1FIREJAIL(1) firejail man page FIREJAIL(1)
2
6 Firejail - Linux namespaces sandbox program
7
9 Start a sandbox:
10 firejail [OPTIONS] [program and arguments]
12 File transfer from an existing sandbox
14 firejail {--ls | --get | --put} dir_or_filename
16 Network traffic shaping for an existing sandbox:
18 firejail --bandwidth={name|pid} bandwidth-command
20 Monitoring:
22 firejail {--list | --netstats | --top | --tree}
24 Miscellaneous:
26 firejail {-? | --debug-caps | --debug-errnos | --debug-syscalls
28 | --debug-protocols | --help | --version}
29
31 Firejail is a SUID sandbox program that reduces the risk of security
32 breaches by restricting the running environment of untrusted applica‐
33 tions using Linux namespaces, seccomp-bpf and Linux capabilities. It
34 allows a process and all its descendants to have their own private view
35 of the globally shared kernel resources, such as the network stack,
36 process table, mount table. Firejail can work in a SELinux or AppArmor
37 environment, and it is integrated with Linux Control Groups.
38 Written in C with virtually no dependencies, the software runs on any
40 Linux computer with a 3.x kernel version or newer. It can sandbox any
41 type of processes: servers, graphical applications, and even user login
42 sessions.
43 Firejail allows the user to manage application security using security
45 profiles. Each profile defines a set of permissions for a specific
46 application or group of applications. The software includes security
47 profiles for a number of more common Linux programs, such as Mozilla
48 Firefox, Chromium, VLC, Transmission etc.
49
52 Without any options, the sandbox consists of a filesystem build in a
53 new mount namespace, and new PID and UTS namespaces. IPC, network and
54 user namespaces can be added using the command line options. The
55 default Firejail filesystem is based on the host filesystem with the
56 main system directories mounted read-only. These directories are /etc,
57 /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home
58 and /tmp are writable.
59 As it starts up, Firejail tries to find a security profile based on the
61 name of the application. If an appropriate profile is not found, Fire‐
62 jail will use a default profile. The default profile is quite restric‐
63 tive. In case the application doesn't work, use --noprofile option to
64 disable it. For more information, please see SECURITY PROFILES section
65 below.
66 If a program argument is not specified, Firejail starts /bin/bash
68 shell. Examples:
69 $ firejail [OPTIONS] # starting a /bin/bash shell
71 $ firejail [OPTIONS] firefox # starting Mozilla Firefox
73 # sudo firejail [OPTIONS] /etc/init.d/nginx start
75
78 -- Signal the end of options and disables further option process‐
79 ing.
80 --allow-debuggers
82 Allow tools such as strace and gdb inside the sandbox by
83 whitelisting system calls ptrace and process_vm_readv. This
84 option is only available when running on Linux kernels 4.8 or
85 newer - a kernel bug in ptrace system call allows a full bypass
86 of the seccomp filter.
87 Example:
89 $ firejail --allow-debuggers --profile=/etc/firejail/fire‐
90 fox.profile strace -f firefox
91 --allusers
93 All directories under /home are visible inside the sandbox. By
94 default, only current user home directory is visible.
95 Example:
97 $ firejail --allusers
98 --apparmor
100 Enable AppArmor confinement. For more information, please see
101 APPARMOR section below.
102 --appimage
104 Sandbox an AppImage (https://appimage.org/) application. If the
105 sandbox is started as a regular user, default seccomp and capa‐
106 bilities filters are enabled.
107 Example:
109 $ firejail --appimage krita-3.0-x86_64.appimage
110 $ firejail --appimage --private krita-3.0-x86_64.appimage
111 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
112 --apparmor.print=name|pid
115 Print the AppArmor confinement status for the sandbox identified
116 by name or by PID.
117 Example:
119 $ firejail --apparmor.print=browser
120 5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
121 AppArmor: firejail-default enforce
122 --audit
125 Audit the sandbox, see AUDIT section for more details.
126 --audit=test-program
128 Audit the sandbox, see AUDIT section for more details.
129 --bandwidth=name|pid
131 Set bandwidth limits for the sandbox identified by name or PID,
132 see TRAFFIC SHAPING section for more details.
133 --bind=filename1,filename2
135 Mount-bind filename1 on top of filename2. This option is only
136 available when running as root.
137 Example:
139 # firejail --bind=/config/etc/passwd,/etc/passwd
140 --blacklist=dirname_or_filename
142 Blacklist directory or file. File globbing is supported, see
143 FILE GLOBBING section for more details.
144 Example:
146 $ firejail --blacklist=/sbin --blacklist=/usr/sbin
147 $ firejail --blacklist=~/.mozilla
148 $ firejail "--blacklist=/home/username/My Virtual Machines"
149 $ firejail --blacklist=/home/username/My\ Virtual\ Machines
150 --build
152 The command builds a whitelisted profile. The profile is printed
153 on the screen. If /usr/bin/strace is installed on the system, it
154 also builds a whitelisted seccomp profile. The program is run in
155 a very relaxed sandbox, with only --caps.drop=all and --nonew‐
156 privs. Programs that raise user privileges are not supported in
157 order to allow strace to run. Chromium and Chromium-based
158 browsers will not work.
159 Example:
161 $ firejail --build vlc ~/Videos/test.mp4
162 --build=profile-file
164 The command builds a whitelisted profile, and saves it in pro‐
165 file-file. If /usr/bin/strace is installed on the system, it
166 also builds a whitelisted seccomp profile. The program is run in
167 a very relaxed sandbox, with only --caps.drop=all and --nonew‐
168 privs. Programs that raise user privileges are not supported in
169 order to allow strace to run. Chromium and Chromium-based
170 browsers will not work.
171 Example:
173 $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
174 -c Execute command and exit.
176 --caps Linux capabilities is a kernel feature designed to split up the
178 root privilege into a set of distinct privileges. These privi‐
179 leges can be enabled or disabled independently, thus restricting
180 what a process running as root can do in the system.
181 By default root programs run with all capabilities enabled.
183 --caps option disables the following capabilities: CAP_SYS_MOD‐
184 ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
185 FIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. The filter is
186 applied to all processes started in the sandbox.
187 Example:
189 $ sudo firejail --caps /etc/init.d/nginx start
190 --caps.drop=all
193 Drop all capabilities for the processes running in the sandbox.
194 This option is recommended for running GUI programs or any other
195 program that doesn't require root privileges. It is a must-have
196 option for sandboxing untrusted programs installed from unoffi‐
197 cial sources - such as games, Java programs, etc.
198 Example:
200 $ firejail --caps.drop=all warzone2100
201 --caps.drop=capability,capability,capability
204 Define a custom blacklist Linux capabilities filter.
205 Example:
207 $ firejail --caps.drop=net_broadcast,net_admin,net_raw
208 --caps.keep=capability,capability,capability
211 Define a custom whitelist Linux capabilities filter.
212 Example:
214 $ sudo firejail --caps.keep=chown,net_bind_service,setgid,\
215 setuid /etc/init.d/nginx start
216 --caps.print=name|pid
219 Print the caps filter for the sandbox identified by name or by
220 PID.
221 Example:
223 $ firejail --name=mygame --caps.drop=all warzone2100 &
224 $ firejail --caps.print=mygame
225 Example:
227 $ firejail --list
228 3272:netblue::firejail --private firefox
229 $ firejail --caps.print=3272
230 --cgroup=tasks-file
233 Place the sandbox in the specified control group. tasks-file is
234 the full path of cgroup tasks file.
235 Example:
237 # firejail --cgroup=/sys/fs/cgroup/g1/tasks
238 --chroot=dirname
241 Chroot the sandbox into a root filesystem. Unlike the regular
242 filesystem container, the system directories are mounted read-
243 write. If the sandbox is started as a regular user, default sec‐
244 comp and capabilities filters are enabled.
245 Example:
247 $ firejail --chroot=/media/ubuntu warzone2100
248 --cpu=cpu-number,cpu-number,cpu-number
251 Set CPU affinity.
252 Example:
254 $ firejail --cpu=0,1 handbrake
255 --cpu.print=name|pid
258 Print the CPU cores in use by the sandbox identified by name or
259 by PID.
