1FIREJAIL(1)                    firejail man page                   FIREJAIL(1)
2
3
4

NAME

6       Firejail - Linux namespaces sandbox program
7

SYNOPSIS

9       Start a sandbox:
10
11              firejail [OPTIONS] [program and arguments]
12
13       Start an AppImage program:
14
15              firejail [OPTIONS] --appimage [appimage-file and arguments]
16
17       File transfer from an existing sandbox
18
19              firejail {--ls | --get | --put | --cat} dir_or_filename
20
21       Network traffic shaping for an existing sandbox:
22
23              firejail --bandwidth={name|pid} bandwidth-command
24
25       Monitoring:
26
27              firejail {--list | --netstats | --top | --tree}
28
29       Miscellaneous:
30
31              firejail  {-? | --debug-caps | --debug-errnos | --debug-syscalls
32              | --debug-syscalls32 | --debug-protocols | --help | --version}
33

DESCRIPTION

35       Firejail is a SUID sandbox program that reduces the  risk  of  security
36       breaches  by  restricting the running environment of untrusted applica‐
37       tions using Linux namespaces, seccomp-bpf and Linux  capabilities.   It
38       allows a process and all its descendants to have their own private view
39       of the globally shared kernel resources, such  as  the  network  stack,
40       process table, mount table.  Firejail can work in a SELinux or AppArmor
41       environment, and it is integrated with Linux Control Groups.
42
43       Written in C with virtually no dependencies, the software runs  on  any
44       Linux  computer with a 3.x kernel version or newer.  It can sandbox any
45       type of processes: servers, graphical applications, and even user login
46       sessions.
47
48       Firejail  allows the user to manage application security using security
49       profiles.  Each profile defines a set of  permissions  for  a  specific
50       application  or  group  of applications. The software includes security
51       profiles for a number of more common Linux programs,  such  as  Mozilla
52       Firefox, Chromium, VLC, Transmission etc.
53
54       Alternative  sandbox technologies like snap (https://snapcraft.io/) and
55       flatpak (https://flatpak.org/) are  not  supported.  Snap  and  flatpak
56       packages  have their own native management tools and will not work when
57       sandboxed with Firejail.
58
59

USAGE

61       Without any options, the sandbox consists of a filesystem  build  in  a
62       new  mount  namespace, and new PID and UTS namespaces. IPC, network and
63       user namespaces can be  added  using  the  command  line  options.  The
64       default  Firejail  filesystem  is based on the host filesystem with the
65       main system directories mounted read-only. These directories are  /etc,
66       /var,  /usr,  /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home
67       and /tmp are writable.
68
69       Upon execution Firejail first looks in ~/.config/firejail/ for  a  pro‐
70       file  and if it doesn't find one, it looks in /etc/firejail/.  For pro‐
71       file   resolution   detail    see    https://github.com/netblue30/fire
72       jail/wiki/Creating-Profiles#locations-and-types.    If  an  appropriate
73       profile is not found, Firejail will use a default profile.  The default
74       profile is quite restrictive. In case the application doesn't work, use
75       --noprofile option to disable it.  For  more  information,  please  see
76       SECURITY PROFILES section below.
77
78       If  a  program  argument  is  not  specified, Firejail starts /bin/bash
79       shell.  Examples:
80
81       $ firejail [OPTIONS]                # starting a /bin/bash shell
82
83       $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
84
85       # sudo firejail [OPTIONS] /etc/init.d/nginx start
86
87

