[GH-ISSUE #2203] Consider keeping /dev/input/js0 (joystick device) with --private-dev #1474

Closed
opened 2026-05-05 08:08:26 -06:00 by gitea-mirror · 8 comments

Originally created by @iskunk on GitHub (Oct 18, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2203

I've been testing a game application in Firejail. It works great with `--private-dev`, except that it cannot see my correctly-functioning USB gamepad.

The standard device location for a joystick in Linux is `/dev/input/js0`. I don't know if bringing in all of `/dev/input/` is desirable (this would include items like `/dev/input/mouse0`), but at least `/dev/input/js*` seems reasonable.


@SkewedZeppelin commented on GitHub (Oct 18, 2018):

See #1446

Here is also a cleaned version of your profile
[citra-qt.profile.txt](https://github.com/netblue30/firejail/files/2490490/citra-qt.profile.txt)


@iskunk commented on GitHub (Oct 18, 2018):

If `--private-dev` is ever extended to allow specifying additional devices, it'll need to allow devices in subdirectories (`input/js0`).

I'm not sure that I understand the edits you made to the profile. By dropping the `mkdir` and `whitelist` directives, the config directories are not created on first run, and config files are not saved to the real homedir. And I believe those `noblacklist` directives will print a warning as there are no corresponding `blacklist` entries in the include files.


@SkewedZeppelin commented on GitHub (Oct 18, 2018):

> I'm not sure that I understand the edits you made to the profile.

Emulators need ROM files and what not yea? As is yours would *only* allow loading them from `.config/citra-emu`, `.local/share/citra-emu`, and any other drives. Access to home would be blocked. So I switched it from whitelist to blacklist.

`machine-id` also breaks sound via pulseaudio in many cases, which is why I removed that too.

> And I believe those noblacklist directives will print a warning

As is yes, but they would be added to disable-programs.inc on merge.

If the one I uploaded works, I can either commit it in your name/email or you can make a PR with it.


@iskunk commented on GitHub (Oct 18, 2018):

There's no standard directory for Citra game ROMs, however. That would need to be specified by the user, perhaps in a command-line option. `machine-id` is a good point, however, as I use ALSA directly.

I'll give this a try and report back my findings soon.


@iskunk commented on GitHub (Oct 18, 2018):

The modified profile does allow the program to run, but now the majority of the home directory is open to reading and writing, which I was wanting to avoid (not least as Citra implements network multiplayer functionality and so in theory could be compromised that way).

Isn't it feasible for the user to specify to Firejail the directory that contains the game ROMs?


@SkewedZeppelin commented on GitHub (Oct 18, 2018):

> Isn't it feasible for the user to specify to Firejail the directory that contains the game ROMs?

We generally try to make default profiles work out of the box and ensure usability for the majority. All of the other emulators we ship profiles for are blacklist as well.

> Citra implements network multiplayer

Is multiplayer used enough to justify network access by default? If not we can ship with `net none` which will help with the concern of access to home.


@iskunk commented on GitHub (Oct 18, 2018):

> We generally try to make default profiles work out of the box and ensure usability for the majority. All of the other emulators we ship profiles for are blacklist as well.

Okay... I guess this would be fine to add to the set of profiles, then, though I myself would continue to use the stricter original.

> Is multiplayer used enough to justify network access by default? If not we can ship with `net none` which will help with the concern of access to home.

I don't know, to be honest; I'm an outsider to the Citra community. That said, the functionality is fairly prominent in the GUI, and multiplayer 3DS gaming sessions tend to be a common sight at fan conventions...


@adrianlshaw commented on GitHub (Jan 18, 2020):

> The standard device location for a joystick in Linux is /dev/input/js0. I don't know if bringing in all of /dev/input/ is desirable (this would include items like /dev/input/mouse0), but at least /dev/input/js* seems reasonable.

I'd also like this feature. Is /dev/input/js* sufficient? I'm trying to get a controller working with another application but this doesn't seem to be enough.
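
An added example, not code from this thread or from Firejail: the kernel's `/proc/bus/input/devices` lists the handler nodes of every input device, so it shows which `/dev/input` nodes belong to a controller (`jsN` plus the evdev `eventN` node registered alongside it, which evdev-based applications read) and which belong to the keyboard and mouse. The function names and the embedded device entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the /proc/bus/input/devices format
# (device names and handler numbers are made up for illustration).
sample_devices() {
cat <<'EOF'
I: Bus=0011 Vendor=0001 Product=0001 Version=ab41
N: Name="AT Translated Set 2 keyboard"
H: Handlers=sysrq kbd event3 leds

I: Bus=0003 Vendor=0000 Product=0000 Version=0111
N: Name="Example USB Mouse"
H: Handlers=mouse0 event5

I: Bus=0003 Vendor=0000 Product=0000 Version=0111
N: Name="Example USB Gamepad"
H: Handlers=event17 js0
EOF
}

# classify_input_nodes [FILE]   (hypothetical helper; "-" reads stdin)
# Prints "joystick <node>" for each /dev/input node of a device that has a
# jsN handler, and "other <node>" for the nodes of every other device.
classify_input_nodes() {
    awk '
    /^H: Handlers=/ {
        sub(/^H: Handlers=/, "")            # $0 is re-split into fields
        kind = ($0 ~ /(^| )js[0-9]+( |$)/) ? "joystick" : "other"
        for (i = 1; i <= NF; i++)
            # kbd, sysrq, leds are handlers without a /dev/input node
            if ($i ~ /^(js|event|mouse)[0-9]+$/)
                print kind, "/dev/input/" $i
    }' "${1:-/proc/bus/input/devices}"
}

# Nodes a sandbox would need for the controller and nothing else.
joystick_nodes() {
    classify_input_nodes "$@" | awk '$1 == "joystick" { print $2 }' | sort
}

# Demo on the constructed sample; on a live system call
# classify_input_nodes with no argument.
sample_devices | classify_input_nodes -
```

Nodes reported as `other` carry keyboard and mouse events, which is the reason for not exposing all of `/dev/input/` to the sandbox.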

Reference: github-starred/firejail#1474