From @kolAflash[1]:
> The `noinput` setting for Wine prevents Joysticks from being used in
> Wine.
> Use the Wine "control" center for testing: `wine control`.
>
> There you find a `Gamecontroller` program for testing.
Fixes #6866.
Relates to #6707.
[1] https://github.com/netblue30/firejail/issues/6866#issue-3328634575
Suggested-by: @kolAflash
Besides ignoring whitelist-run-user-common.inc itself, also ignore the
lines from the keepassxc comment from firefox-common.profile, to prevent
them from applying whitelisting to `${RUNUSER}`, which could break the
program due to missing xorg/wayland sockets from wruc.
This amends commit b787548b1 ("profiles: browsers: centralize/sync
keepassxc extension comment", 2024-07-14) / PR #6486.
Fixes #6839.
Reported-by: @Gilrain
Reported-by: @rusty-snake
`xreader` fails to start on my system with `no3d`. The error is related
to `/dev/dri`:
$ firejail --private=Documents/ xreader
Reading profile /etc/firejail/xreader.profile
...
MESA: error: Failed to query drm device.
libEGL warning: egl: failed to create dri2 screen
libEGL warning: DRI2: could not open /dev/dri/card1 (No such file or directory)
MESA: error: ZINK: failed to choose pdev
libEGL warning: egl: failed to create dri2 screen
$ xreader --version
xreader 4.2.6
Environment: Intel GPU on Linux Mint 22.1.
Removing `no3d` fixes the problem.
`hosts.conf` was added in #3849 and is only used in 3 profiles, while
all other profiles use `host.conf` (which is documented in
`host.conf(5)`):
$ git grep -E 'private-etc .*,host\.conf(,|$| +#)' -- etc | wc -l
64
$ git grep -E 'private-etc .*,hosts\.conf(,|$| +#)' -- etc | wc -l
3
Considering that and as discussed with @bbhtt (the author of #3849),
`hosts.conf` is likely a typo of `host.conf`[1].
Commands used to search and replace:
$ git grep -IElz 'private-etc .*,hosts\.conf(,|$| +#)' -- etc |
xargs -0 \
perl -pi -e 's/(private-etc .*,)hosts\.conf(,|$| +#)/$1host.conf$2/'
Related commits:
* a8a8e33bc ("Add whitelisting to mutt; improve geary, new profile for
neomutt", 2020-12-28) /
PR #3849
* 144aee26f ("Improve whitelisting and dbus of Sylpheed and Claws-mail",
2020-12-31) /
PR #3849
Kind of relates to #6400.
[1] https://github.com/netblue30/firejail/pull/3849#issuecomment-3001532350
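The search-and-replace above is easy to re-run or audit outside perl. The following is an added example (not firejail's own tooling) that applies the same regular expression to profile lines and reproduces the `git grep | wc -l` style counts; the sample lines are constructed, and the fourth one shows that the pattern only matches `hosts.conf` when a comma precedes it, so a first-entry occurrence is left for manual review:

```python
import re

# Same pattern as the perl one-liner in the commit message: `hosts.conf` must
# be preceded by a comma inside a private-etc line and followed by a comma,
# the end of the line, or an inline comment.
HOSTS_CONF_RE = re.compile(r"(private-etc .*,)hosts\.conf(,|$| +#)")


def fix_hosts_conf(line):
    """Return the line with `hosts.conf` replaced by `host.conf`, or unchanged."""
    return HOSTS_CONF_RE.sub(r"\1host.conf\2", line)


def count_entries(lines, name):
    """Mirror of the `git grep -E ... | wc -l` counts for one file name."""
    pat = re.compile(r"private-etc .*," + re.escape(name) + r"(,|$| +#)")
    return sum(1 for line in lines if pat.search(line))


def rewrite_profile(text):
    """Apply fix_hosts_conf to every line; return (new_text, changed_line_count)."""
    out, changed = [], 0
    for line in text.splitlines():
        new = fix_hosts_conf(line)
        changed += new != line
        out.append(new)
    return "\n".join(out) + "\n", changed


# Constructed sample lines (not a real firejail profile). The last line keeps
# `hosts.conf` as the first entry, which the pattern does not match because it
# requires a preceding comma.
SAMPLE = """\
private-etc alternatives,fonts,hosts.conf,resolv.conf
private-etc alternatives,hosts.conf
private-etc alternatives,hosts.conf  # inline comment
private-etc hosts.conf,resolv.conf
"""

if __name__ == "__main__":
    new_text, n = rewrite_profile(SAMPLE)
    print(f"{n} line(s) changed")
    print(new_text, end="")
```

Running the block on real profiles only requires reading each file into `rewrite_profile` and writing the result back when the change count is non-zero.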
Changes:
* Convert all private-opt entries (other than `private-opt none`) to
whitelist entries
* Remove remaining commented private-opt entries and related comments
(for profiles that also have a corresponding whitelist entry)
* Enable `whitelist /opt/basilisk` in basilisk.profile (similarly to
mullvad-browser.profile and palemoon.profile)
* Update private-opt comment in etc/templates/profile.template
Most private-opt entries were converted into whitelist entries on commit
175905530 ("profiles: exchange private-opt with a whitelist (#6021)",
2023-10-18), while some of them were left alone due to the program size
being deemed small enough as not to break file-copy-limit in
firejail.config.
For the sake of simplicity and clarity (and to avoid potential issues
with program install sizes increasing over time), convert those
private-opt entries into whitelist entries as well (note that users can
still enable private-opt in the corresponding .local profile).
Also, some commented private-opt entries remain (with a note about
potential issues with private-opt).
Since commit 175905530 also documented the drawbacks of private-opt in
firejail.1, it should be fine to remove the commented entries and
related comments (note that in all of the profiles containing such
comments, there is already an equivalent whitelist entry).
Related commits:
* f3f739c5d ("microsoft-edge.profile: rewrite profile for stable
channel", 2022-08-11) /
PR #5709
* 121e043df ("microsoft-edge-{dev,beta}: replaced private-opt by
whitelist #5307", 2022-08-11) /
PR #5709
* 2cb40fbec ("microsoft-edge fixes (#5697)", 2023-03-14)
* 58732a654 ("Add profiles for jami and postman (#5691)", 2023-03-15)
* 175905530 ("profiles: exchange private-opt with a whitelist (#6021)",
2023-10-18)
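The conversion described in the change list above can be mechanised. The following is an added example, not code from firejail, that turns each active `private-opt a,b` line into `whitelist /opt/a` and `whitelist /opt/b`, keeps `private-opt none`, and drops a commented-out `private-opt` line only when every equivalent `whitelist` entry already exists in the profile. It assumes the whitelist lines may be emitted at the position of the `private-opt` line (a real profile would place them in its whitelist section) and does not try to detect the free-form "related comments"; the sample profile is constructed:

```python
import re

# A private-opt line, optionally commented out, with its comma-separated
# list of /opt subdirectories.
PRIVATE_OPT_RE = re.compile(r"^(#\s*)?private-opt\s+(\S+)\s*$")


def whitelist_lines(names):
    """Whitelist entries equivalent to `private-opt a,b,...`."""
    return [f"whitelist /opt/{name}" for name in names.split(",")]


def convert_private_opt(text):
    """Return (new_text, report); report lists what was converted or dropped."""
    lines = text.splitlines()
    present = {line.strip() for line in lines}
    out, report = [], []
    for line in lines:
        m = PRIVATE_OPT_RE.match(line)
        if not m or m.group(2) == "none":
            out.append(line)            # unrelated line, or `private-opt none` (kept)
            continue
        commented, wl = m.group(1), whitelist_lines(m.group(2))
        if commented:
            if all(w in present for w in wl):
                report.append(f"dropped: {line.strip()}")   # whitelist already present
                continue
            out.append(line)            # no equivalent whitelist yet: leave for review
            continue
        out.extend(wl)
        report.append(f"converted: {line.strip()}")
    return "\n".join(out) + "\n", report


# Constructed sample profile (not a real firejail profile).
SAMPLE = """\
# constructed sample, not a real profile
private-opt foo,bar
#private-opt baz
whitelist /opt/baz
#private-opt qux
private-opt none
"""

if __name__ == "__main__":
    new_text, report = convert_private_opt(SAMPLE)
    print("\n".join(report))
    print(new_text, end="")
```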
For simplicity and to make diffs more readable.
Use them in the remaining profiles that have `private-etc` enabled but
are not currently using private-etc groups.
Note: All of the profiles in question were created between 0.9.72 and
0.9.74 (which is when private-etc groups were introduced).
Command used to search for relevant profiles:
$ git grep '^private-etc .*alternatives' -- etc
Misc: The changes were made somewhat manually.
This is a follow-up to #6779.
Relates to #5691 #5706 #5707 #5710 #6007 #6400.
To reduce clutter in the user home.
This file is apparently intended to specify login information for remote
systems, such as username and password for ftp/http connections
(similarly to using ~/.ssh/config for ssh connections).
From inetutils.info of GNU inetutils 2.6, which provides ftp and telnet
binaries (among others):
> 11.7 The ‘.netrc’ file
> The ‘.netrc’ file contains login and initialization information used
> by the auto-login process. It generally resides in the user's home
> directory, but a location outside of the home directory can be set
> using the environment variable ‘NETRC’. Both locations are overridden
> by the command line option ‘-N’. The selected file must be a regular
> file, or access will be denied.
It seems that the file is intended to be created manually (just like
~/.ssh/config), as it is not mentioned in mpv(1). mpv supports using
yt-dlp and ~/.netrc is mentioned in yt-dlp(1), though it does not look
like it would create the file either.
Note also that this entry is not present in any other profile (including
the ones that allow ~/.netrc).
Related commits:
* 5d741795c ("Use whitelisting for video players (#3472)", 2020-08-15)
* 8bf892d67 ("Fix missing mkfile in
5d741795c3", 2020-08-16)
This is a follow-up to #6732.
To reduce clutter in the user home.
This appears to be a legacy path and the relevant profiles already
create an XDG path as well:
mkdir ${HOME}/.local/share/pki
From nss 3.111[1]:
/**
* Return the path to user's NSS database.
* We search in the following dirs in order:
* (1) $HOME/.pki/nssdb;
* (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set;
* (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value).
* If (1) does not exist, then the returned dir will be set to either
* (2) or (3), depending if XDG_DATA_HOME is set.
*/
The XDG path has apparently been supported since nss 3.42, which was
released on 2019-01-25[2] [3] [4].
Misc: The original path was first added on commit 3a71eb2af ("added
mkdir in all whitelisted profiles", 2016-02-18) and the XDG path was
first added on commit 63c35052b ("Add '$HOME/.local/share/pki' to
blacklist", 2019-02-03).
Relates to #4262.
[1] https://github.com/nss-dev/nss/blob/NSS_3_111_RTM/lib/sysinit/nsssysinit.c#L64-L72
[2] https://github.com/nss-dev/nss/blob/NSS_3_42_RTM/lib/sysinit/nsssysinit.c#L65-L73
[3] 7f21d4f497
[4] https://github.com/nss-dev/nss/releases/tag/NSS_3_42_RTM
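The search order quoted from nsssysinit.c decides which directory a sandboxed program will actually use, so it is worth being able to evaluate it against the directories a profile creates. The following is an added example (a Python re-implementation of that comment, not NSS's or firejail's code) with the existence check injected, so the three branches can be exercised offline; the home path and the set of created directories are constructed:

```python
import os


def nss_db_dir(env, exists):
    """Directory NSS picks for the user database, following the search order
    in the comment quoted from nsssysinit.c (reimplemented here).

    env:    mapping with HOME and, optionally, XDG_DATA_HOME
    exists: callable(path) -> bool, injected so the lookup can run offline
    """
    legacy = os.path.join(env["HOME"], ".pki", "nssdb")                  # (1)
    if exists(legacy):
        return legacy
    xdg_data_home = env.get("XDG_DATA_HOME")
    if xdg_data_home:
        return os.path.join(xdg_data_home, "pki", "nssdb")               # (2)
    return os.path.join(env["HOME"], ".local", "share", "pki", "nssdb")  # (3)


def in_sandbox(env, created_dirs):
    """Resolve the database directory when only the directories a profile
    creates (constructed model of the sandboxed home) are present."""
    def exists(path):
        return any(path == d or path.startswith(d + "/") for d in created_dirs)
    return nss_db_dir(env, exists)


if __name__ == "__main__":
    env = {"HOME": "/home/u"}                     # constructed environment
    # Profile creates only the XDG directory (as after this commit).
    print(in_sandbox(env, {"/home/u/.local/share/pki"}))
    # Legacy directory still created: it takes precedence.
    print(in_sandbox(env, {"/home/u/.local/share/pki", "/home/u/.pki"}))
    # XDG_DATA_HOME points somewhere the profile does not create.
    print(in_sandbox({**env, "XDG_DATA_HOME": "/home/u/data"}, {"/home/u/.local/share/pki"}))
```

The third call shows the caveat for a profile that only creates `${HOME}/.local/share/pki`: if the user exports `XDG_DATA_HOME`, NSS will look under that path instead, and the profile's whitelist has to cover it.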
Replace it with the current disable-x11.inc (lowercase) include.
See commit 0060b5105 ("profiles: rename disable-X11.inc to
disable-x11.inc (#6294)", 2024-03-27).
Commands used to search and replace:
$ git grep -Ilz 'disable-X11' -- etc/profile* | xargs -0 \
perl -pi -e 's/disable-X11/disable-x11/'
Relates to #6549 #6583 #6584 #6585 #6586 #6587 #6589 #6590.
Instead of having a `notpm` command and potentially adding it to almost
all profiles (as few programs should need direct access to TPM devices),
add a `keep-dev-tpm` command and use it only in profiles that need
access to TPM devices.
Changes:
* Turn `notpm` command into `keep-dev-tpm` command
* Warn and ignore if `notpm` is used
* Block `/dev/tpm*` devices by default
* Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev`
is used)
Added on commit 001320226 ("feature: add notpm command & keep tpm
devices in private-dev (#6390)", 2024-07-09).
See also commit ee1c264c5 ("feature: block /dev/ntsync & add
keep-dev-ntsync command (#6660)", 2025-03-06) and the discussion at
PR #6660.
This is a follow-up to #6687.
Changes:
* Block access to /dev/ntsync by default
* Add the `keep-dev-ntsync` command to allow access to /dev/ntsync (even
if `private-dev` is used)
* Add `keep-dev-ntsync` to wine.profile and similar profiles
Closes #6655.
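The two commit messages above (keep-dev-tpm and keep-dev-ntsync) describe the same policy shape: a device class is blocked by default and only a matching `keep-dev-*` command makes it visible, even when `private-dev` is also in effect, while the old `notpm` is warned about and ignored. The following is an added example that models that policy for profile linting; it is not firejail's parser, the glob-to-command table is this example's own, and anything outside the two device classes is reported as out of scope rather than guessed:

```python
import fnmatch

# Device globs blocked by default and the profile command that re-allows each
# (taken from the two commit messages above; the table itself is this example's).
KEEP_DEV = {
    "/dev/tpm*": "keep-dev-tpm",
    "/dev/ntsync": "keep-dev-ntsync",
}

# Commands that are accepted but ignored, mapped to the replacement to suggest.
DEPRECATED = {"notpm": "keep-dev-tpm"}


def parse_profile(text):
    """Return (set_of_commands, warnings). Blank and comment lines are skipped;
    a deprecated command produces a warning and is not added."""
    commands, warnings = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd = line.split()[0]
        if cmd in DEPRECATED:
            warnings.append(f"line {lineno}: '{cmd}' is ignored, use '{DEPRECATED[cmd]}'")
            continue
        commands.add(cmd)
    return commands, warnings


def device_allowed(path, commands):
    """True/False for the device classes modelled here, None for any other
    path (private-dev's built-in allow list is out of scope for this model).
    A blocked class is visible only with its keep-dev-* command, whether or
    not private-dev is also present."""
    for glob, keep in KEEP_DEV.items():
        if fnmatch.fnmatchcase(path, glob):
            return keep in commands
    return None


if __name__ == "__main__":
    # Constructed profile fragment still using the removed `notpm` command.
    cmds, warns = parse_profile("notpm\nprivate-dev\n")
    print(warns, device_allowed("/dev/tpm0", cmds))
    cmds, _ = parse_profile("keep-dev-tpm\nprivate-dev\n")
    print(device_allowed("/dev/tpmrm0", cmds), device_allowed("/dev/ntsync", cmds))
```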
Apparently the .desktop file for `seahorse` is located in the following
path:
* `/usr/share/applications/org.gnome.seahorse.Application.desktop`
This ends in `Application.desktop` instead of `seahorse.desktop`,
leading to it not being automatically detected by firecfg.
So add a redirect profile and an entry in firecfg.config.
Related commits:
* bd9761508 ("Temp fix firecfg (#2634)", 2019-04-02)
* 8f69e9841 ("bugfix: firecfg: check full filename in check_profile()
(#6674)", 2025-03-04).
Fixes #6658.
Relates to #2624.
Reported-by: @ginto37
Reported-by: @rusty-snake
Remmina may install this wrapper binary on some distributions.
On Void Linux, this is the default binary launched via application
launchers (e.g. rofi):
$ grep "Exec" /usr/share/applications/org.remmina.Remmina.desktop
TryExec=remmina-file-wrapper
Exec=remmina-file-wrapper %U
[...]
Apparently the main binary has been renamed from `ytmdesktop` to
`youtube-music-desktop-app`[1]:
$ pacman -Qlq ytmdesktop
[...]
/opt/ytmdesktop/youtube-music-desktop-app
/usr/bin/youtube-music-desktop-app
/usr/share/applications/ytmdesktop.desktop
So add a redirect for it.
Fixes #6662.
[1] https://github.com/netblue30/firejail/issues/6662#issuecomment-2681532969
Reported-by: @Dieterbe
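The seahorse, remmina-file-wrapper and ytmdesktop commits above are three variants of one mismatch: the `.desktop` file name, the program in its `Exec=` line and the firejail profile name do not all agree. The following is an added example, not firecfg's code, that parses constructed `.desktop` contents and classifies each file by whether its stem (file name without `.desktop`) and its `Exec=` program have a profile. It assumes, as the seahorse message states, that firecfg's automatic detection goes by the file name; the remmina `Exec=` lines are from the commit above, the other contents are constructed:

```python
import os
import shlex


def exec_program(desktop_text):
    """Program name from the Exec= key of a .desktop file (TryExec= and field
    codes such as %U are ignored); None if there is no Exec= line."""
    for raw in desktop_text.splitlines():
        line = raw.strip()
        if line.startswith("Exec="):
            argv = shlex.split(line[len("Exec="):])
            return os.path.basename(argv[0]) if argv else None
    return None


def classify(desktop_files, profiles):
    """desktop_files: {filename: content}; profiles: set of profile names.
    Result per file: 'both' (stem and Exec program have a profile),
    'stem-only', 'exec-only' or 'none'. Anything but 'both' is a candidate
    for a redirect profile or a firecfg.config entry."""
    labels = {(True, True): "both", (True, False): "stem-only",
              (False, True): "exec-only", (False, False): "none"}
    result = {}
    for fname, content in desktop_files.items():
        stem = fname[:-len(".desktop")] if fname.endswith(".desktop") else fname
        prog = exec_program(content)
        result[fname] = labels[(stem in profiles, prog in profiles)]
    return result


# Constructed .desktop contents (only the remmina Exec lines come from the
# commit message above).
SAMPLE_DESKTOP = {
    "org.gnome.seahorse.Application.desktop": "[Desktop Entry]\nExec=seahorse %U\n",
    "ytmdesktop.desktop": "[Desktop Entry]\nExec=/usr/bin/youtube-music-desktop-app %U\n",
    "org.remmina.Remmina.desktop": "[Desktop Entry]\nTryExec=remmina-file-wrapper\n"
                                   "Exec=remmina-file-wrapper %U\n",
    "firefox.desktop": "[Desktop Entry]\nExec=firefox %u\n",
}
PROFILES = {"seahorse", "ytmdesktop", "remmina", "firefox"}   # constructed subset

if __name__ == "__main__":
    for fname, label in classify(SAMPLE_DESKTOP, PROFILES).items():
        print(f"{label:10} {fname} -> {exec_program(SAMPLE_DESKTOP[fname])}")
```

On a real system the dictionary would be filled from `/usr/share/applications` and the profile set from the `.profile` names under `/etc/firejail`.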
Changes:
* Strip whitespace at the beginning
* Strip whitespace at the end
* Ensure exactly one newline at the end
* Strip extraneous newlines
Also, for clarity print the git diff in the sort.py ci job, since the
specific lines changed are not printed by the sort.py script in this
case (as whitespace is fixed in the entire profile at once).
Command used to search and replace:
./contrib/sort.py etc/inc/*.inc etc/profile*/*.profile
This is a follow-up to #6556.
Update contrib/sort.py
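The four whitespace rules listed above can be expressed as one normalisation function. The following is an added example, not the actual contrib/sort.py code: it reads "strip whitespace at the beginning/end" as applying to the whole file, "strip extraneous newlines" as collapsing runs of blank lines to a single blank line, and leaves an empty file empty rather than giving it a lone newline; all three readings are this example's assumptions:

```python
import re

# Three or more consecutive newlines means at least two blank lines in a row.
BLANK_RUN_RE = re.compile(r"\n{3,}")


def normalize_whitespace(text):
    """Apply the four rules to the text of one profile and return the result."""
    text = text.lstrip()                    # strip whitespace at the beginning
    text = text.rstrip()                    # strip whitespace at the end
    text = BLANK_RUN_RE.sub("\n\n", text)   # collapse runs of blank lines (assumed meaning)
    return text + "\n" if text else text    # exactly one newline at the end; empty stays empty


def fix_file(path):
    """Rewrite the file in place; return True if its content changed."""
    with open(path, encoding="utf-8") as f:
        old = f.read()
    new = normalize_whitespace(old)
    if new != old:
        with open(path, "w", encoding="utf-8") as f:
            f.write(new)
    return new != old


if __name__ == "__main__":
    import sys
    # Constructed profile text with every kind of defect the rules address.
    sample = "\n\n# header\ninclude foo.inc\n\n\n\nprivate-dev   \n\n"
    print(repr(normalize_whitespace(sample)))
    for path in sys.argv[1:]:
        if fix_file(path):
            print(f"fixed whitespace in {path}")
```

Because the whole file is rewritten at once, the diff of the affected profile (as the commit message notes for the CI job) is the only place the exact changed lines show up.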