[GH-ISSUE #4565] Block audio input in default.profile (like with video input) #2709

Open
opened 2026-05-05 09:22:07 -06:00 by gitea-mirror · 8 comments

Originally created by @vinc17fr on GitHub (Sep 21, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4565

Description

The intent of commit ee7b466576 is to block input devices in the default profile. For instance, with this commit, the webcam (via /dev/video*) is no longer available. But the microphone is still available. This is not consistent and may give a false sense of security.

Steps to Reproduce

  1. firejail --ignore=read-only --noblacklist='${HOME}/*' --private=some_dir zsh
  2. Run an app with audio and video input, like the Zoom client (or audacity for audio recording).

Expected behavior

Since the webcam is not available by design, microphones should not be available either.

Note: #1769 suggests to use the nosound option, but it is still commented out in default.profile, contrary to novideo.

Actual behavior

The webcam is not available, but the internal microphone of my machine is working.

Behavior without a profile

N/A (the point is the behavior of the default profile, which now has noinput and novideo, in particular).

Environment

  • Debian/unstable on x86_64
  • Firejail version (firejail --version): 0.9.66 (Debian package firejail 0.9.66-2)

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of firejail --ignore=read-only --noblacklist='${HOME}/*' --private=fj-dir zsh

Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file

** Note: you can use --noprofile to disable default.profile **

Parent pid 2913249, child pid 2913250
Child process initialized in 52.92 ms

gitea-mirror added the enhancement label 2026-05-05 09:22:07 -06:00

@rusty-snake commented on GitHub (Sep 21, 2021):

> Note: #1769 suggests to use the nosound option, but it is still commented out in default.profile, contrary to novideo.

Because nosound means no-sound, i.e. no sound input but also no sound output. As much as I would like to see it, there is currently no good way to block only the audio input, AFAIK. If we used nosound by default in default.profile, it would break the sound output for all programs without a profile (browsers, video players, audio players, games, ...).

Some stats:
non-redirect profiles total: 658
non-redirect profiles with nosound: 342
non-redirect profiles without nosound: 316

So around half of the profiles don't use nosound, while for novideo only one fifth of the profiles don't use it (stats: 658, 515, 143). IMHO this would break too many applications by default. If this is important for you, you can add it to your default.local. However, if blocking microphone access (which is BTW more a privacy issue than a security issue IMHO) is so important for you, you should block it at a higher point (PA/PW/JACK/Kernel/UEFI/HW).

Commands used for stats:

```bash
# total: files under /etc/firejail that are not redirect profiles
grep -L "^# Redirect" /etc/firejail/* | wc -l
# with nosound: non-redirect files that contain a "nosound" line
grep -l "^nosound" $(grep -L "^# Redirect" /etc/firejail/*) | wc -l
# without nosound: non-redirect files that contain no "nosound" line
grep -L "^nosound" $(grep -L "^# Redirect" /etc/firejail/*) | wc -l
```
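An added example, not from the thread or the firejail project, that recomputes the nosound stats above over a constructed directory instead of /etc/firejail. It restricts the count to *.profile files, because the glob /etc/firejail/* also matches the *.inc and config files that live in that directory, and shows the difference against the naive count (file names and contents are made up for the demo).

```shell
#!/bin/sh
# Constructed stand-in for /etc/firejail: four profiles (one of them a
# redirect profile) plus two non-profile files that the naive glob picks up.
make_demo_dir() {
    dir=$(mktemp -d)
    printf '%s\n' 'include disable-common.inc' 'nosound' 'novideo' > "$dir/a.profile"
    printf '%s\n' 'include disable-common.inc' 'novideo'           > "$dir/b.profile"
    printf '%s\n' '# Redirect' 'include a.profile'                 > "$dir/c.profile"
    printf '%s\n' 'nosound'                                        > "$dir/d.profile"
    printf '%s\n' 'blacklist /dev/snd'   > "$dir/disable-common.inc"  # not a profile
    printf '%s\n' 'nosound'              > "$dir/firejail.config"     # not a profile
    printf '%s\n' "$dir"
}

# Naive total as in the original command: every file in the directory that
# is not a redirect profile, so *.inc and *.config are counted too.
naive_total() {
    grep -L '^# Redirect' "$1"/* | wc -l | tr -d ' '
}

# Print "total with without" for non-redirect *.profile files in $1.
profile_stats() {
    total=0
    with=0
    for f in "$1"/*.profile; do
        # Skip redirect profiles, as the original stats did.
        if grep -q '^# Redirect' "$f"; then continue; fi
        total=$((total + 1))
        if grep -q '^nosound' "$f"; then with=$((with + 1)); fi
    done
    printf '%s %s %s\n' "$total" "$with" "$((total - with))"
}

main() {
    d=$(make_demo_dir)
    echo "naive total (all files):      $(naive_total "$d")"  # 5
    echo "total/with/without (profiles): $(profile_stats "$d")" # 3 2 1
    rm -rf "$d"
}
main
```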

@vinc17fr commented on GitHub (Sep 21, 2021):

> Because nosound means no-sound i.e. no sound input but also no sound output. As much as I would like to see it, there is currently no good way to block only the audio input, AFAIK.

Then perhaps there should be a request to make this possible (at the Linux kernel level?).

> However block if microphone access (which is BTW more a privacy issue than a security issues IMHO) is such important for you, you should block it at a higher point (PA/PW/JACK/Kernel/UEFI/HW).

The point is to block it only in firejailed applications (by default).


@rusty-snake commented on GitHub (Sep 21, 2021):

> Then perhaps there should be a request to make this possible (at the Linux kernel level?).

The kernel is fine; it is the pulseaudio protocol which says all or nothing. I'm not sure about jack. PipeWire was even developed with such isolation in mind, however it will take some time until it is supported by libraries and used by distributions (yes, fedora 34 uses pipewire as default, however the communication still uses the pa protocol).


@rusty-snake commented on GitHub (Oct 9, 2021):

Anyone? How should we proceed here?


@kmk3 commented on GitHub (Oct 12, 2021):

I wonder if it would be enough to set audio devices on /dev to write-only (i.e.: bind-mount them without read permissions). It might work for at least ALSA and sndio; not sure about the rest.

If it does, I suppose that something like a nosoundinput (or maybe noinput-sound) command could be added.


@rusty-snake commented on GitHub (Oct 12, 2021):

> not sure about the rest.

For PA, no (unless you make it systemwide).

> nosoundinput

nomic(rophone)


@ilikenwf commented on GitHub (Oct 12, 2024):

I'd love to see something like this as well... some chat applications... I don't trust for anything but text chat, and while they can have media embeds, I can't play them in-application due to this because I use noaudio and novideo....


@ghost commented on GitHub (Feb 2, 2026):

Related: https://github.com/netblue30/firejail/issues/7053
