--profile=FILE rework (#6896)

src/firejail/main.c

@@ -1800,7 +1800,6 @@ int main(int argc, char **argv, char **envp) {
 		}
 		else if (strncmp(argv[i], "--profile=", 10) == 0) {
 			// multiple profile files are allowed!
-
 			if (arg_noprofile) {
 				fprintf(stderr, "Error: --noprofile and --profile options are mutually exclusive\n");
 				exit(1);
@@ -1813,21 +1812,31 @@ int main(int argc, char **argv, char **envp) {
 			// checking for strange chars in the file name, no globbing
 			invalid_filename(ppath, 0);
 
-			if (*ppath == ':' || access(ppath, R_OK) || is_dir(ppath)) {
-				int has_colon = (*ppath == ':');
+			// is this a file path?
+			if (*ppath == '/' ||
+			    strncmp(ppath, "~/", 2) == 0 ||
+			    strncmp(ppath, "./", 2) == 0 ||
+			    strncmp(ppath, "../", 3) == 0) {
+				if (access(ppath, R_OK)) {
+					fprintf(stderr, "Error: inaccessible profile file: %s\n", ppath);
+					exit(1);
+				}
+				profile_read(ppath);
+				custom_profile = 1;
+			}
+			// or an application name?
+			else {
 				char *ptr = ppath;
 				while (*ptr != '/' && *ptr != '.' && *ptr != '\0')
 					ptr++;
 				// profile path contains no / or . chars,
-				// assume its a profile name
+				// for example firefox will be ok, firefox.profile will fail
 				if (*ptr != '\0') {
-					fprintf(stderr, "Error: inaccessible profile file: %s\n", ppath);
+					fprintf(stderr, "Error: %s is not an application name.\n", ppath);
 					exit(1);
 				}
 
-				// profile was not read in previously, try to see if
-				// we were given a profile name.
-				if (!profile_find_firejail(ppath + has_colon, 1)) {
+				if (!profile_find_firejail(ppath, 1)) {
 					// do not fall through to default profile,
 					// because the user should be notified that
 					// given profile arg could not be used.
@@ -1837,10 +1846,6 @@ int main(int argc, char **argv, char **envp) {
 				else
 					custom_profile = 1;
 			}
-			else {
-				profile_read(ppath);
-				custom_profile = 1;
-			}
 			free(ppath);
 		}
 		else if (strcmp(argv[i], "--noprofile") == 0) {

src/man/firejail.1.in

@@ -88,12 +88,9 @@ system directories mounted read-only. These directories are /etc, /var, /usr, /b
 /libx32 and /lib64. Only /home and /tmp are writable.
 .PP
 Upon execution Firejail first looks in ~/.config/firejail/ for a profile and if it doesn't find one, it looks in /etc/firejail/.
-For profile resolution detail see
-.UR https://github.com/netblue30/firejail/wiki/Creating-Profiles#locations-and-types
-.UE .
 If an appropriate profile is not found, Firejail will use a default profile.
 The default profile is quite restrictive. In case the application doesn't work, use --noprofile option
-to disable it. For more information, please see \fBSECURITY PROFILES\fR section below.
+to disable it.
 .PP
 If a program argument is not specified, Firejail starts the user's preferred shell.
 Examples:
@@ -2406,15 +2403,68 @@ drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
 .br
 
 .TP
-\fB\-\-profile=filename_or_profilename
-Load a custom security profile from filename. For filename use an absolute path or a path relative to the current path.
-For more information, see \fBSECURITY PROFILES\fR section below.
+\fB\-\-profile=filename|appname
+Load a custom security profile from filename, or use the name of a specific application.
+.br
+
+.br
+If the command line option --profile is not provided, Firejail will attempt to extract the appname
+from the target program filename. It will then search ~/.config/firejail directory for a suitable profile,
+followed by a search in /etc/firejail/directory.
 .br
 