OPTIONS

89       --     Signal the end of options and disables further  option  process‐
90              ing.
91
92       --allow-debuggers
93              Allow  tools  such  as  strace  and  gdb  inside  the sandbox by
94              whitelisting system  calls  ptrace  and  process_vm_readv.  This
95              option  is  only  available when running on Linux kernels 4.8 or
96              newer - a kernel bug in ptrace system call allows a full  bypass
97              of the seccomp filter.
98
99              Example:
100              $   firejail    --allow-debuggers  --profile=/etc/firejail/fire‐
101              fox.profile strace -f firefox
102
103       --allusers
104              All directories under /home are visible inside the  sandbox.  By
105              default, only current user home directory is visible.
106
107              Example:
108              $ firejail --allusers
109
110       --appimage
111              Sandbox  an AppImage (https://appimage.org/) application. If the
112              sandbox is started as a regular user, nonewprivs and  a  default
113              capabilities  filter  are  enabled.  private-bin and private-lib
114              are disabled by default when running appimages.
115
116              Example:
117              $ firejail --appimage krita-3.0-x86_64.appimage
118              $ firejail --appimage --private krita-3.0-x86_64.appimage
119              #ifdef  HAVE_X11  $   firejail   --appimage   --net=none   --x11
120              krita-3.0-x86_64.appimage
121
122       --audit
123              Audit the sandbox, see AUDIT section for more details.
124
125       --audit=test-program
126              Audit the sandbox, see AUDIT section for more details.
127
128       --bandwidth=name|pid
129              Set  bandwidth limits for the sandbox identified by name or PID,
130              see TRAFFIC SHAPING section for more details.
131
132       --bind=filename1,filename2
133              Mount-bind filename1 on top of filename2. This  option  is  only
134              available when running as root.
135
136              Example:
137              # firejail --bind=/config/etc/passwd,/etc/passwd
138
139       --blacklist=dirname_or_filename
140              Blacklist  directory  or  file.  File globbing is supported, see
141              FILE GLOBBING section for more details.
142
143              Example:
144              $ firejail --blacklist=/sbin --blacklist=/usr/sbin
145              $ firejail --blacklist=~/.mozilla
146              $ firejail "--blacklist=/home/username/My Virtual Machines"
147              $ firejail --blacklist=/home/username/My\ Virtual\ Machines
148
149       --build
150              The command builds a whitelisted profile. The profile is printed
151              on the screen. If /usr/bin/strace is installed on the system, it
152              also builds a whitelisted seccomp profile. The program is run in
153              a  very  relaxed sandbox, with only --caps.drop=all and --nonew‐
154              privs. Programs that raise user privileges are not supported  in
155              order  to  allow  strace  to  run.  Chromium  and Chromium-based
156              browsers will not work.
157
158              Example:
159              $ firejail --build vlc ~/Videos/test.mp4
160
161       --build=profile-file
162              The command builds a whitelisted profile, and saves it  in  pro‐
163              file-file.  If  /usr/bin/strace  is  installed on the system, it
164              also builds a whitelisted seccomp profile. The program is run in
165              a  very  relaxed sandbox, with only --caps.drop=all and --nonew‐
166              privs. Programs that raise user privileges are not supported  in
167              order  to  allow  strace  to  run.  Chromium  and Chromium-based
168              browsers will not work.
169
170              Example:
171              $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
172
173       -c     Login shell compatibility option. This option  is  use  by  some
174              login  programs  when  executing  the  login shell, such as when
175              firejail is used as a restricted login shell. It currently  does
176              not change the execution of firejail.
177
178       --caps Linux  capabilities is a kernel feature designed to split up the
179              root privilege into a set of distinct privileges.  These  privi‐
180              leges can be enabled or disabled independently, thus restricting
181              what a process running as root can do in the system.
182
183              By default root programs  run  with  all  capabilities  enabled.
184              --caps  option disables the following capabilities: CAP_SYS_MOD‐
185              ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
186              FIG,   CAP_SYSLOG,  CAP_MKNOD,  CAP_SYS_ADMIN.   The  filter  is
187              applied to all processes started in the sandbox.
188
189              Example:
190              $ sudo firejail --caps /etc/init.d/nginx start
191
192
193       --caps.drop=all
194              Drop all capabilities for the processes running in the  sandbox.
195              This option is recommended for running GUI programs or any other
196              program that doesn't require root privileges. It is a  must-have
197              option  for sandboxing untrusted programs installed from unoffi‐
198              cial sources - such as games, Java programs, etc.
199
200              Example:
201              $ firejail --caps.drop=all warzone2100
202
203
204       --caps.drop=capability,capability,capability
205              Define a custom blacklist Linux capabilities filter.
206
207              Example:
208              $ firejail --caps.drop=net_broadcast,net_admin,net_raw
209
210
211       --caps.keep=capability,capability,capability
212              Define a custom whitelist Linux capabilities filter.
213
214              Example:
215              $  sudo   firejail   --caps.keep=chown,net_bind_service,setgid,\
216              setuid /etc/init.d/nginx start
217
218
219       --caps.print=name|pid
220              Print  the  caps filter for the sandbox identified by name or by
221              PID.
222
223              Example:
224              $ firejail --name=mygame --caps.drop=all warzone2100 &
225              $ firejail --caps.print=mygame
226
227              Example:
228              $ firejail --list
229              3272:netblue::firejail --private firefox
230              $ firejail --caps.print=3272
231
232
233       --cat=name|pid filename
234              Print content of file from sandbox container, see FILE  TRANSFER
235              section for more details.
236
237       --cgroup=tasks-file
238              Place  the sandbox in the specified control group. tasks-file is
239              the full path of cgroup tasks file.
240
241              Example:
242              # firejail --cgroup=/sys/fs/cgroup/g1/tasks
243
244       --chroot=dirname
245              Chroot the sandbox into a root filesystem.  Unlike  the  regular
246              filesystem  container,  the system directories are mounted read-
247              write. If the sandbox is started as a regular  user,  nonewprivs
248              and a default capabilities filter are enabled.
249
250              Example:
251              $ firejail --chroot=/media/ubuntu warzone2100
252
253       --cpu=cpu-number,cpu-number,cpu-number
254              Set CPU affinity.
255
256              Example:
257              $ firejail --cpu=0,1 handbrake
258
259
260       --cpu.print=name|pid
261              Print  the CPU cores in use by the sandbox identified by name or
262              by PID.
263
264              Example:
265              $ firejail --name=mygame --caps.drop=all warzone2100 &
266              $ firejail --cpu.print=mygame
267
268              Example:
269              $ firejail --list
270              3272:netblue::firejail --private firefox
271              $ firejail --cpu.print=3272
272
273       --dbus-log=file
274              Specify the location for the DBus log file.
275
276              The log file contains events for both  the  system  and  session
277              buses  if  both  of  the  --dbus-sysem.log  and  --dbus-user.log
278              options are specified. If no log file path is  given,  logs  are
279              written to the standard output instead.
280
281              Example:
282              $ firejail --dbus-system=filter --dbus-system.log \
283              --dbus-log=dbus.txt
284
285
286       --dbus-system=filter|none
287              Set system DBus sandboxing policy.
288
289              The  filter  policy  enables the system DBus filter. This option
290              requires installing the xdg-dbus-proxy utility. Permissions  for
291              well-known  can  be  specified  with  the --dbus-system.talk and
292              --dbus-system.own options.
293
294              The none policy disables access to the system DBus.
295
296              Only the regular system DBus UNIX  socket  is  handled  by  this
297              option.  To disable the abstract sockets (and force applications
298              to use the filtered UNIX socket) you would need to request a new
299              network  namespace  using  --net  command.  Another option is to
300              remove unix from the --protocol set.
301
302              Example:
303              $ firejail --dbus-system=none
304
305
306       --dbus-system.broadcast=name=[member][@path]
307              Allows  the  application  to  receive  broadcast  signals   from
308              theindicated  interface  member  at  the  indicated  object path
309              exposed by the indicated bus name on the system DBus.  The  name
310              may have a .* suffix to match all names underneath it, including
311              itself.  The interface member may have a .* to match all members
312              of  an interface, or be * to match all interfaces.  The path may
313              have a /* suffix to indicate all objects underneath it,  includ‐
314              ing  itself.   Omitting  the interface member or the object path
315              will match all members and object paths, respectively.
316
317              Example:
318              $ firejail --dbus-system=filter --dbus-system.broadcast=\
319              org.freedesktop.Notifications=\
320              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
321
322
323       --dbus-system.call=name=[member][@path]
324              Allows the application to call the indicated interface member at
325              the  indicated  object path exposed by the indicated bus name on
326              the system DBus.  The name may have a .*  suffix  to  match  all
327              names underneath it, including itself.  The interface member may
328              have a .* to match all members of an interface, or be * to match
329              all  interfaces.   The path may have a /* suffix to indicate all
330              objects underneath it, including itself.  Omitting the interface
331              member  or  the  object  path  will match all members and object
332              paths, respectively.
333
334              Example:
335              $ firejail --dbus-system=filter --dbus-system.call=\
336              org.freedesktop.Notifications=\
337              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
338
339
340       --dbus-system.log
341              Turn on DBus logging for the system DBus. This  option  requires
342              --dbus-system=log.
343
344              Example:
345              $ firejail --dbus-system=filter --dbus-system.log
346
347
348       --dbus-system.own=name
349              Allows  the  application to own the specified well-known name on
350              the system DBus.  The name may have a .*  suffix  to  match  all
351              names  underneath it, including itself (e.g. "foo.bar.*" matches
352              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
353              bar").
354
355              Example:
356              $ firejail --dbus-system=filter --dbus-system.own=\
357              org.gnome.ghex.*
358
359
360       --dbus-system.see=name
361              Allows  the  application  to  see, but not talk to the specified
362              well-known name on the system DBus.  The name may have a .* suf‐
363              fix  to  match  all  names underneath it, including itself (e.g.
364              "foo.bar.*"     matches     "foo.bar",     "foo.bar.baz"     and
365              "foo.bar.baz.quux", but not "foobar").
366
367              Example:
368              $ firejail --dbus-system=filter --dbus-system.see=\
369              org.freedesktop.Notifications
370
371
372       --dbus-system.talk=name
373              Allows  the application to talk to the specified well-known name
374              on the system DBus.  The name may have a .* suffix to match  all
375              names  underneath it, including itself (e.g. "foo.bar.*" matches
376              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
377              bar").
378
379              Example:
380              $ firejail --dbus-system=filter --dbus-system.talk=\
381              org.freedesktop.Notifications
382
383
384       --dbus-user=filter|none
385              Set session DBus sandboxing policy.
386
387              The  filter  policy enables the session DBus filter. This option
388              requires installing the xdg-dbus-proxy utility. Permissions  for
389              well-known  names  can  be  added  with the --dbus-user.talk and
390              --dbus-user.own options.
391
392              The none policy disables access to the session DBus.
393
394              Only the regular session DBus UNIX socket  is  handled  by  this
395              option.  To disable the abstract sockets (and force applications
396              to use the filtered UNIX socket) you would need to request a new
397              network  namespace  using  --net  command.  Another option is to
398              remove unix from the --protocol set.
399
400              Example:
401              $ firejail --dbus-user=none
402
403
404       --dbus-user.broadcast=name=[member][@path]
405              Allows  the  application  to  receive  broadcast  signals   from
406              theindicated  interface  member  at  the  indicated  object path
407              exposed by the indicated bus name on the session DBus.  The name
408              may have a .* suffix to match all names underneath it, including
409              itself.  The interface member may have a .* to match all members
410              of  an interface, or be * to match all interfaces.  The path may
411              have a /* suffix to indicate all objects underneath it,  includ‐
412              ing  itself.   Omitting  the interface member or the object path
413              will match all members and object paths, respectively.
414
415              Example:
416              $ firejail --dbus-user=filter --dbus-user.broadcast=\
417              org.freedesktop.Notifications=\
418              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
419
420
