netblue30 · kmk3 · May 16, 2021 · May 13, 2021 · May 14, 2021
diff --git a/contrib/vim/syntax/firejail.vim b/contrib/vim/syntax/firejail.vim
@@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
@@ -314,7 +314,6 @@ extern int arg_private_cwd;	// private working directory
 extern int arg_scan;		// arp-scan all interfaces
 extern int arg_whitelist;	// whitelist command
 extern int arg_nosound;	// disable sound
-extern int arg_noautopulse; // disable automatic ~/.config/pulse init
 extern int arg_novideo; //disable video devices in /dev
 extern int arg_no3d;		// disable 3d hardware acceleration
 extern int arg_quiet;		// no output for scripting
@@ -323,6 +322,7 @@ extern int arg_join_filesystem;	// join only the mount namespace
 extern int arg_nice;		// nice value configured
 extern int arg_ipc;		// enable ipc namespace
 extern int arg_writable_etc;	// writable etc
+extern int arg_keep_config_pulse;	// disable automatic ~/.config/pulse init
 extern int arg_writable_var;	// writable var
 extern int arg_keep_var_tmp; // don't overwrite /var/tmp
 extern int arg_writable_run_user;	// writable /run/user

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -116,7 +116,6 @@ int arg_private_cwd = 0;			// private working directory
 int arg_scan = 0;				// arp-scan all interfaces
 int arg_whitelist = 0;				// whitelist command
 int arg_nosound = 0;				// disable sound
-int arg_noautopulse = 0;			// disable automatic ~/.config/pulse init
 int arg_novideo = 0;			//disable video devices in /dev
 int arg_no3d;					// disable 3d hardware acceleration
 int arg_quiet = 0;				// no output for scripting
@@ -125,6 +124,7 @@ int arg_join_filesystem = 0;			// join only the mount namespace
 int arg_nice = 0;				// nice value configured
 int arg_ipc = 0;					// enable ipc namespace
 int arg_writable_etc = 0;			// writable etc
+int arg_keep_config_pulse = 0;			// disable automatic ~/.config/pulse init
 int arg_writable_var = 0;			// writable var
 int arg_keep_var_tmp = 0;                       // don't overwrite /var/tmp
 int arg_writable_run_user = 0;			// writable /run/user
@@ -1824,8 +1824,8 @@ int main(int argc, char **argv, char **envp) {
 				exit(1);
 			}
 			arg_noprofile = 1;
-			// force noautopulse in order to keep ~/.config/pulse as is
-			arg_noautopulse = 1;
+			// force keep-config-pulse in order to keep ~/.config/pulse as is
+			arg_keep_config_pulse = 1;
 		}
 		else if (strncmp(argv[i], "--ignore=", 9) == 0) {
 			if (custom_profile) {
@@ -1876,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
 			}
 			arg_writable_etc = 1;
 		}
+		else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+			arg_keep_config_pulse = 1;
+		}
 		else if (strcmp(argv[i], "--writable-var") == 0) {
 			arg_writable_var = 1;
 		}
@@ -2078,7 +2081,7 @@ int main(int argc, char **argv, char **envp) {
 		else if (strcmp(argv[i], "--nosound") == 0)
 			arg_nosound = 1;
 		else if (strcmp(argv[i], "--noautopulse") == 0)
-			arg_noautopulse = 1;
+			arg_keep_config_pulse = 1;
 		else if (strcmp(argv[i], "--novideo") == 0)
 			arg_novideo = 1;
 		else if (strcmp(argv[i], "--no3d") == 0)

diff --git a/src/firejail/profile.c b/src/firejail/profile.c
@@ -423,7 +423,7 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		return 0;
 	}
 	else if (strcmp(ptr, "noautopulse") == 0) {
-		arg_noautopulse = 1;
+		arg_keep_config_pulse = 1;
 		return 0;
 	}
 	else if (strcmp(ptr, "notv") == 0) {
@@ -1143,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_machineid = 1;
 		return 0;
 	}
+
+	if (strcmp(ptr, "keep-config-pulse") == 0) {
+		arg_keep_config_pulse = 1;
+		return 0;
+	}
+
 	// writable-var
 	if (strcmp(ptr, "writable-var") == 0) {
 		arg_writable_var = 1;

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
@@ -1015,7 +1015,7 @@ int sandbox(void* sandbox_arg) {
 		// disable /dev/snd
 		fs_dev_disable_sound();
 	}
-	else if (!arg_noautopulse)
+	else if (!arg_keep_config_pulse)
 		pulseaudio_init();
 
 	if (arg_no3d)

diff --git a/src/firejail/usage.c b/src/firejail/usage.c
@@ -114,7 +114,8 @@ static char *usage_str =
 	"    --join-network=name|pid - join the network namespace.\n"
 #endif
 	"    --join-or-start=name|pid - join the sandbox or start a new one.\n"
-        "    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+	"    --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
+	"    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
 	"    --keep-var-tmp - /var/tmp directory is untouched.\n"
 	"    --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
@@ -271,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
@@ -718,9 +722,8 @@ name browser
 \fBno3d
 Disable 3D hardware acceleration.
 .TP
-\fBnoautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
+\fBnoautopulse \fR(deprecated)
+See keep-config-pulse.
 .TP
 \fBnodvd
 Disable DVD and audio CD devices.

diff --git a/src/man/firejail.txt b/src/man/firejail.txt
@@ -1051,6 +1051,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 .br
 Note that in contrary to other join options there is respective profile option.
 
+.TP
+\fB\-\-keep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-keep-config-pulse firefox
+
 .TP
 \fB\-\-keep-dev-shm
 /dev/shm directory is untouched (even with --private-dev)
@@ -1460,15 +1471,8 @@ Example:
 $ firejail --no3d firefox
 
 .TP
-\fB\-\-noautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noautopulse firefox
+\fB\-\-noautopulse \fR(deprecated)
+See --keep-config-pulse.
 
 .TP
 \fB\-\-noblacklist=dirname_or_filename

diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
@@ -98,6 +98,7 @@ _firejail_args=(
     '*--ignore=-[ignore command in profile files]: :'
     '--ipc-namespace[enable a new IPC namespace]'
     '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+    '--keep-config-pulse[disable automatic ~/.config/pulse init]'
     '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
     '--keep-var-tmp[/var/tmp directory is untouched]'
     '--machine-id[preserve /etc/machine-id]'