Move it from `run_cmd_and_exit()` to right after the --quiet/--debug
checks.
This simplifies the sandbox check code by removing its own --version
check.
See also commit 5cd597e5d ("fix --version", 2016-06-28).
This is a follow-up to #6969.
The check for an existing sandbox (and running `run_no_sandbox()` if
applicable) must be done before calling `checkcfg()`, since if
`private-etc` is already in effect, running firejail again will abort at
`checkcfg()`, as /etc/firejail/firejail.config will not be accessible
(see #6966).
This is a follow-up to #6969.
Relates to #2877#6878#6951#6966.
Kind of relates to #6592.
Parse them as early as possible (after dropping permissions, etc), as
`checkcfg()` checks for `arg_debug` (for example).
Relates to #6878#6951.
Kind of relates to #6579.
And add it to the bug report template checklist.
To avoid potential issues due to firejail-in-firejail.
Commands used to search and replace:
perl -pi -e '
s/(firejail)( .*)? (blobby|dig|firefox|galculator|gedit|gimp|handbrake|icecat|iceweasel|mc|openbox|transmission|vlc|warzone2100|wget|xed|xterm)/$1$2 \/usr\/bin\/$3/;
' README.md src/firejail/usage.c src/man/*.in
perl -pi -e 's/^\s*(firefox \\?-)/\/usr\/bin\/$1/' \
src/man/firejail.1.in
Note: Some parts were edited manually.
Note: Most tests still use the program basename.
Relates to #2877.
To avoid wasting time due to (for example):
* Bugs that were already fixed
* Old versions with different/missing verbosity in the output
* Behavior that only affects (or differs in) old versions
* Copying and pasting profile lines which contain commands that are
unsupported in old versions (or that depend on other changes to
profiles in the current version)
This is a follow-up to #6964.
Changes:
* Format
* Quote URL
* Use `&&` where applicable
* Use parallel make
Kind of relates to commit 500d8f2d6 ("ci: run make in parallel where
applicable", 2023-08-14) / PR #5960.
This script fetches current system calls from kernel sources then extracts and
installs them in the src/include directory.
Syscalls can be updated by regenerating them, ideally once before each release.
contrib/syntax/lists/syscalls.list is synchronized too.
It generates also etc/templates/new_syscalls.txt, this makes it easier to update
groups and to inform users about new syscalls added.
The script must reside in the src/tools directory and requires the cURL CLI program.
It still timeouts randomly, even with the changes from commit b613c3062
("tests: man: fix timeout error (#6949)", 2025-10-29).
When the test passes, the relevant commands appear to execute in less
than a second.
Log from a successful run of test-network on commit f5d82cc58 ("feature:
add env-max-count / env-max-len to firejail.config (#6951)",
2025-11-01)[1]:
2025-11-01T13:57:55.6533345Z /usr/bin/man
2025-11-01T13:57:55.6533649Z TESTING: man
2025-11-01T13:57:55.6564238Z spawn /bin/bash
2025-11-01T13:57:57.1602002Z rm -f /tmp/t
2025-11-01T13:57:57.1612808Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$ rm -f /tmp/t
2025-11-01T13:57:57.1613686Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$
2025-11-01T13:57:57.1614509Z <st/sysutils$ firejail /usr/bin/man firecfg > /tmp/t
2025-11-01T13:57:57.1615014Z runner@runnervmxu1zt:~/work/firejail/firejail/test/sysutils$ cat /tmp/t
2025-11-01T13:57:57.1615466Z FIRECFG(1) firecfg man page FIRECFG(1)
2025-11-01T13:57:57.1615727Z
2025-11-01T13:57:57.1615799Z NAME
2025-11-01T13:57:57.1616119Z Firecfg - Desktop integration utility for Firejail software.
[...]
2025-11-01T13:57:57.1627646Z OPTIONS
2025-11-01T13:57:57.1627819Z --add-users user [user]
2025-11-01T13:57:57.7620833Z
2025-11-01T13:57:57.7621314Z all done
2025-11-01T13:57:57.7621564Z
2025-11-01T13:57:57.7634133Z /usr/bin/wget
2025-11-01T13:57:57.7634892Z TESTING: FIXME: wget
Misc: It seems that the last commit to disable a test in this manner was
commit 7e91a0414 ("tests: disable broken wget tests in utils/sysutils",
2023-08-28).
