It still timeouts randomly, even with the changes from commit b613c3062
("tests: man: fix timeout error (#6949)", 2025-10-29).
When the test passes, the relevant commands appear to execute in less
than a second.
Log from a successful run of test-network on commit f5d82cc58 ("feature:
add env-max-count / env-max-len to firejail.config (#6951)",
2025-11-01)[1]:
2025-11-01T13:57:55.6533345Z /usr/bin/man
2025-11-01T13:57:55.6533649Z TESTING: man
2025-11-01T13:57:55.6564238Z spawn /bin/bash
2025-11-01T13:57:57.1602002Z rm -f /tmp/t
2025-11-01T13:57:57.1612808Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$ rm -f /tmp/t
2025-11-01T13:57:57.1613686Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$
2025-11-01T13:57:57.1614509Z <st/sysutils$ firejail /usr/bin/man firecfg > /tmp/t
2025-11-01T13:57:57.1615014Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$ cat /tmp/t
2025-11-01T13:57:57.1615466Z FIRECFG(1) firecfg man page FIRECFG(1)
2025-11-01T13:57:57.1615727Z
2025-11-01T13:57:57.1615799Z NAME
2025-11-01T13:57:57.1616119Z Firecfg - Desktop integration utility for Firejail software.
[...]
2025-11-01T13:57:57.1627646Z OPTIONS
2025-11-01T13:57:57.1627819Z --add-users user [user]
2025-11-01T13:57:57.7620833Z
2025-11-01T13:57:57.7621314Z all done
2025-11-01T13:57:57.7621564Z
2025-11-01T13:57:57.7634133Z /usr/bin/wget
2025-11-01T13:57:57.7634892Z TESTING: FIXME: wget
Misc: It seems that the last commit to disable a test in this manner was
commit 7e91a0414 ("tests: disable broken wget tests in utils/sysutils",
2023-08-28).
[1] https://github.com/netblue30/firejail/actions/runs/18997725218/job/54259933026
For a long time there have been intermittent failures in CI when trying
to open the firejail man page with `man`[1]:
2025-08-05T14:15:03.2742048Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$ rm -f /tmp/t
2025-08-05T14:15:03.2742725Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$
2025-08-05T14:15:03.2743522Z <ejail/test/sysutils$ firejail man firejail > /tmp/t
2025-08-05T14:15:03.2743913Z cat /tmp/t
2025-08-05T14:15:03.5645359Z troff: <standard input>:89: warning [p 2, 2.3i]: cannot adjust line
2025-08-05T14:15:03.5862718Z troff: <standard input>:3738: warning [p 40, 11.8i]: cannot adjust line
2025-08-05T14:15:13.5920525Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$ TESTING ERROR 0
It seems to happen due to a timeout, so use the firecfg man page
instead, as that results in over 10 times less lines in the output and
thus should be less likely to cause issues:
$ man src/man/firejail.1.in | wc -l
3057
$ man src/man/firecfg.1.in | wc -l
184
Also, use the full path to `man` just in case.
[1] https://github.com/netblue30/firejail/actions/runs/16752574198/job/47426439265
Changes:
* Remove unrelated `strerror` output from some error messages
* Remove periods from some error messages
* Ensure that the invalid value is in the error message
* Ensure that the full command name is in the error message (instead of
just `rlimit` in some cases)
* Standardize output
* tests: Expect the full command name (and argument in some cases)
Examples:
Before:
$ firejail --quiet --noprofile --rlimit-cpu=-1 /bin/true
Error: invalid rlimit -1
$ firejail --quiet --noprofile --rlimit-nproc=-1 /bin/true
Error: invalid rlimit -1
$ firejail --quiet --noprofile --rlimit-as=-1 /bin/true
Error: invalid rlimit-as. Only use positive numbers and K, M or G suffix.: No such file or directory
After:
$ firejail --quiet --noprofile --rlimit-cpu=-1 /bin/true
Error: invalid rlimit-cpu: -1
$ firejail --quiet --noprofile --rlimit-nproc=-1 /bin/true
Error: invalid rlimit-nproc: -1
$ firejail --quiet --noprofile --rlimit-as=-1 /bin/true
Error: invalid rlimit-as: -1; use only positive numbers and K, M or G suffix
This is a follow-up to #6891.
