Commit graph

10973 commits

Author SHA1 Message Date
Kelvin M. Klann
a4e6495fd1
modif: do not follow symlinks to /dev/null on disable (#7129)
When trying to prevent a file or directory in the user home from being
written to, it is not uncommon to replace it with a symlink to
/dev/null.

If this path is also blacklisted (such as by disable-common.inc), the
symlink will be followed, resulting in /dev/null itself being
blacklisted, which can cause issues with (unrelated) programs that have
their output redirected to /dev/null (for example).

To avoid disabling /dev/null, when applying commands from
`disable_file()` (such as `blacklist` and `read-only`), if a file is a
symlink to /dev/null, avoid following the symlink and perform the
operation on the link itself instead.

Using these commands with "/dev/null" directly as the argument (that is,
without going through a symlink) should still work the same way.

It has been confirmed to work on Linux 3.8[1], so it should work on at
least 3.8 and later.

Closes #5803.

[1] https://github.com/netblue30/firejail/pull/7129#issuecomment-4233141574

Reported-by: @fgpietersz
Suggested-by: @Changaco
Tested-by: @Changaco
Tested-by: @Zopolis4
2026-04-17 18:30:28 +00:00
Kelvin M. Klann
a7a66c5e6e new_syscalls.txt: fix trailing whitespace
This amends commit e9cccefe1 ("update all system call headers",
2026-03-05).
2026-04-17 15:29:25 -03:00
Kelvin M. Klann
2e359f2609 RELNOTES: reword/move bugfix to build item
The `bugfix` items are usually for user-visible program changes, as most
users are unlikely to care about code refactorings and changes that only
affect the code in general.

`build` is usually used for:

* Build system fixes and changes (configure/make)
* Fixes for errors/warnings from compilers and static analysis tools
* As a catch-all for refactorings in the code and scripts (as the
  changes are usually similar to fixing compiler warnings)

Added on commit b993ce458 ("RELNOTES: add modif, build, profile and
bugfix items", 2026-04-16).
2026-04-17 04:01:32 -03:00
Kelvin M. Klann
6f91a18794 RELNOTES: reword build item
Remove commit reference for consistency with the other items and quote
`_` to improve the output when copying the text to a GitHub Release
(where it is treated as markdown).

This amends commit b993ce458 ("RELNOTES: add modif, build, profile and
bugfix items", 2026-04-16).

Relates to #7127.
2026-04-17 03:57:35 -03:00
Kelvin M. Klann
6570a145b1 README: add missing items
This amends commit b993ce458 ("RELNOTES: add modif, build, profile and
bugfix items", 2026-04-16).

Relates to #7120 #7124.
2026-04-16 16:12:18 -03:00
pierretom
b993ce4580 RELNOTES: add modif, build, profile and bugfix items 2026-04-16 18:34:42 +02:00
pierretom
156593d254 remove the unused variable remove_cnt in src/fsec-optimize/optimizer.c 2026-04-16 18:01:51 +02:00
Kelvin M. Klann
f2f099cd65 fnettrace_common.h: remove extraneous include of sys/ioctl.h
No build errors without it, so it should be fine to remove as well.

This amends commit 8af07d8a2 ("build: merge fnettrace headers into
`fnettrace_common.h` (#7127)", 2026-04-13).
2026-04-13 13:16:27 -03:00
pierretom
8af07d8a2d
build: merge fnettrace headers into fnettrace_common.h (#7127)
It's redundant, plus `fnettrace_icmp.h` and `fnettrace_sni.h` use the
same guard macro.
2026-04-13 16:10:03 +00:00
debugur
76c1c8539a
profiles: disable-common: add xfce clipman path (#7120)
Protect clipman files.
2026-04-06 20:00:39 +00:00
e07510100f
build: remove unused install.sh (#7124)
install.sh was used for AC_PROG_INSTALL, which was removed in
4421517c55 (corresponding PR #5133)

From the manual of GNU Autoconf (version 2.73):

>     Autoconf comes with a copy of ‘install-sh’ that you can use.  If
>     you use ‘AC_PROG_INSTALL’, you must include ‘install-sh’ in your
>     distribution; otherwise ‘autoreconf’ and ‘configure’ will produce
>     an error message saying they can’t find it—even if the system
>     you’re on has a good ‘install’ program.  This check is a safety
>     measure to prevent you from accidentally leaving that file out,
>     which would prevent your package from installing on systems that
>     don’t have a BSD-compatible ‘install’ program.

