1FIREJAIL(1) firejail man page FIREJAIL(1)
2
6 Firejail - Linux namespaces sandbox program
7
9 Start a sandbox:
10 firejail [OPTIONS] [program and arguments]
12 Start an AppImage program:
14 firejail [OPTIONS] --appimage [appimage-file and arguments]
16 File transfer from an existing sandbox
18 firejail {--ls | --get | --put} dir_or_filename
20 Network traffic shaping for an existing sandbox:
22 firejail --bandwidth={name|pid} bandwidth-command
24 Monitoring:
26 firejail {--list | --netstats | --top | --tree}
28 Miscellaneous:
30 firejail {-? | --debug-caps | --debug-errnos | --debug-syscalls
32 | --debug-protocols | --help | --version}
33
35 Firejail is a SUID sandbox program that reduces the risk of security
36 breaches by restricting the running environment of untrusted applica‐
37 tions using Linux namespaces, seccomp-bpf and Linux capabilities. It
38 allows a process and all its descendants to have their own private view
39 of the globally shared kernel resources, such as the network stack,
40 process table, mount table. Firejail can work in a SELinux or AppArmor
41 environment, and it is integrated with Linux Control Groups.
42 Written in C with virtually no dependencies, the software runs on any
44 Linux computer with a 3.x kernel version or newer. It can sandbox any
45 type of processes: servers, graphical applications, and even user login
46 sessions.
47 Firejail allows the user to manage application security using security
49 profiles. Each profile defines a set of permissions for a specific
50 application or group of applications. The software includes security
51 profiles for a number of more common Linux programs, such as Mozilla
52 Firefox, Chromium, VLC, Transmission etc.
53 Alternative sandbox technologies like snap (https://snapcraft.io/) and
55 flatpak (https://flatpak.org/) are not supported. Snap and flatpak
56 packages have their own native management tools and will not work when
57 sandboxed with Firejail.
58
61 Without any options, the sandbox consists of a filesystem build in a
62 new mount namespace, and new PID and UTS namespaces. IPC, network and
63 user namespaces can be added using the command line options. The
64 default Firejail filesystem is based on the host filesystem with the
65 main system directories mounted read-only. These directories are /etc,
66 /var, /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home
67 and /tmp are writable.
68 As it starts up, Firejail tries to find a security profile based on the
70 name of the application. If an appropriate profile is not found, Fire‐
71 jail will use a default profile. The default profile is quite restric‐
72 tive. In case the application doesn't work, use --noprofile option to
73 disable it. For more information, please see SECURITY PROFILES section
74 below.
75 If a program argument is not specified, Firejail starts /bin/bash
77 shell. Examples:
78 $ firejail [OPTIONS] # starting a /bin/bash shell
80 $ firejail [OPTIONS] firefox # starting Mozilla Firefox
82 # sudo firejail [OPTIONS] /etc/init.d/nginx start
84
87 -- Signal the end of options and disables further option process‐
88 ing.
89 --allow-debuggers
91 Allow tools such as strace and gdb inside the sandbox by
92 whitelisting system calls ptrace and process_vm_readv. This
93 option is only available when running on Linux kernels 4.8 or
94 newer - a kernel bug in ptrace system call allows a full bypass
95 of the seccomp filter.
96 Example:
98 $ firejail --allow-debuggers --profile=/etc/firejail/fire‐
99 fox.profile strace -f firefox
100 --allusers
102 All directories under /home are visible inside the sandbox. By
103 default, only current user home directory is visible.
104 Example:
106 $ firejail --allusers
107 --apparmor
109 Enable AppArmor confinement. For more information, please see
110 APPARMOR section below.
111 --apparmor.print=name|pid
113 Print the AppArmor confinement status for the sandbox identified
114 by name or by PID.
115 Example:
117 $ firejail --apparmor.print=browser
118 5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
119 AppArmor: firejail-default enforce
120 --appimage
123 Sandbox an AppImage (https://appimage.org/) application. If the
124 sandbox is started as a regular user, nonewprivs and a default
125 capabilities filter are enabled.
126 Example:
128 $ firejail --appimage krita-3.0-x86_64.appimage
129 $ firejail --appimage --private krita-3.0-x86_64.appimage
130 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
131 --audit
134 Audit the sandbox, see AUDIT section for more details.
135 --audit=test-program
137 Audit the sandbox, see AUDIT section for more details.
138 --bandwidth=name|pid
140 Set bandwidth limits for the sandbox identified by name or PID,
141 see TRAFFIC SHAPING section for more details.
142 --bind=filename1,filename2
144 Mount-bind filename1 on top of filename2. This option is only
145 available when running as root.
146 Example:
148 # firejail --bind=/config/etc/passwd,/etc/passwd
149 --blacklist=dirname_or_filename
151 Blacklist directory or file. File globbing is supported, see
152 FILE GLOBBING section for more details.
153 Example:
155 $ firejail --blacklist=/sbin --blacklist=/usr/sbin
156 $ firejail --blacklist=~/.mozilla
157 $ firejail "--blacklist=/home/username/My Virtual Machines"
158 $ firejail --blacklist=/home/username/My\ Virtual\ Machines
159 --build
161 The command builds a whitelisted profile. The profile is printed
162 on the screen. If /usr/bin/strace is installed on the system, it
163 also builds a whitelisted seccomp profile. The program is run in
164 a very relaxed sandbox, with only --caps.drop=all and --nonew‐
165 privs. Programs that raise user privileges are not supported in
166 order to allow strace to run. Chromium and Chromium-based
167 browsers will not work.
168 Example:
170 $ firejail --build vlc ~/Videos/test.mp4
171 --build=profile-file
173 The command builds a whitelisted profile, and saves it in pro‐
174 file-file. If /usr/bin/strace is installed on the system, it
175 also builds a whitelisted seccomp profile. The program is run in
176 a very relaxed sandbox, with only --caps.drop=all and --nonew‐
177 privs. Programs that raise user privileges are not supported in
178 order to allow strace to run. Chromium and Chromium-based
179 browsers will not work.
180 Example:
182 $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
183 -c Login shell compatibility option. This option is use by some
185 login programs when executing the login shell, such as when
186 firejail is used as a restricted login shell. It currently does
187 not change the execution of firejail.
188 --caps Linux capabilities is a kernel feature designed to split up the
190 root privilege into a set of distinct privileges. These privi‐
191 leges can be enabled or disabled independently, thus restricting
192 what a process running as root can do in the system.
193 By default root programs run with all capabilities enabled.
195 --caps option disables the following capabilities: CAP_SYS_MOD‐
196 ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
197 FIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. The filter is
198 applied to all processes started in the sandbox.
199 Example:
201 $ sudo firejail --caps /etc/init.d/nginx start
202 --caps.drop=all
205 Drop all capabilities for the processes running in the sandbox.
206 This option is recommended for running GUI programs or any other
207 program that doesn't require root privileges. It is a must-have
208 option for sandboxing untrusted programs installed from unoffi‐
209 cial sources - such as games, Java programs, etc.
210 Example:
212 $ firejail --caps.drop=all warzone2100
213 --caps.drop=capability,capability,capability
216 Define a custom blacklist Linux capabilities filter.
217 Example:
219 $ firejail --caps.drop=net_broadcast,net_admin,net_raw
220 --caps.keep=capability,capability,capability
223 Define a custom whitelist Linux capabilities filter.
224 Example:
226 $ sudo firejail --caps.keep=chown,net_bind_service,setgid,\
227 setuid /etc/init.d/nginx start
228 --caps.print=name|pid
231 Print the caps filter for the sandbox identified by name or by
232 PID.
233 Example:
235 $ firejail --name=mygame --caps.drop=all warzone2100 &
236 $ firejail --caps.print=mygame
237 Example:
239 $ firejail --list
240 3272:netblue::firejail --private firefox
241 $ firejail --caps.print=3272
242 --cgroup=tasks-file
245 Place the sandbox in the specified control group. tasks-file is
246 the full path of cgroup tasks file.
247 Example:
249 # firejail --cgroup=/sys/fs/cgroup/g1/tasks
250 --chroot=dirname
253 Chroot the sandbox into a root filesystem. Unlike the regular
254 filesystem container, the system directories are mounted read-
255 write. If the sandbox is started as a regular user, nonewprivs
256 and a default capabilities filter are enabled.
