Put it together with the other `keep-` commands.
And move it to the allow section in libreoffice.profile.
Related commits:
* cc8b019b5 ("--keep-hostname part 1 (#7048)", 2026-02-03)
* fbc94070e ("adding keep-hostname to libreoffice.profile", 2026-02-11).
Relates to #7048.
- Remove extra empty lines
- Definition of groups:
- Add the two new groups `@memfd` and `@sandbox`
- Add new syscalls
- Inheritance of groups:
- Redraw it in a clearer form of groups and subgroups
- Add the two new groups
- Sort `@mount` and `@obsolete` groups by alphabetical order
This is the last part.
Add paths in the same places as nodejs/npm paths.
Deno is a javascript runtime and development tool similar to nodejs.
The following paths seem to be intended for downloading and caching
dependencies (and apparently also artifacts from .ts to .js compilation)
globally during development (as can be done with ~/.npm):
* ~/.cache/deno
* ~/.deno
Note that this commit makes these paths read-only (as npm dependencies
are usually executable code), which may potentially affect users of the
runtime (like yt-dlp).
Related commits:
* f2de86464 ("tentative fix for yt-dlp/javaScript deno profile (#6999)",
2026-01-13)
Fast, easy and free BitTorrent client (GTK4 GUI for transmission-daemon):
https://gitlab.gnome.org/World/Fragments
The profile is based on transmission-common and transmission-gtk profiles.
Only added dbus permissions and changed default paths.
QuakeSpasm is a modern multi-platform Quake source port designed as an
improved successor to GLQuake and FitzQuake. It aims to preserve the
classic gameplay and graphics while enhancing compatibility and
modernization.
https://sourceforge.net/projects/quakespasm
One of the profile requests lists GZDoom.
So create profiles for GZDoom and its variants: UZDoom and LZDoom.
GZDoom served as the primary port for several years after ZDoom was
discontinued.
UZDoom has now become the latest version targeting systems with modern
graphics hardware.
LZDoom is geared towards systems with legacy hardware.
All three profiles work.
https://zdoom.org
OpenRA is an open source project that recreates and modernizes classic
real time strategy games, like Red Alert, Command & Conquer, and Dune
2000.
This profile works for all three AppImage editions of Openra: Red Alert,
Tiberium Dawn, and Dune 2000.
https://www.openra.net
Remove what remains of the overlayfs support, `--overlay` commands and
the `--enable-overlayfs` configure option.
Commands:
* `--overlay`
* `--overlay-named=`
* `--overlay-clean`
* `--overlay-tmpfs`
firejail.config:
* `overlayfs`
Related commits:
* 489cc25c2 ("cleaned up old overlayfs code; the feature was disabled by
default in 2021 because of security problems", 2025-12-16).
* b537aa57b ("fixed /sys mounting broken during overlayfs cleanup",
2025-12-18)
Relates to #6994.
Note: Code with `RUN_OVERLAY_ROOT` / `oroot` is left as is, since it
seems to also be used by `--chroot`:
$ git grep -E '[^n]oroot'
etc/apparmor/firejail-default:# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
etc/apparmor/firejail-default:# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix,"
etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
etc/apparmor/firejail-default:#/{,run/firejail/mnt/oroot/}home/** ix,
etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
src/firejail/chroot.c: // create /run/firejail/mnt/oroot
src/firejail/chroot.c: char *oroot = RUN_OVERLAY_ROOT;
src/firejail/chroot.c: if (mkdir(oroot, 0755) == -1)
src/firejail/chroot.c: // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
src/firejail/chroot.c: if (bind_mount_fd_to_path(parentfd, oroot))
src/firejail/chroot.c: errExit("mounting rootdir oroot");
src/firejail/chroot.c: if (chroot(oroot) < 0)
src/include/rundefs.h:#define RUN_OVERLAY_ROOT RUN_MNT_DIR "/oroot"
Remove what remains of the Intrusion Detection System (IDS)/fids,
`--ids` commands and the `--enable-ids` configure option.
Commands:
* `--ids-check`
* `--ids-init`
Related commits:
* 5e962ff78 ("removed IDS feature, it was never enabled by default in
our builds", 2025-12-17)
Relates to #6995.
Sonic Robo Blast 2 is implemented in C, occasionally crashes with memory
access errors and has a multiplayer mode with insecure network traffic,
so I think it's a good candidate for sandboxing.
