[PR #6698] [MERGED] modif: block TPM devices & turn notpm command into keep-dev-tpm #6126

New issue

Closed

opened 2026-05-05 10:51:13 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:51:13 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/6698
Author: @kmk3
Created: 4/1/2025
Status: ✅ Merged
Merged: 4/5/2025
Merged by: @kmk3

Base: master ← Head: notpm-to-keep-dev-tpm

📝 Commits (3)

844f307 profiles: remove notpm entries
4d34d4c modif: block TPM devices & turn notpm command into keep-dev-tpm
4911b78 profiles: add keep-dev-tpm entries

📊 Changes

29 files changed (+56 additions, -45 deletions)

View changed files

📝 contrib/syntax/lists/profile_commands_arg0.list (+1 -0)
📝 etc/inc/allow-ssh.inc (+2 -0)
📝 etc/profile-a-l/aria2p.profile (+0 -1)
📝 etc/profile-a-l/aria2rpc.profile (+0 -1)
📝 etc/profile-a-l/buku.profile (+0 -1)
📝 etc/profile-a-l/default.profile (+0 -1)
📝 etc/profile-a-l/device-flasher.linux.profile (+0 -1)
📝 etc/profile-a-l/hledger.profile (+0 -1)
📝 etc/profile-a-l/irssi.profile (+0 -1)
📝 etc/profile-m-z/monero-wallet-cli.profile (+0 -1)
📝 etc/profile-m-z/ncmpcpp.profile (+0 -1)
📝 etc/profile-m-z/noprofile.profile (+1 -0)
📝 etc/profile-m-z/nsxiv.profile (+0 -1)
📝 etc/profile-m-z/prismlauncher.profile (+0 -1)
📝 etc/profile-m-z/pyradio.profile (+0 -1)
📝 etc/profile-m-z/singularity.profile (+0 -1)
📝 etc/profile-m-z/syncthing.profile (+2 -1)
📝 etc/profile-m-z/tremc.profile (+0 -1)
📝 etc/templates/profile.template (+1 -1)
📝 src/fbuilder/build_profile.c (+0 -1)

...and 9 more files

📄 Description

Instead of having a notpm command and potentially adding it to almost
all profiles (as few programs should need direct access to TPM devices),
add a keep-dev-tpm command and use it only in profiles that need
access to TPM devices.

Changes:

Turn notpm command into keep-dev-tpm command
Warn and ignore if notpm is used
Block /dev/tpm* devices by default
Allow /dev/tpm* devices with keep-dev-tpm (even if private-dev
is used)

Added on commit 001320226 ("feature: add notpm command & keep tpm
devices in private-dev (#6390)", 2024-07-09).

See also commit ee1c264c5 ("feature: block /dev/ntsync & add
keep-dev-ntsync command (#6660)", 2025-03-06) and the discussion at
PR #6660.

This is a follow-up to #6687.

Relates to #6379 #6536.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/6698 **Author:** [@kmk3](https://github.com/kmk3) **Created:** 4/1/2025 **Status:** ✅ Merged **Merged:** 4/5/2025 **Merged by:** [@kmk3](https://github.com/kmk3) **Base:** `master` ← **Head:** `notpm-to-keep-dev-tpm` --- ### 📝 Commits (3) - [`844f307`](https://github.com/netblue30/firejail/commit/844f307a3fbb14382ff83fe0a75b1dbd509ee004) profiles: remove notpm entries - [`4d34d4c`](https://github.com/netblue30/firejail/commit/4d34d4c336156d2735dd2e8fea878e72119aac09) modif: block TPM devices & turn notpm command into keep-dev-tpm - [`4911b78`](https://github.com/netblue30/firejail/commit/4911b7803ff88611289cebb91c63803d993f9fef) profiles: add keep-dev-tpm entries ### 📊 Changes **29 files changed** (+56 additions, -45 deletions) <details> <summary>View changed files</summary> 📝 `contrib/syntax/lists/profile_commands_arg0.list` (+1 -0) 📝 `etc/inc/allow-ssh.inc` (+2 -0) 📝 `etc/profile-a-l/aria2p.profile` (+0 -1) 📝 `etc/profile-a-l/aria2rpc.profile` (+0 -1) 📝 `etc/profile-a-l/buku.profile` (+0 -1) 📝 `etc/profile-a-l/default.profile` (+0 -1) 📝 `etc/profile-a-l/device-flasher.linux.profile` (+0 -1) 📝 `etc/profile-a-l/hledger.profile` (+0 -1) 📝 `etc/profile-a-l/irssi.profile` (+0 -1) 📝 `etc/profile-m-z/monero-wallet-cli.profile` (+0 -1) 📝 `etc/profile-m-z/ncmpcpp.profile` (+0 -1) 📝 `etc/profile-m-z/noprofile.profile` (+1 -0) 📝 `etc/profile-m-z/nsxiv.profile` (+0 -1) 📝 `etc/profile-m-z/prismlauncher.profile` (+0 -1) 📝 `etc/profile-m-z/pyradio.profile` (+0 -1) 📝 `etc/profile-m-z/singularity.profile` (+0 -1) 📝 `etc/profile-m-z/syncthing.profile` (+2 -1) 📝 `etc/profile-m-z/tremc.profile` (+0 -1) 📝 `etc/templates/profile.template` (+1 -1) 📝 `src/fbuilder/build_profile.c` (+0 -1) _...and 9 more files_ </details> ### 📄 Description Instead of having a `notpm` command and potentially adding it to almost all profiles (as few programs should need direct access to TPM devices), add a `keep-dev-tpm` command and use it only in profiles that need access to TPM devices. Changes: * Turn `notpm` command into `keep-dev-tpm` command * Warn and ignore if `notpm` is used * Block `/dev/tpm*` devices by default * Allow `/dev/tpm*` devices with `keep-dev-tpm` (even if `private-dev` is used) Added on commit 001320226 ("feature: add notpm command & keep tpm devices in private-dev (#6390)", 2024-07-09). See also commit ee1c264c5 ("feature: block /dev/ntsync & add keep-dev-ntsync command (#6660)", 2025-03-06) and the discussion at PR #6660. This is a follow-up to #6687. Relates to #6379 #6536. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror

2026-05-05 10:51:13 -06:00

closed this issue
added the
pull-request
label

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#6126

No description provided.

Rows
Columns