260 Example:
262 $ firejail --name=mygame --caps.drop=all warzone2100 &
263 $ firejail --cpu.print=mygame
264 Example:
266 $ firejail --list
267 3272:netblue::firejail --private firefox
268 $ firejail --cpu.print=3272
269 --debug
272 Print debug messages.
273 Example:
275 $ firejail --debug firefox
276 --debug-blacklists
279 Debug blacklisting.
280 Example:
282 $ firejail --debug-blacklists firefox
283 --debug-caps
286 Print all recognized capabilities in the current Firejail soft‐
287 ware build and exit.
288 Example:
290 $ firejail --debug-caps
291 --debug-errnos
294 Print all recognized error numbers in the current Firejail soft‐
295 ware build and exit.
296 Example:
298 $ firejail --debug-errnos
299 --debug-private-lib
301 Debug messages for --private-lib option.
302 --debug-protocols
304 Print all recognized protocols in the current Firejail software
305 build and exit.
306 Example:
308 $ firejail --debug-protocols
309 --debug-syscalls
311 Print all recognized system calls in the current Firejail soft‐
312 ware build and exit.
313 Example:
315 $ firejail --debug-syscalls
316 --debug-whitelists
318 Debug whitelisting.
319 Example:
321 $ firejail --debug-whitelists firefox
322 --defaultgw=address
325 Use this address as default gateway in the new network names‐
326 pace.
327 Example:
329 $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
330 --disable-mnt
333 Blacklist /mnt, /media, /run/mount and /run/media access.
334 Example:
336 $ firejail --disable-mnt firefox
337 --dns=address
340 Set a DNS server for the sandbox. Up to three DNS servers can be
341 defined. Use this option if you don't trust the DNS setup on
342 your network.
343 Example:
345 $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
346 Note: this feature is not supported on systemd-resolved setups.
348 --dns.print=name|pid
350 Print DNS configuration for a sandbox identified by name or by
351 PID.
352 Example:
354 $ firejail --name=mygame --caps.drop=all warzone2100 &
355 $ firejail --dns.print=mygame
356 Example:
358 $ firejail --list
359 3272:netblue::firejail --private firefox
360 $ firejail --dns.print=3272
361 --env=name=value
364 Set environment variable in the new sandbox.
365 Example:
367 $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
368 --fs.print=name|pid
371 Print the filesystem log for the sandbox identified by name or
372 by PID.
373 Example:
375 $ firejail --name=mygame --caps.drop=all warzone2100 &
376 $ firejail --fs.print=mygame
377 Example:
379 $ firejail --list
380 3272:netblue::firejail --private firefox
381 $ firejail --fs.print=3272
382 --get=name|pid filename
385 Get a file from sandbox container, see FILE TRANSFER section for
386 more details.
387 -?, --help
390 Print options end exit.
391 --hostname=name
395 Set sandbox hostname.
396 Example:
398 $ firejail --hostname=officepc firefox
399 --hosts-file=file
402 Use file as /etc/hosts.
403 Example:
405 $ firejail --hosts-file=~/myhosts firefox
406 --ignore=command
409 Ignore command in profile file.
410 Example:
412 $ firejail --ignore=shell --ignore=seccomp firefox
413 $ firejail --ignore="net eth0" firefox
414 --interface=interface
416 Move interface in a new network namespace. Up to four --inter‐
417 face options can be specified. Note: wlan devices are not sup‐
418 ported for this option.
419 Example:
421 $ firejail --interface=eth1 --interface=eth0.vlan100
422 --ip=address
425 Assign IP addresses to the last network interface defined by a
426 --net option. A default gateway is assigned by default.
427 Example:
429 $ firejail --net=eth0 --ip=10.10.20.56 firefox
430 --ip=none
433 No IP address and no default gateway are configured for the last
434 interface defined by a --net option. Use this option in case you
435 intend to start an external DHCP client in the sandbox.
436 Example:
438 $ firejail --net=eth0 --ip=none
439 If the corresponding interface doesn't have an IP address con‐
441 figured, this option is enabled by default.
442 --ip6=address
445 Assign IPv6 addresses to the last network interface defined by a
446 --net option.
447 Example:
449 $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
450 Note: you don't need this option if you obtain your ip6 address
452 from router via SLAAC (your ip6 address and default route will
453 be configured by kernel automatically).
454 --iprange=address,address
457 Assign an IP address in the provided range to the last network
458 interface defined by a --net option. A default gateway is
459 assigned by default.
460 Example:
462 $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
463 --ipc-namespace
466 Enable a new IPC namespace if the sandbox was started as a reg‐
467 ular user. IPC namespace is enabled by default for sandboxes
468 started as root.
469 Example:
471 $ firejail --ipc-namespace firefox
472 --join=name|pid
474 Join the sandbox identified by name or by PID. By default a
475 /bin/bash shell is started after joining the sandbox. If a pro‐
476 gram is specified, the program is run in the sandbox. If --join
477 command is issued as a regular user, all security filters are
478 configured for the new process the same they are configured in
479 the sandbox. If --join command is issued as root, the security
480 filters, cgroups and cpus configurations are not applied to the
481 process joining the sandbox.
482 Example:
484 $ firejail --name=mygame --caps.drop=all warzone2100 &
485 $ firejail --join=mygame
486 Example:
488 $ firejail --list
489 3272:netblue::firejail --private firefox
490 $ firejail --join=3272
491 --join-filesystem=name|pid
494 Join the mount namespace of the sandbox identified by name or
495 PID. By default a /bin/bash shell is started after joining the
496 sandbox. If a program is specified, the program is run in the
497 sandbox. This command is available only to root user. Security
498 filters, cgroups and cpus configurations are not applied to the
499 process joining the sandbox.
500 --join-network=name|pid
503 Join the network namespace of the sandbox identified by name. By
504 default a /bin/bash shell is started after joining the sandbox.
505 If a program is specified, the program is run in the sandbox.
506 This command is available only to root user. Security filters,
507 cgroups and cpus configurations are not applied to the process
508 joining the sandbox. Example:
509 # start firefox
511 $ firejail --net=eth0 --name=browser firefox &
512 # change netfilter configuration
514 $ sudo firejail --join-network=browser bash -c "cat /etc/fire‐
515 jail/nolocal.net | /sbin/iptables-restore"
516 # verify netfilter configuration
518 $ sudo firejail --join-network=browser /sbin/iptables -vL
519 # verify IP addresses
521 $ sudo firejail --join-network=browser ip addr
522 Switching to pid 1932, the first child process inside the sand‐
523 box
524 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
525 UNKNOWN group default
526 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
527 inet 127.0.0.1/8 scope host lo
528 valid_lft forever preferred_lft forever
529 inet6 ::1/128 scope host
530 valid_lft forever preferred_lft forever
531 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
532 noqueue state UNKNOWN group default
533 link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
534 inet 192.168.1.158/24 brd 192.168.1.255 scope global
535 eth0-1931
536 valid_lft forever preferred_lft forever
537 inet6 fe80::7458:14ff:fe42:78e4/64 scope link
538 valid_lft forever preferred_lft forever
539 --join-or-start=name
542 Join the sandbox identified by name or start a new one. Same as
543 "firejail --join=name" if sandbox with specified name exists,
544 otherwise same as "firejail --name=name ..."
545 Note that in contrary to other join options there is respective
546 profile option.
547 --keep-dev-shm
550 /dev/shm directory is untouched (even with --private-dev)
551 Example:
553 $ firejail --keep-dev-shm --private-dev
554 --keep-var-tmp
557 /var/tmp directory is untouched.
558 Example:
560 $ firejail --keep-var-tmp
561 --ls=name|pid dir_or_filename
564 List files in sandbox container, see FILE TRANSFER section for
565 more details.
566 --list List all sandboxes, see MONITORING section for more details.
