FIREJAIL-PROFILE(5)       firejail profiles man page       FIREJAIL-PROFILE(5)

NAME

       profile - Security profile file syntax for Firejail

USAGE

       firejail --profile=filename.profile
       firejail --profile=profile_name

DESCRIPTION

       Several command line options can be passed to the program using profile
       files. Firejail chooses the profile file as follows:

       1. If a profile file is provided by the user with the --profile option,
       that profile file is loaded. If a profile name is given instead of a
       path, it is searched for first in the ~/.config/firejail directory and,
       if not found there, in the /etc/firejail directory. Profile names do
       not include the .profile suffix. Example:

              $ firejail --profile=/home/netblue/icecat.profile icecat
              Reading profile /home/netblue/icecat.profile
              [...]

              $ firejail --profile=icecat icecat-wrapper.sh
              Reading profile /etc/firejail/icecat.profile
              [...]

       2. If a profile file with the same name as the application is present
       in the ~/.config/firejail directory or in /etc/firejail, that profile
       is loaded. ~/.config/firejail takes precedence over /etc/firejail.
       Example:

              $ firejail icecat
              Command name #icecat#
              Found icecat profile in /home/netblue/.config/firejail directory
              Reading profile /home/netblue/.config/firejail/icecat.profile
              [...]

       3. Otherwise, use a default.profile file if the sandbox is started by a
       regular user, or a server.profile file if the sandbox is started by
       root. Firejail looks for these files in the ~/.config/firejail
       directory, followed by the /etc/firejail directory. To disable default
       profile loading, use the --noprofile command line option. Example:

              $ firejail
              Reading profile /etc/firejail/default.profile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]

              $ firejail --noprofile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]


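       The lookup order above, as an added worked example that is not part
       of the Firejail man page or source: a Python function that applies
       the three steps to a constructed set of existing profile paths. The
       directory names, the file set, the use of the command's basename as
       the profile name, and the assumption that --noprofile skips step 2 as
       well as step 3 are all choices made for this example. Note that in
       the constructed set an icecat profile exists in both directories, so
       the name lookup resolves to the user copy rather than the system copy
       shown in the second example above.

```python
from __future__ import annotations
import os

# Constructed directories and file set standing in for the real filesystem,
# so the example runs offline.  Paths in EXISTING are the files that "exist".
USER_DIR = "/home/netblue/.config/firejail"
SYS_DIR = "/etc/firejail"
EXISTING = {
    f"{USER_DIR}/icecat.profile",
    f"{SYS_DIR}/icecat.profile",
    f"{SYS_DIR}/firefox.profile",
    f"{SYS_DIR}/default.profile",
    f"{SYS_DIR}/server.profile",
    "/home/netblue/icecat.profile",
}


def _lookup(name: str, existing: set[str]) -> str | None:
    """Search the user directory, then the system directory, for name.profile."""
    for d in (USER_DIR, SYS_DIR):
        path = f"{d}/{name}.profile"
        if path in existing:
            return path
    return None


def select_profile(app: str, *, profile_opt: str | None = None,
                   is_root: bool = False, noprofile: bool = False,
                   existing: set[str] = EXISTING) -> str | None:
    """Return the profile Firejail would read for `app`, or None for none.

    Step 1: --profile=PATH (contains '/') or --profile=NAME (no suffix);
            a missing file or name is an error, not a fallback.
    Step 2: a profile named after the command (basename; assumed here).
    Step 3: default.profile (user) or server.profile (root).
    Assumed: --noprofile disables steps 2 and 3.
    """
    if profile_opt is not None:
        if "/" in profile_opt:
            if profile_opt in existing:
                return profile_opt
            raise FileNotFoundError(profile_opt)
        found = _lookup(profile_opt, existing)
        if found is None:
            raise FileNotFoundError(f"{profile_opt}.profile")
        return found
    if noprofile:
        return None
    found = _lookup(os.path.basename(app), existing)
    if found is not None:
        return found
    return _lookup("server" if is_root else "default", existing)


if __name__ == "__main__":
    for args in ({"app": "icecat"},
                 {"app": "icecat-wrapper.sh", "profile_opt": "icecat"},
                 {"app": "/usr/bin/vim"},
                 {"app": "/usr/bin/vim", "is_root": True},
                 {"app": "/usr/bin/vim", "noprofile": True}):
        print(args, "->", select_profile(**args))
```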
Templates

       In /usr/share/doc/firejail there are two templates to write new
       profiles.
              profile.template - for regular profiles
              redirect_alias-profile.template - for aliasing/redirecting
              profiles



Scripting

       Scripting commands:


       File and directory names
              File and directory names containing spaces are supported. The
              space character ' ' must not be escaped.

              Example: "blacklist ~/My Virtual Machines"


       # this is a comment


       ?CONDITIONAL: profile line
              Conditionally add a profile line.

              Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"

              This example loads the whitelist profile line only if the
              --appimage option has been specified on the command line.

              Currently the only conditionals supported this way are
              HAS_APPIMAGE, HAS_NET, HAS_NODBUS and HAS_X11. The conditionals
              BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM can be enabled or
              disabled globally in Firejail's configuration file.

              The profile line may be any profile line that you would normally
              use in a profile except for "quiet" and "include" lines.


       include other.profile
              Include the other.profile file.

              Example: "include /etc/firejail/disable-common.inc"

              The file name can be prefixed with a macro such as ${HOME} or
              ${CFG}. ${HOME} is expanded to the user home directory, and
              ${CFG} is expanded to the Firejail system configuration
              directory - in most cases /etc/firejail or
              /usr/local/etc/firejail.

              Example: "include ${HOME}/myprofiles/profile1" will load the
              "~/myprofiles/profile1" file.

              Example: "include ${CFG}/firefox.profile" will load the
              "/etc/firejail/firefox.profile" file.

              The file name may also be just the name without the leading
              directory components. In this case, the user configuration
              directory (${HOME}/.config/firejail) is searched first for the
              file name and, if it is not found there, the system
              configuration directory is searched. Note: unlike the --profile
              option, which takes a profile name without the '.profile'
              suffix, include must be given the full file name.

              Example: "include firefox.profile" will load the
              "${HOME}/.config/firejail/firefox.profile" file and, if it does
              not exist, "${CFG}/firefox.profile" will be loaded.

              System configuration files in ${CFG} are overwritten during
              software installation. Persistent configuration at system level
              is handled in ".local" files. For every profile file in the
              ${CFG} directory, the user can create a corresponding .local
              file storing modifications to the persistent configuration.
              Persistent .local files are included at the start of regular
              profile files, so an "ignore" line in a .local file takes
              effect before the rest of the profile is read.


       noblacklist file_name
              If the file name matches file_name, the file will not be
              blacklisted by any blacklist commands that follow.

              Example: "noblacklist ${HOME}/.mozilla"


       nowhitelist file_name
              If the file name matches file_name, the file will not be
              whitelisted by any whitelist commands that follow.

              Example: "nowhitelist ~/.config"


       ignore command
              Ignore command: drop every matching command in the profile
              lines processed afterwards. Combined with a .local file, this
              is how a directive in a system profile is disabled without
              editing the system file.

              Example: "ignore seccomp"
              Example: "ignore net eth0"


       quiet  Disable Firejail's output. This should be the first uncommented
              command in the profile file.

              Example: "quiet"


163
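       The include, conditional, ignore, noblacklist and nowhitelist rules
       above, as an added worked example that is not Firejail's own code: a
       small Python interpreter that resolves a constructed profile tree the
       way the text describes and returns the effective directive list. The
       profile contents and directory names are constructed for the example.
       Two details the page does not spell out are assumptions here: an
       include of a missing .local file is skipped silently while any other
       missing include is an error, and ignore matches a whole command word,
       so "ignore seccomp" drops "seccomp" but not "seccomp.drop".

```python
from __future__ import annotations

HOME = "/home/netblue"
CFG = "/etc/firejail"
USER_DIR = f"{HOME}/.config/firejail"
CONDITIONALS = {"HAS_APPIMAGE", "HAS_NET", "HAS_NODBUS", "HAS_X11"}

# Constructed profile tree standing in for ${HOME}/.config/firejail and ${CFG}.
FILES = {
    f"{CFG}/firefox.profile": """\
quiet
include firefox.local
noblacklist ${HOME}/.mozilla
include disable-common.inc
?HAS_X11: whitelist ${HOME}/special/x11
?HAS_NET: netfilter
seccomp
net none
""",
    f"{CFG}/disable-common.inc": """\
# shared blacklist, as installed by the package
blacklist ${HOME}/.mozilla
blacklist ${HOME}/.ssh
""",
    f"{USER_DIR}/firefox.local": """\
ignore net none
ignore seccomp
nowhitelist ~/special/x11
""",
    f"{CFG}/minimal.profile": "include minimal.local\nseccomp\n",
}


def expand(arg: str) -> str:
    """Expand ${HOME}, ${CFG} and a leading ~/ in a profile argument."""
    arg = arg.replace("${HOME}", HOME).replace("${CFG}", CFG)
    return HOME + arg[1:] if arg.startswith("~/") else arg


class Profile:
    def __init__(self, active: set[str]):
        self.active = active            # conditionals true for this run
        self.quiet = False
        self.ignored: list[str] = []    # commands dropped by "ignore"
        self.noblacklist: set[str] = set()
        self.nowhitelist: set[str] = set()
        self.lines: list[str] = []      # effective, macro-expanded directives

    def _resolve(self, name: str) -> str | None:
        if name.startswith("/"):
            return name if name in FILES else None
        for d in (USER_DIR, CFG):       # user config first, then ${CFG}
            if f"{d}/{name}" in FILES:
                return f"{d}/{name}"
        return None

    def load(self, path: str) -> None:
        for raw in FILES[path].splitlines():
            self.line(raw.strip())

    def line(self, line: str) -> None:
        if not line or line.startswith("#"):
            return
        if line.startswith("?"):                       # ?CONDITIONAL: line
            cond, _, rest = line[1:].partition(":")
            rest = rest.strip()
            if cond not in CONDITIONALS:
                raise ValueError(f"unknown conditional {cond}")
            if rest.split(" ", 1)[0] in ("quiet", "include"):
                raise ValueError("quiet/include cannot be conditional")
            if cond in self.active:
                self.line(rest)
            return
        cmd, _, arg = line.partition(" ")
        arg = expand(arg.strip())
        eline = f"{cmd} {arg}".strip()
        if any(eline == ig or eline.startswith(ig + " ") for ig in self.ignored):
            return                                     # dropped by "ignore"
        if cmd == "quiet":
            self.quiet = True
        elif cmd == "include":
            path = self._resolve(arg)
            if path is None:
                if arg.endswith(".local"):             # assumed: optional
                    return
                raise FileNotFoundError(arg)
            self.load(path)
        elif cmd == "ignore":
            self.ignored.append(arg)
        elif cmd == "noblacklist":
            self.noblacklist.add(arg)
        elif cmd == "nowhitelist":
            self.nowhitelist.add(arg)
        elif cmd == "blacklist" and arg in self.noblacklist:
            return
        elif cmd == "whitelist" and arg in self.nowhitelist:
            return
        else:
            self.lines.append(eline)


def load_profile(path: str, active: set[str] = frozenset()) -> Profile:
    p = Profile(set(active))
    p.load(path)
    return p
```

       Running load_profile on the constructed firefox.profile with HAS_X11
       and HAS_NET active leaves only "blacklist /home/netblue/.ssh" and
       "netfilter": the .local file's ignore lines remove seccomp and net
       none, its nowhitelist cancels the conditional whitelist, and the
       noblacklist in the profile cancels the .mozilla entry of the shared
       include.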

Filesystem

       These profile entries define the sandbox's view of the filesystem,
       built in a new mount namespace on top of the existing host filesystem.
       Each line describes a file or directory that is inaccessible
       (blacklist), a read-only file or directory (read-only), a tmpfs
       mounted on top of an existing directory (tmpfs), or a directory or
       file mount-bound on top of another directory or file (bind). Use
       private to set private mode. File globbing is supported, and the PATH
       and HOME directories are searched. Examples:

       blacklist file_or_directory
              Blacklist a directory or file. Examples:

              blacklist /usr/bin
              blacklist /usr/bin/gcc*
              blacklist ${PATH}/ifconfig
              blacklist ${HOME}/.ssh


       blacklist-nolog file_or_directory
              When the --tracelog flag is set, blacklisting generates syslog
              messages if the sandbox tries to access the file or directory.
              The blacklist-nolog command disables syslog messages for this
              particular file or directory. Examples:

              blacklist-nolog /usr/bin
              blacklist-nolog /usr/bin/gcc*


       bind directory1,directory2
              Mount-bind directory1 on top of directory2. This option is only
              available when running as root.

       bind file1,file2
              Mount-bind file1 on top of file2. This option is only available
              when running as root.

       disable-mnt
              Disable /mnt, /media, /run/mount and /run/media access.

       keep-dev-shm
              The /dev/shm directory is left untouched (even with
              private-dev).

       keep-var-tmp
              The /var/tmp directory is left untouched.

       mkdir directory
              Create a directory in the user home or under /tmp before the
              sandbox is started. The directory is created only if it doesn't
              already exist.

              Use this command for whitelisted directories you need to
              preserve when the sandbox is closed. Without it, the application
              creates the directory inside the temporary filesystem that
              whitelist mounts on top of the home, and the directory, with
              everything written to it, is deleted when the sandbox is closed.
              Subdirectories are created recursively. Example from the firefox
              profile:

              mkdir ~/.mozilla
              whitelist ~/.mozilla
              mkdir ~/.cache/mozilla/firefox
              whitelist ~/.cache/mozilla/firefox

       mkfile file
              Similar to mkdir, this command creates a file in the user home
              or under /tmp before the sandbox is started. The file is created
              only if it doesn't already exist.

       noexec file_or_directory
              Remount the file or the directory noexec, nodev and nosuid.

       overlay
              Mount a filesystem overlay on top of the current filesystem.
              The overlay is stored in the $HOME/.firejail/<PID> directory.

       overlay-named name
              Mount a filesystem overlay on top of the current filesystem.
              The overlay is stored in the $HOME/.firejail/name directory.

       overlay-tmpfs
              Mount a filesystem overlay on top of the current filesystem.
              All filesystem modifications are discarded when the sandbox is
              closed.

       private
              Mount new /root and /home/user directories in temporary
              filesystems. All modifications are discarded when the sandbox
              is closed.

       private directory
              Use directory as the user home.

       private-bin file,file
              Build a new /bin in a temporary filesystem, and copy the
              programs in the list into it. The same directory is also
              bind-mounted over /sbin, /usr/bin and /usr/sbin.

       private-cache
              Mount an empty temporary filesystem on top of the .cache
              directory in the user home. All modifications are discarded
              when the sandbox is closed.

       private-cwd
              Set the working directory inside the jail to the home
              directory, and failing that, the root directory.

       private-cwd directory
              Set the working directory inside the jail.

       private-dev
              Create a new /dev directory. Only the disc, dri, dvb, hidraw,
              null, full, zero, tty, pts, ptmx, random, snd, urandom, video,
              log, shm and usb devices are available. Use the options no3d,
              nodvd, nosound, notv, nou2f and novideo for additional
              restrictions.


       private-etc file,directory
              Build a new /etc in a temporary filesystem, and copy the files
              and directories in the list into it. All modifications are
              discarded when the sandbox is closed.

       private-home file,directory
              Build a new user home in a temporary filesystem, and copy the
              files and directories in the list into the new home. All
              modifications are discarded when the sandbox is closed.

       private-lib file,directory
              Build a new /lib directory and bring in the libraries required
              by the application to run. This feature is still under
              development, see man 1 firejail for some examples.

       private-opt file,directory
              Build a new /opt in a temporary filesystem, and copy the files
              and directories in the list into it. All modifications are
              discarded when the sandbox is closed.

       private-srv file,directory
              Build a new /srv in a temporary filesystem, and copy the files
              and directories in the list into it. All modifications are
              discarded when the sandbox is closed.

       private-tmp
              Mount an empty temporary filesystem on top of the /tmp
              directory, whitelisting /tmp/.X11-unix.

       read-only file_or_directory
              Make the directory or file read-only.

       read-write file_or_directory
              Make the directory or file read-write.

       tmpfs directory
              Mount an empty tmpfs filesystem on top of directory. This option
              is available only when running the sandbox as root.

       tracelog
              Log blacklist violations to syslog.

       whitelist file_or_directory
              Whitelist a directory or file. A temporary filesystem is
              mounted on the top directory, and the whitelisted files are
              mount-bound inside it. Modifications to whitelisted files are
              persistent; everything else is discarded when the sandbox is
              closed. The top directory can be the user home, /dev, /etc,
              /media, /mnt, /opt, /srv, /sys/module, /usr/share, /var, or
              /tmp.

              Symbolic link handling: with the exception of the user home,
              both the link and the real file must be in the same top
              directory. For the user home, both the link and the real file
              must be owned by the user.

       writable-etc
              Mount the /etc directory read-write.

       writable-run-user
              Disable the default blacklisting of /run/user/$UID/systemd and
              /run/user/$UID/gnupg.

       writable-var
              Mount the /var directory read-write.

       writable-var-log
              Use the real /var/log directory, not a clone. By default, a
              tmpfs is mounted on top of the /var/log directory, and a
              skeleton filesystem is created based on the original /var/log.



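       A check a profile author would want for the rules above, added here
       as a worked example that is not part of Firejail: a Python linter
       that flags whitelist paths outside the supported top directories,
       whitelisted home paths with no matching mkdir/mkfile, the root-only
       bind and tmpfs commands in a profile meant for a regular user, and
       backslash-escaped spaces, which the Scripting section says must not
       be used. The sample profile, the home directory and the warning texts
       are constructed for the example; whether a whitelisted directory
       already exists on disk cannot be known offline, so that warning is
       advisory.

```python
from __future__ import annotations

HOME = "/home/netblue"
# Top directories whitelist may be applied to, other than the user home.
WHITELIST_TOPS = ("/dev", "/etc", "/media", "/mnt", "/opt", "/srv",
                  "/sys/module", "/usr/share", "/var", "/tmp")
ROOT_ONLY = {"bind", "tmpfs"}

# Constructed profile with one problem per line, except lines 1, 2 and 4.
SAMPLE_PROFILE = """\
mkdir ~/.mozilla
whitelist ~/.mozilla
whitelist ~/.cache/mozilla/firefox
whitelist /usr/share/mozilla
whitelist /proc/self
blacklist ~/My\\ Virtual\\ Machines
tmpfs /var/tmp
mkdir /opt/stuff
"""


def expand(arg: str) -> str:
    """Expand a leading ~/ or ${HOME} in a profile argument."""
    return HOME + arg[1:] if arg.startswith("~/") else arg.replace("${HOME}", HOME)


def _under(path: str, top: str) -> bool:
    return path == top or path.startswith(top + "/")


def _directives(text: str):
    """Yield (line_number, command, expanded_argument) for non-comment lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            cmd, _, arg = line.partition(" ")
            yield n, cmd, expand(arg.strip())


def lint_profile(text: str, running_as_root: bool = False) -> list[str]:
    """Return warnings ("LINE: message") for a profile body, in line order."""
    # Pass 1: mkdir/mkfile run before the sandbox starts, so their position
    # relative to whitelist does not matter; collect them all first.
    created = {arg for _, cmd, arg in _directives(text) if cmd in ("mkdir", "mkfile")}
    warnings: list[str] = []
    for n, cmd, arg in _directives(text):
        if "\\ " in arg:
            warnings.append(f"{n}: escaped space in {arg!r}; spaces must be written unescaped")
        if cmd in ("mkdir", "mkfile"):
            if not (_under(arg, HOME) or _under(arg, "/tmp")):
                warnings.append(f"{n}: {cmd} only creates paths under the user home or /tmp: {arg}")
        elif cmd == "whitelist":
            if not (_under(arg, HOME) or any(_under(arg, t) for t in WHITELIST_TOPS)):
                warnings.append(f"{n}: whitelist top directory not supported: {arg}")
            elif _under(arg, HOME) and not any(_under(c, arg) for c in created):
                warnings.append(f"{n}: whitelist {arg} has no mkdir/mkfile; if it does not "
                                "exist yet, whatever the program writes there is lost on exit")
        elif cmd in ROOT_ONLY and not running_as_root:
            warnings.append(f"{n}: {cmd} is only available when running as root")
    return warnings


if __name__ == "__main__":
    for w in lint_profile(SAMPLE_PROFILE):
        print(w)
```

       A mkdir deeper than the whitelisted path also counts as covering it,
       since creating ~/.cache/mozilla/firefox creates ~/.cache/mozilla on
       the way.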
Security filters

       The following security filters are currently implemented:


       allow-debuggers
              Allow tools such as strace and gdb inside the sandbox by
              whitelisting the ptrace and process_vm_readv system calls.

       apparmor
              Enable AppArmor confinement.

       caps   Enable the default Linux capabilities filter.

       caps.drop capability,capability,capability
              Blacklist the given Linux capabilities.

       caps.drop all
              Blacklist all Linux capabilities.

       caps.keep capability,capability,capability
              Whitelist the given Linux capabilities; all others are dropped.

       memory-deny-write-execute
              Install a seccomp filter to block attempts to create memory
              mappings that are both writable and executable, to change
              mappings to be executable, or to create executable shared
              memory.

       nonewprivs
              Sets the NO_NEW_PRIVS prctl. This ensures that child processes
              cannot acquire new privileges using execve(2); in particular,
              this means that calling a suid binary (or one with file
              capabilities) does not result in an increase of privilege. The
              flag cannot be cleared again and is inherited across fork(2)
              and execve(2).

       noroot Use this command to enable a user namespace. The namespace has
              only one user, the current user. There is no root account (uid
              0) defined in the namespace.

       protocol protocol1,protocol2,protocol3
              Enable the protocol filter. The filter is based on seccomp and
              checks the first argument (the address family) of the socket(2)
              system call. Recognized values: unix, inet, inet6, netlink and
              packet.

       seccomp
              Enable the seccomp filter and blacklist the syscalls in the
              default list. See man 1 firejail for more details.

       seccomp syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list on top of the default seccomp filter.

       seccomp.block-secondary
              Enable the seccomp filter and filter system call architectures
              so that only the native architecture is allowed.

       seccomp.drop syscall,syscall,syscall
              Enable the seccomp filter and blacklist only the system calls
              in the list.

       seccomp.keep syscall,syscall,syscall
              Enable the seccomp filter and whitelist only the system calls
              in the list.

       x11    Enable X11 sandboxing.

       x11 none
              Blacklist the /tmp/.X11-unix directory, ${HOME}/.Xauthority and
              the file specified in the ${XAUTHORITY} environment variable.
              Remove the DISPLAY and XAUTHORITY environment variables. Stop
              with an error message if the X11 abstract socket would still be
              accessible in the jail.

       x11 xephyr
              Enable X11 sandboxing with a Xephyr server.

       x11 xorg
              Enable X11 sandboxing with the X11 security extension.

       x11 xpra
              Enable X11 sandboxing with an Xpra server.

       x11 xvfb
              Enable X11 sandboxing with an Xvfb server.

       xephyr-screen WIDTHxHEIGHT
              Set the screen size for x11 xephyr. This command should be
              included in the profile file before the x11 xephyr command.

              Example:

              xephyr-screen 640x480
              x11 xephyr




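       The nonewprivs entry, as an added example that is not Firejail code:
       what the flag does at the kernel level, and the check a practitioner
       runs against a sandboxed process. The script sets PR_SET_NO_NEW_PRIVS
       in a forked child with prctl(2), then reads NoNewPrivs from
       /proc/PID/status in a grandchild to show that the flag is inherited.
       It is Linux only and returns None elsewhere; the prctl constant is
       the value from <linux/prctl.h>; no Firejail installation is needed.

```python
from __future__ import annotations
import ctypes
import os
import sys

PR_SET_NO_NEW_PRIVS = 38  # <linux/prctl.h>


def no_new_privs_of(pid: int | str = "self") -> int:
    """Read the NoNewPrivs flag of a process from /proc (Linux only).

    Run this against the PID of a Firejail sandbox to confirm that the
    profile's nonewprivs line took effect.
    """
    with open(f"/proc/{pid}/status") as status:
        for line in status:
            if line.startswith("NoNewPrivs:"):
                return int(line.split()[1])
    raise RuntimeError("kernel does not report NoNewPrivs")


def demo_no_new_privs() -> int | None:
    """Set NO_NEW_PRIVS in a child and report what the child's child sees.

    Returns the grandchild's NoNewPrivs value (1 when inherited), or None on
    non-Linux systems.  The flag is set in a child so the calling process is
    left untouched: once set it cannot be cleared.
    """
    if not sys.platform.startswith("linux"):
        return None
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child
        os.close(rfd)
        libc = ctypes.CDLL(None, use_errno=True)   # libc is already loaded
        if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
            os._exit(1)
        gpid = os.fork()
        if gpid == 0:                              # grandchild: inherits flag
            os.write(wfd, str(no_new_privs_of()).encode())
            os._exit(0)
        os.waitpid(gpid, 0)
        os._exit(0)
    os.close(wfd)                                  # parent
    data = os.read(rfd, 16)
    os.close(rfd)
    os.waitpid(pid, 0)
    return int(data) if data else None


if __name__ == "__main__":
    if sys.platform.startswith("linux"):
        print("this process NoNewPrivs:", no_new_privs_of())
    print("grandchild NoNewPrivs after prctl in child:", demo_no_new_privs())
```

       With the flag set, an execve(2) of a setuid binary inside the sandbox
       runs it with the caller's uid; the same flag is also what allows an
       unprivileged process to install a seccomp filter, which is why
       Firejail's seccomp commands depend on it.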
Resource limits, CPU affinity, Control Groups

       These profile entries define the limits on system resources (rlimits)
       for the processes inside the sandbox. The limits can be modified
       inside the sandbox using the regular ulimit command (an unprivileged
       process inside the sandbox can lower them, but cannot raise a hard
       limit). The cpu command configures the CPU cores available, and the
       cgroup command places the sandbox in an existing control group.

       Examples:


       cgroup /sys/fs/cgroup/g1/tasks
              The sandbox is placed in the g1 control group.

       cpu 0,1,2
              Use only CPU cores 0, 1 and 2.

       nice -5
              Set a nice value of -5 for all processes running inside the
              sandbox.

       rlimit-as 123456789012
              Set the maximum size of the process's virtual memory to
              123456789012 bytes.

       rlimit-cpu 123
              Set the maximum CPU time to 123 seconds.

       rlimit-fsize 1024
              Set the maximum file size that can be created by a process to
              1024 bytes.

       rlimit-nproc 1000
              Set the maximum number of processes that can be created for the
              real user ID of the calling process to 1000.

       rlimit-nofile 500
              Set the maximum number of files that can be opened by a process
              to 500.

       rlimit-sigpending 200
              Set the maximum number of signals that may be queued for the
              real user ID of the calling process to 200.

       timeout hh:mm:ss
              Kill the sandbox automatically after the time has elapsed. The
              time is specified in hours:minutes:seconds format.


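       The rlimit entries above, as an added worked example that is not part
       of Firejail: a Python script that maps rlimit-* profile lines onto
       setrlimit(2) through the resource module, applies them in a forked
       child the way the limits apply inside a sandbox, and then lets the
       child prove that rlimit-fsize bites by writing past it (the kernel
       truncates the first write to the limit and refuses the next one with
       EFBIG once SIGXFSZ is ignored). The profile text is constructed;
       RLIMIT_SIGPENDING is skipped where Python does not expose it.

```python
from __future__ import annotations
import errno
import json
import os
import resource
import signal
import tempfile

EFBIG = errno.EFBIG

# Profile command -> resource constant (None where the platform lacks it).
RLIMITS = {
    "rlimit-as": resource.RLIMIT_AS,
    "rlimit-cpu": resource.RLIMIT_CPU,
    "rlimit-fsize": resource.RLIMIT_FSIZE,
    "rlimit-nproc": resource.RLIMIT_NPROC,
    "rlimit-nofile": resource.RLIMIT_NOFILE,
    "rlimit-sigpending": getattr(resource, "RLIMIT_SIGPENDING", None),
}

# Constructed profile fragment.
SAMPLE_PROFILE = """\
rlimit-nofile 256
rlimit-fsize 1024
rlimit-cpu 60
"""


def parse_rlimits(profile: str) -> dict[str, int]:
    """Return {command: value} for the rlimit-* lines of a profile."""
    out: dict[str, int] = {}
    for raw in profile.splitlines():
        cmd, _, arg = raw.strip().partition(" ")
        if cmd in RLIMITS and RLIMITS[cmd] is not None:
            out[cmd] = int(arg)
    return out


def apply_rlimits(limits: dict[str, int]) -> dict[str, list[int]]:
    """setrlimit soft=hard=value for each entry; return what getrlimit reports."""
    for cmd, value in limits.items():
        resource.setrlimit(RLIMITS[cmd], (value, value))
    return {cmd: list(resource.getrlimit(RLIMITS[cmd])) for cmd in limits}


def _child_report(profile: str) -> dict:
    limits = parse_rlimits(profile)
    report: dict = {"limits": apply_rlimits(limits)}
    if "rlimit-fsize" in limits:
        # Ignore SIGXFSZ so the over-limit write fails with EFBIG instead of
        # killing the process.
        signal.signal(signal.SIGXFSZ, signal.SIG_IGN)
        fd, path = tempfile.mkstemp()
        written = 0
        try:
            while True:
                written += os.write(fd, b"x" * 4096)
        except OSError as exc:
            report["fsize_errno"] = exc.errno
        finally:
            os.close(fd)
            os.unlink(path)
        report["bytes_written"] = written
    return report


def run_in_child(profile: str) -> dict:
    """Apply the profile's rlimits in a forked child and report back as JSON."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(rfd)
        try:
            report = _child_report(profile)
        except Exception as exc:           # surface child failures to the parent
            report = {"error": repr(exc)}
        os.write(wfd, json.dumps(report).encode())
        os._exit(0)
    os.close(wfd)
    chunks = []
    while chunk := os.read(rfd, 4096):
        chunks.append(chunk)
    os.close(rfd)
    os.waitpid(pid, 0)
    return json.loads(b"".join(chunks))


if __name__ == "__main__":
    print(json.dumps(run_in_child(SAMPLE_PROFILE), indent=2))
```

       Setting soft and hard to the same value is what makes the limit stick
       for an unprivileged program inside the sandbox: ulimit can lower it
       further but not raise it back.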
User Environment

       allusers
              All user home directories are visible inside the sandbox. By
              default, only the current user's home directory is visible.


       env name=value
              Set an environment variable. Examples:

              env LD_LIBRARY_PATH=/opt/test/lib
              env CFLAGS="-W -Wall -Werror"


       ipc-namespace
              Enable an IPC namespace.

       name sandboxname
              Set the sandbox name. Example:

              name browser


       no3d   Disable 3D hardware acceleration.

       noautopulse
              Disable the automatic ~/.config/pulse init, for complex setups
              such as remote pulse servers or non-standard socket paths.

       nodbus Disable D-Bus access. Only the regular UNIX socket is handled by
              this command. To disable the abstract socket as well, you need
              to request a new network namespace using the net command.
              Another option is to remove unix from the protocol set.

       nodvd  Disable DVD and audio CD devices.

       nogroups
              Disable supplementary user groups.

       nosound
              Disable the sound system.

       notv   Disable DVB (Digital Video Broadcasting) TV devices.

       nou2f  Disable U2F devices.

       novideo
              Disable video devices.

       shell none
              Run the program directly, without a shell.




Networking

       Networking features available in profile files.


       defaultgw address
              Use this address as the default gateway in the new network
              namespace.


       dns address
              Set a DNS server for the sandbox. Up to three DNS servers can be
              defined.


       hostname name
              Set a hostname for the sandbox.


       hosts-file file
              Use file as /etc/hosts.


       ip address
              Assign an IP address to the last network interface defined by a
              net command. A default gateway is assigned by default.

              Example:
              net eth0
              ip 10.10.20.56


       ip none
              No IP address and no default gateway are configured for the last
              interface defined by a net command. Use this option in case you
              intend to start an external DHCP client in the sandbox.

              Example:
              net eth0
              ip none


       ip6 address
              Assign an IPv6 address to the last network interface defined by
              a net command.

              Example:
              net eth0
              ip6 2001:0db8:0:f101::1/64


       iprange address,address
              Assign an IP address in the provided range to the last network
              interface defined by a net command. A default gateway is
              assigned by default.

              Example:

              net eth0
              iprange 192.168.1.150,192.168.1.160


       mac address
              Assign a MAC address to the last network interface defined by a
              net command.


       machine-id
              Spoof the id number in the /etc/machine-id file - a new random
              id is generated inside the sandbox.


       mtu number
              Assign an MTU value to the last network interface defined by a
              net command.


       net bridge_interface
              Enable a new network namespace and connect it to this bridge
              interface. Unless specified with the ip and defaultgw commands,
              an IP address and a default gateway will be assigned
              automatically to the sandbox. The IP address is verified using
              ARP before assignment. The address configured as default
              gateway is the bridge device IP address. Up to four net bridge
              devices can be defined. Mixing bridge and macvlan devices is
              allowed.


       net ethernet_interface|wireless_interface
              Enable a new network namespace and connect it to this ethernet
              interface using the standard Linux macvlan or ipvlan driver.
              Unless specified with the ip and defaultgw commands, an IP
              address and a default gateway will be assigned automatically to
              the sandbox. The IP address is verified using ARP before
              assignment. The address configured as default gateway is the
              default gateway of the host. Up to four net devices can be
              defined. Mixing bridge and macvlan devices is allowed.


       net none
              Enable a new, unconnected network namespace. The only interface
              available in the new namespace is a new loopback interface (lo).
              Use this option to deny network access to programs that don't
              really need network access.


       net tap_interface
              Enable a new network namespace and connect it to this ethernet
              tap interface using the standard Linux macvlan driver. If the
              tap interface is not configured, the sandbox will not try to
              configure the interface inside the sandbox. Please use ip,
              netmask and defaultgw to specify the configuration.


       netfilter
              If a new network namespace is created, enable the default
              network filter.


       netfilter filename
              If a new network namespace is created, enable the network
              filter in filename.



       netmask address
              Use this option when you want to assign an IP address in a new
              namespace and the parent interface specified by net is not
              configured. An IP address and a default gateway address also
              have to be added.


       veth-name name
              Use this name for the interface connected to the bridge for
              net bridge_interface commands, instead of the default one.



Other

       deterministic-exit-code
              Always exit firejail with the first child's exit status. The
              default behavior is to use the exit status of the final child
              to exit, which can be nondeterministic.


       join-or-start sandboxname
              Join the sandbox identified by name or start a new one. Same as
              the "firejail --join=sandboxname" command if a sandbox with the
              specified name exists, otherwise the same as "name sandboxname".



FILES

       /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile



LICENSE

       Firejail is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       Homepage: https://firejail.wordpress.com


SEE ALSO

       firejail(1), firemon(1), firecfg(1), firejail-login(5),
       firejail-users(5)



0.9.62                             Feb 2020                FIREJAIL-PROFILE(5)