rename noautopulse to keep-config-pulse

Changes: * add the keep-config-pulse option * make noautopulse an alias for keep-config-pulse * deprecate the noautopulse option * misc: fix indentation of --keep-dev-shm on src/firejail/usage.c Even though noautopulse is not intended for hardening, it looks like it is, because it starts with "no", just like no3d, noroot, etc). In fact, it is the only "no" option that differs in such a way. And it has been accidentally misused as such before; see PR #4269 and commit e4beaeaa8 ("drop noautopulse from agetpkg"). So effectively rename it to keep-config-pulse in order to avoid confusion. This is similar to the keep-var-tmp and keep-dev-shm options, which are used to "leave a path alone", just like noautopulse. Note: The changes on this patch are based on the ones from commit 617ff40c9 ("add --noautopulse arg for complex pulse setups") / PR #1854. See #4269 for the discussion.
2026-05-15 14:16:14 -06:00 · 2021-05-13 20:39:21 -03:00 · 2021-05-13 20:39:21 -03:00 · 5a612029b6
commit 5a612029b6
parent c9e7fe8ab3
7 changed files with 32 additions and 14 deletions
--- a/contrib/vim/syntax/firejail.vim
+++ b/contrib/vim/syntax/firejail.vim
@ -49,7 +49,7 @@ syn match fjVar /\v\$\{(CFG|DESKTOP|DOCUMENTS|DOWNLOADS|HOME|MUSIC|PATH|PICTURES
 " Generate list with: { rg -o 'strn?cmp\(ptr, "([^"]+) "' -r '$1' src/firejail/profile.c; echo private-lib; } | grep -vEx '(include|ignore|caps\.drop|caps\.keep|protocol|seccomp|seccomp\.drop|seccomp\.keep|env|rmenv|net|ip)' | sort -u | tr $'\n' '|' # private-lib is special-cased in the code and doesn't match the regex; grep-ed patterns are handled later with 'syn match nextgroup=' directives (except for include which is special-cased as a fjCommandNoCond keyword)
 syn match fjCommand /\v(bind|blacklist|blacklist-nolog|cgroup|cpu|defaultgw|dns|hostname|hosts-file|ip6|iprange|join-or-start|mac|mkdir|mkfile|mtu|name|netfilter|netfilter6|netmask|nice|noblacklist|noexec|nowhitelist|overlay-named|private|private-bin|private-etc|private-home|private-lib|private-opt|private-srv|read-only|read-write|rlimit-as|rlimit-cpu|rlimit-fsize|rlimit-nofile|rlimit-nproc|rlimit-sigpending|timeout|tmpfs|veth-name|whitelist|xephyr-screen) / skipwhite contained
 " Generate list with: rg -o 'strn?cmp\(ptr, "([^ "]*[^ ])"' -r '$1' src/firejail/profile.c | grep -vEx '(include|rlimit|quiet)' | sed -e 's/\./\\./' | sort -u | tr $'\n' '|' # include/rlimit are false positives, quiet is special-cased below
-syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
+syn match fjCommand /\v(allusers|apparmor|caps|disable-mnt|ipc-namespace|keep-config-pulse|keep-dev-shm|keep-var-tmp|machine-id|memory-deny-write-execute|netfilter|no3d|noautopulse|nodbus|nodvd|nogroups|noinput|nonewprivs|noroot|nosound|notv|nou2f|novideo|overlay|overlay-tmpfs|private|private-cache|private-dev|private-lib|private-tmp|seccomp|seccomp\.block-secondary|tracelog|writable-etc|writable-run-user|writable-var|writable-var-log|x11)$/ contained
 syn match fjCommand /ignore / nextgroup=fjCommand,fjCommandNoCond skipwhite contained
 syn match fjCommand /caps\.drop / nextgroup=fjCapability,fjAll skipwhite contained
 syn match fjCommand /caps\.keep / nextgroup=fjCapability skipwhite contained
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@ -1876,6 +1876,9 @@ int main(int argc, char **argv, char **envp) {
 			}
 			arg_writable_etc = 1;
 		}
+		else if (strcmp(argv[i], "--keep-config-pulse") == 0) {
+			arg_noautopulse = 1;
+		}
 		else if (strcmp(argv[i], "--writable-var") == 0) {
 			arg_writable_var = 1;
 		}
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@ -1143,6 +1143,12 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 		arg_machineid = 1;
 		return 0;
 	}
+
+	if (strcmp(ptr, "keep-config-pulse") == 0) {
+		arg_noautopulse = 1;
+		return 0;
+	}
+
 	// writable-var
 	if (strcmp(ptr, "writable-var") == 0) {
 		arg_writable_var = 1;
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@ -114,7 +114,8 @@ static char *usage_str =
 	"    --join-network=name|pid - join the network namespace.\n"
 #endif
 	"    --join-or-start=name|pid - join the sandbox or start a new one.\n"
-        "    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
+	"    --keep-config-pulse - disable automatic ~/.config/pulse init.\n"
+	"    --keep-dev-shm - /dev/shm directory is untouched (even with --private-dev).\n"
 	"    --keep-var-tmp - /var/tmp directory is untouched.\n"
 	"    --list - list all sandboxes.\n"
 #ifdef HAVE_FILE_TRANSFER
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@ -271,6 +271,10 @@ Mount-bind file1 on top of file2. This option is only available when running as
 \fBdisable-mnt
 Disable /mnt, /media, /run/mount and /run/media access.
 .TP
+\fBkeep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.TP
 \fBkeep-dev-shm
 /dev/shm directory is untouched (even with private-dev).
 .TP
@ -718,9 +722,8 @@ name browser
 \fBno3d
 Disable 3D hardware acceleration.
 .TP
-\fBnoautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
+\fBnoautopulse \fR(deprecated)
+See keep-config-pulse.
 .TP
 \fBnodvd
 Disable DVD and audio CD devices.
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@ -1051,6 +1051,17 @@ Same as "firejail --join=name" if sandbox with specified name exists, otherwise
 .br
 Note that in contrary to other join options there is respective profile option.

+.TP
+\fB\-\-keep-config-pulse
+Disable automatic ~/.config/pulse init, for complex setups such as remote
+pulse servers or non-standard socket paths.
+.br
+
+.br
+Example:
+.br
+$ firejail \-\-keep-config-pulse firefox
+
 .TP
 \fB\-\-keep-dev-shm
 /dev/shm directory is untouched (even with --private-dev)
@ -1460,15 +1471,8 @@ Example:
 $ firejail --no3d firefox

 .TP
-\fB\-\-noautopulse
-Disable automatic ~/.config/pulse init, for complex setups such as remote
-pulse servers or non-standard socket paths.
-.br
-
-.br
-Example:
-.br
-$ firejail \-\-noautopulse firefox
+\fB\-\-noautopulse \fR(deprecated)
+See --keep-config-pulse.

 .TP
 \fB\-\-noblacklist=dirname_or_filename
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@ -98,6 +98,7 @@ _firejail_args=(
    '*--ignore=-[ignore command in profile files]: :'
    '--ipc-namespace[enable a new IPC namespace]'
    '--join-or-start=-[join the sandbox or start a new one name|pid]: :_all_firejails'
+    '--keep-config-pulse[disable automatic ~/.config/pulse init]'
    '--keep-dev-shm[/dev/shm directory is untouched (even with --private-dev)]'
    '--keep-var-tmp[/var/tmp directory is untouched]'
    '--machine-id[preserve /etc/machine-id]'