1FIREJAIL-PROFILE(5) firejail profiles man page FIREJAIL-PROFILE(5)
2
6 profile - Security profile file syntax for Firejail
7
10 firejail --profile=filename.profile
11firejail --profile=profile_name
12
15 Several command line options can be passed to the program using profile
16 files. Firejail chooses the profile file as follows:
17 1. If a profile file is provided by the user with --profile option, the
19 profile file is loaded. If a profile name is given, it is searched for
20 first in the ~/.config/firejail directory and if not found then in
21 /etc/firejail directory. Profile names do not include the .profile suf‐
22 fix. Example:
23 $ firejail --profile=/home/netblue/icecat.profile icecat
25 Reading profile /home/netblue/icecat.profile
26 [...]
27 $ firejail --profile=icecat icecat-wrapper.sh
30 Reading profile /etc/firejail/icecat.profile
31 [...]
32 2. If a profile file with the same name as the application is present
34 in ~/.config/firejail directory or in /etc/firejail, the profile is
35 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
36 ple:
37 $ firejail icecat
39 Command name #icecat#
40 Found icecat profile in /home/netblue/.config/firejail directory
41 Reading profile /home/netblue/.config/firejail/icecat.profile
42 [...]
43 3. Use a default.profile file if the sandbox is started by a regular
45 user, or a server.profile file if the sandbox is started by root. Fire‐
46 jail looks for these files in ~/.config/firejail directory, followed by
47 /etc/firejail directory. To disable default profile loading, use
48 --noprofile command option. Example:
49 $ firejail
51 Reading profile /etc/firejail/default.profile
52 Parent pid 8553, child pid 8554
53 Child process initialized
54 [...]
55 $ firejail --noprofile
57 Parent pid 8553, child pid 8554
58 Child process initialized
59 [...]
60
63 Scripting commands:
64 File and directory names
67 File and directory names containing spaces are supported. The
68 space character ' ' should not be escaped.
69 Example: "blacklist ~/My Virtual Machines"
71 # this is a comment
74 ?CONDITIONAL: profile line
77 Conditionally add profile line.
78 Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
80 This example will load the whitelist profile line only if the
82 --appimage option has been specified on the command line.
83 Currently the only conditional supported is HAS_APPIMAGE.
85 The profile line may be any profile line that you would normally
87 use in a profile except for "quiet" and "include" lines.
88 include other.profile
91 Include other.profile file.
92 Example: "include /etc/firejail/disable-common.inc"
94 The file name can be prefixed with a macro such as ${HOME} or
96 ${CFG}. ${HOME} is expanded as user home directory, and ${CFG}
97 is expanded as Firejail system configuration directory - in most
98 cases /etc/firejail or /usr/local/etc/firejail.
99 Example: "include ${HOME}/myprofiles/profile1" will load
101 "~/myprofiles/profile1" file.
102 Example: "include ${CFG}/firefox.profile" will load "/etc/fire‐
104 jail/firefox.profile" file.
105 The file name may also be just the name without the leading
107 directory components. In this case, first the user config
108 directory (${HOME}/.config/firejail) is searched for the file
109 name and if not found then the system configuration directory is
110 search for the file name. Note: Unlike the --profile option
111 which takes a profile name without the '.profile' suffix,
112 include must be given the full file name.
113 Example: "include firefox.profile" will load "${HOME}/.con‐
115 fig/firejail/firefox.profile" file and if it does not exist
116 "${CFG}/firefox.profile" will be loaded.
117 System configuration files in ${CFG} are overwritten during
119 software installation. Persistent configuration at system level
120 is handled in ".local" files. For every profile file in ${CFG}
121 directory, the user can create a corresponding .local file stor‐
122 ing modifications to the persistent configuration. Persistent
123 .local files are included at the start of regular profile files.
124 noblacklist file_name
127 If the file name matches file_name, the file will not be black‐
128 listed in any blacklist commands that follow.
129 Example: "noblacklist ${HOME}/.mozilla"
131 nowhitelist file_name
134 If the file name matches file_name, the file will not be
135 whitelisted in any whitelist commands that follow.
136 Example: "nowhitelist ~/.config"
138 ignore Ignore command.
141 Example: "ignore seccomp"
143 Example: "ignore net ehh0"
144 quiet Disable Firejail's output. This should be the first uncommented
147 command in the profile file.
148 Example: "quiet"
150
153 These profile entries define a chroot filesystem built on top of the
154 existing host filesystem. Each line describes a file element that is
155 removed from the filesystem (blacklist), a read-only file or directory
156 (read-only), a tmpfs mounted on top of an existing directory (tmpfs),
157 or mount-bind a directory or file on top of another directory or file
158 (bind). Use private to set private mode. File globbing is supported,
159 and PATH and HOME directories are searched. Examples:
160 blacklist file_or_directory
162 Blacklist directory or file. Examples:
163 blacklist /usr/bin
165 blacklist /usr/bin/gcc*
166 blacklist ${PATH}/ifconfig
167 blacklist ${HOME}/.ssh
168 blacklist-nolog file_or_directory
171 When --tracelog flag is set, blacklisting generates syslog mes‐
172 sages if the sandbox tries to access the file or directory.
