1FIREJAIL(1) firejail man page FIREJAIL(1)
2
3
4
6 Firejail - Linux namespaces sandbox program
7
9 Start a sandbox:
10
11 firejail [OPTIONS] [program and arguments]
12
13 Start an AppImage program:
14
15 firejail [OPTIONS] --appimage [appimage-file and arguments]
16
17 File transfer from an existing sandbox
18
19 firejail {--ls | --get | --put | --cat} dir_or_filename
20
21 Network traffic shaping for an existing sandbox:
22
23 firejail --bandwidth={name|pid} bandwidth-command
24
25 Monitoring:
26
27 firejail {--list | --netstats | --top | --tree}
28
29 Miscellaneous:
30
31 firejail {-? | --debug-caps | --debug-errnos | --debug-syscalls
32 | --debug-syscalls32 | --debug-protocols | --help | --version}
33
35 Firejail is a SUID sandbox program that reduces the risk of security
36 breaches by restricting the running environment of untrusted applica‐
37 tions using Linux namespaces, seccomp-bpf and Linux capabilities. It
38 allows a process and all its descendants to have their own private view
39 of the globally shared kernel resources, such as the network stack,
40 process table, mount table. Firejail can work in a SELinux or AppArmor
41 environment, and it is integrated with Linux Control Groups.
42
43 Written in C with virtually no dependencies, the software runs on any
44 Linux computer with a 3.x kernel version or newer. It can sandbox any
45 type of processes: servers, graphical applications, and even user login
46 sessions.
47
48 Firejail allows the user to manage application security using security
49 profiles. Each profile defines a set of permissions for a specific ap‐
50 plication or group of applications. The software includes security pro‐
51 files for a number of more common Linux programs, such as Mozilla Fire‐
52 fox, Chromium, VLC, Transmission etc.
53
54 Alternative sandbox technologies like snap (https://snapcraft.io/) and
55 flatpak (https://flatpak.org/) are not supported. Snap and flatpak
56 packages have their own native management tools and will not work when
57 sandboxed with Firejail.
58
59
61 Without any options, the sandbox consists of a filesystem build in a
62 new mount namespace, and new PID and UTS namespaces. IPC, network and
63 user namespaces can be added using the command line options. The de‐
64 fault Firejail filesystem is based on the host filesystem with the main
65 system directories mounted read-only. These directories are /etc, /var,
66 /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home and
67 /tmp are writable.
68
69 Upon execution Firejail first looks in ~/.config/firejail/ for a pro‐
70 file and if it doesn't find one, it looks in /etc/firejail/. For pro‐
71 file resolution detail see https://github.com/netblue30/fire‐
72 jail/wiki/Creating-Profiles#locations-and-types. If an appropriate
73 profile is not found, Firejail will use a default profile. The default
74 profile is quite restrictive. In case the application doesn't work, use
75 --noprofile option to disable it. For more information, please see SE‐
76 CURITY PROFILES section below.
77
78 If a program argument is not specified, Firejail starts the user's pre‐
79 ferred shell. Examples:
80
81 $ firejail [OPTIONS] # starting the program specified in
82 $SHELL, usually /bin/bash
83
84 $ firejail [OPTIONS] firefox # starting Mozilla Firefox
85
86 # sudo firejail [OPTIONS] /etc/init.d/nginx start
87
88
90 -- Signal the end of options and disables further option process‐
91 ing.
92
93 --allow-debuggers
94 Allow tools such as strace and gdb inside the sandbox by
95 whitelisting system calls ptrace and process_vm_readv. This op‐
96 tion is only available when running on Linux kernels 4.8 or
97 newer - a kernel bug in ptrace system call allows a full bypass
98 of the seccomp filter.
99
100 Example:
101 $ firejail --allow-debuggers --profile=/etc/firejail/fire‐
102 fox.profile strace -f firefox
103
104 --allusers
105 All directories under /home are visible inside the sandbox. By
106 default, only current user home directory is visible.
107
108 Example:
109 $ firejail --allusers
110
111 --appimage
112 Sandbox an AppImage (https://appimage.org/) application. If the
113 sandbox is started as a regular user, nonewprivs and a default
114 capabilities filter are enabled. private-bin and private-lib
115 are disabled by default when running appimages.
116
117 Example:
118 $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
119 $ firejail --appimage --private --profile=krita
120 krita-3.0-x86_64.appimage
121 $ firejail --appimage --net=none --x11 --profile=krita
122 krita-3.0-x86_64.appimage
123
124 --bandwidth=name|pid
125 Set bandwidth limits for the sandbox identified by name or PID,
126 see TRAFFIC SHAPING section for more details.
127
128 --bind=filename1,filename2
129 Mount-bind filename1 on top of filename2. This option is only
130 available when running as root.
131
132 Example:
133 # firejail --bind=/config/etc/passwd,/etc/passwd
134
135 --blacklist=dirname_or_filename
136 Blacklist directory or file. File globbing is supported, see
137 FILE GLOBBING section for more details.
138
139 Example:
140 $ firejail --blacklist=/sbin --blacklist=/usr/sbin
141 $ firejail --blacklist=~/.mozilla
142 $ firejail "--blacklist=/home/username/My Virtual Machines"
143 $ firejail --blacklist=/home/username/My\ Virtual\ Machines
144
145 --build
146 The command builds a whitelisted profile. The profile is printed
147 on the screen. If /usr/bin/strace is installed on the system, it
148 also builds a whitelisted seccomp profile. The program is run in
149 a very relaxed sandbox, with only --caps.drop=all and --nonew‐
150 privs. Programs that raise user privileges are not supported in
151 order to allow strace to run. Chromium and Chromium-based
152 browsers will not work.
153
154 Example:
155 $ firejail --build vlc ~/Videos/test.mp4
156
157 --build=profile-file
158 The command builds a whitelisted profile, and saves it in pro‐
159 file-file. If /usr/bin/strace is installed on the system, it
160 also builds a whitelisted seccomp profile. The program is run in
161 a very relaxed sandbox, with only --caps.drop=all and --nonew‐
162 privs. Programs that raise user privileges are not supported in
163 order to allow strace to run. Chromium and Chromium-based
164 browsers will not work.
165
166 Example:
167 $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
168
169 -c Login shell compatibility option. This option is use by some lo‐
170 gin programs when executing the login shell, such as when fire‐
171 jail is used as a restricted login shell. It currently does not
172 change the execution of firejail.
173
174 --caps Linux capabilities is a kernel feature designed to split up the
175 root privilege into a set of distinct privileges. These privi‐
176 leges can be enabled or disabled independently, thus restricting
177 what a process running as root can do in the system.
178
179 By default root programs run with all capabilities enabled.
180 --caps option disables the following capabilities: CAP_SYS_MOD‐
181 ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
182 FIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. The filter is ap‐
183 plied to all processes started in the sandbox.
184
185 Example:
186 $ sudo firejail --caps /etc/init.d/nginx start
187
188
189 --caps.drop=all
190 Drop all capabilities for the processes running in the sandbox.
191 This option is recommended for running GUI programs or any other
192 program that doesn't require root privileges. It is a must-have
193 option for sandboxing untrusted programs installed from unoffi‐
194 cial sources - such as games, Java programs, etc.
195
196 Example:
197 $ firejail --caps.drop=all warzone2100
198
199
200 --caps.drop=capability,capability,capability
201 Define a custom blacklist Linux capabilities filter.
202
203 Example:
204 $ firejail --caps.drop=net_broadcast,net_admin,net_raw
205
206
207 --caps.keep=capability,capability,capability
208 Define a custom whitelist Linux capabilities filter.
209
210 Example:
211 $ sudo firejail --caps.keep=chown,net_bind_service,setgid,\ se‐
212 tuid /etc/init.d/nginx start
213
214
215 --caps.print=name|pid
216 Print the caps filter for the sandbox identified by name or by
217 PID.
218
219 Example:
220 $ firejail --name=mygame --caps.drop=all warzone2100 &
221 $ firejail --caps.print=mygame
222
223 Example:
224 $ firejail --list
225 3272:netblue::firejail --private firefox
226 $ firejail --caps.print=3272
227
228
229 --cat=name|pid filename
230 Print content of file from sandbox container, see FILE TRANSFER
231 section for more details.
232
233 --cgroup=tasks-file
234 Place the sandbox in the specified control group. tasks-file is
235 the full path of cgroup tasks file.
236
237 Example:
238 # firejail --cgroup=/sys/fs/cgroup/g1/tasks
239
240 --chroot=dirname
241 Chroot the sandbox into a root filesystem. Unlike the regular
242 filesystem container, the system directories are mounted read-
243 write. If the sandbox is started as a regular user, nonewprivs
244 and a default capabilities filter are enabled.
245
246 Example:
247 $ firejail --chroot=/media/ubuntu warzone2100
248
249 --cpu=cpu-number,cpu-number,cpu-number
250 Set CPU affinity.
251
252 Example:
253 $ firejail --cpu=0,1 handbrake
254
255
256 --cpu.print=name|pid
257 Print the CPU cores in use by the sandbox identified by name or
258 by PID.
259
260 Example:
261 $ firejail --name=mygame --caps.drop=all warzone2100 &
262 $ firejail --cpu.print=mygame
263
264 Example:
265 $ firejail --list
266 3272:netblue::firejail --private firefox
267 $ firejail --cpu.print=3272
268
269 --dbus-log=file
270 Specify the location for the DBus log file.
271
272 The log file contains events for both the system and session
273 buses if both of the --dbus-system.log and --dbus-user.log op‐
274 tions are specified. If no log file path is given, logs are
275 written to the standard output instead.