If install-sh wasn't found, configure would check for install.sh in
srcdir. install.sh is a placeholder that does nothing; without it,
configure would abort.
2026-04-02 11:55:42 +00:00
dependabot[bot]
ca88d166da build(deps): bump step-security/harden-runner from 2.15.0 to 2.16.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.15.0 to 2.16.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](a90bcbc653...fe10465874)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.16.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 15:46:56 +00:00
dependabot[bot]
21d5bd728f build(deps): bump github/codeql-action from 4.32.4 to 4.35.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](89a39a4e59...c10b8064de)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-01 15:46:38 +00:00
pierretom
9d90daff22 create a new syscall group: @program-keep
`@default-keep` should be used for syscalls used by Firejail itself only.
We are moving some syscalls from `@default-keep` that do not meet this condition into the new group `@program-keep`.
Syscalls in `@program-keep` are not forced to whitelist (we let users decide), but should never be present in `@default` and its sub-groups.

Also move `execv` into `@obsolete` (sparc only, replaced by `execve`).
2026-04-01 14:26:38 +02:00
Kelvin M. Klann
ae1858d1fa RELNOTES: add docs, build and profile items
Relates to #7083 #7084 #7106 #7108 #7109 #7110 #7112.
2026-03-26 14:43:34 -03:00
Kelvin M. Klann
cb12f77632
docs: recommend .deb or building from source on debian/ubuntu (#7110)
Most recent releases:

* firejail 0.9.72: 2023-01-16
* firejail 0.9.74: 2025-03-24
* firejail 0.9.76: 2025-07-30
* firejail 0.9.78: 2026-01-03
* firejail 0.9.80: 2026-03-14

firejail 0.9.76 was released over 6 months ago, but the packages from
both Debian stable (13 / Trixie) and the Ubuntu PPA appear to still be
on firejail 0.9.74, which is over 1 year old[1] [2].

As for installing firejail through Debian backports, it is unclear to me
if that is currently working and if so, which firejail version would be
installed on each Debian version.

Lastly, the packages on Ubuntu seem to still be on firejail 0.9.72,
which is over 3 years old, even on the latest Ubuntu 25.10 and on the
upcoming Ubuntu 26.04[3].

So to avoid bugs and bug reports caused by old firejail versions,
recommend either installing the release .deb file from GitHub or
building from source on Debian/Ubuntu.

Relates to #6842 #7060.

[1] https://tracker.debian.org/pkg/firejail
[2] https://launchpad.net/~deki/+archive/ubuntu/firejail
[3] https://launchpad.net/ubuntu/+source/firejail
2026-03-26 16:32:18 +00:00
sofoxe1
7cb4c6034b
profiles: mumble: include whitelist-runuser-common (#7084) 2026-03-25 13:49:42 +00:00
Kelvin M. Klann
fb4dc873de profiles: disable-exec: split mount paths
The mount paths in disable-exec.inc are the exact same ones as in
disable-write-mnt.inc, so split them into their own list and add a note
above each list to keep them in sync with each other.

This amends commit 98c3b41bc ("disable-exec: add mount points",
2026-03-20) / PR #7112.
2026-03-22 07:29:57 -03:00
pierretom
240b602282
Merge pull request #7112 from pierretom/patch20
profiles: disable-exec: add mount points
2026-03-22 04:14:22 +01:00
Kelvin M. Klann
fc2b80ae7b
build: fix empty lists in syscall.c breaking compilation (#7109)
If no syscalls are defined (such as with an older kernel) inside of a
`.list` element, then compilation breaks due to a syntax error:

      .list =
    },

For example, `SYS_memfd_create` and `SYS_memfd_secret` are apparently
not defined on Linux 3.8, which is used on 32-bit x86 Chromebooks:

    $ make clean >/dev/null && make CFLAGS+='-march=i686 -m32'
    [...]
    gcc -ggdb -O2 -DVERSION='"0.9.81"' [...] -march=i686 -m32 -c ../../src/lib/syscall.c -o ../../src/lib/syscall.o
    ../../src/lib/syscall.c:907:9: error: expected expression before ‘}’ token
      907 |         },
          |         ^
    make[1]: *** [../../src/prog.mk:25: ../../src/lib/syscall.o] Error 1

Also, syscall lists cannot be empty (`""`), so ensure that
`__dummy_syscall__` appears in every list as the last element for
simplicity.

