Add the mesa path and the old nvidia path:
* `~/.cache/mesa_shader_cache`
* `~/.nv`
This is a follow-up to commit 263f576d2 ("profiles: steam: whitelist
.cache/nvidia (#7114)", 2026-04-23).
Currently it is not possible to use XDG-related macros (such as
`${DOCUMENTS}`) with subpaths (such as `${DOCUMENTS}/foo`) and so
profiles just use `${HOME}` with a hardcoded path using the English
directory name and the subpath (such as `${HOME}/Documents/foo`).
Allow using subpaths after XDG macros, so that they automatically use
the auto-detected XDG path, just as when currently using the XDG macros
without subpaths.
Before:
${HOME}/Documents/foo
After:
${DOCUMENTS}/foo
This is a follow-up to #7147.
Closes #2359.
Relates to #4229.
The test is failing at multiple parts in CI due to timeouts.
From [1]:
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$
<=./macro-blacklist.profile ls ~/Videos; echo ret $?
Reading profile ./macro-blacklist.profile
firejail version 0.9.81
Parent pid 6385, child pid 6386
Base filesystem installed in 0.25 ms
firejail ls /home/runner/Videos
Child process initialized in 7.58 ms
ls: cannot open directory '/home/runner/Videos': Permission denied
Parent is shutting down, bye...
ret 2
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$
<le touch ~/Desktop/_firejail_test_file; echo ret $?
Reading profile ./macro-readonly.profile
firejail version 0.9.81
Parent pid 6390, child pid 6391
Base filesystem installed in 3.23 ms
TESTING ERROR 19
From [2]:
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$
<macro-blacklist.profile ls ~/Documents; echo ret $?
Reading profile ./macro-blacklist.profile
firejail version 0.9.81
Parent pid 6382, child pid 6383
Base filesystem installed in 0.26 ms
firejail ls /home/runner/Documents
Child process initialized in 7.84 ms
ls: cannot open directory '/home/runner/Documents': Permission denied
Parent is shutting down, bye...
ret 2
runner@runnervmrc6n4:~/work/firejail/firejail/test/fs$
<macro-blacklist.profile ls ~/Downloads; echo ret $?
Reading profile ./macro-blacklist.profile
firejail version 0.9.81
Parent pid 6387, child pid 6388
Base filesystem installed in 0.25 ms
firejail ls /home/runner/Downloads
TESTING ERROR 11
This amends commit 574885778 ("test/fs/macro.exp: reduce timeout and
sleep", 2026-04-24) / PR #7147.
[1] https://github.com/netblue30/firejail/actions/runs/25076422708/job/73470137137
[2] https://github.com/netblue30/firejail/actions/runs/25076422708/job/73522630528
Fail faster instead of waiting for the timeout.
See also commit a4e6495fd ("modif: do not follow symlinks to /dev/null
on disable (#7129)", 2026-04-17).
Use `_firejail_test_file` instead of `blablabla`, as the former is a
more common filename in tests and is what is actually removed in
test/fs/fs.sh.
Related commits:
* 2155203b3 ("xdg macro testing", 2018-08-07)
* 188d5f16d ("--profile=FILE rework (#6896)", 2026-01-05)
Debian has a separate "firejail-profiles" package for the profiles
(besides the main "firejail" package), which conflicts with our package
when trying to install it[1]:
$ sudo dpkg -i firejail_0.9.80_1_amd64.deb
FAIL: (Reading database ... 238526 files and directories currently installed.)
Preparing to unpack ./firejail_0.9.80_1_amd64.deb ...
Unpacking firejail (0.9.80-1) over (0.9.74-1~0ubuntu22.04.0) ...
dpkg: error processing archive ./firejail_0.9.80_1_amd64.deb (--install):
trying to overwrite '/etc/firejail/0ad.profile', which is also in package firejail-profiles 0.9.74-1~0ubuntu22.04.0
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
./firejail_0.9.80_1_amd64.deb
So add a `Conflicts:` line for "firejail-profiles".
Relates to #7110.
[1] https://github.com/netblue30/firejail/issues/7072#issuecomment-4273240052
Reported-by: @ginto37
When trying to prevent a file or directory in the user home from being
written to, it is not uncommon to replace it with a symlink to
/dev/null.
If this path is also blacklisted (such as by disable-common.inc), the
symlink will be followed, resulting in /dev/null itself being
blacklisted, which can cause issues with (unrelated) programs that have
their output redirected to /dev/null (for example).
To avoid disabling /dev/null, when applying commands from
`disable_file()` (such as `blacklist` and `read-only`), if a file is a
symlink to /dev/null, avoid following the symlink and perform the
operation on the link itself instead.
Using these commands with "/dev/null" directly as the argument (that is,
without going through a symlink) should still work the same way.
It has been confirmed to work on Linux 3.8[1], so it should work on at
least 3.8 and later.
Closes #5803.
[1] https://github.com/netblue30/firejail/pull/7129#issuecomment-4233141574
Reported-by: @fgpietersz
Suggested-by: @Changaco
Tested-by: @Changaco
Tested-by: @Zopolis4
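The check described above, as an added example in C (not firejail's own code; `is_symlink_to_dev_null`, `disable_target` and the `devnull_demo` fixture are assumed names): a path that is a symlink to /dev/null is returned unchanged so the operation lands on the link, while every other path is canonicalised with `realpath()` as before.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/stat.h>

// Returns 1 if path is a symlink whose target resolves to /dev/null.
int is_symlink_to_dev_null(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISLNK(st.st_mode))
        return 0;
    char target[PATH_MAX];
    if (realpath(path, target) == NULL)  // dangling link: not /dev/null
        return 0;
    return strcmp(target, "/dev/null") == 0;
}

// Fill out with the path a blacklist/read-only operation should act on.
// Returns 0 on success, -1 if the path cannot be resolved or is too long.
int disable_target(const char *path, char *out, size_t outlen) {
    char resolved[PATH_MAX];
    const char *src = path;               // act on the link itself
    if (!is_symlink_to_dev_null(path)) {  // normal case: follow symlinks
        if (realpath(path, resolved) == NULL) return -1;
        src = resolved;
    }
    if (strlen(src) >= outlen) return -1;
    strcpy(out, src);
    return 0;
}

// Self-check on a constructed fixture in a temp dir. Returns a bitmask:
// bit0 = link to /dev/null is kept as the link, bit1 = regular file is
// resolved normally, bit2 = "/dev/null" given directly stays unchanged.
int devnull_demo(void) {
    char dir[] = "/tmp/devnull_demo_XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char link[PATH_MAX], file[PATH_MAX], out[PATH_MAX];
    snprintf(link, sizeof link, "%s/config", dir);
    snprintf(file, sizeof file, "%s/data", dir);
    if (symlink("/dev/null", link) != 0) return -1;
    FILE *f = fopen(file, "w"); if (!f) return -1; fclose(f);
    int mask = 0;
    if (disable_target(link, out, sizeof out) == 0 && strcmp(out, link) == 0) mask |= 1;
    if (disable_target(file, out, sizeof out) == 0 && strcmp(out, "/dev/null") != 0 && strstr(out, "/data")) mask |= 2;
    if (disable_target("/dev/null", out, sizeof out) == 0 && strcmp(out, "/dev/null") == 0) mask |= 4;
    unlink(link); unlink(file); rmdir(dir);
    return mask;
}
```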
The `bugfix` items are usually for user-visible program changes, as most
users are unlikely to care about code refactorings and changes that only
affect the code in general.
`build` is usually used for:
* Build system fixes and changes (configure/make)
* Fixes for errors/warnings from compilers and static analysis tools
* As a catch-all for refactorings in the code and scripts (as the
changes are usually similar to fixing compiler warnings)
Added on commit b993ce458 ("RELNOTES: add modif, build, profile and
bugfix items", 2026-04-16).
Remove commit reference for consistency with the other items and quote
`_` to improve the output when copying the text to a GitHub Release
(where it is treated as markdown).
This amends commit b993ce458 ("RELNOTES: add modif, build, profile and
bugfix items", 2026-04-16).
Relates to #7127.
No build errors without it, so it should be fine to remove as well.
This amends commit 8af07d8a2 ("build: merge fnettrace headers into
`fnettrace_common.h` (#7127)", 2026-04-13).
install.sh was used for AC_PROG_INSTALL, which was removed in
4421517c55 (corresponding PR #5133).
From the manual of GNU Autoconf (version 2.73):
> Autoconf comes with a copy of ‘install-sh’ that you can use. If
> you use ‘AC_PROG_INSTALL’, you must include ‘install-sh’ in your
> distribution; otherwise ‘autoreconf’ and ‘configure’ will produce
> an error message saying they can’t find it—even if the system
> you’re on has a good ‘install’ program. This check is a safety
> measure to prevent you from accidentally leaving that file out,
> which would prevent your package from installing on systems that
> don’t have a BSD-compatible ‘install’ program.
If install-sh wasn't found, configure would check for install.sh in
srcdir. install.sh is a placeholder that does nothing; without it,
configure would abort.
`@default-keep` should be used for syscalls used by Firejail itself only.
We are moving some syscalls from `@default-keep` that do not meet this condition into the new group `@program-keep`.
Syscalls in `@program-keep` are not forced to whitelist (we let users decide), but should never be present in `@default` and its sub-groups.
Also move `execv` into `@obsolete` (sparc only, replaced by `execve`).
Most recent releases:
* firejail 0.9.72: 2023-01-16
* firejail 0.9.74: 2025-03-24
* firejail 0.9.76: 2025-07-30
* firejail 0.9.78: 2026-01-03
* firejail 0.9.80: 2026-03-14
firejail 0.9.76 was released over 6 months ago, but the packages from
both Debian stable (13 / Trixie) and the Ubuntu PPA appear to still be
on firejail 0.9.74, which is over 1 year old[1] [2].
As for installing firejail through Debian backports, it is unclear to me
if that is currently working and if so, which firejail version would be
installed on each Debian version.
Lastly, the packages on Ubuntu seem to still be on firejail 0.9.72,
which is over 3 years old, even on the latest Ubuntu 25.10 and on the
upcoming Ubuntu 26.04[3].
So to avoid bugs and bug reports caused by old firejail versions,
recommend either installing the release .deb file from GitHub or
building from source on Debian/Ubuntu.
Relates to #6842, #7060.
[1] https://tracker.debian.org/pkg/firejail
[2] https://launchpad.net/~deki/+archive/ubuntu/firejail
[3] https://launchpad.net/ubuntu/+source/firejail
The mount paths in disable-exec.inc are the exact same ones as in
disable-write-mnt.inc, so split them into their own list and add a note
above each list to keep them in sync with each other.
This amends commit 98c3b41bc ("disable-exec: add mount points",
2026-03-20) / PR #7112.
If no syscalls are defined (such as with an older kernel) inside of a
`.list` element, then compilation breaks due to a syntax error:
.list =
},
For example, `SYS_memfd_create` and `SYS_memfd_secret` are apparently
not defined on Linux 3.8, which is used on 32-bit x86 Chromebooks:
$ make clean >/dev/null && make CFLAGS+='-march=i686 -m32'
[...]
gcc -ggdb -O2 -DVERSION='"0.9.81"' [...] -march=i686 -m32 -c ../../src/lib/syscall.c -o ../../src/lib/syscall.o
../../src/lib/syscall.c:907:9: error: expected expression before ‘}’ token
907 | },
| ^
make[1]: *** [../../src/prog.mk:25: ../../src/lib/syscall.o] Error 1
Also, syscall lists cannot be empty (`""`), so ensure that
`__dummy_syscall__` appears in every list as the last element for
simplicity.
This makes every non-dummy syscall string in the source code end with
`,` (including the last item, which makes sorting them easier) and
removes the need for checking all syscall macros in each list before
adding `__dummy_syscall__`.
Related commits:
* 34ee8e03f ("Seccomp: system call grouping and call numbers",
2017-08-06)
* 88a75a650 ("add a new option `--debug-syscall-groups` - part 1",
2026-01-31) / PR #7049
* a3f352521 ("update system call groups - part 3", 2026-01-18) / PR
#7034
Fixes #7108.
Reported-by: @Zopolis4
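The list layout described above, as an added example in C (not the code from src/lib/syscall.c; `keep_list`, `count_real_syscalls` and `ends_with_dummy` are assumed names): every real entry ends with `,` and `__dummy_syscall__` always closes the list, so the initializer is never empty and never ends in a dangling comma, whichever `SYS_*` macros the build headers define.

```c
#include <string.h>
#include <sys/syscall.h>  // SYS_* macros; which exist depends on the kernel headers

#define DUMMY_SYSCALL "__dummy_syscall__"

// Constructed list: memfd_create and memfd_secret may be missing on old
// headers (e.g. Linux 3.8); read is assumed to exist on every Linux arch.
static const char *const keep_list =
#ifdef SYS_memfd_create
    "memfd_create,"
#endif
#ifdef SYS_memfd_secret
    "memfd_secret,"
#endif
#ifdef SYS_read
    "read,"
#endif
    DUMMY_SYSCALL;

// Count the real (non-dummy) entries of a comma-separated syscall list.
int count_real_syscalls(const char *list) {
    int n = 0;
    const char *p = list;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        int is_dummy = len == strlen(DUMMY_SYSCALL) &&
                       strncmp(p, DUMMY_SYSCALL, len) == 0;
        if (len && !is_dummy)
            n++;
        p = comma ? comma + 1 : p + len;
    }
    return n;
}

// Returns 1 if the list is well-formed under the new convention: it is
// non-empty and its final entry is the dummy terminator.
int ends_with_dummy(const char *list) {
    size_t len = strlen(list), dlen = strlen(DUMMY_SYSCALL);
    if (len < dlen || strcmp(list + len - dlen, DUMMY_SYSCALL) != 0)
        return 0;
    // the dummy must be a whole entry, i.e. at the start or after a comma
    return len == dlen || list[len - dlen - 1] == ',';
}
```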
Example case: you want to access the photos and have scripts or binaries on the same USB flash drive.
Let's make mount points non-executable in disable-exec.inc.