Commit graph

4956 commits

Author SHA1 Message Date
dogknowsnx
b07e47ea59
profiles: blobby: allow lua (#7102)
Environment: `firejail version 0.9.79`.

Fixes error:

    $ firejail blobby
    Reading profile /etc/firejail/blobby.profile
    blobby: error while loading shared libraries: liblua5.2.so.5.2: cannot open shared object file: Permission denied
2026-03-14 02:49:57 +00:00
Kelvin M. Klann
09edc29b36
profiles: halloy: sort misc 2026-03-12 07:07:06 +00:00
Kelvin M. Klann
06a42773da
profiles: halloy: format misc 2026-03-12 07:05:52 +00:00
powerjungle
6755ec8aa0
profiles: new profile for halloy IRC client
https://halloy.chat
2026-03-11 20:18:15 +01:00
Kelvin M. Klann
09329b990f modif: replace --keep-hostname with new --hostname-randomize
Changes:

* Keep hostname by default (same as using `--keep-hostname`)
* Add `--hostname-randomize` command to randomize the hostname
* Ignore `--keep-hostname` command and print a warning if it is used

Setting a different hostname inside of the sandbox may prevent X11
programs from authenticating to the X server and displaying windows at
all (see #7062).

To avoid breakage, keep the hostname as is by default and only set it to
a random value if a new `hostname-randomize` command is used.

This also avoids potentially surprising behavior, as the user might not
expect the hostname to be changed inside of the sandbox, considering
that usually the protections that are applied by firejail involve
restricting access to resources (like file paths), rather than modifying
their values inside of the sandbox.

Fixes #7062

Relates to #7048 #7069.
2026-03-08 02:12:26 -03:00
pierretom
0a786af928 include the syscall header for the x32 ABI
Also add the new syscall `rseq_slice_yield` to the `@process` group.
2026-03-05 15:40:49 +01:00
pierretom
e9cccefe1d update all system call headers 2026-03-05 14:49:33 +01:00
pierretom
4d14e1da4b update for the gettimeofday syscall
- src/lib/syscall.c
  - Update the comment to also match `gettimeofday`
  - Sort the content of `@default-keep` by alphabetical order
- etc/templates/syscalls.txt
  - Update the Definition of groups
2026-03-02 09:40:12 +01:00
Kelvin M. Klann
c8a67075bf profiles: disable-common: sort list of terminal emulators
This amends commit cbf43089f ("update the list of terminal emulators
that can be used for sandbox escape", 2026-01-19).
2026-02-27 09:49:39 -03:00
Kelvin M. Klann
167a0ea74a Fix misc whitespace
Command used to check for whitespace errors:

    $ git diff --check 0.9.78..
2026-02-23 13:20:38 -03:00
Kelvin M. Klann
df75e45cfd profiles: add keep-hostname to noprofile.profile
Related to this, trying to open xorg programs stopped working on Arch
recently (even with `--profile=noprofile`), producing the following
error[1]:

    $ /usr/local/bin/thunderbird
    [...]
    Authorization required, but no authorization protocol specified

    Error: cannot open display: :0

    Parent is shutting down, bye...

The programs work if `--keep-hostname` is used.

The workaround was found quickly, but mostly by luck and guesswork, as
needing to use a profile command when even `--profile=noprofile` does
not work is counterintuitive and unexpected.

Related commits:

* cc8b019b5 ("--keep-hostname part 1 (#7048)", 2026-02-03)
* e31d872a5 ("profiles: add keep-hostname to profile.template",
  2026-02-11)

Relates to #7062.

[1] https://github.com/netblue30/firejail/issues/7062#issue-3943568845
2026-02-19 03:14:47 -03:00
Kelvin M. Klann
88652cdb38
profiles: firefox: add new ~/.config/mozilla dir (#7061)
Default directories in Firefox 146 and earlier:

* ~/.cache/mozilla  # cache files
* ~/.mozilla        # config and data

In Firefox 147[1]:

* ~/.cache/mozilla  # cache files
* ~/.config/mozilla # config and data

Note that the new location apparently contains the same files as in the
former location (including settings, bookmarks, extensions, etc).
That is, even though the new directory resides in `$XDG_CONFIG_HOME` /
~/.config, it is not solely used for program configuration as described
in the XDG Base Directory specification[2] and `$XDG_DATA_HOME` /
~/.local/share/mozilla is seemingly not used at all (see also the
discussion in the bug tracker[3]).

