On each profile, ensure that the `blacklist` section is right above the
`include disable` section.
See etc/templates/profile.template.
Misc: This appears to affect about a third of the profiles that contain
`blacklist` entries:
$ git grep -El '^#?blacklist ' -- etc/profile* | wc -l
158
$ git diff --name-only f1381b342 | wc -l
49
Kind of relates to commit 04efbb276 ("profiles: replace x11 socket
blacklist with disable-X11.inc", 2024-03-22) / PR #6286.
From @kolAflash[1]:
> The `noinput` setting for Wine prevents Joysticks from being used in
> Wine.
> Use the Wine "control" center for testing: `wine control`.
>
> There you find a `Gamecontroller` program for testing.
Fixes #6866.
Relates to #6707.
[1] https://github.com/netblue30/firejail/issues/6866#issue-3328634575
Suggested-by: @kolAflash
Besides ignoring whitelist-run-user-common.inc itself, also ignore the
lines from the keepassxc comment from firefox-common.profile, to prevent
them from applying whitelisting to `${RUNUSER}`, which could break the
program due to missing xorg/wayland sockets from wruc.
This amends commit b787548b1 ("profiles: browsers: centralize/sync
keepassxc extension comment", 2024-07-14) / PR #6486.
Fixes #6839.
Reported-by: @Gilrain
Reported-by: @rusty-snake
Tridactyl: The default rc path isn't only `~/.tridactylrc`, but also
`~/.config/tridactyl/tridactylrc`.
Actually, the second path is more default than other paths.
Fixes #6720.
`xreader` fails to start on my system with `no3d`. The error is related
to `/dev/dri`:
$ firejail --private=Documents/ xreader
Reading profile /etc/firejail/xreader.profile
...
MESA: error: Failed to query drm device.
libEGL warning: egl: failed to create dri2 screen
libEGL warning: DRI2: could not open /dev/dri/card1 (No such file or directory)
MESA: error: ZINK: failed to choose pdev
libEGL warning: egl: failed to create dri2 screen
$ xreader --version
xreader 4.2.6
Environment: Intel GPU on Linux Mint 22.1.
Removing `no3d` fixes the problem.
It is a GUI program and without it the program does not start due to a
dbus error[1]:
$ firejail keepassxc
Reading profile /etc/firejail/keepassxc.profile
[...]
firejail version 0.9.74
[...]
Child process initialized in 698.63 ms
dbus[23]: D-Bus library appears to be incorrectly set up: see the manual page for dbus-uuidgen to correct this issue. (Failed to open "/var/lib/dbus/machine-id": No such file or directory; Failed to open "/etc/machine-id": No such file or directory)
D-Bus not built with -rdynamic so unable to print a backtrace
Parent is shutting down, bye...
This issue is also mentioned in src/include/etc_groups.h:
// @x11
static char *etc_group_x11[] = {
// [...]
"machine-id", // QT dbus lib is crashing without it!
// [...]
NULL
};
This amends commit 5d0822c52 ("private-etc: big profile changes",
2023-02-05).
Fixes #6827.
Relates to #6400.
[1] https://github.com/netblue30/firejail/issues/6827#issue-3228990975
Reported-by: @Rosika2
`hosts.conf` was added in #3849 and is only used in 3 profiles, while
all other profiles use `host.conf` (which is documented in
`host.conf(5)`):
$ git grep -E 'private-etc .*,host\.conf(,|$| +#)' -- etc | wc -l
64
$ git grep -E 'private-etc .*,hosts\.conf(,|$| +#)' -- etc | wc -l
3
Considering that and as discussed with @bbhtt (the author of #3849),
`hosts.conf` is likely a typo of `host.conf`[1].
Commands used to search and replace:
$ git grep -IElz 'private-etc .*,hosts\.conf(,|$| +#)' -- etc |
xargs -0 \
perl -pi -e 's/(private-etc .*,)hosts\.conf(,|$| +#)/$1host.conf$2/'
Related commits:
* a8a8e33bc ("Add whitelisting to mutt; improve geary, new profile for
neomutt", 2020-12-28) /
PR #3849
* 144aee26f ("Improve whitelisting and dbus of Sylpheed and Claws-mail",
2020-12-31) /
PR #3849
Kind of relates to #6400.
[1] https://github.com/netblue30/firejail/pull/3849#issuecomment-3001532350
Changes:
* Convert all private-opt entries (other than `private-opt none`) to
whitelist entries
* Remove remaining commented private-opt entries and related comments
(for profiles that also have a corresponding whitelist entry)
* Enable `whitelist /opt/basilisk` in basilisk.profile (similarly to
mullvad-browser.profile and palemoon.profile)
* Update private-opt comment in etc/templates/profile.template
Most private-opt entries were converted into whitelist entries on commit
175905530 ("profiles: exchange private-opt with a whitelist (#6021)",
2023-10-18), while some of them were left alone due to the program size
being deemed small enough as not to break file-copy-limit in
firejail.config.
For the sake of simplicity and clarity (and to avoid potential issues
with program install sizes increasing over time), convert those
private-opt entries into whitelist entries as well (note that users can
still enable private-opt in the corresponding .local profile).
Also, some commented private-opt entries remain (with a note about
potential issues with private-opt).
Since commit 175905530 also documented the drawbacks of private-opt in
firejail.1, it should be fine to remove the commented entries and
related comments (note that in all of the profiles containing such
comments, there is already an equivalent whitelist entry).
Related commits:
* f3f739c5d ("microsoft-edge.profile: rewrite profile for stable
channel", 2022-08-11) /
PR #5709
* 121e043df ("microsoft-edge-{dev,beta}: replaced private-opt by
whitelist #5307", 2022-08-11) /
PR #5709
* 2cb40fbec ("microsoft-edge fixes (#5697)", 2023-03-14)
* 58732a654 ("Add profiles for jami and postman (#5691)", 2023-03-15)
* 175905530 ("profiles: exchange private-opt with a whitelist (#6021)",
2023-10-18)
For simplicity and to make diffs more readable.
Use them in the remaining profiles that have `private-etc` enabled but
are not currently using private-etc groups.
Note: All of the profiles in question were created between 0.9.72 and
0.9.74 (which is when private-etc groups were introduced).
Command used to search for relevant profiles:
$ git grep '^private-etc .*alternatives' -- etc
Misc: The changes were made somewhat manually.
This is a follow-up to #6779.
Relates to #5691 #5706 #5707 #5710 #6007 #6400.
Allow ani-cli to access /etc/mpv for mpv plugins/themes/scripts access.
mpv playing under ani-cli cannot use plugins.
Example: Unable to use mpv-mpris plugin when playing anime using
ani-cli.
This patch just adds mpv to private-etc for plugin access.
The profile imports mpv.profile later so all that magic is taken care
of.
Note that in mpv.profile, there is no private-etc definition, but it is
defined in ani-cli.profile.
That's why it is broken.
When using chafa as an image viewer for other apps, it litters the
output with firejail (debug/output) messages.
Use `quiet` so that the image is displayed cleanly.
With xkeyboard-config 2.45, many programs fail to start, such as:
Firefox, Thunderbird, Gajim, KeepassXC, GoldenDict, and Zathura.
Example[1]:
Reading profile /etc/firejail/zathura.profile
[...]
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.75
[...]
Child process initialized in 197.83 ms
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
xkbcommon: ERROR: failed to add default include path /usr/share/X11/xkb
Parent is shutting down, bye...
It seems that in xkeyboard-config 2.45 the path was changed from:
* /usr/share/X11/xkb
To:
* /usr/share/xkeyboard-config-2
With the former now being a symlink to the latter and with the goal of
using a versioning scheme for the directories, in order to introduce new
file formats with breaking changes while keeping backwards compatibility
in the current file format[2] [3].
Fixes #6773.
Thanks to @oddfellow for finding the root cause and the relevant commit.
[1] https://github.com/netblue30/firejail/issues/6773#issue-3130459006
[2] https://github.com/netblue30/firejail/issues/6773#issuecomment-2956384127
[3] fd1d8d2d4f
Reported-by: @myrslint
Reported-by: @aminvakil
Reported-by: @oddfellow
Reported-by: @reagentoo
This adds support for Ansel, a Darktable fork:
https://github.com/aurelienpierreeng/ansel/
The profile is based on darktable.profile. I have personally tested it
and it works.
From curl(1):
> -n, --netrc
> Make curl scan the .netrc file in the user's home directory for
> login name and password. This is typically used for FTP on
> Unix. If used with HTTP, curl enables user authentication. See
> netrc(5) and ftp(1) for details on the file format. curl does
> not complain if that file does not have the right permissions
> (it should be neither world- nor group-readable). The
> environment variable "HOME" is used to find the home directory.
Environment: curl 8.13.0-2 on Artix Linux.
This is a follow-up to #6735.
To reduce clutter in the user home.
This file is apparently intended to specify login information for remote
systems, such as username and password for ftp/http connections
(similarly to using ~/.ssh/config for ssh connections).
From inetutils.info of GNU inetutils 2.6, which provides ftp and telnet
binaries (among others):
> 11.7 The ‘.netrc’ file
> The ‘.netrc’ file contains login and initialization information used
> by the auto-login process. It generally resides in the user's home
> directory, but a location outside of the home directory can be set
> using the environment variable ‘NETRC’. Both locations are overridden
> by the command line option ‘-N’. The selected file must be a regular
> file, or access will be denied.
It seems that the file is intended to be created manually (just like
~/.ssh/config), as it is not mentioned in mpv(1). mpv supports using
yt-dlp and ~/.netrc is mentioned in yt-dlp(1), though it does not look
like it would create the file either.
Note also that this entry is not present in any other profile (including
the ones that allow ~/.netrc).
Related commits:
* 5d741795c ("Use whitelisting for video players (#3472)", 2020-08-15)
* 8bf892d67 ("Fix missing mkfile in
5d741795c3", 2020-08-16)
This is a follow-up to #6732.
To reduce clutter in the user home.
This appears to be a legacy path and the relevant profiles already
create an XDG path as well:
mkdir ${HOME}/.local/share/pki
From nss 3.111[1]:
/**
* Return the path to user's NSS database.
* We search in the following dirs in order:
* (1) $HOME/.pki/nssdb;
* (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set;
* (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value).
* If (1) does not exist, then the returned dir will be set to either
* (2) or (3), depending if XDG_DATA_HOME is set.
*/
The XDG path has apparently been supported since nss 3.42, which was
released on 2019-01-25[2] [3] [4].
Misc: The original path was first added on commit 3a71eb2af ("added
mkdir in all whitelisted profiles", 2016-02-18) and the XDG path was
first added on commit 63c35052b ("Add '$HOME/.local/share/pki' to
blacklist", 2019-02-03).
Relates to #4262.
[1] https://github.com/nss-dev/nss/blob/NSS_3_111_RTM/lib/sysinit/nsssysinit.c#L64-L72
[2] https://github.com/nss-dev/nss/blob/NSS_3_42_RTM/lib/sysinit/nsssysinit.c#L65-L73
[3] 7f21d4f497
[4] https://github.com/nss-dev/nss/releases/tag/NSS_3_42_RTM
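As an added illustration (not nss's or firejail's code), the search order quoted above written out in Python, together with a check of whether a profile's `mkdir` lines cover the directory NSS will actually pick; the `${HOME}` expansion, the `exists` callback and the sample profile fragment are constructed for this example.

```python
import os

# Added illustration of the NSS search order quoted from nsssysinit.c; it is
# not nss's or firejail's code. The `exists` callback is injected so the
# resolution can be exercised without touching the real filesystem.
def nss_db_dir(home, xdg_data_home=None, exists=os.path.isdir):
    """Return the directory NSS resolves for the user's database."""
    legacy = os.path.join(home, ".pki", "nssdb")
    if exists(legacy):
        return legacy                                                # (1)
    if xdg_data_home:   # assumption: empty string counts as "not set"
        return os.path.join(xdg_data_home, "pki", "nssdb")           # (2)
    return os.path.join(home, ".local", "share", "pki", "nssdb")     # (3)


def mkdir_paths(profile_text, home):
    """Collect the directories created by a profile's `mkdir` lines, with
    the ${HOME} macro expanded (constructed, minimal parser)."""
    dirs = []
    for line in profile_text.splitlines():
        line = line.strip()
        if line.startswith("mkdir "):
            dirs.append(line[len("mkdir "):].strip().replace("${HOME}", home))
    return dirs


def profile_covers_nss_db(profile_text, home, xdg_data_home=None,
                          exists=lambda path: False):
    """True when one of the profile's mkdir directories contains the path
    NSS will actually use for the given environment."""
    target = nss_db_dir(home, xdg_data_home, exists)
    return any(target == d or target.startswith(d.rstrip("/") + "/")
               for d in mkdir_paths(profile_text, home))


# Constructed sample profile fragment mirroring the XDG mkdir line above.
SAMPLE_PROFILE = """\
# constructed sample, not a real firejail profile
mkdir ${HOME}/.local/share/pki
whitelist ${HOME}/.local/share/pki
"""
```

With `XDG_DATA_HOME` set, the resolved database lands outside the `${HOME}/.local/share/pki` directory the sample profile creates, which the last check reports.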
And use it in etc/inc/disable-X11.inc.
This allows printing a warning message from inside a profile.
Everything after the command is printed in a warning message as is (that
is, without macro expansion).
Example:
$ firejail --noprofile --include=/etc/firejail/disable-X11.inc true
Reading profile /etc/firejail/disable-X11.inc
Warning: /etc/firejail/disable-X11.inc:5: This file is deprecated; use disable-x11.inc (lowercase) instead.
Reading profile /etc/firejail/disable-x11.inc
[...]
Relates to #6294.
This is a follow-up to #6709.
Replace it with the current disable-x11.inc (lowercase) include.
See commit 0060b5105 ("profiles: rename disable-X11.inc to
disable-x11.inc (#6294)", 2024-03-27).
Commands used to search and replace:
$ git grep -Ilz 'disable-X11' -- etc/profile* | xargs -0 \
perl -pi -e 's/disable-X11/disable-x11/'
Relates to #6549 #6583 #6584 #6585 #6586 #6587 #6589 #6590.
Add the following files, which may be used to configure X clients:
* `~/.Xdefaults`
* `~/.Xdefaults-*` (`~/.Xdefaults-$(hostname)`)
* `~/.Xresources`
And block the following paths, which are intended for the X server:
* `~/.local/share/xorg` (rootless Xorg log directory)
* `/etc/X11/xinit`
* `/etc/X11/xorg.conf.d`
* `/var/log/Xorg.*` (default Xorg log path)
Note: ~/.Xdefaults is read directly by each application when it starts,
while ~/.Xresources is loaded once into the X root window with xrdb(1)
when starting the session, such as by a DE or directly in ~/.xinitrc.
Both use the same format and it appears that users are encouraged to use
~/.Xresources instead of ~/.Xdefaults but applications still try to read
~/.Xdefaults if it exists.
From xrdb(1):
> FILES
> Xrdb does not load any files on its own, but many desktop
> environments use xrdb to load ~/.Xresources files on session
> startup to initialize the resource database, as a generalized
> replacement for ~/.Xdefaults files.
See X(1), Xorg(1), xinit(1) and xrdb(1).
Instead of having a `notpm` command and potentially adding it to almost
all profiles (as few programs should need direct access to TPM devices),
add a `keep-dev-tpm` command and use it only in profiles that need
access to TPM devices.
Changes:
* Turn `notpm` command into `keep-dev-tpm` command
* Warn and ignore if `notpm` is used
* Block `/dev/tpm*` devices by default
* Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev`
is used)
Added on commit 001320226 ("feature: add notpm command & keep tpm
devices in private-dev (#6390)", 2024-07-09).
See also commit ee1c264c5 ("feature: block /dev/ntsync & add
keep-dev-ntsync command (#6660)", 2025-03-06) and the discussion at
PR #6660.
This is a follow-up to #6687.
This should clarify which commands do what (increase/reduce access) and
also make etc/templates/profile.template more consistent with
etc/profile-m-z/noprofile.profile.
This is a follow-up to #6660.
See also the discussion at [1].
[1] https://github.com/netblue30/firejail/pull/6660#discussion_r1975233984