It still timeouts randomly, even with the changes from commit b613c3062
("tests: man: fix timeout error (#6949)", 2025-10-29).
When the test passes, the relevant commands appear to execute in less
than a second.
Log from a successful run of test-network on commit f5d82cc58 ("feature:
add env-max-count / env-max-len to firejail.config (#6951)",
2025-11-01)[1]:
2025-11-01T13:57:55.6533345Z /usr/bin/man
2025-11-01T13:57:55.6533649Z TESTING: man
2025-11-01T13:57:55.6564238Z spawn /bin/bash
2025-11-01T13:57:57.1602002Z rm -f /tmp/t
2025-11-01T13:57:57.1612808Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$ rm -f /tmp/t
2025-11-01T13:57:57.1613686Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$
2025-11-01T13:57:57.1614509Z <st/sysutils$ firejail /usr/bin/man firecfg > /tmp/t
2025-11-01T13:57:57.1615014Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$ cat /tmp/t
2025-11-01T13:57:57.1615466Z FIRECFG(1) firecfg man page FIRECFG(1)
2025-11-01T13:57:57.1615727Z
2025-11-01T13:57:57.1615799Z NAME
2025-11-01T13:57:57.1616119Z Firecfg - Desktop integration utility for Firejail software.
[...]
2025-11-01T13:57:57.1627646Z OPTIONS
2025-11-01T13:57:57.1627819Z --add-users user [user]
2025-11-01T13:57:57.7620833Z
2025-11-01T13:57:57.7621314Z all done
2025-11-01T13:57:57.7621564Z
2025-11-01T13:57:57.7634133Z /usr/bin/wget
2025-11-01T13:57:57.7634892Z TESTING: FIXME: wget
Misc: It seems that the last commit to disable a test in this manner was
commit 7e91a0414 ("tests: disable broken wget tests in utils/sysutils",
2023-08-28).
[1] https://github.com/netblue30/firejail/actions/runs/18997725218/job/54259933026
Replace the hardcoded `MAX_ENVS` and `MAX_ENV_LEN` limits with new
global configuration options, `env-max-count` and `env-max-len`, which
limit the maximum number of environment variables and the maximum length
of each environment variable (respectively).
Also, include the environment name and value in the "too long
environment variable" error message, similarly to the "too long
argument" error message (see PR #4676 and PR #5677).
This is a follow-up to #6878.
Closes#3678.
Replace the hardcoded `MAX_ARGS` and `MAX_ARG_LEN` limits with new
global configuration options, `arg-max-count` and `arg-max-len`, which
limit the maximum number of command-line arguments and the maximum
length of each argument (respectively).
Closes#4633.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
For a long time there have been intermittent failures in CI when trying
to open the firejail man page with `man`[1]:
2025-08-05T14:15:03.2742048Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$ rm -f /tmp/t
2025-08-05T14:15:03.2742725Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$
2025-08-05T14:15:03.2743522Z <ejail/test/sysutils$ firejail man firejail > /tmp/t
2025-08-05T14:15:03.2743913Z cat /tmp/t
2025-08-05T14:15:03.5645359Z troff: <standard input>:89: warning [p 2, 2.3i]: cannot adjust line
2025-08-05T14:15:03.5862718Z troff: <standard input>:3738: warning [p 40, 11.8i]: cannot adjust line
2025-08-05T14:15:13.5920525Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$ TESTING ERROR 0
It seems to happen due to a timeout, so use the firecfg man page
instead, as that results in over 10 times less lines in the output and
thus should be less likely to cause issues:
$ man src/man/firejail.1.in | wc -l
3057
$ man src/man/firecfg.1.in | wc -l
184
Also, use the full path to `man` just in case.
[1] https://github.com/netblue30/firejail/actions/runs/16752574198/job/47426439265
Note: We ship a file in this directory since commit 16afd8c8e ("Add
basic gtksourceview language-spec (#5502)", 2022-12-04)
This is a follow-up to #6909.
Allow the folder that Day of the Tentacle Remastered uses to store save
files. Without adding them in the steam profile, save states don't work
in the game (or it didn't even start, don't remember exactly).
See https://www.pcgamingwiki.com/wiki/Day_of_the_Tentacle_Remastered
Probably it would also allow save games for other games done by
doublefine (https://store.steampowered.com/developer/doublefine), but I
have no other game from them and I have not checked it.
Clarify that even though Unix sockets are an IPC mechanism, IPC
namespaces do not affect them (see ipc_namespaces(7)).
Relates to #6928.