Commands used to search and replace:

    $ perl -pi -e 's/(.* )(\${HOME}\/\.mozilla)(.*)/$1\${HOME}\/.config\/mozilla$3\n$1$2$3/' \
      -- \
      etc/inc/*.inc \
      etc/profile*/*.profile \

Note: The entries in the following profiles were sorted manually:

* etc/inc/disable-common.inc
* etc/inc/disable-programs.inc
* etc/profile-a-l/keepassxc.profile
* etc/profile-a-l/krunner.profile
* etc/profile-m-z/seamonkey.profile

Relates to #7040.

[1] https://www.firefox.com/en-US/firefox/147.0/releasenotes/
[2] https://specifications.freedesktop.org/basedir/latest/
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=259356
2026-02-15 08:49:28 +00:00
Kelvin M. Klann
e46d9adcf1
profiles: fix allowing netcat (#7059)
disable-common.inc has these lines:

    blacklist ${PATH}/nc
    blacklist ${PATH}/nc.openbsd
    blacklist ${PATH}/nc.traditional
    blacklist ${PATH}/ncat

With openbsd-netcat on Artix, `/usr/bin/nc.openbsd` is symlinked to
`/usr/bin/nc`:

    $ pacman -Fl gnu-netcat openbsd-netcat | grep bin/nc
    gnu-netcat usr/bin/nc
    openbsd-netcat usr/bin/nc
    openbsd-netcat usr/bin/nc.openbsd
    $ realpath /usr/bin/nc.openbsd
    /usr/bin/nc

So `noblacklist ${PATH}/nc` is not enough, as
`blacklist ${PATH}/nc.openbsd` will follow the symlink to `/usr/bin/nc`
and still blacklist it.

To prevent `/usr/bin/nc` from being blacklisted,
`noblacklist ${PATH}/nc.openbsd` is also needed in this case.

To ensure that netcat is allowed, always `noblacklist` all netcat paths.

Fixes #6911.
2026-02-11 19:14:21 +00:00
Kelvin M. Klann
e31d872a51 profiles: add keep-hostname to profile.template
Put it together with the other `keep-` commands.

And move it to the allow section in libreoffice.profile.

Related commits:

* cc8b019b5 ("--keep-hostname part 1 (#7048)", 2026-02-03)
* fbc94070e ("adding keep-hostname to libreoffice.profile", 2026-02-11).

Relates to #7048.
2026-02-11 16:10:47 -03:00
netblue30
fbc94070ef adding keep-hostname to libreoffice.profile 2026-02-11 10:31:58 -05:00
netblue30
c13331305c adding apparmor profiles for --nettrace option 2026-02-11 09:17:22 -05:00
netblue30
46134f6972 added link-local addresses to 'nolocal' firewall configs (#7054) 2026-02-06 20:40:02 -05:00
netblue30
ca934a2ccd disable by default some of the systemd tools, more cleanup, and more testing 2026-02-04 07:34:07 -05:00
pierretom
f281d76f24 move other syscalls considered deprecated into @obsolete
`futimesat`, `gettimeofday`, `remap_file_pages`, `settimeofday`, `tkill` and `utime`.
2026-01-28 16:09:05 +01:00
pierretom
825fb24ff1 place some syscalls with access to a clock, used for time reading, theoretical resolution and sleep functions into @default-keep
Also move `stime` into `@obsolete`, see `man 2 stime`.
2026-01-28 13:11:23 +01:00
netblue30
3c44462b85
Merge pull request #7039 from pierretom/patch12
update system call groups - part 4
2026-01-27 10:33:29 -05:00
sofoxe1
b59005ccf0
profiles: vesktop: fix screen sharing (#7043) 2026-01-27 07:26:11 +00:00
pierretom
85625e46e6 add missing syscalls in groups 2026-01-24 15:11:49 +01:00
pierretom
f5e01fcc56 update system call groups - part 4
- Remove extra empty lines
- Definition of groups:
  - Add the two new groups `@memfd` and `@sandbox`
  - Add new syscalls
- Inheritance of groups:
  - Redraw it in a clearer form of groups and subgroups
  - Add the two new groups
  - Sort `@mount` and `@obsolete` groups by alphabetical order

This is the last part.
2026-01-22 16:21:01 +01:00
netblue30
cbf43089fb update the list of terminal emulators that can be used for sandbox escape 2026-01-19 09:35:08 -05:00
Kelvin M. Klann
2ba2f2d7a1 profiles: add deno paths
Add paths in the same places as nodejs/npm paths.