421       --dbus-user.call=name=[member][@path]
422              Allows the application to call the indicated interface member at
423              the  indicated  object path exposed by the indicated bus name on
424              the session DBus.  The name may have a .* suffix  to  match  all
425              names underneath it, including itself.  The interface member may
426              have a .* to match all members of an interface, or be * to match
427              all  interfaces.   The path may have a /* suffix to indicate all
428              objects underneath it, including itself.  Omitting the interface
429              member  or  the  object  path  will match all members and object
430              paths, respectively.
431
432              Example:
433              $ firejail --dbus-user=filter --dbus-user.call=\
434              org.freedesktop.Notifications=\
435              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
436
437
438       --dbus-user.log
439              Turn on DBus logging for the session DBus. This option  requires
440              --dbus-user=log.
441
442              Example:
443              $ firejail --dbus-user=filter --dbus-user.log
444
445
446       --dbus-user.own=name
447              Allows  the  application to own the specified well-known name on
448              the session DBus.  The name may have a .* suffix  to  match  all
449              names  underneath it, including itself (e.g. "foo.bar.*" matches
450              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
451              bar").
452
453              Example:
454              $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
455
456
457       --dbus-user.talk=name
458              Allows  the application to talk to the specified well-known name
459              on the session DBus.  The name may have a .* suffix to match all
460              names  underneath it, including itself (e.g. "foo.bar.*" matches
461              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
462              bar").
463
464              Example:
465              $ firejail --dbus-user=filter --dbus-user.talk=\
466              org.freedesktop.Notifications
467
468
469       --dbus-user.see=name
470              Allows  the  application  to  see, but not talk to the specified
471              well-known name on the session DBus.  The name  may  have  a  .*
472              suffix  to match all names underneath it, including itself (e.g.
473              "foo.bar.*"     matches     "foo.bar",     "foo.bar.baz"     and
474              "foo.bar.baz.quux", but not "foobar").
475
476              Example:
477              $ firejail --dbus-user=filter --dbus-user.see=\
478              org.freedesktop.Notifications
479
480       --debug
481              Print debug messages.
482
483              Example:
484              $ firejail --debug firefox
485
486
487       --debug-blacklists
488              Debug blacklisting.
489
490              Example:
491              $ firejail --debug-blacklists firefox
492
493
494       --debug-caps
495              Print  all recognized capabilities in the current Firejail soft‐
496              ware build and exit.
497
498              Example:
499              $ firejail --debug-caps
500
501
502       --debug-errnos
503              Print all recognized error numbers in the current Firejail soft‐
504              ware build and exit.
505
506              Example:
507              $ firejail --debug-errnos
508
509       --debug-private-lib
510              Debug messages for --private-lib option.
511
512       --debug-protocols
513              Print  all recognized protocols in the current Firejail software
514              build and exit.
515
516              Example:
517              $ firejail --debug-protocols
518
519       --debug-syscalls
520              Print all recognized system calls in the current Firejail  soft‐
521              ware build and exit.
522
523              Example:
524              $ firejail --debug-syscalls
525
526       --debug-syscalls32
527              Print all recognized 32 bit system calls in the current Firejail
528              software build and exit.
529
530       --debug-whitelists
531              Debug whitelisting.
532
533              Example:
534              $ firejail --debug-whitelists firefox
535
536       --defaultgw=address
537              Use this address as default gateway in the  new  network  names‐
538              pace.
539
540              Example:
541              $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
542
543       --disable-mnt
544              Blacklist /mnt, /media, /run/mount and /run/media access.
545
546              Example:
547              $ firejail --disable-mnt firefox
548
549
550       --deterministic-exit-code
551              Always  exit  firejail  with  the first child's exit status. The
552              default behavior is to use the exit status of the final child to
553              exit, which can be nondeterministic.
554
555
556       --dns=address
557              Set a DNS server for the sandbox. Up to three DNS servers can be
558              defined.  Use this option if you don't trust the  DNS  setup  on
559              your network.
560
561              Example:
562              $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
563
564              Note: this feature is not supported on systemd-resolved setups.
565
566       --dns.print=name|pid
567              Print  DNS  configuration for a sandbox identified by name or by
568              PID.
569
570              Example:
571              $ firejail --name=mygame --caps.drop=all warzone2100 &
572              $ firejail --dns.print=mygame
573
574              Example:
575              $ firejail --list
576              3272:netblue::firejail --private firefox
577              $ firejail --dns.print=3272
578
579
580       --env=name=value
581              Set environment variable in the new sandbox.
582
583              Example:
584              $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
585
586
587       --fs.print=name|pid
588              Print the filesystem log for the sandbox identified by  name  or
589              by PID.
590
591              Example:
592              $ firejail --name=mygame --caps.drop=all warzone2100 &
593              $ firejail --fs.print=mygame
594
595              Example:
596              $ firejail --list
597              3272:netblue::firejail --private firefox
598              $ firejail --fs.print=3272
599
600
601       --get=name|pid filename
602              Get a file from sandbox container, see FILE TRANSFER section for
603              more details.
604
605       -?, --help
606              Print options end exit.
607
608
609
610       --hostname=name
611              Set sandbox hostname.
612
613              Example:
614              $ firejail --hostname=officepc firefox
615
616
617       --hosts-file=file
618              Use file as /etc/hosts.
619
620              Example:
621              $ firejail --hosts-file=~/myhosts firefox
622
623
624       --ignore=command
625              Ignore command in profile file.
626
627              Example:
628              $ firejail --ignore=shell --ignore=seccomp firefox
629              $ firejail --ignore="net eth0" firefox
630
631
632       --interface=interface
633              Move interface in a new network namespace. Up to  four  --inter‐
634              face  options can be specified.  Note: wlan devices are not sup‐
635              ported for this option.
636
637              Example:
638              $ firejail --interface=eth1 --interface=eth0.vlan100
639
640
641       --ip=address
642              Assign IP addresses to the last network interface defined  by  a
643              --net option. A default gateway is assigned by default.
644
645              Example:
646              $ firejail --net=eth0 --ip=10.10.20.56 firefox
647
648
649       --ip=none
650              No IP address and no default gateway are configured for the last
651              interface defined by a --net option. Use this option in case you
652              intend to start an external DHCP client in the sandbox.
653
654              Example:
655              $ firejail --net=eth0 --ip=none
656
657              If  the  corresponding interface doesn't have an IP address con‐
658              figured, this option is enabled by default.
659
660
661       --ip=dhcp
662              Acquire an IP address and default gateway for the last interface
663              defined  by  a  --net  option,  as  well  as set the DNS servers
664              according to the DHCP response.  This option  requires  the  ISC
665              dhclient DHCP client to be installed and will start it automati‐
666              cally inside the sandbox.
667
668              Example:
669              $ firejail --net=br0 --ip=dhcp
670
671              This option should not be used in  conjunction  with  the  --dns
672              option  if  the  DHCP server is set to configure DNS servers for
673              the clients, because the manually specified DNS servers will  be
674              overwritten.
675
676              The DHCP client will NOT release the DHCP lease when the sandbox
677              terminates.  If your DHCP server requires leases to  be  explic‐
678              itly  released, consider running a DHCP client and releasing the
679              lease manually in conjunction with the --net=none option.
680
681
682       --ip6=address
683              Assign IPv6 addresses to the last network interface defined by a
684              --net option.
685
686              Example:
687              $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
688
689              Note:  you don't need this option if you obtain your ip6 address
690              from router via SLAAC (your ip6 address and default  route  will
691              be configured by kernel automatically).
692
693
694       --ip6=dhcp
695              Acquire  an IPv6 address and default gateway for the last inter‐
696              face defined by a --net option, as well as set the  DNS  servers
697              according  to  the  DHCP response.  This option requires the ISC
698              dhclient DHCP client to be installed and will start it automati‐
699              cally inside the sandbox.
700
701              Example:
702              $ firejail --net=br0 --ip6=dhcp
703
704              This  option  should  not  be used in conjunction with the --dns
705              option if the DHCP server is set to configure  DNS  servers  for
706              the  clients, because the manually specified DNS servers will be
707              overwritten.
708
709              The DHCP client will NOT release the DHCP lease when the sandbox
710              terminates.   If  your DHCP server requires leases to be explic‐
711              itly released, consider running a DHCP client and releasing  the
712              lease manually.
713
714
715       --iprange=address,address
716              Assign  an  IP address in the provided range to the last network
717              interface defined by  a  --net  option.  A  default  gateway  is
718              assigned by default.
719
720              Example:
721              $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
722
723
724       --ipc-namespace
725              Enable  a new IPC namespace if the sandbox was started as a reg‐
726              ular user. IPC namespace is enabled  by  default  for  sandboxes
727              started as root.
728
729              Example:
730              $ firejail --ipc-namespace firefox
731
732       --join=name|pid
733              Join  the  sandbox  identified  by  name or by PID. By default a
734              /bin/bash shell is started after joining the sandbox.  If a pro‐
735              gram  is specified, the program is run in the sandbox. If --join
736              command is issued as a regular user, all  security  filters  are
737              configured  for  the new process the same they are configured in
738              the sandbox.  If --join command is issued as root, the  security
739              filters,  cgroups and cpus configurations are not applied to the
740              process joining the sandbox.
741
742              Example:
743              $ firejail --name=mygame --caps.drop=all warzone2100 &
744              $ firejail --join=mygame
745
746              Example:
747              $ firejail --list
748              3272:netblue::firejail --private firefox
749              $ firejail --join=3272
750
751
752       --join-filesystem=name|pid
753              Join the mount namespace of the sandbox identified  by  name  or
754              PID.  By  default a /bin/bash shell is started after joining the
755              sandbox.  If a program is specified, the program is run  in  the
756              sandbox.  This command is available only to root user.  Security
757              filters, cgroups and cpus configurations are not applied to  the
758              process joining the sandbox.
759
760       --join-network=name|pid
761              Join the network namespace of the sandbox identified by name. By
762              default a /bin/bash shell is started after joining the  sandbox.
763              If  a  program  is specified, the program is run in the sandbox.
764              This command is available only to root user.  Security  filters,
765              cgroups  and  cpus configurations are not applied to the process
766              joining the sandbox. Example:
767
768              # start firefox
769              $ firejail --net=eth0 --name=browser firefox &
770
771              # change netfilter configuration
772              $ sudo firejail --join-network=browser bash -c  "cat  /etc/fire‐
773              jail/nolocal.net | /sbin/iptables-restore"
774
775              # verify netfilter configuration
776              $ sudo firejail --join-network=browser /sbin/iptables -vL
777
778              # verify  IP addresses
779              $ sudo firejail --join-network=browser ip addr
780              Switching  to pid 1932, the first child process inside the sand‐
781              box
782              1: lo: <LOOPBACK,UP,LOWER_UP>  mtu  65536  qdisc  noqueue  state
783              UNKNOWN group default
784                  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
785                  inet 127.0.0.1/8 scope host lo
786                     valid_lft forever preferred_lft forever
787                  inet6 ::1/128 scope host
788                     valid_lft forever preferred_lft forever
789              2:  eth0-1931:  <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
790              noqueue state UNKNOWN group default
791                  link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
792                  inet  192.168.1.158/24  brd   192.168.1.255   scope   global
793              eth0-1931
794                     valid_lft forever preferred_lft forever
795                  inet6 fe80::7458:14ff:fe42:78e4/64 scope link
796                     valid_lft forever preferred_lft forever
797
798       --join-or-start=name
