netblue30/firejail 0.9.76

Release 0.9.76

on GitHub

firejail (0.9.76) baseline; urgency=low

• feature: use globbing in hardcoded numbered /dev paths (#2723 #6704)
• feature: add warn command (#6710)
• feature: use non-blocking flock calls (#6761)
• modif: block TPM devices & turn notpm command into keep-dev-tpm (#6698)
• modif: improve error messages in mountinfo.c (#6711)
• modif: use "Error:" in errExit message (#6716)
• modif: keep tss group if keep-dev-tpm is used (#6718)
• modif: keep /dev/tpmrm devices if keep-dev-tpm is used (#6719)
• modif: keep tcm/tcmrm devices if keep-dev-tpm is used (#6724)
• modif: improve "Failed mount" error messages in util.c (#6747)
• modif: improve fcopy error messages in check() (#6801)
• modif: fcopy: try normal case first instead of last in check() (#6804)
• modif: improve new network namespace error message (#6824)
• modif: improve error messages in sandbox.c/sbox.c (#6825)
• bugfix: fix flock debug messages going to stderr (#6712)
• bugfix: add missing selinux relabeling for /dev paths (#6734)
• bugfix: fix potential deadlock with flock + SIGTSTP (#6729 #6750)
• bugfix: fcopy: add /usr/share + "runner:root" exception to fix CI (#6797
  #6803)
• bugfix: fcopy: allow /etc/resolv.conf owned by systemd-resolve (#4545
  #6808)
• bugfix: fix "Not enforcing Landlock" message always being printed (#6806)
• bugfix: add NULL check for cmdline in find_child() (#6840)
• build: use TARNAME in SYSCONFDIR/VARDIR (#6713)
• build: add localstatedir and use in VARDIR (#6715)
• build: replace SYSCONFDIR with @sysconfdir@ (#6737)
• ci: upgrade debian:buster to debian:bullseye (#6832)
• docs: improve URL formatting in man pages (#6706)
• docs: clarify --private bug in man pages (#6805)
• docs: fix man formatting of landlock.enforce (#6807)
• profiles: split commands that increase/reduce access (#6687)
• profiles: firefox: add comment about creating PWA shortcuts (#6689)
• profiles: add more xorg paths (#6708)
• profiles: fix include of deprecated disable-X11.inc (uppercase) (#6709)
• profiles: godot: remove noinput so gamepads work (#6707)
• profiles: remove mkdir ~/.pki (#6732)
• profiles: mpv: remove mkfile ~/.netrc (#6735)
• profiles: curl: allow ~/.netrc (#6736)
• profiles: discord-common: add env to private-bin (#6738)
• profiles: firecfg: disable checksum programs (#6755)
• profiles: rssguard: allow lua (#6758 #6759)
• profiles: wine: allow python to fix Epic Games Launcher (#6762 #6763)
• profiles: wusc: add /usr/share/xkeyboard-config-2 (#6773 #6775)
• profiles: chafa: quiet output (#6777)
• profiles: ripperx/sound-juicer: fix profile name typos (#6780)
• profiles: ani-cli: add mpv to private-etc for plugins access (#6779)
• profiles: use private-etc groups in more profiles (#6783)
• profiles: firecfg: disable foliate (#6784)
• profiles: finish converting private-opt to whitelist (#6785)
• profiles: replace hosts.conf with host.conf in private-etc (#6791)
• profiles: makedeb: allow dpkg (#6816)
• profiles: kate: fix network access (#6815 #6823)
• profiles: keepassxc: add x11 group to private-etc (#6827 #6828)
• profiles: allow org.kde.kwalletd6 for Plasma 6 systems (#6819)
• profiles: xreader: disable no3d to fix startup (#6829)
• profiles: firefox: add alternative tridactylrc path (#6720 #6721)
• new profile: ansel (#6751)
  -- netblue30 netblue30@yahoo.com Wed, 30 Jul 2025 11:00:00 -0500

A note about the different signing key:

Due to an xorg change, many/most xorg programs were rendered completely broken
when running under 0.9.74:

• #6773

This was fixed in 0.9.76:

• #6775

Usually the releases are created by @netblue30, but we could not get in contact
with @netblue30 for over a month, so to avoid leaving firejail in a broken
state for many common programs for too long (and since the release contains
mostly bugfixes), we (@kmk3 and @SkewedZeppelin) chose to release 0.9.76.

As a result, this release is signed by @SkewedZeppelin instead of @netblue30.

For details, see the following discussions:

• #6691 (comment)
• #6847