569 Example:
571 $ firejail --list
572 7015:netblue:browser:firejail firefox
573 7056:netblue:torrent:firejail --net=eth0 transmission-gtk
574 7064:netblue::firejail --noroot xterm
575 $
576 --mac=address
578 Assign MAC addresses to the last network interface defined by a
579 --net option. This option is not supported for wireless inter‐
580 faces.
581 Example:
583 $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
584 --machine-id
587 Spoof id number in /etc/machine-id file - a new random id is
588 generated inside the sandbox.
589 Example:
591 $ firejail --machine-id
592 --memory-deny-write-execute
595 Install a seccomp filter to block attempts to create memory map‐
596 pings that are both writable and executable, to change mappings
597 to be executable, or to create executable shared memory. The
598 filter examines the arguments of mmap, mmap2, mprotect,
599 pkey_mprotect and shmat system calls and kills the process if
600 necessary.
601 Note: shmat is not implemented as a system call on some plat‐
603 forms including i386, and it cannot be handled by seccomp-bpf.
604 --mtu=number
607 Assign a MTU value to the last network interface defined by a
608 --net option.
609 Example:
611 $ firejail --net=eth0 --mtu=1492
612 --name=name
615 Set sandbox name. Several options, such as --join and --shut‐
616 down, can use this name to identify a sandbox.
617 Example:
619 $ firejail --name=mybrowser firefox
620 --net=bridge_interface
623 Enable a new network namespace and connect it to this bridge
624 interface. Unless specified with option --ip and --defaultgw,
625 an IP address and a default gateway will be assigned automati‐
626 cally to the sandbox. The IP address is verified using ARP
627 before assignment. The address configured as default gateway is
628 the bridge device IP address. Up to four --net options can be
629 specified.
630 Example:
632 $ sudo brctl addbr br0
633 $ sudo ifconfig br0 10.10.20.1/24
634 $ sudo brctl addbr br1
635 $ sudo ifconfig br1 10.10.30.1/24
636 $ firejail --net=br0 --net=br1
637 --net=ethernet_interface|wireless_interface
640 Enable a new network namespace and connect it to this ethernet
641 interface using the standard Linux macvlan|ipvaln driver. Unless
642 specified with option --ip and --defaultgw, an IP address and a
643 default gateway will be assigned automatically to the sandbox.
644 The IP address is verified using ARP before assignment. The
645 address configured as default gateway is the default gateway of
646 the host. Up to four --net options can be specified. Support
647 for ipvlan driver was introduced in Linux kernel 3.19.
648 Example:
650 $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
651 $ firejail --net=wlan0 firefox
652 --net=tap_interface
655 Enable a new network namespace and connect it to this ethernet
656 tap interface using the standard Linux macvlan driver. If the
657 tap interface is not configured, the sandbox will not try to
658 configure the interface inside the sandbox. Please use --ip,
659 --netmask and --defaultgw to specify the configuration.
660 Example:
662 $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
663 --defaultgw=10.10.20.1 firefox
664 --net=none
667 Enable a new, unconnected network namespace. The only interface
668 available in the new namespace is a new loopback interface (lo).
669 Use this option to deny network access to programs that don't
670 really need network access.
671 Example:
673 $ firejail --net=none vlc
674 Note: --net=none can crash the application on some platforms.
676 In these cases, it can be replaced with --protocol=unix.
677 --netfilter
680 Enable a default firewall if a new network namespace is created
681 inside the sandbox. This option has no effect for sandboxes
682 using the system network namespace.
683 The default firewall is optimized for regular desktop applica‐
685 tions. No incoming connections are accepted:
686 *filter
688 :INPUT DROP [0:0]
689 :FORWARD DROP [0:0]
690 :OUTPUT ACCEPT [0:0]
691 -A INPUT -i lo -j ACCEPT
692 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
693 # allow ping
694 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
695 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
696 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
697 # drop STUN (WebRTC) requests
698 -A OUTPUT -p udp --dport 3478 -j DROP
699 -A OUTPUT -p udp --dport 3479 -j DROP
700 -A OUTPUT -p tcp --dport 3478 -j DROP
701 -A OUTPUT -p tcp --dport 3479 -j DROP
702 COMMIT
703 Example:
705 $ firejail --net=eth0 --netfilter firefox
706 --netfilter=filename
708 Enable the firewall specified by filename if a new network
709 namespace is created inside the sandbox. This option has no
710 effect for sandboxes using the system network namespace.
711 Please use the regular iptables-save/iptables-restore format for
713 the filter file. The following examples are available in
714 /etc/firejail directory:
715 webserver.net is a webserver firewall that allows access only to
717 TCP ports 80 and 443. Example:
718 $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
720 /etc/init.d/apache2 start
721 nolocal.net is a desktop client firewall that disable access to
723 local network. Example:
724 $ firejail --netfilter=/etc/firejail/nolocal.net \
726 --net=eth0 firefox
727 --netfilter=filename,arg1,arg2,arg3 ...
733 This is the template version of the previous command. $ARG1,
734 $ARG2, $ARG3 ... in the firewall script are replaced with arg1,
735 arg2, arg3 ... passed on the command line. Up to 16 arguments
736 are supported. Example:
737 $ firejail --net=eth0 --ip=192.168.1.105 \
739 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
740 --netfilter.print=name|pid
745 Print the firewall installed in the sandbox specified by name or
746 PID. Example:
747 $ firejail --name=browser --net=eth0 --netfilter firefox &
749 $ firejail --netfilter.print=browser
750 --netfilter6=filename
753 Enable the IPv6 firewall specified by filename if a new network
754 namespace is created inside the sandbox. This option has no
755 effect for sandboxes using the system network namespace. Please
756 use the regular iptables-save/iptables-restore format for the
757 filter file.
758 --netfilter6.print=name|pid
761 Print the IPv6 firewall installed in the sandbox specified by
762 name or PID. Example:
763 $ firejail --name=browser --net=eth0 --netfilter firefox &
765 $ firejail --netfilter6.print=browser
766 --netmask=address
769 Use this option when you want to assign an IP address in a new
770 namespace and the parent interface specified by --net is not
771 configured. An IP address and a default gateway address also
772 have to be added. By default the new namespace interface comes
773 without IP address and default gateway configured. Example:
774 $ sudo /sbin/brctl addbr br0
776 $ sudo /sbin/ifconfig br0 up
777 $ firejail --ip=10.10.20.67 --netmask=255.255.255.0
778 --defaultgw=10.10.20.1
779 --netns=name
782 Run the program in a named, persistent network namespace. These
783 can be created and configured using "ip netns".
784 --netstats
787 Monitor network namespace statistics, see MONITORING section for
788 more details.
789 Example:
791 $ firejail --netstats
793 PID User RX(KB/s) TX(KB/s) Command
794 1294 netblue 53.355 1.473 firejail --net=eth0 firefox
795 7383 netblue 9.045 0.112 firejail --net=eth0 transmission
796 --nice=value
799 Set nice value for all processes running inside the sandbox.
800 Only root may specify a negative value.
801 Example:
803 $ firejail --nice=2 firefox
804 --no3d Disable 3D hardware acceleration.
807 Example:
809 $ firejail --no3d firefox
810 --noblacklist=dirname_or_filename
813 Disable blacklist for this directory or file.
814 Example:
816 $ firejail
817 $ nc dict.org 2628
818 bash: /bin/nc: Permission denied
819 $ exit
820 $ firejail --noblacklist=/bin/nc
822 $ nc dict.org 2628
823 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
824 --nodbus
826 Disable D-Bus access. Only the regular UNIX socket is handled by
827 this command. To disable the abstract socket you would need to
828 request a new network namespace using --net command. Another
829 option is to remove unix from --protocol set.
830 Example:
832 $ firejail --nodbus --net=none
833 --nodvd
835 Disable DVD and audio CD devices.
836 Example:
838 $ firejail --nodvd
839 --noexec=dirname_or_filename
841 Remount directory or file noexec, nodev and nosuid. File glob‐
842 bing is supported, see FILE GLOBBING section for more details.
843 Example:
845 $ firejail --noexec=/tmp
846 /etc and /var are noexec by default if the sandbox was started
848 as a regular user. If there are more than one mount operation on
849 the path of the file or directory, noexec should be applied to
850 the last one. Always check if the change took effect inside the
851 sandbox.
