rename noautopulse to keep-config-pulse
Changes:

* add the keep-config-pulse option
* make noautopulse an alias for keep-config-pulse
* deprecate the noautopulse option
* misc: fix indentation of --keep-dev-shm on src/firejail/usage.c

Even though noautopulse is not intended for hardening, it looks like it
is, because it starts with "no", just like no3d, noroot, etc.  In fact,
it is the only "no" option that differs in such a way.

And it has been accidentally misused as such before; see PR netblue30#4269 and
commit e4beaea ("drop noautopulse from agetpkg").

So effectively rename it to keep-config-pulse in order to avoid
confusion.  This is similar to the keep-var-tmp and keep-dev-shm
options, which are used to "leave a path alone", just like noautopulse.

Note: The changes on this patch are based on the ones from commit
617ff40 ("add --noautopulse arg for complex pulse setups") / PR netblue30#1854.

See netblue30#4269 for the discussion.
kmk3 committed May 14, 2021
1 parent c9e7fe8 commit 5a61202
Showing 7 changed files with 32 additions and 14 deletions.
2 changes: 1 addition & 1 deletion contrib/vim/syntax/firejail.vim
Expand Up @@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
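Review bot: the deprecated spelling noautopulse stays in the same fjCommand group as the new keep-config-pulse keyword, so a profile that still uses the old name highlights exactly like one using the new name and nothing nudges profile authors toward the rename. Consider moving noautopulse (and any other deprecated keywords) into a separate group highlighted as deprecated, or at least add a comment beside the list saying it is kept only as an alias, since the generation command in the comment above will keep emitting it for as long as the matching strcmp in src/firejail/profile.c exists.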
3 changes: 3 additions & 0 deletions src/firejail/main.c
Expand Up @@ -1876,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
}
arg_writable_etc = 1;
}
else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
arg_noautopulse = 1;
}
else if (strcmp(argv[i], "--writable-var") == 0) {
arg_writable_var = 1;
}
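Review bot: the new `--keep-config-pulse` branch is placed between `--writable-etc` and `--writable-var` instead of next to its siblings `--keep-dev-shm` and `--keep-var-tmp`, and it still sets `arg_noautopulse = 1;`, so the name the commit message sets out to retire survives as the internal variable. Consider moving the branch beside the other `--keep-*` options and renaming the variable to something like `arg_keep_config_pulse` so the code no longer reads as a hardening switch. The existing `--noautopulse` branch is not in this hunk; since the commit message deprecates it, that branch should emit a deprecation warning pointing at `--keep-config-pulse` rather than silently setting the same flag.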
6 changes: 6 additions & 0 deletions src/firejail/profile.c
Expand Up @@ -1143,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
arg_machineid = 1;
return 0;
}

if (strcmp(ptr, "keep-config-pulse") == 0) {
arg_noautopulse = 1;
return 0;
}

// writable-var
if (strcmp(ptr, "writable-var") == 0) {
arg_writable_var = 1;
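Review bot: the neighbouring blocks are each introduced by a comment naming the keyword (see `// writable-var` directly below), but the new keep-config-pulse block has none; add a `// keep-config-pulse` comment for consistency. The same naming point as in main.c applies here: the block sets `arg_noautopulse`, so the internal name still carries the misleading "no" prefix this commit is trying to remove, and renaming the variable would finish the job.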
3 changes: 2 additions & 1 deletion src/firejail/usage.c
Expand Up @@ -114,7 +114,8 @@ static char *usage_str =
" --join-network=name|pid - join the network namespace.\n"
#endif
" --join-or-start=name|pid - join the sandbox or start a new one.\n"
" --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
" --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
" --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
" --keep-var-tmp - /var/tmp directory is untouched.\n"
" --list - list all sandboxes.\n"
#ifdef HAVE_FILE_TRANSFER
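Review bot: the hunk adds the `--keep-config-pulse` line and fixes the indentation of `--keep-dev-shm`, but the `--noautopulse` entry of usage_str (outside this hunk) is left as is, so `firejail --help` would advertise the deprecated spelling on equal footing with the new one. Mark that line "(deprecated, see --keep-config-pulse)" or drop it, so the help output agrees with the man pages changed in this commit.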
9 changes: 6 additions & 3 deletions src/man/firejail-profile.txt
Expand Up @@ -271,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
\fBdisable-mnt
Disable /mnt, /media, /run/mount and /run/media access.
.TP
\fBkeep-config-pulse
Disable automatic ~/.config/pulse init, for complex setups such as remote
pulse servers or non-standard socket paths.
.TP
\fBkeep-dev-shm
/dev/shm directory is untouched (even with private-dev).
.TP
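Review bot: the new entry says what the option disables but not what the default behaviour is, so a reader still cannot tell what "automatic ~/.config/pulse init" does and therefore what is left untouched; the keep-dev-shm entry right below states exactly that ("/dev/shm directory is untouched"). One sentence describing the default init, and that this option leaves the user's ~/.config/pulse alone, would make the "keep" naming self-explanatory.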
Expand Down Expand Up @@ -718,9 +722,8 @@ name browser
\fBno3d
Disable 3D hardware acceleration.
.TP
\fBnoautopulse
Disable automatic ~/.config/pulse init, for complex setups such as remote
pulse servers or non-standard socket paths.
\fBnoautopulse \fR(deprecated)
See keep-config-pulse.
.TP
\fBnodvd
Disable DVD and audio CD devices.
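Review bot: "See keep-config-pulse." tells the reader where to look but not whether the old keyword still works or when it goes away; since the commit message keeps noautopulse as an alias, say so explicitly (for example "Alias for keep-config-pulse; kept for backwards compatibility and may be removed in a future release.") so profile authors know whether existing profiles must be migrated.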
22 changes: 13 additions & 9 deletions src/man/firejail.txt
Expand Up @@ -1051,6 +1051,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
.br
Note that in contrary to other join options there is respective profile option.

.TP
\fB\-\-keep-config-pulse
Disable automatic ~/.config/pulse init, for complex setups such as remote
pulse servers or non-standard socket paths.
.br

.br
Example:
.br
$ firejail \-\-keep-config-pulse firefox

.TP
\fB\-\-keep-dev-shm
/dev/shm directory is untouched (even with --private-dev)
Expand Down Expand Up @@ -1460,15 +1471,8 @@ Example:
$ firejail --no3d firefox

.TP
\fB\-\-noautopulse
Disable automatic ~/.config/pulse init, for complex setups such as remote
pulse servers or non-standard socket paths.
.br

.br
Example:
.br
$ firejail \-\-noautopulse firefox
\fB\-\-noautopulse \fR(deprecated)
See --keep-config-pulse.

.TP
\fB\-\-noblacklist=dirname_or_filename
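Review bot: same point as in firejail-profile.txt: "See --keep-config-pulse." should state that `--noautopulse` is an alias kept for compatibility rather than a removed option, otherwise users reading only the man page may assume scripts using it are already broken. Keeping the wording identical in both man pages, in usage.c and in the completion files would avoid the two documents drifting apart.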
1 change: 1 addition & 0 deletions src/zsh_completion/_firejail.in
Expand Up @@ -98,6 +98,7 @@ _firejail_args=(
'*--ignore=-[ignore command in profile files]: :'
'--ipc-namespace[enable a new IPC namespace]'
'--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
'--keep-config-pulse[disable automatic ~/.config/pulse init]'
'--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
'--keep-var-tmp[/var/tmp directory is untouched]'
'--machine-id[preserve /etc/machine-id]'
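Review bot: the completion gains the new option, but the existing `--noautopulse` entry (outside this hunk) is untouched, so tab completion keeps offering the deprecated spelling alongside `--keep-config-pulse`; mark it deprecated in its description or drop it. Also check whether the bash completion needs the same line, since only the zsh file is among the 7 changed files.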