[GH-ISSUE #498] "generic.profile" vs "default.profile" ambiguity #349

New issue

Closed

opened 2026-05-05 05:39:11 -06:00 by gitea-mirror · 20 comments

gitea-mirror commented 2026-05-05 05:39:11 -06:00

Owner

Copy link

Originally created by @vn971 on GitHub (May 3, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/498

Please fix the ambiguity in either of the two directions.

Currently, firejail does ship a generic.profile file, and uses it when possible. On the other hand, firejail-profile manual says it will look for default.profile and server.profile files.

I find default.profile to be a better name, but generic is used already, so I guess I fully leave the choice to the author..

Originally created by @vn971 on GitHub (May 3, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/498 Please fix the ambiguity in either of the two directions. Currently, firejail does ship a `generic.profile` file, and uses it when possible. On the other hand, `firejail-profile` manual says it will look for `default.profile` and `server.profile` files. I find `default.profile` to be a better name, but `generic` is used already, so I guess I fully leave the choice to the author..

gitea-mirror 2026-05-05 05:39:11 -06:00

• closed this issue
• added the
  bug
  label

gitea-mirror commented 2026-05-05 05:39:21 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (May 4, 2016):

From man firejail-profile:

      3. Use a default.profile file if the sandbox is started  by  a  regular
       user, or a server.profile file if the sandbox is started by root. Fire‐
       jail looks for these files in ~/.config/firejail directory, followed by
       /etc/firejail  directory [...]

later: You are right, I'll have to fix it. I'll change generic.profile to default profile!

<!-- gh-comment-id:216855667 --> @netblue30 commented on GitHub (May 4, 2016): From man firejail-profile: ``` 3. Use a default.profile file if the sandbox is started by a regular user, or a server.profile file if the sandbox is started by root. Fire‐ jail looks for these files in ~/.config/firejail directory, followed by /etc/firejail directory [...] ``` later: You are right, I'll have to fix it. I'll change generic.profile to default profile!

gitea-mirror commented 2026-05-05 05:39:23 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (May 4, 2016):

Cool, thanks.:)

<!-- gh-comment-id:216889507 --> @vn971 commented on GitHub (May 4, 2016): Cool, thanks.:)

gitea-mirror commented 2026-05-05 05:39:26 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (May 4, 2016):

Fixed, give it a try and let me know if you find anything else. I'll update the project webpages after I release the next version. Thanks.

<!-- gh-comment-id:216933198 --> @netblue30 commented on GitHub (May 4, 2016): Fixed, give it a try and let me know if you find anything else. I'll update the project webpages after I release the next version. Thanks.

gitea-mirror commented 2026-05-05 05:39:28 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (May 15, 2016):

Hm, I'm not sure it works. I'm testing the following scheme now:

• empty ~/.config/firejail directory
• the directory /etc/firejail contains only firejail.config and default.profile, with default.profile being generated by echo syntaxError > /etc/firejail/default.profile
• starting just the firejail without any additional command line arguments.

Expected: firejail failing to load itself because either the absence of a profile file, or because of incorrect syntaxt in it.

Observe: firejail actually loading itself. With empty rule set it seems.

<!-- gh-comment-id:219276532 --> @vn971 commented on GitHub (May 15, 2016): Hm, I'm not sure it works. I'm testing the following scheme now: - empty ~/.config/firejail directory - the directory /etc/firejail contains only `firejail.config` and `default.profile`, with default.profile being generated by `echo syntaxError > /etc/firejail/default.profile` - starting just the `firejail` without any additional command line arguments. Expected: firejail failing to load itself because either the absence of a profile file, or because of incorrect syntaxt in it. Observe: firejail actually loading itself. With empty rule set it seems.

gitea-mirror commented 2026-05-05 05:39:30 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (May 17, 2016):

This is what I get:

$ ls /etc/firejail/
default.profile
$ firejail
Reading profile /etc/firejail/default.profile
Error: line 1 in /etc/firejail/default.profile is invalid

I would say it is the expected behavior. Not a bug.

<!-- gh-comment-id:219689105 --> @netblue30 commented on GitHub (May 17, 2016): This is what I get: ``` $ ls /etc/firejail/ default.profile $ firejail Reading profile /etc/firejail/default.profile Error: line 1 in /etc/firejail/default.profile is invalid ``` I would say it is the expected behavior. Not a bug.

gitea-mirror commented 2026-05-05 05:39:32 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (May 17, 2016):

Hm, that's strange.
It still does not work for me. I even removed both the /etc/firejail and ~/.config/firejail directories, but firejail still loads itself.

