1FIREJAIL(1)                    firejail man page                   FIREJAIL(1)
2
3
4

NAME

6       Firejail - Linux namespaces sandbox program
7

SYNOPSIS

9       Start a sandbox:
10
11              firejail [OPTIONS] [program and arguments]
12
13       File transfer from an existing sandbox
14
15              firejail {--ls | --get | --put} dir_or_filename
16
17       Network traffic shaping for an existing sandbox:
18
19              firejail --bandwidth={name|pid} bandwidth-command
20
21       Monitoring:
22
23              firejail {--list | --netstats | --top | --tree}
24
25       Miscellaneous:
26
27              firejail  {-? | --debug-caps | --debug-errnos | --debug-syscalls
28              | --debug-protocols | --help | --version}
29

DESCRIPTION

31       Firejail is a SUID sandbox program that reduces the  risk  of  security
32       breaches  by  restricting the running environment of untrusted applica‐
33       tions using Linux namespaces, seccomp-bpf and Linux  capabilities.   It
34       allows a process and all its descendants to have their own private view
35       of the globally shared kernel resources, such  as  the  network  stack,
36       process table, mount table.  Firejail can work in a SELinux or AppArmor
37       environment, and it is integrated with Linux Control Groups.
38
39       Written in C with virtually no dependencies, the software runs  on  any
40       Linux  computer with a 3.x kernel version or newer.  It can sandbox any
41       type of processes: servers, graphical applications, and even user login
42       sessions.
43
44       Firejail  allows the user to manage application security using security
45       profiles.  Each profile defines a set of  permissions  for  a  specific
46       application  or  group  of applications. The software includes security
47       profiles for a number of more common Linux programs,  such  as  Mozilla
48       Firefox, Chromium, VLC, Transmission etc.
49
50

USAGE

52       Without  any  options,  the sandbox consists of a filesystem build in a
53       new mount namespace, and new PID and UTS namespaces. IPC,  network  and
54       user  namespaces  can  be  added  using  the  command line options. The
55       default Firejail filesystem is based on the host  filesystem  with  the
56       main  system directories mounted read-only. These directories are /etc,
57       /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64.  Only  /home
58       and /tmp are writable.
59
60       As it starts up, Firejail tries to find a security profile based on the
61       name of the application.  If an appropriate profile is not found, Fire‐
62       jail will use a default profile.  The default profile is quite restric‐
63       tive. In case the application doesn't work, use --noprofile  option  to
64       disable  it. For more information, please see SECURITY PROFILES section
65       below.
66
67       If a program argument  is  not  specified,  Firejail  starts  /bin/bash
68       shell.  Examples:
69
70       $ firejail [OPTIONS]                # starting a /bin/bash shell
71
72       $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
73
74       # sudo firejail [OPTIONS] /etc/init.d/nginx start
75
76