173 blacklist-nolog command disables syslog messages for this par‐
174 ticular file or directory. Examples:
175 blacklist-nolog /usr/bin
177 blacklist-nolog /usr/bin/gcc*
178 bind directory1,directory2
181 Mount-bind directory1 on top of directory2. This option is only
182 available when running as root.
183 bind file1,file2
185 Mount-bind file1 on top of file2. This option is only available
186 when running as root.
187 disable-mnt
189 Disable /mnt, /media, /run/mount and /run/media access.
190 keep-var-tmp
192 /var/tmp directory is untouched.
193 mkdir directory
195 Create a directory in user home or under /tmp before the sandbox
196 is started. The directory is created if it doesn't already
197 exist.
198 Use this command for whitelisted directories you need to pre‐
200 serve when the sandbox is closed. Without it, the application
201 will create the directory, and the directory will be deleted
202 when the sandbox is closed. Subdirectories are recursively cre‐
203 ated. Example from firefox profile:
204 mkdir ~/.mozilla
206 whitelist ~/.mozilla
207 mkdir ~/.cache/mozilla/firefox
208 whitelist ~/.cache/mozilla/firefox
209 mkfile file
211 Similar to mkdir, this command creates a file in user home or
212 under /tmp before the sandbox is started. The file is created
213 if it doesn't already exist.
214 noexec file_or_directory
216 Remount the file or the directory noexec, nodev and nosuid.
217 overlay
219 Mount a filesystem overlay on top of the current filesystem.
220 The overlay is stored in $HOME/.firejail/<PID> directory.
221 overlay-named name
223 Mount a filesystem overlay on top of the current filesystem.
224 The overlay is stored in $HOME/.firejail/name directory.
225 overlay-tmpfs
227 Mount a filesystem overlay on top of the current filesystem.
228 All filesystem modifications are discarded when the sandbox is
229 closed.
230 private
232 Mount new /root and /home/user directories in temporary filesys‐
233 tems. All modifications are discarded when the sandbox is
234 closed.
235 private directory
237 Use directory as user home.
238 private-home file,directory
240 Build a new user home in a temporary filesystem, and copy the
241 files and directories in the list in the new home. All modifica‐
242 tions are discarded when the sandbox is closed.
243 private-cache
245 Mount an empty temporary filesystem on top of the .cache direc‐
246 tory in user home. All modifications are discarded when the
247 sandbox is closed.
248 private-bin file,file
250 Build a new /bin in a temporary filesystem, and copy the pro‐
251 grams in the list. The same directory is also bind-mounted over
252 /sbin, /usr/bin and /usr/sbin.
253 private-dev
255 Create a new /dev directory. Only disc, dri, null, full, zero,
256 tty, pts, ptmx, random, snd, urandom, video, log and shm devices
257 are available.
258 keep-dev-shm
260 /dev/shm directory is untouched (even with private-dev).
261 private-etc file,directory
263 Build a new /etc in a temporary filesystem, and copy the files
264 and directories in the list. All modifications are discarded
265 when the sandbox is closed.
266 private-lib file,directory
268 Build a new /lib directory and bring in the libraries required
269 by the application to run. This feature is still under develop‐
270 ment, see man 1 firejail for some examples.
271 private-opt file,directory
273 Build a new /optin a temporary filesystem, and copy the files
274 and directories in the list. All modifications are discarded
275 when the sandbox is closed.
276 private-srv file,directory
278 Build a new /srv in a temporary filesystem, and copy the files
279 and directories in the list. All modifications are discarded
280 when the sandbox is closed.
281 private-tmp
283 Mount an empty temporary filesystem on top of /tmp directory
284 whitelisting /tmp/.X11-unix.
285 read-only file_or_directory
287 Make directory or file read-only.
288 read-write file_or_directory
290 Make directory or file read-write.
291 tmpfs directory
293 Mount an empty tmpfs filesystem on top of directory. This option
294 is available only when running the sandbox as root.
295 tracelog
297 Blacklist violations logged to syslog.
298 whitelist file_or_directory
300 Whitelist directory or file. A temporary file system is mounted
301 on the top directory, and the whitelisted files are mount-binded
302 inside. Modifications to whitelisted files are persistent,
303 everything else is discarded when the sandbox is closed. The top
304 directory could be user home, /dev, /etc, /media, /mnt, /opt,
305 /srv, /sys/module, /usr/share, /var, and /tmp.