852 --nogroups
855 Disable supplementary groups. Without this option, supplementary
856 groups are enabled for the user starting the sandbox. For root
857 user supplementary groups are always disabled.
858 Note: By default all regular user groups are removed with the
860 exception of the current user. This can be changed using
861 --allusers command option.
862 Example:
864 $ id
865 uid=1000(netblue) gid=1000(netblue) groups=1000(net‐
866 blue),24(cdrom),25(floppy),27(sudo),29(audio)
867 $ firejail --nogroups
868 Parent pid 8704, child pid 8705
869 Child process initialized
870 $ id
871 uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
872 $
873 --noprofile
876 Do not use a security profile.
877 Example:
879 $ firejail
880 Reading profile /etc/firejail/default.profile
881 Parent pid 8553, child pid 8554
882 Child process initialized
883 [...]
884 $ firejail --noprofile
886 Parent pid 8553, child pid 8554
887 Child process initialized
888 [...]
889 --noroot
892 Install a user namespace with a single user - the current user.
893 root user does not exist in the new namespace. This option
894 requires a Linux kernel version 3.8 or newer. The option is not
895 supported for --chroot and --overlay configurations, or for
896 sandboxes started as root.
897 Example:
899 $ firejail --noroot
900 Parent pid 8553, child pid 8554
901 Child process initialized
902 $ ping google.com
903 ping: icmp open socket: Operation not permitted
904 $
905 --nonewprivs
908 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
909 cannot acquire new privileges using execve(2); in particular,
910 this means that calling a suid binary (or one with file capabil‐
911 ities) does not result in an increase of privilege. This option
912 is enabled by default if seccomp filter is activated.
913 --nosound
916 Disable sound system.
917 Example:
919 $ firejail --nosound firefox
920 --noautopulse
923 Disable automatic ~/.config/pulse init, for complex setups such
924 as remote pulse servers or non-standard socket paths.
925 Example:
927 $ firejail --noautopulse firefox
928 --notv Disable DVB (Digital Video Broadcasting) TV devices.
931 Example:
933 $ firejail --notv vlc
934 --nou2f
937 Disable U2F devices.
938 Example:
940 $ firejail --nou2f
941 --novideo
944 Disable video devices.
945 --nowhitelist=dirname_or_filename
948 Disable whitelist for this directory or file.
949 --output=logfile
952 stdout logging and log rotation. Copy stdout to logfile, and
953 keep the size of the file under 500KB using log rotation. Five
954 files with prefixes .1 to .5 are used in rotation.
955 Example:
957 $ firejail --output=sandboxlog /bin/bash
958 [...]
959 $ ls -l sandboxlog*
960 -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog
961 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1
962 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2
963 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3
964 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4
965 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5
966 --output-stderr=logfile
969 Similar to --output, but stderr is also stored.
970 --overlay
973 Mount a filesystem overlay on top of the current filesystem.
974 Unlike the regular filesystem container, the system directories
975 are mounted read-write. All filesystem modifications go into the
976 overlay. Directories /run, /tmp and /dev are not covered by the
977 overlay. The overlay is stored in $HOME/.firejail/<PID> direc‐
978 tory. If the sandbox is started as a regular user, default sec‐
979 comp and capabilities filters are enabled.
980 OverlayFS support is required in Linux kernel for this option to
982 work. OverlayFS was officially introduced in Linux kernel ver‐
983 sion 3.18. This option is not available on Grsecurity systems.
984 Example:
986 $ firejail --overlay firefox
987 --overlay-named=name
990 Mount a filesystem overlay on top of the current filesystem.
991 Unlike the regular filesystem container, the system directories
992 are mounted read-write. All filesystem modifications go into the
993 overlay. Directories /run, /tmp and /dev are not covered by the
994 overlay. The overlay is stored in $HOME/.firejail/<NAME> direc‐
995 tory. The created overlay can be reused between multiple ses‐
996 sions. If the sandbox is started as a regular user, default
997 seccomp and capabilities filters are enabled.
998 OverlayFS support is required in Linux kernel for this option to
1000 work. OverlayFS was officially introduced in Linux kernel ver‐
1001 sion 3.18. This option is not available on Grsecurity systems.
1002 Example:
1004 $ firejail --overlay-named=jail1 firefox
1005 --overlay-tmpfs
1008 Mount a filesystem overlay on top of the current filesystem. All
1009 filesystem modifications are discarded when the sandbox is
1010 closed. Directories /run, /tmp and /dev are not covered by the
1011 overlay. If the sandbox is started as a regular user, default
1012 seccomp and capabilities filters are enabled.
1013 OverlayFS support is required in Linux kernel for this option to
1015 work. OverlayFS was officially introduced in Linux kernel ver‐
1016 sion 3.18. This option is not available on Grsecurity systems.
1017 Example:
1019 $ firejail --overlay-tmpfs firefox
1020 --overlay-clean
1023 Clean all overlays stored in $HOME/.firejail directory.
1024 Example:
1026 $ firejail --overlay-clean
1027 --private
1030 Mount new /root and /home/user directories in temporary filesys‐
1031 tems. All modifications are discarded when the sandbox is
1032 closed.
1033 Example:
1035 $ firejail --private firefox
1036 --private=directory
1038 Use directory as user home.
1039 Example:
1041 $ firejail --private=/home/netblue/firefox-home firefox
1042 --private-home=file,directory
1045 Build a new user home in a temporary filesystem, and copy the
1046 files and directories in the list in the new home. All modifica‐
1047 tions are discarded when the sandbox is closed.
1048 Example:
1050 $ firejail --private-home=.mozilla firefox
1051 --private-cache
1054 Mount an empty temporary filesystem on top of the .cache direc‐
1055 tory in user home. All modifications are discarded when the
1056 sandbox is closed.
1057 Example:
1059 $ firejail --private-cache openbox
1060 --private-bin=file,file
1063 Build a new /bin in a temporary filesystem, and copy the pro‐
1064 grams in the list. If no listed file is found, /bin directory
1065 will be empty. The same directory is also bind-mounted over
1066 /sbin, /usr/bin, /usr/sbin and /usr/local/bin. All modifica‐
1067 tions are discarded when the sandbox is closed. File globbing is
1068 supported, see FILE GLOBBING section for more details.
1069 Example:
1071 $ firejail --private-bin=bash,sed,ls,cat
1072 Parent pid 20841, child pid 20842
1073 Child process initialized
1074 $ ls /bin
1075 bash cat ls sed
1076 --private-lib=file,directory
1079 This feature is currently under heavy development. Only amd64
1080 platforms are supported at this moment. The idea is to build a
1081 new /lib in a temporary filesystem, with only the library files
1082 necessary to run the application. It could be as simple as:
1083 $ firejail --private-lib galculator
1085 but it gets complicated really fast:
1087 $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1089 gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1090 The feature is integrated with --private-bin:
1092 $ firejail --private-lib --private-bin=bash,ls,ps
1094 $ ls /lib
1095 ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
1096 temd.so.0
1097 libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1098 libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1099 libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1100 $ ps
1101 PID TTY TIME CMD
1102 1 pts/0 00:00:00 firejail
1103 45 pts/0 00:00:00 bash
1104 48 pts/0 00:00:00 ps
1105 $
1106 --private-dev
1110 Create a new /dev directory. Only disc, dri, null, full, zero,
1111 tty, pts, ptmx, random, snd, urandom, video, log and shm devices
1112 are available.
1113 Example:
1115 $ firejail --private-dev
1116 Parent pid 9887, child pid 9888
1117 Child process initialized
1118 $ ls /dev
1119 cdrom cdrw dri dvd dvdrw full log null ptmx pts random
1120 shm snd sr0 tty urandom zero
1121 $
1122 --private-etc=file,directory
1124 Build a new /etc in a temporary filesystem, and copy the files
1125 and directories in the list. If no listed file is found, /etc
1126 directory will be empty. All modifications are discarded when
1127 the sandbox is closed.
