[GH-ISSUE #6688] Cannot block keyboard/mouse input (multiseat) #3336

Closed
opened 2026-05-05 09:55:21 -06:00 by gitea-mirror · 3 comments

Originally created by @Sx1Fl0NdqlkM6N4s2pswXKUI0k9FKTaOckLbNXu on GitHub (Mar 23, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6688

Description

Adding keyboard or mouse to blacklist doesn't work.

Steps to Reproduce

```sh
firejail --noprofile --blacklist="/dev/input/*" \
  --blacklist="/dev/input/by-id/*" \
  --blacklist="/dev/input/by-path/*" \
  --blacklist="/dev/input/event*" application
```

or pointing out devices individually, or using --noinput flag also shows no results.

Additional context

I'd assume it's an intended feature for most users, with no way to turn it off.
My use-case is a multiseat setup where kb&m inputs won't be sent to all selected windows.

Checklist

- [x] The issue is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
- [x] I can reproduce the issue without custom modifications (e.g. globals.local).
- [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
- [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
- [x] I have performed a short search for similar issues (to avoid opening a duplicate).
- [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)
gitea-mirror closed this issue and added the notabug label 2026-05-05 09:55:21 -06:00

@rusty-snake commented on GitHub (Mar 23, 2025):

> firejail --noprofile --blacklist="/dev/input/" --blacklist="/dev/input/by-id/" --blacklist="/dev/input/by-path/" --blacklist="/dev/input/event" application

What did you expect to happen?

How did you check? If blacklisting does not work, this would be a security problem. But I don't believe so.

Note that neither GUI nor TUI programs read raw kb/m input from device files.


@Sx1Fl0NdqlkM6N4s2pswXKUI0k9FKTaOckLbNXu commented on GitHub (Mar 23, 2025):

> What did you expect to happen?

Formatting has eaten the stars after every directory.
I was simply blacklisting every found device, hoping something would block the keyboard and mouse, because pointing them out individually didn't work (i.e. --blacklist=/dev/input/by-id/usb-0000_USB_OPTICAL_MOUSE-event-mouse --blacklist= /dev/input/by-id/usb-0000_USB_OPTICAL_MOUSE-mouse).

I assume it's the correct way to blacklist a device, as those are the examples I've seen, and disabling game controllers and similar worked as expected.

> Note that neither GUI nor TUI programs read raw kb/m input from device files.

I don't know about any of this; I use firejail purely as enable/disable device software.


@kmk3 commented on GitHub (Mar 24, 2025):

> My use-case is a multiseat setup where kb&m inputs won't be sent to all
> selected windows.

> I was simply blacklisting every found device, hoping something would block
> keyboard and a mouse, because pointing them individually didn't work

> I assume it's correct way to blacklist a device, as that's the examples I've
> seen, and disabling game controllers and similar worked as expected.

As mentioned by @rusty-snake, programs don't simply get raw access to
keyboard/mouse devices (unlike in some cases with gamepads).

Programs usually just listen and respond to key presses, which is mainly
mediated by xorg/wayland (or something nearby in the stack).

So you'd probably have to try configuring things at that level.

Maybe you can allocate specific devices to specific users with xorg, but I'm
not familiar with that.

Anyway, I don't think that this can be solved with firejail since these device
paths are usually handled by something else and firejail effectively runs on
top of it.
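
A way to answer the "how did you check?" question from inside the sandbox, as an added example that is not part of the original thread: the script reports which raw input nodes are still readable and which display-server endpoints are reachable. The function names `input_exposure` and `input_verdict` and their optional directory arguments are made up for this example.

```shell
#!/bin/sh
# Added example: list the input paths a sandboxed process can still reach.
# Function names and the optional directory arguments are hypothetical;
# the defaults are the usual Linux locations.

# Print one line per reachable path: "raw <node>" or "display <endpoint>".
input_exposure() {
    dev_dir=${1:-/dev/input}
    x11_dir=${2:-/tmp/.X11-unix}
    run_dir=${3:-${XDG_RUNTIME_DIR:-/run/user/$(id -u)}}

    # Raw device nodes: the only thing --blacklist=/dev/input/* can affect.
    # A blacklisted node may still exist but is not readable, so test -r.
    for node in "$dev_dir"/event* "$dev_dir"/mouse* "$dev_dir"/mice "$dev_dir"/js*; do
        [ -e "$node" ] && [ -r "$node" ] && echo "raw $node"
    done

    # Display-server endpoints: where GUI programs normally get key presses
    # and pointer events. -e rather than -S so plain test files also count.
    for sock in "$x11_dir"/X[0-9]* "$run_dir"/wayland-[0-9]*; do
        case $sock in *.lock) continue ;; esac
        [ -e "$sock" ] && echo "display $sock"
    done
    return 0
}

# Collapse the listing into one word: raw+display, raw-only, display-only, none.
input_verdict() {
    listing=$(input_exposure "$@")
    raw=no
    display=no
    if printf '%s\n' "$listing" | grep -q '^raw '; then raw=yes; fi
    if printf '%s\n' "$listing" | grep -q '^display '; then display=yes; fi
    case $raw$display in
        yesyes) echo raw+display ;;
        yesno)  echo raw-only ;;
        noyes)  echo display-only ;;
        *)      echo none ;;
    esac
}

# Print the verdict for the environment this script is running in.
input_verdict "$@"
```

Run it once normally and once under the same `firejail --noprofile --blacklist=...` options; `display-only` inside the sandbox means the device nodes are blocked and input is still arriving through the display server, which is the situation kmk3 describes.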
