Merge pull request #4827 from kmk3/noprinters-add-missing
noprinters: add missing items & add to profile.template
netblue30 committed Jan 8, 2022
2 parents 7fbb85d + 58b58cf commit cdd5c06
Showing 6 changed files with 11 additions and 1 deletion.
2 changes: 1 addition & 1 deletion contrib/vim/syntax/firejail.vim
Expand Up @@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
1 change: 1 addition & 0 deletions etc/templates/profile.template
Expand Up @@ -155,6 +155,7 @@ include globals.local
#nogroups
#noinput
#nonewprivs
#noprinters
#noroot
#nosound
#notv
1 change: 1 addition & 0 deletions src/firejail/usage.c
Expand Up @@ -161,6 +161,7 @@ static char *usage_str =
" --nogroups - disable supplementary groups.\n"
" --noinput - disable input devices.\n"
" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
" --noprinters - disable printers.\n"
" --noprofile - do not use a security profile.\n"
#ifdef HAVE_USERNS
" --noroot - install a user namespace with only the current user.\n"
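Review bot: The added usage line `" --noprinters - disable printers.\n"` tells the user nothing about what is actually restricted, and the man-page entries this commit adds for the same option (src/man/firejail.txt, src/man/firejail-profile.txt) repeat the same three words, so nothing in the commit states whether the option covers only the local print spooler (CUPS socket and configuration), network printing, or both; the implementation is not visible from this page, so I cannot say which. Because users will read an option named noprinters as a hard boundary, the long-form man page entry is the place to spell out the scope, along the lines of `Disable printers: block access to the local print spooler (CUPS) socket and configuration files. Network printing is not affected.` adjusted to what the code really blocks, and optionally listing the paths involved. The one-line usage text can stay as short as its neighbours. The `usage_str` definition this line belongs to begins before this hunk.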
3 changes: 3 additions & 0 deletions src/man/firejail-profile.txt
Expand Up @@ -489,6 +489,9 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes
cannot acquire new privileges using execve(2); in particular,
this means that calling a suid binary (or one with file capabilities)
does not result in an increase of privilege.
.TP
\fBnoprinters
Disable printers.
#ifdef HAVE_USERNS
.TP
\fBnoroot
4 changes: 4 additions & 0 deletions src/man/firejail.txt
Expand Up @@ -1634,6 +1634,10 @@ this means that calling a suid binary (or one with file capabilities)
does not result in an increase of privilege. This option
is enabled by default if seccomp filter is activated.

.TP
\fB\-\-noprinters
Disable printers.

.TP
\fB\-\-noprofile
Do not use a security profile.
1 change: 1 addition & 0 deletions src/zsh_completion/_firejail.in
Expand Up @@ -123,6 +123,7 @@ _firejail_args=(
'--nogroups[disable supplementary groups]'
'--noinput[disable input devices]'
'--nonewprivs[sets the NO_NEW_PRIVS prctl]'
'--noprinters[disable printers]'
'--nosound[disable sound system]'
'--nou2f[disable U2F devices]'
'--novideo[disable video devices]'