1128 Example:
1130 $ firejail --private-etc=group,hostname,localtime, \
1131 nsswitch.conf,passwd,resolv.conf
1132 --private-opt=file,directory
1135 Build a new /opt in a temporary filesystem, and copy the files
1136 and directories in the list. If no listed file is found, /opt
1137 directory will be empty. All modifications are discarded when
1138 the sandbox is closed.
1139 Example:
1141 $ firejail --private-opt=firefox /opt/firefox/firefox
1142 --private-srv=file,directory
1145 Build a new /srv in a temporary filesystem, and copy the files
1146 and directories in the list. If no listed file is found, /srv
1147 directory will be empty. All modifications are discarded when
1148 the sandbox is closed.
1149 Example:
1151 # firejail --private-srv=www /etc/init.d/apache2 start
1152 --private-tmp
1155 Mount an empty temporary filesystem on top of /tmp directory
1156 whitelisting X11 and PulseAudio sockets.
1157 Example:
1159 $ firejail --private-tmp
1160 $ ls -al /tmp
1161 drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
1162 drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1163 drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKd‐
1164 htXMmr18n
1165 drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1166 --profile=filename_or_profilename
1170 Load a custom security profile from filename. For filename use
1171 an absolute path or a path relative to the current path. For
1172 more information, see SECURITY PROFILES section below.
1173 Example:
1175 $ firejail --profile=myprofile
1176 --profile.print=name|pid
1179 Print the name of the profile file for the sandbox identified by
1180 name or or PID.
1181 Example:
1183 $ firejail --profile.print=browser
1184 /etc/firejail/firefox.profile
1185 --protocol=protocol,protocol,protocol
1187 Enable protocol filter. The filter is based on seccomp and
1188 checks the first argument to socket system call. Recognized
1189 values: unix, inet, inet6, netlink and packet. This option is
1190 not supported for i386 architecture.
1191 Example:
1193 $ firejail --protocol=unix,inet,inet6 firefox
1194 --protocol.print=name|pid
1196 Print the protocol filter for the sandbox identified by name or
1197 PID.
1198 Example:
1200 $ firejail --name=mybrowser firefox &
1201 $ firejail --protocol.print=mybrowser
1202 unix,inet,inet6,netlink
1203 Example:
1205 $ firejail --list
1206 3272:netblue::firejail --private firefox
1207 $ firejail --protocol.print=3272
1208 unix,inet,inet6,netlink
1209 --put=name|pid src-filename dest-filename
1211 Put a file in sandbox container, see FILE TRANSFER section for
1212 more details.
1213 --quiet
1215 Turn off Firejail's output.
1216 --read-only=dirname_or_filename
1218 Set directory or file read-only. File globbing is supported, see
1219 FILE GLOBBING section for more details.
1220 Example:
1222 $ firejail --read-only=~/.mozilla firefox
1223 A short note about mixing --whitelist and --read-only options.
1225 Whitelisted directories should be made read-only independently.
1226 Making a parent directory read-only, will not make the whitelist
1227 read-only. Example:
1228 $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
1230 --read-write=dirname_or_filename
1233 Set directory or file read-write. Only files or directories
1234 belonging to the current user are allowed for this operation.
1235 File globbing is supported, see FILE GLOBBING section for more
1236 details. Example:
1237 $ mkdir ~/test
1239 $ touch ~/test/a
1240 $ firejail --read-only=~/test --read-write=~/test/a
1241 --rlimit-as=number
1245 Set the maximum size of the process's virtual memory (address
1246 space) in bytes.
1247 --rlimit-cpu=number
1250 Set the maximum limit, in seconds, for the amount of CPU time
1251 each sandboxed process can consume. When the limit is reached,
1252 the processes are killed.
1253 The CPU limit is a limit on CPU seconds rather than elapsed
1255 time. CPU seconds is basically how many seconds the CPU has been
1256 in use and does not necessarily directly relate to the elapsed
1257 time. Linux kernel keeps track of CPU seconds for each process
1258 independently.
1259 --rlimit-fsize=number
1262 Set the maximum file size that can be created by a process.
1263 --rlimit-nofile=number
1265 Set the maximum number of files that can be opened by a process.
1266 --rlimit-nproc=number
1268 Set the maximum number of processes that can be created for the
1269 real user ID of the calling process.
1270 --rlimit-sigpending=number
1272 Set the maximum number of pending signals for a process.
1273 --rmenv=name
1276 Remove environment variable in the new sandbox.
1277 Example:
1279 $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1280 --scan ARP-scan all the networks from inside a network namespace. This
1283 makes it possible to detect macvlan kernel device drivers run‐
1284 ning on the current host.
1285 Example:
1287 $ firejail --net=eth0 --scan
1288 --seccomp
1290 Enable seccomp filter and blacklist the syscalls in the default
1291 list (@default). The default list is as follows: _sysctl, acct,
1292 add_key, adjtimex, afs_syscall, bdflush, bpf, break, chroot,
1293 clock_adjtime, clock_settime, create_module, delete_module, fan‐
1294 otify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty,
1295 init_module, io_cancel, io_destroy, io_getevents, io_setup,
1296 io_submit, ioperm, iopl, ioprio_set, kcmp, kexec_file_load,
1297 kexec_load, keyctl, lock, lookup_dcookie, mbind, migrate_pages,
1298 modify_ldt, mount, move_pages, mpx, name_to_handle_at,
1299 nfsservctl, ni_syscall, open_by_handle_at, pciconfig_iobase,
1300 pciconfig_read, pciconfig_write, perf_event_open, personality,
1301 pivot_root, process_vm_readv, process_vm_writev, prof, profil,
1302 ptrace, putpmsg, query_module, reboot, remap_file_pages,
1303 request_key, rtas, s390_mmio_read, s390_mmio_write, s390_run‐
1304 time_instr, security, set_mempolicy, setdomainname, sethostname,
1305 settimeofday, sgetmask, ssetmask, stime, stty, subpage_prot,
1306 swapoff, swapon, switch_endian, sys_debug_setcontext, sysfs,
1307 syslog, tuxcall, ulimit, umount, umount2, uselib, userfaultfd,
1308 ustat, vhangup, vm86, vm86old, vmsplice and vserver.
1309 To help creating useful seccomp filters more easily, the follow‐
1311 ing system call groups are defined: @clock, @cpu-emulation,
1312 @debug, @default, @default-nodebuggers, @default-keep, @module,
1313 @obsolete, @privileged, @raw-io, @reboot, @resources and @swap.
1314 In addtion, a system call can be specified by its number instead
1315 of name with prefix $, so for example $165 would be equal to
1316 mount on i386.
1317 System architecture is strictly imposed only if flag --sec‐
1319 comp.block-secondary is used. The filter is applied at run time
1320 only if the correct architecture was detected. For the case of
1321 I386 and AMD64 both 32-bit and 64-bit filters are installed.
1322 Firejail will print seccomp violations to the audit log if the
1324 kernel was compiled with audit support (CONFIG_AUDIT flag).
1325 Example:
1327 $ firejail --seccomp
1328 --seccomp=syscall,@group
1330 Enable seccomp filter, blacklist the default list (@default) and
1331 the syscalls or syscall groups specified by the command.
1332 Example:
1334 $ firejail --seccomp=utime,utimensat,utimes firefox
1335 $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1336 Instead of dropping the syscall, a specific error number can be
1338 returned using syscall:errorno syntax.
1339 Example: $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1341 Parent pid 10662, child pid 10663
1342 Child process initialized
1343 $ touch testfile
1344 $ rm testfile
1345 rm: cannot remove `testfile': Operation not permitted
1346 If the blocked system calls would also block Firejail from oper‐
1348 ating, they are handled by adding a preloaded library which per‐
1349 forms seccomp system calls later.
1350 Example:
1352 $ firejail --noprofile --shell=none --seccomp=execve bash
1353 Parent pid 32751, child pid 32752
1354 Post-exec seccomp protector enabled
1355 list in: execve, check list: @default-keep prelist: (null),
1356 postlist: execve
1357 Child process initialized in 46.44 ms
1358 $ ls
1359 Bad system call
1360 --seccomp.block-secondary
1363 Enable seccomp filter and filter system call architectures so
1364 that only the native architecture is allowed. For example, on
1365 amd64, i386 and x32 system calls are blocked as well as changing
1366 the execution domain with personality(2) system call.