306 Symbolic link handling: with the exception of user home, both
308 the link and the real file should be in the same top directory.
309 For user home, both the link and the real file should be owned
310 by the user.
311 writable-etc
313 Mount /etc directory read-write.
314 writable-run-user
316 Disable the default blacklisting of run/user/$UID/systemd and
317 /run/user/$UID/gnupg.
318 writable-var
320 Mount /var directory read-write.
321 writable-var-log
323 Use the real /var/log directory, not a clone. By default, a
324 tmpfs is mounted on top of /var/log directory, and a skeleton
325 filesystem is created based on the original /var/log.
326
329 The following security filters are currently implemented:
330 apparmor
333 Enable AppArmor confinement.
334 caps Enable default Linux capabilities filter.
336 caps.drop all
338 Blacklist all Linux capabilities.
339 caps.drop capability,capability,capability
341 Blacklist given Linux capabilities.
342 caps.keep capability,capability,capability
344 Whitelist given Linux capabilities.
345 protocol protocol1,protocol2,protocol3
347 Enable protocol filter. The filter is based on seccomp and
348 checks the first argument to socket system call. Recognized val‐
349 ues: unix, inet, inet6, netlink and packet.
350 seccomp
352 Enable seccomp filter and blacklist the syscalls in the default
353 list. See man 1 firejail for more details.
354 seccomp syscall,syscall,syscall
356 Enable seccomp filter and blacklist the system calls in the list
357 on top of default seccomp filter.
358 seccomp.block-secondary
360 Enable seccomp filter and filter system call architectures so
361 that only the native architecture is allowed.
362 seccomp.drop syscall,syscall,syscall
364 Enable seccomp filter and blacklist the system calls in the
365 list.
366 seccomp.keep syscall,syscall,syscall
368 Enable seccomp filter and whitelist the system calls in the
369 list.
370 memory-deny-write-execute
372 Install a seccomp filter to block attempts to create memory map‐
373 pings that are both writable and executable, to change mappings
374 to be executable or to create executable shared memory.
375 nonewprivs
377 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
378 cannot acquire new privileges using execve(2); in particular,
379 this means that calling a suid binary (or one with file capabil‐
380 ities) does not result in an increase of privilege.
381 noroot Use this command to enable an user namespace. The namespace has
383 only one user, the current user. There is no root account (uid
384 0) defined in the namespace.
385 x11 Enable X11 sandboxing.
387 x11 none
389 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file
390 specified in ${XAUTHORITY} environment variable. Remove DISPLAY
391 and XAUTHORITY environment variables. Stop with error message
392 if X11 abstract socket will be accessible in jail.
393 x11 xephyr
395 Enable X11 sandboxing with Xephyr server.
396 x11 xorg
398 Enable X11 sandboxing with X11 security extension.
399 x11 xpra
401 Enable X11 sandboxing with Xpra server.
402 x11 xvfb
404 Enable X11 sandboxing with Xvfb server.
405 xephyr-screen WIDTHxHEIGHT
407 Set screen size for x11 xephyr. This command should be included
408 in the profile file before x11 xephyr command.
409 Example:
411 xephyr-screen 640x480
413 x11 xephyr
414
419 These profile entries define the limits on system resources (rlimits)
420 for the processes inside the sandbox. The limits can be modified
421 inside the sandbox using the regular ulimit command. cpu command con‐
422 figures the CPU cores available, and cgroup command place the sandbox
423 in an existing control group.
424 Examples:
426 rlimit-as 123456789012
429 Set the maximum size of the process's virtual memory to
430 123456789012 bytes.
431 rlimit-cpu 123
433 Set the maximum CPU time in seconds.
434 rlimit-fsize 1024
436 Set the maximum file size that can be created by a process to
437 1024 bytes.
438 rlimit-nproc 1000
440 Set the maximum number of processes that can be created for the
441 real user ID of the calling process to 1000.
442 rlimit-nofile 500
444 Set the maximum number of files that can be opened by a process
445 to 500.
446 rlimit-sigpending 200
448 Set the maximum number of processes that can be created for the
449 real user ID of the calling process to 200.
450 cpu 0,1,2
452 Use only CPU cores 0, 1 and 2.
453 nice -5
455 Set a nice value of -5 to all processes running inside the sand‐
456 box.
457 cgroup /sys/fs/cgroup/g1/tasks
459 The sandbox is placed in g1 control group.
460 timeout hh:mm:ss
462 Kill the sandbox automatically after the time has elapsed. The
463 time is specified in hours/minutes/seconds format.
464
467 allusers
468 All user home directories are visible inside the sandbox. By
469 default, only current user home directory is visible.
470 name sandboxname
473 Set sandbox name. Example:
474 name browser
476 env name=value
479 Set environment variable. Examples:
480 env LD_LIBRARY_PATH=/opt/test/lib
482 env CFLAGS="-W -Wall -Werror"
483 nodvd Disable DVD and audio CD devices.