OPTIONS

78       --     Signal  the  end of options and disables further option process‐
79              ing.
80
81       --allow-debuggers
82              Allow tools such  as  strace  and  gdb  inside  the  sandbox  by
83              whitelisting  system  calls  ptrace  and  process_vm_readv. This
84              option is only available when running on Linux  kernels  4.8  or
85              newer  - a kernel bug in ptrace system call allows a full bypass
86              of the seccomp filter.
87
88              Example:
89              $  firejail    --allow-debuggers   --profile=/etc/firejail/fire‐
90              fox.profile strace -f firefox
91
92       --allusers
93              All  directories  under /home are visible inside the sandbox. By
94              default, only current user home directory is visible.
95
96              Example:
97              $ firejail --allusers
98
99       --apparmor
100              Enable AppArmor confinement. For more  information,  please  see
101              APPARMOR section below.
102
103       --appimage
104              Sandbox  an AppImage (https://appimage.org/) application. If the
105              sandbox is started as a regular user, default seccomp and  capa‐
106              bilities filters are enabled.
107
108              Example:
109              $ firejail --appimage krita-3.0-x86_64.appimage
110              $ firejail --appimage --private krita-3.0-x86_64.appimage
111              $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
112
113
114       --apparmor.print=name|pid
115              Print the AppArmor confinement status for the sandbox identified
116              by name or by PID.
117
118              Example:
119              $ firejail --apparmor.print=browser
120              5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
121                AppArmor: firejail-default enforce
122
123
124       --audit
125              Audit the sandbox, see AUDIT section for more details.
126
127       --audit=test-program
128              Audit the sandbox, see AUDIT section for more details.
129
130       --bandwidth=name|pid
131              Set bandwidth limits for the sandbox identified by name or  PID,
132              see TRAFFIC SHAPING section for more details.
133
134       --bind=filename1,filename2
135              Mount-bind  filename1  on  top of filename2. This option is only
136              available when running as root.
137
138              Example:
139              # firejail --bind=/config/etc/passwd,/etc/passwd
140
141       --blacklist=dirname_or_filename
142              Blacklist directory or file. File  globbing  is  supported,  see
143              FILE GLOBBING section for more details.
144
145              Example:
146              $ firejail --blacklist=/sbin --blacklist=/usr/sbin
147              $ firejail --blacklist=~/.mozilla
148              $ firejail "--blacklist=/home/username/My Virtual Machines"
149              $ firejail --blacklist=/home/username/My\ Virtual\ Machines
150
151       --build
152              The command builds a whitelisted profile. The profile is printed
153              on the screen. If /usr/bin/strace is installed on the system, it
154              also builds a whitelisted seccomp profile. The program is run in
155              a very relaxed sandbox, with only --caps.drop=all  and  --nonew‐
156              privs.  Programs that raise user privileges are not supported in
157              order to  allow  strace  to  run.  Chromium  and  Chromium-based
158              browsers will not work.
159
160              Example:
161              $ firejail --build vlc ~/Videos/test.mp4
162
163       --build=profile-file
164              The  command  builds a whitelisted profile, and saves it in pro‐
165              file-file. If /usr/bin/strace is installed  on  the  system,  it
166              also builds a whitelisted seccomp profile. The program is run in
167              a very relaxed sandbox, with only --caps.drop=all  and  --nonew‐
168              privs.  Programs that raise user privileges are not supported in
169              order to  allow  strace  to  run.  Chromium  and  Chromium-based
170              browsers will not work.
171
172              Example:
173              $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
174
175       -c     Execute command and exit.
176
177       --caps Linux  capabilities is a kernel feature designed to split up the
178              root privilege into a set of distinct privileges.  These  privi‐
179              leges can be enabled or disabled independently, thus restricting
180              what a process running as root can do in the system.
181
182              By default root programs  run  with  all  capabilities  enabled.
183              --caps  option disables the following capabilities: CAP_SYS_MOD‐
184              ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
185              FIG,   CAP_SYSLOG,  CAP_MKNOD,  CAP_SYS_ADMIN.   The  filter  is
186              applied to all processes started in the sandbox.
187
188              Example:
189              $ sudo firejail --caps /etc/init.d/nginx start
190
191
192       --caps.drop=all
193              Drop all capabilities for the processes running in the  sandbox.
194              This option is recommended for running GUI programs or any other
195              program that doesn't require root privileges. It is a  must-have
196              option  for sandboxing untrusted programs installed from unoffi‐
197              cial sources - such as games, Java programs, etc.
198
199              Example:
200              $ firejail --caps.drop=all warzone2100
201
202
203       --caps.drop=capability,capability,capability
204              Define a custom blacklist Linux capabilities filter.
205
206              Example:
207              $ firejail --caps.drop=net_broadcast,net_admin,net_raw
208
209
210       --caps.keep=capability,capability,capability
211              Define a custom whitelist Linux capabilities filter.
212
213              Example:
214              $  sudo   firejail   --caps.keep=chown,net_bind_service,setgid,\
215              setuid /etc/init.d/nginx start
216
217
218       --caps.print=name|pid
219              Print  the  caps filter for the sandbox identified by name or by
220              PID.
221
222              Example:
223              $ firejail --name=mygame --caps.drop=all warzone2100 &
224              $ firejail --caps.print=mygame
225
226              Example:
227              $ firejail --list
228              3272:netblue::firejail --private firefox
229              $ firejail --caps.print=3272
230
231
232       --cgroup=tasks-file
233              Place the sandbox in the specified control group. tasks-file  is
234              the full path of cgroup tasks file.
235
236              Example:
237              # firejail --cgroup=/sys/fs/cgroup/g1/tasks
238
239
240       --chroot=dirname
241              Chroot  the  sandbox  into a root filesystem. Unlike the regular
242              filesystem container, the system directories are  mounted  read-
243              write. If the sandbox is started as a regular user, default sec‐
244              comp and capabilities filters are enabled.
245
246              Example:
247              $ firejail --chroot=/media/ubuntu warzone2100
248
249
250       --cpu=cpu-number,cpu-number,cpu-number
251              Set CPU affinity.
252
253              Example:
254              $ firejail --cpu=0,1 handbrake
255
256
257       --cpu.print=name|pid
258              Print the CPU cores in use by the sandbox identified by name  or
259              by PID.
260
261              Example:
262              $ firejail --name=mygame --caps.drop=all warzone2100 &
263              $ firejail --cpu.print=mygame
264
265              Example:
266              $ firejail --list
267              3272:netblue::firejail --private firefox
268              $ firejail --cpu.print=3272
269
270
271       --debug
272              Print debug messages.
273
274              Example:
275              $ firejail --debug firefox
276
277
278       --debug-blacklists
279              Debug blacklisting.
280
281              Example:
282              $ firejail --debug-blacklists firefox
283
284
285       --debug-caps
286              Print  all recognized capabilities in the current Firejail soft‐
287              ware build and exit.
288
289              Example:
290              $ firejail --debug-caps
291
292
293       --debug-errnos
294              Print all recognized error numbers in the current Firejail soft‐
295              ware build and exit.
296
297              Example:
298              $ firejail --debug-errnos
299
300       --debug-private-lib
301              Debug messages for --private-lib option.
302
303       --debug-protocols
304              Print  all recognized protocols in the current Firejail software
305              build and exit.
306
307              Example:
308              $ firejail --debug-protocols
309
310       --debug-syscalls
311              Print all recognized system calls in the current Firejail  soft‐
312              ware build and exit.
313
314              Example:
315              $ firejail --debug-syscalls
316
317       --debug-whitelists
318              Debug whitelisting.
319
320              Example:
321              $ firejail --debug-whitelists firefox
322
323
324       --defaultgw=address
325              Use  this  address  as default gateway in the new network names‐
326              pace.
327
328              Example:
329              $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
330
331
332       --disable-mnt
333              Blacklist /mnt, /media, /run/mount and /run/media access.
334
335              Example:
336              $ firejail --disable-mnt firefox
337
338
339       --dns=address
340              Set a DNS server for the sandbox. Up to three DNS servers can be
341              defined.   Use  this  option if you don't trust the DNS setup on
342              your network.
343
344              Example:
345              $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
346
347              Note: this feature is not supported on systemd-resolved setups.
348
349       --dns.print=name|pid
350              Print DNS configuration for a sandbox identified by name  or  by
351              PID.
352
353              Example:
354              $ firejail --name=mygame --caps.drop=all warzone2100 &
355              $ firejail --dns.print=mygame
356
357              Example:
358              $ firejail --list
359              3272:netblue::firejail --private firefox
360              $ firejail --dns.print=3272
361
362
363       --env=name=value
364              Set environment variable in the new sandbox.
365
366              Example:
367              $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
368
369
370       --fs.print=name|pid
371              Print  the  filesystem log for the sandbox identified by name or
372              by PID.
373
374              Example:
375              $ firejail --name=mygame --caps.drop=all warzone2100 &
376              $ firejail --fs.print=mygame
377
378              Example:
379              $ firejail --list
380              3272:netblue::firejail --private firefox
381              $ firejail --fs.print=3272
382
383
384       --get=name|pid filename
385              Get a file from sandbox container, see FILE TRANSFER section for
386              more details.
387
388
389       -?, --help
390              Print options end exit.
391
392
393
394       --hostname=name
395              Set sandbox hostname.
396
397              Example:
398              $ firejail --hostname=officepc firefox
399
400
401       --hosts-file=file
402              Use file as /etc/hosts.
403
404              Example:
405              $ firejail --hosts-file=~/myhosts firefox
406
407
408       --ignore=command
409              Ignore command in profile file.
410
411              Example:
412              $ firejail --ignore=shell --ignore=seccomp firefox
413              $ firejail --ignore="net eth0" firefox
414
415       --interface=interface
416              Move  interface  in a new network namespace. Up to four --inter‐
417              face options can be specified.  Note: wlan devices are not  sup‐
418              ported for this option.
419
420              Example:
421              $ firejail --interface=eth1 --interface=eth0.vlan100
422
423
424       --ip=address
425              Assign  IP  addresses to the last network interface defined by a
426              --net option. A default gateway is assigned by default.
427
428              Example:
429              $ firejail --net=eth0 --ip=10.10.20.56 firefox
430
431
432       --ip=none
433              No IP address and no default gateway are configured for the last
434              interface defined by a --net option. Use this option in case you
435              intend to start an external DHCP client in the sandbox.
436
437              Example:
438              $ firejail --net=eth0 --ip=none
439
440              If the corresponding interface doesn't have an IP  address  con‐
441              figured, this option is enabled by default.
442
443
444       --ip6=address
445              Assign IPv6 addresses to the last network interface defined by a
446              --net option.
447
448              Example:
449              $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
450
451              Note: you don't need this option if you obtain your ip6  address
452              from  router  via SLAAC (your ip6 address and default route will
453              be configured by kernel automatically).
454
455
456       --iprange=address,address
457              Assign an IP address in the provided range to the  last  network
458              interface  defined  by  a  --net  option.  A  default gateway is
459              assigned by default.
460
461              Example:
462              $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
463
464
465       --ipc-namespace
466              Enable  a new IPC namespace if the sandbox was started as a reg‐
467              ular  user.  IPC  namespace  is enabled by default for sandboxes
468              started as root.
469
470              Example:
471              $ firejail --ipc-namespace firefox
472
473       --join=name|pid
474              Join the sandbox identified by name or  by  PID.  By  default  a
475              /bin/bash shell is started after joining the sandbox.  If a pro‐
476              gram is specified, the program is run in the sandbox. If  --join
477              command  is  issued  as a regular user, all security filters are
478              configured for the new process the same they are  configured  in