 .br
 Example:
 .br
-$ firejail \-\-profile=myprofile
+$ firejail firefox
+.br
+Reading profile /home/netblue/.config/firejail/firefox.profile
+.br
+Reading profile /etc/firejail/firefox.profile
+.br
+Reading profile /etc/firejail/firefox-common.profile
+.br
+[...]
+.br
+
+.br
+When using a filename, please include a full path or a relative path.
+.br
+
+.br
+$ firejail --profile=./firefox.profile firefox
+.br
+Reading profile ./firefox.profile
+.br
+Reading profile /etc/firejail/firefox.profile
+.br
+Reading profile /etc/firejail/firefox-common.profile
+.br
+[...]
+.br
+
+.br
+--profile=appname comes in handy when running appimages:
+.br
+
+.br
+$ firejail --appimage --profile=firefox firefox-nightly-148.0.r20260103-x86_64.AppImage
+.br
+Reading profile /home/netblue/.config/firejail/firefox.profile
+.br
+Reading profile /etc/firejail/firefox.profile
+.br
+Reading profile /etc/firejail/firefox-common.profile
+.br
+[...]
+.br
+
+.br
+See \fBman 5 firejail-profile\fR for profile file syntax information.
+For  profile resolution  details see
+.UR
+https://github.com/netblue30/firejail/wiki/Creating-Profiles.
+.UE
 
 .TP
 \fB\-\-profile.print=name|pid
@@ -3792,73 +3842,6 @@ adduser \-\-shell /usr/bin/firejail username
 
 Additional arguments passed to firejail executable upon login are declared in /etc/firejail/login.users file.
 
-.SH SECURITY PROFILES
-Several command line options can be passed to the program using
-profile files. Firejail chooses the profile file as follows:
-
-1. If a profile file is provided by the user with --profile=FILE option, the profile FILE is loaded. If a profile name is given, it is searched for first in the ~/.config/firejail directory and if not found then in /etc/firejail directory. Profile names do not include the .profile suffix. If there is a file with the same name as the given profile name, it will be used instead of doing the profile search. To force a profile search, prefix the profile name with a colon (:), eg. --profile=:PROFILE_NAME.
-Example:
-.PP
-.RS
-$ firejail --profile=/home/netblue/icecat.profile /usr/bin/icecat
-.br
-Reading profile /home/netblue/icecat.profile
-.br
-[...]
-.RE
-
-.PP
-.RS
-$ firejail --profile=icecat /usr/bin/icecat-wrapper.sh
-.br
-Reading profile /etc/firejail/icecat.profile
-.br
-[...]
-.RE
-
-2. If a profile file with the same name as the application is present in ~/.config/firejail directory or
-in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
-.PP
-.RS
-$ firejail /usr/bin/icecat
-.br
-Command name #icecat#
-.br
-Found icecat profile in /home/netblue/.config/firejail directory
-.br
-Reading profile /home/netblue/.config/firejail/icecat.profile
-.br
-[...]
-.RE
-
-3. Use default.profile file if the sandbox
-is started by a regular user, or server.profile file if the sandbox
-is started by root. Firejail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory.
-To disable default profile loading, use --noprofile command option. Example:
-.PP
-.RS
-$ firejail
-.br
-Reading profile /etc/firejail/default.profile
-.br
-Parent pid 8553, child pid 8554
-.br
-Child process initialized
-.br
-[...]
-.br
-
-.br
-$ firejail \-\-noprofile
-.br
-Parent pid 8553, child pid 8554
-.br
-Child process initialized
-.br
-[...]
-.RE
-
-See \fBman 5 firejail-profile\fR for profile file syntax information.
 #ifdef HAVE_NETWORK
 .SH TRAFFIC SHAPING
 Network bandwidth is an expensive resource shared among all sandboxes running on a system.

test/capabilities/caps.exp

@@ -56,7 +56,7 @@ expect {
 }
 after 500
 
-send -- "firejail --profile=caps1.profile --debug ls\r"
+send -- "firejail --profile=./caps1.profile --debug ls\r"
 expect {
 	timeout {puts "TESTING ERROR 11\n";exit}
 	"Drop CAP_SYS_MODULE"
@@ -74,7 +74,7 @@ after 500
 
 ## tofix: possible problem with caps.keep in profile files
 ##send -- "firejail --caps.keep=chown,fowner --noprofile\r"
-#send -- "firejail --profile=caps2.profile\r"
+#send -- "firejail --profile=./caps2.profile\r"
 #expect {
 #	timeout {puts "TESTING ERROR 15\n";exit}
 #	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -94,7 +94,7 @@ after 500
 #sleep 1
 
 #send -- "firejail --caps.drop=chown,dac_override,dac_read_search,fowner --noprofile\r"
-send -- "firejail --profile=caps3.profile cat /proc/self/status\r"
+send -- "firejail --profile=./caps3.profile cat /proc/self/status\r"
 expect {
 	timeout {puts "TESTING ERROR 18\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/environment/dns.exp