276
277 Example:
278 $ firejail --dbus-system=filter --dbus-system.log \
279 --dbus-log=dbus.txt
280
281
282 --dbus-system=filter|none
283 Set system DBus sandboxing policy.
284
285 The filter policy enables the system DBus filter. This option
286 requires installing the xdg-dbus-proxy utility. Permissions for
287 well-known can be specified with the --dbus-system.talk and
288 --dbus-system.own options.
289
290 The none policy disables access to the system DBus.
291
292 Only the regular system DBus UNIX socket is handled by this op‐
293 tion. To disable the abstract sockets (and force applications to
294 use the filtered UNIX socket) you would need to request a new
295 network namespace using --net command. Another option is to re‐
296 move unix from the --protocol set.
297
298 Example:
299 $ firejail --dbus-system=none
300
301
302 --dbus-system.broadcast=name=[member][@path]
303 Allows the application to receive broadcast signals from
304 theindicated interface member at the indicated object path ex‐
305 posed by the indicated bus name on the system DBus. The name
306 may have a .* suffix to match all names underneath it, including
307 itself. The interface member may have a .* to match all members
308 of an interface, or be * to match all interfaces. The path may
309 have a /* suffix to indicate all objects underneath it, includ‐
310 ing itself. Omitting the interface member or the object path
311 will match all members and object paths, respectively.
312
313 Example:
314 $ firejail --dbus-system=filter --dbus-system.broadcast=\
315 org.freedesktop.Notifications=\
316 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
317
318
319 --dbus-system.call=name=[member][@path]
320 Allows the application to call the indicated interface member at
321 the indicated object path exposed by the indicated bus name on
322 the system DBus. The name may have a .* suffix to match all
323 names underneath it, including itself. The interface member may
324 have a .* to match all members of an interface, or be * to match
325 all interfaces. The path may have a /* suffix to indicate all
326 objects underneath it, including itself. Omitting the interface
327 member or the object path will match all members and object
328 paths, respectively.
329
330 Example:
331 $ firejail --dbus-system=filter --dbus-system.call=\
332 org.freedesktop.Notifications=\
333 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
334
335
336 --dbus-system.log
337 Turn on DBus logging for the system DBus. This option requires
338 --dbus-system=filter.
339
340 Example:
341 $ firejail --dbus-system=filter --dbus-system.log
342
343
344 --dbus-system.own=name
345 Allows the application to own the specified well-known name on
346 the system DBus. The name may have a .* suffix to match all
347 names underneath it, including itself (e.g. "foo.bar.*" matches
348 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
349 bar").
350
351 Example:
352 $ firejail --dbus-system=filter --dbus-system.own=\
353 org.gnome.ghex.*
354
355
356 --dbus-system.see=name
357 Allows the application to see, but not talk to the specified
358 well-known name on the system DBus. The name may have a .* suf‐
359 fix to match all names underneath it, including itself (e.g.
360 "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
361 "foo.bar.baz.quux", but not "foobar").
362
363 Example:
364 $ firejail --dbus-system=filter --dbus-system.see=\
365 org.freedesktop.Notifications
366
367
368 --dbus-system.talk=name
369 Allows the application to talk to the specified well-known name
370 on the system DBus. The name may have a .* suffix to match all
371 names underneath it, including itself (e.g. "foo.bar.*" matches
372 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
373 bar").
374
375 Example:
376 $ firejail --dbus-system=filter --dbus-system.talk=\
377 org.freedesktop.Notifications
378
379
380 --dbus-user=filter|none
381 Set session DBus sandboxing policy.
382
383 The filter policy enables the session DBus filter. This option
384 requires installing the xdg-dbus-proxy utility. Permissions for
385 well-known names can be added with the --dbus-user.talk and
386 --dbus-user.own options.
387
388 The none policy disables access to the session DBus.
389
390 Only the regular session DBus UNIX socket is handled by this op‐
391 tion. To disable the abstract sockets (and force applications to
392 use the filtered UNIX socket) you would need to request a new
393 network namespace using --net command. Another option is to re‐
394 move unix from the --protocol set.
395
396 Example:
397 $ firejail --dbus-user=none
398
399
400 --dbus-user.broadcast=name=[member][@path]
401 Allows the application to receive broadcast signals from
402 theindicated interface member at the indicated object path ex‐
403 posed by the indicated bus name on the session DBus. The name
404 may have a .* suffix to match all names underneath it, including
405 itself. The interface member may have a .* to match all members
406 of an interface, or be * to match all interfaces. The path may
407 have a /* suffix to indicate all objects underneath it, includ‐
408 ing itself. Omitting the interface member or the object path
409 will match all members and object paths, respectively.
410
411 Example:
412 $ firejail --dbus-user=filter --dbus-user.broadcast=\
413 org.freedesktop.Notifications=\
414 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
415
416
417 --dbus-user.call=name=[member][@path]
418 Allows the application to call the indicated interface member at
419 the indicated object path exposed by the indicated bus name on
420 the session DBus. The name may have a .* suffix to match all
421 names underneath it, including itself. The interface member may
422 have a .* to match all members of an interface, or be * to match
423 all interfaces. The path may have a /* suffix to indicate all
424 objects underneath it, including itself. Omitting the interface
425 member or the object path will match all members and object
426 paths, respectively.
427
428 Example:
429 $ firejail --dbus-user=filter --dbus-user.call=\
430 org.freedesktop.Notifications=\
431 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
432
433
434 --dbus-user.log
435 Turn on DBus logging for the session DBus. This option requires
436 --dbus-user=filter.
437
438 Example:
439 $ firejail --dbus-user=filter --dbus-user.log
440
441
442 --dbus-user.own=name
443 Allows the application to own the specified well-known name on
444 the session DBus. The name may have a .* suffix to match all
445 names underneath it, including itself (e.g. "foo.bar.*" matches
446 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
447 bar").
448
449 Example:
450 $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
451
452
453 --dbus-user.talk=name
454 Allows the application to talk to the specified well-known name
455 on the session DBus. The name may have a .* suffix to match all
456 names underneath it, including itself (e.g. "foo.bar.*" matches
457 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
458 bar").
459
460 Example:
461 $ firejail --dbus-user=filter --dbus-user.talk=\
462 org.freedesktop.Notifications
463
464
465 --dbus-user.see=name
466 Allows the application to see, but not talk to the specified
467 well-known name on the session DBus. The name may have a .*
468 suffix to match all names underneath it, including itself (e.g.
469 "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
470 "foo.bar.baz.quux", but not "foobar").
471
472 Example:
473 $ firejail --dbus-user=filter --dbus-user.see=\
474 org.freedesktop.Notifications
475
476 --debug
477 Print debug messages.
478
479 Example:
480 $ firejail --debug firefox
481
482
483 --debug-blacklists
484 Debug blacklisting.
485
486 Example:
487 $ firejail --debug-blacklists firefox
488
489
490 --debug-caps
491 Print all recognized capabilities in the current Firejail soft‐
492 ware build and exit.
493
494 Example:
495 $ firejail --debug-caps
496
497
498 --debug-errnos
499 Print all recognized error numbers in the current Firejail soft‐
500 ware build and exit.
501
502 Example:
503 $ firejail --debug-errnos
504
505 --debug-private-lib
506 Debug messages for --private-lib option.
507
508 --debug-protocols
509 Print all recognized protocols in the current Firejail software
510 build and exit.
511
512 Example:
513 $ firejail --debug-protocols
514
515 --debug-syscalls
516 Print all recognized system calls in the current Firejail soft‐
517 ware build and exit.
518
519 Example:
520 $ firejail --debug-syscalls
521
522 --debug-syscalls32
523 Print all recognized 32 bit system calls in the current Firejail
524 software build and exit.
525
526 --debug-whitelists
527 Debug whitelisting.
528
529 Example:
530 $ firejail --debug-whitelists firefox
531
532 --defaultgw=address
533 Use this address as default gateway in the new network name‐
534 space.
535
536 Example:
537 $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
538
539 --deterministic-exit-code
540 Always exit firejail with the first child's exit status. The de‐
541 fault behavior is to use the exit status of the final child to
542 exit, which can be nondeterministic.
543
544 --disable-mnt
545 Blacklist /mnt, /media, /run/mount and /run/media access.
546
547 Example:
548 $ firejail --disable-mnt firefox
549
550
551 --dns=address
552 Set a DNS server for the sandbox. Up to three DNS servers can be
553 defined. Use this option if you don't trust the DNS setup on
554 your network.
555
556 Example:
557 $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
558
559 Note: this feature is not supported on systemd-resolved setups.
560
561 --dns.print=name|pid
562 Print DNS configuration for a sandbox identified by name or by
563 PID.
564
565 Example:
566 $ firejail --name=mygame --caps.drop=all warzone2100 &
567 $ firejail --dns.print=mygame
568
569 Example:
570 $ firejail --list
571 3272:netblue::firejail --private firefox
572 $ firejail --dns.print=3272
573
574
575 --env=name=value
576 Set environment variable in the new sandbox.
577
578 Example:
579 $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
580
581
582 --fs.print=name|pid
583 Print the filesystem log for the sandbox identified by name or
584 by PID.
585
586 Example:
587 $ firejail --name=mygame --caps.drop=all warzone2100 &
588 $ firejail --fs.print=mygame
589
590 Example:
591 $ firejail --list
592 3272:netblue::firejail --private firefox
593 $ firejail --fs.print=3272
594
595
596 --get=name|pid filename
597 Get a file from sandbox container, see FILE TRANSFER section for
598 more details.