479              the  sandbox.  If --join command is issued as root, the security
480              filters, cgroups and cpus configurations are not applied to  the
481              process joining the sandbox.
482
483              Example:
484              $ firejail --name=mygame --caps.drop=all warzone2100 &
485              $ firejail --join=mygame
486
487              Example:
488              $ firejail --list
489              3272:netblue::firejail --private firefox
490              $ firejail --join=3272
491
492
493       --join-filesystem=name|pid
494              Join  the  mount  namespace of the sandbox identified by name or
495              PID. By default a /bin/bash shell is started after  joining  the
496              sandbox.   If  a program is specified, the program is run in the
497              sandbox. This command is available only to root user.   Security
498              filters,  cgroups and cpus configurations are not applied to the
499              process joining the sandbox.
500
501
502       --join-network=name|pid
503              Join the network namespace of the sandbox identified by name. By
504              default  a /bin/bash shell is started after joining the sandbox.
505              If a program is specified, the program is run  in  the  sandbox.
506              This  command is available only to root user.  Security filters,
507              cgroups and cpus configurations are not applied to  the  process
508              joining the sandbox. Example:
509
510              # start firefox
511              $ firejail --net=eth0 --name=browser firefox &
512
513              # change netfilter configuration
514              $  sudo  firejail --join-network=browser bash -c "cat /etc/fire‐
515              jail/nolocal.net | /sbin/iptables-restore"
516
517              # verify netfilter configuration
518              $ sudo firejail --join-network=browser /sbin/iptables -vL
519
520              # verify  IP addresses
521              $ sudo firejail --join-network=browser ip addr
522              Switching to pid 1932, the first child process inside the  sand‐
523              box
524              1:  lo:  <LOOPBACK,UP,LOWER_UP>  mtu  65536  qdisc noqueue state
525              UNKNOWN group default
526                  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
527                  inet 127.0.0.1/8 scope host lo
528                     valid_lft forever preferred_lft forever
529                  inet6 ::1/128 scope host
530                     valid_lft forever preferred_lft forever
531              2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu  1500  qdisc
532              noqueue state UNKNOWN group default
533                  link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
534                  inet   192.168.1.158/24   brd   192.168.1.255  scope  global
535              eth0-1931
536                     valid_lft forever preferred_lft forever
537                  inet6 fe80::7458:14ff:fe42:78e4/64 scope link
538                     valid_lft forever preferred_lft forever
539
540
541       --join-or-start=name
542              Join the sandbox identified by name or start a new one.  Same as
543              "firejail  --join=name"  if  sandbox with specified name exists,
544              otherwise same as "firejail --name=name ..."
545              Note that in contrary to other join options there is  respective
546              profile option.
547
548
549       --keep-dev-shm
550              /dev/shm directory is untouched (even with --private-dev)
551
552              Example:
553              $ firejail --keep-dev-shm --private-dev
554
555
556       --keep-var-tmp
557              /var/tmp directory is untouched.
558
559              Example:
560              $ firejail --keep-var-tmp
561
562
563       --ls=name|pid dir_or_filename
564              List  files  in sandbox container, see FILE TRANSFER section for
565              more details.
566
567
568       --list List all sandboxes, see MONITORING section for more details.
569
570              Example:
571              $ firejail --list
572              7015:netblue:browser:firejail firefox
573              7056:netblue:torrent:firejail --net=eth0 transmission-gtk
574              7064:netblue::firejail --noroot xterm
575              $
576
577       --mac=address
578              Assign MAC addresses to the last network interface defined by  a
579              --net  option.  This option is not supported for wireless inter‐
580              faces.
581
582              Example:
583              $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
584
585
586       --machine-id
587              Spoof id number in /etc/machine-id file - a  new  random  id  is
588              generated inside the sandbox.
589
590              Example:
591              $ firejail --machine-id
592
593
594       --memory-deny-write-execute
595              Install a seccomp filter to block attempts to create memory map‐
596              pings that are both writable and executable, to change  mappings
597              to  be  executable,  or  to create executable shared memory. The
598              filter  examines  the  arguments  of  mmap,   mmap2,   mprotect,
599              pkey_mprotect  and  shmat  system calls and kills the process if
600              necessary.
601
602              Note: shmat is not implemented as a system call  on  some  plat‐
603              forms including i386, and it cannot be handled by seccomp-bpf.
604
605
606       --mtu=number
607              Assign  a  MTU  value to the last network interface defined by a
608              --net option.
609
610              Example:
611              $ firejail --net=eth0 --mtu=1492
612
613
614       --name=name
615              Set sandbox name. Several options, such as  --join  and  --shut‐
616              down, can use this name to identify a sandbox.
617
618              Example:
619              $ firejail --name=mybrowser firefox
620
621
622       --net=bridge_interface
623              Enable  a  new  network  namespace and connect it to this bridge
624              interface.  Unless specified with option --ip  and  --defaultgw,
625              an  IP  address and a default gateway will be assigned automati‐
626              cally to the sandbox. The  IP  address  is  verified  using  ARP
627              before  assignment. The address configured as default gateway is
628              the bridge device IP address. Up to four --net  options  can  be
629              specified.
630
631              Example:
632              $ sudo brctl addbr br0
633              $ sudo ifconfig br0 10.10.20.1/24
634              $ sudo brctl addbr br1
635              $ sudo ifconfig br1 10.10.30.1/24
636              $ firejail --net=br0 --net=br1
637
638
639       --net=ethernet_interface|wireless_interface
640              Enable  a  new network namespace and connect it to this ethernet
641              interface using the standard Linux macvlan|ipvaln driver. Unless
642              specified  with option --ip and --defaultgw, an IP address and a
643              default gateway will be assigned automatically to  the  sandbox.
644              The  IP  address  is  verified  using ARP before assignment. The
645              address configured as default gateway is the default gateway  of
646              the  host.  Up  to four --net options can be specified.  Support
647              for ipvlan driver was introduced in Linux kernel 3.19.
648
649              Example:
650              $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
651              $ firejail --net=wlan0 firefox
652
653
654       --net=tap_interface
655              Enable a new network namespace and connect it to  this  ethernet
656              tap  interface  using  the standard Linux macvlan driver. If the
657              tap interface is not configured, the sandbox  will  not  try  to
658              configure  the  interface  inside the sandbox.  Please use --ip,
659              --netmask and --defaultgw to specify the configuration.
660
661              Example:
662              $ firejail --net=tap0  --ip=10.10.20.80  --netmask=255.255.255.0
663              --defaultgw=10.10.20.1 firefox
664
665
666       --net=none
667              Enable  a new, unconnected network namespace. The only interface
668              available in the new namespace is a new loopback interface (lo).
669              Use  this  option  to deny network access to programs that don't
670              really need network access.
671
672              Example:
673              $ firejail --net=none vlc
674
675              Note: --net=none can crash the application  on  some  platforms.
676              In these cases, it can be replaced with --protocol=unix.
677
678
679       --netfilter
680              Enable  a default firewall if a new network namespace is created
681              inside the sandbox.  This option has  no  effect  for  sandboxes
682              using the system network namespace.
683
684              The  default  firewall is optimized for regular desktop applica‐
685              tions. No incoming connections are accepted:
686
687              *filter
688              :INPUT DROP [0:0]
689              :FORWARD DROP [0:0]
690              :OUTPUT ACCEPT [0:0]
691              -A INPUT -i lo -j ACCEPT
692              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
693              # allow ping
694              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
695              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
696              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
697              # drop STUN (WebRTC) requests
698              -A OUTPUT -p udp --dport 3478 -j DROP
699              -A OUTPUT -p udp --dport 3479 -j DROP
700              -A OUTPUT -p tcp --dport 3478 -j DROP
701              -A OUTPUT -p tcp --dport 3479 -j DROP
702              COMMIT
703
704              Example:
705              $ firejail --net=eth0 --netfilter firefox
706
707       --netfilter=filename
708              Enable the firewall specified  by  filename  if  a  new  network
709              namespace  is  created  inside  the sandbox.  This option has no
710              effect for sandboxes using the system network namespace.
711
712              Please use the regular iptables-save/iptables-restore format for
713              the  filter  file.  The  following  examples  are  available  in
714              /etc/firejail directory:
715
716              webserver.net is a webserver firewall that allows access only to
717              TCP ports 80 and 443.  Example:
718
719              $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
720              /etc/init.d/apache2 start
721
722              nolocal.net  is a desktop client firewall that disable access to
723              local network. Example:
724
725              $ firejail --netfilter=/etc/firejail/nolocal.net \
726              --net=eth0 firefox
727
728
729
730
731
732       --netfilter=filename,arg1,arg2,arg3 ...
733              This is the template version of  the  previous  command.  $ARG1,
734              $ARG2,  $ARG3 ... in the firewall script are replaced with arg1,
735              arg2, arg3 ... passed on the command line. Up  to  16  arguments
736              are supported.  Example:
737
738              $ firejail --net=eth0 --ip=192.168.1.105 \
739              --netfilter=/etc/firejail/tcpserver.net,5001 server-program
740
741
742
743
744       --netfilter.print=name|pid
745              Print the firewall installed in the sandbox specified by name or
746              PID. Example:
747
748              $ firejail --name=browser --net=eth0 --netfilter firefox &
749              $ firejail --netfilter.print=browser
750
751
752       --netfilter6=filename
753              Enable the IPv6 firewall specified by filename if a new  network
754              namespace  is  created  inside  the sandbox.  This option has no
755              effect for sandboxes using the system network namespace.  Please
756              use  the  regular  iptables-save/iptables-restore format for the
757              filter file.
758
759
760       --netfilter6.print=name|pid
761              Print the IPv6 firewall installed in the  sandbox  specified  by
762              name or PID. Example:
763
764              $ firejail --name=browser --net=eth0 --netfilter firefox &
765              $ firejail --netfilter6.print=browser
766
767
768       --netmask=address
769              Use  this  option when you want to assign an IP address in a new
770              namespace and the parent interface specified  by  --net  is  not
771              configured.  An  IP  address  and a default gateway address also
772              have to be added. By default the new namespace  interface  comes
773              without IP address and default gateway configured. Example:
774
775              $ sudo /sbin/brctl addbr br0
776              $ sudo /sbin/ifconfig br0 up
777              $      firejail     --ip=10.10.20.67     --netmask=255.255.255.0
778              --defaultgw=10.10.20.1
779
780
781       --netns=name
782              Run the program in a named, persistent network namespace.  These
783              can be created and configured using "ip netns".
784
785
786       --netstats
787              Monitor network namespace statistics, see MONITORING section for
788              more details.
789
790              Example:
791
792              $ firejail --netstats
793              PID  User    RX(KB/s) TX(KB/s) Command
794              1294 netblue 53.355   1.473    firejail --net=eth0 firefox
795              7383 netblue 9.045    0.112    firejail --net=eth0 transmission
796
797
798       --nice=value
799              Set nice value for all processes  running  inside  the  sandbox.
800              Only root may specify a negative value.
801
802              Example:
803              $ firejail --nice=2 firefox
804
805
806       --no3d Disable 3D hardware acceleration.
807
808              Example:
809              $ firejail --no3d firefox
810
811
812       --noblacklist=dirname_or_filename
813              Disable blacklist for this directory or file.
814
815              Example:
816              $ firejail
817              $ nc dict.org 2628
818              bash: /bin/nc: Permission denied
819              $ exit
820
821              $ firejail --noblacklist=/bin/nc
822              $ nc dict.org 2628
823              220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
824
825       --nodbus
826              Disable D-Bus access. Only the regular UNIX socket is handled by
827              this command. To disable the abstract socket you would  need  to
