1FIREJAIL(1) firejail man page FIREJAIL(1)
2
6 Firejail - Linux namespaces sandbox program
7
9 Start a sandbox:
10 firejail [OPTIONS] [program and arguments]
12 Start an AppImage program:
14 firejail [OPTIONS] --appimage [appimage-file and arguments]
16 File transfer from an existing sandbox
18 firejail {--ls | --get | --put | --cat} dir_or_filename
20 Network traffic shaping for an existing sandbox:
22 firejail --bandwidth={name|pid} bandwidth-command
24 Monitoring:
26 firejail {--list | --netstats | --top | --tree}
28 Miscellaneous:
30 firejail {-? | --debug-caps | --debug-errnos | --debug-syscalls
32 | --debug-syscalls32 | --debug-protocols | --help | --version}
33
35 Firejail is a SUID sandbox program that reduces the risk of security
36 breaches by restricting the running environment of untrusted applica‐
37 tions using Linux namespaces, seccomp-bpf and Linux capabilities. It
38 allows a process and all its descendants to have their own private view
39 of the globally shared kernel resources, such as the network stack,
40 process table, mount table. Firejail can work in a SELinux or AppArmor
41 environment, and it is integrated with Linux Control Groups.
42 Written in C with virtually no dependencies, the software runs on any
44 Linux computer with a 3.x kernel version or newer. It can sandbox any
45 type of processes: servers, graphical applications, and even user login
46 sessions.
47 Firejail allows the user to manage application security using security
49 profiles. Each profile defines a set of permissions for a specific ap‐
50 plication or group of applications. The software includes security pro‐
51 files for a number of more common Linux programs, such as Mozilla Fire‐
52 fox, Chromium, VLC, Transmission etc.
53 Alternative sandbox technologies like snap (https://snapcraft.io/) and
55 flatpak (https://flatpak.org/) are not supported. Snap and flatpak
56 packages have their own native management tools and will not work when
57 sandboxed with Firejail.
58
61 Without any options, the sandbox consists of a filesystem build in a
62 new mount namespace, and new PID and UTS namespaces. IPC, network and
63 user namespaces can be added using the command line options. The de‐
64 fault Firejail filesystem is based on the host filesystem with the main
65 system directories mounted read-only. These directories are /etc, /var,
66 /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home and
67 /tmp are writable.
68 Upon execution Firejail first looks in ~/.config/firejail/ for a pro‐
70 file and if it doesn't find one, it looks in /etc/firejail/. For pro‐
71 file resolution detail see https://github.com/netblue30/fire‐
72 jail/wiki/Creating-Profiles#locations-and-types. If an appropriate
73 profile is not found, Firejail will use a default profile. The default
74 profile is quite restrictive. In case the application doesn't work, use
75 --noprofile option to disable it. For more information, please see SE‐
76 CURITY PROFILES section below.
77 If a program argument is not specified, Firejail starts the user's pre‐
79 ferred shell. Examples:
80 $ firejail [OPTIONS] # starting the program specified in
82 $SHELL, usually /bin/bash
83 $ firejail [OPTIONS] firefox # starting Mozilla Firefox
85 # sudo firejail [OPTIONS] /etc/init.d/nginx start
87
90 -- Signal the end of options and disables further option process‐
91 ing.
92 --allow-debuggers
94 Allow tools such as strace and gdb inside the sandbox by
95 whitelisting system calls ptrace and process_vm_readv. This op‐
96 tion is only available when running on Linux kernels 4.8 or
97 newer - a kernel bug in ptrace system call allows a full bypass
98 of the seccomp filter.
99 Example:
101 $ firejail --allow-debuggers --profile=/etc/firejail/fire‐
102 fox.profile strace -f firefox
103 --allusers
105 All directories under /home are visible inside the sandbox. By
106 default, only current user home directory is visible.
107 Example:
109 $ firejail --allusers
110 --appimage
112 Sandbox an AppImage (https://appimage.org/) application. If the
113 sandbox is started as a regular user, nonewprivs and a default
114 capabilities filter are enabled. private-bin and private-lib
115 are disabled by default when running appimages.
116 Example:
118 $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
119 $ firejail --appimage --private --profile=krita
120 krita-3.0-x86_64.appimage
121 $ firejail --appimage --net=none --x11 --profile=krita
122 krita-3.0-x86_64.appimage
123 --bandwidth=name|pid
125 Set bandwidth limits for the sandbox identified by name or PID,
126 see TRAFFIC SHAPING section for more details.
127 --bind=filename1,filename2
129 Mount-bind filename1 on top of filename2. This option is only
130 available when running as root.
131 Example:
133 # firejail --bind=/config/etc/passwd,/etc/passwd
134 --blacklist=dirname_or_filename
136 Blacklist directory or file. File globbing is supported, see
137 FILE GLOBBING section for more details.
138 Example:
140 $ firejail --blacklist=/sbin --blacklist=/usr/sbin
141 $ firejail --blacklist=~/.mozilla
142 $ firejail "--blacklist=/home/username/My Virtual Machines"
143 $ firejail --blacklist=/home/username/My\ Virtual\ Machines
144 --build
146 The command builds a whitelisted profile. The profile is printed
147 on the screen. If /usr/bin/strace is installed on the system, it
148 also builds a whitelisted seccomp profile. The program is run in
149 a very relaxed sandbox, with only --caps.drop=all and --nonew‐
150 privs. Programs that raise user privileges are not supported in
151 order to allow strace to run. Chromium and Chromium-based
152 browsers will not work.
153 Example:
155 $ firejail --build vlc ~/Videos/test.mp4
156 --build=profile-file
158 The command builds a whitelisted profile, and saves it in pro‐
159 file-file. If /usr/bin/strace is installed on the system, it
160 also builds a whitelisted seccomp profile. The program is run in
161 a very relaxed sandbox, with only --caps.drop=all and --nonew‐
162 privs. Programs that raise user privileges are not supported in
163 order to allow strace to run. Chromium and Chromium-based
164 browsers will not work.
165 Example:
167 $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
168 -c Login shell compatibility option. This option is use by some lo‐
170 gin programs when executing the login shell, such as when fire‐
171 jail is used as a restricted login shell. It currently does not
172 change the execution of firejail.
173 --caps Linux capabilities is a kernel feature designed to split up the
175 root privilege into a set of distinct privileges. These privi‐
176 leges can be enabled or disabled independently, thus restricting
177 what a process running as root can do in the system.
178 By default root programs run with all capabilities enabled.
180 --caps option disables the following capabilities: CAP_SYS_MOD‐
181 ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
182 FIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. The filter is ap‐
183 plied to all processes started in the sandbox.
184 Example:
186 $ sudo firejail --caps /etc/init.d/nginx start
187 --caps.drop=all
190 Drop all capabilities for the processes running in the sandbox.
191 This option is recommended for running GUI programs or any other
192 program that doesn't require root privileges. It is a must-have
193 option for sandboxing untrusted programs installed from unoffi‐
194 cial sources - such as games, Java programs, etc.
195 Example:
197 $ firejail --caps.drop=all warzone2100
198 --caps.drop=capability,capability,capability
201 Define a custom blacklist Linux capabilities filter.
202 Example:
204 $ firejail --caps.drop=net_broadcast,net_admin,net_raw
205 --caps.keep=capability,capability,capability
208 Define a custom whitelist Linux capabilities filter.
209 Example:
211 $ sudo firejail --caps.keep=chown,net_bind_service,setgid,\ se‐
212 tuid /etc/init.d/nginx start
213 --caps.print=name|pid
216 Print the caps filter for the sandbox identified by name or by
217 PID.
218 Example:
220 $ firejail --name=mygame --caps.drop=all warzone2100 &
221 $ firejail --caps.print=mygame
222 Example:
224 $ firejail --list
225 3272:netblue::firejail --private firefox
226 $ firejail --caps.print=3272
227 --cat=name|pid filename
230 Print content of file from sandbox container, see FILE TRANSFER
231 section for more details.
232 --cgroup=tasks-file
234 Place the sandbox in the specified control group. tasks-file is
235 the full path of cgroup tasks file.
236 Example:
238 # firejail --cgroup=/sys/fs/cgroup/g1/tasks
239 --chroot=dirname
241 Chroot the sandbox into a root filesystem. Unlike the regular
242 filesystem container, the system directories are mounted read-
243 write. If the sandbox is started as a regular user, nonewprivs
244 and a default capabilities filter are enabled.
245 Example:
247 $ firejail --chroot=/media/ubuntu warzone2100
248 --cpu=cpu-number,cpu-number,cpu-number
250 Set CPU affinity.
251 Example:
253 $ firejail --cpu=0,1 handbrake
254 --cpu.print=name|pid
257 Print the CPU cores in use by the sandbox identified by name or
258 by PID.
259 Example:
261 $ firejail --name=mygame --caps.drop=all warzone2100 &
262 $ firejail --cpu.print=mygame
263 Example:
265 $ firejail --list
266 3272:netblue::firejail --private firefox
267 $ firejail --cpu.print=3272
268 --dbus-log=file
270 Specify the location for the DBus log file.
271 The log file contains events for both the system and session
273 buses if both of the --dbus-system.log and --dbus-user.log op‐
274 tions are specified. If no log file path is given, logs are
275 written to the standard output instead.