@@ -82,7 +82,7 @@ send -- "exit\r"
 sleep 1
 
 
-send -- "firejail --profile=dns.profile\r"
+send -- "firejail --profile=./dns.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 5.1\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/environment/env.exp

@@ -34,7 +34,7 @@ send -- "exit\r"
 after 100
 
 #***********************************************
-send -- "firejail --profile=env.profile\r"
+send -- "firejail --profile=./env.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 4\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/environment/nice.exp

@@ -36,7 +36,7 @@ sleep 1
 send -- "exit\r"
 after 100
 
-send -- "firejail --profile=nice.profile\r"
+send -- "firejail --profile=./nice.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 10\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/environment/rlimit-bad-profile.exp

@@ -7,41 +7,41 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --profile=rlimit-bad-as.profile\r"
+send -- "firejail --profile=./rlimit-bad-as.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	"invalid rlimit-as:"
 }
 after 100
 
-send -- "firejail --profile=rlimit-bad-cpu.profile\r"
+send -- "firejail --profile=./rlimit-bad-cpu.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	"invalid rlimit-cpu:"
 }
 after 100
 
-send -- "firejail --profile=rlimit-bad-fsize.profile\r"
+send -- "firejail --profile=./rlimit-bad-fsize.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 2\n";exit}
 	"invalid rlimit-fsize:"
 }
 after 100
 
-send -- "firejail --profile=rlimit-bad-nofile.profile\r"
+send -- "firejail --profile=./rlimit-bad-nofile.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 3\n";exit}
 	"invalid rlimit-nofile:"
 }
 after 100
 
-send -- "firejail --profile=rlimit-bad-nproc.profile\r"
+send -- "firejail --profile=./rlimit-bad-nproc.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 4\n";exit}
 	"invalid rlimit-nproc:"
 }
 after 100
-send -- "firejail --profile=rlimit-bad-sigpending.profile\r"
+send -- "firejail --profile=./rlimit-bad-sigpending.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
 	"invalid rlimit-sigpending:"

test/environment/rlimit-profile.exp

@@ -8,7 +8,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --profile=rlimit.profile\r"
+send -- "firejail --profile=./rlimit.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/environment/sound.exp

@@ -36,7 +36,7 @@ expect {
 sleep 2
 
 
-send -- "firejail --profile=sound.profile speaker-test\r"
+send -- "firejail --profile=./sound.profile speaker-test\r"
 expect {
 	timeout {puts "TESTING ERROR 11\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -47,7 +47,7 @@ expect {
 }
 sleep 2
 
-send -- "firejail --profile=sound.profile aplay -l\r"
+send -- "firejail --profile=./sound.profile aplay -l\r"
 expect {
 	timeout {puts "TESTING ERROR 13\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/fs/macro.exp

@@ -8,7 +8,7 @@ spawn $env(SHELL)
 match_max 100000
 
 
-send -- "firejail --profile=macro-whitelist.profile ls ~\r"
+send -- "firejail --profile=./macro-whitelist.profile ls ~\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -39,7 +39,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-blacklist.profile ls ~/Desktop\r"
+send -- "firejail --profile=./macro-blacklist.profile ls ~/Desktop\r"
 expect {
 	timeout {puts "TESTING ERROR 7\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -50,7 +50,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-blacklist.profile ls ~/Documents\r"
+send -- "firejail --profile=./macro-blacklist.profile ls ~/Documents\r"
 expect {
 	timeout {puts "TESTING ERROR 9n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -61,7 +61,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-blacklist.profile ls ~/Downloads\r"
+send -- "firejail --profile=./macro-blacklist.profile ls ~/Downloads\r"
 expect {
 	timeout {puts "TESTING ERROR 11n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -72,7 +72,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-blacklist.profile ls ~/Music\r"
+send -- "firejail --profile=./macro-blacklist.profile ls ~/Music\r"
 expect {
 	timeout {puts "TESTING ERROR 13\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -83,7 +83,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-blacklist.profile ls ~/Pictures\r"
+send -- "firejail --profile=./macro-blacklist.profile ls ~/Pictures\r"
 expect {
 	timeout {puts "TESTING ERROR 15\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -94,7 +94,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-blacklist.profile ls ~/Videos\r"
+send -- "firejail --profile=./macro-blacklist.profile ls ~/Videos\r"
 expect {
 	timeout {puts "TESTING ERROR 17\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -105,7 +105,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-readonly.profile touch ~/Desktop/blablabla\r"
+send -- "firejail --profile=./macro-readonly.profile touch ~/Desktop/blablabla\r"
 expect {
 	timeout {puts "TESTING ERROR 19\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -116,7 +116,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-readonly.profile touch ~/Documents/blablabla\r"
+send -- "firejail --profile=./macro-readonly.profile touch ~/Documents/blablabla\r"
 expect {
 	timeout {puts "TESTING ERROR 21\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -127,7 +127,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-readonly.profile touch ~/Downloads/blablabla\r"
+send -- "firejail --profile=./macro-readonly.profile touch ~/Downloads/blablabla\r"
 expect {
 	timeout {puts "TESTING ERROR 23\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -138,7 +138,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-readonly.profile touch ~/Music/blablabla\r"
+send -- "firejail --profile=./macro-readonly.profile touch ~/Music/blablabla\r"
 expect {
 	timeout {puts "TESTING ERROR 25\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -149,7 +149,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-readonly.profile touch ~/Pictures/blablabla\r"
+send -- "firejail --profile=./macro-readonly.profile touch ~/Pictures/blablabla\r"
 expect {
 	timeout {puts "TESTING ERROR 27\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -160,7 +160,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=macro-readonly.profile touch ~/Videos/blablabla\r"
+send -- "firejail --profile=./macro-readonly.profile touch ~/Videos/blablabla\r"
 expect {
 	timeout {puts "TESTING ERROR 29\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/fs/mkdir.exp