UPDATE: I re-compiled from master, but still observe the bug. I use ArchLinux with the following build "script": https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=firejail-git

<!-- gh-comment-id:219692618 --> @vn971 commented on GitHub (May 17, 2016): Hm, that's strange. It still does not work for me. I even removed both the `/etc/firejail` and `~/.config/firejail` directories, but firejail still loads itself. UPDATE: I re-compiled from `master`, but still observe the bug. I use ArchLinux with the following build "script": https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=firejail-git

gitea-mirror commented 2026-05-05 05:39:34 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (May 17, 2016):

Output for firejail --debug (first lines):

Command name #bash#
Attempting to find default.profile...
DISPLAY :0.0, 0
Using the local network stack
Parent pid 2477, child pid 2478
Initializing child process
Host network configured
PID namespace installed

<!-- gh-comment-id:219697488 --> @vn971 commented on GitHub (May 17, 2016): Output for `firejail --debug` (first lines): ``` Command name #bash# Attempting to find default.profile... DISPLAY :0.0, 0 Using the local network stack Parent pid 2477, child pid 2478 Initializing child process Host network configured PID namespace installed ```

gitea-mirror commented 2026-05-05 05:39:35 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (May 31, 2016):

I have the new release out, give it a try and I'll reopen the bug if you still have problems.

<!-- gh-comment-id:222721839 --> @netblue30 commented on GitHub (May 31, 2016): I have the new release out, give it a try and I'll reopen the bug if you still have problems.

gitea-mirror commented 2026-05-05 05:39:36 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (Jul 14, 2016):

Hi! Sorry for the late reply. The bug persists in recent versions of firejail, too. My directory structure and the observed bug are the same as described earlier: https://github.com/netblue30/firejail/issues/498#issuecomment-219276532

I'm using "firejail version 0.9.41" (as shown by firejail --version).

<!-- gh-comment-id:232717506 --> @vn971 commented on GitHub (Jul 14, 2016): Hi! Sorry for the late reply. The bug persists in recent versions of `firejail`, too. My directory structure and the observed bug are the same as described earlier: https://github.com/netblue30/firejail/issues/498#issuecomment-219276532 I'm using "firejail version 0.9.41" (as shown by `firejail --version`).

gitea-mirror commented 2026-05-05 05:39:39 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Jul 14, 2016):

OK, let's start from the beginning. On version 0.9.41, print here the commands you run and the output you get.

<!-- gh-comment-id:232725111 --> @netblue30 commented on GitHub (Jul 14, 2016): OK, let's start from the beginning. On version 0.9.41, print here the commands you run and the output you get.

gitea-mirror commented 2026-05-05 05:39:41 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (Jul 14, 2016):

• mv ~/.config/firejail ~/.config/firejail2 (no output since it is a successful operation)
• delete all files in /etc/firejail except /etc/firejail/firejail.config
• start firejail .Without any additional command line arguments. Output:

Parent pid 21136, child pid 21137
Child process initialized
[myName@myCompName ~]$ 

• expected: failure

<!-- gh-comment-id:232733032 --> @vn971 commented on GitHub (Jul 14, 2016): - `mv ~/.config/firejail ~/.config/firejail2` (no output since it is a successful operation) - delete all files in `/etc/firejail` except `/etc/firejail/firejail.config` - start `firejail` .Without any additional command line arguments. Output: ``` Parent pid 21136, child pid 21137 Child process initialized [myName@myCompName ~]$ ``` - expected: failure

gitea-mirror commented 2026-05-05 05:39:43 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (Jul 14, 2016):

Alternative one-liner to show the bug:
firejail --noprofile --private --blacklist=/etc/firejail firejail
In this example, inner firejail should not have access to any profiles, so it should fail. In fact it does not fail.

<!-- gh-comment-id:232736220 --> @vn971 commented on GitHub (Jul 14, 2016): Alternative one-liner to show the bug: `firejail --noprofile --private --blacklist=/etc/firejail firejail` In this example, inner firejail should not have access to any profiles, so it should fail. In fact it does not fail.

gitea-mirror commented 2026-05-05 05:39:45 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (Jul 14, 2016):

@netblue30 Can you reproduce with the last (simple) example?

<!-- gh-comment-id:232741201 --> @vn971 commented on GitHub (Jul 14, 2016): @netblue30 Can you reproduce with the last (simple) example?

gitea-mirror commented 2026-05-05 05:39:47 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Jul 14, 2016):

$ firejail --noprofile --private --blacklist=/etc/firejail firejail
Parent pid 26416, child pid 26417

Child process initialized
Warning: an existing sandbox was detected. /bin/bash will run without any additional sandboxing features in a /bin/sh shell
$ 

It doesn't get a chance to fail, but it doesn't start either. It detects an existing sandbox, and it runs a normal bash session (see the warning).

If you force it to start with --force, this is what happens:

$ firejail --noprofile --private --blacklist=/etc/firejail firejail --force
Parent pid 26475, child pid 26476

Child process initialized
Warning: Firejail configuration file /etc/firejail/firejail.config not found

Parent is shutting down, bye...
$

So it fails, as it should be.