257 Example:
259 $ firejail --chroot=/media/ubuntu warzone2100
260 --cpu=cpu-number,cpu-number,cpu-number
263 Set CPU affinity.
264 Example:
266 $ firejail --cpu=0,1 handbrake
267 --cpu.print=name|pid
270 Print the CPU cores in use by the sandbox identified by name or
271 by PID.
272 Example:
274 $ firejail --name=mygame --caps.drop=all warzone2100 &
275 $ firejail --cpu.print=mygame
276 Example:
278 $ firejail --list
279 3272:netblue::firejail --private firefox
280 $ firejail --cpu.print=3272
281 --debug
284 Print debug messages.
285 Example:
287 $ firejail --debug firefox
288 --debug-blacklists
291 Debug blacklisting.
292 Example:
294 $ firejail --debug-blacklists firefox
295 --debug-caps
298 Print all recognized capabilities in the current Firejail soft‐
299 ware build and exit.
300 Example:
302 $ firejail --debug-caps
303 --debug-errnos
306 Print all recognized error numbers in the current Firejail soft‐
307 ware build and exit.
308 Example:
310 $ firejail --debug-errnos
311 --debug-private-lib
313 Debug messages for --private-lib option.
314 --debug-protocols
316 Print all recognized protocols in the current Firejail software
317 build and exit.
318 Example:
320 $ firejail --debug-protocols
321 --debug-syscalls
323 Print all recognized system calls in the current Firejail soft‐
324 ware build and exit.
325 Example:
327 $ firejail --debug-syscalls
328 --debug-whitelists
330 Debug whitelisting.
331 Example:
333 $ firejail --debug-whitelists firefox
334 --defaultgw=address
337 Use this address as default gateway in the new network names‐
338 pace.
339 Example:
341 $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
342 --disable-mnt
345 Blacklist /mnt, /media, /run/mount and /run/media access.
346 Example:
348 $ firejail --disable-mnt firefox
349 --deterministic-exit-code
352 Always exit firejail with the first child's exit status. The
353 default behavior is to use the exit status of the final child to
354 exit, which can be nondeterministic.
355 --dns=address
358 Set a DNS server for the sandbox. Up to three DNS servers can be
359 defined. Use this option if you don't trust the DNS setup on
360 your network.
361 Example:
363 $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
364 Note: this feature is not supported on systemd-resolved setups.
366 --dns.print=name|pid
368 Print DNS configuration for a sandbox identified by name or by
369 PID.
370 Example:
372 $ firejail --name=mygame --caps.drop=all warzone2100 &
373 $ firejail --dns.print=mygame
374 Example:
376 $ firejail --list
377 3272:netblue::firejail --private firefox
378 $ firejail --dns.print=3272
379 --env=name=value
382 Set environment variable in the new sandbox.
383 Example:
385 $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
386 --fs.print=name|pid
389 Print the filesystem log for the sandbox identified by name or
390 by PID.
391 Example:
393 $ firejail --name=mygame --caps.drop=all warzone2100 &
394 $ firejail --fs.print=mygame
395 Example:
397 $ firejail --list
398 3272:netblue::firejail --private firefox
399 $ firejail --fs.print=3272
400 --get=name|pid filename
403 Get a file from sandbox container, see FILE TRANSFER section for
404 more details.
405 -?, --help
408 Print options end exit.
409 --hostname=name
413 Set sandbox hostname.
414 Example:
416 $ firejail --hostname=officepc firefox
417 --hosts-file=file
420 Use file as /etc/hosts.
421 Example:
423 $ firejail --hosts-file=~/myhosts firefox
424 --ignore=command
427 Ignore command in profile file.
428 Example:
430 $ firejail --ignore=shell --ignore=seccomp firefox
431 $ firejail --ignore="net eth0" firefox
432 --interface=interface
434 Move interface in a new network namespace. Up to four --inter‐
435 face options can be specified. Note: wlan devices are not sup‐
436 ported for this option.
437 Example:
439 $ firejail --interface=eth1 --interface=eth0.vlan100
440 --ip=address
443 Assign IP addresses to the last network interface defined by a
444 --net option. A default gateway is assigned by default.
445 Example:
447 $ firejail --net=eth0 --ip=10.10.20.56 firefox
448 --ip=none
451 No IP address and no default gateway are configured for the last
452 interface defined by a --net option. Use this option in case you
453 intend to start an external DHCP client in the sandbox.
454 Example:
456 $ firejail --net=eth0 --ip=none
457 If the corresponding interface doesn't have an IP address con‐
459 figured, this option is enabled by default.
460 --ip6=address
463 Assign IPv6 addresses to the last network interface defined by a
464 --net option.
465 Example:
467 $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
468 Note: you don't need this option if you obtain your ip6 address
470 from router via SLAAC (your ip6 address and default route will
471 be configured by kernel automatically).
472 --iprange=address,address
475 Assign an IP address in the provided range to the last network
476 interface defined by a --net option. A default gateway is
477 assigned by default.
478 Example:
480 $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
481 --ipc-namespace
484 Enable a new IPC namespace if the sandbox was started as a reg‐
485 ular user. IPC namespace is enabled by default for sandboxes
486 started as root.
487 Example:
489 $ firejail --ipc-namespace firefox
490 --join=name|pid
492 Join the sandbox identified by name or by PID. By default a
493 /bin/bash shell is started after joining the sandbox. If a pro‐
494 gram is specified, the program is run in the sandbox. If --join
495 command is issued as a regular user, all security filters are
496 configured for the new process the same they are configured in
497 the sandbox. If --join command is issued as root, the security
498 filters, cgroups and cpus configurations are not applied to the
499 process joining the sandbox.
500 Example:
502 $ firejail --name=mygame --caps.drop=all warzone2100 &
503 $ firejail --join=mygame
504 Example:
506 $ firejail --list
507 3272:netblue::firejail --private firefox
508 $ firejail --join=3272
509 --join-filesystem=name|pid
512 Join the mount namespace of the sandbox identified by name or
513 PID. By default a /bin/bash shell is started after joining the
514 sandbox. If a program is specified, the program is run in the
515 sandbox. This command is available only to root user. Security
516 filters, cgroups and cpus configurations are not applied to the
517 process joining the sandbox.
518 --join-network=name|pid
521 Join the network namespace of the sandbox identified by name. By
522 default a /bin/bash shell is started after joining the sandbox.
523 If a program is specified, the program is run in the sandbox.
524 This command is available only to root user. Security filters,
525 cgroups and cpus configurations are not applied to the process
526 joining the sandbox. Example:
527 # start firefox
529 $ firejail --net=eth0 --name=browser firefox &
530 # change netfilter configuration
532 $ sudo firejail --join-network=browser bash -c "cat /etc/fire‐
533 jail/nolocal.net | /sbin/iptables-restore"
534 # verify netfilter configuration
536 $ sudo firejail --join-network=browser /sbin/iptables -vL
537 # verify IP addresses
539 $ sudo firejail --join-network=browser ip addr
540 Switching to pid 1932, the first child process inside the sand‐
541 box
542 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
543 UNKNOWN group default
544 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
545 inet 127.0.0.1/8 scope host lo
546 valid_lft forever preferred_lft forever
547 inet6 ::1/128 scope host
548 valid_lft forever preferred_lft forever
549 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
550 noqueue state UNKNOWN group default
551 link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
552 inet 192.168.1.158/24 brd 192.168.1.255 scope global
553 eth0-1931
554 valid_lft forever preferred_lft forever
555 inet6 fe80::7458:14ff:fe42:78e4/64 scope link
556 valid_lft forever preferred_lft forever
557 --join-or-start=name
560 Join the sandbox identified by name or start a new one. Same as
561 "firejail --join=name" if sandbox with specified name exists,
562 otherwise same as "firejail --name=name ..."
563 Note that in contrary to other join options there is respective
564 profile option.
565 --keep-dev-shm
568 /dev/shm directory is untouched (even with --private-dev)
569 Example:
571 $ firejail --keep-dev-shm --private-dev
572 --keep-var-tmp
575 /var/tmp directory is untouched.
576 Example:
578 $ firejail --keep-var-tmp
579 --list List all sandboxes, see MONITORING section for more details.
