Changes:
* Use `scan-build make` instead of running `scan-build` inside of `make`
(this appears to be necessary for the output synchronization to work)
* Use `-j "$(nproc)"` and `-Orecurse` for the main `make` step in all
jobs (including where this step is currently not parallel)
The main drawback of using parallel make (`-j`) is that the output of
different jobs may be printed interspersed, which makes the output
harder to read and less stable across multiple executions.
Example:
job1: line1
job1: line2
job2: line1
job3: line1
job1: line3
Using `-Orecurse` should fix this by ensuring that the output of all
jobs is still printed sequentially in the order that the jobs were
executed (that is, as if `-j` was not used), even if the jobs themselves
are executed in parallel.
This should ensure that the main `make` step in each job runs its
targets in parallel and has a stable output at the same time, making it
easier to compare the logs of the same job across different CI runs.
Note: The `-O` flag is specific to GNU make and was added in version 4.0
(2013-10-09).
Related commits:
* 500d8f2d6 ("ci: run make in parallel where applicable", 2023-08-14) /
PR #5960
* 1f6400bd8 ("build: sync scan-build target with CI", 2024-02-24) /
PR #6222
The tests from this file are currently not even being executed in CI[1]:
TESTING: macro subpaths (test/fs/macro-subpath.exp)
./fs.sh: line 130: ./macro-subpath.exp: Permission denied
TESTING: whitelist empty (test/fs/whitelist-empty.exp)
This amends commit aff7cb630 ("feature: allow subpaths in xdg macros",
2026-04-21) / PR #7151.
Relates to #7147.
[1] https://github.com/netblue30/firejail/actions/runs/25602127293/job/75157737035
The whitelist test is currently broken[1]:
TESTING: macro subpaths (test/fs/macro-subpath.exp)
spawn /bin/bash
firejail --profile=./macro-subpath-whitelist.profile ls ~/Desktop/_firejail_test_dir [...]
[...]
/home/runner/Desktop/_firejail_test_dir:
a
[...]
Parent is shutting down, bye...
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$ TESTING ERROR 1.1 Desktop
This amends commit aff7cb630 ("feature: allow subpaths in xdg macros",
2026-04-21) / PR #7151.
Relates to #7147.
[1] https://github.com/netblue30/firejail/actions/runs/25638061680/job/75253423623
Commands used to search and replace:
$ git grep -IElz '\$\{HOME\}/(Desktop|Documents|Downloads|Music|Pictures|Projects|Videos)' -- etc |
xargs -0 perl -pi -e '
s/\$\{HOME\}\/Desktop/\${DESKTOP}/;
s/\$\{HOME\}\/Documents/\${DOCUMENTS}/;
s/\$\{HOME\}\/Downloads/\${DOWNLOADS}/;
s/\$\{HOME\}\/Music/\${MUSIC}/;
s/\$\{HOME\}\/Pictures/\${PICTURES}/;
s/\$\{HOME\}\/Projects/\${PROJECTS}/;
s/\$\{HOME\}\/Videos/\${VIDEOS}/;
'
Note: The entries in the following profiles were sorted manually:
* etc/profile-m-z/Mathematica.profile
* etc/profile-m-z/prismlauncher.profile
* etc/profile-m-z/zoom.profile
This is a follow-up to #7151.
Move it together with the other profiles used for redirecting in
`etc/profile*`.
Commands used to search and replace:
git mv etc/inc/llm-agent-common.inc etc/profile-a-l/llm-agent-common.profile
git grep -IElz llm-agent-common.inc | xargs -0 perl -pi -e '
s/llm-agent-common.inc/llm-agent-common.profile/
'
This amends commit c81777164 ("profiles: add llm-agent-common.inc
(#7158)", 2026-05-08).
Note: The missing line is already present in the other includers of
`nodejs-common.inc`:
$ git grep -Il 'include nodejs-common.profile'
etc/profile-m-z/node-gyp.profile
etc/profile-m-z/node.profile
etc/profile-m-z/npm.profile
etc/profile-m-z/npx.profile
etc/profile-m-z/pnpm.profile
etc/profile-m-z/pnpx.profile
etc/profile-m-z/semver.profile
etc/profile-m-z/yarn.profile
This amends commit 37452ef1a ("refactor nodejs applications (npm & yarn)
(#3876)", 2021-01-11).
To make it easier to add new directories.