1367 --seccomp.drop=syscall,@group
1370 Enable seccomp filter, and blacklist the syscalls or the syscall
1371 groups specified by the command.
1372 Example:
1374 $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1375 Instead of dropping the syscall, a specific error number can be
1377 returned using syscall:errorno syntax.
1378 Example:
1380 $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1381 Parent pid 10662, child pid 10663
1382 Child process initialized
1383 $ touch testfile
1384 $ rm testfile
1385 rm: cannot remove `testfile': Operation not permitted
1386 --seccomp.keep=syscall,syscall,syscall
1393 Enable seccomp filter, and whitelist the syscalls specified by
1394 the command. The system calls needed by Firejail (group
1395 @default-keep: prctl, execve) are handled with the preload
1396 library.
1397 Example:
1399 $ firejail --shell=none --seccomp.keep=poll,select,[...] trans‐
1400 mission-gtk
1401 --seccomp.print=name|pid
1404 Print the seccomp filter for the sandbox identified by name or
1405 PID.
1406 Example:
1408 $ firejail --name=browser firefox &
1409 $ firejail --seccomp.print=browser
1410 line OP JT JF K
1411 =================================
1412 0000: 20 00 00 00000004 ld data.architecture
1413 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
1414 0002: 06 00 00 7fff0000 ret ALLOW
1415 0003: 20 00 00 00000000 ld data.syscall-number
1416 0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
1417 0005: 35 01 00 00000000 jge read 0007 (false 0006)
1418 0006: 06 00 00 00050001 ret ERRNO(1)
1419 0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
1420 0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
1421 0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
1422 000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false
1423 000b)
1424 000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
1425 000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
1426 000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
1427 000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
1428 000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
1429 0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
1430 0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
1431 0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
1432 0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
1433 0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
1434 0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
1435 0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
1436 0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
1437 0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
1438 0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
1439 001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
1440 001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
1441 001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
1442 001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
1443 001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
1444 001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
1445 0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
1446 0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
1447 0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
1448 0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
1449 0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
1450 0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
1451 0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
1452 0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
1453 0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
1454 0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
1455 002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
1456 002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
1457 002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
1458 002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
1459 002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
1460 002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
1461 0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
1462 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
1463 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
1464 0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
1465 0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false
1466 0035)
1467 0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false
1468 0036)
1469 0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
1470 0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
1471 0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
1472 0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
1473 003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
1474 003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
1475 003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
1476 003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
1477 003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
1478 003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
1479 0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
1480 0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
1481 0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false
1482 0043)
1483 0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
1484 0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
1485 0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
1486 0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
1487 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false
1488 0048)
1489 0048: 06 00 00 7fff0000 ret ALLOW
1490 0049: 06 00 01 00000000 ret KILL
1491 $
1492 --shell=none
1494 Run the program directly, without a user shell.
1495 Example:
1497 $ firejail --shell=none script.sh
1498 --shell=program
1500 Set default user shell. Use this shell to run the application
1501 using -c shell option. For example "firejail --shell=/bin/dash
1502 firefox" will start Mozilla Firefox as "/bin/dash -c firefox".
1503 By default Bash shell (/bin/bash) is used.
1504 Example: $firejail --shell=/bin/dash script.sh
1506 --shutdown=name|pid
1508 Shutdown the sandbox identified by name or PID.
1509 Example:
1511 $ firejail --name=mygame --caps.drop=all warzone2100 &
1512 $ firejail --shutdown=mygame
1513 Example:
1515 $ firejail --list
1516 3272:netblue::firejail --private firefox
1517 $ firejail --shutdown=3272
1518 --timeout=hh:mm:ss
1520 Kill the sandbox automatically after the time has elapsed. The
1521 time is specified in hours/minutes/seconds format.
1522 $ firejail --timeout=01:30:00 firefox
1524 --tmpfs=dirname
1526 Mount a tmpfs filesystem on directory dirname. This option is
1527 available only when running the sandbox as root. File globbing
1528 is supported, see FILE GLOBBING section for more details.
1529 Example:
1531 # firejail --tmpfs=/var
1532 --top Monitor the most CPU-intensive sandboxes, see MONITORING section
1534 for more details.
1535 Example:
1537 $ firejail --top
1538 --trace
1540 Trace open, access and connect system calls.
1541 Example:
1543 $ firejail --trace wget -q www.debian.org
1544 Reading profile /etc/firejail/wget.profile
1545 3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
1546 3:wget:fopen /etc/hosts:0x5c8e8cfb70
1547 3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
1548 3:wget:connect 3 8.8.8.8 port 53:0
1549 3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
1550 3:wget:connect 3 130.89.148.14 port 80:0
1551 3:wget:fopen64 index.html:0x5c8e8d1a60
1552 parent is shutting down, bye...
1554 --tracelog
1556 This option enables auditing blacklisted files and directories.
1557 A message is sent to syslog in case the file or the directory is
1558 accessed.
1559 Example:
1561 $ firejail --tracelog firefox
1562 Sample messages:
1564 $ sudo tail -f /var/log/syslog
1565 [...]
1566 Dec 3 11:43:25 debian firejail[70]: blacklist violation - sand‐
1567 box 26370, exe firefox, syscall open64, path /etc/shadow
1568 Dec 3 11:46:17 debian firejail[70]: blacklist violation - sand‐
1569 box 26370, exe firefox, syscall opendir, path /boot
1570 [...]
1571 --tree Print a tree of all sandboxed processes, see MONITORING section
1573 for more details.
1574 Example:
1576 $ firejail --tree
1577 11903:netblue:firejail iceweasel
1578 11904:netblue:iceweasel
1579 11957:netblue:/usr/lib/iceweasel/plugin-container
1580 11969:netblue:firejail --net=eth0 transmission-gtk
1581 11970:netblue:transmission-gtk
1582 --tunnel[=devname]
1585 Connect the sandbox to a network overlay/VPN tunnel created by
1586 firetunnel utility. This options tries first the client side of
1587 the tunnel. If this fails, it tries the server side. If multiple
1588 tunnels are active, please specify the tunnel device using
1589 --tunnel=devname.
1590 The available tunnel devices are listed in /etc/firetunnel
1592 directory, one file for each device. The files are regular
1593 firejail profile files containing the network configuration, and
1594 are created and managed by firetunnel utility. By default ftc
1595 is the client-side device and fts is the server-side device. For
1596 more information please see man 1 firetunnel.
1597 Example:
1599 $ firejail --tunnel firefox
1600 --version
1602 Print program version and exit.
1603 Example:
1605 $ firejail --version
1606 firejail version 0.9.27
1607 --veth-name=name
1610 Use this name for the interface connected to the bridge for
1611 --net=bridge_interface commands, instead of the default one.
1612 Example:
1614 $ firejail --net=br0 --veth-name=if0
1615 --whitelist=dirname_or_filename
1618 Whitelist directory or file. A temporary file system is mounted
1619 on the top directory, and the whitelisted files are mount-binded
1620 inside. Modifications to whitelisted files are persistent,
1621 everything else is discarded when the sandbox is closed. The top
1622 directory could be user home, /dev, /etc, /media, /mnt, /opt,
1623 /srv, /sys/module, /usr/share, /var, and /tmp.
1624 Symbolic link handling: with the exception of user home, both
1626 the link and the real file should be in the same top directory.
1627 For user home, both the link and the real file should be owned
1628 by the user.
1629 Example:
1631 $ firejail --noprofile --whitelist=~/.mozilla
1632 $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
1633 $ firejail "--whitelist=/home/username/My Virtual Machines"
1634 --writable-etc
1637 Mount /etc directory read-write.
1638 Example:
1640 $ sudo firejail --writable-etc
1641 --writable-run-user
1644 Disable the default blacklisting of /run/user/$UID/systemd and
1645 /run/user/$UID/gnupg.