582 Example:
584 $ firejail --list
585 7015:netblue:browser:firejail firefox
586 7056:netblue:torrent:firejail --net=eth0 transmission-gtk
587 7064:netblue::firejail --noroot xterm
588 --ls=name|pid dir_or_filename
590 List files in sandbox container, see FILE TRANSFER section for
591 more details.
592 --mac=address
595 Assign MAC addresses to the last network interface defined by a
596 --net option. This option is not supported for wireless inter‐
597 faces.
598 Example:
600 $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
601 --machine-id
604 Spoof id number in /etc/machine-id file - a new random id is
605 generated inside the sandbox. Note that this breaks audio sup‐
606 port. Enable it when sound is not required.
607 Example:
609 $ firejail --machine-id
610 --memory-deny-write-execute
613 Install a seccomp filter to block attempts to create memory map‐
614 pings that are both writable and executable, to change mappings
615 to be executable, or to create executable shared memory. The
616 filter examines the arguments of mmap, mmap2, mprotect,
617 pkey_mprotect, memfd_create and shmat system calls and kills the
618 process if necessary.
619 Note: shmat is not implemented as a system call on some plat‐
621 forms including i386, and it cannot be handled by seccomp-bpf.
622 --mtu=number
625 Assign a MTU value to the last network interface defined by a
626 --net option.
627 Example:
629 $ firejail --net=eth0 --mtu=1492
630 --name=name
633 Set sandbox name. Several options, such as --join and --shut‐
634 down, can use this name to identify a sandbox.
635 In case the name supplied by the user is already in use by
637 another sandbox, Firejail will assign a new name as "name-PID",
638 where PID is the process ID of the sandbox. This functionality
639 can be disabled at run time in /etc/firejail/firejail.config
640 file, by setting "name-change" flag to "no".
641 Example:
643 $ firejail --name=browser firefox &
644 $ firejail --name=browser --private firefox --no-remote &
645 $ firejail --list
646 1198:netblue:browser:firejail --name=browser firefox
647 1312:netblue:browser-1312:firejail --name=browser --private
648 firefox --no-remote
649 --net=bridge_interface
652 Enable a new network namespace and connect it to this bridge
653 interface. Unless specified with option --ip and --defaultgw,
654 an IP address and a default gateway will be assigned automati‐
655 cally to the sandbox. The IP address is verified using ARP
656 before assignment. The address configured as default gateway is
657 the bridge device IP address. Up to four --net options can be
658 specified.
659 Example:
661 $ sudo brctl addbr br0
662 $ sudo ifconfig br0 10.10.20.1/24
663 $ sudo brctl addbr br1
664 $ sudo ifconfig br1 10.10.30.1/24
665 $ firejail --net=br0 --net=br1
666 --net=ethernet_interface|wireless_interface
669 Enable a new network namespace and connect it to this ethernet
670 interface using the standard Linux macvlan|ipvaln driver. Unless
671 specified with option --ip and --defaultgw, an IP address and a
672 default gateway will be assigned automatically to the sandbox.
673 The IP address is verified using ARP before assignment. The
674 address configured as default gateway is the default gateway of
675 the host. Up to four --net options can be specified. Support
676 for ipvlan driver was introduced in Linux kernel 3.19.
677 Example:
679 $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
680 $ firejail --net=wlan0 firefox
681 --net=none
684 Enable a new, unconnected network namespace. The only interface
685 available in the new namespace is a new loopback interface (lo).
686 Use this option to deny network access to programs that don't
687 really need network access.
688 Example:
690 $ firejail --net=none vlc
691 Note: --net=none can crash the application on some platforms.
693 In these cases, it can be replaced with --protocol=unix.
694 --net=tap_interface
697 Enable a new network namespace and connect it to this ethernet
698 tap interface using the standard Linux macvlan driver. If the
699 tap interface is not configured, the sandbox will not try to
700 configure the interface inside the sandbox. Please use --ip,
701 --netmask and --defaultgw to specify the configuration.
702 Example:
704 $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
705 --defaultgw=10.10.20.1 firefox
706 --net.print=name|pid
709 If a new network namespace is enabled, print network interface
710 configuration for the sandbox specified by name or PID. Example:
711 $ firejail --net.print=browser
713 Switching to pid 1853, the first child process inside the sand‐
714 box
715 Interface MAC IP Mask Status
716 lo 127.0.0.1 255.0.0.0 UP
717 eth0-1852 5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
718 --netfilter
721 Enable a default firewall if a new network namespace is created
722 inside the sandbox. This option has no effect for sandboxes
723 using the system network namespace.
724 The default firewall is optimized for regular desktop applica‐
726 tions. No incoming connections are accepted:
727 *filter
729 :INPUT DROP [0:0]
730 :FORWARD DROP [0:0]
731 :OUTPUT ACCEPT [0:0]
732 -A INPUT -i lo -j ACCEPT
733 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
734 # allow ping
735 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
736 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
737 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
738 # drop STUN (WebRTC) requests
739 -A OUTPUT -p udp --dport 3478 -j DROP
740 -A OUTPUT -p udp --dport 3479 -j DROP
741 -A OUTPUT -p tcp --dport 3478 -j DROP
742 -A OUTPUT -p tcp --dport 3479 -j DROP
743 COMMIT
744 Example:
746 $ firejail --net=eth0 --netfilter firefox
747 --netfilter=filename
749 Enable the firewall specified by filename if a new network
750 namespace is created inside the sandbox. This option has no
751 effect for sandboxes using the system network namespace.
752 Please use the regular iptables-save/iptables-restore format for
754 the filter file. The following examples are available in
755 /etc/firejail directory:
756 webserver.net is a webserver firewall that allows access only to
758 TCP ports 80 and 443. Example:
759 $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
761 /etc/init.d/apache2 start
762 nolocal.net is a desktop client firewall that disable access to
764 local network. Example:
765 $ firejail --netfilter=/etc/firejail/nolocal.net \
767 --net=eth0 firefox
768 --netfilter=filename,arg1,arg2,arg3 ...
774 This is the template version of the previous command. $ARG1,
775 $ARG2, $ARG3 ... in the firewall script are replaced with arg1,
776 arg2, arg3 ... passed on the command line. Up to 16 arguments
777 are supported. Example:
778 $ firejail --net=eth0 --ip=192.168.1.105 \
780 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
781 --netfilter.print=name|pid
786 Print the firewall installed in the sandbox specified by name or
787 PID. Example:
788 $ firejail --name=browser --net=eth0 --netfilter firefox &
790 $ firejail --netfilter.print=browser
791 --netfilter6=filename
794 Enable the IPv6 firewall specified by filename if a new network
795 namespace is created inside the sandbox. This option has no
796 effect for sandboxes using the system network namespace. Please
797 use the regular iptables-save/iptables-restore format for the
798 filter file.
799 --netfilter6.print=name|pid
802 Print the IPv6 firewall installed in the sandbox specified by
803 name or PID. Example:
804 $ firejail --name=browser --net=eth0 --netfilter firefox &
806 $ firejail --netfilter6.print=browser
807 --netmask=address
810 Use this option when you want to assign an IP address in a new
811 namespace and the parent interface specified by --net is not
812 configured. An IP address and a default gateway address also
813 have to be added. By default the new namespace interface comes
814 without IP address and default gateway configured. Example:
815 $ sudo /sbin/brctl addbr br0
817 $ sudo /sbin/ifconfig br0 up
818 $ firejail --ip=10.10.20.67 --netmask=255.255.255.0
819 --defaultgw=10.10.20.1
820 --netns=name
823 Run the program in a named, persistent network namespace. These
824 can be created and configured using "ip netns".
825 --netstats
828 Monitor network namespace statistics, see MONITORING section for
829 more details.
830 Example:
832 $ firejail --netstats
834 PID User RX(KB/s) TX(KB/s) Command
835 1294 netblue 53.355 1.473 firejail --net=eth0 firefox
836 7383 netblue 9.045 0.112 firejail --net=eth0 transmission
837 --nice=value
840 Set nice value for all processes running inside the sandbox.
841 Only root may specify a negative value.
842 Example:
844 $ firejail --nice=2 firefox
845 --no3d Disable 3D hardware acceleration.