599
600 -?, --help
601 Print options end exit.
602
603
604
605 --hostname=name
606 Set sandbox hostname.
607
608 Example:
609 $ firejail --hostname=officepc firefox
610
611
612 --hosts-file=file
613 Use file as /etc/hosts.
614
615 Example:
616 $ firejail --hosts-file=~/myhosts firefox
617
618
619 --ignore=command
620 Ignore command in profile file.
621
622 Example:
623 $ firejail --ignore=shell --ignore=seccomp firefox
624 $ firejail --ignore="net eth0" firefox
625
626
627 --include=file.profile
628 Include a profile file before the regular profiles are used.
629
630 Example:
631 $ firejail --include=/etc/firejail/disable-devel.inc gedit
632
633
634 --interface=interface
635 Move interface in a new network namespace. Up to four --inter‐
636 face options can be specified. Note: wlan devices are not sup‐
637 ported for this option.
638
639 Example:
640 $ firejail --interface=eth1 --interface=eth0.vlan100
641
642
643 --ip=address
644 Assign IP addresses to the last network interface defined by a
645 --net option. A default gateway is assigned by default.
646
647 Example:
648 $ firejail --net=eth0 --ip=10.10.20.56 firefox
649
650
651 --ip=none
652 No IP address and no default gateway are configured for the last
653 interface defined by a --net option. Use this option in case you
654 intend to start an external DHCP client in the sandbox.
655
656 Example:
657 $ firejail --net=eth0 --ip=none
658
659 If the corresponding interface doesn't have an IP address con‐
660 figured, this option is enabled by default.
661
662
663 --ip=dhcp
664 Acquire an IP address and default gateway for the last interface
665 defined by a --net option, as well as set the DNS servers ac‐
666 cording to the DHCP response. This option requires the ISC
667 dhclient DHCP client to be installed and will start it automati‐
668 cally inside the sandbox.
669
670 Example:
671 $ firejail --net=br0 --ip=dhcp
672
673 This option should not be used in conjunction with the --dns op‐
674 tion if the DHCP server is set to configure DNS servers for the
675 clients, because the manually specified DNS servers will be
676 overwritten.
677
678 The DHCP client will NOT release the DHCP lease when the sandbox
679 terminates. If your DHCP server requires leases to be explic‐
680 itly released, consider running a DHCP client and releasing the
681 lease manually in conjunction with the --net=none option.
682
683
684 --ip6=address
685 Assign IPv6 addresses to the last network interface defined by a
686 --net option.
687
688 Example:
689 $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
690
691 Note: you don't need this option if you obtain your ip6 address
692 from router via SLAAC (your ip6 address and default route will
693 be configured by kernel automatically).
694
695
696 --ip6=dhcp
697 Acquire an IPv6 address and default gateway for the last inter‐
698 face defined by a --net option, as well as set the DNS servers
699 according to the DHCP response. This option requires the ISC
700 dhclient DHCP client to be installed and will start it automati‐
701 cally inside the sandbox.
702
703 Example:
704 $ firejail --net=br0 --ip6=dhcp
705
706 This option should not be used in conjunction with the --dns op‐
707 tion if the DHCP server is set to configure DNS servers for the
708 clients, because the manually specified DNS servers will be
709 overwritten.
710
711 The DHCP client will NOT release the DHCP lease when the sandbox
712 terminates. If your DHCP server requires leases to be explic‐
713 itly released, consider running a DHCP client and releasing the
714 lease manually.
715
716
717 --iprange=address,address
718 Assign an IP address in the provided range to the last network
719 interface defined by a --net option. A default gateway is as‐
720 signed by default.
721
722 Example:
723 $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
724
725
726 --ipc-namespace
727 Enable a new IPC namespace if the sandbox was started as a reg‐
728 ular user. IPC namespace is enabled by default for sandboxes
729 started as root.
730
731 Example:
732 $ firejail --ipc-namespace firefox
733
734 --join=name|pid
735 Join the sandbox identified by name or by PID. By default a
736 /bin/bash shell is started after joining the sandbox. If a pro‐
737 gram is specified, the program is run in the sandbox. If --join
738 command is issued as a regular user, all security filters are
739 configured for the new process the same they are configured in
740 the sandbox. If --join command is issued as root, the security
741 filters, cgroups and cpus configurations are not applied to the
742 process joining the sandbox.
743
744 Example:
745 $ firejail --name=mygame --caps.drop=all warzone2100 &
746 $ firejail --join=mygame
747
748 Example:
749 $ firejail --list
750 3272:netblue::firejail --private firefox
751 $ firejail --join=3272
752
753
754 --join-filesystem=name|pid
755 Join the mount namespace of the sandbox identified by name or
756 PID. By default a /bin/bash shell is started after joining the
757 sandbox. If a program is specified, the program is run in the
758 sandbox. This command is available only to root user. Security
759 filters, cgroups and cpus configurations are not applied to the
760 process joining the sandbox.
761
762 --join-network=name|pid
763 Join the network namespace of the sandbox identified by name. By
764 default a /bin/bash shell is started after joining the sandbox.
765 If a program is specified, the program is run in the sandbox.
766 This command is available only to root user. Security filters,
767 cgroups and cpus configurations are not applied to the process
768 joining the sandbox. Example:
769
770 # start firefox
771 $ firejail --net=eth0 --name=browser firefox &
772
773 # change netfilter configuration
774 $ sudo firejail --join-network=browser bash -c "cat /etc/fire‐
775 jail/nolocal.net | /sbin/iptables-restore"
776
777 # verify netfilter configuration
778 $ sudo firejail --join-network=browser /sbin/iptables -vL
779
780 # verify IP addresses
781 $ sudo firejail --join-network=browser ip addr
782 Switching to pid 1932, the first child process inside the sand‐
783 box
784 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UN‐
785 KNOWN group default
786 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
787 inet 127.0.0.1/8 scope host lo
788 valid_lft forever preferred_lft forever
789 inet6 ::1/128 scope host
790 valid_lft forever preferred_lft forever
791 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
792 noqueue state UNKNOWN group default
793 link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
794 inet 192.168.1.158/24 brd 192.168.1.255 scope global
795 eth0-1931
796 valid_lft forever preferred_lft forever
797 inet6 fe80::7458:14ff:fe42:78e4/64 scope link
798 valid_lft forever preferred_lft forever
799
800 --join-or-start=name
801 Join the sandbox identified by name or start a new one. Same as
802 "firejail --join=name" if sandbox with specified name exists,
803 otherwise same as "firejail --name=name ..."
804 Note that in contrary to other join options there is respective
805 profile option.
806
807
808 --keep-config-pulse
809 Disable automatic ~/.config/pulse init, for complex setups such
810 as remote pulse servers or non-standard socket paths.
811
812 Example:
813 $ firejail --keep-config-pulse firefox
814
815
816 --keep-dev-shm
817 /dev/shm directory is untouched (even with --private-dev)
818
819 Example:
820 $ firejail --keep-dev-shm --private-dev
821
822
823 --keep-var-tmp
824 /var/tmp directory is untouched.
825
826 Example:
827 $ firejail --keep-var-tmp
828
829
830 --list List all sandboxes, see MONITORING section for more details.
831
832 Example:
833 $ firejail --list
834 7015:netblue:browser:firejail firefox
835 7056:netblue:torrent:firejail --net=eth0 transmission-gtk
836 7064:netblue::firejail --noroot xterm
837
838 --ls=name|pid dir_or_filename
839 List files in sandbox container, see FILE TRANSFER section for
840 more details.
841
842 --mac=address
843 Assign MAC addresses to the last network interface defined by a
844 --net option. This option is not supported for wireless inter‐
845 faces.
846
847 Example:
848 $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
849
850 --machine-id
851 Spoof id number in /etc/machine-id file - a new random id is
852 generated inside the sandbox. Note that this breaks audio sup‐
853 port. Enable it when sound is not required.
854
855 Example:
856 $ firejail --machine-id
857
858
859 --mkdir=dirname
860 Create a directory in user home. Parent directories are created
861 as needed.
862
863 Example:
864 $ firejail --mkdir=~/work/project
865
866
867 --mkfile=filename
868 Create an empty file in user home.
869
870 Example:
871 $ firejail --mkfile=~/work/project/readme
872
873
874 --memory-deny-write-execute
875 Install a seccomp filter to block attempts to create memory map‐
876 pings that are both writable and executable, to change mappings
877 to be executable, or to create executable shared memory. The
878 filter examines the arguments of mmap, mmap2, mprotect,
879 pkey_mprotect, memfd_create and shmat system calls and returns
880 error EPERM to the process (or kills it or log the attempt, see
881 --seccomp-error-action below) if necessary.
882
883 Note: shmat is not implemented as a system call on some plat‐
884 forms including i386, and it cannot be handled by seccomp-bpf.
885
886 --mtu=number
887 Assign a MTU value to the last network interface defined by a
888 --net option.
889
890 Example:
891 $ firejail --net=eth0 --mtu=1492
892
893 --name=name
894 Set sandbox name. Several options, such as --join and --shut‐
895 down, can use this name to identify a sandbox.
896
897 In case the name supplied by the user is already in use by an‐
898 other sandbox, Firejail will assign a new name as "name-PID",
899 where PID is the process ID of the sandbox. This functionality
900 can be disabled at run time in /etc/firejail/firejail.config
901 file, by setting "name-change" flag to "no".
