[GH-ISSUE #1286] private-dev for firefox/chrome #874

Closed
opened 2026-05-05 07:01:32 -06:00 by gitea-mirror · 8 comments

Originally created by @msva on GitHub (May 19, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1286

I noticed you've removed private-dev from the firefox and chromium profiles, with a message that it prevents video calls.

Isn't it only because `/dev/video[0-9]*` is not present there?
If so, I guess it can be solved by implementing wildcard whitelisting and adding it to the default profiles. Couldn't it? 😸


@netblue30 commented on GitHub (May 19, 2017):

I added support for /dev/video* inside private-dev, uncommented private-dev in firefox and chromium profiles.


@Fred-Barclay commented on GitHub (May 19, 2017):

@netblue30 Is there still a way to disable video devices inside profiles?


@msva commented on GitHub (May 19, 2017):

> @netblue30 Is there still a way to disable video devices inside profiles?

blacklist /dev/videoN in a "custom" profile (/etc/firejail/firefox.local or ~/.config/firejail/firefox)?

// Or has @netblue30 implemented wildcard/regexp in white/blacklist params already?


@Fred-Barclay commented on GitHub (May 19, 2017):

@msva Good thought. That would work but I'm not crazy about having to explicitly blacklist all video devices in all my profiles that currently have private-dev. 😉

@netblue30 Would it be possible/wanted to keep the old behavior of private-dev (no video devices) with a new flag? Something like `--private-dev-all`? Or perhaps `--no-video` like the existing `--no-sound`? I could *try* to code it in myself if it's something you wouldn't mind having.

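An added example (not part of the original comments and not firejail code) for the per-profile approach discussed above: it generates the `blacklist /dev/videoN` lines for the devices present and lists the profiles that enable private-dev without any video rule in the profile or its `.local` file. The function names and sample files are constructed for illustration; `novideo` is the profile form of the flag proposed in this thread.

```shell
#!/bin/sh
# Added example, not firejail code. Sample profiles below are constructed.

# Print one "blacklist /dev/videoN" line per video node found in DEVDIR.
video_blacklist_lines() {
    devdir=${1:-/dev}
    for node in "$devdir"/video[0-9]*; do
        [ -e "$node" ] || continue          # glob matched nothing
        printf 'blacklist /dev/%s\n' "${node##*/}"
    done
}

# Succeed if any existing FILE has a line matching the extended regex RE.
has_rule() {
    re=$1; shift
    for p in "$@"; do
        [ -f "$p" ] && grep -Eq "$re" "$p" && return 0
    done
    return 1
}

# Print the *.profile names in DIR that enable private-dev while neither the
# profile nor its NAME.local override disables video devices.
profiles_exposing_video() {
    dir=$1
    for f in "$dir"/*.profile; do
        [ -f "$f" ] || continue
        set -- "$f" "${f%.profile}.local"
        has_rule '^[[:space:]]*private-dev[[:space:]]*$' "$@" || continue
        has_rule '^[[:space:]]*(novideo|blacklist[[:space:]]+/dev/video)' "$@" && continue
        printf '%s\n' "${f##*/}"
    done
}

# Constructed sample: two profiles with private-dev, one fixed via .local.
sample=$(mktemp -d)
mkdir "$sample/dev" "$sample/etc"
: > "$sample/dev/video0"; : > "$sample/dev/video1"; : > "$sample/dev/null"
printf 'caps.drop all\nprivate-dev\n' > "$sample/etc/firefox.profile"
printf 'private-dev\n' > "$sample/etc/chromium.profile"
video_blacklist_lines "$sample/dev" > "$sample/etc/chromium.local"
printf 'seccomp\n' > "$sample/etc/vlc.profile"

profiles_exposing_video "$sample/etc"      # prints firefox.profile
```

On a real system the same functions would be pointed at `/dev` and `/etc/firejail`.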

@msva commented on GitHub (May 20, 2017):

> @netblue30 Would it be possible/wanted to keep the old behavior of
> private-dev (no video devices) with a new flag? Something like
> `--private-dev-all`? Or perhaps `--no-video` like the existing
> `--no-sound`? I could *try* to code it in myself it's something you
> wouldn't mind having.

Actually, I think it'd be nicer to make private-dev support lists like private-bin and private-etc.
In that case, the default behaviour (with no list) would work as before, and for the cases where you need an exact list of devices you'd be able to specify an exact list.

Although, I guess, it's anyway possible with whitelist atm

// although, AFAIK, whitelist still does not support wildcards/regexp :'(


@SYN-cook commented on GitHub (May 22, 2017):

Being able to prevent software from accessing a webcam seems quite useful. It might even serve as an alternative to taping webcams on notebooks.


@Fred-Barclay commented on GitHub (May 22, 2017):

@SYN-cook I've got a working --novideo flag. 🎉 I'll test it some more and if it's still working I'll open a PR for it to be reviewed (my C is abysmal so it needs reviewing by someone much more experienced be 😁 )

EDIT: I'll open the PR now.


@msva commented on GitHub (May 22, 2017):

> It might even serve as an alternative to taping webcams on notebooks.

Actually, firejail doesn't save you from trojan horses in firmware (cpu, intel's apus (skylake+ needs blob firmware to work properly), bios, whatever).

But, yes, I've had the idea to combine firejail and, say, mobile OSes for a very long time already :)
