Commands used to search and replace:
$ git grep -IElz '\$\{HOME\}/(Desktop|Documents|Downloads|Music|Pictures|Projects|Videos)' -- etc |
xargs -0 perl -pi -e '
s/\$\{HOME\}\/Desktop/\${DESKTOP}/;
s/\$\{HOME\}\/Documents/\${DOCUMENTS}/;
s/\$\{HOME\}\/Downloads/\${DOWNLOADS}/;
s/\$\{HOME\}\/Music/\${MUSIC}/;
s/\$\{HOME\}\/Pictures/\${PICTURES}/;
s/\$\{HOME\}\/Projects/\${PROJECTS}/;
s/\$\{HOME\}\/Videos/\${VIDEOS}/;
'
Note: The entries in the following profiles were sorted manually:
* etc/profile-m-z/Mathematica.profile
* etc/profile-m-z/prismlauncher.profile
* etc/profile-m-z/zoom.profile
This is a follow-up to #7151.
Move it together with the other profiles used for redirecting in
`etc/profile*`.
Commands used to search and replace:
git mv etc/inc/llm-agent-common.inc etc/profile-a-l/llm-agent-common.profile
git grep -IElz llm-agent-common.inc | xargs -0 perl -pi -e '
s/llm-agent-common.inc/llm-agent-common.profile/
'
This amends commit c81777164 ("profiles: add llm-agent-common.inc
(#7158)", 2026-05-08).
Note: The missing line is already present in the other includers of
`nodejs-common.inc`:
$ git grep -Il 'include nodejs-common.profile'
etc/profile-m-z/node-gyp.profile
etc/profile-m-z/node.profile
etc/profile-m-z/npm.profile
etc/profile-m-z/npx.profile
etc/profile-m-z/pnpm.profile
etc/profile-m-z/pnpx.profile
etc/profile-m-z/semver.profile
etc/profile-m-z/yarn.profile
This amends commit 37452ef1a ("refactor nodejs applications (npm & yarn)
(#3876)", 2021-01-11).
Ephoto is a lightweight, user-friendly image viewer and editor built
on the Enlightenment Foundation Libraries (EFL). It combines simplicity
with performance, delivering a fast and efficient experience without
unnecessary overhead.
https://www.enlightenment.org/about-ephoto
Add the mesa path and the old nvidia path:
* `~/.cache/mesa_shader_cache`
* `~/.nv`
This is a follow-up to commit 263f576d2 ("profiles: steam: whitelist
.cache/nvidia (#7114)", 2026-04-23).
`@default-keep` should be used for syscalls used by Firejail itself only.
We are moving some syscalls from `@default-keep` that do not meet this condition into the new group `@program-keep`.
Syscalls in `@program-keep` are not forced to whitelist (we let users decide), but should never be present in `@default` and its sub-groups.
Also move `execv` into `@obsolete` (sparc only, replaced by `execve`).
The mount paths in disable-exec.inc are the exact same ones as in
disable-write-mnt.inc, so split them into their own list and add a note
above each list to keep them in sync with each other.
This amends commit 98c3b41bc ("disable-exec: add mount points",
2026-03-20) / PR #7112.
Example case: you want to access the photos and have scripts or binaries on the same USB flash drive.
Let's set mount points not executable in disable-exec.inc.
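One check a practitioner wants after such a change is whether a given file really sits on a mount that carries `noexec` inside the sandbox. The following shell function is an added example, not Firejail code and not part of this commit: it reads a mount table in `/proc/self/mounts` format, finds the longest mount point covering the path, and reports whether that mount is flagged `noexec`. The function name `noexec_status` and the three-line mount table used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Firejail code): check whether a path lives on a mount
# that is flagged noexec, using a mount table in /proc/self/mounts format
# (fields: device, mount point, fstype, options, dump, pass).
#
# noexec_status MOUNTS_FILE PATH
#   prints "<mount point> noexec" and returns 0 if the governing mount has
#   the noexec option, prints "<mount point> exec" and returns 1 otherwise,
#   and returns 2 if no mount point in MOUNTS_FILE covers PATH.
# Simplification (assumption): mount points containing spaces appear in
# /proc with \040 escapes and are not decoded here.
noexec_status() {
    awk -v path="$2" '
    NF >= 4 {
        mp = $2
        # A mount point covers the path if it is "/", equals the path, or is
        # a prefix that ends on a path-component boundary ("/media/usb" must
        # not match "/media/usb2/file").
        if (mp == "/" || mp == path || index(path, mp "/") == 1) {
            # Keep the longest match: the most specific (innermost) mount.
            if (best == "" || length(mp) > length(best)) {
                best = mp
                opts = $4
            }
        }
    }
    END {
        if (best == "") exit 2
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++) {
            if (o[i] == "noexec") {
                print best " noexec"
                exit 0
            }
        }
        print best " exec"
        exit 1
    }' "$1"
}

# Usage inside a sandbox against the live table, e.g.:
#   noexec_status /proc/self/mounts /media/usb/run.sh
```

Run from inside the sandbox (where `/proc/self/mounts` reflects the remounted view), this shows directly whether a `noexec` entry in disable-exec.inc took effect for the mount point in question.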
Changes:
* Keep hostname by default (same as using `--keep-hostname`)
* Add `--hostname-randomize` command to randomize the hostname
* Ignore `--keep-hostname` command and print a warning if it is used
Setting a different hostname inside of the sandbox may prevent X11
programs from authenticating to the X server and displaying windows at
all (see #7062).
To avoid breakage, keep the hostname as is by default and only set it to
a random value if a new `hostname-randomize` command is used.
This also avoids potentially surprising behavior, as the user might not
expect the hostname to be changed inside of the sandbox, considering
that usually the protections that are applied by firejail involve
restricting access to resources (like file paths), rather than modifying
their values inside of the sandbox.
Fixes #7062
Relates to #7048, #7069.
- src/lib/syscall.c
- Update the comment to also match `gettimeofday`
- Sort the content of `@default-keep` by alphabetical order
- etc/templates/syscalls.txt
- Update the Definition of groups
Related to this, trying to open xorg programs stopped working on Arch
recently (even with `--profile=noprofile`), producing the following
error[1]:
$ /usr/local/bin/thunderbird
[...]
Authorization required, but no authorization protocol specified
Error: cannot open display: :0
Parent is shutting down, bye...
The programs work if `--keep-hostname` is used.
The workaround was found quickly, but mostly by luck and guesswork, as
needing to use a profile command when even `--profile=noprofile` does
not work is counterintuitive and unexpected.
Related commits:
* cc8b019b5 ("--keep-hostname part 1 (#7048)", 2026-02-03)
* e31d872a5 ("profiles: add keep-hostname to profile.template",
2026-02-11)
Relates to #7062.
[1] https://github.com/netblue30/firejail/issues/7062#issue-3943568845
Default directories in Firefox 146 and earlier:
* ~/.cache/mozilla # cache files
* ~/.mozilla # config and data
In Firefox 147[1]:
* ~/.cache/mozilla # cache files
* ~/.config/mozilla # config and data
Note that the new location apparently contains the same files as in the
former location (including settings, bookmarks, extensions, etc).
That is, even though the new directory resides in `$XDG_CONFIG_HOME` /
~/.config, it is not solely used for program configuration as described
in the XDG Base Directory specification[2] and `$XDG_DATA_HOME` /
~/.local/share/mozilla is seemingly not used at all (see also the
discussion in the bug tracker[3]).
Commands used to search and replace:
$ perl -pi -e 's/(.* )(\${HOME}\/\.mozilla)(.*)/$1\${HOME}\/.config\/mozilla$3\n$1$2$3/' \
-- \
etc/inc/*.inc \
etc/profile*/*.profile \
Note: The entries in the following profiles were sorted manually:
* etc/inc/disable-common.inc
* etc/inc/disable-programs.inc
* etc/profile-a-l/keepassxc.profile
* etc/profile-a-l/krunner.profile
* etc/profile-m-z/seamonkey.profile
Relates to #7040.
[1] https://www.firefox.com/en-US/firefox/147.0/releasenotes/
[2] https://specifications.freedesktop.org/basedir/latest/
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=259356
disable-common.inc has these lines:
blacklist ${PATH}/nc
blacklist ${PATH}/nc.openbsd
blacklist ${PATH}/nc.traditional
blacklist ${PATH}/ncat
With openbsd-netcat on Artix, `/usr/bin/nc.openbsd` is symlinked to
`/usr/bin/nc`:
$ pacman -Fl gnu-netcat openbsd-netcat | grep bin/nc
gnu-netcat usr/bin/nc
openbsd-netcat usr/bin/nc
openbsd-netcat usr/bin/nc.openbsd
$ realpath /usr/bin/nc.openbsd
/usr/bin/nc
So `noblacklist ${PATH}/nc` is not enough, as
`blacklist ${PATH}/nc.openbsd` will follow the symlink to `/usr/bin/nc`
and still blacklist it.
To prevent `/usr/bin/nc` from being blacklisted,
`noblacklist ${PATH}/nc.openbsd` is also needed in this case.
To ensure that netcat is allowed, always `noblacklist` all netcat paths.
Fixes #6911.
Put it together with the other `keep-` commands.
And move it to the allow section in libreoffice.profile.
Related commits:
* cc8b019b5 ("--keep-hostname part 1 (#7048)", 2026-02-03)
* fbc94070e ("adding keep-hostname to libreoffice.profile", 2026-02-11).
Relates to #7048.
- Remove extra empty lines
- Definition of groups:
- Add the two new groups `@memfd` and `@sandbox`
- Add new syscalls
- Inheritance of groups:
- Redraw it in a clearer form of groups and subgroups
- Add the two new groups
- Sort `@mount` and `@obsolete` groups by alphabetical order
This is the last part.
Add paths in the same places as nodejs/npm paths.
Deno is a javascript runtime and development tool similar to nodejs.
The following paths seem to be intended for downloading and caching
dependencies (and apparently also artifacts from .ts to .js compilation)
globally during development (as can be done with ~/.npm):
* ~/.cache/deno
* ~/.deno
Note that this commit makes these paths read-only (as npm dependencies
are usually executable code), which may potentially affect users of the
runtime (like yt-dlp).
Related commits:
* f2de86464 ("tentative fix for yt-dlp/javaScript deno profile (#6999)",
2026-01-13)