@@ -10,7 +10,7 @@ match_max 100000
 send -- "rm -fr ~/_firejail_test_dir\r"
 after 100
 
-send -- "firejail --profile=mkdir.profile find ~/_firejail_test_dir\r"
+send -- "firejail --profile=./mkdir.profile find ~/_firejail_test_dir\r"
 expect {
 	timeout {puts "TESTING ERROR 1.1\n";exit}
 	"_firejail_test_dir/_firejail_test_file"
@@ -18,7 +18,7 @@ expect {
 send -- "rm -rf ~/_firejail_test_dir\r"
 after 100
 
-send -- "firejail --profile=mkdir.profile find /tmp/_firejail_test_dir\r"
+send -- "firejail --profile=./mkdir.profile find /tmp/_firejail_test_dir\r"
 expect {
 	timeout {puts "TESTING ERROR 2.1\n";exit}
 	"_firejail_test_dir/_firejail_test_file"
@@ -29,7 +29,7 @@ after 100
 set UID [exec id -u]
 set fexist [file exist /run/user/$UID]
 if { $fexist } {
-	send -- "firejail --profile=mkdir.profile find /run/user/$UID/_firejail_test_dir\r"
+	send -- "firejail --profile=./mkdir.profile find /run/user/$UID/_firejail_test_dir\r"
 	expect {
 		timeout {puts "TESTING ERROR 3.1\n";exit}
 		"_firejail_test_dir/_firejail_test_file"
@@ -38,7 +38,7 @@ if { $fexist } {
 	after 100
 
 
-	send -- "firejail --profile=mkdir2.profile\r"
+	send -- "firejail --profile=./mkdir2.profile\r"
 	expect {
 		timeout {puts "TESTING ERROR 4\n";exit}
 		"only files or directories in user home, /tmp, or /run/user/<UID>"

test/fs/mkdir_mkfile.exp

@@ -9,7 +9,7 @@ match_max 100000
 
 
 # testing profile and private
-send -- "firejail --private --profile=mkdir_mkfile.profile\r"
+send -- "firejail --private --profile=./mkdir_mkfile.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -45,7 +45,7 @@ after 100
 send -- "exit\r"
 after 100
 
-send -- "firejail --profile=mkfile.profile\r"
+send -- "firejail --profile=./mkfile.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 7\n";exit}
 	"only files or directories in user home, /tmp"

test/fs/private-bin.exp

@@ -37,7 +37,7 @@ expect {
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --profile=private-bin.profile\r"
+send -- "firejail --profile=./private-bin.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 7\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/fs/private-cwd.exp

@@ -44,7 +44,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail  --profile=private-cwd.profile pwd\r"
+send -- "firejail  --profile=./private-cwd.profile pwd\r"
 expect {
 	timeout {puts "TESTING ERROR 6\n";exit}
 	"$env(HOME)"

test/fs/tab.exp

@@ -31,7 +31,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --private --profile=tab.profile ls -al\r"
+send -- "firejail --private --profile=./tab.profile ls -al\r"
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/network/ip6.exp