276 Example:
278 $ firejail --dbus-system=filter --dbus-system.log \
279 --dbus-log=dbus.txt
280 --dbus-system=filter|none
283 Set system DBus sandboxing policy.
284 The filter policy enables the system DBus filter. This option
286 requires installing the xdg-dbus-proxy utility. Permissions for
287 well-known can be specified with the --dbus-system.talk and
288 --dbus-system.own options.
289 The none policy disables access to the system DBus.
291 Only the regular system DBus UNIX socket is handled by this op‐
293 tion. To disable the abstract sockets (and force applications to
294 use the filtered UNIX socket) you would need to request a new
295 network namespace using --net command. Another option is to re‐
296 move unix from the --protocol set.
297 Example:
299 $ firejail --dbus-system=none
300 --dbus-system.broadcast=name=[member][@path]
303 Allows the application to receive broadcast signals from
304 theindicated interface member at the indicated object path ex‐
305 posed by the indicated bus name on the system DBus. The name
306 may have a .* suffix to match all names underneath it, including
307 itself. The interface member may have a .* to match all members
308 of an interface, or be * to match all interfaces. The path may
309 have a /* suffix to indicate all objects underneath it, includ‐
310 ing itself. Omitting the interface member or the object path
311 will match all members and object paths, respectively.
312 Example:
314 $ firejail --dbus-system=filter --dbus-system.broadcast=\
315 org.freedesktop.Notifications=\
316 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
317 --dbus-system.call=name=[member][@path]
320 Allows the application to call the indicated interface member at
321 the indicated object path exposed by the indicated bus name on
322 the system DBus. The name may have a .* suffix to match all
323 names underneath it, including itself. The interface member may
324 have a .* to match all members of an interface, or be * to match
325 all interfaces. The path may have a /* suffix to indicate all
326 objects underneath it, including itself. Omitting the interface
327 member or the object path will match all members and object
328 paths, respectively.
329 Example:
331 $ firejail --dbus-system=filter --dbus-system.call=\
332 org.freedesktop.Notifications=\
333 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
334 --dbus-system.log
337 Turn on DBus logging for the system DBus. This option requires
338 --dbus-system=filter.
339 Example:
341 $ firejail --dbus-system=filter --dbus-system.log
342 --dbus-system.own=name
345 Allows the application to own the specified well-known name on
346 the system DBus. The name may have a .* suffix to match all
347 names underneath it, including itself (e.g. "foo.bar.*" matches
348 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
349 bar").
350 Example:
352 $ firejail --dbus-system=filter --dbus-system.own=\
353 org.gnome.ghex.*
354 --dbus-system.see=name
357 Allows the application to see, but not talk to the specified
358 well-known name on the system DBus. The name may have a .* suf‐
359 fix to match all names underneath it, including itself (e.g.
360 "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
361 "foo.bar.baz.quux", but not "foobar").
362 Example:
364 $ firejail --dbus-system=filter --dbus-system.see=\
365 org.freedesktop.Notifications
366 --dbus-system.talk=name
369 Allows the application to talk to the specified well-known name
370 on the system DBus. The name may have a .* suffix to match all
371 names underneath it, including itself (e.g. "foo.bar.*" matches
372 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
373 bar").
374 Example:
376 $ firejail --dbus-system=filter --dbus-system.talk=\
377 org.freedesktop.Notifications
378 --dbus-user=filter|none
381 Set session DBus sandboxing policy.
382 The filter policy enables the session DBus filter. This option
384 requires installing the xdg-dbus-proxy utility. Permissions for
385 well-known names can be added with the --dbus-user.talk and
386 --dbus-user.own options.
387 The none policy disables access to the session DBus.
389 Only the regular session DBus UNIX socket is handled by this op‐
391 tion. To disable the abstract sockets (and force applications to
392 use the filtered UNIX socket) you would need to request a new
393 network namespace using --net command. Another option is to re‐
394 move unix from the --protocol set.
395 Example:
397 $ firejail --dbus-user=none
398 --dbus-user.broadcast=name=[member][@path]
401 Allows the application to receive broadcast signals from
402 theindicated interface member at the indicated object path ex‐
403 posed by the indicated bus name on the session DBus. The name
404 may have a .* suffix to match all names underneath it, including
405 itself. The interface member may have a .* to match all members
406 of an interface, or be * to match all interfaces. The path may
407 have a /* suffix to indicate all objects underneath it, includ‐
408 ing itself. Omitting the interface member or the object path
409 will match all members and object paths, respectively.
410 Example:
412 $ firejail --dbus-user=filter --dbus-user.broadcast=\
413 org.freedesktop.Notifications=\
414 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
415 --dbus-user.call=name=[member][@path]
418 Allows the application to call the indicated interface member at
419 the indicated object path exposed by the indicated bus name on
420 the session DBus. The name may have a .* suffix to match all
421 names underneath it, including itself. The interface member may
422 have a .* to match all members of an interface, or be * to match
423 all interfaces. The path may have a /* suffix to indicate all
424 objects underneath it, including itself. Omitting the interface
425 member or the object path will match all members and object
426 paths, respectively.
427 Example:
429 $ firejail --dbus-user=filter --dbus-user.call=\
430 org.freedesktop.Notifications=\
431 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
432 --dbus-user.log
435 Turn on DBus logging for the session DBus. This option requires
436 --dbus-user=filter.
437 Example:
439 $ firejail --dbus-user=filter --dbus-user.log
440 --dbus-user.own=name
443 Allows the application to own the specified well-known name on
444 the session DBus. The name may have a .* suffix to match all
445 names underneath it, including itself (e.g. "foo.bar.*" matches
446 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
447 bar").
448 Example:
450 $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
451 --dbus-user.talk=name
454 Allows the application to talk to the specified well-known name
455 on the session DBus. The name may have a .* suffix to match all
456 names underneath it, including itself (e.g. "foo.bar.*" matches
457 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
458 bar").
459 Example:
461 $ firejail --dbus-user=filter --dbus-user.talk=\
462 org.freedesktop.Notifications
463 --dbus-user.see=name
466 Allows the application to see, but not talk to the specified
467 well-known name on the session DBus. The name may have a .*
468 suffix to match all names underneath it, including itself (e.g.
469 "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
470 "foo.bar.baz.quux", but not "foobar").
471 Example:
473 $ firejail --dbus-user=filter --dbus-user.see=\
474 org.freedesktop.Notifications
475 --debug
477 Print debug messages.
478 Example:
480 $ firejail --debug firefox
481 --debug-blacklists
484 Debug blacklisting.
485 Example:
487 $ firejail --debug-blacklists firefox
488 --debug-caps
491 Print all recognized capabilities in the current Firejail soft‐
492 ware build and exit.
493 Example:
495 $ firejail --debug-caps
496 --debug-errnos
499 Print all recognized error numbers in the current Firejail soft‐
500 ware build and exit.
501 Example:
503 $ firejail --debug-errnos
504 --debug-private-lib
506 Debug messages for --private-lib option.
507 --debug-protocols
509 Print all recognized protocols in the current Firejail software
510 build and exit.
511 Example:
513 $ firejail --debug-protocols
514 --debug-syscalls
516 Print all recognized system calls in the current Firejail soft‐
517 ware build and exit.
518 Example:
520 $ firejail --debug-syscalls
521 --debug-syscalls32
523 Print all recognized 32 bit system calls in the current Firejail
524 software build and exit.
525 --debug-whitelists
527 Debug whitelisting.
528 Example:
530 $ firejail --debug-whitelists firefox
531 --defaultgw=address
533 Use this address as default gateway in the new network name‐
534 space.
535 Example:
537 $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
538 --deterministic-exit-code
540 Always exit firejail with the first child's exit status. The de‐
541 fault behavior is to use the exit status of the final child to
542 exit, which can be nondeterministic.
543 --disable-mnt
545 Blacklist /mnt, /media, /run/mount and /run/media access.
546 Example:
548 $ firejail --disable-mnt firefox
549 --dns=address
552 Set a DNS server for the sandbox. Up to three DNS servers can be
553 defined. Use this option if you don't trust the DNS setup on
554 your network.
555 Example:
557 $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
558 Note: this feature is not supported on systemd-resolved setups.
560 --dns.print=name|pid
562 Print DNS configuration for a sandbox identified by name or by
563 PID.
564 Example:
566 $ firejail --name=mygame --caps.drop=all warzone2100 &
567 $ firejail --dns.print=mygame
568 Example:
570 $ firejail --list
571 3272:netblue::firejail --private firefox
572 $ firejail --dns.print=3272
573 --env=name=value
576 Set environment variable in the new sandbox.
577 Example:
579 $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
580 --fs.print=name|pid
583 Print the filesystem log for the sandbox identified by name or
584 by PID.
585 Example:
587 $ firejail --name=mygame --caps.drop=all warzone2100 &
588 $ firejail --fs.print=mygame
589 Example:
591 $ firejail --list
592 3272:netblue::firejail --private firefox
593 $ firejail --fs.print=3272
594 --get=name|pid filename
597 Get a file from sandbox container, see FILE TRANSFER section for
598 more details.
