FIREJAIL-PROFILE(5)        firejail profiles man page        FIREJAIL-PROFILE(5)

NAME
       profile - Security profile file syntax for Firejail

SYNOPSIS
       firejail --profile=filename.profile
       firejail --profile=profile_name

DESCRIPTION
       Several command line options can be passed to the program using profile
       files. Firejail chooses the profile file as follows:

       1. If a profile file is provided by the user with the --profile option,
       the profile file is loaded. If a profile name is given, it is searched
       for first in the ~/.config/firejail directory and, if not found there,
       in the /etc/firejail directory. Profile names do not include the
       .profile suffix. Example:

              $ firejail --profile=/home/netblue/icecat.profile icecat
              Reading profile /home/netblue/icecat.profile
              [...]

              $ firejail --profile=icecat icecat-wrapper.sh
              Reading profile /etc/firejail/icecat.profile
              [...]

       2. If a profile file with the same name as the application is present
       in the ~/.config/firejail directory or in /etc/firejail, the profile is
       loaded. ~/.config/firejail takes precedence over /etc/firejail.
       Example:

              $ firejail icecat
              Command name #icecat#
              Found icecat profile in /home/netblue/.config/firejail directory
              Reading profile /home/netblue/.config/firejail/icecat.profile
              [...]

       3. Use a default.profile file if the sandbox is started by a regular
       user, or a server.profile file if the sandbox is started by root.
       Firejail looks for these files in the ~/.config/firejail directory,
       followed by the /etc/firejail directory. To disable default profile
       loading, use the --noprofile command option. Example:

              $ firejail
              Reading profile /etc/firejail/default.profile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]

              $ firejail --noprofile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]
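The three selection rules above, modelled in Python as an added example (this is not code from the man page or from the firejail project). The rules run over directories supplied by the caller, standing in for ~/.config/firejail and /etc/firejail, so the demo can be exercised on a constructed temporary tree. Two details are assumptions rather than statements of the page: a --profile value is tried as a file path first and as a bare profile name second, and --noprofile skips both the application-named profile and the default/server profile.

```python
"""Which profile file firejail loads, modelled on the three rules above.

Added example, not code from the firejail man page or project. Assumptions:
a --profile value is tried as a path first and as a bare name second, and
--noprofile skips both the application-named and the default profile.
"""
import os
import shutil
import tempfile


def select_profile(command, user_dir, sys_dir, profile_arg=None,
                   is_root=False, noprofile=False):
    """Return the profile path that would be loaded, or None for no profile.

    user_dir stands in for ~/.config/firejail, sys_dir for /etc/firejail.
    """
    def find(file_name):
        for d in (user_dir, sys_dir):          # user directory takes precedence
            candidate = os.path.join(d, file_name)
            if os.path.isfile(candidate):
                return candidate
        return None

    # Rule 1: --profile given. A readable path is used as is; anything else
    # is a profile name, looked up with the .profile suffix appended.
    if profile_arg is not None:
        if os.path.isfile(profile_arg):
            return profile_arg
        return find(profile_arg + ".profile")
    if noprofile:                              # assumption: disables rules 2 and 3
        return None
    # Rule 2: a profile named after the application.
    found = find(command + ".profile")
    if found is not None:
        return found
    # Rule 3: default.profile for a regular user, server.profile for root.
    return find("server.profile" if is_root else "default.profile")


def demo():
    """Run the rules over a constructed tree; results are paths relative to
    the tree so the outcome is stable."""
    base = tempfile.mkdtemp(prefix="fj-select-")
    user_dir, sys_dir = os.path.join(base, "user"), os.path.join(base, "sys")
    os.makedirs(user_dir)
    os.makedirs(sys_dir)
    for d, name in ((user_dir, "icecat.profile"), (sys_dir, "icecat.profile"),
                    (sys_dir, "firefox.profile"), (sys_dir, "default.profile"),
                    (sys_dir, "server.profile"), (base, "custom.profile")):
        open(os.path.join(d, name), "w").close()
    custom = os.path.join(base, "custom.profile")
    try:
        cases = {
            "explicit_path": select_profile("icecat", user_dir, sys_dir, profile_arg=custom),
            "explicit_name": select_profile("icecat", user_dir, sys_dir, profile_arg="firefox"),
            "user_over_sys": select_profile("icecat", user_dir, sys_dir),
            "sys_only": select_profile("firefox", user_dir, sys_dir),
            "default_user": select_profile("unknown", user_dir, sys_dir),
            "server_root": select_profile("unknown", user_dir, sys_dir, is_root=True),
            "noprofile": select_profile("icecat", user_dir, sys_dir, noprofile=True),
        }
        return {k: (os.path.relpath(v, base) if v else None) for k, v in cases.items()}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-14s %s" % (case, result))
```

The point to take from the demo is the precedence: a user-level icecat.profile silently wins over the system one, which is exactly why a writable ~/.config/firejail deserves the same scrutiny as /etc/firejail when auditing a sandboxed host.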
       Scripting commands:

       File and directory names
              File and directory names containing spaces are supported. The
              space character ' ' should not be escaped.

              Example: "blacklist ~/My Virtual Machines"

       # this is a comment

       ?CONDITIONAL: profile line
              Conditionally add a profile line.

              Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"

              This example will load the whitelist profile line only if the
              --appimage option has been specified on the command line.

              Currently the only conditional supported is HAS_APPIMAGE.

              The profile line may be any profile line that you would normally
              use in a profile except for "quiet" and "include" lines.

       include other.profile
              Include the other.profile file.

              Example: "include /etc/firejail/disable-common.inc"

              The file name can be prefixed with a macro such as ${HOME} or
              ${CFG}. ${HOME} is expanded to the user home directory, and
              ${CFG} is expanded to the Firejail system configuration
              directory, in most cases /etc/firejail or
              /usr/local/etc/firejail.

              Example: "include ${HOME}/myprofiles/profile1" will load the
              "~/myprofiles/profile1" file.

              Example: "include ${CFG}/firefox.profile" will load the
              "/etc/firejail/firefox.profile" file.

              The file name may also be just the name without the leading
              directory components. In this case, the user config directory
              (${HOME}/.config/firejail) is searched first for the file name,
              and if it is not found there the system configuration directory
              is searched. Note: Unlike the --profile option, which takes a
              profile name without the '.profile' suffix, include must be
              given the full file name.

              Example: "include firefox.profile" will load the
              "${HOME}/.config/firejail/firefox.profile" file and, if it does
              not exist, "${CFG}/firefox.profile" will be loaded.

              System configuration files in ${CFG} are overwritten during
              software installation. Persistent configuration at system level
              is handled in ".local" files. For every profile file in the
              ${CFG} directory, the user can create a corresponding .local
              file storing modifications to the persistent configuration.
              Persistent .local files are included at the start of regular
              profile files.

       noblacklist file_name
              If the file name matches file_name, the file will not be
              blacklisted by any blacklist commands that follow.

              Example: "noblacklist ${HOME}/.mozilla"

       nowhitelist file_name
              If the file name matches file_name, the file will not be
              whitelisted by any whitelist commands that follow.

              Example: "nowhitelist ~/.config"

       ignore Ignore the given command.

              Example: "ignore seccomp"
              Example: "ignore net eth0"

       quiet  Disable Firejail's output. This should be the first uncommented
              command in the profile file.

              Example: "quiet"
       These profile entries define a chroot filesystem built on top of the
       existing host filesystem. Each line describes a file element that is
       removed from the filesystem (blacklist), a read-only file or directory
       (read-only), a tmpfs mounted on top of an existing directory (tmpfs),
       or a directory or file bind-mounted on top of another directory or
       file (bind). Use private to set private mode. File globbing is
       supported, and PATH and HOME directories are searched. Examples:

       blacklist file_or_directory
              Blacklist directory or file. Examples:

              blacklist /usr/bin
              blacklist /usr/bin/gcc*
              blacklist ${PATH}/ifconfig
              blacklist ${HOME}/.ssh

       blacklist-nolog file_or_directory
              When the --tracelog flag is set, blacklisting generates syslog
              messages if the sandbox tries to access the file or directory.
              The blacklist-nolog command disables syslog messages for this
              particular file or directory. Examples:

              blacklist-nolog /usr/bin
              blacklist-nolog /usr/bin/gcc*

       bind directory1,directory2
              Mount-bind directory1 on top of directory2. This option is only
              available when running as root.

       bind file1,file2
              Mount-bind file1 on top of file2. This option is only available
              when running as root.

       disable-mnt
              Disable /mnt, /media, /run/mount and /run/media access.

       keep-var-tmp
              The /var/tmp directory is left untouched.

       mkdir directory
              Create a directory in the user home or under /tmp before the
              sandbox is started. The directory is created if it doesn't
              already exist.

              Use this command for whitelisted directories you need to
              preserve when the sandbox is closed. Without it, the application
              will create the directory, and the directory will be deleted
              when the sandbox is closed. Subdirectories are recursively
              created. Example from the firefox profile:

              mkdir ~/.mozilla
              whitelist ~/.mozilla
              mkdir ~/.cache/mozilla/firefox
              whitelist ~/.cache/mozilla/firefox

       mkfile file
              Similar to mkdir, this command creates a file in the user home
              or under /tmp before the sandbox is started. The file is created
              if it doesn't already exist.

       noexec file_or_directory
              Remount the file or the directory noexec, nodev and nosuid.

       overlay
              Mount a filesystem overlay on top of the current filesystem.
              The overlay is stored in the $HOME/.firejail/<PID> directory.

       overlay-named name
              Mount a filesystem overlay on top of the current filesystem.
              The overlay is stored in the $HOME/.firejail/name directory.

       overlay-tmpfs
              Mount a filesystem overlay on top of the current filesystem.
              All filesystem modifications are discarded when the sandbox is
              closed.

       private
              Mount new /root and /home/user directories in temporary
              filesystems. All modifications are discarded when the sandbox
              is closed.

       private directory
              Use directory as user home.

       private-home file,directory
              Build a new user home in a temporary filesystem, and copy the
              files and directories in the list into the new home. All
              modifications are discarded when the sandbox is closed.

       private-cache
              Mount an empty temporary filesystem on top of the .cache
              directory in the user home. All modifications are discarded
              when the sandbox is closed.

       private-bin file,file
              Build a new /bin in a temporary filesystem, and copy the
              programs in the list. The same directory is also bind-mounted
              over /sbin, /usr/bin and /usr/sbin.

       private-dev
              Create a new /dev directory. Only the disc, dri, null, full,
              zero, tty, pts, ptmx, random, snd, urandom, video, log and shm
              devices are available.

       keep-dev-shm
              The /dev/shm directory is left untouched (even with
              private-dev).

       private-etc file,directory
              Build a new /etc in a temporary filesystem, and copy the files
              and directories in the list. All modifications are discarded
              when the sandbox is closed.

       private-lib file,directory
              Build a new /lib directory and bring in the libraries required
              by the application to run. This feature is still under
              development, see man 1 firejail for some examples.

       private-opt file,directory
              Build a new /opt in a temporary filesystem, and copy the files
              and directories in the list. All modifications are discarded
              when the sandbox is closed.

       private-srv file,directory
              Build a new /srv in a temporary filesystem, and copy the files
              and directories in the list. All modifications are discarded
              when the sandbox is closed.

       private-tmp
              Mount an empty temporary filesystem on top of the /tmp
              directory, whitelisting /tmp/.X11-unix.

       read-only file_or_directory
              Make directory or file read-only.

       read-write file_or_directory
              Make directory or file read-write.

       tmpfs directory
              Mount an empty tmpfs filesystem on top of directory. This option
              is available only when running the sandbox as root.

       tracelog
              Blacklist violations are logged to syslog.

       whitelist file_or_directory
              Whitelist directory or file. A temporary file system is mounted
              on the top directory, and the whitelisted files are bind-mounted
              inside. Modifications to whitelisted files are persistent,
              everything else is discarded when the sandbox is closed. The top
              directory can be the user home, /dev, /etc, /media, /mnt, /opt,
              /srv, /sys/module, /usr/share, /var, or /tmp.

              Symbolic link handling: with the exception of the user home,
              both the link and the real file should be in the same top
              directory. For the user home, both the link and the real file
              should be owned by the user.
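A pre-flight check for the whitelist rules just stated, added as an example (not code from the man page or the firejail project). For each whitelist entry it determines the top directory the entry belongs to and then applies the symbolic link rule: outside the user home, the link and the real file must live in the same top directory; inside the user home, both must be owned by the user. The list of top directories defaults to the one the page gives but is a parameter, and the uid defaults to the current user, so the demo runs on constructed temporary directories.

```python
"""Check whitelist entries against the top-directory and symlink rules above.

Added example, not code from the firejail man page or project. top_dirs and
uid are parameters so the check can run on a constructed tree.
"""
import os
import shutil
import tempfile

# Top directories the page lists for whitelist (user home is handled apart).
PAGE_TOP_DIRS = ("/dev", "/etc", "/media", "/mnt", "/opt", "/srv",
                 "/sys/module", "/usr/share", "/var", "/tmp")


def top_dir_of(path, home, top_dirs):
    """Return the top directory containing path, or None if it is not one
    a whitelist line may point into."""
    for top in (home,) + tuple(top_dirs):
        if path == top or path.startswith(top.rstrip("/") + "/"):
            return top
    return None


def check_whitelist(path, home, top_dirs=PAGE_TOP_DIRS, uid=None):
    """Return (ok, reason) for one whitelist file_or_directory entry."""
    uid = os.getuid() if uid is None else uid
    path = os.path.abspath(path)
    top = top_dir_of(path, home, top_dirs)
    if top is None:
        return False, "not under a whitelistable top directory"
    if not os.path.lexists(path):
        return True, "path does not exist yet (mkdir/mkfile can create it)"
    if not os.path.islink(path):
        return True, "regular path"
    real = os.path.realpath(path)
    if top == home:
        # Home rule: link and target both owned by the user.
        link_uid = os.lstat(path).st_uid
        try:
            real_uid = os.stat(real).st_uid
        except FileNotFoundError:
            return False, "dangling symlink"
        if link_uid == uid and real_uid == uid:
            return True, "home: link and target owned by the user"
        return False, "home: link or target not owned by the user"
    # Other top directories: link and target in the same top directory.
    if top_dir_of(real, home, top_dirs) == top:
        return True, "link and target in the same top directory"
    return False, "link target leaves top directory %s" % top


def demo():
    """Constructed tree with a home directory and stand-ins for /opt and /srv."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="fj-wl-"))
    home, opt, srv = (os.path.join(base, d) for d in ("home", "opt", "srv"))
    for d in (home, opt, srv):
        os.makedirs(d)
    open(os.path.join(home, "real.txt"), "w").close()
    os.symlink(os.path.join(home, "real.txt"), os.path.join(home, "link.txt"))
    os.symlink(os.path.join(home, "missing"), os.path.join(home, "dangling"))
    open(os.path.join(srv, "data"), "w").close()
    os.symlink(os.path.join(srv, "data"), os.path.join(opt, "escape"))
    open(os.path.join(opt, "real"), "w").close()
    os.symlink(os.path.join(opt, "real"), os.path.join(opt, "local"))
    tops = (opt, srv)
    try:
        return {
            "home_link": check_whitelist(os.path.join(home, "link.txt"), home, tops)[0],
            "home_dangling": check_whitelist(os.path.join(home, "dangling"), home, tops)[0],
            "opt_to_srv": check_whitelist(os.path.join(opt, "escape"), home, tops)[0],
            "opt_internal": check_whitelist(os.path.join(opt, "local"), home, tops)[0],
            "outside_tops": check_whitelist(os.path.join(base, "elsewhere"), home, tops)[0],
            "not_yet_created": check_whitelist(os.path.join(home, "notyet"), home, tops)[0],
        }
    finally:
        shutil.rmtree(base)
```

The "opt_to_srv" case is the one worth remembering: a whitelisted link in /opt whose target sits in /srv resolves to a path the temporary /opt does not contain, so the entry must be rejected rather than silently expose or lose the target.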
       writable-etc
              Mount the /etc directory read-write.

       writable-run-user
              Disable the default blacklisting of /run/user/$UID/systemd and
              /run/user/$UID/gnupg.

       writable-var
              Mount the /var directory read-write.

       writable-var-log
              Use the real /var/log directory, not a clone. By default, a
              tmpfs is mounted on top of the /var/log directory, and a
              skeleton filesystem is created based on the original /var/log.

       The following security filters are currently implemented:

       apparmor
              Enable AppArmor confinement.

       caps   Enable the default Linux capabilities filter.

       caps.drop all
              Blacklist all Linux capabilities.

       caps.drop capability,capability,capability
              Blacklist the given Linux capabilities.

       caps.keep capability,capability,capability
              Whitelist the given Linux capabilities.

       protocol protocol1,protocol2,protocol3
              Enable the protocol filter. The filter is based on seccomp and
              checks the first argument to the socket system call. Recognized
              values: unix, inet, inet6, netlink and packet.

       seccomp
              Enable the seccomp filter and blacklist the syscalls in the
              default list. See man 1 firejail for more details.

       seccomp syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list on top of the default seccomp filter.

       seccomp.block-secondary
              Enable the seccomp filter and filter system call architectures
              so that only the native architecture is allowed.

       seccomp.drop syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list.

       seccomp.keep syscall,syscall,syscall
              Enable the seccomp filter and whitelist the system calls in the
              list.

       memory-deny-write-execute
              Install a seccomp filter to block attempts to create memory
              mappings that are both writable and executable, to change
              mappings to be executable or to create executable shared memory.

       nonewprivs
              Sets the NO_NEW_PRIVS prctl. This ensures that child processes
              cannot acquire new privileges using execve(2); in particular,
              this means that calling a suid binary (or one with file
              capabilities) does not result in an increase of privilege.
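What the nonewprivs line switches on, shown as an added example (not code from the man page or the firejail project): the NO_NEW_PRIVS bit set through prctl(2), called here via ctypes on Linux. The probe runs in a forked child so the calling process is left untouched, and reports the three properties that make the bit useful for a sandbox: once set it reads back as 1, the kernel refuses to clear it (EINVAL), and it survives execve(2), which is why a setuid binary started afterwards gains nothing. The constants are the values from <linux/prctl.h>.

```python
"""NO_NEW_PRIVS as set by the nonewprivs profile line, probed via prctl(2).

Added example, not the man page's or the firejail project's code. Linux only.
"""
import ctypes
import errno
import json
import os
import subprocess
import sys

PR_SET_NO_NEW_PRIVS = 38      # values from <linux/prctl.h>
PR_GET_NO_NEW_PRIVS = 39
EINVAL = errno.EINVAL

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.restype = ctypes.c_int
_libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4


def get_no_new_privs():
    """Read the NO_NEW_PRIVS bit of the calling process (0 or 1)."""
    return _libc.prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0)


def set_no_new_privs(value=1):
    """Try to set the bit to value; return 0 on success, else the errno."""
    if _libc.prctl(PR_SET_NO_NEW_PRIVS, value, 0, 0, 0) == 0:
        return 0
    return ctypes.get_errno()


def probe_in_child():
    """Fork a child that sets the bit and reports what it then observes."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                      # child
        os.close(r)
        report = {"set_rc": set_no_new_privs(1),      # 0: accepted
                  "after_set": get_no_new_privs(),    # 1: now in force
                  "clear_errno": set_no_new_privs(0)}  # EINVAL: cannot be undone
        # execve(2) keeps the bit: a freshly started interpreter reads it back.
        probe = "import ctypes; print(ctypes.CDLL(None).prctl(39, 0, 0, 0, 0))"
        out = subprocess.check_output([sys.executable, "-c", probe])
        report["after_exec"] = int(out.strip())
        os.write(w, json.dumps(report).encode())
        os._exit(0)
    os.close(w)
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    os.waitpid(pid, 0)
    return json.loads(b"".join(chunks).decode())


if __name__ == "__main__":
    print(probe_in_child())
```

The irreversibility is the security property: a program inside the sandbox, or anything it executes later, cannot talk its way back out of the restriction, which is what makes nonewprivs a safe companion to caps.drop and seccomp.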
381
382 noroot Use this command to enable an user namespace. The namespace has
383 only one user, the current user. There is no root account (uid
384 0) defined in the namespace.
385
386 x11 Enable X11 sandboxing.
387
388 x11 none
389 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file
390 specified in ${XAUTHORITY} environment variable. Remove DISPLAY
391 and XAUTHORITY environment variables. Stop with error message
392 if X11 abstract socket will be accessible in jail.
393
394 x11 xephyr
395 Enable X11 sandboxing with Xephyr server.
396
397 x11 xorg
398 Enable X11 sandboxing with X11 security extension.
399
400 x11 xpra
401 Enable X11 sandboxing with Xpra server.
402
403 x11 xvfb
404 Enable X11 sandboxing with Xvfb server.
405
406 xephyr-screen WIDTHxHEIGHT
407 Set screen size for x11 xephyr. This command should be included
408 in the profile file before x11 xephyr command.
409
410 Example:
411
412 xephyr-screen 640x480
413 x11 xephyr
414
415
416
417
419 These profile entries define the limits on system resources (rlimits)
420 for the processes inside the sandbox. The limits can be modified
421 inside the sandbox using the regular ulimit command. cpu command con‐
422 figures the CPU cores available, and cgroup command place the sandbox
423 in an existing control group.
424
425 Examples:
426
427
428 rlimit-as 123456789012
429 Set the maximum size of the process's virtual memory to
430 123456789012 bytes.
431
432 rlimit-cpu 123
433 Set the maximum CPU time in seconds.
434
435 rlimit-fsize 1024
436 Set the maximum file size that can be created by a process to
437 1024 bytes.
438
439 rlimit-nproc 1000
440 Set the maximum number of processes that can be created for the
441 real user ID of the calling process to 1000.
442
443 rlimit-nofile 500
444 Set the maximum number of files that can be opened by a process
445 to 500.
446
447 rlimit-sigpending 200
448 Set the maximum number of processes that can be created for the
449 real user ID of the calling process to 200.
450
451 cpu 0,1,2
452 Use only CPU cores 0, 1 and 2.
453
454 nice -5
455 Set a nice value of -5 to all processes running inside the sand‐
456 box.
457
458 cgroup /sys/fs/cgroup/g1/tasks
459 The sandbox is placed in g1 control group.
460
461 timeout hh:mm:ss
462 Kill the sandbox automatically after the time has elapsed. The
463 time is specified in hours/minutes/seconds format.
464
465
467 allusers
468 All user home directories are visible inside the sandbox. By
469 default, only current user home directory is visible.
470
471
472 name sandboxname
473 Set sandbox name. Example:
474
475 name browser
476
477
478 env name=value
479 Set environment variable. Examples:
480
481 env LD_LIBRARY_PATH=/opt/test/lib
482 env CFLAGS="-W -Wall -Werror"
483
484
485 nodvd Disable DVD and audio CD devices.
486
487 nogroups
488 Disable supplementary user groups
489
490 shell none
491 Run the program directly, without a shell.
492
493 ipc-namespace
494 Enable IPC namespace.
495
496 nodbus Disable D-Bus access. Only the regular UNIX socket is handled by
497 this command. To disable the abstract socket, you would need to
498 request a new network namespace using the net command. Another
499 option is to remove unix from protocol set.
500
501 nosound
502 Disable sound system.
503
504 noautopulse
505 Disable automatic ~/.config/pulse init, for complex setups such
506 as remote pulse servers or non-standard socket paths.
507
508 notv Disable DVB (Digital Video Broadcasting) TV devices.
509
510 nou2f Disable U2F devices.
511
512 novideo
513 Disable video devices.
514
515 no3d Disable 3D hardware acceleration.
516
517
519 Networking features available in profile files.
520
521
522 defaultgw address
523 Use this address as default gateway in the new network names‐
524 pace.
525
526
527 dns address
528 Set a DNS server for the sandbox. Up to three DNS servers can be
529 defined.
530
531
532 hostname name
533 Set a hostname for the sandbox.
534
535
536 hosts-file file
537 Use file as /etc/hosts.
538
539
540 ip address
541 Assign IP addresses to the last network interface defined by a
542 net command. A default gateway is assigned by default.
543
544 Example:
545 net eth0
546 ip 10.10.20.56
547
548
549 ip none
550 No IP address and no default gateway are configured for the last
551 interface defined by a net command. Use this option in case you
552 intend to start an external DHCP client in the sandbox.
553
554 Example:
555 net eth0
556 ip none
557
558
559 ip6 address
560 Assign IPv6 addresses to the last network interface defined by a
561 net command.
562
563 Example:
564 net eth0
565 ip6 2001:0db8:0:f101::1/64
566
567
568 iprange address,address
569 Assign an IP address in the provided range to the last network
570 interface defined by a net command. A default gateway is
571 assigned by default.
572
573 Example:
574
575 net eth0
576 iprange 192.168.1.150,192.168.1.160
577
578
579 mac address
580 Assign MAC addresses to the last network interface defined by a
581 net command.
582
583
584 machine-id
585 Spoof id number in /etc/machine-id file - a new random id is
586 generated inside the sandbox.
587
588
589 mtu number
590 Assign a MTU value to the last network interface defined by a
591 net command.
592
593
594
595
596 netfilter
597 If a new network namespace is created, enabled default network
598 filter.
599
600
601 netfilter filename
602 If a new network namespace is created, enabled the network fil‐
603 ter in filename.
604
605
606 net bridge_interface
607 Enable a new network namespace and connect it to this bridge
608 interface. Unless specified with option --ip and --defaultgw,
609 an IP address and a default gateway will be assigned automati‐
610 cally to the sandbox. The IP address is verified using ARP
611 before assignment. The address configured as default gateway is
612 the bridge device IP address. Up to four --net bridge devices
613 can be defined. Mixing bridge and macvlan devices is allowed.
614
615
616 net ethernet_interface|wireless_interface
617 Enable a new network namespace and connect it to this ethernet
618 interface using the standard Linux macvlan or ipvlan driver.
619 Unless specified with option --ip and --defaultgw, an IP address
620 and a default gateway will be assigned automatically to the
621 sandbox. The IP address is verified using ARP before assignment.
622 The address configured as default gateway is the default gateway
623 of the host. Up to four --net devices can be defined. Mixing
624 bridge and macvlan devices is allowed.
625
626
627 net tap_interface
628 Enable a new network namespace and connect it to this ethernet
629 tap interface using the standard Linux macvlan driver. If the
630 tap interface is not configured, the sandbox will not try to
631 configure the interface inside the sandbox. Please use ip, net‐
632 mask and defaultgw to specify the configuration.
633
634
635 net none
636 Enable a new, unconnected network namespace. The only interface
637 available in the new namespace is a new loopback interface (lo).
638 Use this option to deny network access to programs that don't
639 really need network access.
640
641
642 netmask address
643 Use this option when you want to assign an IP address in a new
644 namespace and the parent interface specified by --net is not
645 configured. An IP address and a default gateway address also
646 have to be added.
647
648
649 veth-name name
650 Use this name for the interface connected to the bridge for
651 --net=bridge_interface commands, instead of the default one.
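A consistency check for the networking lines above, added as an example (not code from the man page or the firejail project). It scans profile lines and reports violations of the constraints the page states: ip, ip6, iprange, mac and mtu need a preceding net interface; at most four net devices; at most three dns servers; an iprange must be an ordered pair; and, when ip, netmask and defaultgw are all given explicitly (the tap case), the gateway must lie in the subnet of the assigned address. "ip none" is accepted as the DHCP case. Address parsing uses the standard ipaddress module; the two profile fragments at the end are constructed inputs.

```python
"""Lint the networking lines of a firejail profile against the page's rules.

Added example, not code from the man page or the firejail project.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def lint_network(lines):
    """Return a list of human-readable problems found in the profile lines."""
    problems, nets, dns = [], [], []
    last_net, ip, netmask, gateway = None, None, None, None

    def bad(n, msg):
        problems.append("line %d: %s" % (n, msg))

    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        try:
            if cmd == "net":
                last_net = arg
                if arg != "none":
                    nets.append(arg)
                    if len(nets) > 4:
                        bad(n, "more than four net devices")
            elif cmd in ("ip", "ip6", "iprange", "mac", "mtu"):
                if last_net in (None, "none"):     # nothing to assign to
                    bad(n, "%s needs a preceding net interface" % cmd)
                elif cmd == "ip" and arg != "none":  # "ip none": DHCP case
                    ip = ipaddress.IPv4Address(arg)
                elif cmd == "ip6":
                    ipaddress.IPv6Interface(arg)      # accepts address/prefix
                elif cmd == "iprange":
                    lo, hi = (ipaddress.IPv4Address(a) for a in arg.split(","))
                    if lo > hi:
                        bad(n, "iprange start is above its end")
                elif cmd == "mac" and not MAC_RE.match(arg):
                    bad(n, "malformed mac address")
                elif cmd == "mtu" and not 68 <= int(arg) <= 65535:
                    bad(n, "implausible mtu")
            elif cmd == "dns":
                dns.append(ipaddress.ip_address(arg))
                if len(dns) > 3:
                    bad(n, "more than three dns servers")
            elif cmd == "netmask":
                netmask = ipaddress.IPv4Address(arg)
            elif cmd == "defaultgw":
                gateway = ipaddress.IPv4Address(arg)
        except ValueError:                            # any unparsable argument
            bad(n, "bad %s argument %r" % (cmd, arg))

    # Explicit configuration (the tap case): the gateway must be reachable
    # from the assigned address, i.e. lie inside the same subnet.
    if ip and netmask and gateway:
        subnet = ipaddress.IPv4Interface("%s/%s" % (ip, netmask)).network
        if gateway not in subnet:
            problems.append("defaultgw %s is outside %s" % (gateway, subnet))
    return problems


# Constructed inputs: one consistent fragment, one that breaks several rules.
GOOD_PROFILE = [
    "net eth0", "ip 10.10.20.56", "netmask 255.255.255.0",
    "defaultgw 10.10.20.1", "mtu 1500", "mac 00:11:22:33:44:55",
    "dns 9.9.9.9", "net eth1", "ip6 2001:0db8:0:f101::1/64",
]
BAD_PROFILE = [
    "ip 10.10.20.56",                                   # 1: no net line yet
    "net eth0", "net eth1", "net eth2", "net eth3", "net eth4",   # 6: five devices
    "iprange 192.168.1.160,192.168.1.150",              # 7: reversed range
    "dns 1.1.1.1", "dns 8.8.8.8", "dns 9.9.9.9", "dns 1.0.0.1",   # 11: four servers
    "ip 10.10.20.56", "netmask 255.255.255.0",
    "defaultgw 10.10.30.1",                             # not in 10.10.20.0/24
    "mac 00:11:22:33:44:zz",                            # 15: malformed
]

if __name__ == "__main__":
    for p in lint_network(BAD_PROFILE):
        print(p)
```

Running the linter before installing a profile catches the class of mistake that otherwise only shows up as a sandbox without connectivity, or, worse, one whose ip line silently attached to a different interface than intended.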
       join-or-start sandboxname
              Join the sandbox identified by name or start a new one. Same as
              the "firejail --join=sandboxname" command if a sandbox with the
              specified name exists, otherwise same as "name sandboxname".

FILES
       /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile

LICENSE
       Firejail is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       Homepage: https://firejail.wordpress.com

SEE ALSO
       firejail(1), firemon(1), firecfg(1), firejail-login(5),
       firejail-users(5)

0.9.57                            Jan 2019                 FIREJAIL-PROFILE(5)