@@ -26,7 +26,7 @@ expect {
 }
 sleep 1
 
-send -- "firejail --profile=ip6.profile ip addr show\r"
+send -- "firejail --profile=./ip6.profile ip addr show\r"
 expect {
 	timeout {puts "TESTING ERROR 4\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/network/net_ip.exp

@@ -131,7 +131,7 @@ expect {
 
 after 500
 
-send -- "firejail --profile=net_ip.profile ip addr show\r"
+send -- "firejail --profile=./net_ip.profile ip addr show\r"
 expect {
 	timeout {puts "TESTING ERROR 26\n";exit}
 	"eth0"
@@ -158,7 +158,7 @@ expect {
 }
 after 500
 
-send -- "firejail --profile=net_ip.profile ip route  show\r"
+send -- "firejail --profile=./net_ip.profile ip route  show\r"
 expect {
 	timeout {puts "TESTING ERROR 32\n";exit}
 	"default via 10.10.20.9"

test/network/net_none.exp

@@ -25,7 +25,7 @@ after 500
 
 
 # profile
-send -- "firejail --profile=net_none.profile\r"
+send -- "firejail --profile=./net_none.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 2\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/profiles/profile_bad_appname.exp

@@ -0,0 +1,16 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --profile=org.gnome.blablabla bwrap\r"
+expect {
+    timeout {puts "TESTING ERROR 0\n";exit}
+    "is not an application name"
+}
+after 100
+puts "all done\n"

test/profiles/profile_build.exp

@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm -fr /tmp/firejailtest*\r"
+sleep 1
+
+send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r"
+sleep 1
+
+send -- "cat /tmp/firejailtest.profile\r"
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"seccomp"
+}
+after 100
+
+send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r"
+expect {
+	timeout {puts "TESTING ERROR 3\n";exit}
+	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+expect {
+	timeout {puts "TESTING ERROR 4\n";exit}
+	"Parent is shutting down"
+}
+after 100
+
+send -- "rm -fr /tmp/firejailtest*\r"
+after 100
+
+puts "\nall done\n"

test/profiles/profile_comment.exp

@@ -7,12 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "rm -fr /tmp/firejailtest*\r"
-send -- "rm -fr /tmp/firejail-strace*\r"
-send -- "rm -fr /tmp/firejail-trace*\r"
-sleep 1
-
-send -- "firejail --profile=comment.profile /usr/bin/true\r"
+send -- "firejail --profile=./comment.profile /usr/bin/true\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -21,32 +16,6 @@ expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	"Parent is shutting down"
 }
-sleep 2
-
-send -- "firejail --build=/tmp/firejailtest.profile /usr/bin/true\r"
-sleep 1
-
-send -- "cat /tmp/firejailtest.profile\r"
-expect {
-	timeout {puts "TESTING ERROR 2\n";exit}
-	"seccomp"
-}
-after 100
-
-send -- "firejail --profile=/tmp/firejailtest.profile /usr/bin/true\r"
-expect {
-	timeout {puts "TESTING ERROR 3\n";exit}
-	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
-}
-expect {
-	timeout {puts "TESTING ERROR 4\n";exit}
-	"Parent is shutting down"
-}
-after 100
-
-send -- "rm -fr /tmp/firejailtest*\r"
-send -- "rm -fr /tmp/firejail-strace*\r"
-send -- "rm -fr /tmp/firejail-trace*\r"
 after 100
 
 puts "\nall done\n"

test/profiles/profile_conditional.exp

@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --debug --nodbus --profile=cond1.profile\r"
+send -- "firejail --debug --nodbus --profile=./cond1.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	"conditional HAS_NODBUS, private"
@@ -20,7 +20,7 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --debug --profile=cond1.profile\r"
+send -- "firejail --debug --profile=./cond1.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 2\n";exit}
 	"conditional HAS_NODBUS, private" {puts "TESTING ERROR 3\n";exit}
@@ -30,14 +30,14 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --profile=cond2.profile\r"
+send -- "firejail --profile=./cond2.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 4\n";exit}
 	"invalid conditional syntax"
 }
 after 100
 