599 -?, --help
601 Print options end exit.
602 --hostname=name
606 Set sandbox hostname.
607 Example:
609 $ firejail --hostname=officepc firefox
610 --hosts-file=file
613 Use file as /etc/hosts.
614 Example:
616 $ firejail --hosts-file=~/myhosts firefox
617 --ignore=command
620 Ignore command in profile file.
621 Example:
623 $ firejail --ignore=shell --ignore=seccomp firefox
624 $ firejail --ignore="net eth0" firefox
625 --include=file.profile
628 Include a profile file before the regular profiles are used.
629 Example:
631 $ firejail --include=/etc/firejail/disable-devel.inc gedit
632 --interface=interface
635 Move interface in a new network namespace. Up to four --inter‐
636 face options can be specified. Note: wlan devices are not sup‐
637 ported for this option.
638 Example:
640 $ firejail --interface=eth1 --interface=eth0.vlan100
641 --ip=address
644 Assign IP addresses to the last network interface defined by a
645 --net option. A default gateway is assigned by default.
646 Example:
648 $ firejail --net=eth0 --ip=10.10.20.56 firefox
649 --ip=none
652 No IP address and no default gateway are configured for the last
653 interface defined by a --net option. Use this option in case you
654 intend to start an external DHCP client in the sandbox.
655 Example:
657 $ firejail --net=eth0 --ip=none
658 If the corresponding interface doesn't have an IP address con‐
660 figured, this option is enabled by default.
661 --ip=dhcp
664 Acquire an IP address and default gateway for the last interface
665 defined by a --net option, as well as set the DNS servers ac‐
666 cording to the DHCP response. This option requires the ISC
667 dhclient DHCP client to be installed and will start it automati‐
668 cally inside the sandbox.
669 Example:
671 $ firejail --net=br0 --ip=dhcp
672 This option should not be used in conjunction with the --dns op‐
674 tion if the DHCP server is set to configure DNS servers for the
675 clients, because the manually specified DNS servers will be
676 overwritten.
677 The DHCP client will NOT release the DHCP lease when the sandbox
679 terminates. If your DHCP server requires leases to be explic‐
680 itly released, consider running a DHCP client and releasing the
681 lease manually in conjunction with the --net=none option.
682 --ip6=address
685 Assign IPv6 addresses to the last network interface defined by a
686 --net option.
687 Example:
689 $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
690 Note: you don't need this option if you obtain your ip6 address
692 from router via SLAAC (your ip6 address and default route will
693 be configured by kernel automatically).
694 --ip6=dhcp
697 Acquire an IPv6 address and default gateway for the last inter‐
698 face defined by a --net option, as well as set the DNS servers
699 according to the DHCP response. This option requires the ISC
700 dhclient DHCP client to be installed and will start it automati‐
701 cally inside the sandbox.
702 Example:
704 $ firejail --net=br0 --ip6=dhcp
705 This option should not be used in conjunction with the --dns op‐
707 tion if the DHCP server is set to configure DNS servers for the
708 clients, because the manually specified DNS servers will be
709 overwritten.
710 The DHCP client will NOT release the DHCP lease when the sandbox
712 terminates. If your DHCP server requires leases to be explic‐
713 itly released, consider running a DHCP client and releasing the
714 lease manually.
715 --iprange=address,address
718 Assign an IP address in the provided range to the last network
719 interface defined by a --net option. A default gateway is as‐
720 signed by default.
721 Example:
723 $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
724 --ipc-namespace
727 Enable a new IPC namespace if the sandbox was started as a reg‐
728 ular user. IPC namespace is enabled by default for sandboxes
729 started as root.
730 Example:
732 $ firejail --ipc-namespace firefox
733 --join=name|pid
735 Join the sandbox identified by name or by PID. By default a
736 /bin/bash shell is started after joining the sandbox. If a pro‐
737 gram is specified, the program is run in the sandbox. If --join
738 command is issued as a regular user, all security filters are
739 configured for the new process the same they are configured in
740 the sandbox. If --join command is issued as root, the security
741 filters, cgroups and cpus configurations are not applied to the
742 process joining the sandbox.
743 Example:
745 $ firejail --name=mygame --caps.drop=all warzone2100 &
746 $ firejail --join=mygame
747 Example:
749 $ firejail --list
750 3272:netblue::firejail --private firefox
751 $ firejail --join=3272
752 --join-filesystem=name|pid
755 Join the mount namespace of the sandbox identified by name or
756 PID. By default a /bin/bash shell is started after joining the
757 sandbox. If a program is specified, the program is run in the
758 sandbox. This command is available only to root user. Security
759 filters, cgroups and cpus configurations are not applied to the
760 process joining the sandbox.
761 --join-network=name|pid
763 Join the network namespace of the sandbox identified by name. By
764 default a /bin/bash shell is started after joining the sandbox.
765 If a program is specified, the program is run in the sandbox.
766 This command is available only to root user. Security filters,
767 cgroups and cpus configurations are not applied to the process
768 joining the sandbox. Example:
769 # start firefox
771 $ firejail --net=eth0 --name=browser firefox &
772 # change netfilter configuration
774 $ sudo firejail --join-network=browser bash -c "cat /etc/fire‐
775 jail/nolocal.net | /sbin/iptables-restore"
776 # verify netfilter configuration
778 $ sudo firejail --join-network=browser /sbin/iptables -vL
779 # verify IP addresses
781 $ sudo firejail --join-network=browser ip addr
782 Switching to pid 1932, the first child process inside the sand‐
783 box
784 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UN‐
785 KNOWN group default
786 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
787 inet 127.0.0.1/8 scope host lo
788 valid_lft forever preferred_lft forever
789 inet6 ::1/128 scope host
790 valid_lft forever preferred_lft forever
791 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
792 noqueue state UNKNOWN group default
793 link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
794 inet 192.168.1.158/24 brd 192.168.1.255 scope global
795 eth0-1931
796 valid_lft forever preferred_lft forever
797 inet6 fe80::7458:14ff:fe42:78e4/64 scope link
798 valid_lft forever preferred_lft forever
799 --join-or-start=name
801 Join the sandbox identified by name or start a new one. Same as
802 "firejail --join=name" if sandbox with specified name exists,
803 otherwise same as "firejail --name=name ..."
804 Note that in contrary to other join options there is respective
805 profile option.
806 --keep-config-pulse
809 Disable automatic ~/.config/pulse init, for complex setups such
810 as remote pulse servers or non-standard socket paths.
811 Example:
813 $ firejail --keep-config-pulse firefox
814 --keep-dev-shm
817 /dev/shm directory is untouched (even with --private-dev)
818 Example:
820 $ firejail --keep-dev-shm --private-dev
821 --keep-var-tmp
824 /var/tmp directory is untouched.
825 Example:
827 $ firejail --keep-var-tmp
828 --list List all sandboxes, see MONITORING section for more details.
831 Example:
833 $ firejail --list
834 7015:netblue:browser:firejail firefox
835 7056:netblue:torrent:firejail --net=eth0 transmission-gtk
836 7064:netblue::firejail --noroot xterm
837 --ls=name|pid dir_or_filename
839 List files in sandbox container, see FILE TRANSFER section for
840 more details.
841 --mac=address
843 Assign MAC addresses to the last network interface defined by a
844 --net option. This option is not supported for wireless inter‐
845 faces.
846 Example:
848 $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
849 --machine-id
851 Spoof id number in /etc/machine-id file - a new random id is
852 generated inside the sandbox. Note that this breaks audio sup‐
853 port. Enable it when sound is not required.
854 Example:
856 $ firejail --machine-id
857 --mkdir=dirname
860 Create a directory in user home. Parent directories are created
861 as needed.
862 Example:
864 $ firejail --mkdir=~/work/project
865 --mkfile=filename
868 Create an empty file in user home.
869 Example:
871 $ firejail --mkfile=~/work/project/readme
872 --memory-deny-write-execute
875 Install a seccomp filter to block attempts to create memory map‐
876 pings that are both writable and executable, to change mappings
877 to be executable, or to create executable shared memory. The
878 filter examines the arguments of mmap, mmap2, mprotect,
879 pkey_mprotect, memfd_create and shmat system calls and returns
880 error EPERM to the process (or kills it or log the attempt, see
881 --seccomp-error-action below) if necessary.
882 Note: shmat is not implemented as a system call on some plat‐
884 forms including i386, and it cannot be handled by seccomp-bpf.
885 --mtu=number
887 Assign a MTU value to the last network interface defined by a
888 --net option.
889 Example:
891 $ firejail --net=eth0 --mtu=1492
892 --name=name
894 Set sandbox name. Several options, such as --join and --shut‐
895 down, can use this name to identify a sandbox.
896 In case the name supplied by the user is already in use by an‐
898 other sandbox, Firejail will assign a new name as "name-PID",
899 where PID is the process ID of the sandbox. This functionality
900 can be disabled at run time in /etc/firejail/firejail.config
901 file, by setting "name-change" flag to "no".
902 Example:
904 $ firejail --name=browser firefox &
905 $ firejail --name=browser --private firefox --no-remote &
906 $ firejail --list
907 1198:netblue:browser:firejail --name=browser firefox
908 1312:netblue:browser-1312:firejail --name=browser --private
909 firefox --no-remote
910 --net=bridge_interface
912 Enable a new network namespace and connect it to this bridge in‐
913 terface. Unless specified with option --ip and --defaultgw, an
914 IP address and a default gateway will be assigned automatically
915 to the sandbox. The IP address is verified using ARP before as‐
916 signment. The address configured as default gateway is the
917 bridge device IP address. Up to four --net options can be speci‐
918 fied.