902
903 Example:
904 $ firejail --name=browser firefox &
905 $ firejail --name=browser --private firefox --no-remote &
906 $ firejail --list
907 1198:netblue:browser:firejail --name=browser firefox
908 1312:netblue:browser-1312:firejail --name=browser --private
909 firefox --no-remote
910
911 --net=bridge_interface
912 Enable a new network namespace and connect it to this bridge in‐
913 terface. Unless specified with option --ip and --defaultgw, an
914 IP address and a default gateway will be assigned automatically
915 to the sandbox. The IP address is verified using ARP before as‐
916 signment. The address configured as default gateway is the
917 bridge device IP address. Up to four --net options can be speci‐
918 fied.
919
920 Example:
921 $ sudo brctl addbr br0
922 $ sudo ifconfig br0 10.10.20.1/24
923 $ sudo brctl addbr br1
924 $ sudo ifconfig br1 10.10.30.1/24
925 $ firejail --net=br0 --net=br1
926
927
928 --net=ethernet_interface|wireless_interface
929 Enable a new network namespace and connect it to this ethernet
930 interface using the standard Linux macvlan|ipvaln driver. Unless
931 specified with option --ip and --defaultgw, an IP address and a
932 default gateway will be assigned automatically to the sandbox.
933 The IP address is verified using ARP before assignment. The ad‐
934 dress configured as default gateway is the default gateway of
935 the host. Up to four --net options can be specified. Support
936 for ipvlan driver was introduced in Linux kernel 3.19.
937
938 Example:
939 $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
940 $ firejail --net=wlan0 firefox
941
942 --net=none
943 Enable a new, unconnected network namespace. The only interface
944 available in the new namespace is a new loopback interface (lo).
945 Use this option to deny network access to programs that don't
946 really need network access.
947
948 Example:
949 $ firejail --net=none vlc
950
951 Note: --net=none can crash the application on some platforms.
952 In these cases, it can be replaced with --protocol=unix.
953
954 --net=tap_interface
955 Enable a new network namespace and connect it to this ethernet
956 tap interface using the standard Linux macvlan driver. If the
957 tap interface is not configured, the sandbox will not try to
958 configure the interface inside the sandbox. Please use --ip,
959 --netmask and --defaultgw to specify the configuration.
960
961 Example:
962 $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
963 --defaultgw=10.10.20.1 firefox
964
965
966 --net.print=name|pid
967 If a new network namespace is enabled, print network interface
968 configuration for the sandbox specified by name or PID. Example:
969
970 $ firejail --net.print=browser
971 Switching to pid 1853, the first child process inside the sand‐
972 box
973 Interface MAC IP Mask Status
974 lo 127.0.0.1 255.0.0.0 UP
975 eth0-1852 5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
976
977
978 --netfilter
979 Enable a default firewall if a new network namespace is created
980 inside the sandbox. This option has no effect for sandboxes us‐
981 ing the system network namespace.
982
983 The default firewall is optimized for regular desktop applica‐
984 tions. No incoming connections are accepted:
985
986 *filter
987 :INPUT DROP [0:0]
988 :FORWARD DROP [0:0]
989 :OUTPUT ACCEPT [0:0]
990 -A INPUT -i lo -j ACCEPT
991 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
992 # allow ping
993 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
994 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
995 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
996 # drop STUN (WebRTC) requests
997 -A OUTPUT -p udp --dport 3478 -j DROP
998 -A OUTPUT -p udp --dport 3479 -j DROP
999 -A OUTPUT -p tcp --dport 3478 -j DROP
1000 -A OUTPUT -p tcp --dport 3479 -j DROP
1001 COMMIT
1002
1003 Example:
1004 $ firejail --net=eth0 --netfilter firefox
1005
1006 --netfilter=filename
1007 Enable the firewall specified by filename if a new network name‐
1008 space is created inside the sandbox. This option has no effect
1009 for sandboxes using the system network namespace.
1010
1011 Please use the regular iptables-save/iptables-restore format for
1012 the filter file. The following examples are available in
1013 /etc/firejail directory:
1014
1015 webserver.net is a webserver firewall that allows access only to
1016 TCP ports 80 and 443. Example:
1017
1018 $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
1019 /etc/init.d/apache2 start
1020
1021 nolocal.net/nolocal6.net is a desktop client firewall that dis‐
1022 able access to local network. Example:
1023
1024 $ firejail --netfilter=/etc/firejail/nolocal.net \
1025 --net=eth0 firefox
1026
1027
1028 --netfilter=filename,arg1,arg2,arg3 ...
1029 This is the template version of the previous command. $ARG1,
1030 $ARG2, $ARG3 ... in the firewall script are replaced with arg1,
1031 arg2, arg3 ... passed on the command line. Up to 16 arguments
1032 are supported. Example:
1033
1034 $ firejail --net=eth0 --ip=192.168.1.105 \
1035 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
1036
1037
1038 --netfilter.print=name|pid
1039 Print the firewall installed in the sandbox specified by name or
1040 PID. Example:
1041
1042 $ firejail --name=browser --net=eth0 --netfilter firefox &
1043 $ firejail --netfilter.print=browser
1044
1045
1046 --netfilter6=filename
1047 Enable the IPv6 firewall specified by filename if a new network
1048 namespace is created inside the sandbox. This option has no ef‐
1049 fect for sandboxes using the system network namespace. Please
1050 use the regular iptables-save/iptables-restore format for the
1051 filter file.
1052
1053
1054 --netfilter6.print=name|pid
1055 Print the IPv6 firewall installed in the sandbox specified by
1056 name or PID. Example:
1057
1058 $ firejail --name=browser --net=eth0 --netfilter firefox &
1059 $ firejail --netfilter6.print=browser
1060
1061
1062 --netmask=address
1063 Use this option when you want to assign an IP address in a new
1064 namespace and the parent interface specified by --net is not
1065 configured. An IP address and a default gateway address also
1066 have to be added. By default the new namespace interface comes
1067 without IP address and default gateway configured. Example:
1068
1069 $ sudo /sbin/brctl addbr br0
1070 $ sudo /sbin/ifconfig br0 up
1071 $ firejail --ip=10.10.20.67 --netmask=255.255.255.0 --de‐
1072 faultgw=10.10.20.1
1073
1074
1075 --netns=name
1076 Run the program in a named, persistent network namespace. These
1077 can be created and configured using "ip netns".
1078
1079
1080 --netstats
1081 Monitor network namespace statistics, see MONITORING section for
1082 more details.
1083
1084 Example:
1085
1086 $ firejail --netstats
1087 PID User RX(KB/s) TX(KB/s) Command
1088 1294 netblue 53.355 1.473 firejail --net=eth0 firefox
1089 7383 netblue 9.045 0.112 firejail --net=eth0 transmission
1090
1091 --nice=value
1092 Set nice value for all processes running inside the sandbox.
1093 Only root may specify a negative value.
1094
1095 Example:
1096 $ firejail --nice=2 firefox
1097
1098
1099 --no3d Disable 3D hardware acceleration.
1100
1101 Example:
1102 $ firejail --no3d firefox
1103
1104
1105 --noautopulse (deprecated)
1106 See --keep-config-pulse.
1107
1108
1109 --noblacklist=dirname_or_filename
1110 Disable blacklist for this directory or file.
1111
1112 Example:
1113 $ firejail
1114 $ nc dict.org 2628
1115 bash: /bin/nc: Permission denied
1116 $ exit
1117
1118 $ firejail --noblacklist=/bin/nc
1119 $ nc dict.org 2628
1120 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1121
1122 --nodbus (deprecated)
1123 Disable D-Bus access (both system and session buses). Equivalent
1124 to --dbus-system=none --dbus-user=none.
1125
1126 Example:
1127 $ firejail --nodbus --net=none
1128
1129 --nodvd
1130 Disable DVD and audio CD devices.
1131
1132 Example:
1133 $ firejail --nodvd
1134
1135 --noinput
1136 Disable input devices.
1137
1138 Example:
1139 $ firejail --noinput
1140
1141 --noexec=dirname_or_filename
1142 Remount directory or file noexec, nodev and nosuid. File glob‐
1143 bing is supported, see FILE GLOBBING section for more details.
1144
1145 Example:
1146 $ firejail --noexec=/tmp
1147
1148 /etc and /var are noexec by default if the sandbox was started
1149 as a regular user.
1150
1151
1152 --nogroups
1153 Disable supplementary groups. Without this option, supplementary
1154 groups are enabled for the user starting the sandbox. For root
1155 user supplementary groups are always disabled.
1156
1157 Note: By default all regular user groups are removed with the
1158 exception of the current user. This can be changed using --al‐
1159 lusers command option.
1160
1161 Example:
1162 $ id
1163 uid=1000(netblue) gid=1000(netblue) groups=1000(net‐
1164 blue),24(cdrom),25(floppy),27(sudo),29(audio)
1165 $ firejail --nogroups
1166 Parent pid 8704, child pid 8705
1167 Child process initialized
1168 $ id
1169 uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
1170 $
1171
1172
1173 --nonewprivs
1174 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
1175 cannot acquire new privileges using execve(2); in particular,
1176 this means that calling a suid binary (or one with file capabil‐
1177 ities) does not result in an increase of privilege. This option
1178 is enabled by default if seccomp filter is activated.
1179
1180
1181 --noprofile
1182 Do not use a security profile.
1183
1184 Example:
1185 $ firejail
1186 Reading profile /etc/firejail/default.profile
1187 Parent pid 8553, child pid 8554
1188 Child process initialized
1189 [...]
1190
1191 $ firejail --noprofile
1192 Parent pid 8553, child pid 8554
1193 Child process initialized
1194 [...]
1195
1196 --noroot
1197 Install a user namespace with a single user - the current user.
1198 root user does not exist in the new namespace. This option re‐
1199 quires a Linux kernel version 3.8 or newer. The option is not
1200 supported for --chroot and --overlay configurations, or for
1201 sandboxes started as root.