-send -- "firejail --profile=cond3.profile\r"
+send -- "firejail --profile=./cond3.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
 	"invalid conditional syntax"

test/profiles/profile_followlnk.exp

@@ -13,7 +13,7 @@ send -- "touch /tmp/firejailtestfile\r"
 send -- "ln -s /tmp/firejailtestfile /tmp/firejailtestfilelnk\r"
 sleep 1
 
-send -- "firejail --profile=readonly-lnk.profile\r"
+send -- "firejail --profile=./readonly-lnk.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/profiles/profile_ignore.exp

@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --profile=ignore.profile --ignore=seccomp \r"
+send -- "firejail --profile=./ignore.profile --ignore=seccomp \r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	"Error: please use --profile after --ignore"
@@ -23,7 +23,7 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --ignore=seccomp --ignore=name --profile=ignore.profile \r"
+send -- "firejail --ignore=seccomp --ignore=name --profile=./ignore.profile \r"
 expect {
 	timeout {puts "TESTING ERROR 3\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -39,7 +39,7 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --ignore=private --ignore=name --profile=ignore.profile \r"
+send -- "firejail --ignore=private --ignore=name --profile=./ignore.profile \r"
 expect {
 	timeout {puts "TESTING ERROR 5\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -55,7 +55,7 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --debug --profile=ignore2.profile\r"
+send -- "firejail --debug --profile=./ignore2.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 7\n";exit}
 	BLACKLIST {puts "TESTING ERROR 8\n";exit}
@@ -66,7 +66,7 @@ after 100
 send -- "exit\r"
 sleep 1
 
-send -- "firejail --ignore=quiet --ignore=name --profile=ignore.profile \r"
+send -- "firejail --ignore=quiet --ignore=name --profile=./ignore.profile \r"
 expect {
 	timeout {puts "TESTING ERROR 9\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/profiles/profile_multiple.exp

@@ -0,0 +1,24 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --ignore=quiet --profile=wget --profile=curl bwrap\r"
+expect {
+    timeout {puts "TESTING ERROR 0\n";exit}
+    "disable-programs"
+}
+expect {
+    timeout {puts "TESTING ERROR 1\n";exit}
+    "disable-programs"
+}
+expect {
+    timeout {puts "TESTING ERROR 2\n";exit}
+    "fbwrap - bwrap replacement for Firejail sandbox"
+}
+after 100
+puts "all done\n"

test/profiles/profile_noprofile.exp

@@ -0,0 +1,16 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2026 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --noprofile --profile=wget bwrap\r"
+expect {
+    timeout {puts "TESTING ERROR 0\n";exit}
+    "options are mutually exclusive"
+}
+after 100
+puts "all done\n"

test/profiles/profile_readonly.exp

@@ -11,7 +11,7 @@ send -- "mkdir /tmp/firejailtestdir\r"
 send -- "touch /tmp/firejailtestfile\r"
 sleep 1
 
-send -- "firejail --profile=readonly.profile\r"
+send -- "firejail --profile=./readonly.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/profiles/profile_recursivity.exp

@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --profile=test3.profile\r"
+send -- "firejail --profile=./test3.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	"Reading profile test3.profile"

test/profiles/profile_syntax.exp

@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --profile=test.profile\r"
+send -- "firejail --profile=./test.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/profiles/profile_syntax2.exp

@@ -7,10 +7,10 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "firejail --profile=test2.profile\r"
+send -- "firejail --profile=./test2.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
-	"Reading profile test2.profile"
+	"Reading profile ./test2.profile"
 }
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}

test/profiles/profiles.sh

@@ -7,11 +7,14 @@ export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 export LC_ALL=C
 
-echo "TESTING: profile comments (test/profiles/profilecomment.exp)"
+echo "TESTING: profile comments (test/profiles/profile_comment.exp)"
 ./profile_comment.exp
 
-echo "TESTING: profile conditional (test/profiles/conditional.exp)"
-./conditional.exp
+echo "TESTING: profile build (test/profiles/profile_build.exp)"
+./profile_build.exp
+
+echo "TESTING: profile conditional (test/profiles/profile_conditional.exp)"
+./profile_conditional.exp
 
 echo "TESTING: profile recursivity (test/profiles/profile_recursivity.exp)"
 ./profile_recursivity.exp
@@ -25,23 +28,32 @@ echo "TESTING: profile syntax (test/profiles/profile_syntax.exp)"
 echo "TESTING: profile syntax 2 (test/profiles/profile_syntax2.exp)"
 ./profile_syntax2.exp
 