1646 Example:
1648 $ sudo firejail --writable-run-user
1649 --writable-var
1652 Mount /var directory read-write.
1653 Example:
1655 $ sudo firejail --writable-var
1656 --writable-var-log
1659 Use the real /var/log directory, not a clone. By default, a
1660 tmpfs is mounted on top of /var/log directory, and a skeleton
1661 filesystem is created based on the original /var/log.
1662 Example:
1664 $ sudo firejail --writable-var-log
1665 --x11 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg secu‐
1669 rity extension. The sandbox will prevents screenshot and key‐
1670 logger applications started inside the sandbox from accessing
1671 clients running outside the sandbox. Firejail will try first
1672 Xpra, and if Xpra is not installed on the system, it will try to
1673 find Xephyr. If all fails, Firejail will not attempt to use
1674 Xvfb or X11 security extension.
1675 Xpra, Xephyr and Xvfb modes require a network namespace to be
1677 instantiated in order to disable X11 abstract Unix socket. If
1678 this is not possible, the user can disable the abstract socket
1679 by adding "-nolisten local" on Xorg command line at system
1680 level.
1681 Example:
1683 $ firejail --x11 --net=eth0 firefox
1684 --x11=none
1687 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the
1688 file specified in ${XAUTHORITY} environment variable. Remove
1689 DISPLAY and XAUTHORITY environment variables. Stop with error
1690 message if X11 abstract socket will be accessible in jail.
1691 --x11=xephyr
1694 Start Xephyr and attach the sandbox to this server. Xephyr is a
1695 display server implementing the X11 display server protocol. A
1696 network namespace needs to be instantiated in order to deny
1697 access to X11 abstract Unix domain socket.
1698 Xephyr runs in a window just like any other X11 application. The
1700 default window size is 800x600. This can be modified in
1701 /etc/firejail/firejail.config file.
1702 The recommended way to use this feature is to run a window man‐
1704 ager inside the sandbox. A security profile for OpenBox is pro‐
1705 vided.
1706 Xephyr is developed by Xorg project. On Debian platforms it is
1708 installed with the command sudo apt-get install xserver-xephyr.
1709 This feature is not available when running as root.
1710 Example:
1712 $ firejail --x11=xephyr --net=eth0 openbox
1713 --x11=xorg
1716 Sandbox the application using the untrusted mode implemented by
1717 X11 security extension. The extension is available in Xorg
1718 package and it is installed by default on most Linux distribu‐
1719 tions. It provides support for a simple trusted/untrusted con‐
1720 nection model. Untrusted clients are restricted in certain ways
1721 to prevent them from reading window contents of other clients,
1722 stealing input events, etc.
1723 The untrusted mode has several limitations. A lot of regular
1725 programs assume they are a trusted X11 clients and will crash
1726 or lock up when run in untrusted mode. Chromium browser and
1727 xterm are two examples. Firefox and transmission-gtk seem to be
1728 working fine. A network namespace is not required for this
1729 option.
1730 Example:
1732 $ firejail --x11=xorg firefox
1733 --x11=xpra
1736 Start Xpra (https://xpra.org) and attach the sandbox to this
1737 server. Xpra is a persistent remote display server and client
1738 for forwarding X11 applications and desktop screens. A network
1739 namespace needs to be instantiated in order to deny access to
1740 X11 abstract Unix domain socket.
1741 On Debian platforms Xpra is installed with the command sudo apt-
1743 get install xpra. This feature is not available when running as
1744 root.
1745 Example:
1747 $ firejail --x11=xpra --net=eth0 firefox
1748 --x11=xvfb
1752 Start Xvfb X11 server and attach the sandbox to this server.
1753 Xvfb, short for X virtual framebuffer, performs all graphical
1754 operations in memory without showing any screen output. Xvfb is
1755 mainly used for remote access and software testing on headless
1756 servers.
1757 On Debian platforms Xvfb is installed with the command sudo apt-
1759 get install xvfb. This feature is not available when running as
1760 root.
1761 Example: remote VNC access
1763 On the server we start a sandbox using Xvfb and openbox window
1765 manager. The default size of Xvfb screen is 800x600 - it can be
1766 changed in /etc/firejail/firejail.config (xvfb-screen). Some
1767 sort of networking (--net) is required in order to isolate the
1768 abstract sockets used by other X servers.
1769 $ firejail --net=none --x11=xvfb openbox
1771 *** Attaching to Xvfb display 792 ***
1773 Reading profile /etc/firejail/openbox.profile
1775 Reading profile /etc/firejail/disable-common.inc
1776 Reading profile /etc/firejail/disable-common.local
1777 Parent pid 5400, child pid 5401
1778 On the server we also start a VNC server and attach it to the
1780 display handled by our Xvfb server (792).
1781 $ x11vnc -display :792
1783 On the client machine we start a VNC viewer and use it to con‐
1785 nect to our server:
1786 $ vncviewer
1788 --xephyr-screen=WIDTHxHEIGHT
1791 Set screen size for --x11=xephyr. The setting will overwrite the
1792 default set in /etc/firejail/firejail.config for the current
1793 sandbox. Run xrandr to get a list of supported resolutions on
1794 your computer.
1795 Example:
1797 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
1798 fox
1799
1802 A symbolic link to /usr/bin/firejail under the name of a program, will
1803 start the program in Firejail sandbox. The symbolic link should be
1804 placed in the first $PATH position. On most systems, a good place is
1805 /usr/local/bin directory. Example:
1806 Make a firefox symlink to /usr/bin/firejail:
1808 $ ln -s /usr/bin/firejail /usr/local/bin/firefox
1810 Verify $PATH
1812 $ which -a firefox
1814 /usr/local/bin/firefox
1815 /usr/bin/firefox
1816 Starting firefox in this moment, automatically invokes “firejail
1818 firefox”.
1819 This works for clicking on desktop environment icons, menus etc. Use
1821 "firejail --tree" to verify the program is sandboxed.
1822 $ firejail --tree
1824 1189:netblue:firejail firefox
1825 1190:netblue:firejail firefox
1826 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
1827 1221:netblue:/usr/lib/firefox/firefox
1828 We provide a tool that automates all this integration, please see man 1
1830 firecfg for more details.
1831
1834 Globbing is the operation that expands a wildcard pattern into the list
1835 of pathnames matching the pattern. Matching is defined by:
1836 - '?' matches any character
1838 - '*' matches any string
1839 - '[' denotes a range of characters
1840 The gobing feature is implemented using glibc glob command. For more
1842 information on the wildcard syntax see man 7 glob.
1843 The following command line options are supported: --blacklist, --pri‐
1846 vate-bin, --noexec, --read-only, --read-write, and --tmpfs.
1847 Examples:
1850 $ firejail --private-bin=sh,bash,python*
1852 $ firejail --blacklist=~/dir[1234]
1853 $ firejail --read-only=~/dir[1-4]
1854
1857 AppArmor support is disabled by default at compile time. Use --enable-
1858 apparmor configuration option to enable it:
1859 $ ./configure --prefix=/usr --enable-apparmor
1861 During software install, a generic AppArmor profile file, firejail-
1863 default, is placed in /etc/apparmor.d directory. The local customiza‐
1864 tions can be placed in /etc/apparmor.d/local/firejail-local. The pro‐
1865 file needs to be loaded into the kernel by reloading apparmor.service,
1866 rebooting the system or running the following command as root:
1867 # apparmor_parser -r /etc/apparmor.d/firejail-default
1869 The installed profile is supplemental for main firejail functions and
1871 among other things does the following:
1872 - Disable ptrace. With ptrace it is possible to inspect and
1874 hijack running programs. Usually this is needed only for debug‐
1875 ging. You should have no problems running Chromium or Firefox.
1876 This feature is available only on Ubuntu kernels.
1877 - Whitelist write access to several files under /run, /proc and
1879 /sys.
1880 - Allow running programs only from well-known system paths, such
1882 as /bin, /sbin, /usr/bin etc. Those paths are available as read-
1883 only. Running programs and scripts from user home or other
1884 directories writable by the user is not allowed.