848 Example:
850 $ firejail --no3d firefox
851 --noautopulse
854 Disable automatic ~/.config/pulse init, for complex setups such
855 as remote pulse servers or non-standard socket paths.
856 Example:
858 $ firejail --noautopulse firefox
859 --noblacklist=dirname_or_filename
862 Disable blacklist for this directory or file.
863 Example:
865 $ firejail
866 $ nc dict.org 2628
867 bash: /bin/nc: Permission denied
868 $ exit
869 $ firejail --noblacklist=/bin/nc
871 $ nc dict.org 2628
872 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
873 --nodbus
875 Disable D-Bus access (both system and session buses). Only the
876 regular UNIX sockets are handled by this command. To disable the
877 abstract sockets you would need to request a new network names‐
878 pace using --net command. Another option is to remove unix from
879 --protocol set.
880 Example:
882 $ firejail --nodbus --net=none
883 --nodvd
885 Disable DVD and audio CD devices.
886 Example:
888 $ firejail --nodvd
889 --noexec=dirname_or_filename
891 Remount directory or file noexec, nodev and nosuid. File glob‐
892 bing is supported, see FILE GLOBBING section for more details.
893 Example:
895 $ firejail --noexec=/tmp
896 /etc and /var are noexec by default if the sandbox was started
898 as a regular user.
899 --nogroups
902 Disable supplementary groups. Without this option, supplementary
903 groups are enabled for the user starting the sandbox. For root
904 user supplementary groups are always disabled.
905 Note: By default all regular user groups are removed with the
907 exception of the current user. This can be changed using
908 --allusers command option.
909 Example:
911 $ id
912 uid=1000(netblue) gid=1000(netblue) groups=1000(net‐
913 blue),24(cdrom),25(floppy),27(sudo),29(audio)
914 $ firejail --nogroups
915 Parent pid 8704, child pid 8705
916 Child process initialized
917 $ id
918 uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
919 $
920 --nonewprivs
923 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
924 cannot acquire new privileges using execve(2); in particular,
925 this means that calling a suid binary (or one with file capabil‐
926 ities) does not result in an increase of privilege. This option
927 is enabled by default if seccomp filter is activated.
928 --noprofile
931 Do not use a security profile.
932 Example:
934 $ firejail
935 Reading profile /etc/firejail/default.profile
936 Parent pid 8553, child pid 8554
937 Child process initialized
938 [...]
939 $ firejail --noprofile
941 Parent pid 8553, child pid 8554
942 Child process initialized
943 [...]
944 --noroot
947 Install a user namespace with a single user - the current user.
948 root user does not exist in the new namespace. This option
949 requires a Linux kernel version 3.8 or newer. The option is not
950 supported for --chroot and --overlay configurations, or for
951 sandboxes started as root.
952 Example:
954 $ firejail --noroot
955 Parent pid 8553, child pid 8554
956 Child process initialized
957 $ ping google.com
958 ping: icmp open socket: Operation not permitted
959 $
960 --nosound
963 Disable sound system.
964 Example:
966 $ firejail --nosound firefox
967 --notv Disable DVB (Digital Video Broadcasting) TV devices.
970 Example:
972 $ firejail --notv vlc
973 --nou2f
976 Disable U2F devices.
977 Example:
979 $ firejail --nou2f
980 --novideo
983 Disable video devices.
984 --nowhitelist=dirname_or_filename
987 Disable whitelist for this directory or file.
988 --output=logfile
991 stdout logging and log rotation. Copy stdout to logfile, and
992 keep the size of the file under 500KB using log rotation. Five
993 files with prefixes .1 to .5 are used in rotation.
994 Example:
996 $ firejail --output=sandboxlog /bin/bash
997 [...]
998 $ ls -l sandboxlog*
999 -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog
1000 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1
1001 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2
1002 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3
1003 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4
1004 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5
1005 --output-stderr=logfile
1008 Similar to --output, but stderr is also stored.
1009 --overlay
1012 Mount a filesystem overlay on top of the current filesystem.
1013 Unlike the regular filesystem container, the system directories
1014 are mounted read-write. All filesystem modifications go into the
1015 overlay. Directories /run, /tmp and /dev are not covered by the
1016 overlay. The overlay is stored in $HOME/.firejail/<PID> direc‐
1017 tory. If the sandbox is started as a regular user, nonewprivs
1018 and a default capabilities filter are enabled.
1019 OverlayFS support is required in Linux kernel for this option to
1021 work. OverlayFS was officially introduced in Linux kernel ver‐
1022 sion 3.18. This option is not available on Grsecurity systems.
1023 Example:
1025 $ firejail --overlay firefox
1026 --overlay-clean
1029 Clean all overlays stored in $HOME/.firejail directory.
1030 Example:
1032 $ firejail --overlay-clean
1033 --overlay-named=name
1036 Mount a filesystem overlay on top of the current filesystem.
1037 Unlike the regular filesystem container, the system directories
1038 are mounted read-write. All filesystem modifications go into the
1039 overlay. Directories /run, /tmp and /dev are not covered by the
1040 overlay. The overlay is stored in $HOME/.firejail/<NAME> direc‐
1041 tory. The created overlay can be reused between multiple ses‐
1042 sions. If the sandbox is started as a regular user, nonewprivs
1043 and a default capabilities filter are enabled.
1044 OverlayFS support is required in Linux kernel for this option to
1046 work. OverlayFS was officially introduced in Linux kernel ver‐
1047 sion 3.18. This option is not available on Grsecurity systems.
1048 Example:
1050 $ firejail --overlay-named=jail1 firefox
1051 --overlay-tmpfs
1054 Mount a filesystem overlay on top of the current filesystem. All
1055 filesystem modifications are discarded when the sandbox is
1056 closed. Directories /run, /tmp and /dev are not covered by the
1057 overlay. If the sandbox is started as a regular user, nonew‐
1058 privs and a default capabilities filter are enabled.
1059 OverlayFS support is required in Linux kernel for this option to
1061 work. OverlayFS was officially introduced in Linux kernel ver‐
1062 sion 3.18. This option is not available on Grsecurity systems.
1063 Example:
1065 $ firejail --overlay-tmpfs firefox
1066 --private
1069 Mount new /root and /home/user directories in temporary filesys‐
1070 tems. All modifications are discarded when the sandbox is
1071 closed.
1072 Example:
1074 $ firejail --private firefox
1075 --private=directory
1078 Use directory as user home.
1079 Example:
1081 $ firejail --private=/home/netblue/firefox-home firefox
1082 --private-bin=file,file
1085 Build a new /bin in a temporary filesystem, and copy the pro‐
1086 grams in the list. If no listed file is found, /bin directory
1087 will be empty. The same directory is also bind-mounted over
1088 /sbin, /usr/bin, /usr/sbin and /usr/local/bin. All modifica‐
1089 tions are discarded when the sandbox is closed. File globbing is
1090 supported, see FILE GLOBBING section for more details.
1091 Example:
1093 $ firejail --private-bin=bash,sed,ls,cat
1094 Parent pid 20841, child pid 20842
1095 Child process initialized
1096 $ ls /bin
1097 bash cat ls sed
1098 --private-cache
1101 Mount an empty temporary filesystem on top of the .cache direc‐
1102 tory in user home. All modifications are discarded when the
1103 sandbox is closed.
1104 Example:
1106 $ firejail --private-cache openbox
1107 --private-cwd
1110 Set working directory inside jail to the home directory, and
1111 failing that, the root directory.
1112 Does not impact working directory of profile include paths.
1113 Example:
1115 $ pwd
1116 /tmp
1117 $ firejail --private-cwd
1118 $ pwd
1119 /home/user
1120 --private-cwd=directory
1123 Set working directory inside the jail.
1124 Does not impact working directory of profile include paths.
1125 Example:
1127 $ pwd
1128 /tmp
1129 $ firejail --private-cwd=/opt
1130 $ pwd
1131 /opt
1132 --private-dev
1135 Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
1136 full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
1137 shm and usb devices are available. Use the options --no3d,
1138 --nodvd, --nosound, --notv, --nou2f and --novideo for additional
1139 restrictions.