828              request  a  new  network  namespace using --net command. Another
829              option is to remove unix from --protocol set.
830
831              Example:
832              $ firejail --nodbus --net=none
833
834       --nodvd
835              Disable DVD and audio CD devices.
836
837              Example:
838              $ firejail --nodvd
839
840       --noexec=dirname_or_filename
841              Remount directory or file noexec, nodev and nosuid.  File  glob‐
842              bing is supported, see FILE GLOBBING section for more details.
843
844              Example:
845              $ firejail --noexec=/tmp
846
847              /etc  and  /var are noexec by default if the sandbox was started
848              as a regular user. If there are more than one mount operation on
849              the  path  of the file or directory, noexec should be applied to
850              the last one. Always check if the change took effect inside  the
851              sandbox.
852
853
854       --nogroups
855              Disable supplementary groups. Without this option, supplementary
856              groups are enabled for the user starting the sandbox.  For  root
857              user supplementary groups are always disabled.
858
859              Note:  By  default  all regular user groups are removed with the
860              exception of  the  current  user.  This  can  be  changed  using
861              --allusers command option.
862
863              Example:
864              $ id
865              uid=1000(netblue)       gid=1000(netblue)       groups=1000(net‐
866              blue),24(cdrom),25(floppy),27(sudo),29(audio)
867              $ firejail --nogroups
868              Parent pid 8704, child pid 8705
869              Child process initialized
870              $ id
871              uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
872              $
873
874
875       --noprofile
876              Do not use a security profile.
877
878              Example:
879              $ firejail
880              Reading profile /etc/firejail/default.profile
881              Parent pid 8553, child pid 8554
882              Child process initialized
883              [...]
884
885              $ firejail --noprofile
886              Parent pid 8553, child pid 8554
887              Child process initialized
888              [...]
889
890
891       --noroot
892              Install a user namespace with a single user - the current  user.
893              root  user  does  not  exist  in  the new namespace. This option
894              requires a Linux kernel version 3.8 or newer. The option is  not
895              supported  for  --chroot  and  --overlay  configurations, or for
896              sandboxes started as root.
897
898              Example:
899              $ firejail --noroot
900              Parent pid 8553, child pid 8554
901              Child process initialized
902              $ ping google.com
903              ping: icmp open socket: Operation not permitted
904              $
905
906
907       --nonewprivs
908              Sets the NO_NEW_PRIVS prctl.  This ensures that child  processes
909              cannot  acquire  new privileges using execve(2);  in particular,
910              this means that calling a suid binary (or one with file capabil‐
911              ities)  does not result in an increase of privilege. This option
912              is enabled by default if seccomp filter is activated.
913
914
915       --nosound
916              Disable sound system.
917
918              Example:
919              $ firejail --nosound firefox
920
921
922       --noautopulse
923              Disable automatic ~/.config/pulse init, for complex setups  such
924              as remote pulse servers or non-standard socket paths.
925
926              Example:
927              $ firejail --noautopulse firefox
928
929
930       --notv Disable DVB (Digital Video Broadcasting) TV devices.
931
932              Example:
933              $ firejail --notv vlc
934
935
936       --nou2f
937              Disable U2F devices.
938
939              Example:
940              $ firejail --nou2f
941
942
943       --novideo
944              Disable video devices.
945
946
947       --nowhitelist=dirname_or_filename
948              Disable whitelist for this directory or file.
949
950
951       --output=logfile
952              stdout  logging  and  log  rotation. Copy stdout to logfile, and
953              keep the size of the file under 500KB using log  rotation.  Five
954              files with prefixes .1 to .5 are used in rotation.
955
956              Example:
957              $ firejail --output=sandboxlog /bin/bash
958              [...]
959              $ ls -l sandboxlog*
960              -rw-r--r-- 1 netblue netblue 333890 Jun  2 07:48 sandboxlog
961              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.1
962              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.2
963              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.3
964              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.4
965              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.5
966
967
968       --output-stderr=logfile
969              Similar to --output, but stderr is also stored.
970
971
972       --overlay
973              Mount  a  filesystem  overlay  on top of the current filesystem.
974              Unlike the regular filesystem container, the system  directories
975              are mounted read-write. All filesystem modifications go into the
976              overlay.  Directories /run, /tmp and /dev are not covered by the
977              overlay.  The  overlay is stored in $HOME/.firejail/<PID> direc‐
978              tory.  If the sandbox is started as a regular user, default sec‐
979              comp and capabilities filters are enabled.
980
981              OverlayFS support is required in Linux kernel for this option to
982              work.  OverlayFS was officially introduced in Linux kernel  ver‐
983              sion 3.18.  This option is not available on Grsecurity systems.
984
985              Example:
986              $ firejail --overlay firefox
987
988
989       --overlay-named=name
990              Mount  a  filesystem  overlay  on top of the current filesystem.
991              Unlike the regular filesystem container, the system  directories
992              are mounted read-write. All filesystem modifications go into the
993              overlay.  Directories /run, /tmp and /dev are not covered by the
994              overlay.  The overlay is stored in $HOME/.firejail/<NAME> direc‐
995              tory.  The created overlay can be reused between  multiple  ses‐
996              sions.   If  the  sandbox  is started as a regular user, default
997              seccomp and capabilities filters are enabled.
998
999              OverlayFS support is required in Linux kernel for this option to
1000              work.   OverlayFS was officially introduced in Linux kernel ver‐
1001              sion 3.18.  This option is not available on Grsecurity systems.
1002
1003              Example:
1004              $ firejail --overlay-named=jail1 firefox
1005
1006
1007       --overlay-tmpfs
1008              Mount a filesystem overlay on top of the current filesystem. All
1009              filesystem  modifications  are  discarded  when  the  sandbox is
1010              closed. Directories /run, /tmp and /dev are not covered  by  the
1011              overlay.   If  the sandbox is started as a regular user, default
1012              seccomp and capabilities filters are enabled.
1013
1014              OverlayFS support is required in Linux kernel for this option to
1015              work.   OverlayFS was officially introduced in Linux kernel ver‐
1016              sion 3.18.  This option is not available on Grsecurity systems.
1017
1018              Example:
1019              $ firejail --overlay-tmpfs firefox
1020
1021
1022       --overlay-clean
1023              Clean all overlays stored in $HOME/.firejail directory.
1024
1025              Example:
1026              $ firejail --overlay-clean
1027
1028
1029       --private
1030              Mount new /root and /home/user directories in temporary filesys‐
1031              tems.  All  modifications  are  discarded  when  the  sandbox is
1032              closed.
1033
1034              Example:
1035              $ firejail --private firefox
1036
1037       --private=directory
1038              Use directory as user home.
1039
1040              Example:
1041              $ firejail --private=/home/netblue/firefox-home firefox
1042
1043
1044       --private-home=file,directory
1045              Build a new user home in a temporary filesystem,  and  copy  the
1046              files and directories in the list in the new home. All modifica‐
1047              tions are discarded when the sandbox is closed.
1048
1049              Example:
1050              $ firejail --private-home=.mozilla firefox
1051
1052
1053       --private-cache
1054              Mount an empty temporary filesystem on top of the .cache  direc‐
1055              tory  in  user  home.  All  modifications are discarded when the
1056              sandbox is closed.
1057
1058              Example:
1059              $ firejail --private-cache openbox
1060
1061
1062       --private-bin=file,file
1063              Build a new /bin in a temporary filesystem, and  copy  the  pro‐
1064              grams  in  the list.  If no listed file is found, /bin directory
1065              will be empty.  The same directory  is  also  bind-mounted  over
1066              /sbin,  /usr/bin,  /usr/sbin  and /usr/local/bin.  All modifica‐
1067              tions are discarded when the sandbox is closed. File globbing is
1068              supported, see FILE GLOBBING section for more details.
1069
1070              Example:
1071              $ firejail --private-bin=bash,sed,ls,cat
1072              Parent pid 20841, child pid 20842
1073              Child process initialized
1074              $ ls /bin
1075              bash  cat  ls  sed
1076
1077
1078       --private-lib=file,directory
1079              This  feature  is  currently under heavy development. Only amd64
1080              platforms are supported at this moment.  The idea is to build  a
1081              new  /lib in a temporary filesystem, with only the library files
1082              necessary to run the application.  It could be as simple as:
1083
1084              $ firejail --private-lib galculator
1085
1086              but it gets complicated really fast:
1087
1088              $   firejail    --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1089              gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1090
1091              The feature is integrated with --private-bin:
1092
1093              $ firejail --private-lib --private-bin=bash,ls,ps
1094              $ ls /lib
1095              ld-linux-x86-64.so.2  libgpg-error.so.0  libprocps.so.6  libsys‐
1096              temd.so.0
1097              libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1098              libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1099              libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1100              $ ps
1101               PID TTY          TIME CMD
1102                  1 pts/0    00:00:00 firejail
1103                 45 pts/0    00:00:00 bash
1104                 48 pts/0    00:00:00 ps
1105              $
1106
1107
1108
1109       --private-dev
1110              Create a new /dev directory. Only disc, dri, null,  full,  zero,
1111              tty, pts, ptmx, random, snd, urandom, video, log and shm devices
1112              are available.
1113
1114              Example:
1115              $ firejail --private-dev
1116              Parent pid 9887, child pid 9888
1117              Child process initialized
1118              $ ls /dev
1119              cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random
1120              shm  snd  sr0  tty  urandom  zero
1121              $
1122
1123       --private-etc=file,directory
1124              Build  a  new /etc in a temporary filesystem, and copy the files
1125              and directories in the list.  If no listed file is  found,  /etc
1126              directory  will  be empty.  All modifications are discarded when
1127              the sandbox is closed.
1128
1129              Example:
1130              $ firejail --private-etc=group,hostname,localtime, \
1131              nsswitch.conf,passwd,resolv.conf
1132
1133
1134       --private-opt=file,directory
1135              Build a new /opt in a temporary filesystem, and copy  the  files
1136              and  directories  in the list.  If no listed file is found, /opt
1137              directory will be empty.  All modifications are  discarded  when
1138              the sandbox is closed.
1139
1140              Example:
1141              $ firejail --private-opt=firefox /opt/firefox/firefox
1142
1143
1144       --private-srv=file,directory
1145              Build  a  new /srv in a temporary filesystem, and copy the files
1146              and directories in the list.  If no listed file is  found,  /srv
1147              directory  will  be empty.  All modifications are discarded when
1148              the sandbox is closed.
1149
1150              Example:
1151              # firejail --private-srv=www /etc/init.d/apache2 start
1152
1153
1154       --private-tmp
1155              Mount an empty temporary filesystem on  top  of  /tmp  directory
1156              whitelisting X11 and PulseAudio sockets.
1157
1158              Example:
1159              $ firejail --private-tmp
1160              $ ls -al /tmp
1161              drwxrwxrwt  4 nobody nogroup   80 Apr 30 11:46 .
1162              drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1163              drwx------   2  nobody  nogroup  4096  Apr  30  10:52 pulse-PKd‐
1164              htXMmr18n
1165              drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1166
1167
1168
1169       --profile=filename_or_profilename
1170              Load a custom security profile from filename. For  filename  use
1171              an  absolute  path  or a path relative to the current path.  For
1172              more information, see SECURITY PROFILES section below.
1173
1174              Example:
1175              $ firejail --profile=myprofile
1176
1177
1178       --profile.print=name|pid
1179              Print the name of the profile file for the sandbox identified by
1180              name or or PID.
1181
1182              Example:
1183              $ firejail --profile.print=browser
1184              /etc/firejail/firefox.profile
1185
1186       --protocol=protocol,protocol,protocol
