6 files changed, 11 insertions, 1 deletions

diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index bcaa85a9c..57c7b371d 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 1a4c8fef9..aefb75c2c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -155,6 +155,7 @@ include globals.local
 #nogroups
 #noinput
 #nonewprivs
+#noprinters
 #noroot
 #nosound
 #notv
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 183259f16..24c8e3194 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -161,6 +161,7 @@ static char *usage_str =
         "    --nogroups - disable supplementary groups.\n"
         "    --noinput - disable input devices.\n"
         "    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+        "    --noprinters - disable printers.\n"
         "    --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
         "    --noroot - install a user namespace with only the current user.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e35f2837b..71dab18ba 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -489,6 +489,9 @@ Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+.TP
+\fBnoprinters
+Disable printers.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 5a005ea5c..80487a49d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1635,6 +1635,10 @@ does not result in an increase of privilege. This option
 is enabled by default if seccomp filter is activated.
 
 .TP
+\fB\-\-noprinters
+Disable printers.
+
+.TP
 \fB\-\-noprofile
 Do not use a security profile.
 .br
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 8c1d758cc..334812dd6 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -123,6 +123,7 @@ _firejail_args=(
     '--nogroups[disable supplementary groups]'
     '--noinput[disable input devices]'
     '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+    '--noprinters[disable printers]'
     '--nosound[disable sound system]'
     '--nou2f[disable U2F devices]'
     '--novideo[disable video devices]'