10 files changed, 85 insertions, 1 deletions
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index bcaa85a9c..57c7b371d 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 804869e2a..ca43e5ed9 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -40,6 +40,15 @@ blacklist /usr/lib/perl*
 blacklist /usr/lib64/perl*
 blacklist /usr/share/perl*
+# rxvt needs Perl modules, thus does not work. In particular, blacklisting
+# it is needed so that Firefox can run applications with Terminal=true in
+# their .desktop file (depending on what is installed). The reason is that
+# this is done via glib, which currently uses a hardcoded list of terminal
+# emulators:
+#   https://gitlab.gnome.org/GNOME/glib/-/issues/338
+# And in this list, rxvt comes before xterm.
+blacklist ${PATH}/rxvt
 # PHP
 blacklist ${PATH}/php*
 blacklist /usr/lib/php*
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 02407f54f..ca8820ab6 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -192,6 +192,7 @@ blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rednotebook
 blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/rpcs3
 blacklist ${HOME}/.cache/shotwell
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
@@ -573,6 +574,7 @@ blacklist ${HOME}/.config/redshift
 blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/rpcs3
 blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile
new file mode 100644
index 000000000..147afb236
--- /dev/null
+++ b/etc/profile-m-z/rpcs3.profile
@@ -0,0 +1,62 @@
+# Firejail profile for RPCS3 emulator
+# Description: RPCS3 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rpcs3.local 
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/rpcs3
+noblacklist ${HOME}/.cache/rpcs3
+# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
+# won't even start.
+noblacklist /sbin
+noblacklist /usr/sbin
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc # disable if PPU compilation crashes
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/rpcs3
+mkdir ${HOME}/.config/rpcs3
+whitelist ${HOME}/.cache/rpcs3
+whitelist ${HOME}/.config/rpcs3
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+netfilter
+nodvd
+nogroups
+#noinput
+nonewprivs
+noroot
+noprinters
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+#private-cache
+#private-etc ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 1a4c8fef9..aefb75c2c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -155,6 +155,7 @@ include globals.local
 #nogroups
 #noinput
 #nonewprivs
+#noprinters
 #noroot
 #nosound
 #notv
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index bbbd1e063..e68c04b4c 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -702,6 +702,7 @@ riot-web
 ripperx
 ristretto
 rocketchat
+rpcs3
 rtorrent
 runenpass.sh
 sayonara
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 183259f16..24c8e3194 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -161,6 +161,7 @@ static char *usage_str =
        "    --nogroups - disable supplementary groups.\n"
        "    --noinput - disable input devices.\n"
        "    --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+        "    --noprinters - disable printers.\n"
        "    --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
        "    --noroot - install a user namespace with only the current user.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e35f2837b..71dab18ba 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -489,6 +489,9 @@ Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
 cannot acquire new privileges using execve(2);  in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+.TP
+\fBnoprinters
+Disable printers.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 5a005ea5c..80487a49d 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1635,6 +1635,10 @@ does not result in an increase of privilege. This option
 is enabled by default if seccomp filter is activated.
 .TP
+\fB\-\-noprinters
+Disable printers.
+.TP
 \fB\-\-noprofile
 Do not use a security profile.
 .br
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 8c1d758cc..334812dd6 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -123,6 +123,7 @@ _firejail_args=(
    '--nogroups[disable supplementary groups]'
    '--noinput[disable input devices]'
    '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+    '--noprinters[disable printers]'
    '--nosound[disable sound system]'
    '--nou2f[disable U2F devices]'
    '--novideo[disable video devices]'

diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim index bcaa85a9c..57c7b371d 100644 --- a/contrib/vim/syntax/firejail.vim +++ b/contrib/vim/syntax/firejail.vim
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG\|DESKTOP\|DOCUMENTS\|DOWNLOADS\|HOME\|MUSIC\|PATH\|PICTURES
51	" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } \| grep -vEx '(include\|ignore\|caps\.drop\|caps\.keep\|protocol\|seccomp\|seccomp\.drop\|seccomp\.keep\|env\|rmenv\|net\|ip)' \| sort -u \| tr $'\n' '\|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)	51	" Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } \| grep -vEx '(include\|ignore\|caps\.drop\|caps\.keep\|protocol\|seccomp\|seccomp\.drop\|seccomp\.keep\|env\|rmenv\|net\|ip)' \| sort -u \| tr $'\n' '\|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
52	syn match fjCommand /\v(bind\|blacklist\|blacklist-nolog\|cgroup\|cpu\|defaultgw\|dns\|hostname\|hosts-file\|ip6\|iprange\|join-or-start\|mac\|mkdir\|mkfile\|mtu\|name\|netfilter\|netfilter6\|netmask\|nice\|noblacklist\|noexec\|nowhitelist\|overlay-named\|private\|private-bin\|private-cwd\|private-etc\|private-home\|private-lib\|private-opt\|private-srv\|read-only\|read-write\|rlimit-as\|rlimit-cpu\|rlimit-fsize\|rlimit-nofile\|rlimit-nproc\|rlimit-sigpending\|timeout\|tmpfs\|veth-name\|whitelist\|xephyr-screen) / skipwhite contained	52	syn match fjCommand /\v(bind\|blacklist\|blacklist-nolog\|cgroup\|cpu\|defaultgw\|dns\|hostname\|hosts-file\|ip6\|iprange\|join-or-start\|mac\|mkdir\|mkfile\|mtu\|name\|netfilter\|netfilter6\|netmask\|nice\|noblacklist\|noexec\|nowhitelist\|overlay-named\|private\|private-bin\|private-cwd\|private-etc\|private-home\|private-lib\|private-opt\|private-srv\|read-only\|read-write\|rlimit-as\|rlimit-cpu\|rlimit-fsize\|rlimit-nofile\|rlimit-nproc\|rlimit-sigpending\|timeout\|tmpfs\|veth-name\|whitelist\|xephyr-screen) / skipwhite contained
53	" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c \| grep -vEx '(include\|rlimit\|quiet)' \| sed -e 's/\./\\./' \| sort -u \| tr $'\n' '\|' # include/rlimit are false positives, quiet is special-cased below	53	" Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c \| grep -vEx '(include\|rlimit\|quiet)' \| sed -e 's/\./\\./' \| sort -u \| tr $'\n' '\|' # include/rlimit are false positives, quiet is special-cased below
54	syn match fjCommand /\v(allow-debuggers\|allusers\|apparmor\|caps\|deterministic-exit-code\|deterministic-shutdown\|disable-mnt\|ipc-namespace\|keep-config-pulse\|keep-dev-shm\|keep-var-tmp\|machine-id\|memory-deny-write-execute\|netfilter\|no3d\|noautopulse\|nodbus\|nodvd\|nogroups\|noinput\|nonewprivs\|noroot\|nosound\|notv\|nou2f\|novideo\|overlay\|overlay-tmpfs\|private\|private-cache\|private-cwd\|private-dev\|private-lib\|private-tmp\|seccomp\|seccomp\.32\|seccomp\.block-secondary\|tracelog\|writable-etc\|writable-run-user\|writable-var\|writable-var-log\|x11)$/ contained	54	syn match fjCommand /\v(allow-debuggers\|allusers\|apparmor\|caps\|deterministic-exit-code\|deterministic-shutdown\|disable-mnt\|ipc-namespace\|keep-config-pulse\|keep-dev-shm\|keep-var-tmp\|machine-id\|memory-deny-write-execute\|netfilter\|no3d\|noautopulse\|nodbus\|nodvd\|nogroups\|noinput\|nonewprivs\|noprinters\|noroot\|nosound\|notv\|nou2f\|novideo\|overlay\|overlay-tmpfs\|private\|private-cache\|private-cwd\|private-dev\|private-lib\|private-tmp\|seccomp\|seccomp\.32\|seccomp\.block-secondary\|tracelog\|writable-etc\|writable-run-user\|writable-var\|writable-var-log\|x11)$/ contained
55	syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained	55	syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
56	syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained	56	syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
57	syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained	57	syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained


diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 804869e2a..ca43e5ed9 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc
@@ -40,6 +40,15 @@ blacklist /usr/lib/perl*
40	blacklist /usr/lib64/perl*	40	blacklist /usr/lib64/perl*
41	blacklist /usr/share/perl*	41	blacklist /usr/share/perl*
42		42
		43	# rxvt needs Perl modules, thus does not work. In particular, blacklisting
		44	# it is needed so that Firefox can run applications with Terminal=true in
		45	# their .desktop file (depending on what is installed). The reason is that
		46	# this is done via glib, which currently uses a hardcoded list of terminal
		47	# emulators:
		48	# https://gitlab.gnome.org/GNOME/glib/-/issues/338
		49	# And in this list, rxvt comes before xterm.
		50	blacklist ${PATH}/rxvt
		51
43	# PHP	52	# PHP
44	blacklist ${PATH}/php*	53	blacklist ${PATH}/php*
45	blacklist /usr/lib/php*	54	blacklist /usr/lib/php*


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 02407f54f..ca8820ab6 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -192,6 +192,7 @@ blacklist ${HOME}/.cache/qupzilla
192	blacklist ${HOME}/.cache/qutebrowser	192	blacklist ${HOME}/.cache/qutebrowser
193	blacklist ${HOME}/.cache/rednotebook	193	blacklist ${HOME}/.cache/rednotebook
194	blacklist ${HOME}/.cache/rhythmbox	194	blacklist ${HOME}/.cache/rhythmbox
		195	blacklist ${HOME}/.cache/rpcs3
195	blacklist ${HOME}/.cache/shotwell	196	blacklist ${HOME}/.cache/shotwell
196	blacklist ${HOME}/.cache/simple-scan	197	blacklist ${HOME}/.cache/simple-scan
197	blacklist ${HOME}/.cache/slimjet	198	blacklist ${HOME}/.cache/slimjet
@@ -573,6 +574,7 @@ blacklist ${HOME}/.config/redshift
573	blacklist ${HOME}/.config/redshift.conf	574	blacklist ${HOME}/.config/redshift.conf
574	blacklist ${HOME}/.config/remmina	575	blacklist ${HOME}/.config/remmina
575	blacklist ${HOME}/.config/ristretto	576	blacklist ${HOME}/.config/ristretto
		577	blacklist ${HOME}/.config/rpcs3
576	blacklist ${HOME}/.config/rtv	578	blacklist ${HOME}/.config/rtv
577	blacklist ${HOME}/.config/scribus	579	blacklist ${HOME}/.config/scribus
578	blacklist ${HOME}/.config/scribusrc	580	blacklist ${HOME}/.config/scribusrc


diff --git a/etc/profile-m-z/rpcs3.profile b/etc/profile-m-z/rpcs3.profile new file mode 100644 index 000000000..147afb236 --- /dev/null +++ b/etc/profile-m-z/rpcs3.profile
@@ -0,0 +1,62 @@
		1	# Firejail profile for RPCS3 emulator
		2	# Description: RPCS3 emulator
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include rpcs3.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/rpcs3
		10	noblacklist ${HOME}/.cache/rpcs3
		11	# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
		12	# won't even start.
		13	noblacklist /sbin
		14	noblacklist /usr/sbin
		15
		16	blacklist /usr/libexec
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-exec.inc
		21	include disable-interpreters.inc
		22	include disable-programs.inc # disable if PPU compilation crashes
		23	include disable-shell.inc
		24	include disable-xdg.inc
		25
		26	mkdir ${HOME}/.cache/rpcs3
		27	mkdir ${HOME}/.config/rpcs3
		28	whitelist ${HOME}/.cache/rpcs3
		29	whitelist ${HOME}/.config/rpcs3
		30	whitelist ${DOWNLOADS}
		31	include whitelist-common.inc
		32	include whitelist-run-common.inc
		33	include whitelist-runuser-common.inc
		34	include whitelist-usr-share-common.inc
		35	include whitelist-var-common.inc
		36
		37	apparmor
		38	caps.drop all
		39	net none
		40	netfilter
		41	nodvd
		42	nogroups
		43	#noinput
		44	nonewprivs
		45	noroot
		46	noprinters
		47	notv
		48	nou2f
		49	novideo
		50	protocol unix,netlink
		51	seccomp
		52	seccomp.block-secondary
		53	shell none
		54	tracelog
		55
		56	disable-mnt
		57	#private-cache
		58	#private-etc ca-certificates,crypto-policies,machine-id,pki,resolv.conf,ssl # seems to need awk
		59	private-tmp
		60
		61	dbus-user none
		62	dbus-system none