1187              Enable  protocol  filter.  The  filter  is  based on seccomp and
1188              checks the first argument to  socket  system  call.   Recognized
1189              values:  unix,  inet,  inet6, netlink and packet. This option is
1190              not supported for i386 architecture.
1191
1192              Example:
1193              $ firejail --protocol=unix,inet,inet6 firefox
1194
1195       --protocol.print=name|pid
1196              Print the protocol filter for the sandbox identified by name  or
1197              PID.
1198
1199              Example:
1200              $ firejail --name=mybrowser firefox &
1201              $ firejail --protocol.print=mybrowser
1202              unix,inet,inet6,netlink
1203
1204              Example:
1205              $ firejail --list
1206              3272:netblue::firejail --private firefox
1207              $ firejail --protocol.print=3272
1208              unix,inet,inet6,netlink
1209
1210       --put=name|pid src-filename dest-filename
1211              Put  a  file in sandbox container, see FILE TRANSFER section for
1212              more details.
1213
1214       --quiet
1215              Turn off Firejail's output.
1216
1217       --read-only=dirname_or_filename
1218              Set directory or file read-only. File globbing is supported, see
1219              FILE GLOBBING section for more details.
1220
1221              Example:
1222              $ firejail --read-only=~/.mozilla firefox
1223
1224              A  short  note about mixing --whitelist and --read-only options.
1225              Whitelisted directories should be made read-only  independently.
1226              Making a parent directory read-only, will not make the whitelist
1227              read-only. Example:
1228
1229              $ firejail --whitelist=~/work --read-only=~ --read-only=~/work
1230
1231
1232       --read-write=dirname_or_filename
1233              Set directory or file  read-write.  Only  files  or  directories
1234              belonging  to  the  current user are allowed for this operation.
1235              File globbing is supported, see FILE GLOBBING section  for  more
1236              details.  Example:
1237
1238              $ mkdir ~/test
1239              $ touch ~/test/a
1240              $ firejail --read-only=~/test --read-write=~/test/a
1241
1242
1243
1244       --rlimit-as=number
1245              Set  the  maximum  size of the process's virtual memory (address
1246              space) in bytes.
1247
1248
1249       --rlimit-cpu=number
1250              Set the maximum limit, in seconds, for the amount  of  CPU  time
1251              each  sandboxed process  can consume. When the limit is reached,
1252              the processes are killed.
1253
1254              The CPU limit is a limit on  CPU  seconds  rather  than  elapsed
1255              time. CPU seconds is basically how many seconds the CPU has been
1256              in use and does not necessarily directly relate to  the  elapsed
1257              time.  Linux  kernel keeps track of CPU seconds for each process
1258              independently.
1259
1260
1261       --rlimit-fsize=number
1262              Set the maximum file size that can be created by a process.
1263
1264       --rlimit-nofile=number
1265              Set the maximum number of files that can be opened by a process.
1266
1267       --rlimit-nproc=number
1268              Set the maximum number of processes that can be created for  the
1269              real user ID of the calling process.
1270
1271       --rlimit-sigpending=number
1272              Set the maximum number of pending signals for a process.
1273
1274
1275       --rmenv=name
1276              Remove environment variable in the new sandbox.
1277
1278              Example:
1279              $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1280
1281
1282       --scan ARP-scan all the networks from inside a network namespace.  This
1283              makes it possible to detect macvlan kernel device  drivers  run‐
1284              ning on the current host.
1285
1286              Example:
1287              $ firejail --net=eth0 --scan
1288
1289       --seccomp
1290              Enable  seccomp filter and blacklist the syscalls in the default
1291              list (@default). The default list is as follows: _sysctl,  acct,
1292              add_key,  adjtimex,  afs_syscall,  bdflush,  bpf, break, chroot,
1293              clock_adjtime, clock_settime, create_module, delete_module, fan‐
1294              otify_init, finit_module, ftime, get_kernel_syms, getpmsg, gtty,
1295              init_module,  io_cancel,  io_destroy,  io_getevents,   io_setup,
1296              io_submit,  ioperm,  iopl,  ioprio_set,  kcmp,  kexec_file_load,
1297              kexec_load, keyctl, lock, lookup_dcookie, mbind,  migrate_pages,
1298              modify_ldt,    mount,    move_pages,   mpx,   name_to_handle_at,
1299              nfsservctl,  ni_syscall,  open_by_handle_at,   pciconfig_iobase,
1300              pciconfig_read,  pciconfig_write,  perf_event_open, personality,
1301              pivot_root, process_vm_readv, process_vm_writev,  prof,  profil,
1302              ptrace,   putpmsg,   query_module,   reboot,   remap_file_pages,
1303              request_key, rtas,  s390_mmio_read,  s390_mmio_write,  s390_run‐
1304              time_instr, security, set_mempolicy, setdomainname, sethostname,
1305              settimeofday, sgetmask,  ssetmask,  stime,  stty,  subpage_prot,
1306              swapoff,  swapon,  switch_endian,  sys_debug_setcontext,  sysfs,
1307              syslog, tuxcall, ulimit, umount, umount2,  uselib,  userfaultfd,
1308              ustat, vhangup, vm86, vm86old, vmsplice and vserver.
1309
1310              To help creating useful seccomp filters more easily, the follow‐
1311              ing system call  groups  are  defined:  @clock,  @cpu-emulation,
1312              @debug,  @default, @default-nodebuggers, @default-keep, @module,
1313              @obsolete, @privileged, @raw-io, @reboot, @resources and  @swap.
1314              In addtion, a system call can be specified by its number instead
1315              of name with prefix $, so for example $165  would  be  equal  to
1316              mount on i386.
1317
1318              System  architecture  is  strictly  imposed  only if flag --sec‐
1319              comp.block-secondary is used. The filter is applied at run  time
1320              only  if  the correct architecture was detected. For the case of
1321              I386 and AMD64 both 32-bit and 64-bit filters are installed.
1322
1323              Firejail will print seccomp violations to the audit log  if  the
1324              kernel was compiled with audit support (CONFIG_AUDIT flag).
1325
1326              Example:
1327              $ firejail --seccomp
1328
1329       --seccomp=syscall,@group
1330              Enable seccomp filter, blacklist the default list (@default) and
1331              the syscalls or syscall groups specified by the command.
1332
1333              Example:
1334              $ firejail --seccomp=utime,utimensat,utimes firefox
1335              $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1336
1337              Instead of dropping the syscall, a specific error number can  be
1338              returned using syscall:errorno syntax.
1339
1340              Example: $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1341              Parent pid 10662, child pid 10663
1342              Child process initialized
1343              $ touch testfile
1344              $ rm testfile
1345              rm: cannot remove `testfile': Operation not permitted
1346
1347              If the blocked system calls would also block Firejail from oper‐
1348              ating, they are handled by adding a preloaded library which per‐
1349              forms seccomp system calls later.
1350
1351              Example:
1352              $ firejail --noprofile --shell=none --seccomp=execve bash
1353              Parent pid 32751, child pid 32752
1354              Post-exec seccomp protector enabled
1355              list  in:  execve,  check  list:  @default-keep prelist: (null),
1356              postlist: execve
1357              Child process initialized in 46.44 ms
1358              $ ls
1359              Bad system call
1360
1361
1362       --seccomp.block-secondary
1363              Enable seccomp filter and filter system  call  architectures  so
1364              that  only  the  native architecture is allowed. For example, on
1365              amd64, i386 and x32 system calls are blocked as well as changing
1366              the execution domain with personality(2) system call.
1367
1368
1369       --seccomp.drop=syscall,@group
1370              Enable seccomp filter, and blacklist the syscalls or the syscall
1371              groups specified by the command.
1372
1373              Example:
1374              $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1375
1376              Instead of dropping the syscall, a specific error number can  be
1377              returned using syscall:errorno syntax.
1378
1379              Example:
1380              $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1381              Parent pid 10662, child pid 10663
1382              Child process initialized
1383              $ touch testfile
1384              $ rm testfile
1385              rm: cannot remove `testfile': Operation not permitted
1386
1387
1388
1389
1390
1391
1392       --seccomp.keep=syscall,syscall,syscall
1393              Enable  seccomp  filter, and whitelist the syscalls specified by
1394              the  command.  The  system  calls  needed  by  Firejail   (group
1395              @default-keep:  prctl,  execve)  are  handled  with  the preload
1396              library.
1397
1398              Example:
1399              $ firejail --shell=none --seccomp.keep=poll,select,[...]  trans‐
1400              mission-gtk
1401
1402
1403       --seccomp.print=name|pid
1404              Print  the  seccomp filter for the sandbox identified by name or
1405              PID.
1406
1407              Example:
1408              $ firejail --name=browser firefox &
1409              $ firejail --seccomp.print=browser
1410               line  OP JT JF    K
1411              =================================
1412               0000: 20 00 00 00000004   ld  data.architecture
1413               0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
1414               0002: 06 00 00 7fff0000   ret ALLOW
1415               0003: 20 00 00 00000000   ld  data.syscall-number
1416               0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
1417               0005: 35 01 00 00000000   jge read 0007 (false 0006)
1418               0006: 06 00 00 00050001   ret ERRNO(1)
1419               0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
1420               0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
1421               0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
1422               000a: 15 3e 00 00000137    jeq  process_vm_writev  0049  (false
1423              000b)
1424               000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
1425               000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
1426               000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
1427               000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
1428               000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
1429               0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
1430               0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
1431               0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
1432               0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
1433               0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
1434               0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
1435               0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
1436               0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
1437               0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
1438               0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
1439               001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
1440               001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
1441               001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
1442               001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
1443               001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
1444               001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
1445               0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
1446               0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
1447               0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
1448               0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
1449               0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
1450               0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
1451               0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
1452               0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
1453               0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
1454               0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
1455               002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
1456               002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
1457               002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
1458               002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
1459               002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
1460               002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
1461               0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
1462               0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
1463               0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
1464               0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
1465               0034:  15  14  00  00000130   jeq open_by_handle_at 0049 (false
1466              0035)
1467               0035: 15 13 00 0000012f    jeq  name_to_handle_at  0049  (false
1468              0036)
1469               0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
1470               0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
1471               0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
1472               0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
1473               003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