799              Join the sandbox identified by name or start a new one.  Same as
800              "firejail --join=name" if sandbox with  specified  name  exists,
801              otherwise same as "firejail --name=name ..."
802              Note  that in contrary to other join options there is respective
803              profile option.
804
805
806       --keep-dev-shm
807              /dev/shm directory is untouched (even with --private-dev)
808
809              Example:
810              $ firejail --keep-dev-shm --private-dev
811
812
813       --keep-var-tmp
814              /var/tmp directory is untouched.
815
816              Example:
817              $ firejail --keep-var-tmp
818
819
820       --list List all sandboxes, see MONITORING section for more details.
821
822              Example:
823              $ firejail --list
824              7015:netblue:browser:firejail firefox
825              7056:netblue:torrent:firejail --net=eth0 transmission-gtk
826              7064:netblue::firejail --noroot xterm
827
828       --ls=name|pid dir_or_filename
829              List files in sandbox container, see FILE TRANSFER  section  for
830              more details.
831
832       --mac=address
833              Assign  MAC addresses to the last network interface defined by a
834              --net option. This option is not supported for  wireless  inter‐
835              faces.
836
837              Example:
838              $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
839
840       --machine-id
841              Spoof  id  number  in  /etc/machine-id file - a new random id is
842              generated inside the sandbox.  Note that this breaks audio  sup‐
843              port. Enable it when sound is not required.
844
845              Example:
846              $ firejail --machine-id
847
848
849       --memory-deny-write-execute
850              Install a seccomp filter to block attempts to create memory map‐
851              pings that are both writable and executable, to change  mappings
852              to  be  executable,  or  to create executable shared memory. The
853              filter  examines  the  arguments  of  mmap,   mmap2,   mprotect,
854              pkey_mprotect,  memfd_create  and shmat system calls and returns
855              error EPERM to the process (or kills it or log the attempt,  see
856              --seccomp-error-action below) if necessary.
857
858              Note:  shmat  is  not implemented as a system call on some plat‐
859              forms including i386, and it cannot be handled by seccomp-bpf.
860
861       --mtu=number
862              Assign a MTU value to the last network interface  defined  by  a
863              --net option.
864
865              Example:
866              $ firejail --net=eth0 --mtu=1492
867
868       --name=name
869              Set  sandbox  name.  Several options, such as --join and --shut‐
870              down, can use this name to identify a sandbox.
871
872              In case the name supplied by the  user  is  already  in  use  by
873              another  sandbox, Firejail will assign a new name as "name-PID",
874              where PID is the process ID of the sandbox.  This  functionality
875              can  be  disabled  at  run time in /etc/firejail/firejail.config
876              file, by setting "name-change" flag to "no".
877
878              Example:
879              $ firejail --name=browser firefox &
880              $ firejail --name=browser --private firefox --no-remote &
881              $ firejail --list
882              1198:netblue:browser:firejail --name=browser firefox
883              1312:netblue:browser-1312:firejail   --name=browser    --private
884              firefox --no-remote
885
886       --net=bridge_interface
887              Enable  a  new  network  namespace and connect it to this bridge
888              interface.  Unless specified with option --ip  and  --defaultgw,
889              an  IP  address and a default gateway will be assigned automati‐
890              cally to the sandbox. The  IP  address  is  verified  using  ARP
891              before  assignment. The address configured as default gateway is
892              the bridge device IP address. Up to four --net  options  can  be
893              specified.
894
895              Example:
896              $ sudo brctl addbr br0
897              $ sudo ifconfig br0 10.10.20.1/24
898              $ sudo brctl addbr br1
899              $ sudo ifconfig br1 10.10.30.1/24
900              $ firejail --net=br0 --net=br1
901
902
903       --net=ethernet_interface|wireless_interface
904              Enable  a  new network namespace and connect it to this ethernet
905              interface using the standard Linux macvlan|ipvaln driver. Unless
906              specified  with option --ip and --defaultgw, an IP address and a
907              default gateway will be assigned automatically to  the  sandbox.
908              The  IP  address  is  verified  using ARP before assignment. The
909              address configured as default gateway is the default gateway  of
910              the  host.  Up  to four --net options can be specified.  Support
911              for ipvlan driver was introduced in Linux kernel 3.19.
912
913              Example:
914              $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
915              $ firejail --net=wlan0 firefox
916
917       --net=none
918              Enable a new, unconnected network namespace. The only  interface
919              available in the new namespace is a new loopback interface (lo).
920              Use this option to deny network access to  programs  that  don't
921              really need network access.
922
923              Example:
924              $ firejail --net=none vlc
925
926              Note:  --net=none  can  crash the application on some platforms.
927              In these cases, it can be replaced with --protocol=unix.
928
929       --net=tap_interface
930              Enable a new network namespace and connect it to  this  ethernet
931              tap  interface  using  the standard Linux macvlan driver. If the
932              tap interface is not configured, the sandbox  will  not  try  to
933              configure  the  interface  inside the sandbox.  Please use --ip,
934              --netmask and --defaultgw to specify the configuration.
935
936              Example:
937              $ firejail --net=tap0  --ip=10.10.20.80  --netmask=255.255.255.0
938              --defaultgw=10.10.20.1 firefox
939
940
941       --net.print=name|pid
942              If  a  new network namespace is enabled, print network interface
943              configuration for the sandbox specified by name or PID. Example:
944
945              $ firejail --net.print=browser
946              Switching to pid 1853, the first child process inside the  sand‐
947              box
948              Interface  MAC               IP            Mask        Status
949              lo                           127.0.0.1     255.0.0.0     UP
950              eth0-1852  5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
951
952
953       --netfilter
954              Enable  a default firewall if a new network namespace is created
955              inside the sandbox.  This option has  no  effect  for  sandboxes
956              using the system network namespace.
957
958              The  default  firewall is optimized for regular desktop applica‐
959              tions. No incoming connections are accepted:
960
961              *filter
962              :INPUT DROP [0:0]
963              :FORWARD DROP [0:0]
964              :OUTPUT ACCEPT [0:0]
965              -A INPUT -i lo -j ACCEPT
966              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
967              # allow ping
968              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
969              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
970              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
971              # drop STUN (WebRTC) requests
972              -A OUTPUT -p udp --dport 3478 -j DROP
973              -A OUTPUT -p udp --dport 3479 -j DROP
974              -A OUTPUT -p tcp --dport 3478 -j DROP
975              -A OUTPUT -p tcp --dport 3479 -j DROP
976              COMMIT
977
978              Example:
979              $ firejail --net=eth0 --netfilter firefox
980
981       --netfilter=filename
982              Enable the firewall specified  by  filename  if  a  new  network
983              namespace  is  created  inside  the sandbox.  This option has no
984              effect for sandboxes using the system network namespace.
985
986              Please use the regular iptables-save/iptables-restore format for
987              the  filter  file.  The  following  examples  are  available  in
988              /etc/firejail directory:
989
990              webserver.net is a webserver firewall that allows access only to
991              TCP ports 80 and 443.  Example:
992
993              $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
994              /etc/init.d/apache2 start
995
996              nolocal.net  is a desktop client firewall that disable access to
997              local network. Example:
998
999              $ firejail --netfilter=/etc/firejail/nolocal.net \
1000              --net=eth0 firefox
1001
1002
1003       --netfilter=filename,arg1,arg2,arg3 ...
1004              This is the template version of  the  previous  command.  $ARG1,
1005              $ARG2,  $ARG3 ... in the firewall script are replaced with arg1,
1006              arg2, arg3 ... passed on the command line. Up  to  16  arguments
1007              are supported.  Example:
1008
1009              $ firejail --net=eth0 --ip=192.168.1.105 \
1010              --netfilter=/etc/firejail/tcpserver.net,5001 server-program
1011
1012
1013       --netfilter.print=name|pid
1014              Print the firewall installed in the sandbox specified by name or
1015              PID. Example:
1016
1017              $ firejail --name=browser --net=eth0 --netfilter firefox &
1018              $ firejail --netfilter.print=browser
1019
1020
1021       --netfilter6=filename
1022              Enable the IPv6 firewall specified by filename if a new  network
1023              namespace  is  created  inside  the sandbox.  This option has no
1024              effect for sandboxes using the system network namespace.  Please
1025              use  the  regular  iptables-save/iptables-restore format for the
1026              filter file.
1027
1028
1029       --netfilter6.print=name|pid
1030              Print the IPv6 firewall installed in the  sandbox  specified  by
1031              name or PID. Example:
1032
1033              $ firejail --name=browser --net=eth0 --netfilter firefox &
1034              $ firejail --netfilter6.print=browser
1035
1036
1037       --netmask=address
1038              Use  this  option when you want to assign an IP address in a new
1039              namespace and the parent interface specified  by  --net  is  not
1040              configured.  An  IP  address  and a default gateway address also
1041              have to be added. By default the new namespace  interface  comes
1042              without IP address and default gateway configured. Example:
1043
1044              $ sudo /sbin/brctl addbr br0
1045              $ sudo /sbin/ifconfig br0 up
1046              $      firejail     --ip=10.10.20.67     --netmask=255.255.255.0
1047              --defaultgw=10.10.20.1
1048
1049
1050       --netns=name
1051              Run the program in a named, persistent network namespace.  These
1052              can be created and configured using "ip netns".
1053
1054
1055       --netstats
1056              Monitor network namespace statistics, see MONITORING section for
1057              more details.
1058
1059              Example:
1060
1061              $ firejail --netstats
1062              PID  User    RX(KB/s) TX(KB/s) Command
1063              1294 netblue 53.355   1.473    firejail --net=eth0 firefox
1064              7383 netblue 9.045    0.112    firejail --net=eth0 transmission
1065
1066       --nice=value
1067              Set nice value for all processes  running  inside  the  sandbox.
1068              Only root may specify a negative value.
1069
1070              Example:
1071              $ firejail --nice=2 firefox
1072
1073
1074       --no3d Disable 3D hardware acceleration.
1075
1076              Example:
1077              $ firejail --no3d firefox
1078
1079
1080       --noautopulse
1081              Disable  automatic ~/.config/pulse init, for complex setups such
1082              as remote pulse servers or non-standard socket paths.
1083
1084              Example:
1085              $ firejail --noautopulse firefox
1086
1087
1088       --noblacklist=dirname_or_filename
1089              Disable blacklist for this directory or file.
1090
1091              Example:
1092              $ firejail
1093              $ nc dict.org 2628
1094              bash: /bin/nc: Permission denied
1095              $ exit
1096
1097              $ firejail --noblacklist=/bin/nc
1098              $ nc dict.org 2628
1099              220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1100
1101       --nodbus (deprecated)
1102              Disable D-Bus access (both system and session buses). Equivalent
1103              to --dbus-system=none --dbus-user=none.
1104
1105              Example:
1106              $ firejail --nodbus --net=none
1107
1108       --nodvd
1109              Disable DVD and audio CD devices.
1110
1111              Example:
1112              $ firejail --nodvd
1113
1114       --noexec=dirname_or_filename
1115              Remount  directory  or file noexec, nodev and nosuid. File glob‐
1116              bing is supported, see FILE GLOBBING section for more details.
1117
1118              Example:
1119              $ firejail --noexec=/tmp
1120
1121              /etc and /var are noexec by default if the sandbox  was  started
1122              as a regular user.
1123
1124
1125       --nogroups
1126              Disable supplementary groups. Without this option, supplementary
1127              groups are enabled for the user starting the sandbox.  For  root
1128              user supplementary groups are always disabled.
1129
1130              Note:  By  default  all regular user groups are removed with the
1131              exception of  the  current  user.  This  can  be  changed  using
1132              --allusers command option.
1133
1134              Example:
1135              $ id
1136              uid=1000(netblue)       gid=1000(netblue)       groups=1000(net‐
1137              blue),24(cdrom),25(floppy),27(sudo),29(audio)
1138              $ firejail --nogroups
1139              Parent pid 8704, child pid 8705
1140              Child process initialized
1141              $ id
1142              uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
1143              $
1144
1145
1146       --nonewprivs
1147              Sets the NO_NEW_PRIVS prctl.  This ensures that child  processes
1148              cannot  acquire  new privileges using execve(2);  in particular,
1149              this means that calling a suid binary (or one with file capabil‐
