FIREJAIL-PROFILE(5)      firejail profiles man page      FIREJAIL-PROFILE(5)

profile - Security profile file syntax for Firejail

firejail --profile=filename.profile
firejail --profile=profile_name

Several command line options can be passed to the program using profile
files. Firejail chooses the profile file as follows:

1. If a profile file is provided by the user with the --profile option,
the profile file is loaded. If a profile name is given, it is searched
for first in the ~/.config/firejail directory and, if not found, then in
the /etc/firejail directory. Profile names do not include the .profile
suffix. Example:

    $ firejail --profile=/home/netblue/icecat.profile icecat
    Reading profile /home/netblue/icecat.profile
    [...]

    $ firejail --profile=icecat icecat-wrapper.sh
    Reading profile /etc/firejail/icecat.profile
    [...]

2. If a profile file with the same name as the application is present in
the ~/.config/firejail directory or in /etc/firejail, the profile is
loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:

    $ firejail icecat
    Command name #icecat#
    Found icecat profile in /home/netblue/.config/firejail directory
    Reading profile /home/netblue/.config/firejail/icecat.profile
    [...]

3. Use a default.profile file if the sandbox is started by a regular
user, or a server.profile file if the sandbox is started by root.
Firejail looks for these files in the ~/.config/firejail directory,
followed by the /etc/firejail directory. To disable default profile
loading, use the --noprofile command option. Example:

    $ firejail
    Reading profile /etc/firejail/default.profile
    Parent pid 8553, child pid 8554
    Child process initialized
    [...]

    $ firejail --noprofile
    Parent pid 8553, child pid 8554
    Child process initialized
    [...]

In /usr/share/doc/firejail there are two templates to write new profiles.

    profile.template - for regular profiles
    redirect_alias-profile.template - for aliasing/redirecting profiles

Scripting commands:

File and directory names
    File and directory names containing spaces are supported. The space
    character ' ' should not be escaped.

    Example: "blacklist ~/My Virtual Machines"

# this is a comment

?CONDITIONAL: profile line
    Conditionally add profile line.

    Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"

    This example will load the whitelist profile line only if the
    --appimage option has been specified on the command line.

    Currently the only conditionals supported this way are HAS_APPIMAGE,
    HAS_NET, HAS_NODBUS, HAS_NOSOUND and HAS_X11. The conditionals
    BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM can be enabled or disabled
    globally in Firejail's configuration file.

    The profile line may be any profile line that you would normally use
    in a profile except for "quiet" and "include" lines.

include other.profile
    Include other.profile file.

    Example: "include /etc/firejail/disable-common.inc"

    The file name can be prefixed with a macro such as ${HOME} or
    ${CFG}. ${HOME} is expanded as the user home directory, and ${CFG}
    is expanded as the Firejail system configuration directory - in most
    cases /etc/firejail or /usr/local/etc/firejail.

    Example: "include ${HOME}/myprofiles/profile1" will load the
    "~/myprofiles/profile1" file.

    Example: "include ${CFG}/firefox.profile" will load the
    "/etc/firejail/firefox.profile" file.

    The file name may also be just the name without the leading
    directory components. In this case, the user config directory
    (${HOME}/.config/firejail) is searched first for the file name and,
    if it is not found there, the system configuration directory is
    searched. Note: Unlike the --profile option, which takes a profile
    name without the '.profile' suffix, include must be given the full
    file name.

    Example: "include firefox.profile" will load the
    "${HOME}/.config/firejail/firefox.profile" file and, if it does not
    exist, "${CFG}/firefox.profile" will be loaded.

    System configuration files in ${CFG} are overwritten during software
    installation. Persistent configuration at system level is handled in
    ".local" files. For every profile file in the ${CFG} directory, the
    user can create a corresponding .local file storing modifications to
    the persistent configuration. Persistent .local files are included
    at the start of regular profile files.

noblacklist file_name
    If the file name matches file_name, the file will not be blacklisted
    in any blacklist commands that follow.

    Example: "noblacklist ${HOME}/.mozilla"

nowhitelist file_name
    If the file name matches file_name, the file will not be whitelisted
    in any whitelist commands that follow.

    Example: "nowhitelist ~/.config"

ignore
    Ignore command.

    Example: "ignore seccomp"
    Example: "ignore net eth0"

quiet
    Disable Firejail's output. This should be the first uncommented
    command in the profile file.

    Example: "quiet"

These profile entries define a chroot filesystem built on top of the
existing host filesystem. Each line describes a file/directory that is
inaccessible (blacklist), a read-only file or directory (read-only), a
tmpfs mounted on top of an existing directory (tmpfs), or a directory or
file bind-mounted on top of another directory or file (bind). Use
private to set private mode. File globbing is supported, and PATH and
HOME directories are searched, see the firejail FILE GLOBBING section
for more details. Examples:

blacklist file_or_directory
    Blacklist directory or file. Examples:

    blacklist /usr/bin
    blacklist /usr/bin/gcc*
    blacklist ${PATH}/ifconfig
    blacklist ${HOME}/.ssh

blacklist-nolog file_or_directory
    When the --tracelog flag is set, blacklisting generates syslog
    messages if the sandbox tries to access the file or directory. The
    blacklist-nolog command disables syslog messages for this particular
    file or directory. Examples:

    blacklist-nolog /usr/bin
    blacklist-nolog /usr/bin/gcc*

bind directory1,directory2
    Mount-bind directory1 on top of directory2. This option is only
    available when running as root.

bind file1,file2
    Mount-bind file1 on top of file2. This option is only available
    when running as root.

disable-mnt
    Disable /mnt, /media, /run/mount and /run/media access.

keep-dev-shm
    /dev/shm directory is untouched (even with private-dev).

keep-var-tmp
    /var/tmp directory is untouched.

mkdir directory
    Create a directory in user home, under /tmp, or under
    /run/user/<UID> before the sandbox is started. The directory is
    created if it doesn't already exist.

    Use this command for whitelisted directories you need to preserve
    when the sandbox is closed. Without it, the application will create
    the directory, and the directory will be deleted when the sandbox is
    closed. Subdirectories are recursively created. Example from the
    firefox profile:

    mkdir ~/.mozilla
    whitelist ~/.mozilla
    mkdir ~/.cache/mozilla/firefox
    whitelist ~/.cache/mozilla/firefox

    For files in /run/user/<UID> use the ${RUNUSER} macro:

    mkdir ${RUNUSER}/firejail-testing

mkfile file
    Similar to mkdir, this command creates an empty file in user home,
    or /tmp, or under /run/user/<UID> before the sandbox is started.
    The file is created if it doesn't already exist.

noexec file_or_directory
    Remount the file or the directory noexec, nodev and nosuid.

private
    Mount new /root and /home/user directories in temporary
    filesystems. All modifications are discarded when the sandbox is
    closed.

private directory
    Use directory as user home.

private-bin file,file
    Build a new /bin in a temporary filesystem, and copy the programs in
    the list. The files in the list must be expressed as relative to
    the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories.
    The same directory is also bind-mounted over /sbin, /usr/bin and
    /usr/sbin.

private-cache
    Mount an empty temporary filesystem on top of the .cache directory
    in user home. All modifications are discarded when the sandbox is
    closed.

private-cwd
    Set working directory inside jail to the home directory, and
    failing that, the root directory.

private-cwd directory
    Set working directory inside the jail.

private-dev
    Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
    full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm
    and usb devices are available. Use the options no3d, nodvd,
    nosound, notv, nou2f and novideo for additional restrictions.

private-etc file,directory
    Build a new /etc in a temporary filesystem, and copy the files and
    directories in the list. The files and directories in the list must
    be expressed as relative to the /etc directory. All modifications
    are discarded when the sandbox is closed.

private-home file,directory
    Build a new user home in a temporary filesystem, and copy the files
    and directories in the list in the new home. The files and
    directories in the list must be expressed as relative to the current
    user's home directory. All modifications are discarded when the
    sandbox is closed.

private-lib file,directory
    Build a new /lib directory and bring in the libraries required by
    the application to run. The files and directories in the list must
    be expressed as relative to the /lib directory. This feature is
    still under development, see man 1 firejail for some examples.

private-opt file,directory
    Build a new /opt in a temporary filesystem, and copy the files and
    directories in the list. The files and directories in the list must
    be expressed as relative to the /opt directory. All modifications
    are discarded when the sandbox is closed.

private-srv file,directory
    Build a new /srv in a temporary filesystem, and copy the files and
    directories in the list. The files and directories in the list must
    be expressed as relative to the /srv directory. All modifications
    are discarded when the sandbox is closed.

private-tmp
    Mount an empty temporary filesystem on top of /tmp directory
    whitelisting /tmp/.X11-unix.

read-only file_or_directory
    Make directory or file read-only.

read-write file_or_directory
    Make directory or file read-write.

tmpfs directory
    Mount an empty tmpfs filesystem on top of directory. This option is
    available only when running the sandbox as root.

tracelog
    Blacklist violations logged to syslog.

whitelist file_or_directory
    Whitelist directory or file. A temporary file system is mounted on
    the top directory, and the whitelisted files are bind-mounted
    inside. Modifications to whitelisted files are persistent,
    everything else is discarded when the sandbox is closed. The top
    directory could be user home, /dev, /etc, /media, /mnt, /opt, /srv,
    /sys/module, /usr/share, /var, and /tmp.

    Symbolic link handling: with the exception of user home, both the
    link and the real file should be in the same top directory. For
    user home, both the link and the real file should be owned by the
    user.

writable-etc
    Mount /etc directory read-write.

writable-run-user
    Disable the default blacklisting of /run/user/$UID/systemd and
    /run/user/$UID/gnupg.

writable-var
    Mount /var directory read-write.

writable-var-log
    Use the real /var/log directory, not a clone. By default, a tmpfs
    is mounted on top of /var/log directory, and a skeleton filesystem
    is created based on the original /var/log.

The following security filters are currently implemented:

allow-debuggers
    Allow tools such as strace and gdb inside the sandbox by
    whitelisting system calls ptrace and process_vm_readv.

caps
    Enable default Linux capabilities filter.

caps.drop capability,capability,capability
    Blacklist given Linux capabilities.

caps.drop all
    Blacklist all Linux capabilities.

caps.keep capability,capability,capability
    Whitelist given Linux capabilities.

memory-deny-write-execute
    Install a seccomp filter to block attempts to create memory mappings
    that are both writable and executable, to change mappings to be
    executable or to create executable shared memory.

nonewprivs
    Sets the NO_NEW_PRIVS prctl. This ensures that child processes
    cannot acquire new privileges using execve(2); in particular, this
    means that calling a suid binary (or one with file capabilities)
    does not result in an increase of privilege.

noroot
    Use this command to enable a user namespace. The namespace has only
    one user, the current user. There is no root account (uid 0)
    defined in the namespace.

protocol protocol1,protocol2,protocol3
    Enable protocol filter. The filter is based on seccomp and checks
    the first argument to the socket system call. Recognized values:
    unix, inet, inet6, netlink, packet and bluetooth.

seccomp
    Enable seccomp filter and blacklist the syscalls in the default
    list. See man 1 firejail for more details.

seccomp.32
    Enable seccomp filter and blacklist the syscalls in the default
    list for 32 bit system calls on a 64 bit architecture system.

seccomp syscall,syscall,syscall
    Enable seccomp filter and blacklist the system calls in the list on
    top of default seccomp filter.

seccomp.32 syscall,syscall,syscall
    Enable seccomp filter and blacklist the system calls in the list on
    top of default seccomp filter for 32 bit system calls on a 64 bit
    architecture system.

seccomp.block-secondary
    Enable seccomp filter and filter system call architectures so that
    only the native architecture is allowed.

seccomp.drop syscall,syscall,syscall
    Enable seccomp filter and blacklist the system calls in the list.

seccomp.32.drop syscall,syscall,syscall
    Enable seccomp filter and blacklist the system calls in the list for
    32 bit system calls on a 64 bit architecture system.

seccomp.keep syscall,syscall,syscall
    Enable seccomp filter and whitelist the system calls in the list.

seccomp.32.keep syscall,syscall,syscall
    Enable seccomp filter and whitelist the system calls in the list for
    32 bit system calls on a 64 bit architecture system.

seccomp-error-action kill | log | ERRNO
    Return a different error instead of EPERM to the process, kill it
    when an attempt is made to call a blocked system call, or allow but
    log the attempt.

x11
    Enable X11 sandboxing.

x11 none
    Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file
    specified in ${XAUTHORITY} environment variable. Remove DISPLAY and
    XAUTHORITY environment variables. Stop with error message if X11
    abstract socket will be accessible in jail.

x11 xephyr
    Enable X11 sandboxing with Xephyr server.

x11 xorg
    Enable X11 sandboxing with X11 security extension.

x11 xpra
    Enable X11 sandboxing with Xpra server.

x11 xvfb
    Enable X11 sandboxing with Xvfb server.

xephyr-screen WIDTHxHEIGHT
    Set screen size for x11 xephyr. This command should be included in
    the profile file before x11 xephyr command.

    Example:

    xephyr-screen 640x480
    x11 xephyr

Access to the session and system DBus UNIX sockets can be allowed,
filtered or disabled. To disable the abstract sockets (and force
applications to use the filtered UNIX socket) you would need to request
a new network namespace using the --net command. Another option is to
remove unix from the --protocol set.

Filtering requires installing the xdg-dbus-proxy utility. Filter rules
can be specified for well-known DBus names, but they are also propagated
to the owning unique name. The permissions are "sticky" and are kept
even if the corresponding well-known name is released (however,
applications rarely release well-known names in practice). Names may
have a .* suffix to match all names underneath them, including
themselves (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
"foo.bar.baz.quux", but not "foobar"). For more information, see
xdg-dbus-proxy(1).

Examples:

dbus-system filter
    Enable filtered access to the system DBus. Filters can be specified
    with the dbus-system.talk and dbus-system.own commands.

dbus-system none
    Disable access to the system DBus. Once access is disabled, it
    cannot be relaxed to filtering.

dbus-system.own org.gnome.ghex.*
    Allow the application to own the name org.gnome.ghex and all names
    underneath it on the system DBus.

dbus-system.talk org.freedesktop.Notifications
    Allow the application to talk to the name
    org.freedesktop.Notifications on the system DBus.

dbus-system.see org.freedesktop.Notifications
    Allow the application to see but not talk to the name
    org.freedesktop.Notifications on the system DBus.

dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    Allow the application to call methods of the interface
    org.freedesktop.Notifications of the object exposed at the path
    /org/freedesktop/Notifications by the client owning the bus name
    org.freedesktop.Notifications on the system DBus.

dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    Allow the application to receive broadcast signals from the
    interface org.freedesktop.Notifications of the object exposed at
    the path /org/freedesktop/Notifications by the client owning the
    bus name org.freedesktop.Notifications on the system DBus.

dbus-user filter
    Enable filtered access to the session DBus. Filters can be
    specified with the dbus-user.talk and dbus-user.own commands.

dbus-user none
    Disable access to the session DBus. Once access is disabled, it
    cannot be relaxed to filtering.

dbus-user.own org.gnome.ghex.*
    Allow the application to own the name org.gnome.ghex and all names
    underneath it on the session DBus.

dbus-user.talk org.freedesktop.Notifications
    Allow the application to talk to the name
    org.freedesktop.Notifications on the session DBus.

dbus-user.see org.freedesktop.Notifications
    Allow the application to see but not talk to the name
    org.freedesktop.Notifications on the session DBus.

dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    Allow the application to call methods of the interface
    org.freedesktop.Notifications of the object exposed at the path
    /org/freedesktop/Notifications by the client owning the bus name
    org.freedesktop.Notifications on the session DBus.

dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    Allow the application to receive broadcast signals from the
    interface org.freedesktop.Notifications of the object exposed at
    the path /org/freedesktop/Notifications by the client owning the
    bus name org.freedesktop.Notifications on the session DBus.

nodbus (deprecated)
    Disable D-Bus access (both system and session buses). Equivalent to
    dbus-system none and dbus-user none.

Individual filters can be overridden via the --ignore command. Supposing
a profile has

    [...]
    dbus-user filter
    dbus-user.own org.mozilla.firefox.*
    dbus-user.talk org.freedesktop.Notifications
    dbus-system none
    [...]

and the user wants to disable notifications, this can be achieved by
putting the below in a local override file:

    [...]
    ignore dbus-user.talk org.freedesktop.Notifications
    [...]
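
The filter and override example above, worked through as an added Python example (not part of Firejail or of this man page): it folds profile lines into a per-bus policy and applies the ".*" name rule. The function names and data layout are hypothetical; it assumes an unfiltered bus when no dbus command is given, and that an ignore entry only affects matching lines read after it, which is why the .local lines are placed first.

```python
# Constructed from the profile fragment shown on this page.
PROFILE = [
    "dbus-user filter",
    "dbus-user.own org.mozilla.firefox.*",
    "dbus-user.talk org.freedesktop.Notifications",
    "dbus-system none",
]
# Contents of the local override file; .local files are included first.
LOCAL_OVERRIDE = ["ignore dbus-user.talk org.freedesktop.Notifications"]


def name_matches(pattern, name):
    """A trailing ".*" matches the base name and every name underneath it."""
    if pattern.endswith(".*"):
        base = pattern[:-2]
        return name == base or name.startswith(base + ".")
    return name == pattern


def is_ignored(line, ignores):
    """Assumed matching: an ignore entry covers a line equal to it, or a
    line that starts with it followed by a space."""
    return any(line == ig or line.startswith(ig + " ") for ig in ignores)


def effective_policy(lines):
    """Fold profile lines, in reading order, into a policy per bus."""
    ignores = []
    policy = {bus: {"mode": "allow", "own": [], "talk": [], "see": []}
              for bus in ("user", "system")}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("ignore "):
            ignores.append(line[len("ignore "):].strip())
            continue
        if is_ignored(line, ignores) or not line.startswith("dbus-"):
            continue
        cmd, _, arg = line.partition(" ")
        bus, _, verb = cmd[len("dbus-"):].partition(".")
        if bus not in policy:
            continue
        if not verb:
            # "dbus-<bus> filter" or "dbus-<bus> none"; once a bus is
            # disabled it cannot be relaxed to filtering.
            if policy[bus]["mode"] != "none":
                policy[bus]["mode"] = arg.strip()
        elif verb in ("own", "talk", "see"):
            policy[bus][verb].append(arg.strip())
    return policy


def grants(policy, bus, name):
    """Rule kinds that match `name`; None means the bus is unfiltered."""
    entry = policy[bus]
    if entry["mode"] == "none":
        return set()
    if entry["mode"] != "filter":
        return None
    return {verb for verb in ("own", "talk", "see")
            if any(name_matches(pat, name) for pat in entry[verb])}


if __name__ == "__main__":
    for label, lines in (("profile only", PROFILE),
                         ("with override", LOCAL_OVERRIDE + PROFILE)):
        pol = effective_policy(lines)
        print(label, grants(pol, "user", "org.freedesktop.Notifications"))
```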

These profile entries define the limits on system resources (rlimits)
for the processes inside the sandbox. The limits can be modified inside
the sandbox using the regular ulimit command. The cpu command configures
the CPU cores available, and the cgroup command places the sandbox in an
existing control group.

Examples:

cgroup /sys/fs/cgroup/g1/tasks
    The sandbox is placed in g1 control group.

cpu 0,1,2
    Use only CPU cores 0, 1 and 2.

nice -5
    Set a nice value of -5 to all processes running inside the sandbox.

rlimit-as 123456789012
    Set the maximum size of the process's virtual memory to
    123456789012 bytes.

rlimit-cpu 123
    Set the maximum CPU time in seconds.

rlimit-fsize 1024
    Set the maximum file size that can be created by a process to 1024
    bytes.

rlimit-nproc 1000
    Set the maximum number of processes that can be created for the
    real user ID of the calling process to 1000.

rlimit-nofile 500
    Set the maximum number of files that can be opened by a process to
    500.

rlimit-sigpending 200
    Set the maximum number of processes that can be created for the
    real user ID of the calling process to 200.

timeout hh:mm:ss
    Kill the sandbox automatically after the time has elapsed. The time
    is specified in hours/minutes/seconds format.

allusers
    All user home directories are visible inside the sandbox. By
    default, only current user home directory is visible.

env name=value
    Set environment variable. Examples:

    env LD_LIBRARY_PATH=/opt/test/lib
    env CFLAGS="-W -Wall -Werror"

ipc-namespace
    Enable IPC namespace.

name sandboxname
    Set sandbox name. Example:

    name browser

no3d
    Disable 3D hardware acceleration.

noautopulse
    Disable automatic ~/.config/pulse init, for complex setups such as
    remote pulse servers or non-standard socket paths.

nodvd
    Disable DVD and audio CD devices.

nogroups
    Disable supplementary user groups.

nosound
    Disable sound system.

notv
    Disable DVB (Digital Video Broadcasting) TV devices.

nou2f
    Disable U2F devices.

novideo
    Disable video devices.

shell none
    Run the program directly, without a shell.

Networking features available in profile files.

defaultgw address
    Use this address as default gateway in the new network namespace.

dns address
    Set a DNS server for the sandbox. Up to three DNS servers can be
    defined.

hostname name
    Set a hostname for the sandbox.

hosts-file file
    Use file as /etc/hosts.

ip address
    Assign IP addresses to the last network interface defined by a net
    command. A default gateway is assigned by default.

    Example:
    net eth0
    ip 10.10.20.56

ip none
    No IP address and no default gateway are configured for the last
    interface defined by a net command. Use this option in case you
    intend to start an external DHCP client in the sandbox.

    Example:
    net eth0
    ip none

ip dhcp
    Acquire an IP address and default gateway for the last interface
    defined by a net command, as well as set the DNS servers according
    to the DHCP response. This command requires the ISC dhclient DHCP
    client to be installed and will start it automatically inside the
    sandbox.

    Example:
    net br0
    ip dhcp

    This command should not be used in conjunction with the dns command
    if the DHCP server is set to configure DNS servers for the clients,
    because the manually specified DNS servers will be overwritten.

    The DHCP client will NOT release the DHCP lease when the sandbox
    terminates. If your DHCP server requires leases to be explicitly
    released, consider running a DHCP client and releasing the lease
    manually in conjunction with the net none command.

ip6 address
    Assign IPv6 addresses to the last network interface defined by a
    net command.

    Example:
    net eth0
    ip6 2001:0db8:0:f101::1/64

ip6 dhcp
    Acquire an IPv6 address and default gateway for the last interface
    defined by a net command, as well as set the DNS servers according
    to the DHCP response. This command requires the ISC dhclient DHCP
    client to be installed and will start it automatically inside the
    sandbox.

    Example:
    net br0
    ip6 dhcp

    This command should not be used in conjunction with the dns command
    if the DHCP server is set to configure DNS servers for the clients,
    because the manually specified DNS servers will be overwritten.

    The DHCP client will NOT release the DHCP lease when the sandbox
    terminates. If your DHCP server requires leases to be explicitly
    released, consider running a DHCP client and releasing the lease
    manually.

iprange address,address
    Assign an IP address in the provided range to the last network
    interface defined by a net command. A default gateway is assigned
    by default.

    Example:

    net eth0
    iprange 192.168.1.150,192.168.1.160

mac address
    Assign MAC addresses to the last network interface defined by a net
    command.

machine-id
    Spoof id number in /etc/machine-id file - a new random id is
    generated inside the sandbox.

mtu number
    Assign an MTU value to the last network interface defined by a net
    command.

net bridge_interface
    Enable a new network namespace and connect it to this bridge
    interface. Unless specified with option --ip and --defaultgw, an IP
    address and a default gateway will be assigned automatically to the
    sandbox. The IP address is verified using ARP before assignment.
    The address configured as default gateway is the bridge device IP
    address. Up to four --net bridge devices can be defined. Mixing
    bridge and macvlan devices is allowed.

net ethernet_interface|wireless_interface
    Enable a new network namespace and connect it to this ethernet
    interface using the standard Linux macvlan or ipvlan driver. Unless
    specified with option --ip and --defaultgw, an IP address and a
    default gateway will be assigned automatically to the sandbox. The
    IP address is verified using ARP before assignment. The address
    configured as default gateway is the default gateway of the host.
    Up to four --net devices can be defined. Mixing bridge and macvlan
    devices is allowed.

net none
    Enable a new, unconnected network namespace. The only interface
    available in the new namespace is a new loopback interface (lo).
    Use this option to deny network access to programs that don't
    really need network access.

net tap_interface
    Enable a new network namespace and connect it to this ethernet tap
    interface using the standard Linux macvlan driver. If the tap
    interface is not configured, the sandbox will not try to configure
    the interface inside the sandbox. Please use ip, netmask and
    defaultgw to specify the configuration.

netfilter
    If a new network namespace is created, enable the default network
    filter.

netfilter filename
    If a new network namespace is created, enable the network filter in
    filename.

netmask address
    Use this option when you want to assign an IP address in a new
    namespace and the parent interface specified by --net is not
    configured. An IP address and a default gateway address also have
    to be added.

netns namespace
    Run the program in a named, persistent network namespace. These can
    be created and configured using "ip netns".

veth-name name
    Use this name for the interface connected to the bridge for
    --net=bridge_interface commands, instead of the default one.
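
An added example, not Firejail's own parser: a small Python check for the ordering rules this page states (quiet first, supported conditionals, noblacklist/nowhitelist before the command they exempt, xephyr-screen before x11 xephyr, interface settings after a net command, dbus none not relaxed to filter). The function name, messages and both sample profiles are constructed; paths are compared as literal strings, the profile is checked on its own, and include files are not followed.

```python
# Conditionals this page names for the "?CONDITIONAL: line" form.
CONDITIONALS = {
    "HAS_APPIMAGE", "HAS_NET", "HAS_NODBUS", "HAS_NOSOUND", "HAS_X11",
    "BROWSER_DISABLE_U2F", "BROWSER_ALLOW_DRM",
}
# Commands that act on "the last network interface defined by a net command".
NEEDS_NET = {"ip", "ip6", "iprange", "mac", "mtu"}

# Constructed sample with one violation of each rule.
SAMPLE = """\
# constructed sample profile
include disable-common.inc
quiet
blacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh
?HAS_GPU: no3d
x11 xephyr
xephyr-screen 640x480
ip 10.10.20.56
net eth0
dbus-user none
dbus-user filter
"""

# Constructed sample with the same commands in a valid order.
CLEAN = """\
quiet
noblacklist ${HOME}/.mozilla
blacklist ${HOME}/.mozilla
?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir
xephyr-screen 640x480
x11 xephyr
net eth0
ip 10.10.20.56
dbus-system none
"""


def lint_profile(text):
    """Return (line_number, message) findings for one profile's text."""
    findings = []
    seen_command = False                       # any uncommented command yet?
    have_iface = False                         # "net <interface>" seen?
    xephyr_seen = False                        # "x11 xephyr" seen?
    listed = {"blacklist": set(), "whitelist": set()}
    dbus_none = set()                          # buses disabled with "none"

    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("?"):
            cond, sep, line = line[1:].partition(":")
            line = line.strip()
            if not sep or cond.strip() not in CONDITIONALS:
                findings.append((num, "unsupported conditional"))
            if line.split(" ", 1)[0] in ("quiet", "include"):
                findings.append((num, "quiet/include cannot be conditional"))
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()

        if cmd == "quiet" and seen_command:
            findings.append((num, "quiet is not the first command"))
        seen_command = True

        if cmd in listed:
            listed[cmd].add(arg)
        elif cmd in ("noblacklist", "nowhitelist") and arg in listed[cmd[2:]]:
            # The exemption only covers blacklist/whitelist lines that follow.
            findings.append((num, f"{cmd} comes after the {cmd[2:]} it targets"))
        elif cmd == "x11" and arg == "xephyr":
            xephyr_seen = True
        elif cmd == "xephyr-screen" and xephyr_seen:
            findings.append((num, "xephyr-screen must precede x11 xephyr"))
        elif cmd == "net" and arg != "none":
            have_iface = True
        elif cmd in NEEDS_NET and not have_iface:
            findings.append((num, f"{cmd} has no earlier net interface"))
        elif cmd in ("dbus-user", "dbus-system"):
            if arg == "none":
                dbus_none.add(cmd)
            elif arg == "filter" and cmd in dbus_none:
                findings.append((num, f"{cmd} none cannot be relaxed to filter"))
    return findings


if __name__ == "__main__":
    for num, message in lint_profile(SAMPLE):
        print(f"line {num}: {message}")
```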

deterministic-exit-code
    Always exit firejail with the first child's exit status. The default
    behavior is to use the exit status of the final child to exit, which
    can be nondeterministic.

join-or-start sandboxname
    Join the sandbox identified by name or start a new one. Same as
    "firejail --join=sandboxname" command if sandbox with specified name
    exists, otherwise same as "name sandboxname".

/etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile

Firejail is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

Homepage: https://firejail.wordpress.com

firejail(1), firemon(1), firecfg(1), firejail-login(5),
firejail-users(5),
⟨https://github.com/netblue30/firejail/wiki/Creating-Profiles⟩

0.9.64.4                        Feb 2021                 FIREJAIL-PROFILE(5)