1140 Example:
1142 $ firejail --private-dev
1143 Parent pid 9887, child pid 9888
1144 Child process initialized
1145 $ ls /dev
1146 cdrom cdrw dri dvd dvdrw full log null ptmx pts random
1147 shm snd sr0 tty urandom zero
1148 $
1149 --private-etc=file,directory
1151 Build a new /etc in a temporary filesystem, and copy the files
1152 and directories in the list. If no listed file is found, /etc
1153 directory will be empty. All modifications are discarded when
1154 the sandbox is closed.
1155 Example:
1157 $ firejail --private-etc=group,hostname,localtime, \
1158 nsswitch.conf,passwd,resolv.conf
1159 --private-home=file,directory
1162 Build a new user home in a temporary filesystem, and copy the
1163 files and directories in the list in the new home. All modifica‐
1164 tions are discarded when the sandbox is closed.
1165 Example:
1167 $ firejail --private-home=.mozilla firefox
1168 --private-lib=file,directory
1171 This feature is currently under heavy development. Only amd64
1172 platforms are supported at this moment. The idea is to build a
1173 new /lib in a temporary filesystem, with only the library files
1174 necessary to run the application. It could be as simple as:
1175 $ firejail --private-lib galculator
1177 but it gets complicated really fast:
1179 $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1181 gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1182 The feature is integrated with --private-bin:
1184 $ firejail --private-lib --private-bin=bash,ls,ps
1186 $ ls /lib
1187 ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
1188 temd.so.0
1189 libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1190 libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1191 libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1192 $ ps
1193 PID TTY TIME CMD
1194 1 pts/0 00:00:00 firejail
1195 45 pts/0 00:00:00 bash
1196 48 pts/0 00:00:00 ps
1197 $
1198 --private-opt=file,directory
1201 Build a new /opt in a temporary filesystem, and copy the files
1202 and directories in the list. If no listed file is found, /opt
1203 directory will be empty. All modifications are discarded when
1204 the sandbox is closed.
1205 Example:
1207 $ firejail --private-opt=firefox /opt/firefox/firefox
1208 --private-srv=file,directory
1211 Build a new /srv in a temporary filesystem, and copy the files
1212 and directories in the list. If no listed file is found, /srv
1213 directory will be empty. All modifications are discarded when
1214 the sandbox is closed.
1215 Example:
1217 # firejail --private-srv=www /etc/init.d/apache2 start
1218 --private-tmp
1221 Mount an empty temporary filesystem on top of /tmp directory
1222 whitelisting X11 and PulseAudio sockets.
1223 Example:
1225 $ firejail --private-tmp
1226 $ ls -al /tmp
1227 drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
1228 drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1229 drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKd‐
1230 htXMmr18n
1231 drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1232 --profile=filename_or_profilename
1235 Load a custom security profile from filename. For filename use
1236 an absolute path or a path relative to the current path. For
1237 more information, see SECURITY PROFILES section below.
1238 Example:
1240 $ firejail --profile=myprofile
1241 --profile.print=name|pid
1244 Print the name of the profile file for the sandbox identified by
1245 name or or PID.
1246 Example:
1248 $ firejail --profile.print=browser
1249 /etc/firejail/firefox.profile
1250 --protocol=protocol,protocol,protocol
1252 Enable protocol filter. The filter is based on seccomp and
1253 checks the first argument to socket system call. Recognized
1254 values: unix, inet, inet6, netlink and packet. This option is
1255 not supported for i386 architecture.
1256 Example:
1258 $ firejail --protocol=unix,inet,inet6 firefox
1259 --protocol.print=name|pid
1261 Print the protocol filter for the sandbox identified by name or
1262 PID.
1263 Example:
1265 $ firejail --name=mybrowser firefox &
1266 $ firejail --protocol.print=mybrowser
1267 unix,inet,inet6,netlink
1268 Example:
1270 $ firejail --list
1271 3272:netblue::firejail --private firefox
1272 $ firejail --protocol.print=3272
1273 unix,inet,inet6,netlink
1274 --put=name|pid src-filename dest-filename
1276 Put a file in sandbox container, see FILE TRANSFER section for
1277 more details.
1278 --quiet
1280 Turn off Firejail's output.
1281 The same effect can be obtained by setting an environment vari‐
1283 able FIREJAIL_QUIET to yes.
1284 --read-only=dirname_or_filename
1286 Set directory or file read-only. File globbing is supported, see
1287 FILE GLOBBING section for more details.
1288 Example:
1290 $ firejail --read-only=~/.mozilla firefox
1291 --read-write=dirname_or_filename
1293 Set directory or file read-write. Only files or directories
1294 belonging to the current user are allowed for this operation.
1295 File globbing is supported, see FILE GLOBBING section for more
1296 details. Example:
1297 $ mkdir ~/test
1299 $ touch ~/test/a
1300 $ firejail --read-only=~/test --read-write=~/test/a
1301 --rlimit-as=number
1305 Set the maximum size of the process's virtual memory (address
1306 space) in bytes.
1307 --rlimit-cpu=number
1310 Set the maximum limit, in seconds, for the amount of CPU time
1311 each sandboxed process can consume. When the limit is reached,
1312 the processes are killed.
1313 The CPU limit is a limit on CPU seconds rather than elapsed
1315 time. CPU seconds is basically how many seconds the CPU has been
1316 in use and does not necessarily directly relate to the elapsed
1317 time. Linux kernel keeps track of CPU seconds for each process
1318 independently.
1319 --rlimit-fsize=number
1322 Set the maximum file size that can be created by a process.
1323 --rlimit-nofile=number
1325 Set the maximum number of files that can be opened by a process.
1326 --rlimit-nproc=number
1328 Set the maximum number of processes that can be created for the
1329 real user ID of the calling process.
1330 --rlimit-sigpending=number
1332 Set the maximum number of pending signals for a process.
1333 --rmenv=name
1336 Remove environment variable in the new sandbox.
1337 Example:
1339 $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1340 --scan ARP-scan all the networks from inside a network namespace. This
1343 makes it possible to detect macvlan kernel device drivers run‐
1344 ning on the current host.
1345 Example:
1347 $ firejail --net=eth0 --scan
1348 --seccomp
1350 Enable seccomp filter and blacklist the syscalls in the default
1351 list, which is @default-nodebuggers unless allow-debuggers is
1352 specified, then it is @default.
1353 To help creating useful seccomp filters more easily, the follow‐
1355 ing system call groups are defined: @aio, @basic-io, @chown,
1356 @clock, @cpu-emulation, @debug, @default, @default-nodebuggers,
1357 @default-keep, @file-system, @io-event, @ipc, @keyring, @mem‐
1358 lock, @module, @mount, @network-io, @obsolete, @privileged,
1359 @process, @raw-io, @reboot, @resources, @setuid, @swap, @sync,
1360 @system-service and @timer. More informations about groups can
1361 be found in /usr/share/doc/firejail/syscalls.txt
1362 In addition, a system call can be specified by its number
1364 instead of name with prefix $, so for example $165 would be
1365 equal to mount on i386. Exceptions can be allowed with prefix
1366 !.
1367 System architecture is strictly imposed only if flag --sec‐
1369 comp.block-secondary is used. The filter is applied at run time
1370 only if the correct architecture was detected. For the case of
1371 I386 and AMD64 both 32-bit and 64-bit filters are installed.
1372 Firejail will print seccomp violations to the audit log if the
1374 kernel was compiled with audit support (CONFIG_AUDIT flag).
1375 Example:
1377 $ firejail --seccomp
1378 --seccomp=syscall,@group,!syscall2
1380 Enable seccomp filter, whitelist "syscall2", but blacklist the
1381 default list and the syscalls or syscall groups specified by the
1382 command.
1383 Example:
1385 $ firejail --seccomp=utime,utimensat,utimes firefox
1386 $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1387 Instead of dropping the syscall, a specific error number can be
1389 returned using syscall:errorno syntax.
1390 Example: $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1392 Parent pid 10662, child pid 10663
1393 Child process initialized
1394 $ touch testfile
1395 $ rm testfile
1396 rm: cannot remove `testfile': Operation not permitted
1397 If the blocked system calls would also block Firejail from oper‐
1399 ating, they are handled by adding a preloaded library which per‐
1400 forms seccomp system calls later.