Deno is a JavaScript runtime and development tool similar to nodejs.

The following paths seem to be intended for downloading and caching
dependencies (and apparently also artifacts from .ts to .js compilation)
globally during development (as can be done with ~/.npm):

* ~/.cache/deno
* ~/.deno

Note that this commit makes these paths read-only (as npm dependencies
are usually executable code), which may potentially affect users of the
runtime (like yt-dlp).

Related commits:

* f2de86464 ("tentative fix for yt-dlp/javaScript deno profile (#6999)",
  2026-01-13)
2026-01-14 04:07:21 -03:00
Kelvin M. Klann
f3b2d2927d profiles: yt-dlp: reword misc
For clarity.

Related commits:

* f2de86464 ("tentative fix for yt-dlp/javaScript deno profile (#6999)",
  2026-01-13)
* d7f903b21 ("more on yt-dlp profile", 2026-01-13)
2026-01-13 22:41:57 -03:00
Kelvin M. Klann
5940f4c653 profiles: yt-dlp: sort noblacklist section
Related commits:

* 98492f4f3 ("refactor yt-dlp", 2023-03-09) / PR #5715
* f2de86464 ("tentative fix for yt-dlp/javaScript deno profile (#6999)",
  2026-01-13)
2026-01-13 22:31:55 -03:00
netblue30
26c8d60c60 whitespace 2026-01-13 12:15:58 -05:00
netblue30
d7f903b21d more on yt-dlp profile 2026-01-13 12:14:25 -05:00
netblue30
fa6bfd751e Merge pull request #7029 from KhoTeru/profile/zen-browser
New profiles: zen, zen-bin, zen-browser
2026-01-13 10:01:19 -05:00
netblue30
42411e9923 make sort-profiles 2026-01-13 09:56:37 -05:00
netblue30
f2de86464d tentative fix for yt-dlp/javaScript deno profile (#6999) 2026-01-13 09:49:39 -05:00
Teru
09e376dc51
New profiles: zen, zen-bin, zen-browser 2026-01-11 21:57:31 -05:00
netblue30
9882aa0bb2
Merge pull request #6996 from HybridDog/srb2_profile
new profile: srb2
2026-01-11 19:51:19 -05:00
Dmitriy Baranov
97871d7632 New profile: fragments
Fast, easy and free BitTorrent client (GTK4 GUI for transmission-daemon):
https://gitlab.gnome.org/World/Fragments

The profile is based on transmission-common and transmission-gtk profiles.
Only added dbus permissions and changed default paths.
2026-01-10 02:12:53 +03:00
StellariusOrion592
196de37df4
new profile: quakespasm (#7014)
QuakeSpasm is a modern multi-platform Quake source port designed as an
improved successor to GLQuake and FitzQuake. It aims to preserve the
classic gameplay and graphics while enhancing compatibility and
modernization.

https://sourceforge.net/projects/quakespasm
2026-01-02 18:19:03 +00:00
StellariusOrion592
fd76695fa4
new profile: gzdoom (#7010)
One of the profile requests lists GZDoom.

So create profiles for GZDoom and its variants: UZDoom and LZDoom.

GZDoom served as the primary port for several years after ZDoom was
discontinued.

UZDoom has now become the latest version targeting systems with modern
graphics hardware.

LZDoom is geared towards systems with legacy hardware.

All three profiles work.

https://zdoom.org
2025-12-31 19:34:10 +00:00
StellariusOrion592
7a52945182
new profile: openra (#7005)
OpenRA is an open source project that recreates and modernizes classic
real time strategy games, like Red Alert, Command & Conquer, and Dune
2000.

