Commit graph

10465 commits

Author SHA1 Message Date
Kelvin M. Klann
ab4a126b65 RELNOTES: add modif and profile items
Relates to #6815 #6816 #6823 #6824 #6825 #6827 #6828.
2025-07-16 16:46:53 -03:00
Kelvin M. Klann
174d83fba3
profiles: keepassxc: add x11 group to private-etc (#6828)
It is a GUI program and without it the program does not start due to a
dbus error[1]:

    $ firejail keepassxc
    Reading profile /etc/firejail/keepassxc.profile
    [...]
    firejail version 0.9.74
    [...]
    Child process initialized in 698.63 ms
    dbus[23]: D-Bus library appears to be incorrectly set up: see the manual page for dbus-uuidgen to correct this issue. (Failed to open "/var/lib/dbus/machine-id": No such file or directory; Failed to open "/etc/machine-id": No such file or directory)
      D-Bus not built with -rdynamic so unable to print a backtrace

    Parent is shutting down, bye...

This issue is also mentioned in src/include/etc_groups.h:

    // @x11
    static char *etc_group_x11[] = {
        // [...]
        "machine-id", // QT dbus lib is crashing without it!
        // [...]
        NULL
    };

This amends commit 5d0822c52 ("private-etc: big profile changes",
2023-02-05).

Fixes #6827.

Relates to #6400.

[1] https://github.com/netblue30/firejail/issues/6827#issue-3228990975

Reported-by: @Rosika2
2025-07-16 19:31:55 +00:00
Kelvin M. Klann
d568444a37
modif: improve error messages in sandbox.c/sbox.c (#6825)
Relates to #6822.
2025-07-14 18:46:31 +00:00
Kelvin M. Klann
2a66c14ee3
modif: improve new network namespace error message (#6824)
Clarify that `--net` should be used to create a new network namespace
before using a firejail command that needs to be executed inside a
(firejail) network namespace.

Example:

    $ firejail --netfilter.print=10000
    Switching to pid 10001, the first child process inside the sandbox
    Error: the sandbox doesn't use a new network namespace (see --net)

Reported-by: @osevan

Relates to #6820.
2025-07-14 18:44:04 +00:00
Kelvin M. Klann
0ee91adec3
profiles: kate: fix network access (#6823)
And add a comment about it.

Fixes #6815.

Reported-by: @madbehaviorus
Suggested-by: @madbehaviorus
2025-07-14 18:43:12 +00:00
exponentialmatrix
34b0c428b3
profiles: makedeb: allow dpkg (#6816)
It is used to determine the architecture and distro.
2025-07-12 05:36:46 +00:00
Kelvin M. Klann
9bd74d5fbc RELNOTES: add modif, bugfix and docs items
Relates to #4545 #6804 #6805 #6806 #6807 #6808.
2025-07-10 16:28:00 -03:00
Kelvin M. Klann
ddac8be302
docs: fix man formatting of landlock.enforce (#6807)
Remove the `.PP` macro to avoid removing the indentation from the
preceding `.TP` in firejail-profile.5.in.

This also makes it more consistent with the description of
`landlock.enforce` in firejail.1.in.

This amends commit 760f50f78 ("landlock: move commands into profile and
add landlock.enforce", 2023-11-17) / PR #6125.

Relates to #6078.
2025-07-10 17:15:03 +00:00
Kelvin M. Klann
a31f741652
bugfix: fix "Not enforcing Landlock" message always being printed (#6806)
Even when Landlock is in fact being enforced.

Also, mention the `landlock.enforce` command in the message.

This amends commit 760f50f78 ("landlock: move commands into profile and
add landlock.enforce", 2023-11-17) / PR #6125.

Relates to #6078 #6796.

Reported-by: @osevan
2025-07-10 17:14:31 +00:00
Kelvin M. Klann
e0bf7b8aa4
docs: clarify --private bug in man pages (#6805)
Make it clearer that the bug affects firejail commands and not shell
commands like `mkdir(1p)` [1].

This amends commit 94368a343 ("docs: mention inconsistent homedir bug
involving --private=dir", 2022-03-14) / PR #5052.

Relates to #903.

[1] https://github.com/netblue30/firejail/issues/903#issuecomment-3044544685

Reported-by: @giddie
2025-07-10 17:14:00 +00:00
Kelvin M. Klann
652c3e43dc fcopy: improve comments in check()
Add a few more issue references.

Relates to #1243 #1531 #6804 #6808.
2025-07-10 14:11:45 -03:00
Kelvin M. Klann
3991303b9a
bugfix: fcopy: allow /etc/resolv.conf owned by systemd-resolve (#6808)
Apparently /etc/resolv.conf may be a regular file (instead of a symlink
to /run/systemd/resolve/resolv.conf) and owned by the "systemd-resolve"
user at the same time.

This is a follow-up to #6804.

Fixes #4545.

Relates to #1531.
2025-07-10 17:08:24 +00:00
Kelvin M. Klann
66bf4bbe85
modif: fcopy: try normal case first instead of last in check() (#6804)
Check if the file ownership matches before checking the exceptions.

Relates to #1531 #6801 #6803.
2025-07-09 04:06:02 +00:00
Kelvin M. Klann
1344489486 RELNOTES: add modif, bugfix and profile items
Relates to #6791 #6797 #6801 #6803.
2025-07-07 15:55:26 -03:00
dependabot[bot]
4505abf1b8 build(deps): bump step-security/harden-runner from 2.12.0 to 2.12.2
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.12.0 to 2.12.2.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](0634a2670c...6c439dc8bd)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.12.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-07 18:52:03 +00:00
Kelvin M. Klann
d54f798737
bugfix: fcopy: add /usr/share + "runner:root" exception to fix CI (#6803)
The following CI jobs started failing since the GitHub Actions runner
image for ubuntu-22.04 was (automatically) upgraded from version
20250615.1.0[1] to 20250622.1.0[2]:

* test-fs
* test-environment
* test-network

Most/all fail with the same fcopy error message for the same path,
presumably due to using `private-etc`, as `localtime` is in the default
private-etc group (see the full log below):

    Error fcopy: invalid ownership for /etc/localtime -> /usr/share/zoneinfo/Etc/UTC (type=- uid=1001 name=runner)
    Error: failed to run /run/firejail/lib/fcopy, exiting...

In at least the newer runner image, `/usr/share/zoneinfo/Etc/UTC` is
owned by `runner:root` instead of the usual `root:root`, so add an
exception in fcopy to allow it.

From a run of the `test-fs` job for commit 1f92779d2 ("modif: improve
fcopy error messages in check() (#6801)", 2025-07-07) [3]:

    make -C test private-etc
    make[1]: Entering directory '/home/runner/work/firejail/firejail/test'
    cd private-etc && ./private-etc.sh 2>&1 | tee private-etc.log
    TESTING: private-etc (test/private-etc/private-etc.exp)
    spawn /bin/bash
    firejail --private-etc=passwd,group,resolv.conf,X11
    runner@pkrvmdyo8zrnvmk:~/work/firejail/firejail/test/private-etc$
    <firejail --private-etc=passwd,group,resolv.conf,X11
    Reading profile /etc/firejail/default.profile
    Reading profile /etc/firejail/disable-common.inc
    Reading profile /etc/firejail/disable-programs.inc
    Reading profile /etc/firejail/landlock-common.inc

    ** Note: you can use --noprofile to disable default.profile **

    firejail version 0.9.75

    Parent pid 4511, child pid 4512
    Error fcopy: invalid ownership for /etc/localtime -> /usr/share/zoneinfo/Etc/UTC (type=- uid=1001 name=runner)
    Error: failed to run /run/firejail/lib/fcopy, exiting...
    Error: proc 4511 cannot sync with peer: unexpected EOF
    Peer 4512 unexpectedly exited with status 1
    runner@pkrvmdyo8zrnvmk:~/work/firejail/firejail/test/private-etc$ TESTING ERROR 1

Fixes #6797.

Relates to #6801.

[1] https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20250615.1
[2] https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20250622.1
[3] https://github.com/netblue30/firejail/actions/runs/16122142799/job/45490345354
2025-07-07 18:45:24 +00:00
Kelvin M. Klann
1f92779d27
modif: improve fcopy error messages in check() (#6801)
Changes:

* Remove "file" from "invalid ownership" error message (`src` can also
  be a directory)
* Print more error messages
* Include the source path, realpath, file type and uid/username of the
  file owner where applicable

Relates to #6797.
2025-07-07 16:09:59 +00:00
dependabot[bot]
9bc9b8af4e build(deps): bump github/codeql-action from 3.28.18 to 3.29.2
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.18 to 3.29.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](ff0a06e83c...181d5eefc2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.29.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-01 12:53:01 +00:00
Kelvin M. Klann
326a3102a4 profiles: fix private-opt comment misc in profile.template
This amends commit b66da99f9 ("profiles: finish converting private-opt
to whitelist (#6785)", 2025-06-22).
2025-06-26 07:17:50 -03:00
Kelvin M. Klann
cba764fa08
profiles: replace hosts.conf with host.conf in private-etc (#6791)
`hosts.conf` was added in #3849 and is only used in 3 profiles, while
all other profiles use `host.conf` (which is documented in
`host.conf(5)`):

    $ git grep -E 'private-etc .*,host\.conf(,|$| +#)' -- etc | wc -l
    64
    $ git grep -E 'private-etc .*,hosts\.conf(,|$| +#)' -- etc | wc -l
    3

Considering that and as discussed with @bbhtt (the author of #3849),
`hosts.conf` is likely a typo of `host.conf`[1].

Commands used to search and replace:

    $ git grep -IElz 'private-etc .*,hosts\.conf(,|$| +#)' -- etc |
      xargs -0 \
      perl -pi -e 's/(private-etc .*,)hosts\.conf(,|$| +#)/$1host.conf$2/'

Related commits:

* a8a8e33bc ("Add whitelisting to mutt; improve geary, new profile for
  neomutt", 2020-12-28) /
  PR #3849
* 144aee26f ("Improve whitelisting and dbus of Sylpheed and Claws-mail",
  2020-12-31) /
  PR #3849

Kind of relates to #6400.

[1] https://github.com/netblue30/firejail/pull/3849#issuecomment-3001532350
2025-06-26 09:53:45 +00:00
Kelvin M. Klann
e029ed47e1 RELNOTES: add feature, modif and profile items
Relates to #6747 #6761 #6773 #6775 #6777 #6779 #6780 #6783 #6784 #6785.
2025-06-23 06:05:05 -03:00
jlimor-kl
7471a24b8f
feature: use non-blocking flock calls (#6761)
As reported by @hlein in #6729, if a firejailed process is `^Z`'d at the
wrong time during startup, other firejail processes will be unable to
proceed because they'll wait forever for an flock on
`/run/firejail/firejail-run.lock`.

This builds upon commit f4b8c6dbb ("bugfix: fix potential deadlock with
flock + SIGTSTP (#6750)", 2025-05-21) to add a busy wait while
attempting to acquire a lock. This allows the application to bail out if
it fails to acquire a lock after a given timeout.

Behavior after this patch (we use SIGSTOP, as that cannot be
caught/ignored):

    $ firejail --debug id & P=$!;sleep 0.00001;kill -STOP $P
    [1] 14411
    Looking for kernel processes
    Found kthreadd process, we are not running in a sandbox
    pid=14411: locking /run/firejail/firejail-run.lock ...
    pid=14411: locked /run/firejail/firejail-run.lock

    [1]+  Stopped                 firejail --debug id
    $ firejail --debug ls
    Looking for kernel processes
    Found kthreadd process, we are not running in a sandbox
    pid=14413: locking /run/firejail/firejail-run.lock ...
    pid=14413: sleeping 500us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 1000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 2000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 4000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 8000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 16000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 32000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 64000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 128000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 256000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    pid=14413: sleeping 500000us while trying to lock /run/firejail/firejail-run.lock
    Error: timeout occurred while trying to lock /run/firejail/firejail-run.lock
    Error: ../../src/firejail/preproc.c:112: preproc_lock_file: flock: Resource temporarily unavailable

Enhances commit f4b8c6dbb ("bugfix: fix potential deadlock with flock +
SIGTSTP (#6750)", 2025-05-21).

Suggested-by: @hlein
Co-authored-by: @kmk3
2025-06-22 05:08:10 +00:00
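The busy wait described in the commit message above, as an added example (not firejail's own code): `flock(LOCK_EX | LOCK_NB)` is retried with a doubling sleep until a time budget is spent. The 500us start, 500000us cap and 5-second budget are assumptions read off the debug log above, and all function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Assumed values, read off the debug log in the commit message above. */
#define BACKOFF_START_US 500L
#define BACKOFF_CAP_US   500000L
#define LOCK_TIMEOUT_US  5000000L

/* Double the delay, capped (256000us is followed by 500000us, not 512000us). */
static long next_delay(long us) {
    us *= 2;
    return us > BACKOFF_CAP_US ? BACKOFF_CAP_US : us;
}

static void sleep_us(long us) {
    struct timespec ts = { .tv_sec = us / 1000000L,
                           .tv_nsec = (us % 1000000L) * 1000L };
    while (nanosleep(&ts, &ts) == -1 && errno == EINTR)
        ; /* resume the remaining sleep after a signal */
}

/*
 * Take an exclusive flock on fd without ever blocking inside flock().
 * Returns 0 on success. Returns -1 with errno == EWOULDBLOCK once at least
 * timeout_us has been spent sleeping, or -1 with another errno on a real
 * error. *slept_us receives the total time slept.
 */
int lock_with_timeout(int fd, long timeout_us, long *slept_us) {
    long delay = BACKOFF_START_US, total = 0;
    int rc;
    for (;;) {
        rc = flock(fd, LOCK_EX | LOCK_NB);
        if (rc == 0)
            break;                  /* lock acquired */
        if (errno == EINTR)
            continue;               /* interrupted: retry immediately */
        if (errno != EWOULDBLOCK)
            break;                  /* real error, e.g. EBADF */
        if (total >= timeout_us)
            break;                  /* budget spent: caller can bail out */
        sleep_us(delay);
        total += delay;
        delay = next_delay(delay);
    }
    if (slept_us)
        *slept_us = total;
    return rc;
}

/* How many sleeps happen before giving up if the holder never unlocks. */
int sleeps_before_timeout(long timeout_us) {
    long delay = BACKOFF_START_US, total = 0;
    int n = 0;
    while (total < timeout_us) {
        total += delay;
        delay = next_delay(delay);
        n++;
    }
    return n;
}

/*
 * Constructed scenario: two open file descriptions of one temp file stand in
 * for the stopped lock holder and the second firejail process. Returns the
 * microseconds slept before the waiter timed out (3ms budget), or -1 if any
 * step misbehaved (including the waiter failing to lock after release).
 */
long run_demo(void) {
    char path[] = "/tmp/flock-demo-XXXXXX";
    long slept_timeout = 0, slept_ok = 0, result = -1;
    int holder = mkstemp(path);
    if (holder < 0)
        return -1;
    int waiter = open(path, O_RDONLY);
    unlink(path);
    if (waiter >= 0 &&
        flock(holder, LOCK_EX) == 0 &&
        lock_with_timeout(waiter, 3000, &slept_timeout) == -1 &&
        errno == EWOULDBLOCK &&
        flock(holder, LOCK_UN) == 0 &&
        lock_with_timeout(waiter, 3000, &slept_ok) == 0 && slept_ok == 0)
        result = slept_timeout;
    if (waiter >= 0)
        close(waiter);
    close(holder);
    return result;
}

int main(void) {
    printf("sleeps before a %ldus timeout: %d\n",
           LOCK_TIMEOUT_US, sleeps_before_timeout(LOCK_TIMEOUT_US));
    printf("contended waiter slept %ldus before EWOULDBLOCK\n", run_demo());
    return 0;
}
```

With these assumed constants, a 5-second budget yields the same number of "sleeping ... while trying to lock" lines as the log in the commit message.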
Kelvin M. Klann
b66da99f9a
profiles: finish converting private-opt to whitelist (#6785)
Changes:

* Convert all private-opt entries (other than `private-opt none`) to
  whitelist entries
* Remove remaining commented private-opt entries and related comments
  (for profiles that also have a corresponding whitelist entry)
* Enable `whitelist /opt/basilisk` in basilisk.profile (similarly to
  mullvad-browser.profile and palemoon.profile)
* Update private-opt comment in etc/templates/profile.template

Most private-opt entries were converted into whitelist entries on commit
175905530 ("profiles: exchange private-opt with a whitelist (#6021)",
2023-10-18), while some of them were left alone due to the program size
being deemed small enough as not to break file-copy-limit in
firejail.config.

For the sake of simplicity and clarity (and to avoid potential issues
with program install sizes increasing over time), convert those
private-opt entries into whitelist entries as well (note that users can
still enable private-opt in the corresponding .local profile).

Also, some commented private-opt entries remain (with a note about
potential issues with private-opt).

Since commit 175905530 also documented the drawbacks of private-opt in
firejail.1, it should be fine to remove the commented entries and
related comments (note that in all of the profiles containing such
comments, there is already an equivalent whitelist entry).

Related commits:

* f3f739c5d ("microsoft-edge.profile: rewrite profile for stable
  channel", 2022-08-11) /
  PR #5709
* 121e043df ("microsoft-edge-{dev,beta}: replaced private-opt by
  whitelist #5307", 2022-08-11) /
  PR #5709
* 2cb40fbec ("microsoft-edge fixes (#5697)", 2023-03-14)
* 58732a654 ("Add profiles for jami and postman (#5691)", 2023-03-15)
* 175905530 ("profiles: exchange private-opt with a whitelist (#6021)",
  2023-10-18)
2025-06-22 05:07:18 +00:00
Kelvin M. Klann
937ad13b9e
profiles: firecfg: disable foliate (#6784)
It seems unable to open ebooks on Arch (even with `--noprofile` and
`--profile=noprofile`), likely due to webkitgtk / bwrap.

Error log[1]:

    $ firejail --profile=noprofile /usr/bin/foliate
    Reading profile /etc/firejail/noprofile.profile
    firejail version 0.9.74

    Parent pid 16189, child pid 16190
    Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
    Base filesystem installed in 0.01 ms
    Child process initialized in 12.32 ms
    MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:759: FINISHME: support YUV colorspace with DRM format modifiers
    MESA-INTEL: warning: ../mesa-25.1.3/src/intel/vulkan_hasvk/anv_formats.c:790: FINISHME: support more multi-planar formats with DRM modifiers
    bwrap: Can't mount proc on /newroot/proc: Operation not permitted

    ** (com.github.johnfactotum.Foliate:3): ERROR **: 23:16:32.030: Failed to fully launch dbus-proxy: Child process exited with code 1

Relates to #3647 #6782.

[1] https://github.com/netblue30/firejail/issues/6782#issuecomment-2982568811

Reported-by: @rsramkis
2025-06-19 12:16:55 +00:00
Kelvin M. Klann
02ad655df4
profiles: use private-etc groups in more profiles (#6783)
For simplicity and to make diffs more readable.

Use them in the remaining profiles that have `private-etc` enabled but
are not currently using private-etc groups.

Note: All of the profiles in question were created between 0.9.72 and
0.9.74 (which is when private-etc groups were introduced).

Command used to search for relevant profiles:

    $ git grep '^private-etc .*alternatives' -- etc

Misc: The changes were made somewhat manually.

This is a follow-up to #6779.

Relates to #5691 #5706 #5707 #5710 #6007 #6400.
2025-06-18 05:49:26 +00:00
Alpha
05d3145266
profiles: ani-cli: add mpv to private-etc for plugins access (#6779)
Allow ani-cli to access /etc/mpv for mpv plugins/themes/scripts access.

mpv playing under ani-cli cannot use plugins.
Example: Unable to use mpv-mpris plugin when playing anime using
ani-cli.

This patch just adds mpv to private-etc for plugin access.
The profile imports mpv.profile later so all that magic is taken care
of.

Note that in mpv.profile, there is no private-etc definition, but it is
defined in ani-cli.profile.

That's why it is broken.
2025-06-17 05:14:27 +00:00
Kelvin M. Klann
348f657f5a
profiles: ripperx/sound-juicer: fix profile name typos (#6780)
They are currently named as "mpv".

This amends commit 5dbdf657b ("new profiles: ripperx, sound-juicer",
2020-03-19).

Misc: This was noticed on #6779.
2025-06-17 05:08:27 +00:00
Alpha
7a8adf1fdb
profiles: chafa: quiet output (#6777)
When using chafa as an image viewer for other apps, it litters the
output with firejail (debug/output) messages.

Use `quiet` so that the image is displayed cleanly.
2025-06-14 02:51:37 +00:00
Kelvin M. Klann
facaa03df9
profiles: wusc: add /usr/share/xkeyboard-config-2 (#6775)
With xkeyboard-config 2.45, many programs fail to start, such as:
Firefox, Thunderbird, Gajim, KeepassXC, GoldenDict, and Zathura.
Example[1]:

    Reading profile /etc/firejail/zathura.profile
    [...]
    Reading profile /etc/firejail/whitelist-usr-share-common.inc
    Reading profile /etc/firejail/whitelist-var-common.inc
    firejail version 0.9.75

    [...]
    Child process initialized in 197.83 ms
    xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
    xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb

    Parent is shutting down, bye...

It seems that in xkeyboard-config 2.45 the path was changed from:

* /usr/share/X11/xkb

To:

* /usr/share/xkeyboard-config-2

With the former now being a symlink to the latter and with the goal of
using a versioning scheme for the directories, in order to introduce new
file formats with breaking changes while keeping backwards compatibility
in the current file format[2] [3].

Fixes #6773.

Thanks to @oddfellow for finding the root cause and the relevant commit.

[1] https://github.com/netblue30/firejail/issues/6773#issue-3130459006
[2] https://github.com/netblue30/firejail/issues/6773#issuecomment-2956384127
[3] fd1d8d2d4f

Reported-by: @myrslint
Reported-by: @aminvakil
Reported-by: @oddfellow
Reported-by: @reagentoo
2025-06-11 23:18:06 +00:00
Kelvin M. Klann
87183d605c
modif: improve "Failed mount" error messages in util.c (#6747)
Include the relevant mount path(s).

Example:

Before:

    $ firejail --debug --noprofile --blacklist=/run true
    [...]
    Disable /run
    Disable /sys/fs
    Failed mount: No such file or directory
    Error: ../../src/firejail/fs.c:148: disable_file: disable file: No such file or directory
    Error: proc 12345 cannot sync with peer: unexpected EOF
    Peer 12345 unexpectedly exited with status 1

After:

    $ firejail --debug --noprofile --blacklist=/run true
    [...]
    Disable /run
    Disable /sys/fs
    Failed to mount /run/firejail/firejail.ro.dir on /sys/fs: No such file or directory
    Error: ../../src/firejail/fs.c:148: disable_file: disable file: No such file or directory
    Error: proc 12345 cannot sync with peer: unexpected EOF
    Peer 12345 unexpectedly exited with status 1

This helps clarify that it is not possible to blacklist /run, as
firejail uses files inside /run/firejail in order to set up the sandbox.

In the above example, when processing the first blacklist, firejail
bind-mounts /run/firejail/firejail.ro.dir (a directory with no
read/write/execute permissions) on top of /run, rendering /run/firejail
inaccessible.  When attempting to process the next blacklist (for
/sys/fs), firejail is unable to access /run/firejail, so it fails to
bind mount /run/firejail/firejail.ro.dir on top of /sys/fs and aborts.

Relates to #6711 #6740.
2025-06-04 22:41:37 +00:00
dependabot[bot]
8fb210bb7c build(deps): bump github/codeql-action from 3.28.16 to 3.28.18
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.16 to 3.28.18.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](28deaeda66...ff0a06e83c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-01 20:37:57 +00:00
Kelvin M. Klann
4cb5932088 RELNOTES: add bugfix and profile items
Relates to #6729 #6734 #6750 #6751 #6755 #6758 #6759 #6762 #6763.
2025-05-31 09:43:41 -03:00
Kelvin M. Klann
cb7ae18f23
profiles: wine: allow python to fix Epic Games Launcher (#6763)
As reported by @kolAflash[1]:

> ### Description
>
> If `~/.cache/gstreamer-1.0/` is empty, `/usr/lib/python3*` is needed
> to initialize it.
>
> Wine needs gstreamer for example in the case of
> EpicGamesLauncherInstaller.msi[2] (2025-05-29).
>
> ### Steps to Reproduce
>
> 1. Copy `EpicInstaller-18.5.0.msi` to `~/.wine/drive_c/`.
> 2. Run:
>
>     firejail --profile=wine --whitelist="${HOME}"/.wine \
>       wine msiexec /i 'C:\\EpicInstaller-18.5.0.msi' /q
>
>     firejail --profile=wine --whitelist="${HOME}"/.wine \
>       wine 'C:\\Program Files (x86)\\Epic Games\\Launcher\\Portal\\Binaries\\Win32\\EpicGamesLauncher.exe'
>
> ### Expected behavior
>
> Epic Games Launcher login screen should show up.
>
> ### Actual behavior
>
> Epic Games Launcher is stuck loading the login screen.
>
> ### Additional context
>
> Workaround: Add `--noblacklist=/usr/lib/python3*`.

> - Name/version of the relevant program(s)/package(s):
> `gstreamer-1.26.1` by Debian-13, Wine-Devel-10.8 from
> https://gitlab.winehq.org/wine/wine/-/wikis/Debian-Ubuntu

Note: Python is already allowed on lutris.profile and steam.profile.

Fixes #6762.

[1] https://github.com/netblue30/firejail/issues/6762#issue-3101581116
[2] https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi

Reported-by: @kolAflash
Suggested-by: @kolAflash
2025-05-31 12:38:00 +00:00
Kelvin M. Klann
072c15b8bf
profiles: rssguard: allow lua (#6759)
Error log[1]:

    $ firejail rssguard
    Reading profile /etc/firejail/rssguard.profile
    [...]
    rssguard: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied

Fixes #6758.

[1] https://github.com/netblue30/firejail/issues/6758#issue-3088510624

Reported-by: @1eof
2025-05-26 13:41:37 +00:00
Kelvin M. Klann
763229f553
profiles: firecfg: disable checksum programs (#6755)
As reported by @hlein[1]:

> A number of packages can't compile on Gentoo when various `*sum` tools
> are firejailed; they'll die like:
>
>     ...
>     -- Installing: /var/tmp/portage/dev-libs/protobuf-30.2/image/usr/lib64/cmake/protobuf/protobuf-options.cmake
>     Error: too many arguments: argc (166) >= MAX_ARGS (128)
>      * ERROR: dev-libs/protobuf-30.2::gentoo failed (install phase):
>     ...
>      * The specific snippet of code:
>      *       cksum=$(_multilib_header_cksum) || die;
>
> Same for various others.
>
> `_multilib_header_cksum` is defined in `eclass/multilib-build.eclass`
> and it does a `find ... -exec chksum {} +` - behaves similar to `xargs`.
> `chksum` is wrapped by `firecfg` by default.
>
> So this points out anything that uses `find ... -exec ... {} +` or
> `xargs` and runs a firejail'ed process is prone to failure. When building
> a couple hundred packages, these all failed this way:
>
>     # find /var/tmp/portage/ -name build.log | xargs egrep -l MAX_ARGS |
>       cut -d/ -f5,6 | uniq
>     dev-libs/icu-77.1
>     dev-libs/boost-1.88.0-r1
>     dev-libs/protobuf-30.2
>     media-video/ffmpeg-7.1.1-r1
>     app-crypt/rpm-sequoia-1.8.0
>     media-libs/opencv-4.11.0
>     app-misc/binwalk-3.1.0-r1
>     llvm-core/clang-19.1.7
>     llvm-core/llvm-20.1.5
>     x11-libs/wxGTK-3.2.8
>
> The largest of which being:
>
>     # find /var/tmp/portage/ -name build.log | xargs egrep MAX_ARGS |
>       cut -d\( -f2 | cut -d\) -f1 | sort -rn | head -n1
>     1438

Command used to search and replace:

    $ perl -pi -e 's/^[^#]+sum/#$& # breaks with too many arguments (see #4633)/' \
      src/firecfg/firecfg.config

Related commits:

* f7e232c1b ("Add profile for checksum tools", 2021-03-08) /
  PR #4069
* 713249c98 ("sha256sum: add nvm support comment", 2022-03-20) /
  PR #5058
* 7176e6324 ("private-etc: libreoffice, audacity, forzen-bubble,
  transmission, md5sum/sha512sum, more sysutils testing, fix
  electron-hardened.inc.profile", 2023-02-08)
* 028d236b8 ("profiles: firecfg: fix sha384sum & add b2sum/cksum
  (#6578)", 2024-12-26)
* afce4679b ("New profile: b3sum (blake3) (#6577)", 2024-12-26)

Relates to #4633.

[1] https://github.com/netblue30/firejail/issues/4633#issuecomment-2889232775

Reported-by: @hlein
2025-05-23 11:28:14 +00:00
jlimor-kl
f4b8c6dbb9
bugfix: fix potential deadlock with flock + SIGTSTP (#6750)
As reported by @hlein in #6729, if a firejailed process is `^Z`'d at the
wrong time during startup, other firejail processes will be unable to
proceed because they'll wait forever for an flock on
`/run/firejail/firejail-run.lock`.

This fixes that by installing a signal handler to catch SIGTSTP (Ctrl-Z)
before acquiring locks. The handler increments a flag to allow for
re-sending the SIGTSTP signal after locks have been released.

Deadlock Reproducer:

Note: The length of the sleep should be adjusted until the debug output
resembles the output below:

    $ firejail --debug id & P=$!;sleep 0.0005;kill -TSTP $P
    [1] 16130
    Looking for kernel processes
    Found kthreadd process, we are not running in a sandbox
    pid=16130: locking /run/firejail/firejail-run.lock ...
    pid=16130: locked /run/firejail/firejail-run.lock

    [1]+  Stopped                 firejail --debug id

Further calls to firejail will hang due to the stopped process holding
the firejail-run lock.

    $ firejail id
    ^C

With this commit:

    $ firejail --debug id & P=$!;sleep 0.0005;kill -TSTP $P
    [1] 16504
    Looking for kernel processes
    Found kthreadd process, we are not running in a sandbox
    pid=16504: locking /run/firejail/firejail-run.lock ...
    pid=16504: locked /run/firejail/firejail-run.lock
    pid=16504: caught SIGTSTP while locks are held
    pid=16504: unlocking /run/firejail/firejail-run.lock ...
    pid=16504: unlocked /run/firejail/firejail-run.lock
    pid=16504: resending caught SIGTSTP

    [1]+  Stopped                 firejail --debug id

Due to the locks being properly released before the process is stopped,
new firejail processes will not hang while acquiring the lock.

Fixes #6729.

Reported-by: @hlein
2025-05-21 10:18:55 +00:00
Fidel Ramos
b84e2591a8
New profile: ansel (#6751)
This adds support for Ansel, a Darktable fork:
https://github.com/aurelienpierreeng/ansel/

The profile is based on darktable.profile. I have personally tested it
and it works.
2025-05-19 19:36:52 +00:00
Antonio Russo
977eac3ba4
bugfix: add missing selinux relabeling for /dev paths (#6734)
Some objects are created in fs_dev but not labeled.  This patch ensures
that those objects are properly labeled.

Signed-off-by: Antonio Enrico Russo <aerusso@aerusso.net>
2025-05-15 14:04:10 +00:00
Kelvin M. Klann
0d8973638c RELNOTES: add build and profile items
Relates to #6732 #6735 #6736 #6737 #6738.
2025-05-06 06:12:46 -03:00
Kelvin M. Klann
2fa577efd9
build: replace _SYSCONFDIR_ with @sysconfdir@ (#6737)
For consistency, use the conventional autoconf variable name (see also
config.mk.in).

Commands used to search and replace:

    $ git grep -Ilz '_SYSCONFDIR_' | xargs -0 \
      perl -pi -e 's/_SYSCONFDIR_/\@sysconfdir\@/'

Added on commit a37ffc337 ("Add first version of zsh completion",
2021-01-02) / PR #3864.
2025-05-06 09:11:26 +00:00
matthew-sharp
a7b441c4f1
profiles: discord-common: add env to private-bin (#6738)
The discord wrapper script in gentoo runs `#!/usr/bin/env bash`.

See https://github.com/gentoo/gentoo/blob/master/net-im/discord/files/launcher.sh
2025-05-06 08:56:20 +00:00
Kelvin M. Klann
a03c7f6b25
profiles: curl: allow ~/.netrc (#6736)
From curl(1):

> -n, --netrc
>        Make curl scan the .netrc file in the user's home directory for
>        login name and password. This is typically used for FTP on
>        Unix.  If used with HTTP, curl enables user authentication. See
>        netrc(5) and ftp(1) for details on the file format. curl does
>        not complain if that file does not have the right permissions
>        (it should be neither world- nor group-readable). The
>        environment variable "HOME" is used to find the home directory.

Environment: curl 8.13.0-2 on Artix Linux.

This is a follow-up to #6735.
2025-05-06 08:52:11 +00:00
Kelvin M. Klann
89587226ed
profiles: mpv: remove mkfile ~/.netrc (#6735)
To reduce clutter in the user home.

This file is apparently intended to specify login information for remote
systems, such as username and password for ftp/http connections
(similarly to using ~/.ssh/config for ssh connections).

From inetutils.info of GNU inetutils 2.6, which provides ftp and telnet
binaries (among others):

> 11.7 The ‘.netrc’ file

> The ‘.netrc’ file contains login and initialization information used
> by the auto-login process.  It generally resides in the user's home
> directory, but a location outside of the home directory can be set
> using the environment variable ‘NETRC’.  Both locations are overridden
> by the command line option ‘-N’.  The selected file must be a regular
> file, or access will be denied.

It seems that the file is intended to be created manually (just like
~/.ssh/config), as it is not mentioned in mpv(1).  mpv supports using
yt-dlp and ~/.netrc is mentioned in yt-dlp(1), though it does not look
like it would create the file either.

Note also that this entry is not present in any other profile (including
the ones that allow ~/.netrc).

Related commits:

* 5d741795c ("Use whitelisting for video players (#3472)", 2020-08-15)
* 8bf892d67 ("Fix missing mkfile in
  5d741795c3", 2020-08-16)

This is a follow-up to #6732.
2025-05-06 08:52:01 +00:00
Kelvin M. Klann
8b60da9811
profiles: remove mkdir ~/.pki (#6732)
To reduce clutter in the user home.

This appears to be a legacy path and the relevant profiles already
create an XDG path as well:

    mkdir ${HOME}/.local/share/pki

From nss 3.111[1]:

    /**
     * Return the path to user's NSS database.
     * We search in the following dirs in order:
     * (1) $HOME/.pki/nssdb;
     * (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set;
     * (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value).
     * If (1) does not exist, then the returned dir will be set to either
     * (2) or (3), depending if XDG_DATA_HOME is set.
     */

The XDG path has apparently been supported since nss 3.42, which was
released on 2019-01-25[2] [3] [4].

Misc: The original path was first added on commit 3a71eb2af ("added
mkdir in all whitelisted profiles", 2016-02-18) and the XDG path was
first added on commit 63c35052b ("Add '$HOME/.local/share/pki' to
blacklist", 2019-02-03).

Relates to #4262.

[1] https://github.com/nss-dev/nss/blob/NSS_3_111_RTM/lib/sysinit/nsssysinit.c#L64-L72
[2] https://github.com/nss-dev/nss/blob/NSS_3_42_RTM/lib/sysinit/nsssysinit.c#L65-L73
[3] 7f21d4f497
[4] https://github.com/nss-dev/nss/releases/tag/NSS_3_42_RTM
2025-05-04 05:13:08 +00:00
dependabot[bot]
2f1b51ab35 build(deps): bump step-security/harden-runner from 2.11.0 to 2.12.0
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.11.0 to 2.12.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](4d991eb9b9...0634a2670c)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-02 07:56:13 +00:00
dependabot[bot]
c95f036476 build(deps): bump github/codeql-action from 3.28.13 to 3.28.16
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.13 to 3.28.16.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](1b549b9259...28deaeda66)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-02 07:56:04 +00:00
netblue30
e2f372fd70 Merge branch 'master' of ssh://github.com/netblue30/firejail 2025-04-30 07:50:40 -04:00
netblue30
9b40f18013 more static map fixes 2025-04-30 07:50:30 -04:00
Kelvin M. Klann
726d956826 RELNOTES: add modif and profile items
Relates to #6707 #6716 #6718 #6719 #6724.
2025-04-30 08:20:50 -03:00
netblue30
3f294cb3dc
Merge pull request #6724 from kmk3/modif-keep-tcm
modif: keep tcm/tcmrm devices if keep-dev-tpm is used
2025-04-30 06:59:22 -04:00