1401 Example:
1403 $ firejail --noprofile --shell=none --seccomp=execve bash
1404 Parent pid 32751, child pid 32752
1405 Post-exec seccomp protector enabled
1406 list in: execve, check list: @default-keep prelist: (null),
1407 postlist: execve
1408 Child process initialized in 46.44 ms
1409 $ ls
1410 Bad system call
1411 --seccomp.block-secondary
1414 Enable seccomp filter and filter system call architectures so
1415 that only the native architecture is allowed. For example, on
1416 amd64, i386 and x32 system calls are blocked as well as changing
1417 the execution domain with personality(2) system call.
1418 --seccomp.drop=syscall,@group
1421 Enable seccomp filter, and blacklist the syscalls or the syscall
1422 groups specified by the command.
1423 Example:
1425 $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1426 Instead of dropping the syscall, a specific error number can be
1428 returned using syscall:errorno syntax.
1429 Example:
1431 $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1432 Parent pid 10662, child pid 10663
1433 Child process initialized
1434 $ touch testfile
1435 $ rm testfile
1436 rm: cannot remove `testfile': Operation not permitted
1437 --seccomp.keep=syscall,@group,!syscall2
1444 Enable seccomp filter, blacklist all syscall not listed and
1445 "syscall2". The system calls needed by Firejail (group
1446 @default-keep: prctl, execve) are handled with the preload
1447 library.
1448 Example:
1450 $ firejail --shell=none --seccomp.keep=poll,select,[...] trans‐
1451 mission-gtk
1452 --seccomp.print=name|pid
1455 Print the seccomp filter for the sandbox identified by name or
1456 PID.
1457 Example:
1459 $ firejail --name=browser firefox &
1460 $ firejail --seccomp.print=browser
1461 line OP JT JF K
1462 =================================
1463 0000: 20 00 00 00000004 ld data.architecture
1464 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
1465 0002: 06 00 00 7fff0000 ret ALLOW
1466 0003: 20 00 00 00000000 ld data.syscall-number
1467 0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
1468 0005: 35 01 00 00000000 jge read 0007 (false 0006)
1469 0006: 06 00 00 00050001 ret ERRNO(1)
1470 0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
1471 0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
1472 0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
1473 000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false
1474 000b)
1475 000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
1476 000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
1477 000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
1478 000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
1479 000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
1480 0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
1481 0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
1482 0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
1483 0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
1484 0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
1485 0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
1486 0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
1487 0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
1488 0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
1489 0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
1490 001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
1491 001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
1492 001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
1493 001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
1494 001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
1495 001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
1496 0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
1497 0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
1498 0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
1499 0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
1500 0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
1501 0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
1502 0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
1503 0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
1504 0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
1505 0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
1506 002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
1507 002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
1508 002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
1509 002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
1510 002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
1511 002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
1512 0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
1513 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
1514 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
1515 0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
1516 0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false
1517 0035)
1518 0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false
1519 0036)
1520 0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
1521 0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
1522 0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
1523 0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
1524 003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
1525 003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
1526 003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
1527 003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
1528 003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
1529 003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
1530 0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
1531 0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
1532 0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false
1533 0043)
1534 0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
1535 0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
1536 0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
1537 0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
1538 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false
1539 0048)
1540 0048: 06 00 00 7fff0000 ret ALLOW
1541 0049: 06 00 01 00000000 ret KILL
1542 $
1543 --shell=none
1545 Run the program directly, without a user shell.
1546 Example:
1548 $ firejail --shell=none script.sh
1549 --shell=program
1551 Set default user shell. Use this shell to run the application
1552 using -c shell option. For example "firejail --shell=/bin/dash
1553 firefox" will start Mozilla Firefox as "/bin/dash -c firefox".
1554 By default Bash shell (/bin/bash) is used.
1555 Example: $firejail --shell=/bin/dash script.sh
1557 --shutdown=name|pid
1559 Shutdown the sandbox identified by name or PID.
1560 Example:
1562 $ firejail --name=mygame --caps.drop=all warzone2100 &
1563 $ firejail --shutdown=mygame
1564 Example:
1566 $ firejail --list
1567 3272:netblue::firejail --private firefox
1568 $ firejail --shutdown=3272
1569 --timeout=hh:mm:ss
1571 Kill the sandbox automatically after the time has elapsed. The
1572 time is specified in hours/minutes/seconds format.
1573 $ firejail --timeout=01:30:00 firefox
1575 --tmpfs=dirname
1577 Mount a writable tmpfs filesystem on directory dirname. This
1578 option is available only when running the sandbox as root. File
1579 globbing is supported, see FILE GLOBBING section for more
1580 details.
1581 Example:
1583 # firejail --tmpfs=/var
1584 --top Monitor the most CPU-intensive sandboxes, see MONITORING section
1586 for more details.
1587 Example:
1589 $ firejail --top
1590 --trace[=filename]
1592 Trace open, access and connect system calls. If filename is
1593 specified, log trace output to filename, otherwise log to con‐
1594 sole.
1595 Example:
1597 $ firejail --trace wget -q www.debian.org
1598 Reading profile /etc/firejail/wget.profile
1599 3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
1600 3:wget:fopen /etc/hosts:0x5c8e8cfb70
1601 3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
1602 3:wget:connect 3 8.8.8.8 port 53:0
1603 3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
1604 3:wget:connect 3 130.89.148.14 port 80:0
1605 3:wget:fopen64 index.html:0x5c8e8d1a60
1606 parent is shutting down, bye...
1608 --tracelog
1610 This option enables auditing blacklisted files and directories.
1611 A message is sent to syslog in case the file or the directory is
1612 accessed.
1613 Example:
1615 $ firejail --tracelog firefox
1616 Sample messages:
1618 $ sudo tail -f /var/log/syslog
1619 [...]
1620 Dec 3 11:43:25 debian firejail[70]: blacklist violation - sand‐
1621 box 26370, exe firefox, syscall open64, path /etc/shadow
1622 Dec 3 11:46:17 debian firejail[70]: blacklist violation - sand‐
1623 box 26370, exe firefox, syscall opendir, path /boot
1624 [...]
1625 --tree Print a tree of all sandboxed processes, see MONITORING section
1627 for more details.
1628 Example:
1630 $ firejail --tree
1631 11903:netblue:firejail iceweasel
1632 11904:netblue:iceweasel
1633 11957:netblue:/usr/lib/iceweasel/plugin-container
1634 11969:netblue:firejail --net=eth0 transmission-gtk
1635 11970:netblue:transmission-gtk
1636 --tunnel[=devname]
1639 Connect the sandbox to a network overlay/VPN tunnel created by
1640 firetunnel utility. This options tries first the client side of
1641 the tunnel. If this fails, it tries the server side. If multiple
1642 tunnels are active, please specify the tunnel device using
1643 --tunnel=devname.
1644 The available tunnel devices are listed in /etc/firetunnel
1646 directory, one file for each device. The files are regular
1647 firejail profile files containing the network configuration, and
1648 are created and managed by firetunnel utility. By default ftc
1649 is the client-side device and fts is the server-side device. For
1650 more information please see man 1 firetunnel.
1651 Example:
1653 $ firejail --tunnel firefox
1654 --version
1656 Print program version and exit.
1657 Example:
1659 $ firejail --version
1660 firejail version 0.9.27
1661 --veth-name=name
1664 Use this name for the interface connected to the bridge for
1665 --net=bridge_interface commands, instead of the default one.
1666 Example:
1668 $ firejail --net=br0 --veth-name=if0
1669 --whitelist=dirname_or_filename
1672 Whitelist directory or file. A temporary file system is mounted
1673 on the top directory, and the whitelisted files are mount-binded
1674 inside. Modifications to whitelisted files are persistent,
1675 everything else is discarded when the sandbox is closed. The top
1676 directory could be user home, /dev, /etc, /media, /mnt, /opt,
1677 /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var.
1678 Symbolic link handling: with the exception of user home, both
1680 the link and the real file should be in the same top directory.
1681 For user home, both the link and the real file should be owned
1682 by the user.
1683 Example:
1685 $ firejail --noprofile --whitelist=~/.mozilla
1686 $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
1687 $ firejail "--whitelist=/home/username/My Virtual Machines"
1688 --writable-etc
1691 Mount /etc directory read-write.
1692 Example:
1694 $ sudo firejail --writable-etc
1695 --writable-run-user
1698 Disable the default blacklisting of /run/user/$UID/systemd and
1699 /run/user/$UID/gnupg.
