diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index e4d219e689b..8775ae71dfe 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e07035ae6c7..ac2fd279ebf 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -314,7 +314,6 @@ extern int arg_private_cwd; // private working directory
 extern int arg_scan; // arp-scan all interfaces
 extern int arg_whitelist; // whitelist command
 extern int arg_nosound; // disable sound
-extern int arg_noautopulse; // disable automatic ~/.config/pulse init
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d; // disable 3d hardware acceleration
 extern int arg_quiet; // no output for scripting
@@ -323,6 +322,7 @@ extern int arg_join_filesystem; // join only the mount namespace
 extern int arg_nice; // nice value configured
 extern int arg_ipc; // enable ipc namespace
 extern int arg_writable_etc; // writable etc
+extern int arg_keep_config_pulse; // disable automatic ~/.config/pulse init
 extern int arg_writable_var; // writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user; // writable /run/user
diff --git a/src/firejail/main.c b/src/firejail/main.c
index a0ee1e43336..1914bdcae44 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
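Review bot: The replacement declaration `extern int arg_keep_config_pulse;` is added among the `arg_writable_*` flags in the second firejail.h hunk, while the removed `arg_noautopulse` sat next to `arg_nosound` and `arg_novideo` in the first; keeping the sound-related flags together (and likewise for the definitions in the first two main.c hunks) would make its relationship to `arg_nosound` easier to see. The trailing comment also still describes the old negative name; for a flag called keep-config-pulse something like `// keep ~/.config/pulse untouched (skip automatic pulse init)` reads more directly. Both points are style only; the rename itself is applied consistently across the hunks shown.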
@@ -116,7 +116,6 @@ int arg_private_cwd = 0; // private working directory
 int arg_scan = 0; // arp-scan all interfaces
 int arg_whitelist = 0; // whitelist command
 int arg_nosound = 0; // disable sound
-int arg_noautopulse = 0; // disable automatic ~/.config/pulse init
 int arg_novideo = 0; //disable video devices in /dev
 int arg_no3d; // disable 3d hardware acceleration
 int arg_quiet = 0; // no output for scripting
@@ -125,6 +124,7 @@ int arg_join_filesystem = 0; // join only the mount namespace
 int arg_nice = 0; // nice value configured
 int arg_ipc = 0; // enable ipc namespace
 int arg_writable_etc = 0; // writable etc
+int arg_keep_config_pulse = 0; // disable automatic ~/.config/pulse init
 int arg_writable_var = 0; // writable var
 int arg_keep_var_tmp = 0; // don't overwrite /var/tmp
 int arg_writable_run_user = 0; // writable /run/user
@@ -1824,8 +1824,8 @@ int main(int argc, char **argv, char **envp) {
 exit(1);
 }
 arg_noprofile = 1;
- // force noautopulse in order to keep ~/.config/pulse as is
- arg_noautopulse = 1;
+ // force keep-config-pulse in order to keep ~/.config/pulse as is
+ arg_keep_config_pulse = 1;
 }
 else if (strncmp(argv[i], "--ignore=", 9) == 0) {
 if (custom_profile) {
@@ -1876,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
 }
 arg_writable_etc = 1;
 }
+ else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+ arg_keep_config_pulse = 1;
+ }
 else if (strcmp(argv[i], "--writable-var") == 0) {
 arg_writable_var = 1;
 }
@@ -2078,7 +2081,7 @@ int main(int argc, char **argv, char **envp) {
 else if (strcmp(argv[i], "--nosound") == 0)
 arg_nosound = 1;
 else if (strcmp(argv[i], "--noautopulse") == 0)
- arg_noautopulse = 1;
+ arg_keep_config_pulse = 1;
 else if (strcmp(argv[i], "--novideo") == 0)
 arg_novideo = 1;
 else if (strcmp(argv[i], "--no3d") == 0)
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index 2ea32b665fe..4f30fc4b1dd 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
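Review bot: `--noautopulse` is kept as a silent alias in the last main.c hunk (the `strcmp(argv[i], "--noautopulse")` branch now just sets `arg_keep_config_pulse`), although the man pages in this same commit mark it deprecated, so users get no signal to migrate before the alias is eventually dropped. A one-line notice in that branch, for example `fwarning("--noautopulse is deprecated, use --keep-config-pulse\n");` if firejail's warning helper is the right channel here, would close that gap; the same applies to the `noautopulse` keyword branch in profile.c's first hunk. Note also that the new `--keep-config-pulse` branch lands about 200 lines away from the `--noautopulse` one, so the two spellings of the same option live in different parts of the parser. All of these branches are inside main(), whose start and end are outside the hunks.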
@@ -423,7 +423,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 return 0;
 }
 else if (strcmp(ptr, "noautopulse") == 0) {
- arg_noautopulse = 1;
+ arg_keep_config_pulse = 1;
 return 0;
 }
 else if (strcmp(ptr, "notv") == 0) {
@@ -1143,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 arg_machineid = 1;
 return 0;
 }
+
+ if (strcmp(ptr, "keep-config-pulse") == 0) {
+ arg_keep_config_pulse = 1;
+ return 0;
+ }
+
 // writable-var
 if (strcmp(ptr, "writable-var") == 0) {
 arg_writable_var = 1;
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 3af828edeeb..40e644be811 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1015,7 +1015,7 @@ int sandbox(void* sandbox_arg) {
 // disable /dev/snd
 fs_dev_disable_sound();
 }
- else if (!arg_noautopulse)
+ else if (!arg_keep_config_pulse)
 pulseaudio_init();

 if (arg_no3d)
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 397150158a7..15e4bd3ab8e 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -114,7 +114,8 @@ static char *usage_str =
 " --join-network=name|pid - join the network namespace.\n"
 #endif
 " --join-or-start=name|pid - join the sandbox or start a new one.\n"
- " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+ " --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
+ " --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
 " --keep-var-tmp - /var/tmp directory is untouched.\n"
 " --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9d59328f5ae..49be8d0b027 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
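Review bot: The new `keep-config-pulse` block in the second profile.c hunk lacks the one-line heading comment its neighbours carry (`// writable-var` sits directly below it), so it should get a matching `// keep-config-pulse` line above the `if`. It is also written as a standalone `if` in the keyword chain while `noautopulse` is handled as an `else if` near line 423 in the first hunk, so the two spellings of the same option are parsed in different places and styles; whichever form is kept, a short comment next to the `noautopulse` branch pointing at the new keyword would help the next maintainer find both. profile_check_line starts and ends outside both hunks.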
@@ -271,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
@@ -718,9 +722,8 @@ name browser
 \fBno3d
 Disable 3D hardware acceleration.
 .TP
-\fBnoautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
+\fBnoautopulse \fR(deprecated)
+See keep-config-pulse.
 .TP
 \fBnodvd
 Disable DVD and audio CD devices.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 397ce5e1779..68aea58571b 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1051,6 +1051,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 .br
 Note that in contrary to other join options there is respective profile option.

+.TP
+\fB\-\-keep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-keep-config-pulse firefox
+
 .TP
 \fB\-\-keep-dev-shm
 /dev/shm directory is untouched (even with --private-dev)
@@ -1460,15 +1471,8 @@ Example:
 $ firejail --no3d firefox

 .TP
-\fB\-\-noautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noautopulse firefox
+\fB\-\-noautopulse \fR(deprecated)
+See --keep-config-pulse.
 .TP
 \fB\-\-noblacklist=dirname_or_filename
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index fd27bb35fb9..a70a7fdf467 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -98,6 +98,7 @@ _firejail_args=(
 '*--ignore=-[ignore command in profile files]: :'
 '--ipc-namespace[enable a new IPC namespace]'
 '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+ '--keep-config-pulse[disable automatic ~/.config/pulse init]'
 '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
 '--keep-var-tmp[/var/tmp directory is untouched]'
 '--machine-id[preserve /etc/machine-id]'