From b0290153afba7d0d13579a2af45d37587330335c Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Fri, 10 Dec 2021 13:11:18 -0300 Subject: [PATCH] Revert "allow/deny in zsh completion" This reverts commit 1021fb9e5d32a48698c0c8c913d44a048b12db7f. Relates to #4388 and #4410. --- src/zsh_completion/_firejail.in | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 6ce71aed8e0..8c1d758cc3b 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in @@ -48,8 +48,8 @@ _firejail_args=( '*::arguments:_normal' '--appimage[sandbox an AppImage application]' - '--build[build a profile for the application and print it on stdout]' - '--build=-[build a profile for the application and save it]: :_files' + '--build[build a whitelisted profile for the application and print it on stdout]' + '--build=-[build a whitelisted profile for the application and save it]: :_files' # Ignore that you can do -? too as it's the only short option '--help[this help screen]' '--join=-[join the sandbox name|pid]: :_all_firejails' @@ -66,14 +66,14 @@ _firejail_args=( '--ids-init[initialize IDS database]' '--debug[print sandbox debug messages]' - '--debug-allow[debug file system access]' + '--debug-blacklists[debug blacklisting]' '--debug-caps[print all recognized capabilities]' - '--debug-deny[debug file system access]' '--debug-errnos[print all recognized error numbers]' '--debug-private-lib[debug for --private-lib option]' '--debug-protocols[print all recognized protocols]' '--debug-syscalls[print all recognized system calls]' '--debug-syscalls32[print all recognized 32 bit system calls]' + '--debug-whitelists[debug whitelisting]' '--caps.print=-[print the caps filter name|pid]:firejail:_all_firejails' '--cpu.print=-[print the cpus in use name|pid]: :_all_firejails' 
@@ -86,13 +86,13 @@ _firejail_args=(
 '--allusers[all user home directories are visible inside the sandbox]'
 # Should be _files, a comma and files or files -/
 '*--bind=-[mount-bind dirname1/filename1 on top of dirname2/filename2]: :(file1,file2 dir1,dir2)'
+ '*--blacklist=-[blacklist directory or file]: :_files'
 '--caps[enable default Linux capabilities filter]'
 '--caps.drop=all[drop all capabilities]'
 '*--caps.drop=-[drop capabilities: all|cap1,cap2,...]: :_caps'
 '*--caps.keep=-[keep capabilities: cap1,cap2,...]: :_caps'
 '--cgroup=-[place the sandbox in the specified control group]: :'
 '--cpu=-[set cpu affinity]: :->cpus'
- '*--deny=-[deny access to directory or file]: :_files'
 "--deterministic-exit-code[always exit with first child's status code]"
 '--deterministic-shutdown[terminate orphan processes]'
 '*--dns=-[set DNS server]: :'
@@ -116,7 +116,7 @@ _firejail_args=(
 '--nice=-[set nice value]: :(1 10 15 20)'
 '--no3d[disable 3D hardware acceleration]'
 '--noautopulse[disable automatic ~/.config/pulse init]'
- '--nodeny=-[disable deny command for file or directory]: :_files'
+ '--noblacklist=-[disable blacklist for file or directory]: :_files'
 '--nodbus[disable D-Bus access]'
 '--nodvd[disable DVD and audio CD devices]'
 '*--noexec=-[remount the file or directory noexec nosuid and nodev]: :_files'
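Review bot: The restored `'--noblacklist=-[...]'` spec in the `@@ -116,7 +116,7 @@` hunk has no leading `*`, so `_arguments` stops offering the option once it has appeared on the command line. The sibling specs `'*--blacklist=-'` (previous hunk) and `'*--nowhitelist=-'` (last hunk of the patch) are both marked repeatable. Assuming firejail accepts `--noblacklist` more than once, as it does `--blacklist`, the line should read `'*--noblacklist=-[disable blacklist for file or directory]: :_files'`. The removed `--nodeny` line had the same shape, so this is carried over rather than introduced by the revert. The `_firejail_args=(` array opens and closes outside the hunk.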
@@ -147,13 +147,13 @@ _firejail_args=(
 '--rlimit-nproc=-[set the maximum number of processes that can be created for the real user ID of the calling process]: :'
 '--rlimit-sigpending=-[set the maximum number of pending signals for a process]: :'
 '*--rmenv=-[remove environment variable in the new sandbox]: :_values environment-variables $(env | cut -d= -f1)'
- '--seccomp[enable seccomp filter and drop the default syscalls]: :'
- '--seccomp=-[enable seccomp filter, drop the default syscall list and the syscalls specified by the command]: :->seccomp'
+ '--seccomp[enable seccomp filter and apply the default blacklist]: :'
+ '--seccomp=-[enable seccomp filter, blacklist the default syscall list and the syscalls specified by the command]: :->seccomp'
 '--seccomp.block-secondary[build only the native architecture filters]'
- '*--seccomp.drop=-[enable seccomp filter, and drop the syscalls specified by the command]: :->seccomp'
- '*--seccomp.keep=-[enable seccomp filter, and allow the syscalls specified by the command]: :->seccomp'
- '*--seccomp.32.drop=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
- '*--seccomp.32.keep=-[enable seccomp filter, and drop the 32 bit syscalls specified by the command]: :'
+ '*--seccomp.drop=-[enable seccomp filter, and blacklist the syscalls specified by the command]: :->seccomp'
+ '*--seccomp.keep=-[enable seccomp filter, and whitelist the syscalls specified by the command]: :->seccomp'
+ '*--seccomp.32.drop=-[enable seccomp filter, and blacklist the 32 bit syscalls specified by the command]: :'
+ '*--seccomp.32.keep=-[enable seccomp filter, and whitelist the 32 bit syscalls specified by the command]: :'
 # FIXME: Add errnos
 '--seccomp-error-action=-[change error code, kill process or log the attempt]: :(kill log)'
 '--shell=none[run the program directly without a user shell]'
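Review bot: The bare `'--seccomp[...]: :'` spec still ends in `: :`, which tells `_arguments` that the option takes a mandatory argument in the following word. The form with a value is already covered by the separate `'--seccomp=-[...]: :->seccomp'` spec, so after a plain `--seccomp` the next word appears to be swallowed as an empty-action argument instead of completing further options or the program name. Dropping the trailing argument spec would avoid that: `'--seccomp[enable seccomp filter and apply the default blacklist]'`. The two `--seccomp.32.*` specs also use an empty action where their non-32 siblings use `->seccomp`; a short comment saying whether that is intentional would help. The `_firejail_args=(` array opens and closes outside the hunk.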
@@ -161,7 +161,7 @@ _firejail_args=( '--timeout=-[kill the sandbox automatically after the time has elapsed]: :' #'(--tracelog)--trace[trace open, access and connect system calls]' '(--tracelog)--trace=-[trace open, access and connect system calls]: :_files' - '(--trace)--tracelog[add a syslog message for every access to files or directories dropped by the security profile]' + '(--trace)--tracelog[add a syslog message for every access to files or directories blacklisted by the security profile]' '(--private-etc)--writable-etc[/etc directory is mounted read-write]' '--writable-run-user[allow access to /run/user/$UID/systemd and /run/user/$UID/gnupg]' '--writable-var[/var directory is mounted read-write]' @@ -255,8 +255,8 @@ _firejail_args=( '*--tmpfs=-[mount a tmpfs filesystem on directory dirname]: :_files -/' #endif - '*--noallow=-[disable allow command for file or directory]: :_files' - '*--allow=-[allow file system access]: :_files' + '*--nowhitelist=-[disable whitelist for file or directory]: :_files' + '*--whitelist=-[whitelist directory or file]: :_files' #ifdef HAVE_X11 '--x11[enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension]'