Reported-by: @tupo2
The start-mullvad-browser script uses readlink and realpath when
it is a symlink, so these need to be included as part of private-bin,
or the following error dialog appears, and the browser fails to start:
start-mullvad-browser cannot be run using a symlink on this operating system.
This problem is observed using Mullvad Browser 14.5.7 as packaged
for Fedora 42.
Repo: https://repository.mullvad.net/rpm/stable/mullvad.repo
Fedora script path: /usr/lib/mullvad-browser/start-mullvad-browser
Upstream: 2f802636b8/projects/browser/RelativeLink/start-browser (L202-207)
This directory is part of the gtk4 package (version 1:4.20.1-1) on Artix
Linux.
Add it just in case, as wusc already contains the same analogous paths
for gtk2 and gtk3.
This is a follow-up to #6907.
This is apparently needed by glycin/gdk-pixbuf2, which is used by many
programs, such as Firefox and GIMP.
Relates to #6906.
Reported-by: @myrslint
Suggsted-by: @myrslint
The base-2 units are more accurate, as `--rlimit-as=1K` is equivalent to
`--rlimit-as=1024`, not `--rlimit-as=1000`, for example.
This is a follow-up to #6891.
Relates to #4315.
Changes:
* Remove unrelated `strerror` output from some error messages
* Remove periods from some error messages
* Ensure that the invalid value is in the error message
* Ensure that the full command name is in the error message (instead of
just `rlimit` in some cases)
* Standardize output
* tests: Expect the full command name (and argument in some cases)
Examples:
Before:
$ firejail --quiet --noprofile --rlimit-cpu=-1 /bin/true
Error: invalid rlimit -1
$ firejail --quiet --noprofile --rlimit-nproc=-1 /bin/true
Error: invalid rlimit -1
$ firejail --quiet --noprofile --rlimit-as=-1 /bin/true
Error: invalid rlimit-as. Only use positive numbers and K, M or G suffix.: No such file or directory
After:
$ firejail --quiet --noprofile --rlimit-cpu=-1 /bin/true
Error: invalid rlimit-cpu: -1
$ firejail --quiet --noprofile --rlimit-nproc=-1 /bin/true
Error: invalid rlimit-nproc: -1
$ firejail --quiet --noprofile --rlimit-as=-1 /bin/true
Error: invalid rlimit-as: -1; use only positive numbers and K, M or G suffix
This is a follow-up to #6891.
Relates to #4315.
Note: They are already sorted in the following files:
* contrib/syntax/lists/profile_commands_arg1.list
* src/firejail/usage.c
* src/man/firejail-profile.5.in
* src/man/firejail.1.in
* src/zsh_completion/_firejail.in
* test/environment/rlimit-bad-profile.exp
* test/environment/rlimit-bad.exp
Related commits:
* 137985136 ("Baseline firejail 0.9.28", 2015-08-08)
* caefb7929 ("RLIMIT_AS", 2017-10-13) / PR #1604
* e8685de73 ("implemented --rlimit-cpu - set max CPU time for processes
running in the sandbox; for issue #1614, more to come...", 2017-10-24)
Add the specific rlimit command name to the filename.
Commands used to rename the files:
git mv rlimit-bad1.profile rlimit-bad-fsize.profile
git mv rlimit-bad2.profile rlimit-bad-nofile.profile
git mv rlimit-bad3.profile rlimit-bad-nproc.profile
git mv rlimit-bad4.profile rlimit-bad-sigpending.profile
Added on commit d30ae468d ("testing", 2016-11-19).
For better usability and because the proper suffixes (KiB, MiB and GiB)
are uppercase.
Affected commands:
* `rlimit-as`
* `rlimit-fsize`
Before:
$ firejail --quiet --noprofile --rlimit-as=100m /bin/true
$ firejail --quiet --noprofile --rlimit-as=100M /bin/true
Error: invalid rlimit-as. Only use positive numbers and k, m or g suffix.: No such file or directory
After:
$ firejail --quiet --noprofile --rlimit-as=100m /bin/true
$ firejail --quiet --noprofile --rlimit-as=100M /bin/true
Relates to #4315.
On each profile, ensure that the `blacklist` section is right above the
`include disable` section.
See etc/templates/profile.template.
Misc: This appears to affect about a third of the profiles that contain
`blacklist` entries:
$ git grep -El '^#?blacklist ' -- etc/profile* | wc -l
158
$ git diff --name-only f1381b342 | wc -l
49
Kind of relates to commit 04efbb276 ("profiles: replace x11 socket
blacklist with disable-X11.inc", 2024-03-22) / PR #6286.