Relates to #4315.
Note: They are already sorted in the following files:
* contrib/syntax/lists/profile_commands_arg1.list
* src/firejail/usage.c
* src/man/firejail-profile.5.in
* src/man/firejail.1.in
* src/zsh_completion/_firejail.in
* test/environment/rlimit-bad-profile.exp
* test/environment/rlimit-bad.exp
Related commits:
* 137985136 ("Baseline firejail 0.9.28", 2015-08-08)
* caefb7929 ("RLIMIT_AS", 2017-10-13) / PR #1604
* e8685de73 ("implemented --rlimit-cpu - set max CPU time for processes
running in the sandbox; for issue #1614, more to come...", 2017-10-24)
Add the specific rlimit command name to the filename.
Commands used to rename the files:
git mv rlimit-bad1.profile rlimit-bad-fsize.profile
git mv rlimit-bad2.profile rlimit-bad-nofile.profile
git mv rlimit-bad3.profile rlimit-bad-nproc.profile
git mv rlimit-bad4.profile rlimit-bad-sigpending.profile
Added on commit d30ae468d ("testing", 2016-11-19).
Use `Error: ` instead of just `Error `, for consistency with the other
error messages.
Related commits:
* b963fe41a ("Improve errExit error messages", 2023-06-16) /
PR #5871
* a8abb7800 ("modif: Change errExit msg format to match assert",
2024-01-14) /
PR #6158
Misc: This was noticed on #6705.
To make hardware tokens available for ordinary users, some distributions
include a udev rule to make the corresponding entry in /dev available
for users belonging to a specific group.
In the case of Void Linux, it now uses the `plugdev` group for FIDO2
access[1] and when using a YubiKey, it appears as the following device
nodes:
$ find /dev -group plugdev | LC_ALL=C sort -u
/dev/hidraw1
/dev/hidraw2
$ ls -l /dev/hidraw1 /dev/hidraw2
crw-rw---- 1 root plugdev 240, 1 Mar 7 19:53 /dev/hidraw1
crw-rw---- 1 root plugdev 240, 2 Mar 7 19:53 /dev/hidraw2
[1] https://github.com/void-linux/void-packages/pull/54519
Commands used to check for issues:
git grep 'Copyright .*Firejail' | grep -v 2014-2025
Misc: This was noticed on commit 212ac3cb1 ("update copyright",
2025-01-12).
Tools:
* gzip
* install
* rm
* strip
* tar
For the programs not checked in configure.ac:
From the manual of GNU Autoconf (version 2.71):
> If you use `AC_PROG_INSTALL`, you must include `install-sh` in your
> distribution
So set `install` just in the Makefile. Use `$(RM)` to ensure that `-f`
is always used and to make it easier to spot when `-r` is used.
See commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
This amends commit 29da82d08 ("private-etc: kdiff3, gzip, gunzip, tar
etc", 2023-02-10).
This is causing CI to fail, as "index.html" has nothing to do with
gzip.exp[1]:
##[group]Run make test-sysutils
make test-sysutils
shell: /usr/bin/bash -e {0}
env:
SHELL: /bin/bash
##[endgroup]
make -C test sysutils
make[1]: Entering directory '/home/runner/work/firejail/firejail/test'
cd sysutils && ./sysutils.sh 2>&1 | tee sysutils.log
/usr/bin/gzip
TESTING: gzip
spawn /bin/bash
rm index.html*
runner@fv-az1391-790:~/work/firejail/firejail/test/sysutils$ rm index.html*
rm: cannot remove 'index.html*': No such file or directory
runner@fv-az1391-790:~/work/firejail/firejail/test/sysutils$
<irejail gzip -c ../../mkdeb.sh | firejail gunzip -c
TESTING ERROR 1
[1] https://github.com/netblue30/firejail/actions/runs/8739405468/job/23982517624:
For consistency and to make it clearer where jobs differ (for example,
to see where `--enable-analyzer` is used).