919 Example:
921 $ sudo brctl addbr br0
922 $ sudo ifconfig br0 10.10.20.1/24
923 $ sudo brctl addbr br1
924 $ sudo ifconfig br1 10.10.30.1/24
925 $ firejail --net=br0 --net=br1
926 --net=ethernet_interface|wireless_interface
929 Enable a new network namespace and connect it to this ethernet
930 interface using the standard Linux macvlan|ipvaln driver. Unless
931 specified with option --ip and --defaultgw, an IP address and a
932 default gateway will be assigned automatically to the sandbox.
933 The IP address is verified using ARP before assignment. The ad‐
934 dress configured as default gateway is the default gateway of
935 the host. Up to four --net options can be specified. Support
936 for ipvlan driver was introduced in Linux kernel 3.19.
937 Example:
939 $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
940 $ firejail --net=wlan0 firefox
941 --net=none
943 Enable a new, unconnected network namespace. The only interface
944 available in the new namespace is a new loopback interface (lo).
945 Use this option to deny network access to programs that don't
946 really need network access.
947 Example:
949 $ firejail --net=none vlc
950 Note: --net=none can crash the application on some platforms.
952 In these cases, it can be replaced with --protocol=unix.
953 --net=tap_interface
955 Enable a new network namespace and connect it to this ethernet
956 tap interface using the standard Linux macvlan driver. If the
957 tap interface is not configured, the sandbox will not try to
958 configure the interface inside the sandbox. Please use --ip,
959 --netmask and --defaultgw to specify the configuration.
960 Example:
962 $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
963 --defaultgw=10.10.20.1 firefox
964 --net.print=name|pid
967 If a new network namespace is enabled, print network interface
968 configuration for the sandbox specified by name or PID. Example:
969 $ firejail --net.print=browser
971 Switching to pid 1853, the first child process inside the sand‐
972 box
973 Interface MAC IP Mask Status
974 lo 127.0.0.1 255.0.0.0 UP
975 eth0-1852 5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
976 --netfilter
979 Enable a default firewall if a new network namespace is created
980 inside the sandbox. This option has no effect for sandboxes us‐
981 ing the system network namespace.
982 The default firewall is optimized for regular desktop applica‐
984 tions. No incoming connections are accepted:
985 *filter
987 :INPUT DROP [0:0]
988 :FORWARD DROP [0:0]
989 :OUTPUT ACCEPT [0:0]
990 -A INPUT -i lo -j ACCEPT
991 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
992 # allow ping
993 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
994 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
995 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
996 # drop STUN (WebRTC) requests
997 -A OUTPUT -p udp --dport 3478 -j DROP
998 -A OUTPUT -p udp --dport 3479 -j DROP
999 -A OUTPUT -p tcp --dport 3478 -j DROP
1000 -A OUTPUT -p tcp --dport 3479 -j DROP
1001 COMMIT
1002 Example:
1004 $ firejail --net=eth0 --netfilter firefox
1005 --netfilter=filename
1007 Enable the firewall specified by filename if a new network name‐
1008 space is created inside the sandbox. This option has no effect
1009 for sandboxes using the system network namespace.
1010 Please use the regular iptables-save/iptables-restore format for
1012 the filter file. The following examples are available in
1013 /etc/firejail directory:
1014 webserver.net is a webserver firewall that allows access only to
1016 TCP ports 80 and 443. Example:
1017 $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
1019 /etc/init.d/apache2 start
1020 nolocal.net/nolocal6.net is a desktop client firewall that dis‐
1022 able access to local network. Example:
1023 $ firejail --netfilter=/etc/firejail/nolocal.net \
1025 --net=eth0 firefox
1026 --netfilter=filename,arg1,arg2,arg3 ...
1029 This is the template version of the previous command. $ARG1,
1030 $ARG2, $ARG3 ... in the firewall script are replaced with arg1,
1031 arg2, arg3 ... passed on the command line. Up to 16 arguments
1032 are supported. Example:
1033 $ firejail --net=eth0 --ip=192.168.1.105 \
1035 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
1036 --netfilter.print=name|pid
1039 Print the firewall installed in the sandbox specified by name or
1040 PID. Example:
1041 $ firejail --name=browser --net=eth0 --netfilter firefox &
1043 $ firejail --netfilter.print=browser
1044 --netfilter6=filename
1047 Enable the IPv6 firewall specified by filename if a new network
1048 namespace is created inside the sandbox. This option has no ef‐
1049 fect for sandboxes using the system network namespace. Please
1050 use the regular iptables-save/iptables-restore format for the
1051 filter file.
1052 --netfilter6.print=name|pid
1055 Print the IPv6 firewall installed in the sandbox specified by
1056 name or PID. Example:
1057 $ firejail --name=browser --net=eth0 --netfilter firefox &
1059 $ firejail --netfilter6.print=browser
1060 --netmask=address
1063 Use this option when you want to assign an IP address in a new
1064 namespace and the parent interface specified by --net is not
1065 configured. An IP address and a default gateway address also
1066 have to be added. By default the new namespace interface comes
1067 without IP address and default gateway configured. Example:
1068 $ sudo /sbin/brctl addbr br0
1070 $ sudo /sbin/ifconfig br0 up
1071 $ firejail --ip=10.10.20.67 --netmask=255.255.255.0 --de‐
1072 faultgw=10.10.20.1
1073 --netns=name
1076 Run the program in a named, persistent network namespace. These
1077 can be created and configured using "ip netns".
1078 --netstats
1081 Monitor network namespace statistics, see MONITORING section for
1082 more details.
1083 Example:
1085 $ firejail --netstats
1087 PID User RX(KB/s) TX(KB/s) Command
1088 1294 netblue 53.355 1.473 firejail --net=eth0 firefox
1089 7383 netblue 9.045 0.112 firejail --net=eth0 transmission
1090 --nice=value
1092 Set nice value for all processes running inside the sandbox.
1093 Only root may specify a negative value.
1094 Example:
1096 $ firejail --nice=2 firefox
1097 --no3d Disable 3D hardware acceleration.
1100 Example:
1102 $ firejail --no3d firefox
1103 --noautopulse (deprecated)
1106 See --keep-config-pulse.
1107 --noblacklist=dirname_or_filename
1110 Disable blacklist for this directory or file.
1111 Example:
1113 $ firejail
1114 $ nc dict.org 2628
1115 bash: /bin/nc: Permission denied
1116 $ exit
1117 $ firejail --noblacklist=/bin/nc
1119 $ nc dict.org 2628
1120 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1121 --nodbus (deprecated)
1123 Disable D-Bus access (both system and session buses). Equivalent
1124 to --dbus-system=none --dbus-user=none.
1125 Example:
1127 $ firejail --nodbus --net=none
1128 --nodvd
1130 Disable DVD and audio CD devices.
1131 Example:
1133 $ firejail --nodvd
1134 --noinput
1136 Disable input devices.
1137 Example:
1139 $ firejail --noinput
1140 --noexec=dirname_or_filename
1142 Remount directory or file noexec, nodev and nosuid. File glob‐
1143 bing is supported, see FILE GLOBBING section for more details.
1144 Example:
1146 $ firejail --noexec=/tmp
1147 /etc and /var are noexec by default if the sandbox was started
1149 as a regular user.
1150 --nogroups
1153 Disable supplementary groups. Without this option, supplementary
1154 groups are enabled for the user starting the sandbox. For root
1155 user supplementary groups are always disabled.
1156 Note: By default all regular user groups are removed with the
1158 exception of the current user. This can be changed using --al‐
1159 lusers command option.
1160 Example:
1162 $ id
1163 uid=1000(netblue) gid=1000(netblue) groups=1000(net‐
1164 blue),24(cdrom),25(floppy),27(sudo),29(audio)
1165 $ firejail --nogroups
1166 Parent pid 8704, child pid 8705
1167 Child process initialized
1168 $ id
1169 uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
1170 $
1171 --nonewprivs
1174 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
1175 cannot acquire new privileges using execve(2); in particular,
1176 this means that calling a suid binary (or one with file capabil‐
1177 ities) does not result in an increase of privilege. This option
1178 is enabled by default if seccomp filter is activated.
1179 --noprofile
1182 Do not use a security profile.
1183 Example:
1185 $ firejail
1186 Reading profile /etc/firejail/default.profile
1187 Parent pid 8553, child pid 8554
1188 Child process initialized
1189 [...]
1190 $ firejail --noprofile
1192 Parent pid 8553, child pid 8554
1193 Child process initialized
1194 [...]
1195 --noroot
1197 Install a user namespace with a single user - the current user.
1198 root user does not exist in the new namespace. This option re‐
1199 quires a Linux kernel version 3.8 or newer. The option is not
1200 supported for --chroot and --overlay configurations, or for
1201 sandboxes started as root.
1202 Example:
1204 $ firejail --noroot
1205 Parent pid 8553, child pid 8554
1206 Child process initialized
1207 $ ping google.com
1208 ping: icmp open socket: Operation not permitted
1209 $
1210 --nosound
1212 Disable sound system.
1213 Example:
1215 $ firejail --nosound firefox
1216 --notv Disable DVB (Digital Video Broadcasting) TV devices.
1219 Example:
1221 $ firejail --notv vlc
1222 --nou2f
1225 Disable U2F devices.
1226 Example:
1228 $ firejail --nou2f
1229 --novideo
1232 Disable video devices.
1233 --nowhitelist=dirname_or_filename
1236 Disable whitelist for this directory or file.
1237 --output=logfile
1240 stdout logging and log rotation. Copy stdout to logfile, and
1241 keep the size of the file under 500KB using log rotation. Five
1242 files with prefixes .1 to .5 are used in rotation.