1700 Example:
1702 $ sudo firejail --writable-run-user
1703 --writable-var
1706 Mount /var directory read-write.
1707 Example:
1709 $ sudo firejail --writable-var
1710 --writable-var-log
1713 Use the real /var/log directory, not a clone. By default, a
1714 tmpfs is mounted on top of /var/log directory, and a skeleton
1715 filesystem is created based on the original /var/log.
1716 Example:
1718 $ sudo firejail --writable-var-log
1719 --x11 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg secu‐
1723 rity extension. The sandbox will prevent screenshot and keylog‐
1724 ger applications started inside the sandbox from accessing
1725 clients running outside the sandbox. Firejail will try Xpra
1726 first, and if Xpra is not installed on the system, it will try
1727 to find Xephyr. If all fails, Firejail will not attempt to use
1728 Xvfb or X11 security extension.
1729 Xpra, Xephyr and Xvfb modes require a network namespace to be
1731 instantiated in order to disable X11 abstract Unix socket. If
1732 this is not possible, the user can disable the abstract socket
1733 by adding "-nolisten local" on Xorg command line at system
1734 level.
1735 Example:
1737 $ firejail --x11 --net=eth0 firefox
1738 --x11=none
1741 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the
1742 file specified in ${XAUTHORITY} environment variable. Remove
1743 DISPLAY and XAUTHORITY environment variables. Stop with error
1744 message if X11 abstract socket will be accessible in jail.
1745 --x11=xephyr
1748 Start Xephyr and attach the sandbox to this server. Xephyr is a
1749 display server implementing the X11 display server protocol. A
1750 network namespace needs to be instantiated in order to deny
1751 access to X11 abstract Unix domain socket.
1752 Xephyr runs in a window just like any other X11 application. The
1754 default window size is 800x600. This can be modified in
1755 /etc/firejail/firejail.config file.
1756 The recommended way to use this feature is to run a window man‐
1758 ager inside the sandbox. A security profile for OpenBox is pro‐
1759 vided.
1760 Xephyr is developed by Xorg project. On Debian platforms it is
1762 installed with the command sudo apt-get install xserver-xephyr.
1763 This feature is not available when running as root.
1764 Example:
1766 $ firejail --x11=xephyr --net=eth0 openbox
1767 --x11=xorg
1770 Sandbox the application using the untrusted mode implemented by
1771 X11 security extension. The extension is available in Xorg
1772 package and it is installed by default on most Linux distribu‐
1773 tions. It provides support for a simple trusted/untrusted con‐
1774 nection model. Untrusted clients are restricted in certain ways
1775 to prevent them from reading window contents of other clients,
1776 stealing input events, etc.
1777 The untrusted mode has several limitations. A lot of regular
1779 programs assume they are a trusted X11 clients and will crash
1780 or lock up when run in untrusted mode. Chromium browser and
1781 xterm are two examples. Firefox and transmission-gtk seem to be
1782 working fine. A network namespace is not required for this
1783 option.
1784 Example:
1786 $ firejail --x11=xorg firefox
1787 --x11=xpra
1790 Start Xpra (https://xpra.org) and attach the sandbox to this
1791 server. Xpra is a persistent remote display server and client
1792 for forwarding X11 applications and desktop screens. A network
1793 namespace needs to be instantiated in order to deny access to
1794 X11 abstract Unix domain socket.
1795 On Debian platforms Xpra is installed with the command sudo apt-
1797 get install xpra. This feature is not available when running as
1798 root.
1799 Example:
1801 $ firejail --x11=xpra --net=eth0 firefox
1802 --x11=xvfb
1806 Start Xvfb X11 server and attach the sandbox to this server.
1807 Xvfb, short for X virtual framebuffer, performs all graphical
1808 operations in memory without showing any screen output. Xvfb is
1809 mainly used for remote access and software testing on headless
1810 servers.
1811 On Debian platforms Xvfb is installed with the command sudo apt-
1813 get install xvfb. This feature is not available when running as
1814 root.
1815 Example: remote VNC access
1817 On the server we start a sandbox using Xvfb and openbox window
1819 manager. The default size of Xvfb screen is 800x600 - it can be
1820 changed in /etc/firejail/firejail.config (xvfb-screen). Some
1821 sort of networking (--net) is required in order to isolate the
1822 abstract sockets used by other X servers.
1823 $ firejail --net=none --x11=xvfb openbox
1825 *** Attaching to Xvfb display 792 ***
1827 Reading profile /etc/firejail/openbox.profile
1829 Reading profile /etc/firejail/disable-common.inc
1830 Reading profile /etc/firejail/disable-common.local
1831 Parent pid 5400, child pid 5401
1832 On the server we also start a VNC server and attach it to the
1834 display handled by our Xvfb server (792).
1835 $ x11vnc -display :792
1837 On the client machine we start a VNC viewer and use it to con‐
1839 nect to our server:
1840 $ vncviewer
1842 --xephyr-screen=WIDTHxHEIGHT
1845 Set screen size for --x11=xephyr. The setting will overwrite the
1846 default set in /etc/firejail/firejail.config for the current
1847 sandbox. Run xrandr to get a list of supported resolutions on
1848 your computer.
1849 Example:
1851 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
1852 fox
1853
1856 AppArmor support is disabled by default at compile time. Use --enable-
1857 apparmor configuration option to enable it:
1858 $ ./configure --prefix=/usr --enable-apparmor
1860 During software install, a generic AppArmor profile file, firejail-
1862 default, is placed in /etc/apparmor.d directory. The local customiza‐
1863 tions must be placed in /etc/apparmor.d/local/firejail-local. The pro‐
1864 file needs to be loaded into the kernel by reloading apparmor.service,
1865 rebooting the system or running the following command as root:
1866 # apparmor_parser -r /etc/apparmor.d/firejail-default
1868 The installed profile is supplemental for main firejail functions and
1870 among other things does the following:
1871 - Disable ptrace. With ptrace it is possible to inspect and
1873 hijack running programs. Usually this is needed only for debug‐
1874 ging. You should have no problems running Chromium or Firefox.
1875 This feature is available only on Ubuntu kernels.
1876 - Whitelist write access to several files under /run, /proc and
1878 /sys.
1879 - Allow running programs only from well-known system paths, such
1881 as /bin, /sbin, /usr/bin etc. Those paths are available as read-
1882 only. Running programs and scripts from user home or other
1883 directories writable by the user is not allowed.
1884 - Prevent using non-standard network sockets. Only unix, inet,
1886 inet6, netlink, raw and packet are allowed.
1887 - Deny access to known sensitive paths like .snapshots.
1889 To enable AppArmor confinement on top of your current Firejail security
1892 features, pass --apparmor flag to Firejail command line. You can also
1893 include apparmor command in a Firejail profile file. Example:
1894 $ firejail --apparmor firefox
1896
1899 Audit feature allows the user to point out gaps in security profiles.
1900 The implementation replaces the program to be sandboxed with a test
1901 program. By default, we use faudit program distributed with Firejail. A
1902 custom test program can also be supplied by the user. Examples:
1903 Running the default audit program:
1905 $ firejail --audit transmission-gtk
1906 Running a custom audit program:
1908 $ firejail --audit=~/sandbox-test transmission-gtk
1909 In the examples above, the sandbox configures transmission-gtk profile
1911 and starts the test program. The real program, transmission-gtk, will
1912 not be started.
1913 Limitations: audit feature is not implemented for --x11 commands.
1915
1918 A symbolic link to /usr/bin/firejail under the name of a program, will
1919 start the program in Firejail sandbox. The symbolic link should be
1920 placed in the first $PATH position. On most systems, a good place is
1921 /usr/local/bin directory. Example:
1922 Make a firefox symlink to /usr/bin/firejail:
1924 $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
1926 Verify $PATH
1928 $ which -a firefox
1930 /usr/local/bin/firefox
1931 /usr/bin/firefox
1932 Starting firefox in this moment, automatically invokes “firejail
1934 firefox”.
1935 This works for clicking on desktop environment icons, menus etc. Use
1937 "firejail --tree" to verify the program is sandboxed.
