The base-2 units are more accurate, as `--rlimit-as=1K` is equivalent to
`--rlimit-as=1024`, not `--rlimit-as=1000`, for example.
This is a follow-up to #6891.
Relates to #4315.
Changes:
* Remove unrelated `strerror` output from some error messages
* Remove periods from some error messages
* Ensure that the invalid value is in the error message
* Ensure that the full command name is in the error message (instead of
just `rlimit` in some cases)
* Standardize output
* tests: Expect the full command name (and argument in some cases)
Examples:
Before:
$ firejail --quiet --noprofile --rlimit-cpu=-1 /bin/true
Error: invalid rlimit -1
$ firejail --quiet --noprofile --rlimit-nproc=-1 /bin/true
Error: invalid rlimit -1
$ firejail --quiet --noprofile --rlimit-as=-1 /bin/true
Error: invalid rlimit-as. Only use positive numbers and K, M or G suffix.: No such file or directory
After:
$ firejail --quiet --noprofile --rlimit-cpu=-1 /bin/true
Error: invalid rlimit-cpu: -1
$ firejail --quiet --noprofile --rlimit-nproc=-1 /bin/true
Error: invalid rlimit-nproc: -1
$ firejail --quiet --noprofile --rlimit-as=-1 /bin/true
Error: invalid rlimit-as: -1; use only positive numbers and K, M or G suffix
This is a follow-up to #6891.
Relates to #4315.
Note: They are already sorted in the following files:
* contrib/syntax/lists/profile_commands_arg1.list
* src/firejail/usage.c
* src/man/firejail-profile.5.in
* src/man/firejail.1.in
* src/zsh_completion/_firejail.in
* test/environment/rlimit-bad-profile.exp
* test/environment/rlimit-bad.exp
Related commits:
* 137985136 ("Baseline firejail 0.9.28", 2015-08-08)
* caefb7929 ("RLIMIT_AS", 2017-10-13) / PR #1604
* e8685de73 ("implemented --rlimit-cpu - set max CPU time for processes
running in the sandbox; for issue #1614, more to come...", 2017-10-24)
For better usability and because the proper suffixes (KiB, MiB and GiB)
are uppercase.
Affected commands:
* `rlimit-as`
* `rlimit-fsize`
Before:
$ firejail --quiet --noprofile --rlimit-as=100m /bin/true
$ firejail --quiet --noprofile --rlimit-as=100M /bin/true
Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.: No such file or directory
After:
$ firejail --quiet --noprofile --rlimit-as=100m /bin/true
$ firejail --quiet --noprofile --rlimit-as=100M /bin/true
Relates to #4315.
Replace almost all debug `printf` calls with `debug_prctl` to reduce the
amount of duplication and `ifdefs`.
Note: There is one debug `printf` call that uses a different message
format, so it is left as is.
Command used to search and replace:
$ perl -0 -pi -e 's/#ifdef DEBUG_PRCTL\n(\s+)printf\("%s: %d, ([^\n]+)", __FUNCTION__, __LINE__([^\n]+)\n#endif/${1}debug_prctl("$2"$3/g; \
s/(debug_prctl\("event[^\n]+)/\t\t\t\t$1\n/g' \
src/firemon/procevent.c
Relates to #6792.
And improve the comment.
Fixes the following:
$ ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
sort: -:979: disorder: warzone2100
This amends commit 4422c9358 ("warzone2100 for Debian/Ubuntu -
/usr/bin/warzone2100 is a script calling /usr/bin/warzone2100.real",
2025-08-19).
Simplify the deallocation of `cmd` to make it easier to understand,
which looks like it would fix a potential memory leak of `cmd`:
    if (!cmd) {
        cmd = pid_proc_cmdline(pid); // alloc
    }
    if (add_new) {
        // ... // no dealloc
    }
    else if (proc_ev->what == PROC_EVENT_EXIT && pids[pid].level == 1) {
        // ... // no dealloc
    }
    else {
        // ...
        else {
            sprintf(lineptr, " %s\n", cmd);
            if (cmd != pids[pid].option.event.cmd) {
                free(cmd); // dealloc
            }
        }
        // ...
    }
This is a follow-up to commit 5ec00f70c ("fix: avoid cmd double-free in
procevent_monitor", 2025-07-31) / PR #6846.
Relates to #6792.
When checking if a .desktop file is valid, firecfg currently searches
for the first occurrence of `.desktop` in the filename and checks that
it is at the end of the string.
This fails if the filename contains multiple occurrences of `.desktop`,
such as the one for Telegram Desktop, `org.telegram.desktop.desktop`:
$ sudo firecfg
[...]
org.telegram.desktop.desktop skipped (not a .desktop file)
Instead, start the `.desktop` comparison from the last `.` character in
the filename.
This amends commit a9c851ee4 ("firecfg: use ignorelist also for .desktop
files", 2024-01-08) / PR #6153.
Fixes #6865.
Relates to #5245 #5876.
Reported-by: @tht2005
Reported-by: @rusty-snake
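The two checks side by side, as an added example written for this page rather than code taken from firecfg; it assumes bare file names (no directory part) and uses its own function names:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not firecfg's own code. Each function takes a bare file
 * name as firecfg sees it when it scans an applications directory. */

/* Old check described in the commit: locate the FIRST ".desktop" in the
 * name and require it to be the end of the string. */
bool is_desktop_file_first_match(const char *name) {
	const char *p = strstr(name, ".desktop");
	return p != NULL && strcmp(p, ".desktop") == 0;
}

/* Fixed check: compare from the LAST '.' in the name, so an earlier
 * ".desktop" component cannot shadow the real extension. */
bool is_desktop_file_last_dot(const char *name) {
	const char *p = strrchr(name, '.');
	return p != NULL && strcmp(p, ".desktop") == 0;
}

/* General form of the same fix: anchor the comparison at the end of the
 * string, independent of how many dots precede the extension. */
bool has_suffix(const char *name, const char *suffix) {
	size_t n = strlen(name), s = strlen(suffix);
	return n >= s && memcmp(name + n - s, suffix, s) == 0;
}

int main(void) {
	/* constructed sample names; only the first one comes from the report */
	const char *names[] = {
		"org.telegram.desktop.desktop",   /* skipped by the old check */
		"firefox.desktop",
		"firefox.desktop.bak",
		"desktop",
	};
	for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
		printf("%-30s first-match=%d last-dot=%d suffix=%d\n", names[i],
		       is_desktop_file_first_match(names[i]),
		       is_desktop_file_last_dot(names[i]),
		       has_suffix(names[i], ".desktop"));
	return 0;
}
```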
It looks like it could happen if a line in /etc/firejail/firejail.config
starts with `netfilter-default ` and there is a space or tab right after
that.
$ pacman -Q gcc14 glibc
gcc14 14.3.1+r25+g42e99e057bd7-1
glibc 2.42+r3+gbc13db739377-1
$ ./configure --enable-analyzer CC=gcc-14 >/dev/null &&
make clean >/dev/null && make >/dev/null
[...]
../../src/firejail/checkcfg.c: In function ‘checkcfg’:
../../src/firejail/checkcfg.c:137:40: warning: infinite loop [CWE-835] [-Wanalyzer-infinite-loop]
137 | while (*fname == ' ' || *fname == '\t')
| ^~~~~~
‘checkcfg’: events 1-5
|
| 137 | while (*fname == ' ' || *fname == '\t')
| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (2) if it ever follows ‘true’ branch, it will always do so...
| | (1) infinite loop here
| | (5) ...to here
| 138 | ptr++;
| | ~~~~~
| | |
| | (3) ...to here
| | (4) looping back...
|
[...]
Added on commit 340a6b2ee ("added netfilter-default config option in
/etc/firejail/firejail.config", 2016-07-28).
All other debug messages in procevent.c use the `%s: %d, ` format.
Note that by default this line is not actually compiled (unless
`DEBUG_PRCTL` is defined).
Added on commit d72a43af0 ("firemon fixes", 2016-02-29).
Kind of relates to #6792.
Changes:
* Use `strace --trace=%file` instead of `| grep open`, so that more
path-related syscalls are traced (rather than just `open*`)
* Always use `strace -f` to ensure that child processes are also traced
* Add an example using firejail + strace for `--private-etc`
* Improve formatting/grammar
* Add references between commands related to strace
Added on commit 9774ab8a3 ("private-etc rework: new man page",
2023-01-25) / issue #6400.
Misc: This was noticed on #6843.
There is a possible execution path in the procevent_monitor function
where the allocated memory for cmd may be deallocated twice.
This commit adds a check before deallocating the memory.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Clarify that `--net` should be used to create a new network namespace
before using a firejail command that needs to be executed inside a
(firejail) network namespace.
Example:
$ firejail --netfilter.print=10000
Switching to pid 10001, the first child process inside the sandbox
Error: the sandbox doesn't use a new network namespace (see --net)
Reported-by: @osevan
Relates to #6820.
Remove the `.PP` macro to avoid removing the indentation from the
preceding `.TP` in firejail-profile.5.in.
This also makes it more consistent with the description of
`landlock.enforce` in firejail.1.in.
This amends commit 760f50f78 ("landlock: move commands into profile and
add landlock.enforce", 2023-11-17) / PR #6125.
Relates to #6078.
Even when Landlock is in fact being enforced.
Also, mention the `landlock.enforce` command in the message.
This amends commit 760f50f78 ("landlock: move commands into profile and
add landlock.enforce", 2023-11-17) / PR #6125.
Relates to #6078 #6796.
Reported-by: @osevan
Apparently /etc/resolv.conf may be a regular file (instead of a symlink
to /run/systemd/resolve/resolv.conf) and owned by the "systemd-resolve"
user at the same time.
This is a follow-up to #6804.
Fixes #4545.
Relates to #1531.
The following CI jobs started failing since the GitHub Actions runner
image for ubuntu-22.04 was (automatically) upgraded from version
20250615.1.0[1] to 20250622.1.0[2]:
* test-fs
* test-environment
* test-network
Most/all fail with the same fcopy error message for the same path,
presumably due to using `private-etc`, as `localtime` is in the default
private-etc group (see the full log below):
Error fcopy: invalid ownership for /etc/localtime -> /usr/share/zoneinfo/Etc/UTC (type=- uid=1001 name=runner)
Error: failed to run /run/firejail/lib/fcopy, exiting...
In at least the newer runner image, `/usr/share/zoneinfo/Etc/UTC` is
owned by `runner:root` instead of the usual `root:root`, so add an
exception in fcopy to allow it.
From a run of the `test-fs` job for commit 1f92779d2 ("modif: improve
fcopy error messages in check() (#6801)", 2025-07-07) [3]:
make -C test private-etc
make[1]: Entering directory '/home/runner/work/firejail/firejail/test'
cd private-etc && ./private-etc.sh 2>&1 | tee private-etc.log
TESTING: private-etc (test/private-etc/private-etc.exp)
spawn /bin/bash
firejail --private-etc=passwd,group,resolv.conf,X11
runner@pkrvmdyo8zrnvmk:~/work/firejail/firejail/test/private-etc$
<firejail --private-etc=passwd,group,resolv.conf,X11
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/landlock-common.inc
** Note: you can use --noprofile to disable default.profile **
firejail version 0.9.75
Parent pid 4511, child pid 4512
Error fcopy: invalid ownership for /etc/localtime -> /usr/share/zoneinfo/Etc/UTC (type=- uid=1001 name=runner)
Error: failed to run /run/firejail/lib/fcopy, exiting...
Error: proc 4511 cannot sync with peer: unexpected EOF
Peer 4512 unexpectedly exited with status 1
runner@pkrvmdyo8zrnvmk:~/work/firejail/firejail/test/private-etc$ TESTING ERROR 1
Fixes #6797.
Relates to #6801.
[1] https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20250615.1
[2] https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20250622.1
[3] https://github.com/netblue30/firejail/actions/runs/16122142799/job/45490345354
Changes:
* Remove "file" from "invalid ownership" error message (`src` can also
be a directory)
* Print more error messages
* Include the source path, realpath, file type and uid/username of the
file owner where applicable
Relates to #6797.
As reported by @hlein in #6729, if a firejailed process is `^Z`'d at the
wrong time during startup, other firejail processes will be unable to
proceed because they'll wait forever for a flock on
`/run/firejail/firejail-run.lock`.
This builds upon commit f4b8c6dbb ("bugfix: fix potential deadlock with
flock + SIGTSTP (#6750)", 2025-05-21) to add a busy wait while
attempting to acquire a lock. This allows the application to bail out if
it fails to acquire a lock after a given timeout.
Behavior after this patch (we use SIGSTOP, as that cannot be
caught/ignored):
$ firejail --debug id & P=$!;sleep 0.00001;kill -STOP $P
[1] 14411
Looking for kernel processes
Found kthreadd process, we are not running in a sandbox
pid=14411: locking /run/firejail/firejail-run.lock ...
pid=14411: locked /run/firejail/firejail-run.lock
[1]+ Stopped firejail --debug id
$ firejail --debug ls
Looking for kernel processes
Found kthreadd process, we are not running in a sandbox
pid=14413: locking /run/firejail/firejail-run.lock ...
pid=14413: sleeping 500us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 1000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 2000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 4000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 8000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 16000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 32000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 64000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 128000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 256000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
Error: timeout occurred while trying to lock /run/firejail/firejail-run.lock
Error: ../../src/firejail/preproc.c:112: preproc_lock_file: flock: Resource temporarily unavailable
Enhances commit f4b8c6dbb ("bugfix: fix potential deadlock with flock +
SIGTSTP (#6750)", 2025-05-21).
Suggested-by: @hlein
Co-authored-by: @kmk3
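An added illustration of the back-off and timeout described above (example code written for this page, not firejail's preproc.c); the timeout value, the function names and the temporary-file path are assumptions of this example:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Added example, not firejail's preproc.c. It mirrors the back-off in the
 * debug output above (500us, doubling, capped at 500000us) and gives up
 * once timeout_us has elapsed; the real timeout value is not stated. */
static long now_us(void) {
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts);
	return ts.tv_sec * 1000000L + ts.tv_nsec / 1000;
}

/* Returns 0 once the exclusive flock is held, -1 with errno set otherwise
 * (EWOULDBLOCK when the deadline passed while another holder kept it). */
int lock_file_with_timeout(int fd, const char *path, long timeout_us) {
	const long start = now_us(), max_sleep_us = 500000;
	long sleep_us = 500;
	for (;;) {
		if (flock(fd, LOCK_EX | LOCK_NB) == 0)
			return 0;
		if (errno != EWOULDBLOCK && errno != EINTR)
			return -1;                         /* real error, not contention */
		if (now_us() - start >= timeout_us) {
			errno = EWOULDBLOCK;               /* caller reports the timeout */
			return -1;
		}
		fprintf(stderr, "pid=%d: sleeping %ldus while trying to lock %s\n",
		        (int)getpid(), sleep_us, path);
		usleep(sleep_us);
		sleep_us = sleep_us * 2 > max_sleep_us ? max_sleep_us : sleep_us * 2;
	}
}

/* Contention inside one process: a second open() has its own open file
 * description, so its flock() conflicts with the first. Returns 1 when b
 * timed out against a and then succeeded once a released the lock. */
int demo_lock_contention(long timeout_us) {
	char path[] = "/tmp/firejail-lock-example-XXXXXX";   /* constructed */
	int a = mkstemp(path), b = a < 0 ? -1 : open(path, O_RDWR), ok = 0;
	if (b >= 0 && lock_file_with_timeout(a, path, timeout_us) == 0) {
		ok = lock_file_with_timeout(b, path, timeout_us) != 0 && errno == EWOULDBLOCK;
		flock(a, LOCK_UN);                     /* holder exits: lock is freed */
		ok = ok && lock_file_with_timeout(b, path, timeout_us) == 0;
	}
	unlink(path); close(a); close(b);
	return ok;
}

int main(void) {
	printf("timeout then success: %d\n", demo_lock_contention(3000));
	return 0;
}
```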
It seems unable to open ebooks on Arch (even with `--noprofile` and
`--profile=noprofile`), likely due to webkitgtk / bwrap.
Error log[1]:
$ firejail --profile=noprofile /usr/bin/foliate
Reading profile /etc/firejail/noprofile.profile
firejail version 0.9.74
Parent pid 16189, child pid 16190
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Base filesystem installed in 0.01 ms
Child process initialized in 12.32 ms
MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:759: FINISHME: support YUV colorspace with DRM format modifiers
MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:790: FINISHME: support more multi-planar formats with DRM modifiers
bwrap: Can't mount proc on /newroot/proc: Operation not permitted
** (com.github.johnfactotum.Foliate:3): ERROR **: 23:16:32.030: Failed to fully launch dbus-proxy: Child process exited with code 1
Relates to #3647 #6782.
[1] https://github.com/netblue30/firejail/issues/6782#issuecomment-2982568811
Reported-by: @rsramkis
Include the relevant mount path(s).
Example:
Before:
$ firejail --debug --noprofile --blacklist=/run true
[...]
Disable /run
Disable /sys/fs
Failed mount: No such file or directory
Error: ../../src/firejail/fs.c:148: disable_file: disable file: No such file or directory
Error: proc 12345 cannot sync with peer: unexpected EOF
Peer 12345 unexpectedly exited with status 1
After:
$ firejail --debug --noprofile --blacklist=/run true
[...]
Disable /run
Disable /sys/fs
Failed to mount /run/firejail/firejail.ro.dir on /sys/fs: No such file or directory
Error: ../../src/firejail/fs.c:148: disable_file: disable file: No such file or directory
Error: proc 12345 cannot sync with peer: unexpected EOF
Peer 12345 unexpectedly exited with status 1
This helps clarify that it is not possible to blacklist /run, as
firejail uses files inside /run/firejail in order to set up the sandbox.
In the above example, when processing the first blacklist, firejail
bind-mounts /run/firejail/firejail.ro.dir (a directory with no
read/write/execute permissions) on top of /run, rendering /run/firejail
inaccessible. When attempting to process the next blacklist (for
/sys/fs), firejail is unable to access /run/firejail, so it fails to
bind mount /run/firejail/firejail.ro.dir on top of /sys/fs and aborts.
Relates to #6711 #6740.
As reported by @hlein[1]:
> A number of packages can't compile on Gentoo when various `*sum` tools
> are firejailed; they'll die like:
>
> ...
> -- Installing: /var/tmp/portage/dev-libs/protobuf-30.2/image/usr/lib64/cmake/protobuf/protobuf-options.cmake
> Error: too many arguments: argc (166) >= MAX_ARGS (128)
> * ERROR: dev-libs/protobuf-30.2::gentoo failed (install phase):
> ...
> * The specific snippet of code:
> * cksum=$(_multilib_header_cksum) || die;
>
> Same for various others.
>
> `_multilib_header_cksum` is defined in `eclass/multilib-build.eclass`
> and it does a `find ... -exec chksum {} +` - behaves similar to `xargs`.
> `chksum` is wrapped by `firecfg` by default.
>
> So this points out anything that uses `find ... -exec ... {} +` or
> `xargs` and runs a firejail'ed process is prone to failure. When building
> a couple hundred packages, these all failed this way:
>
> # find /var/tmp/portage/ -name build.log | xargs egrep -l MAX_ARGS |
> cut -d/ -f5,6 | uniq
> dev-libs/icu-77.1
> dev-libs/boost-1.88.0-r1
> dev-libs/protobuf-30.2
> media-video/ffmpeg-7.1.1-r1
> app-crypt/rpm-sequoia-1.8.0
> media-libs/opencv-4.11.0
> app-misc/binwalk-3.1.0-r1
> llvm-core/clang-19.1.7
> llvm-core/llvm-20.1.5
> x11-libs/wxGTK-3.2.8
>
> The largest of which being:
>
> # find /var/tmp/portage/ -name build.log | xargs egrep MAX_ARGS |
> cut -d\( -f2 | cut -d\) -f1 | sort -rn | head -n1
> 1438
Command used to search and replace:
$ perl -pi -e 's/^[^#]+sum/#$& # breaks with too many arguments (see #4633)/' \
src/firecfg/firecfg.config
Related commits:
* f7e232c1b ("Add profile for checksum tools", 2021-03-08) /
PR #4069
* 713249c98 ("sha256sum: add nvm support comment", 2022-03-20) /
PR #5058
* 7176e6324 ("private-etc: libreoffice, audacity, forzen-bubble,
transmission, md5sum/sha512sum, more sysutils testing, fix
electron-hardened.inc.profile", 2023-02-08)
* 028d236b8 ("profiles: firecfg: fix sha384sum & add b2sum/cksum
(#6578)", 2024-12-26)
* afce4679b ("New profile: b3sum (blake3) (#6577)", 2024-12-26)
Relates to #4633.
[1] https://github.com/netblue30/firejail/issues/4633#issuecomment-2889232775
Reported-by: @hlein
As reported by @hlein in #6729, if a firejailed process is `^Z`'d at the
wrong time during startup, other firejail processes will be unable to
proceed because they'll wait forever for a flock on
`/run/firejail/firejail-run.lock`.
This fixes that by installing a signal handler to catch SIGTSTP (Ctrl-Z)
before acquiring locks. The handler increments a flag to allow for
re-sending the SIGTSTP signal after locks have been released.
Deadlock Reproducer:
Note: The length of the sleep should be adjusted until the debug output
resembles the output below:
$ firejail --debug id & P=$!;sleep 0.0005;kill -TSTP $P
[1] 16130
Looking for kernel processes
Found kthreadd process, we are not running in a sandbox
pid=16130: locking /run/firejail/firejail-run.lock ...
pid=16130: locked /run/firejail/firejail-run.lock
[1]+ Stopped firejail --debug id
Further calls to firejail will hang due to the stopped process holding
the firejail-run lock.
$ firejail id
^C
With this commit:
$ firejail --debug id & P=$!;sleep 0.0005;kill -TSTP $P
[1] 16504
Looking for kernel processes
Found kthreadd process, we are not running in a sandbox
pid=16504: locking /run/firejail/firejail-run.lock ...
pid=16504: locked /run/firejail/firejail-run.lock
pid=16504: caught SIGTSTP while locks are held
pid=16504: unlocking /run/firejail/firejail-run.lock ...
pid=16504: unlocked /run/firejail/firejail-run.lock
pid=16504: resending caught SIGTSTP
[1]+ Stopped firejail --debug id
Due to the locks being properly released before the process is stopped,
new firejail processes will not hang while acquiring the lock.
Fixes #6729.
Reported-by: @hlein
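An added illustration of the handler described above (example code written for this page, not firejail's own); the flag names, function names and temporary-file path are this example's assumptions:

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Added example, not firejail's preproc.c. While a lock is held, SIGTSTP is
 * caught and only counted; after the last release the stop is re-sent, so
 * job control still works. All names below are this example's own. */
static volatile sig_atomic_t locks_held = 0;
static volatile sig_atomic_t tstp_pending = 0;

static void on_sigtstp(int sig) {
	if (locks_held > 0) { tstp_pending++; return; }   /* defer: would keep lock */
	signal(sig, SIG_DFL);                  /* no lock held: default action */
	raise(sig);
}

void install_tstp_handler(void) {          /* call before taking any lock */
	struct sigaction sa = { 0 };
	sa.sa_handler = on_sigtstp;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGTSTP, &sa, NULL);
}

int lock_acquire(int fd) {
	if (flock(fd, LOCK_EX) != 0) return -1;
	locks_held++;
	return 0;
}

int lock_release(int fd) {                 /* returns deferred SIGTSTP count */
	flock(fd, LOCK_UN);
	if (--locks_held > 0) return 0;        /* another lock is still held */
	int n = tstp_pending;
	tstp_pending = 0;
	return n;
}

void resend_deferred_stop(int pending) {   /* caller: after lock_release() */
	if (pending <= 0) return;
	signal(SIGTSTP, SIG_DFL);
	raise(SIGTSTP);                        /* stops here, lock already free */
	install_tstp_handler();                /* re-arm once continued */
}

/* Self-check: a SIGTSTP raised while the lock is held must not stop the
 * process; it is deferred and handed back by lock_release() (expected 1). */
int demo_deferred_stop(void) {
	char path[] = "/tmp/firejail-tstp-example-XXXXXX";   /* constructed */
	int fd = mkstemp(path);
	if (fd < 0) return -1;
	install_tstp_handler();
	lock_acquire(fd);
	raise(SIGTSTP);                        /* caught by on_sigtstp, counted */
	int deferred = lock_release(fd);
	unlink(path); close(fd);
	return deferred;
}
```

Calling resend_deferred_stop(demo_deferred_stop()) from an interactive shell stops the job only after the lock file has been released, which is the ordering the debug output above shows.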
Some objects are created in fs_dev but not labeled. This patch ensures
that those objects are properly labeled.
Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net>
For consistency, use the conventional autoconf variable name (see also
config.mk.in).
Commands used to search and replace:
$ git grep -Ilz '_SYSCONFDIR_' | xargs -0 \
perl -pi -e 's/_SYSCONFDIR_/\@sysconfdir\@/'
Added on commit a37ffc337 ("Add first version of zsh completion",
2021-01-02) / PR #3864.