1243 Example:
1245 $ firejail --output=sandboxlog /bin/bash
1246 [...]
1247 $ ls -l sandboxlog*
1248 -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog
1249 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1
1250 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2
1251 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3
1252 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4
1253 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5
1254 --output-stderr=logfile
1257 Similar to --output, but stderr is also stored.
1258 --private
1261 Mount new /root and /home/user directories in temporary filesys‐
1262 tems. All modifications are discarded when the sandbox is
1263 closed.
1264 Example:
1266 $ firejail --private firefox
1267 --private=directory
1270 Use directory as user home. --private and --private=directory
1271 cannot be used together.
1272 Example:
1274 $ firejail --private=/home/netblue/firefox-home firefox
1275 --private-bin=file,file
1278 Build a new /bin in a temporary filesystem, and copy the pro‐
1279 grams in the list. The files in the list must be expressed as
1280 relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/lo‐
1281 cal/bin directories. If no listed files are found, /bin direc‐
1282 tory will be empty. The same directory is also bind-mounted
1283 over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. All modifi‐
1284 cations are discarded when the sandbox is closed. File globbing
1285 is supported, see FILE GLOBBING section for more details.
1286 Example:
1288 $ firejail --private-bin=bash,sed,ls,cat
1289 Parent pid 20841, child pid 20842
1290 Child process initialized
1291 $ ls /bin
1292 bash cat ls sed
1293 --private-cache
1296 Mount an empty temporary filesystem on top of the .cache direc‐
1297 tory in user home. All modifications are discarded when the
1298 sandbox is closed.
1299 Example:
1301 $ firejail --private-cache openbox
1302 --private-cwd
1305 Set working directory inside jail to the home directory, and
1306 failing that, the root directory.
1307 Does not impact working directory of profile include paths.
1308 Example:
1310 $ pwd
1311 /tmp
1312 $ firejail --private-cwd
1313 $ pwd
1314 /home/user
1315 --private-cwd=directory
1318 Set working directory inside the jail.
1319 Does not impact working directory of profile include paths.
1320 Example:
1322 $ pwd
1323 /tmp
1324 $ firejail --private-cwd=/opt
1325 $ pwd
1326 /opt
1327 --private-dev
1330 Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
1331 full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
1332 shm and usb devices are available. Use the options --no3d,
1333 --nodvd, --nosound, --notv, --nou2f and --novideo for additional
1334 restrictions.
1335 Example:
1337 $ firejail --private-dev
1338 Parent pid 9887, child pid 9888
1339 Child process initialized
1340 $ ls /dev
1341 cdrom cdrw dri dvd dvdrw full log null ptmx pts random
1342 shm snd sr0 tty urandom zero
1343 $
1344 --private-etc=file,directory
1346 Build a new /etc in a temporary filesystem, and copy the files
1347 and directories in the list. The files and directories in the
1348 list must be expressed as relative to the /etc directory (e.g.,
1349 /etc/foo must be expressed as foo). If no listed file is found,
1350 /etc directory will be empty. All modifications are discarded
1351 when the sandbox is closed.
1352 Example:
1354 $ firejail --private-etc=group,hostname,localtime, \
1355 nsswitch.conf,passwd,resolv.conf
1356 --private-home=file,directory
1358 Build a new user home in a temporary filesystem, and copy the
1359 files and directories in the list in the new home. The files
1360 and directories in the list must be expressed as relative to the
1361 current user's home directory. All modifications are discarded
1362 when the sandbox is closed.
1363 Example:
1365 $ firejail --private-home=.mozilla firefox
1366 --private-lib=file,directory
1368 This feature is currently under heavy development. Only amd64
1369 platforms are supported at this moment. The files and directo‐
1370 ries in the list must be expressed as relative to the /lib di‐
1371 rectory. The idea is to build a new /lib in a temporary
1372 filesystem, with only the library files necessary to run the ap‐
1373 plication. It could be as simple as:
1374 $ firejail --private-lib galculator
1376 but it gets complicated really fast:
1378 $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1380 gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1381 The feature is integrated with --private-bin:
1383 $ firejail --private-lib --private-bin=bash,ls,ps
1385 $ ls /lib
1386 ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
1387 temd.so.0
1388 libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1389 libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1390 libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1391 $ ps
1392 PID TTY TIME CMD
1393 1 pts/0 00:00:00 firejail
1394 45 pts/0 00:00:00 bash
1395 48 pts/0 00:00:00 ps
1396 $
1397 --private-opt=file,directory
1400 Build a new /opt in a temporary filesystem, and copy the files
1401 and directories in the list. The files and directories in the
1402 list must be expressed as relative to the /opt directory, and
1403 must not contain the / character (e.g., /opt/foo must be ex‐
1404 pressed as foo, but /opt/foo/bar -- expressed as foo/bar -- is
1405 disallowed). If no listed file is found, /opt directory will be
1406 empty. All modifications are discarded when the sandbox is
1407 closed.
1408 Example:
1410 $ firejail --private-opt=firefox /opt/firefox/firefox
1411 --private-srv=file,directory
1414 Build a new /srv in a temporary filesystem, and copy the files
1415 and directories in the list. The files and directories in the
1416 list must be expressed as relative to the /srv directory, and
1417 must not contain the / character (e.g., /srv/foo must be ex‐
1418 pressed as foo, but /srv/foo/bar -- expressed as srv/bar -- is
1419 disallowed). If no listed file is found, /srv directory will be
1420 empty. All modifications are discarded when the sandbox is
1421 closed.
1422 Example:
1424 # firejail --private-srv=www /etc/init.d/apache2 start
1425 --private-tmp
1428 Mount an empty temporary filesystem on top of /tmp directory
1429 whitelisting X11 and PulseAudio sockets.
1430 Example:
1432 $ firejail --private-tmp
1433 $ ls -al /tmp
1434 drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
1435 drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1436 drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKd‐
1437 htXMmr18n
1438 drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1439 --profile=filename_or_profilename
1442 Load a custom security profile from filename. For filename use
1443 an absolute path or a path relative to the current path. For
1444 more information, see SECURITY PROFILES section below.
1445 Example:
1447 $ firejail --profile=myprofile
1448 --profile.print=name|pid
1451 Print the name of the profile file for the sandbox identified by
1452 name or or PID.
1453 Example:
1455 $ firejail --profile.print=browser
1456 /etc/firejail/firefox.profile
1457 --protocol=protocol,protocol,protocol
1459 Enable protocol filter. The filter is based on seccomp and
1460 checks the first argument to socket system call. Recognized
1461 values: unix, inet, inet6, netlink, packet and bluetooth. This
1462 option is not supported for i386 architecture.
1463 Example:
1465 $ firejail --protocol=unix,inet,inet6 firefox
1466 --protocol.print=name|pid
1468 Print the protocol filter for the sandbox identified by name or
1469 PID.
1470 Example:
1472 $ firejail --name=mybrowser firefox &
1473 $ firejail --protocol.print=mybrowser
1474 unix,inet,inet6,netlink
1475 Example:
1477 $ firejail --list
1478 3272:netblue::firejail --private firefox
1479 $ firejail --protocol.print=3272
1480 unix,inet,inet6,netlink
1481 --put=name|pid src-filename dest-filename
1483 Put a file in sandbox container, see FILE TRANSFER section for
1484 more details.
1485 --quiet
1487 Turn off Firejail's output.
1488 The same effect can be obtained by setting an environment vari‐
1490 able FIREJAIL_QUIET to yes.
1491 --read-only=dirname_or_filename
1493 Set directory or file read-only. File globbing is supported, see
1494 FILE GLOBBING section for more details.
1495 Example:
1497 $ firejail --read-only=~/.mozilla firefox
1498 --read-write=dirname_or_filename
1500 Set directory or file read-write. Only files or directories be‐
1501 longing to the current user are allowed for this operation. File
1502 globbing is supported, see FILE GLOBBING section for more de‐
1503 tails. Example:
1504 $ mkdir ~/test
1506 $ touch ~/test/a
1507 $ firejail --read-only=~/test --read-write=~/test/a
1508 --rlimit-as=number
1512 Set the maximum size of the process's virtual memory (address
1513 space) in bytes. Use k(ilobyte), m(egabyte) or g(igabyte) for
1514 size suffix (base 1024).
1515 --rlimit-cpu=number
1518 Set the maximum limit, in seconds, for the amount of CPU time
1519 each sandboxed process can consume. When the limit is reached,
1520 the processes are killed.
1521 The CPU limit is a limit on CPU seconds rather than elapsed
1523 time. CPU seconds is basically how many seconds the CPU has been
1524 in use and does not necessarily directly relate to the elapsed
1525 time. Linux kernel keeps track of CPU seconds for each process
1526 independently.
1527 --rlimit-fsize=number
1530 Set the maximum file size that can be created by a process. Use
1531 k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base
1532 1024).
1533 --rlimit-nofile=number
1535 Set the maximum number of files that can be opened by a process.
1536 --rlimit-nproc=number
1538 Set the maximum number of processes that can be created for the
1539 real user ID of the calling process.