1474               003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
1475               003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
1476               003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
1477               003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
1478               003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
1479               0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
1480               0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
1481               0042:  15  06  00  000000d8    jeq remap_file_pages 0049 (false
1482              0043)
1483               0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
1484               0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
1485               0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
1486               0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
1487               0047: 15 01 00  00000136    jeq  process_vm_readv  0049  (false
1488              0048)
1489               0048: 06 00 00 7fff0000   ret ALLOW
1490               0049: 06 00 01 00000000   ret KILL
1491              $
1492
1493       --shell=none
1494              Run the program directly, without a user shell.
1495
1496              Example:
1497              $ firejail --shell=none script.sh
1498
1499       --shell=program
1500              Set  default  user  shell. Use this shell to run the application
1501              using -c shell option.  For example "firejail  --shell=/bin/dash
1502              firefox"  will  start Mozilla Firefox as "/bin/dash -c firefox".
1503              By default Bash shell (/bin/bash) is used.
1504
1505              Example: $firejail --shell=/bin/dash script.sh
1506
1507       --shutdown=name|pid
1508              Shutdown the sandbox identified by name or PID.
1509
1510              Example:
1511              $ firejail --name=mygame --caps.drop=all warzone2100 &
1512              $ firejail --shutdown=mygame
1513
1514              Example:
1515              $ firejail --list
1516              3272:netblue::firejail --private firefox
1517              $ firejail --shutdown=3272
1518
1519       --timeout=hh:mm:ss
1520              Kill the sandbox automatically after the time has  elapsed.  The
1521              time is specified in hours/minutes/seconds format.
1522
1523              $ firejail --timeout=01:30:00 firefox
1524
1525       --tmpfs=dirname
1526              Mount  a  tmpfs  filesystem on directory dirname. This option is
1527              available only when running the sandbox as root.  File  globbing
1528              is supported, see FILE GLOBBING section for more details.
1529
1530              Example:
1531              # firejail --tmpfs=/var
1532
1533       --top  Monitor the most CPU-intensive sandboxes, see MONITORING section
1534              for more details.
1535
1536              Example:
1537              $ firejail --top
1538
1539       --trace
1540              Trace open, access and connect system calls.
1541
1542              Example:
1543              $ firejail --trace wget -q www.debian.org
1544              Reading profile /etc/firejail/wget.profile
1545              3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
1546              3:wget:fopen /etc/hosts:0x5c8e8cfb70
1547              3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
1548              3:wget:connect 3 8.8.8.8 port 53:0
1549              3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
1550              3:wget:connect 3 130.89.148.14 port 80:0
1551              3:wget:fopen64 index.html:0x5c8e8d1a60
1552
1553              parent is shutting down, bye...
1554
1555       --tracelog
1556              This option enables auditing blacklisted files and  directories.
1557              A message is sent to syslog in case the file or the directory is
1558              accessed.
1559
1560              Example:
1561              $ firejail --tracelog firefox
1562
1563              Sample messages:
1564              $ sudo tail -f /var/log/syslog
1565              [...]
1566              Dec  3 11:43:25 debian firejail[70]: blacklist violation - sand‐
1567              box 26370, exe firefox, syscall open64, path /etc/shadow
1568              Dec  3 11:46:17 debian firejail[70]: blacklist violation - sand‐
1569              box 26370, exe firefox, syscall opendir, path /boot
1570              [...]
1571
1572       --tree Print a tree of all sandboxed processes, see MONITORING  section
1573              for more details.
1574
1575              Example:
1576              $ firejail --tree
1577              11903:netblue:firejail iceweasel
1578                11904:netblue:iceweasel
1579                  11957:netblue:/usr/lib/iceweasel/plugin-container
1580              11969:netblue:firejail --net=eth0 transmission-gtk
1581                11970:netblue:transmission-gtk
1582
1583
1584       --tunnel[=devname]
1585              Connect  the  sandbox to a network overlay/VPN tunnel created by
1586              firetunnel utility. This options tries first the client side  of
1587              the tunnel. If this fails, it tries the server side. If multiple
1588              tunnels are active,  please  specify  the  tunnel  device  using
1589              --tunnel=devname.
1590
1591              The  available  tunnel  devices  are  listed  in /etc/firetunnel
1592              directory, one file for each  device.   The  files  are  regular
1593              firejail profile files containing the network configuration, and
1594              are created and managed by firetunnel utility.  By  default  ftc
1595              is the client-side device and fts is the server-side device. For
1596              more information please see man 1 firetunnel.
1597
1598              Example:
1599              $ firejail --tunnel firefox
1600
1601       --version
1602              Print program version and exit.
1603
1604              Example:
1605              $ firejail --version
1606              firejail version 0.9.27
1607
1608
1609       --veth-name=name
1610              Use this name for the interface  connected  to  the  bridge  for
1611              --net=bridge_interface commands, instead of the default one.
1612
1613              Example:
1614              $ firejail --net=br0 --veth-name=if0
1615
1616
1617       --whitelist=dirname_or_filename
1618              Whitelist  directory or file. A temporary file system is mounted
1619              on the top directory, and the whitelisted files are mount-binded
1620              inside.  Modifications  to  whitelisted  files  are  persistent,
1621              everything else is discarded when the sandbox is closed. The top
1622              directory  could  be  user home, /dev, /etc, /media, /mnt, /opt,
1623              /srv, /sys/module, /usr/share, /var, and /tmp.
1624
1625              Symbolic link handling: with the exception of  user  home,  both
1626              the  link and the real file should be in the same top directory.
1627              For user home, both the link and the real file should  be  owned
1628              by the user.
1629
1630              Example:
1631              $ firejail --noprofile --whitelist=~/.mozilla
1632              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
1633              $ firejail "--whitelist=/home/username/My Virtual Machines"
1634
1635
1636       --writable-etc
1637              Mount /etc directory read-write.
1638
1639              Example:
1640              $ sudo firejail --writable-etc
1641
1642
1643       --writable-run-user
1644              Disable  the  default blacklisting of /run/user/$UID/systemd and
1645              /run/user/$UID/gnupg.
1646
1647              Example:
1648              $ sudo firejail --writable-run-user
1649
1650
1651       --writable-var
1652              Mount /var directory read-write.
1653
1654              Example:
1655              $ sudo firejail --writable-var
1656
1657
1658       --writable-var-log
1659              Use the real /var/log directory, not  a  clone.  By  default,  a
1660              tmpfs  is  mounted  on top of /var/log directory, and a skeleton
1661              filesystem is created based on the original /var/log.
1662
1663              Example:
1664              $ sudo firejail --writable-var-log
1665
1666
1667
1668       --x11  Sandbox the application using Xpra, Xephyr, Xvfb or  Xorg  secu‐
1669              rity  extension.   The sandbox will prevents screenshot and key‐
1670              logger applications started inside the  sandbox  from  accessing
1671              clients  running  outside  the sandbox.  Firejail will try first
1672              Xpra, and if Xpra is not installed on the system, it will try to
1673              find  Xephyr.   If  all  fails, Firejail will not attempt to use
1674              Xvfb or X11 security extension.
1675
1676              Xpra, Xephyr and Xvfb modes require a network  namespace  to  be
1677              instantiated  in  order  to disable X11 abstract Unix socket. If
1678              this is not possible, the user can disable the  abstract  socket
1679              by  adding  "-nolisten  local"  on  Xorg  command line at system
1680              level.
1681
1682              Example:
1683              $ firejail --x11 --net=eth0 firefox
1684
1685
1686       --x11=none
1687              Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and  the
1688              file  specified  in  ${XAUTHORITY} environment variable.  Remove
1689              DISPLAY and XAUTHORITY environment variables.  Stop  with  error
1690              message if X11 abstract socket will be accessible in jail.
1691
1692
1693       --x11=xephyr
1694              Start Xephyr and attach the sandbox to this server.  Xephyr is a
1695              display server implementing the X11 display server protocol.   A
1696              network  namespace  needs  to  be  instantiated in order to deny
1697              access to X11 abstract Unix domain socket.
1698
1699              Xephyr runs in a window just like any other X11 application. The
1700              default  window  size  is  800x600.   This  can  be  modified in
1701              /etc/firejail/firejail.config file.
1702
1703              The recommended way to use this feature is to run a window  man‐
1704              ager inside the sandbox.  A security profile for OpenBox is pro‐
1705              vided.
1706
1707              Xephyr is developed by Xorg project. On Debian platforms  it  is
1708              installed  with the command sudo apt-get install xserver-xephyr.
1709              This feature is not available when running as root.
1710
1711              Example:
1712              $ firejail --x11=xephyr --net=eth0 openbox
1713
1714
1715       --x11=xorg
1716              Sandbox the application using the untrusted mode implemented  by
1717              X11  security  extension.   The  extension  is available in Xorg
1718              package and it is installed by default on most  Linux  distribu‐
1719              tions.  It  provides support for a simple trusted/untrusted con‐
1720              nection model. Untrusted clients are restricted in certain  ways
1721              to  prevent  them from reading window contents of other clients,
1722              stealing input events, etc.
1723
1724              The untrusted mode has several limitations.  A  lot  of  regular
1725              programs   assume  they are a trusted X11 clients and will crash
1726              or lock up when run in  untrusted  mode.  Chromium  browser  and
1727              xterm are two examples.  Firefox and transmission-gtk seem to be
1728              working fine.  A network namespace  is  not  required  for  this
1729              option.
1730
1731              Example:
1732              $ firejail --x11=xorg firefox
1733
1734
1735       --x11=xpra
1736              Start  Xpra  (https://xpra.org)  and  attach the sandbox to this
1737              server.  Xpra is a persistent remote display server  and  client
1738              for  forwarding X11 applications and desktop screens.  A network
1739              namespace needs to be instantiated in order to  deny  access  to
1740              X11 abstract Unix domain socket.
1741
1742              On Debian platforms Xpra is installed with the command sudo apt-
1743              get install xpra.  This feature is not available when running as
1744              root.
1745
1746              Example:
1747              $ firejail --x11=xpra --net=eth0 firefox
1748
1749
1750
1751       --x11=xvfb
1752              Start  Xvfb  X11  server  and attach the sandbox to this server.
1753              Xvfb, short for X virtual framebuffer,  performs  all  graphical
1754              operations  in memory without showing any screen output. Xvfb is
1755              mainly used for remote access and software testing  on  headless
1756              servers.
1757
1758              On Debian platforms Xvfb is installed with the command sudo apt-
1759              get install xvfb.  This feature is not available when running as
1760              root.
1761
1762              Example: remote VNC access
1763
1764              On  the  server we start a sandbox using Xvfb and openbox window
1765              manager. The default size of Xvfb screen is 800x600 - it can  be
1766              changed  in  /etc/firejail/firejail.config  (xvfb-screen).  Some
1767              sort of networking (--net) is required in order to  isolate  the
1768              abstract sockets used by other X servers.
1769
1770              $ firejail --net=none --x11=xvfb openbox
1771
1772              *** Attaching to Xvfb display 792 ***
1773
1774              Reading profile /etc/firejail/openbox.profile
1775              Reading profile /etc/firejail/disable-common.inc
1776              Reading profile /etc/firejail/disable-common.local
1777              Parent pid 5400, child pid 5401
1778
1779              On  the  server  we also start a VNC server and attach it to the
1780              display handled by our Xvfb server (792).
1781
1782              $ x11vnc -display :792
1783
1784              On the client machine we start a VNC viewer and use it  to  con‐
1785              nect to our server:
1786
1787              $ vncviewer
1788
1789
1790       --xephyr-screen=WIDTHxHEIGHT
1791              Set screen size for --x11=xephyr. The setting will overwrite the
1792              default set in  /etc/firejail/firejail.config  for  the  current
1793              sandbox.  Run  xrandr  to get a list of supported resolutions on
1794              your computer.
1795
1796              Example:
1797              $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
1798              fox
1799
1800