1202
1203 Example:
1204 $ firejail --noroot
1205 Parent pid 8553, child pid 8554
1206 Child process initialized
1207 $ ping google.com
1208 ping: icmp open socket: Operation not permitted
1209 $
1210
1211 --nosound
1212 Disable sound system.
1213
1214 Example:
1215 $ firejail --nosound firefox
1216
1217
1218 --notv Disable DVB (Digital Video Broadcasting) TV devices.
1219
1220 Example:
1221 $ firejail --notv vlc
1222
1223
1224 --nou2f
1225 Disable U2F devices.
1226
1227 Example:
1228 $ firejail --nou2f
1229
1230
1231 --novideo
1232 Disable video devices.
1233
1234
1235 --nowhitelist=dirname_or_filename
1236 Disable whitelist for this directory or file.
1237
1238
1239 --output=logfile
1240 stdout logging and log rotation. Copy stdout to logfile, and
1241 keep the size of the file under 500KB using log rotation. Five
1242 files with prefixes .1 to .5 are used in rotation.
1243
1244 Example:
1245 $ firejail --output=sandboxlog /bin/bash
1246 [...]
1247 $ ls -l sandboxlog*
1248 -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog
1249 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1
1250 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2
1251 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3
1252 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4
1253 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5
1254
1255
1256 --output-stderr=logfile
1257 Similar to --output, but stderr is also stored.
1258
1259
1260 --private
1261 Mount new /root and /home/user directories in temporary filesys‐
1262 tems. All modifications are discarded when the sandbox is
1263 closed.
1264
1265 Example:
1266 $ firejail --private firefox
1267
1268
1269 --private=directory
1270 Use directory as user home. --private and --private=directory
1271 cannot be used together.
1272
1273 Example:
1274 $ firejail --private=/home/netblue/firefox-home firefox
1275
1276
1277 --private-bin=file,file
1278 Build a new /bin in a temporary filesystem, and copy the pro‐
1279 grams in the list. The files in the list must be expressed as
1280 relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/lo‐
1281 cal/bin directories. If no listed files are found, /bin direc‐
1282 tory will be empty. The same directory is also bind-mounted
1283 over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. All modifi‐
1284 cations are discarded when the sandbox is closed. File globbing
1285 is supported, see FILE GLOBBING section for more details.
1286
1287 Example:
1288 $ firejail --private-bin=bash,sed,ls,cat
1289 Parent pid 20841, child pid 20842
1290 Child process initialized
1291 $ ls /bin
1292 bash cat ls sed
1293
1294
1295 --private-cache
1296 Mount an empty temporary filesystem on top of the .cache direc‐
1297 tory in user home. All modifications are discarded when the
1298 sandbox is closed.
1299
1300 Example:
1301 $ firejail --private-cache openbox
1302
1303
1304 --private-cwd
1305 Set working directory inside jail to the home directory, and
1306 failing that, the root directory.
1307 Does not impact working directory of profile include paths.
1308
1309 Example:
1310 $ pwd
1311 /tmp
1312 $ firejail --private-cwd
1313 $ pwd
1314 /home/user
1315
1316
1317 --private-cwd=directory
1318 Set working directory inside the jail.
1319 Does not impact working directory of profile include paths.
1320
1321 Example:
1322 $ pwd
1323 /tmp
1324 $ firejail --private-cwd=/opt
1325 $ pwd
1326 /opt
1327
1328
1329 --private-dev
1330 Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
1331 full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
1332 shm and usb devices are available. Use the options --no3d,
1333 --nodvd, --nosound, --notv, --nou2f and --novideo for additional
1334 restrictions.
1335
1336 Example:
1337 $ firejail --private-dev
1338 Parent pid 9887, child pid 9888
1339 Child process initialized
1340 $ ls /dev
1341 cdrom cdrw dri dvd dvdrw full log null ptmx pts random
1342 shm snd sr0 tty urandom zero
1343 $
1344
1345 --private-etc=file,directory
1346 Build a new /etc in a temporary filesystem, and copy the files
1347 and directories in the list. The files and directories in the
1348 list must be expressed as relative to the /etc directory (e.g.,
1349 /etc/foo must be expressed as foo). If no listed file is found,
1350 /etc directory will be empty. All modifications are discarded
1351 when the sandbox is closed.
1352
1353 Example:
1354 $ firejail --private-etc=group,hostname,localtime, \
1355 nsswitch.conf,passwd,resolv.conf
1356
1357 --private-home=file,directory
1358 Build a new user home in a temporary filesystem, and copy the
1359 files and directories in the list in the new home. The files
1360 and directories in the list must be expressed as relative to the
1361 current user's home directory. All modifications are discarded
1362 when the sandbox is closed.
1363
1364 Example:
1365 $ firejail --private-home=.mozilla firefox
1366
1367 --private-lib=file,directory
1368 This feature is currently under heavy development. Only amd64
1369 platforms are supported at this moment. The files and directo‐
1370 ries in the list must be expressed as relative to the /lib di‐
1371 rectory. The idea is to build a new /lib in a temporary
1372 filesystem, with only the library files necessary to run the ap‐
1373 plication. It could be as simple as:
1374
1375 $ firejail --private-lib galculator
1376
1377 but it gets complicated really fast:
1378
1379 $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1380 gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1381
1382 The feature is integrated with --private-bin:
1383
1384 $ firejail --private-lib --private-bin=bash,ls,ps
1385 $ ls /lib
1386 ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
1387 temd.so.0
1388 libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1389 libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1390 libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1391 $ ps
1392 PID TTY TIME CMD
1393 1 pts/0 00:00:00 firejail
1394 45 pts/0 00:00:00 bash
1395 48 pts/0 00:00:00 ps
1396 $
1397
1398
1399 --private-opt=file,directory
1400 Build a new /opt in a temporary filesystem, and copy the files
1401 and directories in the list. The files and directories in the
1402 list must be expressed as relative to the /opt directory, and
1403 must not contain the / character (e.g., /opt/foo must be ex‐
1404 pressed as foo, but /opt/foo/bar -- expressed as foo/bar -- is
1405 disallowed). If no listed file is found, /opt directory will be
1406 empty. All modifications are discarded when the sandbox is
1407 closed.
1408
1409 Example:
1410 $ firejail --private-opt=firefox /opt/firefox/firefox
1411
1412
1413 --private-srv=file,directory
1414 Build a new /srv in a temporary filesystem, and copy the files
1415 and directories in the list. The files and directories in the
1416 list must be expressed as relative to the /srv directory, and
1417 must not contain the / character (e.g., /srv/foo must be ex‐
1418 pressed as foo, but /srv/foo/bar -- expressed as srv/bar -- is
1419 disallowed). If no listed file is found, /srv directory will be
1420 empty. All modifications are discarded when the sandbox is
1421 closed.
1422
1423 Example:
1424 # firejail --private-srv=www /etc/init.d/apache2 start
1425
1426
1427 --private-tmp
1428 Mount an empty temporary filesystem on top of /tmp directory
1429 whitelisting X11 and PulseAudio sockets.
1430
1431 Example:
1432 $ firejail --private-tmp
1433 $ ls -al /tmp
1434 drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
1435 drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1436 drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKd‐
1437 htXMmr18n
1438 drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1439
1440
1441 --profile=filename_or_profilename
1442 Load a custom security profile from filename. For filename use
1443 an absolute path or a path relative to the current path. For
1444 more information, see SECURITY PROFILES section below.
1445
1446 Example:
1447 $ firejail --profile=myprofile
1448
1449
1450 --profile.print=name|pid
1451 Print the name of the profile file for the sandbox identified by
1452 name or or PID.
1453
1454 Example:
1455 $ firejail --profile.print=browser
1456 /etc/firejail/firefox.profile
1457
1458 --protocol=protocol,protocol,protocol
1459 Enable protocol filter. The filter is based on seccomp and
1460 checks the first argument to socket system call. Recognized
1461 values: unix, inet, inet6, netlink, packet and bluetooth. This
1462 option is not supported for i386 architecture.
1463
1464 Example:
1465 $ firejail --protocol=unix,inet,inet6 firefox
1466
1467 --protocol.print=name|pid
1468 Print the protocol filter for the sandbox identified by name or
1469 PID.
1470
1471 Example:
1472 $ firejail --name=mybrowser firefox &
1473 $ firejail --protocol.print=mybrowser
1474 unix,inet,inet6,netlink
1475
1476 Example:
1477 $ firejail --list
1478 3272:netblue::firejail --private firefox
1479 $ firejail --protocol.print=3272
1480 unix,inet,inet6,netlink
1481
1482 --put=name|pid src-filename dest-filename
1483 Put a file in sandbox container, see FILE TRANSFER section for
1484 more details.
1485
1486 --quiet
1487 Turn off Firejail's output.
1488
1489 The same effect can be obtained by setting an environment vari‐
1490 able FIREJAIL_QUIET to yes.
1491
1492 --read-only=dirname_or_filename
1493 Set directory or file read-only. File globbing is supported, see
1494 FILE GLOBBING section for more details.
1495
1496 Example:
1497 $ firejail --read-only=~/.mozilla firefox
1498
1499 --read-write=dirname_or_filename
1500 Set directory or file read-write. Only files or directories be‐
1501 longing to the current user are allowed for this operation. File
1502 globbing is supported, see FILE GLOBBING section for more de‐
1503 tails. Example:
1504
1505 $ mkdir ~/test
1506 $ touch ~/test/a
1507 $ firejail --read-only=~/test --read-write=~/test/a
1508
1509
1510
1511 --rlimit-as=number
1512 Set the maximum size of the process's virtual memory (address
1513 space) in bytes. Use k(ilobyte), m(egabyte) or g(igabyte) for
1514 size suffix (base 1024).