1540 --rlimit-sigpending=number
1542 Set the maximum number of pending signals for a process.
1543 --rmenv=name
1546 Remove environment variable in the new sandbox.
1547 Example:
1549 $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1550 --scan ARP-scan all the networks from inside a network namespace. This
1552 makes it possible to detect macvlan kernel device drivers run‐
1553 ning on the current host.
1554 Example:
1556 $ firejail --net=eth0 --scan
1557 --seccomp
1559 Enable seccomp filter and blacklist the syscalls in the default
1560 list, which is @default-nodebuggers unless --allow-debuggers is
1561 specified, then it is @default.
1562 To help creating useful seccomp filters more easily, the follow‐
1564 ing system call groups are defined: @aio, @basic-io, @chown,
1565 @clock, @cpu-emulation, @debug, @default, @default-nodebuggers,
1566 @default-keep, @file-system, @io-event, @ipc, @keyring, @mem‐
1567 lock, @module, @mount, @network-io, @obsolete, @privileged,
1568 @process, @raw-io, @reboot, @resources, @setuid, @swap, @sync,
1569 @system-service and @timer. More information about groups can
1570 be found in /usr/share/doc/firejail/syscalls.txt
1571 System architecture is strictly imposed only if flag --sec‐
1573 comp.block-secondary is used. The filter is applied at run time
1574 only if the correct architecture was detected. For the case of
1575 I386 and AMD64 both 32-bit and 64-bit filters are installed.
1576 Firejail will print seccomp violations to the audit log if the
1578 kernel was compiled with audit support (CONFIG_AUDIT flag).
1579 Example:
1581 $ firejail --seccomp
1582 The default list can be customized, see --seccomp= for a de‐
1584 scription. It can be customized also globally in /etc/fire‐
1585 jail/firejail.config file.
1586 --seccomp=syscall,@group,!syscall2
1589 Enable seccomp filter, blacklist the default list and the
1590 syscalls or syscall groups specified by the command, but don't
1591 blacklist "syscall2". On a 64 bit architecture, an additional
1592 filter for 32 bit system calls can be installed with --sec‐
1593 comp.32.
1594 Example:
1596 $ firejail --seccomp=utime,utimensat,utimes firefox
1597 $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1598 $ firejail '--seccomp=@ipc,!pipe,!pipe2' audacious
1599 Syscalls can be specified by their number if prefix $ is added,
1601 so for example $165 would be equal to mount on i386.
1602 Instead of dropping the syscall by returning EPERM, another er‐
1604 ror number can be returned using syscall:errno syntax. This can
1605 be also changed globally with --seccomp-error-action or in
1606 /etc/firejail/firejail.config file. The process can also be
1607 killed by using syscall:kill syntax, or the attempt may be
1608 logged with syscall:log.
1609 Example:
1611 $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1612 Parent pid 10662, child pid 10663
1613 Child process initialized
1614 $ touch testfile
1615 $ ls testfile
1616 testfile
1617 $ rm testfile
1618 rm: cannot remove `testfile': No such file or directory
1619 If the blocked system calls would also block Firejail from oper‐
1621 ating, they are handled by adding a preloaded library which per‐
1622 forms seccomp system calls later. However, this is incompatible
1623 with 32 bit seccomp filters.
1624 Example:
1626 $ firejail --noprofile --shell=none --seccomp=execve sh
1627 Parent pid 32751, child pid 32752
1628 Post-exec seccomp protector enabled
1629 list in: execve, check list: @default-keep prelist: (null),
1630 postlist: execve
1631 Child process initialized in 46.44 ms
1632 $ ls
1633 Operation not permitted
1634 --seccomp.block-secondary
1637 Enable seccomp filter and filter system call architectures so
1638 that only the native architecture is allowed. For example, on
1639 amd64, i386 and x32 system calls are blocked as well as changing
1640 the execution domain with personality(2) system call.
1641 --seccomp.drop=syscall,@group
1644 Enable seccomp filter, and blacklist the syscalls or the syscall
1645 groups specified by the command. On a 64 bit architecture, an
1646 additional filter for 32 bit system calls can be installed with
1647 --seccomp.32.drop.
1648 Example:
1650 $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1651 Instead of dropping the syscall by returning EPERM, another er‐
1653 ror number can be returned using syscall:errno syntax. This can
1654 be also changed globally with --seccomp-error-action or in
1655 /etc/firejail/firejail.config file. The process can also be
1656 killed by using syscall:kill syntax, or the attempt may be
1657 logged with syscall:log.
1658 Example:
1660 $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1661 Parent pid 10662, child pid 10663
1662 Child process initialized
1663 $ touch testfile
1664 $ ls testfile
1665 testfile
1666 $ rm testfile
1667 rm: cannot remove `testfile': No such file or directory
1668 --seccomp.keep=syscall,@group,!syscall2
1671 Enable seccomp filter, blacklist all syscall not listed and
1672 "syscall2". The system calls needed by Firejail (group @de‐
1673 fault-keep: prctl, execve, execveat) are handled with the
1674 preload library. On a 64 bit architecture, an additional filter
1675 for 32 bit system calls can be installed with --seccomp.32.keep.
1676 Example:
1678 $ firejail --shell=none --seccomp.keep=poll,select,[...] trans‐
1679 mission-gtk
1680 --seccomp.print=name|pid
1683 Print the seccomp filter for the sandbox identified by name or
1684 PID.
1685 Example:
1687 $ firejail --name=browser firefox &
1688 $ firejail --seccomp.print=browser
1689 line OP JT JF K
1690 =================================
1691 0000: 20 00 00 00000004 ld data.architecture
1692 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
1693 0002: 06 00 00 7fff0000 ret ALLOW
1694 0003: 20 00 00 00000000 ld data.syscall-number
1695 0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
1696 0005: 35 01 00 00000000 jge read 0007 (false 0006)
1697 0006: 06 00 00 00050001 ret ERRNO(1)
1698 0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
1699 0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
1700 0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
1701 000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false
1702 000b)
1703 000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
1704 000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
1705 000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
1706 000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
1707 000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
1708 0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
1709 0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
1710 0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
1711 0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
1712 0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
1713 0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
1714 0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
1715 0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
1716 0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
1717 0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
1718 001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
1719 001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
1720 001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
1721 001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
1722 001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
1723 001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
1724 0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
1725 0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
1726 0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
1727 0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
1728 0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
1729 0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
1730 0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
1731 0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
1732 0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
1733 0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
1734 002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
1735 002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
1736 002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
1737 002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
1738 002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
1739 002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
1740 0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
1741 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
1742 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
1743 0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
1744 0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false
1745 0035)
1746 0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false
1747 0036)
1748 0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
1749 0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
1750 0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
1751 0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
1752 003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
1753 003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
1754 003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
1755 003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
1756 003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
1757 003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
1758 0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
1759 0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
1760 0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false
1761 0043)
1762 0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
1763 0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
1764 0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
1765 0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
1766 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false
1767 0048)
1768 0048: 06 00 00 7fff0000 ret ALLOW
1769 0049: 06 00 01 00000000 ret KILL
1770 $
1771 --seccomp-error-action= kill | ERRNO | log
1774 By default, if a seccomp filter blocks a system call, the
1775 process gets EPERM as the error. With --seccomp-error-action=er‐
1776 ror, another error number can be returned, for example ENOSYS or
1777 EACCES. The process can also be killed (like in versions <0.9.63
1778 of Firejail) by using --seccomp-error-action=kill syntax, or the
1779 attempt may be logged with --seccomp-error-action=log. Not
1780 killing the process weakens Firejail slightly when trying to
1781 contain intrusion, but it may also allow tighter filters if the
1782 only alternative is to allow a system call.
1783 --shell=none
1786 Run the program directly, without a user shell.
1787 Example:
1789 $ firejail --shell=none script.sh
1790 --shell=program
1792 Set default user shell. Use this shell to run the application
1793 using -c shell option. For example "firejail --shell=/bin/dash
1794 firefox" will start Mozilla Firefox as "/bin/dash -c firefox".
1795 By default the user's preferred shell is used.
1796 Example: $firejail --shell=/bin/dash script.sh
1798 --shutdown=name|pid
1800 Shutdown the sandbox identified by name or PID.
1801 Example:
1803 $ firejail --name=mygame --caps.drop=all warzone2100 &
1804 $ firejail --shutdown=mygame
1805 Example:
1807 $ firejail --list
1808 3272:netblue::firejail --private firefox
1809 $ firejail --shutdown=3272
1810 --timeout=hh:mm:ss
1812 Kill the sandbox automatically after the time has elapsed. The
1813 time is specified in hours/minutes/seconds format.
1814 $ firejail --timeout=01:30:00 firefox
1816 --tmpfs=dirname
1818 Mount a writable tmpfs filesystem on directory dirname. Directo‐
1819 ries outside user home or not owned by the user are not allowed.
1820 Sandboxes running as root are exempt from these restrictions.
1821 File globbing is supported, see FILE GLOBBING section for more
1822 details.
1823 Example:
1825 $ firejail --tmpfs=~/.local/share
1826 --top Monitor the most CPU-intensive sandboxes, see MONITORING section
1828 for more details.
1829 Example:
1831 $ firejail --top
1832 --trace[=filename]
1834 Trace open, access and connect system calls. If filename is
1835 specified, log trace output to filename, otherwise log to con‐
1836 sole.
