For better usability and because the proper suffixes (KiB, MiB and GiB)
are uppercase.
Affected commands:
* `rlimit-as`
* `rlimit-fsize`
Before:
$ firejail --quiet --noprofile --rlimit-as=100m /bin/true
$ firejail --quiet --noprofile --rlimit-as=100M /bin/true
Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.: No such file or directory
After:
$ firejail --quiet --noprofile --rlimit-as=100m /bin/true
$ firejail --quiet --noprofile --rlimit-as=100M /bin/true
Relates to #4315.
On each profile, ensure that the `blacklist` section is right above the
`include disable` section.
See etc/templates/profile.template.
Misc: This appears to affect about a third of the profiles that contain
`blacklist` entries:
$ git grep -El '^#?blacklist ' -- etc/profile* | wc -l
158
$ git diff --name-only f1381b342 | wc -l
49
Kind of relates to commit 04efbb276 ("profiles: replace x11 socket
blacklist with disable-X11.inc", 2024-03-22) / PR #6286.
Replace almost all debug `printf` calls with `debug_prctl` to reduce the
amount of duplication and `ifdefs`.
Note: There is one debug `printf` call that uses a different message
format, so it is left as is.
Command used to search and replace:
$ perl -0 -pi -e 's/#ifdef DEBUG_PRCTL\n(\s+)printf\("%s: %d, ([^\n]+)", __FUNCTION__, __LINE__([^\n]+)\n#endif/${1}debug_prctl("$2"$3/g; \
s/(debug_prctl\("event[^\n]+)/\t\t\t\t$1\n/g' \
src/firemon/procevent.c
Relates to #6792.
The `--check-level=exhaustive` option was briefly added, then changed to
`--max-ctu-depth=40`, presumably because the version being used in CI
(cppcheck 2.7 on ubuntu-22.04) did not support the former.
The current version in CI (cppcheck 2.13 on ubuntu-24.04) supports that
option, so restore it.
This fixes a flood of `information:` messages (which appear even with
`-q`) in the latest version of cppcheck:
$ cppcheck --version
Cppcheck 2.18.0
$ make cppcheck
cppcheck -q -j 4 --force --error-exitcode=1 --enable=warning,performance \
--max-ctu-depth=40 \
-i src/firejail/checkcfg.c \
-i src/firejail/main.c \
-i src/lib/syscall.c \
.
cppcheck: --max-ctu-depth is being capped at 10. This limitation will be removed in a future Cppcheck version.
src/etc-cleanup/main.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
src/fbuilder/build_bin.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
src/fbuilder/build_fs.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
[...]
This is a follow-up to #6874.
Related commits:
* be3c2a071 ("some problems reported by ccpcheck", 2025-08-17)
* d4881b6bc ("cppcheck cleanup", 2025-08-17)
* ebb368780 ("ci: cppcheck: upgrade ubuntu-22.04 to ubuntu-24.04",
2025-08-20) / PR #6874
And improve the comment.
Fixes the following:
$ ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
sort: -:979: disorder: warzone2100
This amends commit 4422c9358 ("warzone2100 for Debian/Ubuntu -
/usr/bin/warzone2100 is a script calling /usr/bin/warzone2100.real",
2025-08-19).
Simplify the deallocation of `cmd` to make it easier to understand,
which looks like it would fix a potential memory leak of `cmd`:
if (!cmd) {
cmd = pid_proc_cmdline(pid); // alloc
}
if (add_new) {
// ... // no dealloc
}
else if (proc_ev->what == PROC_EVENT_EXIT && pids[pid].level == 1) {
// ... // no dealloc
}
else {
// ...
else {
sprintf(lineptr, " %s\n", cmd);
if (cmd != pids[pid].option.event.cmd) {
free(cmd); // dealloc
}
}
// ...
}
This is a follow-up to commit 5ec00f70c ("fix: avoid cmd double-free in
procevent_monitor", 2025-07-31) / PR #6846.
Relates to #6792.
When checking if a .desktop file is valid, firecfg currently searches
for the first occurrence of `.desktop` in the filename and checks that
it is at the end of the string.
This fails if the filename contains multiple occurrences of `.desktop`,
such as the one for Telegram Desktop, `org.telegram.desktop.desktop`:
$ sudo firecfg
[...]
org.telegram.desktop.desktop skipped (not a .desktop file)
Instead, start the `.desktop` comparison from the last `.` character in
the filename.
This amends commit a9c851ee4 ("firecfg: use ignorelist also for .desktop
files", 2024-01-08) / PR #6153.
Fixes#6865.
Relates to #5245#5876.
Reported-by: @tht2005
Reported-by: @rusty-snake