-echo "TESTING: ignore command (test/profiles/ignore.exp)"
-./ignore.exp
+echo "TESTING: profile ignore command (test/profiles/profile_ignore.exp)"
+./profile_ignore.exp
 
 echo "TESTING: profile read-only (test/profiles/profile_readonly.exp)"
 ./profile_readonly.exp
 
-echo "TESTING: profile read-only links (test/profiles/profile_readonly.exp)"
+echo "TESTING: profile read-only links (test/profiles/profile_followlnk.exp)"
 ./profile_followlnk.exp
 
 echo "TESTING: profile no permissions (test/profiles/profile_noperm.exp)"
 ./profile_noperm.exp
 
-profiles=( /etc/firejail/transmission*.profile /etc/firejail/fi*.profile /etc/firejail/fl*.profile /etc/firejail/free*.profile )
-echo "TESTING: small number of default profiles installed in /etc"
+echo "TESTING: multiple profiles (test/profiles/profile_multiple.exp)"
+./profile_multiple.exp
+
+echo "TESTING: profiles bad appname (test/profiles/profile_app_name.exp)"
+./profile_bad_appname.exp
+
+echo "TESTING: profiles nopprofilee (test/profiles/profile_noprofile.exp)"
+./profile_noprofile.exp
+
+profiles=( transmission-gtk transmission-qt firefox mpv vlc ping warzone2100 galculator )
+profiles+=( gimp inkscape qbittorrent chromium-browser ssh evince pdftotext audacity okular)
 
 for profile in "${profiles[@]}"
 do
-	echo "TESTING: $profile"
+	echo "TESTING: profile $profile"
 	./test-profile.exp "$profile"
 done

test/profiles/test-profile.exp

@@ -8,18 +8,15 @@ spawn $env(SHELL)
 match_max 100000
 
 if { $argc != 1 } {
-	puts "TESTING ERROR: argument missing"
-	puts "Usage: test-profile.exp profile_name"
-	exit
+    puts "TESTING ERROR: argument missing"
+    puts "Usage: test-profile.exp profile_name"
+    exit
 }
 
-send -- "stty -echo\r"
-after 100
-send -- "firejail --profile=$argv echo done\r"
+send -- "firejail --profile=$argv bwrap\r"
 expect {
-	timeout {puts "TESTING ERROR 0\n";exit}
-	"done" {puts "all fine"}
-	"no suitable echo executable found" {puts "echo not found"}
+    timeout {puts "TESTING ERROR 1\n";exit}
+    "fbwrap - bwrap replacement for Firejail sandbox"
 }
-#after 100
+after 100
 puts "\n"

test/seccomp-extra/block-secondary.exp

@@ -28,7 +28,7 @@ expect {
 after 500
 
 # 64 bit architecture - seccomp.block-secondary, profile
-send --  "firejail --debug --profile=block-secondary.profile pwd\r"
+send --  "firejail --debug --profile=./block-secondary.profile pwd\r"
 expect {
 	timeout {puts "TESTING ERROR 7\n";exit}
 	"Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter" {puts "TESTING ERROR 8\n";exit}

test/seccomp-extra/mrwx.exp

@@ -21,7 +21,7 @@ expect {
 }
 after 500
 
-send --  "firejail --debug --profile=mrwx.profile pwd\r"
+send --  "firejail --debug --profile=./mrwx.profile pwd\r"
 expect {
 	timeout {puts "TESTING ERROR 3\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/seccomp-extra/protocol-print.exp

@@ -16,7 +16,7 @@ sleep 2
 
 
 spawn $env(SHELL)
-send -- "firejail --name=test1 --profile=protocol1.profile\r"
+send -- "firejail --name=test1 --profile=./protocol1.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
@@ -24,7 +24,7 @@ expect {
 sleep 2
 
 spawn $env(SHELL)
-send -- "firejail --name=test2 --profile=protocol2.profile\r"
+send -- "firejail --name=test2 --profile=./protocol2.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 2\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/utils/join-profile.exp

@@ -8,7 +8,7 @@ spawn $env(SHELL)
 match_max 100000
 
 
-send --  "firejail --profile=name.profile\r"
+send --  "firejail --profile=./name.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"

test/utils/join5.exp

@@ -7,7 +7,7 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send --  "firejail --name=test123 --profile=join5.profile\r"
+send --  "firejail --name=test123 --profile=./join5.profile\r"
 expect {
 	timeout {puts "TESTING ERROR 0\n";exit}
 	-re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"