1938 $ firejail --tree
1940 1189:netblue:firejail firefox
1941 1190:netblue:firejail firefox
1942 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
1943 1221:netblue:/usr/lib/firefox/firefox
1944 We provide a tool that automates all this integration, please see
1946 firecfg(1) for more details.
1947
1950 firejail
1951 Sandbox a regular /bin/bash session.
1952 firejail firefox
1954 Start Mozilla Firefox.
1955 firejail --debug firefox
1957 Debug Firefox sandbox.
1958 firejail --private firefox
1960 Start Firefox with a new, empty home directory.
1961 firejail --net=none vlc
1963 Start VLC in an unconnected network namespace.
1964 firejail --net=eth0 firefox
1966 Start Firefox in a new network namespace. An IP address is
1967 assigned automatically.
1968 firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
1970 Start a /bin/bash session in a new network namespace and connect
1971 it to br0, br1, and br2 host bridge devices. IP addresses are
1972 assigned automatically for the interfaces connected to br1 and
1973 b2
1974 firejail --list
1976 List all sandboxed processes.
1977
1980 Globbing is the operation that expands a wildcard pattern into the list
1981 of pathnames matching the pattern. Matching is defined by:
1982 - '?' matches any character
1984 - '*' matches any string
1985 - '[' denotes a range of characters
1986 The globbing feature is implemented using glibc glob command. For more
1988 information on the wildcard syntax see man 7 glob.
1989 The following command line options are supported: --blacklist, --pri‐
1992 vate-bin, --noexec, --read-only, --read-write, and --tmpfs.
1993 Examples:
1996 $ firejail --private-bin=sh,bash,python*
1998 $ firejail --blacklist=~/dir[1234]
1999 $ firejail --read-only=~/dir[1-4]
2000
2003 These features allow the user to inspect the filesystem container of an
2004 existing sandbox and transfer files between the container and the host
2005 filesystem.
2006 --get=name|pid filename
2009 Retrieve the container file and store it on the host in the cur‐
2010 rent working directory. The container is specified by name or
2011 PID.
2012 --ls=name|pid dir_or_filename
2015 List container files. The container is specified by name or PID.
2016 --put=name|pid src-filename dest-filename
2019 Put src-filename in sandbox container. The container is speci‐
2020 fied by name or PID.
2021 Examples:
2024 $ firejail --name=mybrowser --private firefox
2026 $ firejail --ls=mybrowser ~/Downloads
2028 drwxr-xr-x netblue netblue 4096 .
2029 drwxr-xr-x netblue netblue 4096 ..
2030 -rw-r--r-- netblue netblue 7847 x11-x305.png
2031 -rw-r--r-- netblue netblue 6800 x11-x642.png
2032 -rw-r--r-- netblue netblue 34139 xpra-clipboard.png
2033 $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
2035 $ firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-
2037 clipboard.png
2038
2041 Option --list prints a list of all sandboxes. The format for each
2042 process entry is as follows:
2043 PID:USER:Sandbox Name:Command
2045 Option --tree prints the tree of processes running in the sandbox. The
2047 format for each process entry is as follows:
2048 PID:USER:Sandbox Name:Command
2050 Option --top is similar to the UNIX top command, however it applies
2052 only to sandboxes.
2053 Option --netstats prints network statistics for active sandboxes
2055 installing new network namespaces.
2056 Listed below are the available fields (columns) in alphabetical order
2059 for --top and --netstats options:
2060 Command
2063 Command used to start the sandbox.
2064 CPU% CPU usage, the sandbox share of the elapsed CPU time since the
2066 last screen update
2067 PID Unique process ID for the task controlling the sandbox.
2069 Prcs Number of processes running in sandbox, including the control‐
2071 ling process.
2072 RES Resident Memory Size (KiB), sandbox non-swapped physical memory.
2074 It is a sum of the RES values for all processes running in the
2075 sandbox.
2076 RX(KB/s)
2078 Network receive speed.
2079 Sandbox Name
2081 The name of the sandbox, if any.
2082 SHR Shared Memory Size (KiB), it reflects memory shared with other
2084 processes. It is a sum of the SHR values for all processes run‐
2085 ning in the sandbox, including the controlling process.
2086 TX(KB/s)
2088 Network transmit speed.
2089 Uptime Sandbox running time in hours:minutes:seconds format.
2091 USER The owner of the sandbox.
2093
2096 Several command line options can be passed to the program using profile
2097 files. Firejail chooses the profile file as follows:
2098 1. If a profile file is provided by the user with --profile=FILE
2100 option, the profile FILE is loaded. If a profile name is given, it is
2101 searched for first in the ~/.config/firejail directory and if not found
2102 then in /etc/firejail directory. Profile names do not include the
2103 .profile suffix. If there is a file with the same name as the given
2104 profile name, it will be used instead of doing the profile search. To
2105 force a profile search, prefix the profile name with a colon (:), eg.
2106 --profile=:PROFILE_NAME. Example:
2107 $ firejail --profile=/home/netblue/icecat.profile icecat
2109 Reading profile /home/netblue/icecat.profile
2110 [...]
2111 $ firejail --profile=icecat icecat-wrapper.sh
2114 Reading profile /etc/firejail/icecat.profile
2115 [...]
2116 2. If a profile file with the same name as the application is present
2118 in ~/.config/firejail directory or in /etc/firejail, the profile is
2119 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
2120 ple:
2121 $ firejail icecat
2123 Command name #icecat#
2124 Found icecat profile in /home/netblue/.config/firejail directory
2125 Reading profile /home/netblue/.config/firejail/icecat.profile
2126 [...]
2127 3. Use default.profile file if the sandbox is started by a regular
2129 user, or server.profile file if the sandbox is started by root. Fire‐
2130 jail looks for these files in ~/.config/firejail directory, followed by
2131 /etc/firejail directory. To disable default profile loading, use
2132 --noprofile command option. Example:
2133 $ firejail
2135 Reading profile /etc/firejail/default.profile
2136 Parent pid 8553, child pid 8554
2137 Child process initialized
2138 [...]
2139 $ firejail --noprofile
2141 Parent pid 8553, child pid 8554
2142 Child process initialized
2143 [...]
2144 See man 5 firejail-profile for profile file syntax information.
2146
2149 To configure a restricted shell, replace /bin/bash with /usr/bin/fire‐
2150 jail in /etc/passwd file for each user that needs to be restricted.
2151 Alternatively, you can specify /usr/bin/firejail in adduser command:
2152 adduser --shell /usr/bin/firejail username
2154 Additional arguments passed to firejail executable upon login are
2156 declared in /etc/firejail/login.users file.
2157
2160 Network bandwidth is an expensive resource shared among all sandboxes
2161 running on a system. Traffic shaping allows the user to increase net‐
2162 work performance by controlling the amount of data that flows into and
2163 out of the sandboxes.
2164 Firejail implements a simple rate-limiting shaper based on Linux com‐
2166 mand tc. The shaper works at sandbox level, and can be used only for
2167 sandboxes configured with new network namespaces.
2168 Set rate-limits:
2170 $ firejail --bandwidth=name|pid set network download upload
2172 Clear rate-limits:
2174 $ firejail --bandwidth=name|pid clear network
2176 Status:
2178 $ firejail --bandwidth=name|pid status
2180 where:
2182 name - sandbox name
2183 pid - sandbox pid
2184 network - network interface as used by --net option
2185 download - download speed in KB/s (kilobyte per second)
2186 upload - upload speed in KB/s (kilobyte per second)
2187 Example:
2189 $ firejail --name=mybrowser --net=eth0 firefox &
2190 $ firejail --bandwidth=mybrowser set eth0 80 20
2191 $ firejail --bandwidth=mybrowser status
2192 $ firejail --bandwidth=mybrowser clear eth0
2193
2196 This program is free software; you can redistribute it and/or modify it
2197 under the terms of the GNU General Public License as published by the
2198 Free Software Foundation; either version 2 of the License, or (at your
2199 option) any later version.
2200 Homepage: https://firejail.wordpress.com
2202
2204 firemon(1), firecfg(1), firejail-profile(5), firejail-login(5) fire‐
2205 jail-users(5)
22060.9.62 Feb 2020 FIREJAIL(1)