This is similar to commit 1511aab5f
("test/fs/disable-devnull-symlink.exp: simplify error messages",
2026-04-27).
Relates to #7147#7151.
Ephoto is a lightweight, user-friendly image viewer and editor built
on the Enlightenment Foundation Libraries (EFL). It combines simplicity
with performance, delivering a fast and efficient experience without
unnecessary overhead.
https://www.enlightenment.org/about-ephoto
Add the mesa path and the old nvidia path:
* `~/.cache/mesa_shader_cache`
* `~/.nv`
This is a follow-up to commit 263f576d2 ("profiles: steam: whitelist
.cache/nvidia (#7114)", 2026-04-23).
Currently it is not possible to use XDG-related macros (such as
`${DOCUMENTS}`) with subpaths (such as `${DOCUMENTS}/foo`) and so
profiles just use `${HOME}` with a hardcoded path using the English
directory name and the subpath (such as `${HOME}/Documents/foo`).
Allow using subpaths after XDG macros, so that they automatically use
the auto-detected XDG path, just as when currently using the XDG macros
without subpaths.
Before:
${HOME}/Documents/foo
After:
${DOCUMENTS}/foo
This is a follow-up to #7147.
Closes#2359.
Relates to #4229.
The test is failing at multiple parts in CI due to timeouts.
From [1]:
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$
<=./macro-blacklist.profile ls ~/Videos; echo ret $?
Reading profile ./macro-blacklist.profile
firejail version 0.9.81
Parent pid 6385, child pid 6386
Base filesystem installed in 0.25 ms
firejail ls /home/runner/Videos
Child process initialized in 7.58 ms
ls: cannot open directory '/home/runner/Videos': Permission denied
Parent is shutting down, bye...
ret 2
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$
<le touch ~/Desktop/_firejail_test_file; echo ret $?
Reading profile ./macro-readonly.profile
firejail version 0.9.81
Parent pid 6390, child pid 6391
Base filesystem installed in 3.23 ms
TESTING ERROR 19
From [2]:
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$
<macro-blacklist.profile ls ~/Documents; echo ret $?
Reading profile ./macro-blacklist.profile
firejail version 0.9.81
Parent pid 6382, child pid 6383
Base filesystem installed in 0.26 ms
firejail ls /home/runner/Documents
Child process initialized in 7.84 ms
ls: cannot open directory '/home/runner/Documents': Permission denied
Parent is shutting down, bye...
ret 2
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$
<macro-blacklist.profile ls ~/Downloads; echo ret $?
Reading profile ./macro-blacklist.profile
firejail version 0.9.81
Parent pid 6387, child pid 6388
Base filesystem installed in 0.25 ms
firejail ls /home/runner/Downloads
TESTING ERROR 11
This amends commit 574885778 ("test/fs/macro.exp: reduce timeout and
sleep", 2026-04-24) / PR #7147.
[1] https://github.com/netblue30/firejail/actions/runs/25076422708/job/73470137137
[2] https://github.com/netblue30/firejail/actions/runs/25076422708/job/73522630528
Fail faster instead of waiting for the timeout.
See also commit a4e6495fd ("modif: do not follow symlinks to /dev/null
on disable (#7129)", 2026-04-17).
Use `_firejail_test_file` instead of `blablabla`, as the former is a
more common filename in tests and is what is actually removed in
test/fs/fs.sh.
Related commits:
* 2155203b3 ("xdg macro testing", 2018-08-07)
* 188d5f16d ("--profile=FILE rework (#6896)", 2026-01-05)
Debian has a separate "firejail-profiles" package for the profiles
(besides the main "firejail" package), which conflicts with our package
when trying to install it[1]:
$ sudo dpkg -i firejail_0.9.80_1_amd64.deb
FAIL: (Reading database ... 238526 files and directories currently installed.)
Preparing to unpack ./firejail_0.9.80_1_amd64.deb ...
Unpacking firejail (0.9.80-1) over (0.9.74-1~0ubuntu22.04.0) ...
dpkg: error processing archive ./firejail_0.9.80_1_amd64.deb (--install):
trying to overwrite '/etc/firejail/0ad.profile', which is also in package firejail-
profiles 0.9.74-1~0ubuntu22.04.0
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
./firejail_0.9.80_1_amd64.deb
So add a `Conflicts:` line for "firejail-profiles".
Relates to #7110.
[1] https://github.com/netblue30/firejail/issues/7072#issuecomment-4273240052
Reported-by: @ginto37