DESKTOP INTEGRATION

1802       A  symbolic link to /usr/bin/firejail under the name of a program, will
1803       start the program in Firejail sandbox.  The  symbolic  link  should  be
1804       placed  in  the  first $PATH position. On most systems, a good place is
1805       /usr/local/bin directory. Example:
1806
1807              Make a firefox symlink to /usr/bin/firejail:
1808
1809              $ ln -s /usr/bin/firejail /usr/local/bin/firefox
1810
1811              Verify $PATH
1812
1813              $ which -a firefox
1814              /usr/local/bin/firefox
1815              /usr/bin/firefox
1816
1817              Starting firefox in this moment, automatically invokes “firejail
1818              firefox”.
1819
1820       This  works  for  clicking on desktop environment icons, menus etc. Use
1821       "firejail --tree" to verify the program is sandboxed.
1822
1823              $ firejail --tree
1824              1189:netblue:firejail firefox
1825                1190:netblue:firejail firefox
1826                  1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
1827                    1221:netblue:/usr/lib/firefox/firefox
1828
1829       We provide a tool that automates all this integration, please see man 1
1830       firecfg for more details.
1831
1832

FILE GLOBBING

1834       Globbing is the operation that expands a wildcard pattern into the list
1835       of pathnames matching the pattern. Matching is defined by:
1836
1837              - '?' matches any character
1838              - '*' matches any string
1839              - '[' denotes a range of characters
1840
1841       The gobing feature is implemented using glibc glob  command.  For  more
1842       information on the wildcard syntax see man 7 glob.
1843
1844
1845       The  following  command line options are supported: --blacklist, --pri‐
1846       vate-bin, --noexec, --read-only, --read-write, and --tmpfs.
1847
1848
1849       Examples:
1850
1851              $ firejail --private-bin=sh,bash,python*
1852              $ firejail --blacklist=~/dir[1234]
1853              $ firejail --read-only=~/dir[1-4]
1854
1855

APPARMOR

1857       AppArmor support is disabled by default at compile time. Use  --enable-
1858       apparmor configuration option to enable it:
1859
1860              $ ./configure --prefix=/usr --enable-apparmor
1861
1862       During  software  install,  a  generic AppArmor profile file, firejail-
1863       default, is placed in /etc/apparmor.d directory. The  local  customiza‐
1864       tions  can  be placed in /etc/apparmor.d/local/firejail-local. The pro‐
1865       file needs to be loaded into the kernel by reloading  apparmor.service,
1866       rebooting the system or running the following command as root:
1867
1868              # apparmor_parser -r /etc/apparmor.d/firejail-default
1869
1870       The  installed  profile is supplemental for main firejail functions and
1871       among other things does the following:
1872
1873              - Disable ptrace. With ptrace it  is  possible  to  inspect  and
1874              hijack  running programs. Usually this is needed only for debug‐
1875              ging. You should have no problems running Chromium  or  Firefox.
1876              This feature is available only on Ubuntu kernels.
1877
1878              -  Whitelist write access to several files under /run, /proc and
1879              /sys.
1880
1881              - Allow running programs only from well-known system paths, such
1882              as /bin, /sbin, /usr/bin etc. Those paths are available as read-
1883              only. Running programs and  scripts  from  user  home  or  other
1884              directories writable by the user is not allowed.
1885
1886              -  Prevent  using non-standard network sockets. Only unix, inet,
1887              inet6, netlink, raw and packet are allowed.
1888
1889              - Deny access to known sensitive paths like .snapshots.
1890
1891
1892       To enable AppArmor confinement on top of your current Firejail security
1893       features,  pass  --apparmor flag to Firejail command line. You can also
1894       include apparmor command in a Firejail profile file. Example:
1895
1896              $ firejail --apparmor firefox
1897
1898