This makes every non-dummy syscall string in the source code end with
`,` (including the last item, which makes sorting them easier) and
removes the need for checking all syscall macros in each list before
adding `__dummy_syscall__`.

Related commits:

* 34ee8e03f ("Seccomp: system call grouping and call numbers",
  2017-08-06)
* 88a75a650 ("add a new option `--debug-syscall-groups` - part 1",
  2026-01-31) / PR #7049
* a3f352521 ("update system call groups - part 3", 2026-01-18) / PR
  #7034

Fixes #7108.

Reported-by: @Zopolis4
2026-03-20 12:52:06 +00:00
pierretom
98c3b41bc9 disable-exec: add mount points
Example case: you want to access the photos and have scripts or binaries on the same USB flash drive.
Let's set mount points not executable in disable-exec.inc.
2026-03-20 09:33:34 +01:00
sofoxe1
eed8f78fd9
profiles: disable-programs: add lact paths (#7083)
https://github.com/ilya-zlobintsev/LACT
2026-03-16 08:05:57 +00:00
Fabian Foerg
ae2701ac2c
docs: man: fix typo in example (#7106)
The description of a command references the wrong network interface.
2026-03-16 07:59:00 +00:00
Kelvin M. Klann
811e0fb0a0 docs: update supported version to 0.9.80
Relates to #7016.
2026-03-15 03:06:35 -03:00
netblue30
4b3ab56040 README.md 2026-03-14 08:54:39 -04:00
netblue30
59c9598a1b rel 0.9.81 start 2026-03-14 08:36:05 -04:00
netblue30
13604ce284 release 0.9.80 2026-03-14 08:20:32 -04:00
Kelvin M. Klann
cbff43bffe RELNOTES: add blobby profile item
Relates to #7102.
2026-03-13 23:51:52 -03:00
dogknowsnx
b07e47ea59
profiles: blobby: allow lua (#7102)
Environment: `firejail version 0.9.79`.

Fixes error:

    $ firejail blobby
    Reading profile /etc/firejail/blobby.profile
    blobby: error while loading shared libraries: liblua5.2.so.5.2: cannot open shared object file: Permission denied
2026-03-14 02:49:57 +00:00
Kelvin M. Klann
c62139cf9a RELNOTES: reword/sort modif items
Related commits:

* 6a6ff981b ("add a syscall header for the x32 ABI", 2026-03-05)
* 3db2e976e ("update: s390 syscall table is only for 64-bit now",
  2026-03-05)
* e9cccefe1 ("update all system call headers", 2026-03-05)
* 19224d8fb ("RELNOTES: add syscall headers update items", 2026-03-13)
2026-03-13 23:47:03 -03:00
pierretom
19224d8fb2 RELNOTES: add syscall headers update items 2026-03-13 12:51:22 +01:00
Kelvin M. Klann
fcb7860f2e RELNOTES: improve test and profile items
Reword, move and add missing item.

This amends commit 221981585 ("merges", 2026-03-12).

Relates to #7099 #7100.
2026-03-13 03:27:50 -03:00
netblue30
221981585c merges 2026-03-12 09:05:03 -04:00
netblue30
f71bc87868
Merge pull request #7100 from powerjungle/master
new profile: halloy IRC client
2026-03-12 09:02:11 -04:00
netblue30
fc1323db2a
Merge pull request #7099 from TheJJ/fix-strace-colors
tests: fix strace color probing in allow-debuggers & seccomp-ptrace
2026-03-12 08:59:23 -04:00
Kelvin M. Klann
09edc29b36
profiles: halloy: sort misc 2026-03-12 07:07:06 +00:00
Kelvin M. Klann
06a42773da
profiles: halloy: format misc 2026-03-12 07:05:52 +00:00
Kelvin M. Klann
11de349831 RELNOTES: remove issue reference
Remove `--keep-hostname` issue, as it was replaced with
`--hostname-randomize`.