diff --git a/etc/templates/profile.template b/etc/templates/profile.template index 1a4c8fef9..aefb75c2c 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template
@@ -155,6 +155,7 @@ include globals.local
155	#nogroups	155	#nogroups
156	#noinput	156	#noinput
157	#nonewprivs	157	#nonewprivs
		158	#noprinters
158	#noroot	159	#noroot
159	#nosound	160	#nosound
160	#notv	161	#notv


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index bbbd1e063..e68c04b4c 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -702,6 +702,7 @@ riot-web
702	ripperx	702	ripperx
703	ristretto	703	ristretto
704	rocketchat	704	rocketchat
		705	rpcs3
705	rtorrent	706	rtorrent
706	runenpass.sh	707	runenpass.sh
707	sayonara	708	sayonara


diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 183259f16..24c8e3194 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -161,6 +161,7 @@ static char *usage_str =
161	" --nogroups - disable supplementary groups.\n"	161	" --nogroups - disable supplementary groups.\n"
162	" --noinput - disable input devices.\n"	162	" --noinput - disable input devices.\n"
163	" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"	163	" --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
		164	" --noprinters - disable printers.\n"
164	" --noprofile - do not use a security profile.\n"	165	" --noprofile - do not use a security profile.\n"
165	#ifdef HAVE_USERNS	166	#ifdef HAVE_USERNS
166	" --noroot - install a user namespace with only the current user.\n"	167	" --noroot - install a user namespace with only the current user.\n"


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index e35f2837b..71dab18ba 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -489,6 +489,9 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes
489	cannot acquire new privileges using execve(2); in particular,	489	cannot acquire new privileges using execve(2); in particular,
490	this means that calling a suid binary (or one with file capabilities)	490	this means that calling a suid binary (or one with file capabilities)
491	does not result in an increase of privilege.	491	does not result in an increase of privilege.
		492	.TP
		493	\fBnoprinters
		494	Disable printers.
492	#ifdef HAVE_USERNS	495	#ifdef HAVE_USERNS
493	.TP	496	.TP
494	\fBnoroot	497	\fBnoroot


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 5a005ea5c..80487a49d 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -1635,6 +1635,10 @@ does not result in an increase of privilege. This option
1635	is enabled by default if seccomp filter is activated.	1635	is enabled by default if seccomp filter is activated.
1636		1636
1637	.TP	1637	.TP
		1638	\fB\-\-noprinters
		1639	Disable printers.
		1640
		1641	.TP
1638	\fB\-\-noprofile	1642	\fB\-\-noprofile
1639	Do not use a security profile.	1643	Do not use a security profile.
1640	.br	1644	.br


diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 8c1d758cc..334812dd6 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in
@@ -123,6 +123,7 @@ _firejail_args=(
123	'--nogroups[disable supplementary groups]'	123	'--nogroups[disable supplementary groups]'
124	'--noinput[disable input devices]'	124	'--noinput[disable input devices]'
125	'--nonewprivs[sets the NO_NEW_PRIVS prctl]'	125	'--nonewprivs[sets the NO_NEW_PRIVS prctl]'
		126	'--noprinters[disable printers]'
126	'--nosound[disable sound system]'	127	'--nosound[disable sound system]'
127	'--nou2f[disable U2F devices]'	128	'--nou2f[disable U2F devices]'
128	'--novideo[disable video devices]'	129	'--novideo[disable video devices]'