[1] https://github.com/netblue30/firejail/actions/runs/18997725218/job/54259933026
Replace the hardcoded `MAX_ENVS` and `MAX_ENV_LEN` limits with new
global configuration options, `env-max-count` and `env-max-len`, which
limit the maximum number of environment variables and the maximum length
of each environment variable (respectively).
Also, include the environment name and value in the "too long
environment variable" error message, similarly to the "too long
argument" error message (see PR #4676 and PR #5677).
This is a follow-up to #6878.
Closes#3678.
Replace the hardcoded `MAX_ARGS` and `MAX_ARG_LEN` limits with new
global configuration options, `arg-max-count` and `arg-max-len`, which
limit the maximum number of command-line arguments and the maximum
length of each argument (respectively).
Closes#4633.
Co-authored-by: Kelvin M. Klann <kmk3.code@protonmail.com>
For a long time there have been intermittent failures in CI when trying
to open the firejail man page with `man`[1]:
2025-08-05T14:15:03.2742048Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$ rm -f /tmp/t
2025-08-05T14:15:03.2742725Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$
2025-08-05T14:15:03.2743522Z <ejail/test/sysutils$ firejail man firejail > /tmp/t
2025-08-05T14:15:03.2743913Z cat /tmp/t
2025-08-05T14:15:03.5645359Z troff: <standard input>:89: warning [p 2, 2.3i]: cannot adjust line
2025-08-05T14:15:03.5862718Z troff: <standard input>:3738: warning [p 40, 11.8i]: cannot adjust line
2025-08-05T14:15:13.5920525Z runner@pkrvm76nib4usnx:~/work/firejail/firejail/test/sysutils$ TESTING ERROR 0
It seems to happen due to a timeout, so use the firecfg man page
instead, as that results in over 10 times less lines in the output and
thus should be less likely to cause issues:
$ man src/man/firejail.1.in | wc -l
3057
$ man src/man/firecfg.1.in | wc -l
184
Also, use the full path to `man` just in case.
[1] https://github.com/netblue30/firejail/actions/runs/16752574198/job/47426439265
Note: We ship a file in this directory since commit 16afd8c8e ("Add
basic gtksourceview language-spec (#5502)", 2022-12-04)
This is a follow-up to #6909.
Allow the folder that Day of the Tentacle Remastered uses to store save
files. Without adding them in the steam profile, save states don't work
in the game (or it didn't even start, don't remember exactly).
See https://www.pcgamingwiki.com/wiki/Day_of_the_Tentacle_Remastered
Probably it would also allow save games for other games done by
doublefine (https://store.steampowered.com/developer/doublefine), but I
have no other game from them and I have not checked it.
Clarify that even though Unix sockets are an IPC mechanism, IPC
namespaces do not affect them (see ipc_namespaces(7)).
Relates to #6928.
Reported-by: @tupo2
The start-mullvad-browser script uses readlink and realpath when
it is a symlink, so these need to be included as part of private-bin,
or the following error dialog appears, and the browser fails to start:
start-mullvad-browser cannot be run using a symlink on this operating system.
This problem is observed using Mullvad Browser 14.5.7 as packaged
for Fedora 42.
Repo: https://repository.mullvad.net/rpm/stable/mullvad.repo
Fedora script path: /usr/lib/mullvad-browser/start-mullvad-browser
Upstream: 2f802636b8/projects/browser/RelativeLink/start-browser (L202-207)
This directory is part of the gtk4 package (version 1:4.20.1-1) on Artix
Linux.
Add it just in case, as wusc already contains the same analogous paths
for gtk2 and gtk3.
This is a follow-up to #6907.
This is apparently needed by glycin/gdk-pixbuf2, which is used by many
programs, such as Firefox and GIMP.
Relates to #6906.
Reported-by: @myrslint
Suggsted-by: @myrslint
