FIREJAIL-PROFILE(5)       firejail profiles man page       FIREJAIL-PROFILE(5)


NAME

       profile - Security profile file syntax for Firejail


USAGE

       firejail --profile=filename.profile
       firejail --profile=profile_name


DESCRIPTION

       Several command line options can be passed to the program using profile
       files. Firejail chooses the profile file as follows:

       1. If a profile file is provided by the user with the --profile option,
       that profile file is loaded. If a profile name is given instead of a
       path, it is searched for first in the ~/.config/firejail directory and,
       if not found there, in the /etc/firejail directory. Profile names do not
       include the .profile suffix. Example:

              $ firejail --profile=/home/netblue/icecat.profile icecat
              Reading profile /home/netblue/icecat.profile
              [...]

              $ firejail --profile=icecat icecat-wrapper.sh
              Reading profile /etc/firejail/icecat.profile
              [...]

       2. If a profile file with the same name as the application is present
       in the ~/.config/firejail directory or in /etc/firejail, that profile
       is loaded. ~/.config/firejail takes precedence over /etc/firejail.
       Example:

              $ firejail icecat
              Command name #icecat#
              Found icecat profile in /home/netblue/.config/firejail directory
              Reading profile /home/netblue/.config/firejail/icecat.profile
              [...]

       3. Otherwise, use a default.profile file if the sandbox is started by a
       regular user, or a server.profile file if the sandbox is started by
       root. Firejail looks for these files in the ~/.config/firejail
       directory, followed by the /etc/firejail directory. To disable default
       profile loading, use the --noprofile command option. Example:

              $ firejail
              Reading profile /etc/firejail/default.profile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]

              $ firejail --noprofile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]

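The three-step lookup above, as an added example that is not part of the firejail man page or of the firejail source: a Python function that applies the steps to a constructed set of profile paths. The injected `exists` predicate, the `SAMPLE_FILES` set, the user directory /home/netblue/.config/firejail and the treatment of --noprofile as skipping both automatic lookups (steps 2 and 3) are this example's assumptions.

```python
import os

# Added example (not firejail's own code): the profile lookup order from the
# DESCRIPTION section. `exists` is injected so the lookup can run against a
# constructed file set instead of the real filesystem.
def resolve_profile(profile_opt=None, app_name=None, is_root=False,
                    noprofile=False, user_dir="~/.config/firejail",
                    system_dir="/etc/firejail", exists=os.path.isfile):
    """Return the path of the profile firejail would read, or None."""

    def search(name):
        # Profile names never carry the .profile suffix; it is appended here.
        # The user directory takes precedence over the system directory.
        for directory in (user_dir, system_dir):
            candidate = os.path.join(directory, name + ".profile")
            if exists(candidate):
                return candidate
        return None

    # 1. --profile: a path is loaded as given, a bare name is searched for.
    if profile_opt:
        if os.sep in profile_opt:
            return profile_opt if exists(profile_opt) else None
        return search(profile_opt)

    # Assumption of this example: --noprofile skips both automatic lookups
    # (the page only says it disables default profile loading).
    if noprofile:
        return None

    # 2. A profile named after the application (basename of the command).
    if app_name:
        found = search(os.path.basename(app_name))
        if found:
            return found

    # 3. default.profile for regular users, server.profile for root.
    return search("server" if is_root else "default")


# Constructed file set standing in for the directories the page mentions.
SAMPLE_FILES = {
    "/home/netblue/icecat.profile",
    "/home/netblue/.config/firejail/icecat.profile",
    "/etc/firejail/icecat.profile",
    "/etc/firejail/default.profile",
    "/etc/firejail/server.profile",
}
SAMPLE_USER_DIR = "/home/netblue/.config/firejail"


def lookup(**kwargs):
    """resolve_profile bound to the constructed file set."""
    return resolve_profile(user_dir=SAMPLE_USER_DIR,
                           exists=SAMPLE_FILES.__contains__, **kwargs)


if __name__ == "__main__":
    for args in ({"profile_opt": "/home/netblue/icecat.profile", "app_name": "icecat"},
                 {"profile_opt": "icecat", "app_name": "icecat-wrapper.sh"},
                 {"app_name": "/usr/bin/icecat"},
                 {"app_name": "firefox"},
                 {"app_name": "firefox", "is_root": True},
                 {"app_name": "firefox", "noprofile": True}):
        print(args, "->", lookup(**args))
```

Because both the user and the system directory hold an icecat.profile in the constructed set, the bare name `--profile=icecat` resolves to the user copy; the page's second example shows the system copy only because no user copy existed there.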

Scripting

       Scripting commands:


       File and directory names
              File and directory names containing spaces are supported. The
              space character ' ' should not be escaped.

              Example: "blacklist ~/My Virtual Machines"


       # this is a comment


       ?CONDITIONAL: profile line
              Conditionally add a profile line.

              Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"

              This example will load the whitelist profile line only if the
              --appimage option has been specified on the command line.

              Currently the only conditional supported is HAS_APPIMAGE.

              The profile line may be any profile line that you would normally
              use in a profile, except for "quiet" and "include" lines.


       include other.profile
              Include the other.profile file.

              Example: "include /etc/firejail/disable-common.inc"

              The file name can be prefixed with a macro such as ${HOME} or
              ${CFG}. ${HOME} is expanded to the user home directory, and
              ${CFG} is expanded to the Firejail system configuration
              directory, in most cases /etc/firejail or
              /usr/local/etc/firejail.

              Example: "include ${HOME}/myprofiles/profile1" will load the
              "~/myprofiles/profile1" file.

              Example: "include ${CFG}/firefox.profile" will load the
              "/etc/firejail/firefox.profile" file.

              The file name may also be just the name without the leading
              directory components. In this case, the user config directory
              (${HOME}/.config/firejail) is searched first for the file name,
              and if it is not found there the system configuration directory
              is searched for the file name. Note: unlike the --profile option,
              which takes a profile name without the '.profile' suffix,
              include must be given the full file name.

              Example: "include firefox.profile" will load the
              "${HOME}/.config/firejail/firefox.profile" file, and if it does
              not exist "${CFG}/firefox.profile" will be loaded.

              System configuration files in ${CFG} are overwritten during
              software installation. Persistent configuration at system level
              is handled in ".local" files. For every profile file in the
              ${CFG} directory, the user can create a corresponding .local
              file storing modifications to the persistent configuration.
              Persistent .local files are included at the start of regular
              profile files.


       noblacklist file_name
              If the file name matches file_name, the file will not be
              blacklisted in any blacklist commands that follow.

              Example: "noblacklist ${HOME}/.mozilla"


       nowhitelist file_name
              If the file name matches file_name, the file will not be
              whitelisted in any whitelist commands that follow.

              Example: "nowhitelist ~/.config"


       ignore command
              Ignore the given command wherever it appears in the profile.

              Example: "ignore seccomp"
              Example: "ignore net ehh0"


       quiet  Disable Firejail's output. This should be the first uncommented
              command in the profile file.

              Example: "quiet"

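The scripting commands above (comments, the ?HAS_APPIMAGE: conditional, include with ${HOME}/${CFG} macros and bare-name search, quiet, ignore, noblacklist and nowhitelist), worked through as an added example that is not firejail's own parser: a small Python parser that runs against a constructed set of in-memory files. The sample profile, the .local file and the exact matching rules for ignore ("ignore seccomp" drops every seccomp line, "ignore net eth0" drops exactly that line) are this example's assumptions, as is the home directory /home/netblue.

```python
import os

# Added example, not firejail's own parser: applies this section's scripting
# rules to in-memory profile text. `files` maps absolute paths to contents so
# that everything runs against constructed input. The macro expansion, the
# bare-name include search and the matching rules for ignore, noblacklist
# and nowhitelist are this example's reading of the man page.
USER_CONFIG_SUBDIR = ".config/firejail"   # ${HOME}/.config/firejail


def expand_macros(path, home, cfg):
    """Expand ${HOME}, ${CFG} and a leading ~ as the page describes."""
    path = path.replace("${HOME}", home).replace("${CFG}", cfg)
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return path


def resolve_include(name, files, home, cfg):
    """Absolute path for an include argument. A bare file name (no directory
    part) is searched in ${HOME}/.config/firejail first, then in ${CFG};
    unlike --profile, no .profile suffix is ever appended."""
    name = expand_macros(name, home, cfg)
    candidates = [name] if os.sep in name else [
        os.path.join(home, USER_CONFIG_SUBDIR, name), os.path.join(cfg, name)]
    for candidate in candidates:
        if candidate in files:
            return candidate
    raise FileNotFoundError(f"include {name}: tried {candidates}")


def parse_profile(text, files, home="/home/netblue", cfg="/etc/firejail",
                  has_appimage=False, _state=None):
    """Return the effective profile lines (macros expanded) after comments,
    ?HAS_APPIMAGE: conditionals, include, quiet, ignore, noblacklist and
    nowhitelist have been applied. State is shared with included files, so
    an ignore or noblacklist in a .local file affects the including profile."""
    state = _state if _state is not None else {
        "quiet": False, "ignored": set(), "noblacklist": set(), "nowhitelist": set()}
    effective = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment
            continue
        if line.startswith("?"):                       # ?CONDITIONAL: profile line
            cond, _, line = line[1:].partition(":")
            if cond.strip() != "HAS_APPIMAGE":         # the only supported conditional
                raise ValueError(f"unsupported conditional {cond.strip()!r}")
            line = line.strip()
            if line.split(" ", 1)[0] in ("quiet", "include"):
                raise ValueError("quiet and include cannot be conditional")
            if not has_appimage:
                continue
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "quiet":
            state["quiet"] = True
            continue
        if cmd == "ignore":
            state["ignored"].add(arg)
            continue
        if cmd == "include":
            path = resolve_include(arg, files, home, cfg)
            effective.extend(parse_profile(files[path], files, home, cfg,
                                           has_appimage, state))
            continue
        # "ignore seccomp" drops every seccomp line; "ignore net eth0" drops
        # exactly that line (this example's reading of the two page examples).
        if cmd in state["ignored"] or line in state["ignored"]:
            continue
        if cmd in ("blacklist", "whitelist", "noblacklist", "nowhitelist"):
            arg = expand_macros(arg, home, cfg)
        if cmd in ("noblacklist", "nowhitelist"):
            state[cmd].add(arg)                        # affects later lines only
            continue
        if cmd == "blacklist" and arg in state["noblacklist"]:
            continue
        if cmd == "whitelist" and arg in state["nowhitelist"]:
            continue
        effective.append(f"{cmd} {arg}".strip())
    return effective


# Constructed sample: a ${CFG} profile, its persistent .local override in the
# user config directory, and a shared include file.
SAMPLE_FILES = {
    "/etc/firejail/icecat.profile": "\n".join([
        "quiet",
        "include icecat.local",             # bare name: user dir first, then ${CFG}
        "# comment",
        "noblacklist ${HOME}/.mozilla",
        "include ${CFG}/disable-common.inc",
        "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir",
        "seccomp",
        "net eth0",
    ]),
    "/home/netblue/.config/firejail/icecat.local": "ignore net eth0",
    "/etc/firejail/disable-common.inc": "blacklist ${HOME}/.mozilla\nblacklist ${HOME}/.ssh",
}


def effective_lines(has_appimage=False):
    """Effective lines of the sample icecat profile."""
    return parse_profile(SAMPLE_FILES["/etc/firejail/icecat.profile"],
                         SAMPLE_FILES, has_appimage=has_appimage)
```

Run against the sample, the .local file's `ignore net eth0` removes the profile's `net eth0`, the earlier `noblacklist ${HOME}/.mozilla` survives into the included disable-common.inc and suppresses its `blacklist ${HOME}/.mozilla`, and the whitelist line appears only when the parser is told --appimage was given.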

Filesystem

       These profile entries define a chroot filesystem built on top of the
       existing host filesystem. Each line describes a file element that is
       removed from the filesystem (blacklist), a read-only file or directory
       (read-only), a tmpfs mounted on top of an existing directory (tmpfs),
       or a directory or file mount-bound on top of another directory or file
       (bind). Use private to set private mode. File globbing is supported,
       and PATH and HOME directories are searched. Examples:

       blacklist file_or_directory
              Blacklist directory or file. Examples:

              blacklist /usr/bin
              blacklist /usr/bin/gcc*
              blacklist ${PATH}/ifconfig
              blacklist ${HOME}/.ssh


       blacklist-nolog file_or_directory
              When the --tracelog flag is set, blacklisting generates syslog
              messages if the sandbox tries to access the file or directory.
              The blacklist-nolog command disables syslog messages for this
              particular file or directory. Examples:

              blacklist-nolog /usr/bin
              blacklist-nolog /usr/bin/gcc*


       bind directory1,directory2
              Mount-bind directory1 on top of directory2. This option is only
              available when running as root.

       bind file1,file2
              Mount-bind file1 on top of file2. This option is only available
              when running as root.

       disable-mnt
              Disable /mnt, /media, /run/mount and /run/media access.

       keep-var-tmp
              The /var/tmp directory is untouched.

       mkdir directory
              Create a directory in the user home or under /tmp before the
              sandbox is started. The directory is created if it doesn't
              already exist.

              Use this command for whitelisted directories you need to
              preserve when the sandbox is closed. Without it, the application
              will create the directory, and the directory will be deleted
              when the sandbox is closed. Subdirectories are recursively
              created. Example from the firefox profile:

              mkdir ~/.mozilla
              whitelist ~/.mozilla
              mkdir ~/.cache/mozilla/firefox
              whitelist ~/.cache/mozilla/firefox

       mkfile file
              Similar to mkdir, this command creates a file in the user home or
              under /tmp before the sandbox is started. The file is created if
              it doesn't already exist.

       noexec file_or_directory
              Remount the file or the directory noexec, nodev and nosuid.

       overlay
              Mount a filesystem overlay on top of the current filesystem.
              The overlay is stored in the $HOME/.firejail/<PID> directory.

       overlay-named name
              Mount a filesystem overlay on top of the current filesystem.
              The overlay is stored in the $HOME/.firejail/name directory.

       overlay-tmpfs
              Mount a filesystem overlay on top of the current filesystem.
              All filesystem modifications are discarded when the sandbox is
              closed.

       private
              Mount new /root and /home/user directories in temporary
              filesystems. All modifications are discarded when the sandbox is
              closed.

       private directory
              Use directory as user home.

       private-home file,directory
              Build a new user home in a temporary filesystem, and copy the
              files and directories in the list into the new home. All
              modifications are discarded when the sandbox is closed.

       private-cache
              Mount an empty temporary filesystem on top of the .cache
              directory in the user home. All modifications are discarded when
              the sandbox is closed.

       private-bin file,file
              Build a new /bin in a temporary filesystem, and copy the
              programs in the list. The same directory is also bind-mounted
              over /sbin, /usr/bin and /usr/sbin.

       private-dev
              Create a new /dev directory. Only the disc, dri, null, full,
              zero, tty, pts, ptmx, random, snd, urandom, video, log and shm
              devices are available.

       keep-dev-shm
              The /dev/shm directory is untouched (even with private-dev).

       private-etc file,directory
              Build a new /etc in a temporary filesystem, and copy the files
              and directories in the list. All modifications are discarded
              when the sandbox is closed.

       private-lib file,directory
              Build a new /lib directory and bring in the libraries required
              by the application to run. This feature is still under
              development; see man 1 firejail for some examples.

       private-opt file,directory
              Build a new /opt in a temporary filesystem, and copy the files
              and directories in the list. All modifications are discarded
              when the sandbox is closed.

       private-srv file,directory
              Build a new /srv in a temporary filesystem, and copy the files
              and directories in the list. All modifications are discarded
              when the sandbox is closed.

       private-tmp
              Mount an empty temporary filesystem on top of the /tmp
              directory, whitelisting /tmp/.X11-unix.

       read-only file_or_directory
              Make directory or file read-only.

       read-write file_or_directory
              Make directory or file read-write.

       tmpfs directory
              Mount an empty tmpfs filesystem on top of directory. This option
              is available only when running the sandbox as root.

       tracelog
              Log blacklist violations to syslog.

       whitelist file_or_directory
              Whitelist directory or file. A temporary filesystem is mounted
              on the top directory, and the whitelisted files are bind-mounted
              inside it. Modifications to whitelisted files are persistent;
              everything else is discarded when the sandbox is closed. The top
              directory can be the user home, /dev, /etc, /media, /mnt, /opt,
              /srv, /sys/module, /usr/share, /var, or /tmp.

              Symbolic link handling: with the exception of the user home,
              both the link and the real file should be in the same top
              directory. For the user home, both the link and the real file
              should be owned by the user.

       writable-etc
              Mount the /etc directory read-write.

       writable-run-user
              Disable the default blacklisting of /run/user/$UID/systemd and
              /run/user/$UID/gnupg.

       writable-var
              Mount the /var directory read-write.

       writable-var-log
              Use the real /var/log directory, not a clone. By default, a
              tmpfs is mounted on top of the /var/log directory, and a
              skeleton filesystem is created based on the original /var/log.


Security filters

       The following security filters are currently implemented:


       apparmor
              Enable AppArmor confinement.

       caps   Enable the default Linux capabilities filter.

       caps.drop all
              Blacklist all Linux capabilities.

       caps.drop capability,capability,capability
              Blacklist the given Linux capabilities.

       caps.keep capability,capability,capability
              Whitelist the given Linux capabilities.

       protocol protocol1,protocol2,protocol3
              Enable the protocol filter. The filter is based on seccomp and
              checks the first argument to the socket system call. Recognized
              values: unix, inet, inet6, netlink and packet.

       seccomp
              Enable the seccomp filter and blacklist the syscalls in the
              default list. See man 1 firejail for more details.

       seccomp syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list on top of the default seccomp filter.

       seccomp.block-secondary
              Enable the seccomp filter and filter system call architectures
              so that only the native architecture is allowed.

       seccomp.drop syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list.

       seccomp.keep syscall,syscall,syscall
              Enable the seccomp filter and whitelist the system calls in the
              list.

       memory-deny-write-execute
              Install a seccomp filter to block attempts to create memory
              mappings that are both writable and executable, to change
              mappings to be executable, or to create executable shared
              memory.

       nonewprivs
              Sets the NO_NEW_PRIVS prctl. This ensures that child processes
              cannot acquire new privileges using execve(2); in particular,
              this means that calling a suid binary (or one with file
              capabilities) does not result in an increase of privilege.

       noroot Use this command to enable a user namespace. The namespace has
              only one user, the current user. There is no root account (uid
              0) defined in the namespace.

       x11    Enable X11 sandboxing.

       x11 none
              Blacklist the /tmp/.X11-unix directory, ${HOME}/.Xauthority and
              the file specified in the ${XAUTHORITY} environment variable.
              Remove the DISPLAY and XAUTHORITY environment variables. Stop
              with an error message if the X11 abstract socket would be
              accessible in the jail.

       x11 xephyr
              Enable X11 sandboxing with a Xephyr server.

       x11 xorg
              Enable X11 sandboxing with the X11 security extension.

       x11 xpra
              Enable X11 sandboxing with an Xpra server.

       x11 xvfb
              Enable X11 sandboxing with an Xvfb server.

       xephyr-screen WIDTHxHEIGHT
              Set the screen size for x11 xephyr. This command should be
              included in the profile file before the x11 xephyr command.

              Example:

              xephyr-screen 640x480
              x11 xephyr


Resource limits, CPU affinity, Control Groups

       These profile entries define the limits on system resources (rlimits)
       for the processes inside the sandbox. The limits can be modified inside
       the sandbox using the regular ulimit command. The cpu command
       configures the CPU cores available, and the cgroup command places the
       sandbox in an existing control group.

       Examples:


       rlimit-as 123456789012
              Set the maximum size of the process's virtual memory to
              123456789012 bytes.

       rlimit-cpu 123
              Set the maximum CPU time to 123 seconds.

       rlimit-fsize 1024
              Set the maximum file size that can be created by a process to
              1024 bytes.

       rlimit-nproc 1000
              Set the maximum number of processes that can be created for the
              real user ID of the calling process to 1000.

       rlimit-nofile 500
              Set the maximum number of files that can be opened by a process
              to 500.

       rlimit-sigpending 200
              Set the maximum number of pending signals for the real user ID
              of the calling process to 200.

       cpu 0,1,2
              Use only CPU cores 0, 1 and 2.

       nice -5
              Set a nice value of -5 for all processes running inside the
              sandbox.

       cgroup /sys/fs/cgroup/g1/tasks
              The sandbox is placed in the g1 control group.

       timeout hh:mm:ss
              Kill the sandbox automatically after the time has elapsed. The
              time is specified in hours:minutes:seconds format.


User Environment

       allusers
              All user home directories are visible inside the sandbox. By
              default, only the current user home directory is visible.


       name sandboxname
              Set the sandbox name. Example:

              name browser


       env name=value
              Set an environment variable. Examples:

              env LD_LIBRARY_PATH=/opt/test/lib
              env CFLAGS="-W -Wall -Werror"


       nodvd  Disable DVD and audio CD devices.

       nogroups
              Disable supplementary user groups.

       shell none
              Run the program directly, without a shell.

       ipc-namespace
              Enable an IPC namespace.

       nodbus Disable D-Bus access. Only the regular UNIX socket is handled by
              this command. To disable the abstract socket, you would need to
              request a new network namespace using the net command. Another
              option is to remove unix from the protocol set.

       nosound
              Disable the sound system.

       noautopulse
              Disable automatic ~/.config/pulse init, for complex setups such
              as remote pulse servers or non-standard socket paths.

       notv   Disable DVB (Digital Video Broadcasting) TV devices.

       nou2f  Disable U2F devices.

       novideo
              Disable video devices.

       no3d   Disable 3D hardware acceleration.


Networking

       Networking features available in profile files.


       defaultgw address
              Use this address as the default gateway in the new network
              namespace.


       dns address
              Set a DNS server for the sandbox. Up to three DNS servers can be
              defined.


       hostname name
              Set a hostname for the sandbox.


       hosts-file file
              Use file as /etc/hosts.


       ip address
              Assign an IP address to the last network interface defined by a
              net command. A default gateway is assigned by default.

              Example:
              net eth0
              ip 10.10.20.56


       ip none
              No IP address and no default gateway are configured for the last
              interface defined by a net command. Use this option in case you
              intend to start an external DHCP client in the sandbox.

              Example:
              net eth0
              ip none


       ip6 address
              Assign an IPv6 address to the last network interface defined by
              a net command.

              Example:
              net eth0
              ip6 2001:0db8:0:f101::1/64


       iprange address,address
              Assign an IP address in the provided range to the last network
              interface defined by a net command. A default gateway is
              assigned by default.

              Example:

              net eth0
              iprange 192.168.1.150,192.168.1.160


       mac address
              Assign a MAC address to the last network interface defined by a
              net command.


       machine-id
              Spoof the id number in the /etc/machine-id file: a new random id
              is generated inside the sandbox.


       mtu number
              Assign an MTU value to the last network interface defined by a
              net command.


       netfilter
              If a new network namespace is created, enable the default
              network filter.


       netfilter filename
              If a new network namespace is created, enable the network filter
              in filename.


       net bridge_interface
              Enable a new network namespace and connect it to this bridge
              interface. Unless specified with the --ip and --defaultgw
              options, an IP address and a default gateway will be assigned
              automatically to the sandbox. The IP address is verified using
              ARP before assignment. The address configured as default gateway
              is the bridge device IP address. Up to four --net bridge devices
              can be defined. Mixing bridge and macvlan devices is allowed.


       net ethernet_interface|wireless_interface
              Enable a new network namespace and connect it to this ethernet
              interface using the standard Linux macvlan or ipvlan driver.
              Unless specified with the --ip and --defaultgw options, an IP
              address and a default gateway will be assigned automatically to
              the sandbox. The IP address is verified using ARP before
              assignment. The address configured as default gateway is the
              default gateway of the host. Up to four --net devices can be
              defined. Mixing bridge and macvlan devices is allowed.


       net tap_interface
              Enable a new network namespace and connect it to this ethernet
              tap interface using the standard Linux macvlan driver. If the
              tap interface is not configured, the sandbox will not try to
              configure the interface inside the sandbox. Please use ip,
              netmask and defaultgw to specify the configuration.


       net none
              Enable a new, unconnected network namespace. The only interface
              available in the new namespace is a new loopback interface (lo).
              Use this option to deny network access to programs that don't
              really need network access.


       netmask address
              Use this option when you want to assign an IP address in a new
              namespace and the parent interface specified by --net is not
              configured. An IP address and a default gateway address also
              have to be added.


       veth-name name
              Use this name for the interface connected to the bridge for
              --net=bridge_interface commands, instead of the default one.

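Several rules on this page can be checked mechanically before a profile is deployed: the Scripting section says quiet must be the first uncommented command, the Security filters section says xephyr-screen must precede x11 xephyr, and the ip, ip6, iprange, mac and mtu entries above all act on the last interface defined by a preceding net command, while bind and tmpfs are root-only. The following is an added example, not a firejail tool: a small profile linter that reports violations of those ordering rules and lists which of the page's security filters a profile lacks. The HARDENING checklist is this example's own choice of baseline drawn from the filters the page documents, not a firejail requirement, and the sample profile is constructed.

```python
# Added example (not a firejail tool): a profile linter built from the
# ordering rules stated in this man page and a checklist of the security
# filters it documents. The checklist is this example's own baseline.

# Commands that act on "the last network interface defined by a net command".
NEEDS_NET = {"ip", "ip6", "iprange", "mac", "mtu"}
# Commands the page says are available only when running as root.
ROOT_ONLY = {"bind", "tmpfs"}
# (label, predicate over (command, argument)) for the baseline checklist.
HARDENING = [
    ("seccomp", lambda c, a: c.startswith("seccomp")),
    ("caps.drop all", lambda c, a: c == "caps.drop" and a == "all"),
    ("nonewprivs", lambda c, a: c == "nonewprivs"),
    ("noroot", lambda c, a: c == "noroot"),
    ("private-dev", lambda c, a: c == "private-dev"),
    ("private-tmp", lambda c, a: c == "private-tmp"),
    ("net (new network namespace)", lambda c, a: c == "net"),
]


def lint_profile(lines):
    """Return (findings, missing): ordering/availability findings as
    'line N: ...' strings, and the HARDENING labels no line satisfies."""
    findings, seen = [], []
    first_cmd = None
    net_defined = False
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment
            continue
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if first_cmd is None:
            first_cmd = cmd
        if cmd == "quiet" and first_cmd != "quiet":
            findings.append(f"line {number}: quiet should be the first uncommented command")
        if cmd in NEEDS_NET and not net_defined:
            findings.append(f"line {number}: {cmd} needs a preceding net command")
        if cmd == "net":
            net_defined = True
        if cmd == "xephyr-screen" and ("x11", "xephyr") in seen:
            findings.append(f"line {number}: xephyr-screen must come before x11 xephyr")
        if cmd in ROOT_ONLY:
            findings.append(f"line {number}: {cmd} is only available when the sandbox runs as root")
        seen.append((cmd, arg))
    missing = [label for label, ok in HARDENING if not any(ok(c, a) for c, a in seen)]
    return findings, missing


# Constructed, deliberately misordered profile used as sample input.
SAMPLE_PROFILE = """\
# added example: misordered profile
include disable-common.inc
quiet
x11 xephyr
xephyr-screen 640x480
ip 10.10.20.56
net eth0
caps.drop all
nonewprivs
private-tmp
"""

if __name__ == "__main__":
    found, lacking = lint_profile(SAMPLE_PROFILE.splitlines())
    for item in found:
        print(item)
    print("missing from baseline:", ", ".join(lacking))
```

On the sample the linter flags quiet at line 3 (an include precedes it), xephyr-screen at line 5 (after x11 xephyr) and ip at line 6 (no net yet), and reports seccomp, noroot and private-dev as absent; a profile that opens with quiet and carries the full baseline produces no findings.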

Other

       join-or-start sandboxname
              Join the sandbox identified by name or start a new one. Same as
              the "firejail --join=sandboxname" command if a sandbox with the
              specified name exists, otherwise same as "name sandboxname".


FILES

       /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile


LICENSE

       Firejail is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       Homepage: https://firejail.wordpress.com

SEE ALSO

       firejail(1), firemon(1), firecfg(1), firejail-login(5), firejail-users(5)


0.9.57                             Jan 2019                FIREJAIL-PROFILE(5)