FILE TRANSFER

1900       These features allow the user to inspect the filesystem container of an
1901       existing  sandbox  and  transfer  files  from the container to the host
1902       filesystem.
1903
1904
1905       --get=name|pid filename
1906              Retrieve the container file and store it on the host in the cur‐
1907              rent  working  directory.  The container is specified by name or
1908              PID.
1909
1910
1911       --ls=name|pid dir_or_filename
1912              List container files. The container is specified by name or PID.
1913
1914
1915       --put=name|pid src-filename dest-filename
1916              Put src-filename in sandbox container.  The container is  speci‐
1917              fied by name or PID.
1918
1919
1920       Examples:
1921
1922              $ firejail --name=mybrowser --private firefox
1923
1924              $ firejail --ls=mybrowser ~/Downloads
1925              drwxr-xr-x netblue  netblue         4096 .
1926              drwxr-xr-x netblue  netblue         4096 ..
1927              -rw-r--r-- netblue  netblue         7847 x11-x305.png
1928              -rw-r--r-- netblue  netblue         6800 x11-x642.png
1929              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
1930
1931              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
1932
1933              $  firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-
1934              clipboard.png
1935
1936

TRAFFIC SHAPING

1938       Network bandwidth is an expensive resource shared among  all  sandboxes
1939       running  on a system.  Traffic shaping allows the user to increase net‐
1940       work performance by controlling the amount of data that flows into  and
1941       out of the sandboxes.
1942
1943       Firejail  implements  a simple rate-limiting shaper based on Linux com‐
1944       mand tc.  The shaper works at sandbox level, and can be used  only  for
1945       sandboxes configured with new network namespaces.
1946
1947       Set rate-limits:
1948
1949            $ firejail --bandwidth=name|pid set network download upload
1950
1951       Clear rate-limits:
1952
1953            $ firejail --bandwidth=name|pid clear network
1954
1955       Status:
1956
1957            $ firejail --bandwidth=name|pid status
1958
1959       where:
1960            name - sandbox name
1961            pid - sandbox pid
1962            network - network interface as used by --net option
1963            download - download speed in KB/s (kilobyte per second)
1964            upload - upload speed in KB/s (kilobyte per second)
1965
1966       Example:
1967            $ firejail --name=mybrowser --net=eth0 firefox &
1968            $ firejail --bandwidth=mybrowser set eth0 80 20
1969            $ firejail --bandwidth=mybrowser status
1970            $ firejail --bandwidth=mybrowser clear eth0
1971
1972

AUDIT

1974       Audit  feature  allows the user to point out gaps in security profiles.
1975       The implementation replaces the program to be  sandboxed  with  a  test
1976       program. By default, we use faudit program distributed with Firejail. A
1977       custom test program can also be supplied by the user. Examples:
1978
1979       Running the default audit program:
1980            $ firejail --audit transmission-gtk
1981
1982       Running a custom audit program:
1983            $ firejail --audit=~/sandbox-test transmission-gtk
1984
1985       In the examples above, the sandbox configures transmission-gtk  profile
1986       and  starts  the test program. The real program, transmission-gtk, will
1987       not be started.
1988
1989       Limitations: audit feature is not implemented for --x11 commands.
1990
1991

MONITORING

1993       Option --list prints a list of  all  sandboxes.  The  format  for  each
1994       process entry is as follows:
1995
1996            PID:USER:Sandbox Name:Command
1997
1998       Option  --tree prints the tree of processes running in the sandbox. The
1999       format for each process entry is as follows:
2000
2001            PID:USER:Sandbox Name:Command
2002
2003       Option --top is similar to the UNIX top  command,  however  it  applies
2004       only to sandboxes.
2005
2006       Option  --netstats  prints  network  statistics  for  active  sandboxes
2007       installing new network namespaces.
2008
2009
2010       Listed below are the available fields (columns) in  alphabetical  order
2011       for --top and --netstat options:
2012
2013
2014       Command
2015              Command used to start the sandbox.
2016
2017       CPU%   CPU  usage,  the sandbox share of the elapsed CPU time since the
2018              last screen update
2019
2020       PID    Unique process ID for the task controlling the sandbox.
2021
2022       Prcs   Number of processes running in sandbox, including  the  control‐
2023              ling process.
2024
2025       RES    Resident Memory Size (KiB), sandbox non-swapped physical memory.
2026              It is a sum of the RES values for all processes running  in  the
2027              sandbox.
2028
2029       RX(KB/s)
2030              Network receive speed.
2031
2032       Sandbox Name
2033              The name of the sandbox, if any.
2034
2035       SHR    Shared  Memory  Size (KiB), it reflects memory shared with other
2036              processes. It is a sum of the SHR values for all processes  run‐
2037              ning in the sandbox, including the controlling process.
2038
2039       TX(KB/s)
2040              Network transmit speed.
2041
2042       Uptime Sandbox running time in hours:minutes:seconds format.
2043
2044       USER   The owner of the sandbox.
2045
2046

SECURITY PROFILES

2048       Several command line options can be passed to the program using profile
2049       files. Firejail chooses the profile file as follows:
2050
2051       1. If a profile file is provided by the user with --profile option, the
2052       profile  file is loaded. If a profile name is given, it is searched for
2053       first in the ~/.config/firejail directory and  if  not  found  then  in
2054       /etc/firejail directory. Profile names do not include the .profile suf‐
2055       fix.  Example:
2056
2057              $ firejail --profile=/home/netblue/icecat.profile icecat
2058              Reading profile /home/netblue/icecat.profile
2059              [...]
2060
2061
2062              $ firejail --profile=icecat icecat-wrapper.sh
2063              Reading profile /etc/firejail/icecat.profile
2064              [...]
2065
2066       2. If a profile file with the same name as the application  is  present
2067       in  ~/.config/firejail  directory  or  in /etc/firejail, the profile is
2068       loaded. ~/.config/firejail takes precedence over  /etc/firejail.  Exam‐
2069       ple:
2070
2071              $ firejail icecat
2072              Command name #icecat#
2073              Found icecat profile in /home/netblue/.config/firejail directory
2074              Reading profile /home/netblue/.config/firejail/icecat.profile
2075              [...]
2076
2077       3.  Use  default.profile  file  if  the sandbox is started by a regular
2078       user, or server.profile file if the sandbox is started by  root.  Fire‐
2079       jail looks for these files in ~/.config/firejail directory, followed by
2080       /etc/firejail directory.   To  disable  default  profile  loading,  use
2081       --noprofile command option. Example:
2082
2083              $ firejail
2084              Reading profile /etc/firejail/default.profile
2085              Parent pid 8553, child pid 8554
2086              Child process initialized
2087              [...]
2088
2089              $ firejail --noprofile
2090              Parent pid 8553, child pid 8554
2091              Child process initialized
2092              [...]
2093
2094       See man 5 firejail-profile for profile file syntax information.
2095
2096

RESTRICTED SHELL

2098       To  configure a restricted shell, replace /bin/bash with /usr/bin/fire‐
2099       jail in /etc/passwd file for each user that  needs  to  be  restricted.
2100       Alternatively, you can specify /usr/bin/firejail  in adduser command:
2101
2102       adduser --shell /usr/bin/firejail username
2103
2104       Additional  arguments  passed  to  firejail  executable  upon login are
2105       declared in /etc/firejail/login.users file.
2106
2107

EXAMPLES

2109       firejail
2110              Sandbox a regular /bin/bash session.
2111
2112       firejail firefox
2113              Start Mozilla Firefox.
2114
2115       firejail --debug firefox
2116              Debug Firefox sandbox.
2117
2118       firejail --private firefox
2119              Start Firefox with a new, empty home directory.
2120
2121       firejail --net=none vlc
2122              Start VLC in an unconnected network namespace.
2123
2124       firejail --net=eth0 firefox
2125              Start Firefox in a new  network  namespace.  An  IP  address  is
2126              assigned automatically.
2127
2128       firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2129              Start a /bin/bash session in a new network namespace and connect
2130              it to br0, br1, and br2 host bridge devices.  IP  addresses  are
2131              assigned  automatically  for the interfaces connected to br1 and
2132              b2
2133
2134       firejail --list
2135              List all sandboxed processes.
2136

LICENSE

2138       This program is free software; you can redistribute it and/or modify it
2139       under  the  terms of the GNU General Public License as published by the
2140       Free Software Foundation; either version 2 of the License, or (at  your
2141       option) any later version.
2142
2143       Homepage: https://firejail.wordpress.com
2144

SEE ALSO

2146       firemon(1),  firecfg(1),  firejail-profile(5),  firejail-login(5) fire‐
2147       jail-users(5)
2148
2149
2150
21510.9.57                             Nov 2018                        FIREJAIL(1)
Impressum