From cc8b019b5debfa1d67043f8448e54a66f5d2c2e6 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Tue, 3 Feb 2026 11:41:34 -0500
Subject: [PATCH] --keep-hostname part 1 (#7048)

---
 contrib/syntax/lists/profile_commands_arg0.list | 1 +
 src/firejail/firejail.h | 1 +
 src/firejail/fs_hostname.c | 4 ++++
 src/firejail/main.c | 12 ++++++++++++
 src/firejail/profile.c | 12 ++++++++++++
 src/firejail/sandbox.c | 4 +++-
 6 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/contrib/syntax/lists/profile_commands_arg0.list b/contrib/syntax/lists/profile_commands_arg0.list
index e881ad7ed..9fed09678 100644
--- a/contrib/syntax/lists/profile_commands_arg0.list
+++ b/contrib/syntax/lists/profile_commands_arg0.list
@@ -13,6 +13,7 @@ keep-config-pulse
 keep-dev-ntsync
 keep-dev-shm
 keep-dev-tpm
+keep-hostname
 keep-shell-rc
 keep-var-tmp
 landlock.enforce
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 8ce0ed4f4..2bec9c840 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -375,6 +375,7 @@ extern int arg_netlock; // netlocker
 extern int arg_restrict_namespaces;
 extern int arg_allow_bwrap;
 extern int arg_unhide_pid1;
+extern int arg_keep_hostname;

 typedef enum {
 DBUS_POLICY_ALLOW, // Allow unrestricted access to the bus
diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 015d01577..172f01039 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -26,6 +26,8 @@

 // build a random host name
 static char *random_hostname(void) {
+ assert(!arg_keep_hostname);
+
 char vowels[] = { 'a', 'e', 'i', 'o', 'u'};
 char consonants[] = {'b', 'c', 'c', 'c', 'g', 'h', 'h', 'h', 'h', 'h', 'j', 'j', 'k', 'k', 'k', 'k', 'k', 'k', 'k', 'k', 'k', 'k', 'm', 'm', 'm', 'm', 'n', 'n', 'n', 'n', 'n',
@@ -53,6 +55,8 @@ static char *random_hostname(void) {
 }

 void fs_hostname(void) {
+ assert(!arg_keep_hostname);
+
 if (!cfg.hostname)
 cfg.hostname = random_hostname();
 struct stat s;
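Review bot: The `assert(!arg_keep_hostname)` added at the top of random_hostname() and fs_hostname() is compiled out under NDEBUG, so it documents the invariant rather than enforcing it; the effective control is the `if (!arg_keep_hostname)` guard around the fs_hostname() call in sandbox.c. That is acceptable for an internal contract, but it is worth saying so where the assert sits, e.g. `// contract: sandbox.c skips this call when --keep-hostname is set; the assert only checks it` above the assert in fs_hostname(). Since random_hostname() is static and, as far as this hunk shows, reached only through fs_hostname(), the second assert in random_hostname() appears redundant with the first. Both functions continue outside the hunk.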
diff --git a/src/firejail/main.c b/src/firejail/main.c
index f8025b3a9..390cfb4a8 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -171,6 +171,7 @@ int arg_netlock = 0;
 int arg_restrict_namespaces = 0;
 int arg_allow_bwrap = 0;
 int arg_unhide_pid1 = 0;
+int arg_keep_hostname = 0;

 int parent_to_child_fds[2];
 int child_to_parent_fds[2];
@@ -2118,6 +2119,10 @@ int main(int argc, char **argv, char **envp) {
 }
 }
 else if (strncmp(argv[i], "--hostname=", 11) == 0) {
+ if (arg_keep_hostname) {
+ fprintf(stderr, "Error: hostname and keep-hostname are mutually exclusive\n");
+ exit(1);
+ }
 cfg.hostname = argv[i] + 11;
 if (strlen(cfg.hostname) == 0) {
 fprintf(stderr, "Error: invalid hostname: cannot be empty\n");
@@ -2317,6 +2322,13 @@ int main(int argc, char **argv, char **envp) {
 #endif
 else if (strcmp(argv[i], "--unhide-pid1") == 0)
 arg_unhide_pid1 = 1;
+ else if (strcmp(argv[i], "--keep-hostname") == 0) {
+ if (cfg.hostname) {
+ fprintf(stderr, "Error: hostname and keep-hostname are mutually exclusive\n");
+ exit(1);
+ }
+ arg_keep_hostname = 1;
+ }

 //*************************************
 // network
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index e916122cd..190f3033a 100644
--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -1205,6 +1205,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {

 // hostname
 if (strncmp(ptr, "hostname ", 9) == 0) {
+ if (arg_keep_hostname) {
+ fprintf(stderr, "Error: hostname and keep-hostname are mutually exclusive\n");
+ exit(1);
+ }
 cfg.hostname = ptr + 9;
 if (strlen(cfg.hostname) == 0) {
 fprintf(stderr, "Error: invalid hostname: cannot be empty\n");
@@ -1216,6 +1220,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 return 0;
 }
+ if (strncmp(ptr, "keep-hostname", 13) == 0) {
+ if (cfg.hostname) {
+ fprintf(stderr, "Error: hostname and keep-hostname are mutually exclusive\n");
+ exit(1);
+ }
+ arg_keep_hostname = 1;
+ return 0;
+ }

 // hosts-file
 if (strncmp(ptr, "hosts-file ", 11) == 0) {
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 6105cedd1..13ffc3a9b 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -681,6 +681,7 @@ int sandbox(void* sandbox_arg) {
 // set hostname
 //****************************
 if (cfg.hostname) {
+ assert(arg_keep_hostname == 0);
 if (sethostname(cfg.hostname, strlen(cfg.hostname)) < 0)
 errExit("sethostname");
 }
@@ -988,7 +989,8 @@ int sandbox(void* sandbox_arg) {
 //****************************
 // hosts and hostname
 //****************************
- fs_hostname();
+ if (!arg_keep_hostname)
+ fs_hostname();

 //****************************
 // /etc overrides from the network namespace
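Review bot: The new profile keyword is matched with `strncmp(ptr, "keep-hostname", 13) == 0`, a prefix match that also accepts lines such as `keep-hostnamexyz`, while the command-line side in main.c uses an exact `strcmp(argv[i], "--keep-hostname") == 0`. The keyword takes no argument, so `if (strcmp(ptr, "keep-hostname") == 0) {` is the exact check and keeps the two parsers consistent; the `strncmp` form with a trailing space is what the neighbouring `hostname ` and `hosts-file ` handlers use precisely because they do take an argument. The block is also inserted directly after the closing `}` of the hostname handler without the blank line and `// keep-hostname` comment that the surrounding keywords carry. profile_check_line() continues on both sides of the hunk.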
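Review bot: Guarding the whole fs_hostname() call with `if (!arg_keep_hostname)` skips more than the hostname: the section header directly above reads `// hosts and hostname`, and the visible start of fs_hostname() only fills in cfg.hostname, so the rest of that function presumably builds the sandbox's /etc/hosts and may also carry the `hosts-file` handling that profile.c parses right next to `keep-hostname`. If that is the case, a profile combining `keep-hostname` with `hosts-file` would silently lose its hosts file; moving the guard inside fs_hostname() around the hostname-specific part, or rejecting the combination at parse time the way `hostname` is rejected, would close that gap. The earlier hunk's `assert(arg_keep_hostname == 0)` inside `if (cfg.hostname)` relies on the parse-time exclusion and is fine as an invariant. sandbox() continues on both sides of the hunk.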