1150              ities)  does not result in an increase of privilege. This option
1151              is enabled by default if seccomp filter is activated.
1152
1153
1154       --noprofile
1155              Do not use a security profile.
1156
1157              Example:
1158              $ firejail
1159              Reading profile /etc/firejail/default.profile
1160              Parent pid 8553, child pid 8554
1161              Child process initialized
1162              [...]
1163
1164              $ firejail --noprofile
1165              Parent pid 8553, child pid 8554
1166              Child process initialized
1167              [...]  #if HAVE_USERNS
1168
1169       --noroot
1170              Install a user namespace with a single user - the current  user.
1171              root  user  does  not  exist  in  the new namespace. This option
1172              requires a Linux kernel version 3.8 or newer. The option is  not
1173              supported  for  --chroot  and  --overlay  configurations, or for
1174              sandboxes started as root.
1175
1176              Example:
1177              $ firejail --noroot
1178              Parent pid 8553, child pid 8554
1179              Child process initialized
1180              $ ping google.com
1181              ping: icmp open socket: Operation not permitted
1182              $
1183
1184       --nosound
1185              Disable sound system.
1186
1187              Example:
1188              $ firejail --nosound firefox
1189
1190
1191       --notv Disable DVB (Digital Video Broadcasting) TV devices.
1192
1193              Example:
1194              $ firejail --notv vlc
1195
1196
1197       --nou2f
1198              Disable U2F devices.
1199
1200              Example:
1201              $ firejail --nou2f
1202
1203
1204       --novideo
1205              Disable video devices.
1206
1207
1208       --nowhitelist=dirname_or_filename
1209              Disable whitelist for this directory or file.
1210
1211
1212       --output=logfile
1213              stdout logging and log rotation. Copy  stdout  to  logfile,  and
1214              keep  the  size of the file under 500KB using log rotation. Five
1215              files with prefixes .1 to .5 are used in rotation.
1216
1217              Example:
1218              $ firejail --output=sandboxlog /bin/bash
1219              [...]
1220              $ ls -l sandboxlog*
1221              -rw-r--r-- 1 netblue netblue 333890 Jun  2 07:48 sandboxlog
1222              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.1
1223              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.2
1224              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.3
1225              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.4
1226              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.5
1227
1228
1229       --output-stderr=logfile
1230              Similar to --output, but stderr is also stored.
1231
1232
1233       --overlay
1234              Mount a filesystem overlay on top  of  the  current  filesystem.
1235              Unlike  the regular filesystem container, the system directories
1236              are mounted read-write. All filesystem modifications go into the
1237              overlay.  Directories /run, /tmp and /dev are not covered by the
1238              overlay. The overlay is stored in  $HOME/.firejail/<PID>  direc‐
1239              tory.   If  the sandbox is started as a regular user, nonewprivs
1240              and a default capabilities filter are enabled.
1241
1242              OverlayFS support is required in Linux kernel for this option to
1243              work.   OverlayFS was officially introduced in Linux kernel ver‐
1244              sion 3.18.  This option is not available on Grsecurity systems.
1245
1246              Example:
1247              $ firejail --overlay firefox
1248
1249
1250       --overlay-clean
1251              Clean all overlays stored in $HOME/.firejail directory.
1252
1253              Example:
1254              $ firejail --overlay-clean
1255
1256
1257       --overlay-named=name
1258              Mount a filesystem overlay on top  of  the  current  filesystem.
1259              Unlike  the regular filesystem container, the system directories
1260              are mounted read-write. All filesystem modifications go into the
1261              overlay.  Directories /run, /tmp and /dev are not covered by the
1262              overlay. The overlay is stored in $HOME/.firejail/<NAME>  direc‐
1263              tory.   The  created overlay can be reused between multiple ses‐
1264              sions.  If the sandbox is started as a regular user,  nonewprivs
1265              and a default capabilities filter are enabled.
1266
1267              OverlayFS support is required in Linux kernel for this option to
1268              work.  OverlayFS was officially introduced in Linux kernel  ver‐
1269              sion 3.18.  This option is not available on Grsecurity systems.
1270
1271              Example:
1272              $ firejail --overlay-named=jail1 firefox
1273
1274
1275       --overlay-tmpfs
1276              Mount a filesystem overlay on top of the current filesystem. All
1277              filesystem modifications  are  discarded  when  the  sandbox  is
1278              closed.  Directories  /run, /tmp and /dev are not covered by the
1279              overlay.  If the sandbox is started as a  regular  user,  nonew‐
1280              privs and a default capabilities filter are enabled.
1281
1282              OverlayFS support is required in Linux kernel for this option to
1283              work.  OverlayFS was officially introduced in Linux kernel  ver‐
1284              sion 3.18.  This option is not available on Grsecurity systems.
1285
1286              Example:
1287              $ firejail --overlay-tmpfs firefox
1288
1289       --private
1290              Mount new /root and /home/user directories in temporary filesys‐
1291              tems. All  modifications  are  discarded  when  the  sandbox  is
1292              closed.
1293
1294              Example:
1295              $ firejail --private firefox
1296
1297
1298       --private=directory
1299              Use  directory  as user home.  --private and --private=directory
1300              cannot be used together.
1301
1302              Example:
1303              $ firejail --private=/home/netblue/firefox-home firefox
1304
1305
1306       --private-bin=file,file
1307              Build a new /bin in a temporary filesystem, and  copy  the  pro‐
1308              grams  in  the list.  The files in the list must be expressed as
1309              relative  to  the   /bin,   /sbin,   /usr/bin,   /usr/sbin,   or
1310              /usr/local/bin  directories.  If no listed files are found, /bin
1311              directory will be empty.   The  same  directory  is  also  bind-
1312              mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.  All
1313              modifications are discarded when the  sandbox  is  closed.  File
1314              globbing  is  supported,  see  FILE  GLOBBING  section  for more
1315              details.
1316
1317              Example:
1318              $ firejail --private-bin=bash,sed,ls,cat
1319              Parent pid 20841, child pid 20842
1320              Child process initialized
1321              $ ls /bin
1322              bash  cat  ls  sed
1323
1324
1325       --private-cache
1326              Mount an empty temporary filesystem on top of the .cache  direc‐
1327              tory  in  user  home.  All  modifications are discarded when the
1328              sandbox is closed.
1329
1330              Example:
1331              $ firejail --private-cache openbox
1332
1333
1334       --private-cwd
1335              Set working directory inside jail to  the  home  directory,  and
1336              failing that, the root directory.
1337              Does not impact working directory of profile include paths.
1338
1339              Example:
1340              $ pwd
1341              /tmp
1342              $ firejail --private-cwd
1343              $ pwd
1344              /home/user
1345
1346
1347       --private-cwd=directory
1348              Set working directory inside the jail.
1349              Does not impact working directory of profile include paths.
1350
1351              Example:
1352              $ pwd
1353              /tmp
1354              $ firejail --private-cwd=/opt
1355              $ pwd
1356              /opt
1357
1358
1359       --private-dev
1360              Create  a new /dev directory. Only disc, dri, dvb, hidraw, null,
1361              full, zero, tty, pts, ptmx, random, snd,  urandom,  video,  log,
1362              shm  and  usb  devices  are  available.  Use the options --no3d,
1363              --nodvd, --nosound, --notv, --nou2f and --novideo for additional
1364              restrictions.
1365
1366              Example:
1367              $ firejail --private-dev
1368              Parent pid 9887, child pid 9888
1369              Child process initialized
1370              $ ls /dev
1371              cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random
1372              shm  snd  sr0  tty  urandom  zero
1373              $
1374
1375       --private-etc=file,directory
1376              Build a new /etc in a temporary filesystem, and copy  the  files
1377              and  directories  in the list.  The files and directories in the
1378              list must be expressed as relative to the /etc directory.  If no
1379              listed file is found, /etc directory will be empty.  All modifi‐
1380              cations are discarded when the sandbox is closed.
1381
1382              Example:
1383              $ firejail --private-etc=group,hostname,localtime, \
1384              nsswitch.conf,passwd,resolv.conf,default/motd-news
1385
1386       --private-home=file,directory
1387              Build a new user home in a temporary filesystem,  and  copy  the
1388              files  and  directories  in the list in the new home.  The files
1389              and directories in the list must be expressed as relative to the
1390              current  user's home directory.  All modifications are discarded
1391              when the sandbox is closed.
1392
1393              Example:
1394              $ firejail --private-home=.mozilla firefox
1395
1396       --private-lib=file,directory
1397              This feature is currently under heavy  development.  Only  amd64
1398              platforms  are supported at this moment.  The files and directo‐
1399              ries in the list must be  expressed  as  relative  to  the  /lib
1400              directory.   The  idea  is  to  build  a new /lib in a temporary
1401              filesystem, with only the library files  necessary  to  run  the
1402              application.  It could be as simple as:
1403
1404              $ firejail --private-lib galculator
1405
1406              but it gets complicated really fast:
1407
1408              $    firejail   --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1409              gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1410
1411              The feature is integrated with --private-bin:
1412
1413              $ firejail --private-lib --private-bin=bash,ls,ps
1414              $ ls /lib
1415              ld-linux-x86-64.so.2  libgpg-error.so.0  libprocps.so.6  libsys‐
1416              temd.so.0
1417              libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1418              libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1419              libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1420              $ ps
1421               PID TTY          TIME CMD
1422                  1 pts/0    00:00:00 firejail
1423                 45 pts/0    00:00:00 bash
1424                 48 pts/0    00:00:00 ps
1425              $
1426
1427
1428       --private-opt=file,directory
1429              Build  a  new /opt in a temporary filesystem, and copy the files
1430              and directories in the list.  The files and directories  in  the
1431              list must be expressed as relative to the /opt directory.  If no
1432              listed file is found, /opt directory will be empty.  All modifi‐
1433              cations are discarded when the sandbox is closed.
1434
1435              Example:
1436              $ firejail --private-opt=firefox /opt/firefox/firefox
1437
1438
1439       --private-srv=file,directory
1440              Build  a  new /srv in a temporary filesystem, and copy the files
1441              and directories in the list.  The files and directories  in  the
1442              list must be expressed as relative to the /srv directory.  If no
1443              listed file is found, /srv directory will be empty.  All modifi‐
1444              cations are discarded when the sandbox is closed.
1445
1446              Example:
1447              # firejail --private-srv=www /etc/init.d/apache2 start
1448
1449
1450       --private-tmp
1451              Mount  an  empty  temporary  filesystem on top of /tmp directory
1452              whitelisting X11 and PulseAudio sockets.
1453
1454              Example:
1455              $ firejail --private-tmp
1456              $ ls -al /tmp
1457              drwxrwxrwt  4 nobody nogroup   80 Apr 30 11:46 .
1458              drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1459              drwx------  2  nobody  nogroup  4096  Apr  30  10:52  pulse-PKd‐
1460              htXMmr18n
1461              drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1462
1463
1464       --profile=filename_or_profilename
1465              Load  a  custom security profile from filename. For filename use
1466              an absolute path or a path relative to the  current  path.   For
1467              more information, see SECURITY PROFILES section below.
1468
1469              Example:
1470              $ firejail --profile=myprofile
1471
1472
1473       --profile.print=name|pid
1474              Print the name of the profile file for the sandbox identified by
1475              name or or PID.
1476
1477              Example:
1478              $ firejail --profile.print=browser
1479              /etc/firejail/firefox.profile
1480
1481       --protocol=protocol,protocol,protocol
1482              Enable protocol filter. The  filter  is  based  on  seccomp  and
1483              checks  the  first  argument  to socket system call.  Recognized
1484              values: unix, inet, inet6, netlink and packet.  This  option  is
1485              not supported for i386 architecture.
1486
1487              Example:
1488              $ firejail --protocol=unix,inet,inet6 firefox
1489
1490       --protocol.print=name|pid
1491              Print  the protocol filter for the sandbox identified by name or
1492              PID.
1493
1494              Example:
1495              $ firejail --name=mybrowser firefox &
1496              $ firejail --protocol.print=mybrowser
1497              unix,inet,inet6,netlink
1498
1499              Example:
1500              $ firejail --list
1501              3272:netblue::firejail --private firefox
1502              $ firejail --protocol.print=3272
1503              unix,inet,inet6,netlink
1504