Changes:
* Always use --prefix=/usr and --enable-fatal-warnings (except in the
Alpine job due to current warnings; see #6224)
* Use the same argument order
Note: mkdeb.sh and platform/rpm/mkrpm.sh already pass `--prefix=/usr` to
./configure.
Currently the number of make jobs used for the default build target are
hardcoded and the value used varies across files.
For consistency (and potentially better performance), use
`make -j "$(nproc)"` everywhere that `make -j` is currently used.
Kind of relates to commit 500d8f2d6 ("ci: run make in parallel where
applicable", 2023-08-14) / PR #5960.
In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to test/compile/compile.sh not being able to source config.mk (which is
created by ./configure):
dpkg-source -i -I --before-build .
[...]
dh_auto_clean
make -j2 distclean
make[1]: Entering directory '/builds/Firejail/firejail_ci'
error: run ./configure to generate config.mk
[...]
cd compile && ./compile.sh --clean
./compile.sh: line 15: ./../../config.sh: No such file or directory
make[2]: *** [Makefile:24: clean] Error 1
This amends commit 152a21f15 ("build: simplify clean target",
2023-07-29) / PR #6186.
It was broken likely due to `private-dev` being added to default.profile
on commit 307dad542 ("adding private-tmp and private-dev to
default.profile", 2023-08-20).
So ignore `private-dev` in the test and make sure to run the tests when
default.profile changes.
This amends commit 75cefd5b1 ("tests: fix error when /dev/kmsg is
missing", 2023-08-21).
This fixes the following errors:
$ make clean
[...]
cd test/compile; ./compile.sh --clean; cd ../..
./compile.sh: line 55: TARNAME: command not found
./compile.sh: line 55: VERSION: command not found
This amends commit 200f389ed ("build: use config.sh in more scripts",
2023-07-28) / PR #5927.
The `shell` option has been removed. Remove stale references.
This does NOT remove `shell none`-related code comments in:
- src/firejail/fs_lib.c (L433-L441)
- src/firejail/join.c (L415-L417)
Relates to #5196.
Suggested by #5891.
Changes:
* Move msg to the end of errExit (right before perror(3p))
* Include the full file path (within the repository)
* Add "()" to function name for clarity
Before:
Error malloc: main.c:123 main: Cannot allocate memory
After:
Error src/firejail/main.c:123 main(): malloc: Cannot allocate memory
Note: This clarifies which is the exact file that the error message
comes from, as there are many source files with the same name. For
example:
$ git ls-files 'src/*/main.c' | wc -l
20
To reduce the amount of boilerplate in the makefiles.
This amends commit 9789c263a ("build: disable all built-in implicit make
rules", 2023-06-21) / PR #5864.
Use `make -r` to reduce unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~93.3% (~97.5% compared to a8f01a383) for the default build and by
~83.3% (~99.3% compared to a8f01a383) for the "man" target (as an
example):
$ git show --pretty='%h %ai %s' -s
a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6798
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
# (in the previous commit)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
2535
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
42
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
170
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
7
Environment: GNU make 4.4.1-2 on Artix Linux.
Note: According to make(1p) in POSIX.1-2017, "If .SUFFIXES does not have
any prerequisites, the list of known suffixes shall be cleared.", while
"The result of setting MAKEFLAGS in the Makefile is unspecified."
Commands used to search and replace:
$ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed -E \
's/^(.SUFFIXES:)/\1\nMAKEFLAGS += -r\n/' '{}')\" >'{}'"
Clear `.SUFFIXES:` to reduce unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~62% for the default build and by ~96% for the "man" target (as an
example):
$ git checkout master >/dev/null 2>&1
$ git show --pretty='%h %ai %s' -s
a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6798
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
2535
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
42
Environment: GNU make 4.4.1-2 on Artix Linux.
Commands used to search and replace:
$ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed '1s/^/.SUFFIXES:\n/' '{}')\" >'{}'"
See also commit f48886f25 ("build: mark most phony targets as such",
2023-02-01) / PR #5637.