1515
1516
1517 --rlimit-cpu=number
1518 Set the maximum limit, in seconds, for the amount of CPU time
1519 each sandboxed process can consume. When the limit is reached,
1520 the processes are killed.
1521
1522 The CPU limit is a limit on CPU seconds rather than elapsed
1523 time. CPU seconds is basically how many seconds the CPU has been
1524 in use and does not necessarily directly relate to the elapsed
1525 time. Linux kernel keeps track of CPU seconds for each process
1526 independently.
1527
1528
1529 --rlimit-fsize=number
1530 Set the maximum file size that can be created by a process. Use
1531 k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base
1532 1024).
1533
1534 --rlimit-nofile=number
1535 Set the maximum number of files that can be opened by a process.
1536
1537 --rlimit-nproc=number
1538 Set the maximum number of processes that can be created for the
1539 real user ID of the calling process.
1540
1541 --rlimit-sigpending=number
1542 Set the maximum number of pending signals for a process.
1543
1544
1545 --rmenv=name
1546 Remove environment variable in the new sandbox.
1547
1548 Example:
1549 $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1550
1551 --scan ARP-scan all the networks from inside a network namespace. This
1552 makes it possible to detect macvlan kernel device drivers run‐
1553 ning on the current host.
1554
1555 Example:
1556 $ firejail --net=eth0 --scan
1557
1558 --seccomp
1559 Enable seccomp filter and blacklist the syscalls in the default
1560 list, which is @default-nodebuggers unless --allow-debuggers is
1561 specified, then it is @default.
1562
1563 To help creating useful seccomp filters more easily, the follow‐
1564 ing system call groups are defined: @aio, @basic-io, @chown,
1565 @clock, @cpu-emulation, @debug, @default, @default-nodebuggers,
1566 @default-keep, @file-system, @io-event, @ipc, @keyring, @mem‐
1567 lock, @module, @mount, @network-io, @obsolete, @privileged,
1568 @process, @raw-io, @reboot, @resources, @setuid, @swap, @sync,
1569 @system-service and @timer. More information about groups can
1570 be found in /usr/share/doc/firejail/syscalls.txt
1571
1572 System architecture is strictly imposed only if flag --sec‐
1573 comp.block-secondary is used. The filter is applied at run time
1574 only if the correct architecture was detected. For the case of
1575 I386 and AMD64 both 32-bit and 64-bit filters are installed.
1576
1577 Firejail will print seccomp violations to the audit log if the
1578 kernel was compiled with audit support (CONFIG_AUDIT flag).
1579
1580 Example:
1581 $ firejail --seccomp
1582
1583 The default list can be customized, see --seccomp= for a de‐
1584 scription. It can be customized also globally in /etc/fire‐
1585 jail/firejail.config file.
1586
1587
1588 --seccomp=syscall,@group,!syscall2
1589 Enable seccomp filter, blacklist the default list and the
1590 syscalls or syscall groups specified by the command, but don't
1591 blacklist "syscall2". On a 64 bit architecture, an additional
1592 filter for 32 bit system calls can be installed with --sec‐
1593 comp.32.
1594
1595 Example:
1596 $ firejail --seccomp=utime,utimensat,utimes firefox
1597 $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1598 $ firejail '--seccomp=@ipc,!pipe,!pipe2' audacious
1599
1600 Syscalls can be specified by their number if prefix $ is added,
1601 so for example $165 would be equal to mount on i386.
1602
1603 Instead of dropping the syscall by returning EPERM, another er‐
1604 ror number can be returned using syscall:errno syntax. This can
1605 be also changed globally with --seccomp-error-action or in
1606 /etc/firejail/firejail.config file. The process can also be
1607 killed by using syscall:kill syntax, or the attempt may be
1608 logged with syscall:log.
1609
1610 Example:
1611 $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1612 Parent pid 10662, child pid 10663
1613 Child process initialized
1614 $ touch testfile
1615 $ ls testfile
1616 testfile
1617 $ rm testfile
1618 rm: cannot remove `testfile': No such file or directory
1619
1620 If the blocked system calls would also block Firejail from oper‐
1621 ating, they are handled by adding a preloaded library which per‐
1622 forms seccomp system calls later. However, this is incompatible
1623 with 32 bit seccomp filters.
1624
1625 Example:
1626 $ firejail --noprofile --shell=none --seccomp=execve sh
1627 Parent pid 32751, child pid 32752
1628 Post-exec seccomp protector enabled
1629 list in: execve, check list: @default-keep prelist: (null),
1630 postlist: execve
1631 Child process initialized in 46.44 ms
1632 $ ls
1633 Operation not permitted
1634
1635
1636 --seccomp.block-secondary
1637 Enable seccomp filter and filter system call architectures so
1638 that only the native architecture is allowed. For example, on
1639 amd64, i386 and x32 system calls are blocked as well as changing
1640 the execution domain with personality(2) system call.
1641
1642
1643 --seccomp.drop=syscall,@group
1644 Enable seccomp filter, and blacklist the syscalls or the syscall
1645 groups specified by the command. On a 64 bit architecture, an
1646 additional filter for 32 bit system calls can be installed with
1647 --seccomp.32.drop.
1648
1649 Example:
1650 $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1651
1652 Instead of dropping the syscall by returning EPERM, another er‐
1653 ror number can be returned using syscall:errno syntax. This can
1654 be also changed globally with --seccomp-error-action or in
1655 /etc/firejail/firejail.config file. The process can also be
1656 killed by using syscall:kill syntax, or the attempt may be
1657 logged with syscall:log.
1658
1659 Example:
1660 $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1661 Parent pid 10662, child pid 10663
1662 Child process initialized
1663 $ touch testfile
1664 $ ls testfile
1665 testfile
1666 $ rm testfile
1667 rm: cannot remove `testfile': No such file or directory
1668
1669
1670 --seccomp.keep=syscall,@group,!syscall2
1671 Enable seccomp filter, blacklist all syscall not listed and
1672 "syscall2". The system calls needed by Firejail (group @de‐
1673 fault-keep: prctl, execve, execveat) are handled with the
1674 preload library. On a 64 bit architecture, an additional filter
1675 for 32 bit system calls can be installed with --seccomp.32.keep.
1676
1677 Example:
1678 $ firejail --shell=none --seccomp.keep=poll,select,[...] trans‐
1679 mission-gtk
1680
1681
1682 --seccomp.print=name|pid
1683 Print the seccomp filter for the sandbox identified by name or
1684 PID.
1685
1686 Example:
1687 $ firejail --name=browser firefox &
1688 $ firejail --seccomp.print=browser
1689 line OP JT JF K
1690 =================================
1691 0000: 20 00 00 00000004 ld data.architecture
1692 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
1693 0002: 06 00 00 7fff0000 ret ALLOW
1694 0003: 20 00 00 00000000 ld data.syscall-number
1695 0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
1696 0005: 35 01 00 00000000 jge read 0007 (false 0006)
1697 0006: 06 00 00 00050001 ret ERRNO(1)
1698 0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
1699 0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
1700 0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
1701 000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false
1702 000b)
1703 000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
1704 000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
1705 000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
1706 000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
1707 000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
1708 0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
1709 0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
1710 0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
1711 0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
1712 0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
1713 0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
1714 0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
1715 0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
1716 0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
1717 0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
1718 001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
1719 001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
1720 001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
1721 001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
1722 001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
1723 001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
1724 0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
1725 0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
1726 0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
1727 0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
1728 0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
1729 0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
1730 0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
1731 0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
1732 0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
1733 0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
1734 002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
1735 002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
1736 002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
1737 002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
1738 002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
1739 002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
1740 0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
1741 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
1742 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
1743 0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
1744 0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false
1745 0035)
1746 0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false
1747 0036)
1748 0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
1749 0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
1750 0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
1751 0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
1752 003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
1753 003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
1754 003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
1755 003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
1756 003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
1757 003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
1758 0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
1759 0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
1760 0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false
1761 0043)
1762 0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
1763 0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
1764 0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
1765 0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
1766 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false
1767 0048)
1768 0048: 06 00 00 7fff0000 ret ALLOW
1769 0049: 06 00 01 00000000 ret KILL
1770 $
1771
1772
1773 --seccomp-error-action= kill | ERRNO | log
1774 By default, if a seccomp filter blocks a system call, the
1775 process gets EPERM as the error. With --seccomp-error-action=er‐
1776 ror, another error number can be returned, for example ENOSYS or
1777 EACCES. The process can also be killed (like in versions <0.9.63
1778 of Firejail) by using --seccomp-error-action=kill syntax, or the
1779 attempt may be logged with --seccomp-error-action=log. Not
1780 killing the process weakens Firejail slightly when trying to
1781 contain intrusion, but it may also allow tighter filters if the
1782 only alternative is to allow a system call.
1783
1784
1785 --shell=none
1786 Run the program directly, without a user shell.
1787
1788 Example:
1789 $ firejail --shell=none script.sh
1790
1791 --shell=program
1792 Set default user shell. Use this shell to run the application
1793 using -c shell option. For example "firejail --shell=/bin/dash
1794 firefox" will start Mozilla Firefox as "/bin/dash -c firefox".