<!-- gh-comment-id:232769146 --> @netblue30 commented on GitHub (Jul 14, 2016): ``` $ firejail --noprofile --private --blacklist=/etc/firejail firejail Parent pid 26416, child pid 26417 Child process initialized Warning: an existing sandbox was detected. /bin/bash will run without any additional sandboxing features in a /bin/sh shell $ ``` It doesn't get a chance to fail, but it doesn't start either. It detects an existing sandbox, and it runs a normal bash session (see the warning). If you force it to start with --force, this is what happens: ``` $ firejail --noprofile --private --blacklist=/etc/firejail firejail --force Parent pid 26475, child pid 26476 Child process initialized Warning: Firejail configuration file /etc/firejail/firejail.config not found Parent is shutting down, bye... $ ``` So it fails, as it should be.

gitea-mirror commented 2026-05-05 05:39:48 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (Jul 14, 2016):

@netblue30 indeed. I have to write it a bit differently. This command still shows the bug:
firejail --noprofile --private --blacklist=/etc/firejail/default.profile firejail --force

<!-- gh-comment-id:232781936 --> @vn971 commented on GitHub (Jul 14, 2016): @netblue30 indeed. I have to write it a bit differently. This command still shows the bug: `firejail --noprofile --private --blacklist=/etc/firejail/default.profile firejail --force`

gitea-mirror commented 2026-05-05 05:39:51 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Jul 14, 2016):

$ firejail --noprofile --private --blacklist=/etc/firejail/default.profile firejail --force
Parent pid 27707, child pid 27708

Child process initialized
Error: cannot open profile file /etc/firejail/default.profile

Parent is shutting down, bye...

It doesn't find a default.profile and it is shutting down. Is this a bug? You can add --noprofile at the end of the command and it will start.

<!-- gh-comment-id:232813104 --> @netblue30 commented on GitHub (Jul 14, 2016): ``` $ firejail --noprofile --private --blacklist=/etc/firejail/default.profile firejail --force Parent pid 27707, child pid 27708 Child process initialized Error: cannot open profile file /etc/firejail/default.profile Parent is shutting down, bye... ``` It doesn't find a default.profile and it is shutting down. Is this a bug? You can add --noprofile at the end of the command and it will start.

gitea-mirror commented 2026-05-05 05:39:54 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (Jul 15, 2016):

@netblue30 sorry again, I forgot my computer does not have the file ("/etc/firejail/default.profile"), so my --blacklist behaves differently on other computers.

If your patience has not been spent already yet... To reproduce the bug on a fresh environment, the following is needed:

mv /etc/firejail/default.profile /etc/firejail/default2.profile
firejail --noprofile --private firejail --force

Or, alternatively, this:

mv ~/.config/firejail ~/.config/firejail2
mv /etc/firejail/default.profile /etc/firejail/default2.profile
firejail

<!-- gh-comment-id:232904558 --> @vn971 commented on GitHub (Jul 15, 2016): @netblue30 sorry again, I forgot my computer does not have the file ("/etc/firejail/default.profile"), so my `--blacklist` behaves differently on other computers. If your patience has not been spent already yet... To reproduce the bug on a fresh environment, the following is needed: ``` mv /etc/firejail/default.profile /etc/firejail/default2.profile firejail --noprofile --private firejail --force ``` Or, alternatively, this: ``` mv ~/.config/firejail ~/.config/firejail2 mv /etc/firejail/default.profile /etc/firejail/default2.profile firejail ```

gitea-mirror commented 2026-05-05 05:39:57 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Jul 18, 2016):

If your patience has not been spent already yet...

No problem, keep going. It usually ends up with me fixing some hard to catch bug. This is what I do:

$ sudo mv /etc/firejail/default.profile /etc/firejail/default2.profile
$ firejail --noprofile --private firejail
Parent pid 24561, child pid 24562

Child process initialized
$

So far so good. Firejail doens't care /etcfirejail/default.profile is missing because it was told not to care by --noprofile. Then I run the second command:

$ firejail --force
Parent pid 7, child pid 8

Child process initialized
$

This one shouldn't succeed because the default profile is missing. You are right, it is a bug!

<!-- gh-comment-id:233321067 --> @netblue30 commented on GitHub (Jul 18, 2016): > If your patience has not been spent already yet... No problem, keep going. It usually ends up with me fixing some hard to catch bug. This is what I do: ``` $ sudo mv /etc/firejail/default.profile /etc/firejail/default2.profile $ firejail --noprofile --private firejail Parent pid 24561, child pid 24562 Child process initialized $ ``` So far so good. Firejail doens't care /etcfirejail/default.profile is missing because it was told not to care by --noprofile. Then I run the second command: ``` $ firejail --force Parent pid 7, child pid 8 Child process initialized $ ``` This one shouldn't succeed because the default profile is missing. You are right, it is a bug!

gitea-mirror commented 2026-05-05 05:39:59 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Jul 20, 2016):

Fixed in git, thanks!

<!-- gh-comment-id:233991905 --> @netblue30 commented on GitHub (Jul 20, 2016): Fixed in git, thanks!

gitea-mirror commented 2026-05-05 05:40:01 -06:00

Author

Owner

Copy link

@vn971 commented on GitHub (Jul 20, 2016):

@netblue30 indeed it works now. Thanks!

<!-- gh-comment-id:234016296 --> @vn971 commented on GitHub (Jul 20, 2016): @netblue30 indeed it works now. Thanks!

gitea-mirror referenced this issue 2026-05-05 10:04:29 -06:00

[PR #349] [MERGED] Created Atril profile #3604

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#349

No description provided.