1837 Example:
1839 $ firejail --trace wget -q www.debian.org
1840 Reading profile /etc/firejail/wget.profile
1841 3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
1842 3:wget:fopen /etc/hosts:0x5c8e8cfb70
1843 3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
1844 3:wget:connect 3 8.8.8.8 port 53:0
1845 3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
1846 3:wget:connect 3 130.89.148.14 port 80:0
1847 3:wget:fopen64 index.html:0x5c8e8d1a60
1848 parent is shutting down, bye...
1850 --tracelog
1852 This option enables auditing blacklisted files and directories.
1853 A message is sent to syslog in case the file or the directory is
1854 accessed.
1855 Example:
1857 $ firejail --tracelog firefox
1858 Sample messages:
1860 $ sudo tail -f /var/log/syslog
1861 [...]
1862 Dec 3 11:43:25 debian firejail[70]: blacklist violation - sand‐
1863 box 26370, exe firefox, syscall open64, path /etc/shadow
1864 Dec 3 11:46:17 debian firejail[70]: blacklist violation - sand‐
1865 box 26370, exe firefox, syscall opendir, path /boot
1866 [...]
1867 --tree Print a tree of all sandboxed processes, see MONITORING section
1869 for more details.
1870 Example:
1872 $ firejail --tree
1873 11903:netblue:firejail iceweasel
1874 11904:netblue:iceweasel
1875 11957:netblue:/usr/lib/iceweasel/plugin-container
1876 11969:netblue:firejail --net=eth0 transmission-gtk
1877 11970:netblue:transmission-gtk
1878 --tunnel[=devname]
1881 Connect the sandbox to a network overlay/VPN tunnel created by
1882 firetunnel utility. This options tries first the client side of
1883 the tunnel. If this fails, it tries the server side. If multiple
1884 tunnels are active, please specify the tunnel device using
1885 --tunnel=devname.
1886 The available tunnel devices are listed in /etc/firetunnel di‐
1888 rectory, one file for each device. The files are regular fire‐
1889 jail profile files containing the network configuration, and are
1890 created and managed by firetunnel utility. By default ftc is
1891 the client-side device and fts is the server-side device. For
1892 more information please see man 1 firetunnel.
1893 Example:
1895 $ firejail --tunnel firefox
1896 --version
1898 Print program version/compile time support and exit.
1899 Example:
1901 $ firejail --version
1902 firejail version 0.9.27
1903 Compile time support:
1905 - AppArmor support is enabled
1906 - AppImage support is enabled
1907 - chroot support is enabled
1908 - file and directory whitelisting support is enabled
1909 - file transfer support is enabled
1910 - firetunnel support is enabled
1911 - networking support is enabled
1912 - overlayfs support is enabled
1913 - private-home support is enabled
1914 - seccomp-bpf support is enabled
1915 - user namespace support is enabled
1916 - X11 sandboxing support is enabled
1917 --veth-name=name
1919 Use this name for the interface connected to the bridge for
1920 --net=bridge_interface commands, instead of the default one.
1921 Example:
1923 $ firejail --net=br0 --veth-name=if0
1924 --whitelist=dirname_or_filename
1926 Whitelist directory or file. A temporary file system is mounted
1927 on the top directory, and the whitelisted files are mount-binded
1928 inside. Modifications to whitelisted files are persistent, ev‐
1929 erything else is discarded when the sandbox is closed. The top
1930 directory can be all directories in / (except /proc and /sys),
1931 /sys/module, /run/user/$UID, $HOME and all directories in /usr.
1932 Symbolic link handling: with the exception of user home, both
1934 the link and the real file should be in the same top directory.
1935 For user home, both the link and the real file should be owned
1936 by the user.
1937 File globbing is supported, see FILE GLOBBING section for more
1939 details.
1940 Example:
1942 $ firejail --noprofile --whitelist=~/.mozilla
1943 $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
1944 $ firejail "--whitelist=/home/username/My Virtual Machines"
1945 $ firejail --whitelist=~/work* --whitelist=/var/backups*
1946 --writable-etc
1949 Mount /etc directory read-write.
1950 Example:
1952 $ sudo firejail --writable-etc
1953 --writable-run-user
1956 Disable the default blacklisting of /run/user/$UID/systemd and
1957 /run/user/$UID/gnupg.
1958 Example:
1960 $ sudo firejail --writable-run-user
1961 --writable-var
1964 Mount /var directory read-write.
1965 Example:
1967 $ sudo firejail --writable-var
1968 --writable-var-log
1971 Use the real /var/log directory, not a clone. By default, a
1972 tmpfs is mounted on top of /var/log directory, and a skeleton
1973 filesystem is created based on the original /var/log.
1974 Example:
1976 $ sudo firejail --writable-var-log
1977 --x11 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg secu‐
1980 rity extension. The sandbox will prevent screenshot and keylog‐
1981 ger applications started inside the sandbox from accessing
1982 clients running outside the sandbox. Firejail will try Xpra
1983 first, and if Xpra is not installed on the system, it will try
1984 to find Xephyr. If all fails, Firejail will not attempt to use
1985 Xvfb or X11 security extension.
1986 Xpra, Xephyr and Xvfb modes require a network namespace to be
1988 instantiated in order to disable X11 abstract Unix socket. If
1989 this is not possible, the user can disable the abstract socket
1990 by adding "-nolisten local" on Xorg command line at system
1991 level.
1992 Example:
1994 $ firejail --x11 --net=eth0 firefox
1995 --x11=none
1998 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the
1999 file specified in ${XAUTHORITY} environment variable. Remove
2000 DISPLAY and XAUTHORITY environment variables. Stop with error
2001 message if X11 abstract socket will be accessible in jail.
2002 --x11=xephyr
2005 Start Xephyr and attach the sandbox to this server. Xephyr is a
2006 display server implementing the X11 display server protocol. A
2007 network namespace needs to be instantiated in order to deny ac‐
2008 cess to X11 abstract Unix domain socket.
2009 Xephyr runs in a window just like any other X11 application. The
2011 default window size is 800x600. This can be modified in
2012 /etc/firejail/firejail.config file.
2013 The recommended way to use this feature is to run a window man‐
2015 ager inside the sandbox. A security profile for OpenBox is pro‐
2016 vided.
2017 Xephyr is developed by Xorg project. On Debian platforms it is
2019 installed with the command sudo apt-get install xserver-xephyr.
2020 This feature is not available when running as root.
2021 Example:
2023 $ firejail --x11=xephyr --net=eth0 openbox
2024 --x11=xorg
2027 Sandbox the application using the untrusted mode implemented by
2028 X11 security extension. The extension is available in Xorg
2029 package and it is installed by default on most Linux distribu‐
2030 tions. It provides support for a simple trusted/untrusted con‐
2031 nection model. Untrusted clients are restricted in certain ways
2032 to prevent them from reading window contents of other clients,
2033 stealing input events, etc.
2034 The untrusted mode has several limitations. A lot of regular
2036 programs assume they are a trusted X11 clients and will crash
2037 or lock up when run in untrusted mode. Chromium browser and
2038 xterm are two examples. Firefox and transmission-gtk seem to be
2039 working fine. A network namespace is not required for this op‐
2040 tion.
2041 Example:
2043 $ firejail --x11=xorg firefox
2044 --x11=xpra
2047 Start Xpra (https://xpra.org) and attach the sandbox to this
2048 server. Xpra is a persistent remote display server and client
2049 for forwarding X11 applications and desktop screens. A network
2050 namespace needs to be instantiated in order to deny access to
2051 X11 abstract Unix domain socket.
2052 On Debian platforms Xpra is installed with the command sudo apt-
2054 get install xpra. This feature is not available when running as
2055 root.
2056 Example:
2058 $ firejail --x11=xpra --net=eth0 firefox
2059 --x11=xvfb
2063 Start Xvfb X11 server and attach the sandbox to this server.
2064 Xvfb, short for X virtual framebuffer, performs all graphical
2065 operations in memory without showing any screen output. Xvfb is
2066 mainly used for remote access and software testing on headless
2067 servers.
2068 On Debian platforms Xvfb is installed with the command sudo apt-
2070 get install xvfb. This feature is not available when running as
2071 root.
2072 Example: remote VNC access
2074 On the server we start a sandbox using Xvfb and openbox window
2076 manager. The default size of Xvfb screen is 800x600 - it can be
2077 changed in /etc/firejail/firejail.config (xvfb-screen). Some
2078 sort of networking (--net) is required in order to isolate the
2079 abstract sockets used by other X servers.
2080 $ firejail --net=none --x11=xvfb openbox
2082 *** Attaching to Xvfb display 792 ***
2084 Reading profile /etc/firejail/openbox.profile
2086 Reading profile /etc/firejail/disable-common.inc
2087 Reading profile /etc/firejail/disable-common.local
2088 Parent pid 5400, child pid 5401
2089 On the server we also start a VNC server and attach it to the
2091 display handled by our Xvfb server (792).
2092 $ x11vnc -display :792
2094 On the client machine we start a VNC viewer and use it to con‐
2096 nect to our server:
2097 $ vncviewer
2099 --xephyr-screen=WIDTHxHEIGHT
2102 Set screen size for --x11=xephyr. The setting will overwrite the
2103 default set in /etc/firejail/firejail.config for the current
2104 sandbox. Run xrandr to get a list of supported resolutions on
2105 your computer.