1795 By default the user's preferred shell is used.
1796
1797 Example: $firejail --shell=/bin/dash script.sh
1798
1799 --shutdown=name|pid
1800 Shutdown the sandbox identified by name or PID.
1801
1802 Example:
1803 $ firejail --name=mygame --caps.drop=all warzone2100 &
1804 $ firejail --shutdown=mygame
1805
1806 Example:
1807 $ firejail --list
1808 3272:netblue::firejail --private firefox
1809 $ firejail --shutdown=3272
1810
1811 --timeout=hh:mm:ss
1812 Kill the sandbox automatically after the time has elapsed. The
1813 time is specified in hours/minutes/seconds format.
1814
1815 $ firejail --timeout=01:30:00 firefox
1816
1817 --tmpfs=dirname
1818 Mount a writable tmpfs filesystem on directory dirname. Directo‐
1819 ries outside user home or not owned by the user are not allowed.
1820 Sandboxes running as root are exempt from these restrictions.
1821 File globbing is supported, see FILE GLOBBING section for more
1822 details.
1823
1824 Example:
1825 $ firejail --tmpfs=~/.local/share
1826
1827 --top Monitor the most CPU-intensive sandboxes, see MONITORING section
1828 for more details.
1829
1830 Example:
1831 $ firejail --top
1832
1833 --trace[=filename]
1834 Trace open, access and connect system calls. If filename is
1835 specified, log trace output to filename, otherwise log to con‐
1836 sole.
1837
1838 Example:
1839 $ firejail --trace wget -q www.debian.org
1840 Reading profile /etc/firejail/wget.profile
1841 3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
1842 3:wget:fopen /etc/hosts:0x5c8e8cfb70
1843 3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
1844 3:wget:connect 3 8.8.8.8 port 53:0
1845 3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
1846 3:wget:connect 3 130.89.148.14 port 80:0
1847 3:wget:fopen64 index.html:0x5c8e8d1a60
1848
1849 parent is shutting down, bye...
1850
1851 --tracelog
1852 This option enables auditing blacklisted files and directories.
1853 A message is sent to syslog in case the file or the directory is
1854 accessed.
1855
1856 Example:
1857 $ firejail --tracelog firefox
1858
1859 Sample messages:
1860 $ sudo tail -f /var/log/syslog
1861 [...]
1862 Dec 3 11:43:25 debian firejail[70]: blacklist violation - sand‐
1863 box 26370, exe firefox, syscall open64, path /etc/shadow
1864 Dec 3 11:46:17 debian firejail[70]: blacklist violation - sand‐
1865 box 26370, exe firefox, syscall opendir, path /boot
1866 [...]
1867
1868 --tree Print a tree of all sandboxed processes, see MONITORING section
1869 for more details.
1870
1871 Example:
1872 $ firejail --tree
1873 11903:netblue:firejail iceweasel
1874 11904:netblue:iceweasel
1875 11957:netblue:/usr/lib/iceweasel/plugin-container
1876 11969:netblue:firejail --net=eth0 transmission-gtk
1877 11970:netblue:transmission-gtk
1878
1879
1880 --tunnel[=devname]
1881 Connect the sandbox to a network overlay/VPN tunnel created by
1882 firetunnel utility. This options tries first the client side of
1883 the tunnel. If this fails, it tries the server side. If multiple
1884 tunnels are active, please specify the tunnel device using
1885 --tunnel=devname.
1886
1887 The available tunnel devices are listed in /etc/firetunnel di‐
1888 rectory, one file for each device. The files are regular fire‐
1889 jail profile files containing the network configuration, and are
1890 created and managed by firetunnel utility. By default ftc is
1891 the client-side device and fts is the server-side device. For
1892 more information please see man 1 firetunnel.
1893
1894 Example:
1895 $ firejail --tunnel firefox
1896
1897 --version
1898 Print program version/compile time support and exit.
1899
1900 Example:
1901 $ firejail --version
1902 firejail version 0.9.27
1903
1904 Compile time support:
1905 - AppArmor support is enabled
1906 - AppImage support is enabled
1907 - chroot support is enabled
1908 - file and directory whitelisting support is enabled
1909 - file transfer support is enabled
1910 - firetunnel support is enabled
1911 - networking support is enabled
1912 - overlayfs support is enabled
1913 - private-home support is enabled
1914 - seccomp-bpf support is enabled
1915 - user namespace support is enabled
1916 - X11 sandboxing support is enabled
1917
1918 --veth-name=name
1919 Use this name for the interface connected to the bridge for
1920 --net=bridge_interface commands, instead of the default one.
1921
1922 Example:
1923 $ firejail --net=br0 --veth-name=if0
1924
1925 --whitelist=dirname_or_filename
1926 Whitelist directory or file. A temporary file system is mounted
1927 on the top directory, and the whitelisted files are mount-binded
1928 inside. Modifications to whitelisted files are persistent, ev‐
1929 erything else is discarded when the sandbox is closed. The top
1930 directory can be all directories in / (except /proc and /sys),
1931 /sys/module, /run/user/$UID, $HOME and all directories in /usr.
1932
1933 Symbolic link handling: with the exception of user home, both
1934 the link and the real file should be in the same top directory.
1935 For user home, both the link and the real file should be owned
1936 by the user.
1937
1938 File globbing is supported, see FILE GLOBBING section for more
1939 details.
1940
1941 Example:
1942 $ firejail --noprofile --whitelist=~/.mozilla
1943 $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
1944 $ firejail "--whitelist=/home/username/My Virtual Machines"
1945 $ firejail --whitelist=~/work* --whitelist=/var/backups*
1946
1947
1948 --writable-etc
1949 Mount /etc directory read-write.
1950
1951 Example:
1952 $ sudo firejail --writable-etc
1953
1954
1955 --writable-run-user
1956 Disable the default blacklisting of /run/user/$UID/systemd and
1957 /run/user/$UID/gnupg.
1958
1959 Example:
1960 $ sudo firejail --writable-run-user
1961
1962
1963 --writable-var
1964 Mount /var directory read-write.
1965
1966 Example:
1967 $ sudo firejail --writable-var
1968
1969
1970 --writable-var-log
1971 Use the real /var/log directory, not a clone. By default, a
1972 tmpfs is mounted on top of /var/log directory, and a skeleton
1973 filesystem is created based on the original /var/log.
1974
1975 Example:
1976 $ sudo firejail --writable-var-log
1977
1978
1979 --x11 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg secu‐
1980 rity extension. The sandbox will prevent screenshot and keylog‐
1981 ger applications started inside the sandbox from accessing
1982 clients running outside the sandbox. Firejail will try Xpra
1983 first, and if Xpra is not installed on the system, it will try
1984 to find Xephyr. If all fails, Firejail will not attempt to use
1985 Xvfb or X11 security extension.
1986
1987 Xpra, Xephyr and Xvfb modes require a network namespace to be
1988 instantiated in order to disable X11 abstract Unix socket. If
1989 this is not possible, the user can disable the abstract socket
1990 by adding "-nolisten local" on Xorg command line at system
1991 level.
1992
1993 Example:
1994 $ firejail --x11 --net=eth0 firefox
1995
1996
1997 --x11=none
1998 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the
1999 file specified in ${XAUTHORITY} environment variable. Remove
2000 DISPLAY and XAUTHORITY environment variables. Stop with error
2001 message if X11 abstract socket will be accessible in jail.
2002
2003
2004 --x11=xephyr
2005 Start Xephyr and attach the sandbox to this server. Xephyr is a
2006 display server implementing the X11 display server protocol. A
2007 network namespace needs to be instantiated in order to deny ac‐
2008 cess to X11 abstract Unix domain socket.
2009
2010 Xephyr runs in a window just like any other X11 application. The
2011 default window size is 800x600. This can be modified in
2012 /etc/firejail/firejail.config file.
2013
2014 The recommended way to use this feature is to run a window man‐
2015 ager inside the sandbox. A security profile for OpenBox is pro‐
2016 vided.
2017
2018 Xephyr is developed by Xorg project. On Debian platforms it is
2019 installed with the command sudo apt-get install xserver-xephyr.
2020 This feature is not available when running as root.
2021
2022 Example:
2023 $ firejail --x11=xephyr --net=eth0 openbox
2024
2025
2026 --x11=xorg
2027 Sandbox the application using the untrusted mode implemented by
2028 X11 security extension. The extension is available in Xorg
2029 package and it is installed by default on most Linux distribu‐
2030 tions. It provides support for a simple trusted/untrusted con‐
2031 nection model. Untrusted clients are restricted in certain ways
2032 to prevent them from reading window contents of other clients,
2033 stealing input events, etc.
2034
2035 The untrusted mode has several limitations. A lot of regular
2036 programs assume they are a trusted X11 clients and will crash
2037 or lock up when run in untrusted mode. Chromium browser and
2038 xterm are two examples. Firefox and transmission-gtk seem to be
2039 working fine. A network namespace is not required for this op‐
2040 tion.
2041
2042 Example:
2043 $ firejail --x11=xorg firefox
2044
2045
2046 --x11=xpra
2047 Start Xpra (https://xpra.org) and attach the sandbox to this
2048 server. Xpra is a persistent remote display server and client
2049 for forwarding X11 applications and desktop screens. A network
2050 namespace needs to be instantiated in order to deny access to
2051 X11 abstract Unix domain socket.
2052
2053 On Debian platforms Xpra is installed with the command sudo apt-
2054 get install xpra. This feature is not available when running as
2055 root.
2056
2057 Example:
2058 $ firejail --x11=xpra --net=eth0 firefox
2059
2060
2061
2062 --x11=xvfb
2063 Start Xvfb X11 server and attach the sandbox to this server.
2064 Xvfb, short for X virtual framebuffer, performs all graphical
2065 operations in memory without showing any screen output. Xvfb is
2066 mainly used for remote access and software testing on headless
2067 servers.