1505       --put=name|pid src-filename dest-filename
1506              Put a file in sandbox container, see FILE TRANSFER  section  for
1507              more details.
1508
1509       --quiet
1510              Turn off Firejail's output.
1511
1512              The  same effect can be obtained by setting an environment vari‐
1513              able FIREJAIL_QUIET to yes.
1514
1515       --read-only=dirname_or_filename
1516              Set directory or file read-only. File globbing is supported, see
1517              FILE GLOBBING section for more details.
1518
1519              Example:
1520              $ firejail --read-only=~/.mozilla firefox
1521
1522       --read-write=dirname_or_filename
1523              Set  directory  or  file  read-write.  Only files or directories
1524              belonging to the current user are allowed  for  this  operation.
1525              File  globbing  is supported, see FILE GLOBBING section for more
1526              details.  Example:
1527
1528              $ mkdir ~/test
1529              $ touch ~/test/a
1530              $ firejail --read-only=~/test --read-write=~/test/a
1531
1532
1533
1534       --rlimit-as=number
1535              Set the maximum size of the process's  virtual  memory  (address
1536              space) in bytes.
1537
1538
1539       --rlimit-cpu=number
1540              Set  the  maximum  limit, in seconds, for the amount of CPU time
1541              each sandboxed process  can consume. When the limit is  reached,
1542              the processes are killed.
1543
1544              The  CPU  limit  is  a  limit on CPU seconds rather than elapsed
1545              time. CPU seconds is basically how many seconds the CPU has been
1546              in  use  and does not necessarily directly relate to the elapsed
1547              time. Linux kernel keeps track of CPU seconds for  each  process
1548              independently.
1549
1550
1551       --rlimit-fsize=number
1552              Set the maximum file size that can be created by a process.
1553
1554       --rlimit-nofile=number
1555              Set the maximum number of files that can be opened by a process.
1556
1557       --rlimit-nproc=number
1558              Set  the maximum number of processes that can be created for the
1559              real user ID of the calling process.
1560
1561       --rlimit-sigpending=number
1562              Set the maximum number of pending signals for a process.
1563
1564
1565       --rmenv=name
1566              Remove environment variable in the new sandbox.
1567
1568              Example:
1569              $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1570
1571       --scan ARP-scan all the networks from inside a network namespace.  This
1572              makes  it  possible to detect macvlan kernel device drivers run‐
1573              ning on the current host.
1574
1575              Example:
1576              $ firejail --net=eth0 --scan
1577
1578       --seccomp
1579              Enable seccomp filter and blacklist the syscalls in the  default
1580              list,  which  is  @default-nodebuggers unless allow-debuggers is
1581              specified, then it is @default.
1582
1583              To help creating useful seccomp filters more easily, the follow‐
1584              ing  system  call  groups  are defined: @aio, @basic-io, @chown,
1585              @clock, @cpu-emulation, @debug, @default,  @default-nodebuggers,
1586              @default-keep,  @file-system,  @io-event,  @ipc, @keyring, @mem‐
1587              lock,  @module,  @mount,  @network-io,  @obsolete,  @privileged,
1588              @process,  @raw-io,  @reboot, @resources, @setuid, @swap, @sync,
1589              @system-service and @timer.  More information about  groups  can
1590              be found in /usr/share/doc/firejail/syscalls.txt
1591
1592              In  addition,  a  system  call  can  be  specified by its number
1593              instead of name with prefix $, so  for  example  $165  would  be
1594              equal  to  mount on i386.  Exceptions can be allowed with prefix
1595              !.
1596
1597              System architecture is strictly  imposed  only  if  flag  --sec‐
1598              comp.block-secondary  is used. The filter is applied at run time
1599              only if the correct architecture was detected. For the  case  of
1600              I386  and AMD64 both 32-bit and 64-bit filters are installed. On
1601              a 64 bit architecture, an additional filter for  32  bit  system
1602              calls can be installed with --seccomp.32.
1603
1604              Firejail  will  print seccomp violations to the audit log if the
1605              kernel was compiled with audit support (CONFIG_AUDIT flag).
1606
1607              Example:
1608              $ firejail --seccomp
1609
1610       --seccomp=syscall,@group,!syscall2
1611              Enable seccomp filter, whitelist "syscall2", but  blacklist  the
1612              default list and the syscalls or syscall groups specified by the
1613              command.
1614
1615              Example:
1616              $ firejail --seccomp=utime,utimensat,utimes firefox
1617              $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1618
1619              Instead of dropping the  syscall  by  returning  EPERM,  another
1620              error  number  can  be returned using syscall:errno syntax. This
1621              can be also changed globally with --seccomp-error-action  or  in
1622              /etc/firejail/firejail.config  file.   The  process  can also be
1623              killed by using syscall:kill  syntax,  or  the  attempt  may  be
1624              logged with syscall:log.
1625
1626              Example: $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1627              Parent pid 10662, child pid 10663
1628              Child process initialized
1629              $ touch testfile
1630              $ rm testfile
1631              rm: cannot remove `testfile': Operation not permitted
1632
1633              If the blocked system calls would also block Firejail from oper‐
1634              ating, they are handled by adding a preloaded library which per‐
1635              forms  seccomp system calls later. However, this is incompatible
1636              with 32 bit seccomp filters.
1637
1638              Example:
1639              $ firejail --noprofile --shell=none --seccomp=execve bash
1640              Parent pid 32751, child pid 32752
1641              Post-exec seccomp protector enabled
1642              list in: execve,  check  list:  @default-keep  prelist:  (null),
1643              postlist: execve
1644              Child process initialized in 46.44 ms
1645              $ ls
1646              Bad system call
1647
1648
1649       --seccomp.block-secondary
1650              Enable  seccomp  filter  and filter system call architectures so
1651              that only the native architecture is allowed.  For  example,  on
1652              amd64, i386 and x32 system calls are blocked as well as changing
1653              the execution domain with personality(2) system call.
1654
1655
1656       --seccomp.drop=syscall,@group
1657              Enable seccomp filter, and blacklist the syscalls or the syscall
1658              groups  specified  by  the command. On a 64 bit architecture, an
1659              additional filter for 32 bit system calls can be installed  with
1660              --seccomp.32.drop.
1661
1662              Example:
1663              $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1664
1665              Instead  of  dropping  the  syscall  by returning EPERM, another
1666              error number can be returned using  syscall:errno  syntax.  This
1667              can  be  also changed globally with --seccomp-error-action or in
1668              /etc/firejail/firejail.config file.  The  process  can  also  be
1669              killed  by  using  syscall:kill  syntax,  or  the attempt may be
1670              logged with syscall:log.
1671
1672              Example:
1673              $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1674              Parent pid 10662, child pid 10663
1675              Child process initialized
1676              $ touch testfile
1677              $ rm testfile
1678              rm: cannot remove `testfile': Operation not permitted
1679
1680
1681
1682
1683
1684
1685       --seccomp.keep=syscall,@group,!syscall2
1686              Enable seccomp filter, blacklist  all  syscall  not  listed  and
1687              "syscall2".    The   system  calls  needed  by  Firejail  (group
1688              @default-keep: prctl,  execve)  are  handled  with  the  preload
1689              library.  On  a 64 bit architecture, an additional filter for 32
1690              bit system calls can be installed with --seccomp.32.keep.
1691
1692              Example:
1693              $ firejail --shell=none --seccomp.keep=poll,select,[...]  trans‐
1694              mission-gtk
1695
1696
1697       --seccomp.print=name|pid
1698              Print  the  seccomp filter for the sandbox identified by name or
1699              PID.
1700
1701              Example:
1702              $ firejail --name=browser firefox &
1703              $ firejail --seccomp.print=browser
1704               line  OP JT JF    K
1705              =================================
1706               0000: 20 00 00 00000004   ld  data.architecture
1707               0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
1708               0002: 06 00 00 7fff0000   ret ALLOW
1709               0003: 20 00 00 00000000   ld  data.syscall-number
1710               0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
1711               0005: 35 01 00 00000000   jge read 0007 (false 0006)
1712               0006: 06 00 00 00050001   ret ERRNO(1)
1713               0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
1714               0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
1715               0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
1716               000a: 15 3e 00 00000137    jeq  process_vm_writev  0049  (false
1717              000b)
1718               000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
1719               000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
1720               000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
1721               000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
1722               000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
1723               0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
1724               0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
1725               0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
1726               0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
1727               0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
1728               0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
1729               0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
1730               0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
1731               0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
1732               0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
1733               001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
1734               001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
1735               001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
1736               001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
1737               001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
1738               001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
1739               0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
1740               0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
1741               0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
1742               0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
1743               0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
1744               0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
1745               0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
1746               0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
1747               0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
1748               0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
1749               002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
1750               002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
1751               002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
1752               002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
1753               002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
1754               002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
1755               0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
1756               0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
1757               0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
1758               0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
1759               0034:  15  14  00  00000130   jeq open_by_handle_at 0049 (false
1760              0035)
1761               0035: 15 13 00 0000012f    jeq  name_to_handle_at  0049  (false
1762              0036)
1763               0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
1764               0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
1765               0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
1766               0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
1767               003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
1768               003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
1769               003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
1770               003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
1771               003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
1772               003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
1773               0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
1774               0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
1775               0042:  15  06  00  000000d8    jeq remap_file_pages 0049 (false
1776              0043)
1777               0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
1778               0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
1779               0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
1780               0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
1781               0047: 15 01 00  00000136    jeq  process_vm_readv  0049  (false
1782              0048)
1783               0048: 06 00 00 7fff0000   ret ALLOW
1784               0049: 06 00 01 00000000   ret KILL
1785              $
1786
1787
1788       --seccomp-error-action= kill | ERRNO
1789              By  default,  if  a  seccomp  filter  blocks  a system call, the
1790              process  gets  EPERM  as  the   error.   With   --seccomp-error-
1791              action=error,  another error number can be returned, for example
