cache[temporary ~/.cache directory]' #endif -#ifdef HAVE_FIRETUNNEL - '--tunnel=-[connect the sandbox to a tunnel created by firetunnel utility]: :' + +#ifdef HAVE_WHITELIST + '*--nowhitelist=-[disable whitelist for file or directory]: :_files' + '*--whitelist=-[whitelist directory or file]: :_files' +#endif + +#ifdef HAVE_X11 + '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]' + '--x11=-[disable or enable specific X11 server]: :(none xephyr xorg xpra xvfb)' + '--xephyr-screen=-[set screen size for --x11=xephyr]: :(WIDTHxHEIGHT)' #endif - ) +) _firejail() { -- cgit v1.2.3-70-g09d2 From eff12378dd671848e1ab7ead4403b4c64fd134da Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Wed, 3 Mar 2021 12:33:41 +0100 Subject: zsh-comp: make some options mutually exclusive --- src/zsh_completion/_firejail.in | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 6d8ed3cfc..df5ac0138 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in @@ -1,5 +1,8 @@ #compdef firejail +# Documentation: man 1 zshcompsys +# HowTo: https://github.com/zsh-users/zsh-completions/blob/master/zsh-completions-howto.org + _all_firejails() { local -a _all_firejails_list for jail in ${(f)"$(_call_program modules_tag "firejail --list 2> /dev/null | cut -d: -f1")"}; do 
@@ -37,8 +40,8 @@ _firejail_args=( '--join=-[join the sandbox name|pid]: :_all_firejails' '--join-filesystem=-[join the mount namespace name|pid]: :_all_firejails' '--list[list all sandboxes]' - '--noprofile[do not use a security profile]' - '--profile=-[use a custom profile]: :_all_profiles' + '(--profile)--noprofile[do not use a security profile]' + '(--noprofile)--profile=-[use a custom profile]: :_all_profiles' '--shutdown=-[shutdown the sandbox identified by name|pid]: :_all_firejails' '--top[monitor the most CPU-intensive sandboxes]' '--tree[print a tree of all sandboxed processes]' @@ -106,7 +109,7 @@ _firejail_args=( '--private-cwd[do not inherit working directory inside jail]' '--private-cwd=-[set working directory inside jail]: :_files -/' '--private-dev[create a new /dev directory with a small number of common device files]' - '*--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' + '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' '--private-opt=-[build a new /opt in a temporary filesystem]: :' '--private-srv=-[build a new /srv in a temporary filesystem]: :' '--private-tmp[mount a tmpfs on top of /tmp directory]' 
@@ -132,10 +135,10 @@ _firejail_args=( '--shell=none[run the program directly without a user shell]' '--shell=-[set default user shell]: :_files -g "*(*)"' '--timeout=-[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' - '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' - '--trace[trace open, access and connect system calls]' - '--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' - '--writable-etc[/etc directory is mounted read-write]' + #'(--tracelog)--trace[trace open, access and connect system calls]' + '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' + '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' + '(--private-etc)--writable-etc[/etc directory is mounted read-write]' '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' '--writable-var[/var directory is mounted read-write]' '--writable-var-log[use the real /var/log directory, not a clone]' @@ -146,7 +149,7 @@ _firejail_args=( #endif #ifdef HAVE_CHROOT - '--chroot=-[chroot into directory]: :_files -/' + '(--noroot --overlay --overlay-named --overlay-tmpfs)--chroot=-[chroot into directory]: :_files -/' #endif #ifdef HAVE_DBUSPROXY 
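Review bot: Commenting out the bare `--trace` spec drops completion of the argument-less form, which the kept-but-disabled line shows the author still considers valid; the underlying problem is presumably that `_arguments` sees `--trace` and `--trace=-` as the same option name. The usual fix is one spec with an optional argument, `'(--tracelog)--trace=-[trace open, access and connect system calls]:: :_files'`, so both `--trace` and `--trace=FILE` complete and the dead comment line can go. I believe `::` is honoured on `=-` options, but that is worth confirming against `man zshcompsys` before relying on it.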
@@ -208,10 +211,10 @@ _firejail_args=( #endif #ifdef HAVE_OVERLAYFS - '--overlay[mount a filesystem overlay on top of the current filesystem]' + '(--chroot --noroot)--overlay[mount a filesystem overlay on top of the current filesystem]' '--overlay-clean[clean all overlays stored in $HOME/.firejail directory]' - '--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' - '--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' + '(--chroot --noroot)--overlay-named=-[mount a filesystem overlay on top of the current filesystem, and store it in name directory]: :_files -/' + '(--chroot --noroot)--overlay-tmpfs[mount a temporary filesystem overlay on top of the current filesystem]' #endif #ifdef HAVE_PRIVATE_HOME @@ -219,11 +222,12 @@ _firejail_args=( #endif #ifdef HAVE_USERNS - '--noroot[install a user namespace with only the current user]' + '(--chroot --overlay --overlay-named --overlay-tmpfs)--noroot[install a user namespace with only the current user]' #endif #ifdef HAVE_USERTMPFS '--private-cache[temporary ~/.cache directory]' + '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' #endif #ifdef HAVE_WHITELIST @@ -260,3 +264,5 @@ _firejail() { ;; esac } + +# vim: ft=zsh sw=2 ts=2 et -- cgit v1.2.3-70-g09d2 From e4ce9f8092e8b3aef9bbe4222de994abe9513e56 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Wed, 3 Mar 2021 17:31:06 +0100 Subject: zsh-comp: better value completion --- src/zsh_completion/_firejail.in | 87 ++++++++++++++++++++++++----------------- 1 file changed, 51 insertions(+), 36 deletions(-) (limited to 'src') diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index df5ac0138..fd27bb35f 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in 
@@ -19,7 +19,7 @@ _all_cpus() { } _profiles() { - print $1/*.profile | sed -E "s;^$1/;;g;s;\.profile$;;g;" + print $1/*.profile | sed -E "s;$1/;;g;s;\.profile;;g;" } _profiles_with_ext() { print $1/*.profile @@ -29,6 +29,21 @@ _all_profiles() { _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) } +_session_bus_names() { + _values names $(busctl --user list --no-legend --activatable | cut -d" " -f1) + # Alternatives to hack on for non-systemd systems: + # dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply=literal /org/freedesktop/DBus org.freedesktop.DBus.ListNames + # ls /usr/share/dbus-1/services | xargs -I FILENAME basename FILENAME .service +} + +_system_bus_names() { + _values names $(busctl --system list --no-legend --activatable | cut -d" " -f1) +} + +_caps() { + _values -s "," caps $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}') +} + _firejail_args=( '*::arguments:_normal' @@ -70,8 +85,9 @@ _firejail_args=( '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)' '*--blacklist=-[blacklist directory or file]: :_files' '--caps[enable default Linux capabilities filter]' - '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :->caps_drop' - '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :->caps_keep' + '--caps.drop=all[drop all capabilities]' + '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps' + '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps' '--cgroup=-[place the sandbox in the specified control group]: :' '--cpu=-[set cpu affinity]: :->cpus' "--deterministic-exit-code[always exit with first child's status code]" 
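Review bot: The new `sed` line in `_profiles` still interpolates `$1` unescaped into the regex, so a home directory containing `;` breaks the sed program and every `.` in `$HOME/.config/firejail` acts as a wildcard. Dropping the anchors is understandable because `print` joins the globbed names onto a single line, so `^` and `$` only ever matched the first and last entry, but the sed pass is not needed at all: `print -- $1/*.profile(N:t:r)` yields the basenames without the `.profile` suffix and expands to nothing, rather than an error, when the directory holds no profiles.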
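Review bot: The three new helpers run `busctl` and `firejail` directly, whereas `_all_firejails` above routes its command through `_call_program` with `2> /dev/null`; on a machine without `busctl` the "command not found" text lands in the command line being completed, and the `command` zstyle override that completion users expect does not apply. Matching the existing style, e.g. `_values names $(_call_program bus-names "busctl --user list --no-legend --activatable 2>/dev/null | cut -d' ' -f1")`, fixes both, and the same applies to `_caps` here and to the `seccomp)` state added in `@@ -262,7 +273,11 @@`. The `\s` in the awk pattern is a GNU extension as far as I know, so `[[:space:]]*` would be the portable spelling if non-gawk systems matter.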
@@ -89,6 +105,7 @@ _firejail_args=( '*--mkdir=-[create a directory]:' '*--mkfile=-[create a file]:' '--name=-[set sandbox name]: :' + '--net=none[enable a new, unconnected network namespace]' # Sample values as I don't think # many would enjoy getting a list from -20..20 '--nice=-[set nice value]: :(1 10 15 20)' @@ -105,15 +122,15 @@ _firejail_args=( '--novideo[disable video devices]' '--private[temporary home directory]' '--private=-[use directory as user home]: :_files -/' - '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :' + '--private-bin=-[build a new /bin in a temporary filesystem, and copy the programs in the list]: :_files -W /usr/bin' '--private-cwd[do not inherit working directory inside jail]' '--private-cwd=-[set working directory inside jail]: :_files -/' '--private-dev[create a new /dev directory with a small number of common device files]' - '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files' - '--private-opt=-[build a new /opt in a temporary filesystem]: :' - '--private-srv=-[build a new /srv in a temporary filesystem]: :' + '(--writable-etc)--private-etc=-[build a new /etc in a temporary filesystem, and copy the files and directories in the list]: :_files -W /etc' + '--private-opt=-[build a new /opt in a temporary filesystem]: :_files -W /opt' + '--private-srv=-[build a new /srv in a temporary filesystem]: :_files -W /srv' '--private-tmp[mount a tmpfs on top of /tmp directory]' - '*--protocol=-[enable protocol filter]: :' + '*--protocol=-[enable protocol filter]: :_values -s , protocols unix inet inet6 netlink packet bluetooth' "--quiet[turn off Firejail's output.]" '*--read-only=-[set directory or file read-only]: :_files' '*--read-write=-[set directory or file read-write]: :_files' 
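Review bot: With a dedicated `--net=none` spec, the `none` that the `net_or_none` state still prepends (`local net_and_none=(none $netdevs)` in `_firejail()`) is offered twice. If the new spec is the intended home for `none`, the state can just do `_values 'net' $netdevs`; otherwise the new line is redundant.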
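Review bot: `_files -W /etc` and `_files -W /usr/bin` complete a single path, but `--private-etc` and `--private-bin` take comma-separated lists, so a second entry after `,` gets no completion. `_sequence` exists for exactly this, e.g. `'(--writable-etc)--private-etc=-[...]: :_sequence _files -W /etc'`, and the same wrapper would suit `--private-bin`, `--private-opt` and `--private-srv`. For `--private-bin` the programs are looked up along PATH, not only `/usr/bin`; I think `-W` also accepts a parenthesised list such as `-W "(/usr/bin /bin /usr/local/bin)"`, which would cover merged and split `/bin` layouts.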
@@ -123,18 +140,19 @@ _firejail_args=( '--rlimit-nofile=-[set the maximum number of files that can be opened by a process]: :' '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :' '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :' - '*--rmenv=-[remove environment variable in the new sandbox]: :' + '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)' '--seccomp[enable seccomp filter and apply the default blacklist]: :' - '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]:' + '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp' '--seccomp.block-secondary[build only the native architecture filters]' - '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :' - '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :' + '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp' + '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp' '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :' '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :' - '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(ERRNO kill log)' + # FIXME: Add errnos + '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)' '--shell=none[run the program directly without a user shell]' - '--shell=-[set default user shell]: :_files -g "*(*)"' - '--timeout=-[kill the sandbox automatically after the time has elapsed]: :(hh\:mm\:ss)' + '--shell=-[set default user 
shell]: :_values $(cat /etc/shells)' + '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' #'(--tracelog)--trace[trace open, access and connect system calls]' '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' 
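Review bot: `_values $(cat /etc/shells)` on the new `--shell=-` line is missing the mandatory description argument, so the first word of `/etc/shells` becomes the description and is never offered; on distributions whose `/etc/shells` starts with a comment the remaining comment words are offered as shells. `'--shell=-[set default user shell]: :_values shells $(grep -v "^#" /etc/shells)'` fixes both. On the `--rmenv=-` line, `env | cut -d= -f1` emits a bogus name for every continuation line of a multi-line exported value; `_parameters -g "*export*"` completes exported names from the shell itself without spawning a process.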
@@ -153,19 +171,21 @@ _firejail_args=( #endif #ifdef HAVE_DBUSPROXY + # FIXME: _xx_bus_names is actually wrong for --dbus-*.{broadcast,call}. + # We can steal some function from https://github.com/systemd/systemd/blob/main/shell-completion/zsh/_busctl '--dbus-log=-[set DBus log file location]: :_files' '--dbus-system=-[set system DBus access policy]: :(filter none)' - '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :' - '--dbus-system.call=-[allow calls on the system DBus according to rule]: :' - '--dbus-system.own=-[allow ownership of name on the system DBus]: :' - '--dbus-system.see=-[allow seeing name on the system DBus]: :' - '--dbus-system.talk=-[allow talking to name on the system DBus]: :' - '--dbus-user=-[set session DBus access policy or none]: :' - '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :' - '--dbus-user.call=-[allow calls on the session DBus according to rule]: :' - '--dbus-user.own=-[allow ownership of name on the session DBus]: :' - '--dbus-user.see=-[allow seeing name on the session DBus]: :' - '--dbus-user.talk=-[allow talking to name on the session DBus]: :' + '--dbus-system.broadcast=-[allow signals on the system DBus according to rule]: :_system_bus_names' + '--dbus-system.call=-[allow calls on the system DBus according to rule]: :_system_bus_names' + '--dbus-system.own=-[allow ownership of name on the system DBus]: :_system_bus_names' + '--dbus-system.see=-[allow seeing name on the system DBus]: :_system_bus_names' + '--dbus-system.talk=-[allow talking to name on the system DBus]: :_system_bus_names' + '--dbus-user=-[set session DBus access policy or none]: :(filter none)' + '--dbus-user.broadcast=-[allow signals on the session DBus according to rule]: :_session_bus_names' + '--dbus-user.call=-[allow calls on the session DBus according to rule]: :_session_bus_names' + '--dbus-user.own=-[allow ownership of name on the session DBus]: :_session_bus_names' + 
'--dbus-user.see=-[allow seeing name on the session DBus]: :_session_bus_names' + '--dbus-user.talk=-[allow talking to name on the session DBus]: :_session_bus_names' #endif #ifdef HAVE_FILE_TRANSFER @@ -187,7 +207,6 @@ _firejail_args=( '--join-network=-[join the network namespace name|pid]: :_all_firejails' '--mac=-[set interface MAC address]: :(xx\:xx\:xx\:xx\:xx\:xx)' '--mtu=-[set interface MTU]: :' - # '--net=none[enable a new, unconnected network namespace]' '--net=-[enable network namespaces and connect to this bridge or Ethernet interface (or none to disable)]: :->net_or_none' '--net.print=-[print network interface configuration name|pid]: :_all_firejails' '--netfilter=-[enable firewall]: :' @@ -246,14 +265,6 @@ _firejail_args=( _firejail() { _arguments -S $_firejail_args case "$state" in - caps_drop) - local caps_and_all=(all $(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) - _values -s "," 'caps_drop' $caps_and_all - ;; - caps_keep) - local caps=($(firejail --debug-caps | awk '/[0-9]+\s*- /{print $3}')) - _values -s "," 'caps_keep' $caps - ;; cpus) _values -s "," 'cpus' $(_all_cpus) ;; @@ -262,7 +273,11 @@ _firejail() { local net_and_none=(none $netdevs) _values 'net' $net_and_none ;; + seccomp) + # TODO: syscall groups + _values -s "," 'syscalls' $(firejail --debug-syscalls | cut -d" " -f2) + ;; esac } -# vim: ft=zsh sw=2 ts=2 et +# vim: ft=zsh sw=4 ts=4 et sts=4 ai -- cgit v1.2.3-70-g09d2