Commit graph

105 commits

Author SHA1 Message Date
Kelvin M. Klann
34f12c442e
feature: add ${PUBLICSHARE} and ${TEMPLATES} macros (#7164)
Add the following directories from the xdg-user-dirs specification[1]:

* `XDG_PUBLICSHARE_DIR="$HOME/Public"`
* `XDG_TEMPLATES_DIR="$HOME/Templates"`

With this, all directories from the specification are supported as
macros.

See also /etc/xdg/user-dirs.defaults.

Relates to #7157 #7163.

[1] https://www.freedesktop.org/wiki/Software/xdg-user-dirs/
2026-05-15 13:11:54 +00:00
Kelvin M. Klann
2f722c85da profiles: sort macros in profile.template
Added on commit d4f824519 ("Mention macros in profile.template (#2759)",
2019-06-11).

Kind of relates to #7157.
2026-05-13 11:32:56 -03:00
Kelvin M. Klann
5abf0577a7
feature: add ${PROJECTS} macro (#7157)
Based on the new ~/Projects directory from version 0.20 of the
xdg-user-dirs specification[1]:

* `XDG_PROJECTS_DIR="$HOME/Projects"`

Relates to #7147 #7151.

[1] https://www.freedesktop.org/wiki/Software/xdg-user-dirs/
2026-05-09 13:19:42 +00:00
Kelvin M. Klann
a7a66c5e6e new_syscalls.txt: fix trailing whitespace
This amends commit e9cccefe1 ("update all system call headers",
2026-03-05).
2026-04-17 15:29:25 -03:00
pierretom
9d90daff22 create a new syscall group: @program-keep
`@default-keep` should be used for syscalls used by Firejail itself only.
We are moving some syscalls from `@default-keep` that do not meet this condition into the new group `@program-keep`.
Syscalls in `@program-keep` are not forced to whitelist (we let users decide), but should never be present in `@default` and its sub-groups.

Also move `execv` into `@obsolete` (sparc only, replaced by `execve`).
2026-04-01 14:26:38 +02:00
Kelvin M. Klann
09329b990f modif: replace --keep-hostname with new --hostname-randomize
Changes:

* Keep hostname by default (same as using `--keep-hostname`)
* Add `--hostname-randomize` command to randomize the hostname
* Ignore `--keep-hostname` command and print a warning if it is used

Setting a different hostname inside of the sandbox may prevent X11
programs from authenticating to the X server and displaying windows at
all (see #7062).

To avoid breakage, keep the hostname as is by default and only set it to
a random value if a new `hostname-randomize` command is used.

This also avoids potentially surprising behavior, as the user might not
expect the hostname to be changed inside of the sandbox, considering
that usually the protections that are applied by firejail involve
restricting access to resources (like file paths), rather than modifying
their values inside of the sandbox.

Fixes #7062

Relates to #7048 #7069.
2026-03-08 02:12:26 -03:00
pierretom
0a786af928 include the syscall header for the x32 ABI
Also add the new syscall `rseq_slice_yield` to the `@process` group.
2026-03-05 15:40:49 +01:00
pierretom
e9cccefe1d update all system call headers 2026-03-05 14:49:33 +01:00
pierretom
4d14e1da4b update for the gettimeofday syscall
- src/lib/syscall.c
  - Update the comment to also match `gettimeofday`
  - Sort the content of `@default-keep` by alphabetical order
- etc/templates/syscalls.txt
  - Update the Definition of groups
2026-03-02 09:40:12 +01:00
Kelvin M. Klann
e31d872a51 profiles: add keep-hostname to profile.template
Put it together with the other `keep-` commands.

And move it to the allow section in libreoffice.profile.

Related commits:

* cc8b019b5 ("--keep-hostname part 1 (#7048)", 2026-02-03)
* fbc94070e ("adding keep-hostname to libreoffice.profile", 2026-02-11).

Relates to #7048.
2026-02-11 16:10:47 -03:00
pierretom
f281d76f24 move other syscalls considered deprecated into @obsolete
`futimesat`, `gettimeofday`, `remap_file_pages`, `settimeofday`, `tkill` and `utime`.
2026-01-28 16:09:05 +01:00
pierretom
825fb24ff1 place some syscalls with access to a clock, used for time reading, theoretical resolution and sleep functions into @default-keep
Also move `stime` into `@obsolete`, see `man 2 stime`.
2026-01-28 13:11:23 +01:00
pierretom
85625e46e6 add missing syscalls in groups 2026-01-24 15:11:49 +01:00
pierretom
f5e01fcc56 update system call groups - part 4
- Remove extra empty lines
- Definition of groups:
  - Add the two new groups `@memfd` and `@sandbox`
  - Add new syscalls
- Inheritance of groups:
  - Redraw it in a clearer form of groups and subgroups
  - Add the two new groups
  - Sort `@mount` and `@obsolete` groups by alphabetical order

This is the last part.
2026-01-22 16:21:01 +01:00
pierretom
380e90169e update and add system calls for several architectures
Closes #6956.
2025-11-10 08:35:20 +01:00
pierretom
ec6b976f25
bugfix: add missing macros in profile.template (#6948) 2025-10-28 16:13:59 +00:00
Kelvin M. Klann
326a3102a4 profiles: fix private-opt comment misc in profile.template
This amends commit b66da99f9 ("profiles: finish converting private-opt
to whitelist (#6785)", 2025-06-22).
2025-06-26 07:17:50 -03:00
Kelvin M. Klann
b66da99f9a
profiles: finish converting private-opt to whitelist (#6785)
Changes:

* Convert all private-opt entries (other than `private-opt none`) to
  whitelist entries
* Remove remaining commented private-opt entries and related comments
  (for profiles that also have a corresponding whitelist entry)
* Enable `whitelist /opt/basilisk` in basilisk.profile (similarly to
  mullvad-browser.profile and palemoon.profile)
* Update private-opt comment in etc/templates/profile.template

Most private-opt entries were converted into whitelist entries on commit
175905530 ("profiles: exchange private-opt with a whitelist (#6021)",
2023-10-18), while some of them were left alone due to the program size
being deemed small enough as not to break file-copy-limit in
firejail.config.

For the sake of simplicity and clarity (and to avoid potential issues
with program install sizes increasing over time), convert those
private-opt entries into whitelist entries as well (note that users can
still enable private-opt in the corresponding .local profile).

Also, some commented private-opt entries remain (with a note about
potential issues with private-opt).

Since commit 175905530 also documented the drawbacks of private-opt in
firejail.1, it should be fine to remove the commented entries and
related comments (note that in all of the profiles containing such
comments, there is already an equivalent whitelist entry).

Related commits:

* f3f739c5d ("microsoft-edge.profile: rewrite profile for stable
  channel", 2022-08-11) /
  PR #5709
* 121e043df ("microsoft-edge-{dev,beta}: replaced private-opt by
  whitelist #5307", 2022-08-11) /
  PR #5709
* 2cb40fbec ("microsoft-edge fixes (#5697)", 2023-03-14)
* 58732a654 ("Add profiles for jami and postman (#5691)", 2023-03-15)
* 175905530 ("profiles: exchange private-opt with a whitelist (#6021)",
  2023-10-18)
2025-06-22 05:07:18 +00:00
Kelvin M. Klann
dd3ef2a1d0
feature: add warn command (#6710)
And use it in etc/inc/disable-X11.inc.

This allows printing a warning message from inside a profile.

Everything after the command is printed in a warning message as is (that
is, without macro expansion).

Example:

    $ firejail --noprofile --include=/etc/firejail/disable-X11.inc true
    Reading profile /etc/firejail/disable-X11.inc
    Warning: /etc/firejail/disable-X11.inc:5: This file is deprecated; use disable-x11.inc (lowercase) instead.
    Reading profile /etc/firejail/disable-x11.inc
    [...]

Relates to #6294.

This is a follow-up to #6709.
2025-04-21 10:49:27 +00:00
Kelvin M. Klann
4d34d4c336 modif: block TPM devices & turn notpm command into keep-dev-tpm
Instead of having a `notpm` command and potentially adding it to almost
all profiles (as few programs should need direct access to TPM devices),
add a `keep-dev-tpm` command and use it only in profiles that need
access to TPM devices.

Changes:

* Turn `notpm` command into `keep-dev-tpm` command
* Warn and ignore if `notpm` is used
* Block `/dev/tpm*` devices by default
* Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev`
  is used)

Added on commit 001320226 ("feature: add notpm command & keep tpm
devices in private-dev (#6390)", 2024-07-09).

See also commit ee1c264c5 ("feature: block /dev/ntsync & add
keep-dev-ntsync command (#6660)", 2025-03-06) and the discussion at
PR #6660.

This is a follow-up to #6687.
2025-04-05 15:52:30 -03:00
Kelvin M. Klann
21bb8dbe96 profiles: add missing allow-/keep- commands to profile.template
See etc/profile-m-z/noprofile.profile.
2025-03-26 16:23:46 -03:00
Kelvin M. Klann
c90f4600e4 profiles: split commands that increase/reduce access (template)
This should clarify which commands do what (increase/reduce access) and
also make etc/templates/profile.template more consistent with
etc/profile-m-z/noprofile.profile.

This is a follow-up to #6660.

See also the discussion at [1].

[1] https://github.com/netblue30/firejail/pull/6660#discussion_r1975233984
2025-03-26 16:23:43 -03:00
weebnix
ee1c264c5f
feature: block /dev/ntsync & add keep-dev-ntsync command (#6660)
Changes:

* Block access to /dev/ntsync by default
* Add the `keep-dev-ntsync` command to allow access to /dev/ntsync (even
  if `private-dev` is used)
* Add `keep-dev-ntsync` to wine.profile and similar profiles

Closes #6655.
2025-03-06 06:36:00 +00:00
qdii
001320226c
feature: add notpm command & keep tpm devices in private-dev (#6390)
An ssh private key may be stored in a Trusted Platform Module (TPM)
device and `private-dev` in ssh.profile currently breaks this use-case,
as it does not keep tpm devices (see #6379).

So add a new `notpm` command and keep tpm devices in /dev by default
with `private-dev` unless `notpm` is used.
2024-07-09 01:43:55 +00:00
Kelvin M. Klann
1cfa06b4c5
profiles: clarify and add opengl-game to profile.template (#6300)
To make it consistent with the other include profiles.

See etc/templates/profile.template.

With this, all `etc/inc/allow-*` files are listed in profile.template.

The explanation is based on a comment by @rusty-snake[1].

Relates to #4071.

This is a follow-up to #6299.

[1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473
2024-04-05 12:09:04 +00:00
Kelvin M. Klann
e6b10a45cd
profiles: add allow-php.inc to profile.template (#6299)
To make it consistent with the other include profiles.

See etc/templates/profile.template.

Note: It is not currently included in any profile.

Added on commit 89f30f1f2 ("Create allow-php.inc", 2020-01-25).

This is a follow-up to #6298.
2024-04-03 00:02:41 +00:00
Kelvin M. Klann
baad57d4cd
profiles: add allow-nodejs.inc to profile.template (#6298)
To make it consistent with the other include profiles.

See etc/templates/profile.template.

Relates to #3866 #5881.
2024-03-30 20:38:01 +00:00
Kelvin M. Klann
0060b5105b
profiles: rename disable-X11.inc to disable-x11.inc (#6294)
That is, make "X11" lowercase so that the order of the includes in the
disable- section remain the same when sorted with `LC_ALL=C`, as is the
case for most of the other sections.  That is also likely to be the
default in text editors (such as in vim on Arch), so this should make
the disable- section more consistent and easier to sort when editing the
profile.

Also, keep the old include as a redirect to the new one for now to avoid
breakage.

Commands used to search and replace:

    git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
    git grep -Ilz 'disable-X11' -- etc | xargs -0 \
      perl -pi -e 's/disable-X11/disable-x11/'

Relates to #4462 #4854 #6070 #6289.

This is a follow-up to #6286.
2024-03-27 12:13:47 +00:00
Kelvin M. Klann
9cfeb485eb landlock: use "landlock.fs." prefix in filesystem commands
Since Landlock ABI v4 it is possible to restrict actions related to the
network and potentially more areas will be added in the future.

So use `landlock.fs.` as the prefix in the current filesystem-related
commands (and later `landlock.net.` for the network-related commands) to
keep them organized and to match what is used in the kernel.

Examples of filesystem and network access flags:

* `LANDLOCK_ACCESS_FS_EXECUTE`: Execute a file.
* `LANDLOCK_ACCESS_FS_READ_DIR`: Open a directory or list its content.
* `LANDLOCK_ACCESS_NET_BIND_TCP`: Bind a TCP socket to a local port.
* `LANDLOCK_ACCESS_NET_CONNECT_TCP`: Connect an active TCP socket to a
  remote port.

Relates to #6078.
2024-02-27 22:27:46 -03:00
Kelvin M. Klann
f70ffbe76c landlock: split .special into .makeipc and .makedev
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices.  Also,
`landlock.special` is not very descriptive of what it allows.

So split `landlock.special` into:

* `landlock.makeipc`: allow creating named pipes and sockets (which are
  usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices

Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices.  `ipc` was suggested by
@rusty-snake[2].

Relates to #6078.

[1] https://github.com/netblue30/firejail/pull/6078#pullrequestreview-1740569786
[2] https://github.com/netblue30/firejail/pull/6187#issuecomment-1924107294
2024-02-02 19:37:06 -03:00
Kelvin M. Klann
760f50f78a landlock: move commands into profile and add landlock.enforce
Changes:

* Move commands from --landlock and --landlock.proc= into
  etc/inc/landlock-common.inc
* Remove --landlock and --landlock.proc=
* Add --landlock.enforce

Instead of hard-coding the default commands (and having a separate
command just for /proc), move them into a dedicated profile to make it
easier for users to interact with the entries (view, copy, add ignore
entries, etc).

Only enforce the Landlock commands if --landlock.enforce is supplied.
This allows safely adding Landlock commands to (upstream) profiles while
keeping their enforcement opt-in.  It also makes it simpler to
effectively disable all Landlock commands, by using
`--ignore=landlock.enforce`.

Relates to #6078.
2023-12-11 22:47:11 -03:00
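The three Landlock commits above (the `landlock.fs.`/`landlock.net.` prefix, the `makeipc`/`makedev` split and the opt-in `landlock.enforce`) describe the commands at the profile level. What follows is an added example, not Firejail's own code, of what such commands amount to at the kernel API: one ruleset that handles every filesystem access right the running kernel knows, plus TCP bind/connect where ABI v4 is available, with read and execute access beneath `/` and full access beneath a single directory, enforced in a forked child and probed from there. The UAPI constants and the asm-generic syscall numbers 444 to 446 are copied inline so it builds without `linux/landlock.h`; the function names, the `/tmp/landlock-example-*` paths and the child's exit codes are this example's own assumptions.

```c
/* Added example (not Firejail code): a Landlock ruleset that handles both
 * filesystem and TCP-network access rights, probed from a child process. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Values copied from include/uapi/linux/landlock.h (the commit's makeipc is
 * MAKE_SOCK|MAKE_FIFO, makedev is MAKE_CHAR|MAKE_BLOCK); syscall numbers are
 * the asm-generic ones, identical on x86_64 and aarch64. */
#define LL_FS_EXECUTE      (1ULL << 0)
#define LL_FS_READ_FILE    (1ULL << 2)
#define LL_FS_READ_DIR     (1ULL << 3)
#define LL_FS_V1_ALL       ((1ULL << 13) - 1)  /* EXECUTE .. MAKE_SYM, ABI v1 */
#define LL_FS_REFER        (1ULL << 13)        /* ABI v2 */
#define LL_FS_TRUNCATE     (1ULL << 14)        /* ABI v3 */
#define LL_NET_BIND_TCP    (1ULL << 0)         /* ABI v4 */
#define LL_NET_CONNECT_TCP (1ULL << 1)
#define LL_RULE_PATH_BENEATH 1
#define LL_CREATE_RULESET_VERSION (1U << 0)
enum { LL_SYS_CREATE_RULESET = 444, LL_SYS_ADD_RULE = 445, LL_SYS_RESTRICT_SELF = 446 };

struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Highest Landlock ABI the kernel offers, or -1 if Landlock is unavailable. */
static int landlock_abi(void)
{
    return (int)syscall(LL_SYS_CREATE_RULESET, NULL, 0, LL_CREATE_RULESET_VERSION);
}

/* Handling a bit the kernel does not know fails with EINVAL, so trim per ABI. */
static uint64_t fs_mask_for_abi(int abi)
{
    uint64_t m = LL_FS_V1_ALL;
    if (abi >= 2) m |= LL_FS_REFER;
    if (abi >= 3) m |= LL_FS_TRUNCATE;
    return m;
}

static int add_path_rule(int ruleset_fd, const char *path, uint64_t allowed)
{
    struct ll_path_beneath_attr rule = { .allowed_access = allowed };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0) return -1;
    int rc = (int)syscall(LL_SYS_ADD_RULE, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return rc;
}

/* Read and execute beneath /, everything beneath rw_dir, and no TCP bind or
 * connect at all on an ABI v4+ kernel.  Returns the ABI enforced, or -1. */
static int enforce(const char *rw_dir)
{
    int abi = landlock_abi();
    if (abi < 0) return -1;
    struct ll_ruleset_attr attr = {
        .handled_access_fs = fs_mask_for_abi(abi),
        .handled_access_net = abi >= 4 ? (LL_NET_BIND_TCP | LL_NET_CONNECT_TCP) : 0,
    };
    /* Pre-v4 kernels only know the 8-byte struct, so pass the size they expect. */
    size_t size = abi >= 4 ? sizeof attr : sizeof attr.handled_access_fs;
    int fd = (int)syscall(LL_SYS_CREATE_RULESET, &attr, size, 0);
    if (fd < 0) return -1;
    int rc = add_path_rule(fd, "/", LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR);
    if (rc == 0) rc = add_path_rule(fd, rw_dir, fs_mask_for_abi(abi));
    if (rc == 0) rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);  /* required, as for seccomp */
    if (rc == 0) rc = (int)syscall(LL_SYS_RESTRICT_SELF, fd, 0);
    close(fd);
    return rc == 0 ? abi : -1;
}

/* 1: the child could create a file in its own directory but not elsewhere in
 * /tmp (EACCES); 0: a write leaked through; -1: Landlock unavailable here. */
static int probe(void)
{
    char dir[] = "/tmp/landlock-example-XXXXXX", inside[64];
    const char *leak = "/tmp/landlock-example-leak";
    if (!mkdtemp(dir)) return -1;
    snprintf(inside, sizeof inside, "%s/ok", dir);
    pid_t pid = fork();
    if (pid == 0) {
        if (enforce(dir) < 0) _exit(20);
        int in = open(inside, O_WRONLY | O_CREAT, 0600);  /* rw_dir rule: allowed */
        int out = open(leak, O_WRONLY | O_CREAT, 0600);   /* only the / rule: denied */
        _exit(in >= 0 && out < 0 && errno == EACCES ? 21 : 22);
    }
    int status = 0, res = -1;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        res = WEXITSTATUS(status) == 21 ? 1 : WEXITSTATUS(status) == 22 ? 0 : -1;
    unlink(inside); unlink(leak); rmdir(dir);  /* the unrestricted parent cleans up */
    return res;
}

int main(void) { printf("Landlock ABI %d, probe %d\n", landlock_abi(), probe()); return 0; }
```

The per-ABI mask is the part worth copying: a ruleset that names an access bit the kernel has never heard of is rejected outright, which is the kind of breakage an upstream profile has to avoid and the reason the commit above makes enforcement opt-in via `landlock.enforce`. On a kernel or container without Landlock the probe reports -1 rather than a false pass.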
glitsj16
1759055304
profiles: exchange private-opt with a whitelist (#6021)
* profiles: drop private-opt (existing whitelist)

* profiles: replace private-opt with whitelist

In most profiles.

Kept private-opt for enpass (~85MB), mate-dictionary (<20MB),
minecraft-launcher (~1.6MB) and ppsspp (~44MB). The only app I couldn't
check: xmr-stak.

* docs: note potential issues with private-opt
2023-10-18 22:47:07 +00:00
Topi Miettinen
7e8ba3a8be
Fix wrong syscall names for s390_pci_mmio_{read,write}
Closes #5965
2023-08-26 21:48:44 +03:00
glitsj16
9863f982ca
modif: drop deprecated 'shell' option references (#5894)
The `shell` option has been removed. Remove stale references.

This does NOT remove `shell none`-related code comments in:

- src/firejail/fs_lib.c (L433-L441)
- src/firejail/join.c (L415-L417)

Relates to #5196.

Suggested by #5891.
2023-07-19 12:54:53 +00:00
Kelvin M. Klann
24f2a89200 profile.template: note to put read-only entries in dc 2023-03-29 04:06:30 -03:00
Dpeta
817180fce5
Update DBus wiki link 2022-12-23 19:26:10 +01:00
smitsohu
87afef810c introduce new option restrict-namespaces 2022-07-23 16:21:14 +02:00
smitsohu
f4f44a5f96 refresh syscall groups (#5188)
now covers syscalls up to and including process_madvise (440)

group assignment was blindly copied from systemd:
729d2df806/src/shared/seccomp-util.c (L305)

the only exception is close_range, which was added to both @basic-io and @file-system

this commit adds the following syscalls to the default blacklist:
pidfd_getfd,fsconfig,fsmount,fsopen,fspick,move_mount,open_tree
2022-07-17 17:05:36 +02:00
rusty-snake
56ebc8ac98 Fix chromium browsers in firejail 0.9.68
closes #4965
2022-04-14 22:15:54 +02:00
Kelvin M. Klann
58b58cfaa1 profile.template: add noprinters
See commit bd15e763e ("--noprinter option", 2021-10-20) and commit
d9403dcdc ("small fix", 2021-10-20).

Relates to #4607.
2022-01-05 19:02:52 -03:00
smitsohu
e20960ab45 deterministic-shutdown option 2021-10-28 13:41:52 +02:00
smitsohu
72e90164ec
Merge pull request #4521 from rusty-snake/disable-proc.inc
Create disable-proc.inc
2021-10-20 16:10:19 +02:00
a1346054
47f7347715
fix spelling (#4573) 2021-09-22 23:05:33 +02:00
rusty-snake
23f6bb9e2f Create disable-proc.inc 2021-09-09 17:06:23 +02:00
rusty-snake
1b6bdca8b7 Update profile.template to use disable-X11.inc 2021-09-08 12:37:16 +02:00
Reiner Herrmann
8278936e5f add disable-X11.inc to profile template 2021-08-14 22:50:34 +02:00
rusty-snake
40ad5ce594 Move disable-passwordmgr.inc into disable-common.inc/disable-programs.inc follow up 2021-08-12 19:41:46 +02:00
rusty-snake
8d3d67e896 Add wru to firefox-common, chromium-common and profile.template
Still unresolved:
> If someone who use systemd-resolved can say more which resolv.conf is necessary on such system.
> whitelist /run/systemd/resolve/resolv.conf
> whitelist /run/systemd/resolve/stub-resolv.conf
2021-08-04 16:34:38 +02:00
rusty-snake
f4b36e8032 Profile fixes
- Fix #4157 -- [Feature] Should rmenv GitHub auth tokens
  There are still more token variables from other program that should be
  added.
- Fix #4093 -- darktable needs read access to liblua*
- Fix #4383 -- move noblacklist ${HOME}/.bogofilter to email-common.profile for claws-mail (and other mailers)
- Fix xournalpp.profile
- syscalls.txt: ausyscall i386 -> firejail --debug-syscalls32
2021-08-04 16:33:11 +02:00
rusty-snake
bf886377ae Update etc/templates/syscalls.txt
Rework + suggest --seccomp-error-action=log
2021-07-28 09:30:16 +02:00
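Several commits in this log move syscalls between groups (`@default-keep`, the new `@program-keep`, `@obsolete`) and the syscalls.txt rework above suggests `--seccomp-error-action=log`. The following is an added example, not Firejail's code, of the mechanism those groups end up driving: a seccomp-BPF filter that applies one action to every member of a group and lets everything else through, installed in a forked child so the parent stays unfiltered. The group here is constructed for the example (`gettimeofday` and `settimeofday` stand in for an `@obsolete`-style list); `SECCOMP_RET_ERRNO | EPERM` is an errno action and `SECCOMP_RET_LOG` the log-only action that still allows the call. Function names and the child's exit codes are assumptions of this example.

```c
/* Added example (not Firejail code): a seccomp-BPF filter that applies one
 * action to a constructed syscall group and lets everything else through. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U
#endif

/* Constructed stand-in for an @obsolete-style group (two of the calls the
 * commits above move there). */
static const int obsolete_group[] = { SYS_gettimeofday, SYS_settimeofday };
#define OBSOLETE_LEN (sizeof obsolete_group / sizeof obsolete_group[0])

/* Layout: arch check (kill on mismatch), load nr, one compare per group
 * member jumping to `action`, fall-through to ALLOW.  Returns the instruction
 * count (n + 6) or -1 if `max` is too small. */
static int build_filter(struct sock_filter *prog, size_t max,
                        const int *group, size_t n, unsigned int action)
{
    size_t i = 0;
    if (max < n + 6) return -1;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)   /* jt skips the remaining compares and the ALLOW */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)group[k], (unsigned char)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, action);
    return (int)i;
}

static int install_filter(const int *group, size_t n, unsigned int action)
{
    struct sock_filter insns[32];
    int len = build_filter(insns, 32, group, n, action);
    if (len < 0) return -1;
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = insns };
    /* no_new_privs is mandatory for an unprivileged caller (Firejail sets it too). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

enum probe_result { PROBE_UNSUPPORTED = -1, PROBE_LEAKED = 0, PROBE_ENFORCED = 1 };

/* Installs the filter in a forked child and makes a raw, non-vDSO
 * gettimeofday call.  With an errno action the call must fail with that
 * errno; with SECCOMP_RET_LOG it must still succeed. */
static enum probe_result probe_group(unsigned int action)
{
    pid_t pid = fork();
    if (pid < 0) return PROBE_UNSUPPORTED;
    if (pid == 0) {
        struct timeval tv;
        if (install_filter(obsolete_group, OBSOLETE_LEN, action) != 0) _exit(10);
        errno = 0;
        long rc = syscall(SYS_gettimeofday, &tv, NULL);
        int ok = (action == SECCOMP_RET_LOG) ? rc == 0
               : (rc == -1 && errno == (int)(action & SECCOMP_RET_DATA));
        _exit(ok ? 11 : 12);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return PROBE_UNSUPPORTED;
    return WEXITSTATUS(status) == 11 ? PROBE_ENFORCED
         : WEXITSTATUS(status) == 12 ? PROBE_LEAKED : PROBE_UNSUPPORTED;
}

int main(void)
{
    printf("errno action: %d, log action: %d\n",
           probe_group(SECCOMP_RET_ERRNO | EPERM), probe_group(SECCOMP_RET_LOG));
    return 0;
}
```

Two caveats the probe is built around: libc's `gettimeofday()` normally goes through the vDSO and never reaches the filter, so only the raw `syscall()` form shows the effect (the same reason a time call's presence in a group does not by itself break a program); and `SECCOMP_RET_LOG` only produces an audit record when `kernel.seccomp.actions_logged` includes `log`, while always letting the call proceed. A process whose `prctl(PR_SET_SECCOMP)` is refused (some containers) reports PROBE_UNSUPPORTED rather than a false pass.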