This profile works for all three AppImage editions of OpenRA: Red Alert,
Tiberium Dawn, and Dune 2000.

https://www.openra.net
2025-12-30 20:14:57 +00:00
Kelvin M. Klann
170519d83d profiles: libreoffice: sort noblacklist section
This amends commit 4ce422bfd ("libreoffice.profile update", 2025-12-27).
2025-12-28 09:14:43 -03:00
netblue30
4ce422bfdb libreoffice.profile update 2025-12-27 10:26:49 -05:00
Kelvin M. Klann
a0770eb333 profiles: run sort.py to fix ci
Command used:

    $ ./ci/check/profiles/sort.py etc/inc/*.inc etc/profile-*/*.profile

This amends commit a98a1d281 ("bwrap replacement - part 6 - allow
/lib/libexec", 2025-12-20).
2025-12-20 18:23:27 -03:00
netblue30
a98a1d2816 bwrap replacement - part 6 - allow /lib/libexec 2025-12-20 12:27:12 -05:00
Kelvin M. Klann
e4294defd8 build: remove remnants of overlayfs/--overlay
Remove what remains of the overlayfs support, `--overlay` commands and
the `--enable-overlayfs` configure option.

Commands:

* `--overlay`
* `--overlay-named=`
* `--overlay-clean`
* `--overlay-tmpfs`

firejail.config:

* `overlayfs`

Related commits:

* 489cc25c2 ("cleaned up old overlayfs code; the feature was disabled by
  default in 2021 because of security problems", 2025-12-16).
* b537aa57b ("fixed /sys mounting broken during overlayfs cleanup",
  2025-12-18)

Relates to #6994.

Note: Code with `RUN_OVERLAY_ROOT` / `oroot` is left as is, since it
seems to also be used by `--chroot`:

    $ git grep -E '[^n]oroot'
    etc/apparmor/firejail-default:# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
    etc/apparmor/firejail-default:# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix,"
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
    etc/apparmor/firejail-default:#/{,run/firejail/mnt/oroot/}home/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
    src/firejail/chroot.c:  // create /run/firejail/mnt/oroot
    src/firejail/chroot.c:  char *oroot = RUN_OVERLAY_ROOT;
    src/firejail/chroot.c:  if (mkdir(oroot, 0755) == -1)
    src/firejail/chroot.c:  // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
    src/firejail/chroot.c:  if (bind_mount_fd_to_path(parentfd, oroot))
    src/firejail/chroot.c:          errExit("mounting rootdir oroot");
    src/firejail/chroot.c:  if (chroot(oroot) < 0)
    src/include/rundefs.h:#define RUN_OVERLAY_ROOT          RUN_MNT_DIR "/oroot"
2025-12-19 16:35:02 -03:00
Kelvin M. Klann
381c3cf1a3 build: remove remnants of IDS/fids
Remove what remains of the Intrusion Detection System (IDS)/fids,
`--ids` commands and the `--enable-ids` configure option.

Commands:

* `--ids-check`
* `--ids-init`

Related commits:

* 5e962ff78 ("removed IDS feature, it was never enabled by default in
  our builds", 2025-12-17)

Relates to #6995.
2025-12-19 15:24:37 -03:00
Kelvin M. Klann
6804120894 ci: run sort.py to fix ci
Command used:

    $ ./ci/check/profiles/sort.py etc/inc/*.inc etc/profile-*/*.profile

Related commits:

* 411b97fdc ("profile fixes: allow bwrap inside the sandbox",
  2025-12-18)
* bb5c1391c ("added gnome-text-editor profile", 2025-12-19)
2025-12-19 15:23:17 -03:00
HybridDog
6416bdbe4c remove the whitelist-run-common.inc as it reduces FPS significantly 2025-12-19 17:53:40 +01:00
HybridDog
f371436053 fix mistake in private-etc and add whitelist includes 2025-12-19 17:35:02 +01:00
HybridDog
dfed639485 Add a profile for srb2
Sonic Robo Blast 2 is implemented in C, occasionally crashes with memory
access errors and has a multiplayer mode with insecure network traffic,
so I think it's a good candidate for sandboxing.
2025-12-19 16:57:13 +01:00
netblue30
b00ff53fe0 gnome-text-editor 2025-12-19 10:29:02 -05:00