1792              ENOSYS or EACCES. The process can also be killed (like  in  ver‐
1793              sions  <0.9.63 of Firejail) by using --seccomp-error-action=kill
1794              syntax, or the  attempt  may  be  logged  with  --seccomp-error-
1795              action=log.  Not  killing  the process weakens Firejail slightly
1796              when trying to contain intrusion, but it may also allow  tighter
1797              filters if the only alternative is to allow a system call.
1798
1799
1800       --shell=none
1801              Run the program directly, without a user shell.
1802
1803              Example:
1804              $ firejail --shell=none script.sh
1805
1806       --shell=program
1807              Set  default  user  shell. Use this shell to run the application
1808              using -c shell option.  For example "firejail  --shell=/bin/dash
1809              firefox"  will  start Mozilla Firefox as "/bin/dash -c firefox".
1810              By default Bash shell (/bin/bash) is used.
1811
1812              Example: $firejail --shell=/bin/dash script.sh
1813
1814       --shutdown=name|pid
1815              Shutdown the sandbox identified by name or PID.
1816
1817              Example:
1818              $ firejail --name=mygame --caps.drop=all warzone2100 &
1819              $ firejail --shutdown=mygame
1820
1821              Example:
1822              $ firejail --list
1823              3272:netblue::firejail --private firefox
1824              $ firejail --shutdown=3272
1825
1826       --timeout=hh:mm:ss
1827              Kill the sandbox automatically after the time has  elapsed.  The
1828              time is specified in hours/minutes/seconds format.
1829
1830              $ firejail --timeout=01:30:00 firefox
1831
1832       --tmpfs=dirname
1833              Mount  a  writable  tmpfs  filesystem on directory dirname. This
1834              option is available only when running the sandbox as root.  File
1835              globbing  is  supported,  see  FILE  GLOBBING  section  for more
1836              details.
1837
1838              Example:
1839              # firejail --tmpfs=/var
1840
1841       --top  Monitor the most CPU-intensive sandboxes, see MONITORING section
1842              for more details.
1843
1844              Example:
1845              $ firejail --top
1846
1847       --trace[=filename]
1848              Trace  open,  access  and  connect  system calls. If filename is
1849              specified, log trace output to filename, otherwise log  to  con‐
1850              sole.
1851
1852              Example:
1853              $ firejail --trace wget -q www.debian.org
1854              Reading profile /etc/firejail/wget.profile
1855              3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
1856              3:wget:fopen /etc/hosts:0x5c8e8cfb70
1857              3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
1858              3:wget:connect 3 8.8.8.8 port 53:0
1859              3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
1860              3:wget:connect 3 130.89.148.14 port 80:0
1861              3:wget:fopen64 index.html:0x5c8e8d1a60
1862
1863              parent is shutting down, bye...
1864
1865       --tracelog
1866              This  option enables auditing blacklisted files and directories.
1867              A message is sent to syslog in case the file or the directory is
1868              accessed.
1869
1870              Example:
1871              $ firejail --tracelog firefox
1872
1873              Sample messages:
1874              $ sudo tail -f /var/log/syslog
1875              [...]
1876              Dec  3 11:43:25 debian firejail[70]: blacklist violation - sand‐
1877              box 26370, exe firefox, syscall open64, path /etc/shadow
1878              Dec  3 11:46:17 debian firejail[70]: blacklist violation - sand‐
1879              box 26370, exe firefox, syscall opendir, path /boot
1880              [...]
1881
1882       --tree Print  a tree of all sandboxed processes, see MONITORING section
1883              for more details.
1884
1885              Example:
1886              $ firejail --tree
1887              11903:netblue:firejail iceweasel
1888                11904:netblue:iceweasel
1889                  11957:netblue:/usr/lib/iceweasel/plugin-container
1890              11969:netblue:firejail --net=eth0 transmission-gtk
1891                11970:netblue:transmission-gtk
1892
1893
1894       --tunnel[=devname]
1895              Connect the sandbox to a network overlay/VPN tunnel  created  by
1896              firetunnel  utility. This options tries first the client side of
1897              the tunnel. If this fails, it tries the server side. If multiple
1898              tunnels  are  active,  please  specify  the  tunnel device using
1899              --tunnel=devname.
1900
1901              The available  tunnel  devices  are  listed  in  /etc/firetunnel
1902              directory,  one  file  for  each  device.  The files are regular
1903              firejail profile files containing the network configuration, and
1904              are  created  and managed by firetunnel utility.  By default ftc
1905              is the client-side device and fts is the server-side device. For
1906              more information please see man 1 firetunnel.
1907
1908              Example:
1909              $ firejail --tunnel firefox
1910
1911       --version
1912              Print program version/compile time support and exit.
1913
1914              Example:
1915              $ firejail --version
1916              firejail version 0.9.27
1917
1918              Compile time support:
1919                  - AppArmor support is enabled
1920                  - AppImage support is enabled
1921                  - chroot support is enabled
1922                  - file and directory whitelisting support is enabled
1923                  - file transfer support is enabled
1924                  - firetunnel support is enabled
1925                  - networking support is enabled
1926                  - overlayfs support is enabled
1927                  - private-home support is enabled
1928                  - seccomp-bpf support is enabled
1929                  - user namespace support is enabled
1930                  - X11 sandboxing support is enabled
1931
1932       --veth-name=name
1933              Use  this  name  for  the  interface connected to the bridge for
1934              --net=bridge_interface commands, instead of the default one.
1935
1936              Example:
1937              $ firejail --net=br0 --veth-name=if0
1938
1939       --whitelist=dirname_or_filename
1940              Whitelist directory or file. A temporary file system is  mounted
1941              on the top directory, and the whitelisted files are mount-binded
1942              inside.  Modifications  to  whitelisted  files  are  persistent,
1943              everything else is discarded when the sandbox is closed. The top
1944              directory could be user home, /dev, /etc,  /media,  /mnt,  /opt,
1945              /run/user/$UID, /srv, /sys/module, /tmp, /usr/share and /var.
1946
1947              Symbolic  link  handling:  with the exception of user home, both
1948              the link and the real file should be in the same top  directory.
1949              For  user  home, both the link and the real file should be owned
1950              by the user.
1951
1952              File globbing is supported, see FILE GLOBBING section  for  more
1953              details.
1954
1955              Example:
1956              $ firejail --noprofile --whitelist=~/.mozilla
1957              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
1958              $ firejail "--whitelist=/home/username/My Virtual Machines"
1959              $ firejail --whitelist=~/work* --whitelist=/var/backups*
1960
1961
1962       --writable-etc
1963              Mount /etc directory read-write.
1964
1965              Example:
1966              $ sudo firejail --writable-etc
1967
1968
1969       --writable-run-user
1970              Disable  the  default blacklisting of /run/user/$UID/systemd and
1971              /run/user/$UID/gnupg.
1972
1973              Example:
1974              $ sudo firejail --writable-run-user
1975
1976
1977       --writable-var
1978              Mount /var directory read-write.
1979
1980              Example:
1981              $ sudo firejail --writable-var
1982
1983
1984       --writable-var-log
1985              Use the real /var/log directory, not  a  clone.  By  default,  a
1986              tmpfs  is  mounted  on top of /var/log directory, and a skeleton
1987              filesystem is created based on the original /var/log.
1988
1989              Example:
1990              $ sudo firejail --writable-var-log
1991
1992              #ifdef HAVE_X11
1993
1994       --x11  Sandbox the application using Xpra, Xephyr, Xvfb or  Xorg  secu‐
1995              rity extension.  The sandbox will prevent screenshot and keylog‐
1996              ger applications  started  inside  the  sandbox  from  accessing
1997              clients  running  outside  the  sandbox.  Firejail will try Xpra
1998              first, and if Xpra is not installed on the system, it  will  try
1999              to  find Xephyr.  If all fails, Firejail will not attempt to use
2000              Xvfb or X11 security extension.
2001
2002              Xpra, Xephyr and Xvfb modes require a network  namespace  to  be
2003              instantiated  in  order  to disable X11 abstract Unix socket. If
2004              this is not possible, the user can disable the  abstract  socket
2005              by  adding  "-nolisten  local"  on  Xorg  command line at system
2006              level.
2007
2008              Example:
2009              $ firejail --x11 --net=eth0 firefox
2010
2011
2012       --x11=none
2013              Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and  the
2014              file  specified  in  ${XAUTHORITY} environment variable.  Remove
2015              DISPLAY and XAUTHORITY environment variables.  Stop  with  error
2016              message if X11 abstract socket will be accessible in jail.
2017
2018
2019       --x11=xephyr
2020              Start Xephyr and attach the sandbox to this server.  Xephyr is a
2021              display server implementing the X11 display server protocol.   A
2022              network  namespace  needs  to  be  instantiated in order to deny
2023              access to X11 abstract Unix domain socket.
2024
2025              Xephyr runs in a window just like any other X11 application. The
2026              default  window  size  is  800x600.   This  can  be  modified in
2027              /etc/firejail/firejail.config file.
2028
2029              The recommended way to use this feature is to run a window  man‐
2030              ager inside the sandbox.  A security profile for OpenBox is pro‐
2031              vided.
2032
2033              Xephyr is developed by Xorg project. On Debian platforms  it  is
2034              installed  with the command sudo apt-get install xserver-xephyr.
2035              This feature is not available when running as root.
2036
2037              Example:
2038              $ firejail --x11=xephyr --net=eth0 openbox
2039
2040
2041       --x11=xorg
2042              Sandbox the application using the untrusted mode implemented  by
2043              X11  security  extension.   The  extension  is available in Xorg
2044              package and it is installed by default on most  Linux  distribu‐
2045              tions.  It  provides support for a simple trusted/untrusted con‐
2046              nection model. Untrusted clients are restricted in certain  ways
2047              to  prevent  them from reading window contents of other clients,
2048              stealing input events, etc.
2049
2050              The untrusted mode has several limitations.  A  lot  of  regular
2051              programs   assume  they are a trusted X11 clients and will crash
2052              or lock up when run in  untrusted  mode.  Chromium  browser  and
2053              xterm are two examples.  Firefox and transmission-gtk seem to be
2054              working fine.  A network namespace  is  not  required  for  this
2055              option.
2056
2057              Example:
2058              $ firejail --x11=xorg firefox
2059
2060
2061       --x11=xpra
2062              Start  Xpra  (https://xpra.org)  and  attach the sandbox to this
2063              server.  Xpra is a persistent remote display server  and  client
2064              for  forwarding X11 applications and desktop screens.  A network
2065              namespace needs to be instantiated in order to  deny  access  to
2066              X11 abstract Unix domain socket.
2067
2068              On Debian platforms Xpra is installed with the command sudo apt-
2069              get install xpra.  This feature is not available when running as
2070              root.
2071
2072              Example:
2073              $ firejail --x11=xpra --net=eth0 firefox
2074
2075
2076
2077       --x11=xvfb
2078              Start  Xvfb  X11  server  and attach the sandbox to this server.
2079              Xvfb, short for X virtual framebuffer,  performs  all  graphical
2080              operations  in memory without showing any screen output. Xvfb is
2081              mainly used for remote access and software testing  on  headless
2082              servers.
2083
2084              On Debian platforms Xvfb is installed with the command sudo apt-
2085              get install xvfb.  This feature is not available when running as
2086              root.
2087
2088              Example: remote VNC access
2089
2090              On  the  server we start a sandbox using Xvfb and openbox window
2091              manager. The default size of Xvfb screen is 800x600 - it can  be
2092              changed  in  /etc/firejail/firejail.config  (xvfb-screen).  Some
2093              sort of networking (--net) is required in order to  isolate  the
2094              abstract sockets used by other X servers.
2095
2096              $ firejail --net=none --x11=xvfb openbox
2097
2098              *** Attaching to Xvfb display 792 ***
2099
2100              Reading profile /etc/firejail/openbox.profile
2101              Reading profile /etc/firejail/disable-common.inc
2102              Reading profile /etc/firejail/disable-common.local
2103              Parent pid 5400, child pid 5401
2104
2105              On  the  server  we also start a VNC server and attach it to the
2106              display handled by our Xvfb server (792).
2107
2108              $ x11vnc -display :792
2109
2110              On the client machine we start a VNC viewer and use it  to  con‐
2111              nect to our server:
2112
2113              $ vncviewer
2114
2115
2116       --xephyr-screen=WIDTHxHEIGHT
2117              Set screen size for --x11=xephyr. The setting will overwrite the
2118              default set in  /etc/firejail/firejail.config  for  the  current
2119              sandbox.  Run  xrandr  to get a list of supported resolutions on
2120              your computer.
2121
2122              Example:
2123              $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
2124              fox
2125
2126