486 nogroups
488 Disable supplementary user groups
489 shell none
491 Run the program directly, without a shell.
492 ipc-namespace
494 Enable IPC namespace.
495 nodbus Disable D-Bus access. Only the regular UNIX socket is handled by
497 this command. To disable the abstract socket, you would need to
498 request a new network namespace using the net command. Another
499 option is to remove unix from protocol set.
500 nosound
502 Disable sound system.
503 noautopulse
505 Disable automatic ~/.config/pulse init, for complex setups such
506 as remote pulse servers or non-standard socket paths.
507 notv Disable DVB (Digital Video Broadcasting) TV devices.
509 nou2f Disable U2F devices.
511 novideo
513 Disable video devices.
514 no3d Disable 3D hardware acceleration.
516
519 Networking features available in profile files.
520 defaultgw address
523 Use this address as default gateway in the new network names‐
524 pace.
525 dns address
528 Set a DNS server for the sandbox. Up to three DNS servers can be
529 defined.
530 hostname name
533 Set a hostname for the sandbox.
534 hosts-file file
537 Use file as /etc/hosts.
538 ip address
541 Assign IP addresses to the last network interface defined by a
542 net command. A default gateway is assigned by default.
543 Example:
545 net eth0
546 ip 10.10.20.56
547 ip none
550 No IP address and no default gateway are configured for the last
551 interface defined by a net command. Use this option in case you
552 intend to start an external DHCP client in the sandbox.
553 Example:
555 net eth0
556 ip none
557 ip6 address
560 Assign IPv6 addresses to the last network interface defined by a
561 net command.
562 Example:
564 net eth0
565 ip6 2001:0db8:0:f101::1/64
566 iprange address,address
569 Assign an IP address in the provided range to the last network
570 interface defined by a net command. A default gateway is
571 assigned by default.
572 Example:
574 net eth0
576 iprange 192.168.1.150,192.168.1.160
577 mac address
580 Assign MAC addresses to the last network interface defined by a
581 net command.
582 machine-id
585 Spoof id number in /etc/machine-id file - a new random id is
586 generated inside the sandbox.
587 mtu number
590 Assign a MTU value to the last network interface defined by a
591 net command.
592 netfilter
597 If a new network namespace is created, enabled default network
598 filter.
599 netfilter filename
602 If a new network namespace is created, enabled the network fil‐
603 ter in filename.
604 net bridge_interface
607 Enable a new network namespace and connect it to this bridge
608 interface. Unless specified with option --ip and --defaultgw,
609 an IP address and a default gateway will be assigned automati‐
610 cally to the sandbox. The IP address is verified using ARP
611 before assignment. The address configured as default gateway is
612 the bridge device IP address. Up to four --net bridge devices
613 can be defined. Mixing bridge and macvlan devices is allowed.
614 net ethernet_interface|wireless_interface
617 Enable a new network namespace and connect it to this ethernet
618 interface using the standard Linux macvlan or ipvlan driver.
619 Unless specified with option --ip and --defaultgw, an IP address
620 and a default gateway will be assigned automatically to the
621 sandbox. The IP address is verified using ARP before assignment.
622 The address configured as default gateway is the default gateway
623 of the host. Up to four --net devices can be defined. Mixing
624 bridge and macvlan devices is allowed.
625 net tap_interface
628 Enable a new network namespace and connect it to this ethernet
629 tap interface using the standard Linux macvlan driver. If the
630 tap interface is not configured, the sandbox will not try to
631 configure the interface inside the sandbox. Please use ip, net‐
632 mask and defaultgw to specify the configuration.
633 net none
636 Enable a new, unconnected network namespace. The only interface
637 available in the new namespace is a new loopback interface (lo).
638 Use this option to deny network access to programs that don't
639 really need network access.
640 netmask address
643 Use this option when you want to assign an IP address in a new
644 namespace and the parent interface specified by --net is not
645 configured. An IP address and a default gateway address also
646 have to be added.
647 veth-name name
650 Use this name for the interface connected to the bridge for
651 --net=bridge_interface commands, instead of the default one.
652
655 join-or-start sandboxname
656 Join the sandbox identified by name or start a new one. Same as
657 "firejail --join=sandboxname" command if sandbox with specified
658 name exists, otherwise same as "name sandboxname".
659
662 /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile
663
666 Firejail is free software; you can redistribute it and/or modify it
667 under the terms of the GNU General Public License as published by the
668 Free Software Foundation; either version 2 of the License, or (at your
669 option) any later version.
670 Homepage: https://firejail.wordpress.com
672
674 firejail(1), firemon(1), firecfg(1), firejail-login(5) firejail-
675 users(5)
6760.9.57 Jan 2019 FIREJAIL-PROFILE(5)