From 1271645da968d5147a784a4e8e5bcf6593947065 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Wed, 5 Jan 2022 18:31:12 -0300 Subject: noprinters: add missing items from new command checklist See CONTRIBUTING.md. The changes are based on what was done on commit 5a612029b ("rename noautopulse to keep-config-pulse", 2021-05-13) / PR #4278. This amends commit bd15e763e ("--noprinter option", 2021-10-20) and commit d9403dcdc ("small fix", 2021-10-20). Relates to #4607.
---
 contrib/vim/syntax/firejail.vim | 2 +-
 src/firejail/usage.c | 1 +
 src/man/firejail-profile.txt | 3 +++
 src/man/firejail.txt | 4 ++++
 src/zsh_completion/_firejail.in | 1 +
 5 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
index bcaa85a9c..57c7b371d 100644
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@@ -51,7 +51,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-cwd|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allow-debuggers|allusers|apparmor|caps|deterministic-exit-code|deterministic-shutdown|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noprinters|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-cwd|private-dev|private-lib|private-tmp|seccomp|seccomp\.32|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index b993cb80c..d74840441 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -161,6 +161,7 @@ static char *usage_str =
 " --nogroups - disable supplementary groups.\n"
 " --noinput - disable input devices.\n"
 " --nonewprivs - sets the NO_NEW_PRIVS prctl.\n"
+ " --noprinters - disable printers.\n"
 " --noprofile - do not use a security profile.\n"
 #ifdef HAVE_USERNS
 " --noroot - install a user namespace with only the current user.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e35f2837b..71dab18ba 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -489,6 +489,9 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes cannot acquire
 new privileges using execve(2); in particular, this means that calling a suid binary (or one with file capabilities) does not result in an increase of privilege.
+.TP
+\fBnoprinters
+Disable printers.
 #ifdef HAVE_USERNS
 .TP
 \fBnoroot
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index b366fed7c..4fa20c70f 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
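Review bot: The new usage line `" --noprinters - disable printers.\n"` names a restriction but not what it restricts, while the neighbouring entries say how they work (`sets the NO_NEW_PRIVS prctl`, `disable supplementary groups`), and the same bare "Disable printers." is what the firejail-profile.txt and firejail.txt hunks add, so a reader cannot tell whether this is a path blacklist, a device restriction or a namespace change. For a sandbox option that distinction decides whether it is sufficient for a given threat, so I would spell the mechanism out in the two man pages and keep usage.c and the zsh completion short but accurate, e.g. `\fBnoprinters` / `Disable access to printers (<what is actually denied — confirm against the implementation, which is outside this diff>).`. The usage_str definition starts before and ends after this hunk.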
@@ -1633,6 +1633,10 @@ this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
 This option is enabled by default if seccomp filter is activated.
 
+.TP
+\fB\-\-noprinters
+Disable printers.
+
 .TP
 \fB\-\-noprofile
 Do not use a security profile.
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 8c1d758cc..334812dd6 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -123,6 +123,7 @@ _firejail_args=(
 '--nogroups[disable supplementary groups]'
 '--noinput[disable input devices]'
 '--nonewprivs[sets the NO_NEW_PRIVS prctl]'
+ '--noprinters[disable printers]'
 '--nosound[disable sound system]'
 '--nou2f[disable U2F devices]'
 '--novideo[disable video devices]'
-- cgit v1.2.3-70-g09d2