AUDIT

2128       Audit  feature  allows the user to point out gaps in security profiles.
2129       The implementation replaces the program to be  sandboxed  with  a  test
2130       program. By default, we use faudit program distributed with Firejail. A
2131       custom test program can also be supplied by the user. Examples:
2132
2133       Running the default audit program:
2134            $ firejail --audit transmission-gtk
2135
2136       Running a custom audit program:
2137            $ firejail --audit=~/sandbox-test transmission-gtk
2138
2139       In the examples above, the sandbox configures transmission-gtk  profile
2140       and  starts  the test program. The real program, transmission-gtk, will
2141       not be started.
2142
2143       You can also audit a specific profile without specifying a program.
2144            $ firejail --audit --profile=/etc/firejail/zoom.profile
2145
2146       Limitations: audit feature is not implemented for --x11 commands.
2147
2148

DESKTOP INTEGRATION

2150       A symbolic link to /usr/bin/firejail under the name of a program,  will
2151       start  the  program  in  Firejail sandbox.  The symbolic link should be
2152       placed in the first $PATH position. On most systems, a  good  place  is
2153       /usr/local/bin directory. Example:
2154
2155              Make a firefox symlink to /usr/bin/firejail:
2156
2157              $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
2158
2159              Verify $PATH
2160
2161              $ which -a firefox
2162              /usr/local/bin/firefox
2163              /usr/bin/firefox
2164
2165              Starting firefox in this moment, automatically invokes “firejail
2166              firefox”.
2167
2168       This works for clicking on desktop environment icons,  menus  etc.  Use
2169       "firejail --tree" to verify the program is sandboxed.
2170
2171              $ firejail --tree
2172              1189:netblue:firejail firefox
2173                1190:netblue:firejail firefox
2174                  1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
2175                    1221:netblue:/usr/lib/firefox/firefox
2176
2177       We  provide  a  tool  that  automates  all this integration, please see
2178       firecfg(1) for more details.
2179
2180

EXAMPLES

2182       firejail
2183              Sandbox a regular /bin/bash session.
2184
2185       firejail firefox
2186              Start Mozilla Firefox.
2187
2188       firejail --debug firefox
2189              Debug Firefox sandbox.
2190
2191       firejail --private firefox
2192              Start Firefox with a new, empty home directory.
2193
2194       firejail --net=none vlc
2195              Start VLC in an unconnected network namespace.
2196
2197       firejail --net=eth0 firefox
2198              Start Firefox in a new  network  namespace.  An  IP  address  is
2199              assigned automatically.
2200
2201       firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2202              Start a /bin/bash session in a new network namespace and connect
2203              it to br0, br1, and br2 host bridge devices.  IP  addresses  are
2204              assigned  automatically  for the interfaces connected to br1 and
2205              b2
2206
2207       firejail --list
2208              List all sandboxed processes.
2209
2210

FILE GLOBBING

2212       Globbing is the operation that expands a wildcard pattern into the
2213              list of pathnames matching the pattern.  This pattern is matched
2214              at  firejail start, and is NOT UPDATED at runtime.  Files match‐
2215              ing a blacklist, but created after firejail start will be acces‐
2216              sible within the jail. Matching is defined by:
2217
2218              - '?' matches any character
2219              - '*' matches any string
2220              - '[' denotes a range of characters
2221
2222       The globbing feature is implemented using glibc glob command. For
2223              more information on the wildcard syntax see man 7 glob.
2224
2225
2226       The following command line options are supported: --blacklist,
2227              --private-bin, --noexec, --read-only, --read-write, --tmpfs, and
2228              --whitelist.
2229
2230
2231       Examples:
2232
2233              $ firejail --private-bin=sh,bash,python*
2234              $ firejail --blacklist=~/dir[1234]
2235              $ firejail --read-only=~/dir[1-4]
2236
2237

FILE TRANSFER

2239       These features allow the user to inspect the filesystem container of an
2240       existing  sandbox and transfer files between the container and the host
2241       filesystem.
2242
2243
2244       --cat=name|pid filename
2245              Write content of a container file to standard out. The container
2246              is specified by name or PID.  If standard out is a terminal, all
2247              ASCII control characters except new line and horizontal tab  are
2248              replaced.
2249
2250
2251       --get=name|pid filename
2252              Retrieve the container file and store it on the host in the cur‐
2253              rent working directory.  The container is specified by  name  or
2254              PID.
2255
2256
2257       --ls=name|pid dir_or_filename
2258              List container files. The container is specified by name or PID.
2259
2260
2261       --put=name|pid src-filename dest-filename
2262              Put  src-filename in sandbox container.  The container is speci‐
2263              fied by name or PID.
2264
2265
2266       Examples:
2267
2268              $ firejail --name=mybrowser --private firefox
2269
2270              $ firejail --ls=mybrowser ~/Downloads
2271              drwxr-xr-x netblue  netblue         4096 .
2272              drwxr-xr-x netblue  netblue         4096 ..
2273              -rw-r--r-- netblue  netblue         7847 x11-x305.png
2274              -rw-r--r-- netblue  netblue         6800 x11-x642.png
2275              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
2276
2277              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
2278
2279              $ firejail --put=mybrowser xpra-clipboard.png  ~/Downloads/xpra-
2280              clipboard.png
2281
2282              $ firejail --cat=mybrowser ~/.bashrc
2283

MONITORING

2285       Option  --list  prints  a  list  of  all sandboxes. The format for each
2286       process entry is as follows:
2287
2288            PID:USER:Sandbox Name:Command
2289
2290       Option --tree prints the tree of processes running in the sandbox.  The
2291       format for each process entry is as follows:
2292
2293            PID:USER:Sandbox Name:Command
2294
2295       Option  --top  is  similar  to the UNIX top command, however it applies
2296       only to sandboxes.
2297
2298       Option  --netstats  prints  network  statistics  for  active  sandboxes
2299       installing new network namespaces.
2300
2301       Listed  below  are the available fields (columns) in alphabetical order
2302       for --top and --netstats options:
2303
2304
2305       Command
2306              Command used to start the sandbox.
2307
2308       CPU%   CPU usage, the sandbox share of the elapsed CPU time  since  the
2309              last screen update
2310
2311       PID    Unique process ID for the task controlling the sandbox.
2312
2313       Prcs   Number  of  processes running in sandbox, including the control‐
2314              ling process.
2315
2316       RES    Resident Memory Size (KiB), sandbox non-swapped physical memory.
2317              It  is  a sum of the RES values for all processes running in the
2318              sandbox.
2319
2320       RX(KB/s)
2321              Network receive speed.
2322
2323       Sandbox Name
2324              The name of the sandbox, if any.
2325
2326       SHR    Shared Memory Size (KiB), it reflects memory shared  with  other
2327              processes.  It is a sum of the SHR values for all processes run‐
2328              ning in the sandbox, including the controlling process.
2329
2330       TX(KB/s)
2331              Network transmit speed.
2332
2333       Uptime Sandbox running time in hours:minutes:seconds format.
2334
2335       USER   The owner of the sandbox.
2336
2337

RESTRICTED SHELL

2339       To configure a restricted shell, replace /bin/bash with  /usr/bin/fire‐
2340       jail  in  /etc/passwd  file  for each user that needs to be restricted.
2341       Alternatively, you can specify /usr/bin/firejail  in adduser command:
2342
2343       adduser --shell /usr/bin/firejail username
2344
2345       Additional arguments passed  to  firejail  executable  upon  login  are
2346       declared in /etc/firejail/login.users file.
2347
2348

SECURITY PROFILES

2350       Several command line options can be passed to the program using profile
2351       files. Firejail chooses the profile file as follows:
2352
2353       1. If a profile file  is  provided  by  the  user  with  --profile=FILE
2354       option,  the  profile FILE is loaded. If a profile name is given, it is
2355       searched for first in the ~/.config/firejail directory and if not found
2356       then  in   /etc/firejail  directory.  Profile  names do not include the
2357       .profile suffix. If there is a file with the same  name  as  the  given
2358       profile  name,  it will be used instead of doing the profile search. To
2359       force a profile search, prefix the profile name with a colon  (:),  eg.
2360       --profile=:PROFILE_NAME.  Example:
2361
2362              $ firejail --profile=/home/netblue/icecat.profile icecat
2363              Reading profile /home/netblue/icecat.profile
2364              [...]
2365
2366
2367              $ firejail --profile=icecat icecat-wrapper.sh
2368              Reading profile /etc/firejail/icecat.profile
2369              [...]
2370
2371       2.  If  a profile file with the same name as the application is present
2372       in ~/.config/firejail directory or in  /etc/firejail,  the  profile  is
2373       loaded.  ~/.config/firejail  takes precedence over /etc/firejail. Exam‐
2374       ple:
2375
2376              $ firejail icecat
2377              Command name #icecat#
2378              Found icecat profile in /home/netblue/.config/firejail directory
2379              Reading profile /home/netblue/.config/firejail/icecat.profile
2380              [...]
2381
2382       3. Use default.profile file if the sandbox  is  started  by  a  regular
2383       user,  or  server.profile file if the sandbox is started by root. Fire‐
2384       jail looks for these files in ~/.config/firejail directory, followed by
2385       /etc/firejail  directory.   To  disable  default  profile  loading, use
2386       --noprofile command option. Example:
2387
2388              $ firejail
2389              Reading profile /etc/firejail/default.profile
2390              Parent pid 8553, child pid 8554
2391              Child process initialized
2392              [...]
2393
2394              $ firejail --noprofile
2395              Parent pid 8553, child pid 8554
2396              Child process initialized
2397              [...]
2398
2399       See man 5 firejail-profile for profile file syntax information.
2400

TRAFFIC SHAPING

2402       Network bandwidth is an expensive resource shared among  all  sandboxes
2403       running  on a system.  Traffic shaping allows the user to increase net‐
2404       work performance by controlling the amount of data that flows into  and
2405       out of the sandboxes.
2406
2407       Firejail  implements  a simple rate-limiting shaper based on Linux com‐
2408       mand tc.  The shaper works at sandbox level, and can be used  only  for
2409       sandboxes configured with new network namespaces.
2410
2411       Set rate-limits:
2412
2413            $ firejail --bandwidth=name|pid set network download upload
2414
2415       Clear rate-limits:
2416
2417            $ firejail --bandwidth=name|pid clear network
2418
2419       Status:
2420
2421            $ firejail --bandwidth=name|pid status
2422
2423       where:
2424            name - sandbox name
2425            pid - sandbox pid
2426            network - network interface as used by --net option
2427            download - download speed in KB/s (kilobyte per second)
2428            upload - upload speed in KB/s (kilobyte per second)
2429
2430       Example:
2431            $ firejail --name=mybrowser --net=eth0 firefox &
2432            $ firejail --bandwidth=mybrowser set eth0 80 20
2433            $ firejail --bandwidth=mybrowser status
2434            $ firejail --bandwidth=mybrowser clear eth0
2435

LICENSE

2437       This program is free software; you can redistribute it and/or modify it
2438       under the terms of the GNU General Public License as published  by  the
2439       Free  Software Foundation; either version 2 of the License, or (at your
2440       option) any later version.
2441
2442       Homepage: https://firejail.wordpress.com
2443

SEE ALSO

2445       firemon(1), firecfg(1), firejail-profile(5),  firejail-login(5),  fire‐
2446       jail-users(5),            ⟨https://github.com/netblue30/firejail/wiki⟩,
2447https://github.com/netblue30/firejail
2448
2449
2450
24510.9.64                             Oct 2020                        FIREJAIL(1)
Impressum