Consider keeping /dev/input/js0 (joystick device) with --private-dev

[iskunk]

I've been testing a game application in Firejail. It works great with --private-dev, except that it cannot see my correctly-functioning USB gamepad.

The standard device location for a joystick in Linux is /dev/input/js0. I don't know if bringing in all of /dev/input/ is desirable (this would include items like /dev/input/mouse0), but at least /dev/input/js* seems reasonable.

[SkewedZeppelin]

See #1446

Here is also a cleaned version of your profile
citra-qt.profile.txt

[iskunk]

If --private-dev is ever extended to allow specifying additional devices, it'll need to allow devices in subdirectories (input/js0).

I'm not sure that I understand the edits you made to the profile. By dropping the mkdir and whitelist directives, the config directories are not created on first run, and config files are not saved to the real homedir. And I believe those noblacklist directives will print a warning as there are no corresponding blacklistentries in the include files.

[SkewedZeppelin]

I'm not sure that I understand the edits you made to the profile.

Emulators need ROM files and what not yea? As is yours would only allow loading them from .config/citra-emu, .local/share/citra-emu, and any other drives. Access to home would be blocked. So I switched it from whitelist to blacklist.

machine-id also breaks sound via pulseaudio in many cases, which is why I removed that too.

And I believe those noblacklist directives will print a warning

As is yes, but they would be added to disable-programs.inc on merge.

If the one I uploaded works, I can either commit it in your name/email or you can make a PR with it.

[iskunk]

There's no standard directory for Citra game ROMs, however. That would need to be specified by the user, perhaps in a command-line option. machine-id is a good point, however, as I use ALSA directly.

I'll give this a try and report back my findings soon.

[iskunk]

The modified profile does allow the program to run, but now the majority of the home directory is open to reading and writing, which I was wanting to avoid (not least as Citra implements network multiplayer functionality and so in theory could be compromised that way).

Isn't it feasible for the user to specify to Firejail the directory that contains the game ROMs?

[SkewedZeppelin]

Isn't it feasible for the user to specify to Firejail the directory that contains the game ROMs?

We generally try to make default profiles work out of the box and ensure usability for the majority. All of the other emulators we ship profiles for are blacklist as well.

Citra implements network multiplayer

Is multiplayer used enough to justify network access by default? If not we can ship with net none which will help with the concern of access to home.

[iskunk]

We generally try to make default profiles work out of the box and ensure usability for the majority. All of the other emulators we ship profiles for are blacklist as well.

Okay... I guess this would be fine to add to the set of profiles, then, though I myself would continue to use the stricter original.

Is multiplayer used enough to justify network access by default? If not we can ship with net none which will help with the concern of access to home.

I don't know, to be honest; I'm an outsider to the Citra community. That said, the functionality is fairly prominent in the GUI, and multiplayer 3DS gaming sessions tend to be a common sight at fan conventions...

[adrianlshaw]

The standard device location for a joystick in Linux is /dev/input/js0. I don't know if bringing in all of /dev/input/ is desirable (this would include items like /dev/input/mouse0), but at least /dev/input/js* seems reasonable.

I'd also like this feature. Is /dev/input/js* sufficient? I'm trying to get a controller working with another application but this doesn't seem to be enough.