[PR #7142] feature: firecfg: add and use firejail-symlink wrapper #6336

New issue

Open

opened 2026-05-05 10:55:01 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 10:55:01 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/7142
Author: @kmk3
Created: 4/18/2026
Status: 🔄 Open

Base: master ← Head: add-firejail-symlink-exec

📝 Commits (3)

61774ed build: config.mk.in: line-wrap config vars in COMMON_FLAGS
e1dddd9 build: config.mk.in: sort config vars in COMMON_FLAGS
d09499d feature: firecfg: add and use firejail-symlink wrapper

📊 Changes

11 files changed (+134 additions, -11 deletions)

View changed files

📝 Makefile (+3 -0)
📝 config.mk.in (+7 -3)
📝 src/firecfg/firecfg.h (+1 -0)
➕ src/firecfg/firejail-symlink.sh (+12 -0)
📝 src/firecfg/main.c (+8 -4)
📝 src/firejail/fs_lib.c (+3 -2)
📝 src/firejail/main.c (+11 -0)
📝 test/firecfg/firecfg.exp (+2 -2)
📝 test/firecfg/firecfg.sh (+8 -0)
➕ test/firecfg/firejail-program-args.exp (+57 -0)
➕ test/firecfg/firejail-program-args.sh (+22 -0)

📄 Description

Add a new firejail-symlink wrapper script that sets
FIREJAIL_SYMLINK=1 before calling firejail and use that script as the
symlink in /usr/local/bin instead of firejail.

Check both paths in firecfg for backwards compatibility (especially for
firecfg --clean).

Place the script in $(libexecdir) (which is not currently used), as
that is a more appropriate location than $(libdir) and having a stable
target path for the symlinks makes maintenance and support easier (as
opposed to potentially moving the script path later).

Background: The early firejail init code is brittle due to certain
interdependencies between different parts (such as when checking
environment variables, flags and firejail.config options).

This should make the code more robust by not having to guess when
firejail is called as a symlink (which affects argument parsing).

This fixes a bug added on commit 907916d04 ("modif: check for --version
during early init", 2025-11-23) / PR #6972, in which running
foo --version (and with foo being a symlink to firejail) results in
firejail parsing --version, printing its version and exiting instead
of just forwarding the argument to the program:

$ qpdf --version
firejail version 0.9.80
[...]

Misc: PR #6972 was still marked as a draft when it was merged.

Fixes #7140.

Relates to #6969 #6972.

Reported-by: @gcb
Bisected-by: @rusty-snake

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/netblue30/firejail/pull/7142 **Author:** [@kmk3](https://github.com/kmk3) **Created:** 4/18/2026 **Status:** 🔄 Open **Base:** `master` ← **Head:** `add-firejail-symlink-exec` --- ### 📝 Commits (3) - [`61774ed`](https://github.com/netblue30/firejail/commit/61774ed946d26ee95352475bbf9e162fafbeffd6) build: config.mk.in: line-wrap config vars in `COMMON_FLAGS` - [`e1dddd9`](https://github.com/netblue30/firejail/commit/e1dddd9afff45365ef2a2e296e088ba1022dde64) build: config.mk.in: sort config vars in `COMMON_FLAGS` - [`d09499d`](https://github.com/netblue30/firejail/commit/d09499d7b3f9758a8a2f2d690ceba335504c9552) feature: firecfg: add and use firejail-symlink wrapper ### 📊 Changes **11 files changed** (+134 additions, -11 deletions) <details> <summary>View changed files</summary> 📝 `Makefile` (+3 -0) 📝 `config.mk.in` (+7 -3) 📝 `src/firecfg/firecfg.h` (+1 -0) ➕ `src/firecfg/firejail-symlink.sh` (+12 -0) 📝 `src/firecfg/main.c` (+8 -4) 📝 `src/firejail/fs_lib.c` (+3 -2) 📝 `src/firejail/main.c` (+11 -0) 📝 `test/firecfg/firecfg.exp` (+2 -2) 📝 `test/firecfg/firecfg.sh` (+8 -0) ➕ `test/firecfg/firejail-program-args.exp` (+57 -0) ➕ `test/firecfg/firejail-program-args.sh` (+22 -0) </details> ### 📄 Description Add a new `firejail-symlink` wrapper script that sets `FIREJAIL_SYMLINK=1` before calling firejail and use that script as the symlink in /usr/local/bin instead of `firejail`. Check both paths in firecfg for backwards compatibility (especially for `firecfg --clean`). Place the script in `$(libexecdir)` (which is not currently used), as that is a more appropriate location than `$(libdir)` and having a stable target path for the symlinks makes maintenance and support easier (as opposed to potentially moving the script path later). Background: The early firejail init code is brittle due to certain interdependencies between different parts (such as when checking environment variables, flags and firejail.config options). This should make the code more robust by not having to guess when firejail is called as a symlink (which affects argument parsing). This fixes a bug added on commit 907916d04 ("modif: check for --version during early init", 2025-11-23) / PR #6972, in which running `foo --version` (and with `foo` being a symlink to firejail) results in firejail parsing `--version`, printing its version and exiting instead of just forwarding the argument to the program: $ qpdf --version firejail version 0.9.80 [...] Misc: PR #6972 was still marked as a draft when it was merged. Fixes #7140. Relates to #6969 #6972. Reported-by: @gcb Bisected-by: @rusty-snake --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

gitea-mirror added the

pull-request

label 2026-05-05 10:55:01 -06:00

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#6336

No description provided.

Rows
Columns