1885 - Prevent using non-standard network sockets. Only unix, inet,
1887 inet6, netlink, raw and packet are allowed.
1888 - Deny access to known sensitive paths like .snapshots.
1890 To enable AppArmor confinement on top of your current Firejail security
1893 features, pass --apparmor flag to Firejail command line. You can also
1894 include apparmor command in a Firejail profile file. Example:
1895 $ firejail --apparmor firefox
1897
1900 These features allow the user to inspect the filesystem container of an
1901 existing sandbox and transfer files from the container to the host
1902 filesystem.
1903 --get=name|pid filename
1906 Retrieve the container file and store it on the host in the cur‐
1907 rent working directory. The container is specified by name or
1908 PID.
1909 --ls=name|pid dir_or_filename
1912 List container files. The container is specified by name or PID.
1913 --put=name|pid src-filename dest-filename
1916 Put src-filename in sandbox container. The container is speci‐
1917 fied by name or PID.
1918 Examples:
1921 $ firejail --name=mybrowser --private firefox
1923 $ firejail --ls=mybrowser ~/Downloads
1925 drwxr-xr-x netblue netblue 4096 .
1926 drwxr-xr-x netblue netblue 4096 ..
1927 -rw-r--r-- netblue netblue 7847 x11-x305.png
1928 -rw-r--r-- netblue netblue 6800 x11-x642.png
1929 -rw-r--r-- netblue netblue 34139 xpra-clipboard.png
1930 $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
1932 $ firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-
1934 clipboard.png
1935
1938 Network bandwidth is an expensive resource shared among all sandboxes
1939 running on a system. Traffic shaping allows the user to increase net‐
1940 work performance by controlling the amount of data that flows into and
1941 out of the sandboxes.
1942 Firejail implements a simple rate-limiting shaper based on Linux com‐
1944 mand tc. The shaper works at sandbox level, and can be used only for
1945 sandboxes configured with new network namespaces.
1946 Set rate-limits:
1948 $ firejail --bandwidth=name|pid set network download upload
1950 Clear rate-limits:
1952 $ firejail --bandwidth=name|pid clear network
1954 Status:
1956 $ firejail --bandwidth=name|pid status
1958 where:
1960 name - sandbox name
1961 pid - sandbox pid
1962 network - network interface as used by --net option
1963 download - download speed in KB/s (kilobyte per second)
1964 upload - upload speed in KB/s (kilobyte per second)
1965 Example:
1967 $ firejail --name=mybrowser --net=eth0 firefox &
1968 $ firejail --bandwidth=mybrowser set eth0 80 20
1969 $ firejail --bandwidth=mybrowser status
1970 $ firejail --bandwidth=mybrowser clear eth0
1971
1974 Audit feature allows the user to point out gaps in security profiles.
1975 The implementation replaces the program to be sandboxed with a test
1976 program. By default, we use faudit program distributed with Firejail. A
1977 custom test program can also be supplied by the user. Examples:
1978 Running the default audit program:
1980 $ firejail --audit transmission-gtk
1981 Running a custom audit program:
1983 $ firejail --audit=~/sandbox-test transmission-gtk
1984 In the examples above, the sandbox configures transmission-gtk profile
1986 and starts the test program. The real program, transmission-gtk, will
1987 not be started.
1988 Limitations: audit feature is not implemented for --x11 commands.
1990
1993 Option --list prints a list of all sandboxes. The format for each
1994 process entry is as follows:
1995 PID:USER:Sandbox Name:Command
1997 Option --tree prints the tree of processes running in the sandbox. The
1999 format for each process entry is as follows:
2000 PID:USER:Sandbox Name:Command
2002 Option --top is similar to the UNIX top command, however it applies
2004 only to sandboxes.
2005 Option --netstats prints network statistics for active sandboxes
2007 installing new network namespaces.
2008 Listed below are the available fields (columns) in alphabetical order
2011 for --top and --netstat options:
2012 Command
2015 Command used to start the sandbox.
2016 CPU% CPU usage, the sandbox share of the elapsed CPU time since the
2018 last screen update
2019 PID Unique process ID for the task controlling the sandbox.
2021 Prcs Number of processes running in sandbox, including the control‐
2023 ling process.
2024 RES Resident Memory Size (KiB), sandbox non-swapped physical memory.
2026 It is a sum of the RES values for all processes running in the
2027 sandbox.
2028 RX(KB/s)
2030 Network receive speed.
2031 Sandbox Name
2033 The name of the sandbox, if any.
2034 SHR Shared Memory Size (KiB), it reflects memory shared with other
2036 processes. It is a sum of the SHR values for all processes run‐
2037 ning in the sandbox, including the controlling process.
2038 TX(KB/s)
2040 Network transmit speed.
2041 Uptime Sandbox running time in hours:minutes:seconds format.
2043 USER The owner of the sandbox.
2045
2048 Several command line options can be passed to the program using profile
2049 files. Firejail chooses the profile file as follows:
2050 1. If a profile file is provided by the user with --profile option, the
2052 profile file is loaded. If a profile name is given, it is searched for
2053 first in the ~/.config/firejail directory and if not found then in
2054 /etc/firejail directory. Profile names do not include the .profile suf‐
2055 fix. Example:
2056 $ firejail --profile=/home/netblue/icecat.profile icecat
2058 Reading profile /home/netblue/icecat.profile
2059 [...]
2060 $ firejail --profile=icecat icecat-wrapper.sh
2063 Reading profile /etc/firejail/icecat.profile
2064 [...]
2065 2. If a profile file with the same name as the application is present
2067 in ~/.config/firejail directory or in /etc/firejail, the profile is
2068 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
2069 ple:
2070 $ firejail icecat
2072 Command name #icecat#
2073 Found icecat profile in /home/netblue/.config/firejail directory
2074 Reading profile /home/netblue/.config/firejail/icecat.profile
2075 [...]
2076 3. Use default.profile file if the sandbox is started by a regular
2078 user, or server.profile file if the sandbox is started by root. Fire‐
2079 jail looks for these files in ~/.config/firejail directory, followed by
2080 /etc/firejail directory. To disable default profile loading, use
2081 --noprofile command option. Example:
2082 $ firejail
2084 Reading profile /etc/firejail/default.profile
2085 Parent pid 8553, child pid 8554
2086 Child process initialized
2087 [...]
2088 $ firejail --noprofile
2090 Parent pid 8553, child pid 8554
2091 Child process initialized
2092 [...]
2093 See man 5 firejail-profile for profile file syntax information.
2095
2098 To configure a restricted shell, replace /bin/bash with /usr/bin/fire‐
2099 jail in /etc/passwd file for each user that needs to be restricted.
2100 Alternatively, you can specify /usr/bin/firejail in adduser command:
2101 adduser --shell /usr/bin/firejail username
2103 Additional arguments passed to firejail executable upon login are
2105 declared in /etc/firejail/login.users file.
2106
2109 firejail
2110 Sandbox a regular /bin/bash session.
2111 firejail firefox
2113 Start Mozilla Firefox.
2114 firejail --debug firefox
2116 Debug Firefox sandbox.
2117 firejail --private firefox
2119 Start Firefox with a new, empty home directory.
2120 firejail --net=none vlc
2122 Start VLC in an unconnected network namespace.
2123 firejail --net=eth0 firefox
2125 Start Firefox in a new network namespace. An IP address is
2126 assigned automatically.
2127 firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2129 Start a /bin/bash session in a new network namespace and connect
2130 it to br0, br1, and br2 host bridge devices. IP addresses are
2131 assigned automatically for the interfaces connected to br1 and
2132 b2
2133 firejail --list
2135 List all sandboxed processes.
2136
2138 This program is free software; you can redistribute it and/or modify it
2139 under the terms of the GNU General Public License as published by the
2140 Free Software Foundation; either version 2 of the License, or (at your
2141 option) any later version.
2142 Homepage: https://firejail.wordpress.com
2144
2146 firemon(1), firecfg(1), firejail-profile(5), firejail-login(5) fire‐
2147 jail-users(5)
21480.9.57 Nov 2018 FIREJAIL(1)