2106 Example:
2108 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
2109 fox
2110
2113 A symbolic link to /usr/bin/firejail under the name of a program, will
2114 start the program in Firejail sandbox. The symbolic link should be
2115 placed in the first $PATH position. On most systems, a good place is
2116 /usr/local/bin directory. Example:
2117 Make a firefox symlink to /usr/bin/firejail:
2119 $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
2121 Verify $PATH
2123 $ which -a firefox
2125 /usr/local/bin/firefox
2126 /usr/bin/firefox
2127 Starting firefox in this moment, automatically invokes “firejail
2129 firefox”.
2130 This works for clicking on desktop environment icons, menus etc. Use
2132 "firejail --tree" to verify the program is sandboxed.
2133 $ firejail --tree
2135 1189:netblue:firejail firefox
2136 1190:netblue:firejail firefox
2137 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
2138 1221:netblue:/usr/lib/firefox/firefox
2139 We provide a tool that automates all this integration, please see
2141 firecfg(1) for more details.
2142
2145 firejail
2146 Sandbox a regular shell session.
2147 firejail firefox
2149 Start Mozilla Firefox.
2150 firejail --debug firefox
2152 Debug Firefox sandbox.
2153 firejail --private firefox
2155 Start Firefox with a new, empty home directory.
2156 firejail --net=none vlc
2158 Start VLC in an unconnected network namespace.
2159 firejail --net=eth0 firefox
2161 Start Firefox in a new network namespace. An IP address is as‐
2162 signed automatically.
2163 firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2165 Start a shell session in a new network namespace and connect it
2166 to br0, br1, and br2 host bridge devices. IP addresses are as‐
2167 signed automatically for the interfaces connected to br1 and b2
2168 firejail --list
2170 List all sandboxed processes.
2171
2174 Globbing is the operation that expands a wildcard pattern into the
2175 list of pathnames matching the pattern. This pattern is matched
2176 at firejail start, and is NOT UPDATED at runtime. Files match‐
2177 ing a blacklist, but created after firejail start will be acces‐
2178 sible within the jail. Matching is defined by:
2179 - '?' matches any character
2181 - '*' matches any string
2182 - '[' denotes a range of characters
2183 The globbing feature is implemented using glibc glob command. For
2185 more information on the wildcard syntax see man 7 glob.
2186 The following command line options are supported: --blacklist,
2189 --private-bin, --noexec, --read-only, --read-write, --tmpfs, and
2190 --whitelist.
2191 Examples:
2194 $ firejail --private-bin=sh,bash,python*
2196 $ firejail --blacklist=~/dir[1234]
2197 $ firejail --read-only=~/dir[1-4]
2198
2201 These features allow the user to inspect the filesystem container of an
2202 existing sandbox and transfer files between the container and the host
2203 filesystem.
2204 --cat=name|pid filename
2207 Write content of a container file to standard out. The container
2208 is specified by name or PID. If standard out is a terminal, all
2209 ASCII control characters except new line and horizontal tab are
2210 replaced.
2211 --get=name|pid filename
2214 Retrieve the container file and store it on the host in the cur‐
2215 rent working directory. The container is specified by name or
2216 PID.
2217 --ls=name|pid dir_or_filename
2220 List container files. The container is specified by name or PID.
2221 --put=name|pid src-filename dest-filename
2224 Put src-filename in sandbox container. The container is speci‐
2225 fied by name or PID.
2226 Examples:
2229 $ firejail --name=mybrowser --private firefox
2231 $ firejail --ls=mybrowser ~/Downloads
2233 drwxr-xr-x netblue netblue 4096 .
2234 drwxr-xr-x netblue netblue 4096 ..
2235 -rw-r--r-- netblue netblue 7847 x11-x305.png
2236 -rw-r--r-- netblue netblue 6800 x11-x642.png
2237 -rw-r--r-- netblue netblue 34139 xpra-clipboard.png
2238 $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
2240 $ firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-
2242 clipboard.png
2243 $ firejail --cat=mybrowser ~/.bashrc
2245
2247 Option --list prints a list of all sandboxes. The format for each
2248 process entry is as follows:
2249 PID:USER:Sandbox Name:Command
2251 Option --tree prints the tree of processes running in the sandbox. The
2253 format for each process entry is as follows:
2254 PID:USER:Sandbox Name:Command
2256 Option --top is similar to the UNIX top command, however it applies
2258 only to sandboxes.
2259 Option --netstats prints network statistics for active sandboxes in‐
2261 stalling new network namespaces.
2262 Listed below are the available fields (columns) in alphabetical order
2264 for --top and --netstats options:
2265 Command
2268 Command used to start the sandbox.
2269 CPU% CPU usage, the sandbox share of the elapsed CPU time since the
2271 last screen update
2272 PID Unique process ID for the task controlling the sandbox.
2274 Prcs Number of processes running in sandbox, including the control‐
2276 ling process.
2277 RES Resident Memory Size (KiB), sandbox non-swapped physical memory.
2279 It is a sum of the RES values for all processes running in the
2280 sandbox.
2281 RX(KB/s)
2283 Network receive speed.
2284 Sandbox Name
2286 The name of the sandbox, if any.
2287 SHR Shared Memory Size (KiB), it reflects memory shared with other
2289 processes. It is a sum of the SHR values for all processes run‐
2290 ning in the sandbox, including the controlling process.
2291 TX(KB/s)
2293 Network transmit speed.
2294 Uptime Sandbox running time in hours:minutes:seconds format.
2296 USER The owner of the sandbox.
2298
2301 To configure a restricted shell, replace /bin/bash with /usr/bin/fire‐
2302 jail in /etc/passwd file for each user that needs to be restricted. Al‐
2303 ternatively, you can specify /usr/bin/firejail in adduser command:
2304 adduser --shell /usr/bin/firejail username
2306 Additional arguments passed to firejail executable upon login are de‐
2308 clared in /etc/firejail/login.users file.
2309
2312 Several command line options can be passed to the program using profile
2313 files. Firejail chooses the profile file as follows:
2314 1. If a profile file is provided by the user with --profile=FILE op‐
2316 tion, the profile FILE is loaded. If a profile name is given, it is
2317 searched for first in the ~/.config/firejail directory and if not found
2318 then in /etc/firejail directory. Profile names do not include the
2319 .profile suffix. If there is a file with the same name as the given
2320 profile name, it will be used instead of doing the profile search. To
2321 force a profile search, prefix the profile name with a colon (:), eg.
2322 --profile=:PROFILE_NAME. Example:
2323 $ firejail --profile=/home/netblue/icecat.profile icecat
2325 Reading profile /home/netblue/icecat.profile
2326 [...]
2327 $ firejail --profile=icecat icecat-wrapper.sh
2330 Reading profile /etc/firejail/icecat.profile
2331 [...]
2332 2. If a profile file with the same name as the application is present
2334 in ~/.config/firejail directory or in /etc/firejail, the profile is
2335 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
2336 ple:
2337 $ firejail icecat
2339 Command name #icecat#
2340 Found icecat profile in /home/netblue/.config/firejail directory
2341 Reading profile /home/netblue/.config/firejail/icecat.profile
2342 [...]
2343 3. Use default.profile file if the sandbox is started by a regular
2345 user, or server.profile file if the sandbox is started by root. Fire‐
2346 jail looks for these files in ~/.config/firejail directory, followed by
2347 /etc/firejail directory. To disable default profile loading, use --no‐
2348 profile command option. Example:
2349 $ firejail
2351 Reading profile /etc/firejail/default.profile
2352 Parent pid 8553, child pid 8554
2353 Child process initialized
2354 [...]
2355 $ firejail --noprofile
2357 Parent pid 8553, child pid 8554
2358 Child process initialized
2359 [...]
2360 See man 5 firejail-profile for profile file syntax information.
2362
2364 Network bandwidth is an expensive resource shared among all sandboxes
2365 running on a system. Traffic shaping allows the user to increase net‐
2366 work performance by controlling the amount of data that flows into and
2367 out of the sandboxes.
2368 Firejail implements a simple rate-limiting shaper based on Linux com‐
2370 mand tc. The shaper works at sandbox level, and can be used only for
2371 sandboxes configured with new network namespaces.
2372 Set rate-limits:
2374 $ firejail --bandwidth=name|pid set network download upload
2376 Clear rate-limits:
2378 $ firejail --bandwidth=name|pid clear network
2380 Status:
2382 $ firejail --bandwidth=name|pid status
2384 where:
2386 name - sandbox name
2387 pid - sandbox pid
2388 network - network interface as used by --net option
2389 download - download speed in KB/s (kilobyte per second)
2390 upload - upload speed in KB/s (kilobyte per second)
2391 Example:
2393 $ firejail --name=mybrowser --net=eth0 firefox &
2394 $ firejail --bandwidth=mybrowser set eth0 80 20
2395 $ firejail --bandwidth=mybrowser status
2396 $ firejail --bandwidth=mybrowser clear eth0
2397
2399 This program is free software; you can redistribute it and/or modify it
2400 under the terms of the GNU General Public License as published by the
2401 Free Software Foundation; either version 2 of the License, or (at your
2402 option) any later version.
2403 Homepage: https://firejail.wordpress.com
2405
2407 firemon(1), firecfg(1), firejail-profile(5), firejail-login(5), fire‐
2408 jail-users(5), jailcheck(1)
2409 ⟨https://github.com/netblue30/firejail/wiki⟩,
2411 ⟨https://github.com/netblue30/firejail⟩
24120.9.66 Jul 2021 FIREJAIL(1)