Related commits:

* 09329b990 ("modif: replace --keep-hostname with new
  --hostname-randomize", 2026-03-07) / PR #7095

Relates to #7062 #7069 #7095.
2026-03-12 03:50:55 -03:00
Kelvin M. Klann
b67ea0a2a7 README: add bugfix item
Relates to #7098.
2026-03-12 03:41:27 -03:00
Kelvin M. Klann
1ffa5e5600 RELNOTES: add bugfix item
Relates to #7098.
2026-03-12 03:40:32 -03:00
pierretom
05e0d44288
bugfix: lib: fix memory leaks in syscall_in_list() (#7098)
`asprintf()` overwrites the value of `ptr->xxx` with the new pointer.
Result: the older allocation is never freed.
2026-03-12 06:39:38 +00:00
powerjungle
6755ec8aa0
profiles: new profile for halloy IRC client
https://halloy.chat
2026-03-11 20:18:15 +01:00
Jonas Jelten
92f7be5192 testing: fix strace color probing in allow-debuggers & seccomp-ptrace
If strace runs in a terminal, it probes the background color to select
its color palette. This probing expects a reply, but due to expect
intercepting the io, the answer isn't sent back to strace, so it never
starts printing the expected output.
2026-03-11 13:43:14 +01:00
netblue30
e01e2c1740
Merge pull request #7095 from kmk3/add-hostname-randomize
modif: replace --keep-hostname with new --hostname-randomize
2026-03-09 07:55:29 -04:00
Kelvin M. Klann
09329b990f modif: replace --keep-hostname with new --hostname-randomize
Changes:

* Keep hostname by default (same as using `--keep-hostname`)
* Add `--hostname-randomize` command to randomize the hostname
* Ignore `--keep-hostname` command and print a warning if it is used

Setting a different hostname inside of the sandbox may prevent X11
programs from authenticating to the X server and displaying windows at
all (see #7062).

To avoid breakage, keep the hostname as is by default and only set it to
a random value if a new `hostname-randomize` command is used.

This also avoids potentially surprising behavior, as the user might not
expect the hostname to be changed inside of the sandbox, considering
that usually the protections that are applied by firejail involve
restricting access to resources (like file paths), rather than modifying
their values inside of the sandbox.

Fixes #7062

Relates to #7048 #7069.
2026-03-08 02:12:26 -03:00
Kelvin M. Klann
2e9a96bbdb RELNOTES: improve/move some ci items to test items
Fix formatting, reword, add commit reference and move.

The changes related to the items in question were made to not only the
CI files in .github/workflows, but also to the local test files and
scripts.

So use test items to clarify that their changes are not just strictly CI
changes.

Add a commit reference just to the "make test-compile" item because the
other items seem to relate to many commits.
2026-03-07 09:04:09 -03:00
Kelvin M. Klann
afa71cbf72 RELNOTES: add issue references for feature/modif items
Replace commit references with issue references.

Related commits:

* cbb7a3897 ("make Xephyr default for --x11 obption - currently Xpra is
  not available in Debian/Ubuntu and derivatives", 2026-01-17)
* c13331305 ("adding apparmor profiles for --nettrace option",
  2026-02-11)

Relates to #7093 #7094.
2026-03-07 09:04:09 -03:00
Kelvin M. Klann
3b55e6eb5e RELNOTES: add issue references for build items (removals)
Replace commit references with issue references.

Related commits:

* 5c7c58f6e ("rework make test-compile", 2026-01-20)
* a655b7d1b ("removed ./configure --disable-man option", 2026-01-21)
* f571fb5c7 ("tests: compile: remove leftover --disable-man test",
  2026-01-25)
* b214d080e ("removed ./configure --disable-usertmpfs option",
  2026-01-21)

Relates to #7091 #7092.
2026-03-07 09:04:09 -03:00
pierretom
e7161010b8 fix the indentation 2026-03-07 09:00:15 +01:00
pierretom
0a786af928 include the syscall header for the x32 ABI
Also add the new syscall `rseq_slice_yield` to the `@process` group.
2026-03-05 15:40:49 +01:00