2068
2069 On Debian platforms Xvfb is installed with the command sudo apt-
2070 get install xvfb. This feature is not available when running as
2071 root.
2072
2073 Example: remote VNC access
2074
2075 On the server we start a sandbox using Xvfb and openbox window
2076 manager. The default size of Xvfb screen is 800x600 - it can be
2077 changed in /etc/firejail/firejail.config (xvfb-screen). Some
2078 sort of networking (--net) is required in order to isolate the
2079 abstract sockets used by other X servers.
2080
2081 $ firejail --net=none --x11=xvfb openbox
2082
2083 *** Attaching to Xvfb display 792 ***
2084
2085 Reading profile /etc/firejail/openbox.profile
2086 Reading profile /etc/firejail/disable-common.inc
2087 Reading profile /etc/firejail/disable-common.local
2088 Parent pid 5400, child pid 5401
2089
2090 On the server we also start a VNC server and attach it to the
2091 display handled by our Xvfb server (792).
2092
2093 $ x11vnc -display :792
2094
2095 On the client machine we start a VNC viewer and use it to con‐
2096 nect to our server:
2097
2098 $ vncviewer
2099
2100
2101 --xephyr-screen=WIDTHxHEIGHT
2102 Set screen size for --x11=xephyr. The setting will overwrite the
2103 default set in /etc/firejail/firejail.config for the current
2104 sandbox. Run xrandr to get a list of supported resolutions on
2105 your computer.
2106
2107 Example:
2108 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
2109 fox
2110
2111
2113 A symbolic link to /usr/bin/firejail under the name of a program, will
2114 start the program in Firejail sandbox. The symbolic link should be
2115 placed in the first $PATH position. On most systems, a good place is
2116 /usr/local/bin directory. Example:
2117
2118 Make a firefox symlink to /usr/bin/firejail:
2119
2120 $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
2121
2122 Verify $PATH
2123
2124 $ which -a firefox
2125 /usr/local/bin/firefox
2126 /usr/bin/firefox
2127
2128 Starting firefox in this moment, automatically invokes “firejail
2129 firefox”.
2130
2131 This works for clicking on desktop environment icons, menus etc. Use
2132 "firejail --tree" to verify the program is sandboxed.
2133
2134 $ firejail --tree
2135 1189:netblue:firejail firefox
2136 1190:netblue:firejail firefox
2137 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
2138 1221:netblue:/usr/lib/firefox/firefox
2139
2140 We provide a tool that automates all this integration, please see
2141 firecfg(1) for more details.
2142
2143
2145 firejail
2146 Sandbox a regular shell session.
2147
2148 firejail firefox
2149 Start Mozilla Firefox.
2150
2151 firejail --debug firefox
2152 Debug Firefox sandbox.
2153
2154 firejail --private firefox
2155 Start Firefox with a new, empty home directory.
2156
2157 firejail --net=none vlc
2158 Start VLC in an unconnected network namespace.
2159
2160 firejail --net=eth0 firefox
2161 Start Firefox in a new network namespace. An IP address is as‐
2162 signed automatically.
2163
2164 firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2165 Start a shell session in a new network namespace and connect it
2166 to br0, br1, and br2 host bridge devices. IP addresses are as‐
2167 signed automatically for the interfaces connected to br1 and b2
2168
2169 firejail --list
2170 List all sandboxed processes.
2171
2172
2174 Globbing is the operation that expands a wildcard pattern into the
2175 list of pathnames matching the pattern. This pattern is matched
2176 at firejail start, and is NOT UPDATED at runtime. Files match‐
2177 ing a blacklist, but created after firejail start will be acces‐
2178 sible within the jail. Matching is defined by:
2179
2180 - '?' matches any character
2181 - '*' matches any string
2182 - '[' denotes a range of characters
2183
2184 The globbing feature is implemented using glibc glob command. For
2185 more information on the wildcard syntax see man 7 glob.
2186
2187
2188 The following command line options are supported: --blacklist,
2189 --private-bin, --noexec, --read-only, --read-write, --tmpfs, and
2190 --whitelist.
2191
2192
2193 Examples:
2194
2195 $ firejail --private-bin=sh,bash,python*
2196 $ firejail --blacklist=~/dir[1234]
2197 $ firejail --read-only=~/dir[1-4]
2198
2199
2201 These features allow the user to inspect the filesystem container of an
2202 existing sandbox and transfer files between the container and the host
2203 filesystem.
2204
2205
2206 --cat=name|pid filename
2207 Write content of a container file to standard out. The container
2208 is specified by name or PID. If standard out is a terminal, all
2209 ASCII control characters except new line and horizontal tab are
2210 replaced.
2211
2212
2213 --get=name|pid filename
2214 Retrieve the container file and store it on the host in the cur‐
2215 rent working directory. The container is specified by name or
2216 PID.
2217
2218
2219 --ls=name|pid dir_or_filename
2220 List container files. The container is specified by name or PID.
2221
2222
2223 --put=name|pid src-filename dest-filename
2224 Put src-filename in sandbox container. The container is speci‐
2225 fied by name or PID.
2226
2227
2228 Examples:
2229
2230 $ firejail --name=mybrowser --private firefox
2231
2232 $ firejail --ls=mybrowser ~/Downloads
2233 drwxr-xr-x netblue netblue 4096 .
2234 drwxr-xr-x netblue netblue 4096 ..
2235 -rw-r--r-- netblue netblue 7847 x11-x305.png
2236 -rw-r--r-- netblue netblue 6800 x11-x642.png
2237 -rw-r--r-- netblue netblue 34139 xpra-clipboard.png
2238
2239 $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
2240
2241 $ firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-
2242 clipboard.png
2243
2244 $ firejail --cat=mybrowser ~/.bashrc
2245
2247 Option --list prints a list of all sandboxes. The format for each
2248 process entry is as follows:
2249
2250 PID:USER:Sandbox Name:Command
2251
2252 Option --tree prints the tree of processes running in the sandbox. The
2253 format for each process entry is as follows:
2254
2255 PID:USER:Sandbox Name:Command
2256
2257 Option --top is similar to the UNIX top command, however it applies
2258 only to sandboxes.
2259
2260 Option --netstats prints network statistics for active sandboxes in‐
2261 stalling new network namespaces.
2262
2263 Listed below are the available fields (columns) in alphabetical order
2264 for --top and --netstats options:
2265
2266
2267 Command
2268 Command used to start the sandbox.
2269
2270 CPU% CPU usage, the sandbox share of the elapsed CPU time since the
2271 last screen update
2272
2273 PID Unique process ID for the task controlling the sandbox.
2274
2275 Prcs Number of processes running in sandbox, including the control‐
2276 ling process.
2277
2278 RES Resident Memory Size (KiB), sandbox non-swapped physical memory.
2279 It is a sum of the RES values for all processes running in the
2280 sandbox.
2281
2282 RX(KB/s)
2283 Network receive speed.
2284
2285 Sandbox Name
2286 The name of the sandbox, if any.
2287
2288 SHR Shared Memory Size (KiB), it reflects memory shared with other
2289 processes. It is a sum of the SHR values for all processes run‐
2290 ning in the sandbox, including the controlling process.
2291
2292 TX(KB/s)
2293 Network transmit speed.
2294
2295 Uptime Sandbox running time in hours:minutes:seconds format.
2296
2297 USER The owner of the sandbox.
2298
2299
2301 To configure a restricted shell, replace /bin/bash with /usr/bin/fire‐
2302 jail in /etc/passwd file for each user that needs to be restricted. Al‐
2303 ternatively, you can specify /usr/bin/firejail in adduser command:
2304
2305 adduser --shell /usr/bin/firejail username
2306
2307 Additional arguments passed to firejail executable upon login are de‐
2308 clared in /etc/firejail/login.users file.
2309
2310
2312 Several command line options can be passed to the program using profile
2313 files. Firejail chooses the profile file as follows:
2314
2315 1. If a profile file is provided by the user with --profile=FILE op‐
2316 tion, the profile FILE is loaded. If a profile name is given, it is
2317 searched for first in the ~/.config/firejail directory and if not found
2318 then in /etc/firejail directory. Profile names do not include the
2319 .profile suffix. If there is a file with the same name as the given
2320 profile name, it will be used instead of doing the profile search. To
2321 force a profile search, prefix the profile name with a colon (:), eg.
2322 --profile=:PROFILE_NAME. Example:
2323
2324 $ firejail --profile=/home/netblue/icecat.profile icecat
2325 Reading profile /home/netblue/icecat.profile
2326 [...]
2327
2328
2329 $ firejail --profile=icecat icecat-wrapper.sh
2330 Reading profile /etc/firejail/icecat.profile
2331 [...]
2332
2333 2. If a profile file with the same name as the application is present
2334 in ~/.config/firejail directory or in /etc/firejail, the profile is
2335 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
2336 ple:
2337
2338 $ firejail icecat
2339 Command name #icecat#
2340 Found icecat profile in /home/netblue/.config/firejail directory
2341 Reading profile /home/netblue/.config/firejail/icecat.profile
2342 [...]
2343
2344 3. Use default.profile file if the sandbox is started by a regular
2345 user, or server.profile file if the sandbox is started by root. Fire‐
2346 jail looks for these files in ~/.config/firejail directory, followed by
2347 /etc/firejail directory. To disable default profile loading, use --no‐
2348 profile command option. Example:
2349
2350 $ firejail
2351 Reading profile /etc/firejail/default.profile
2352 Parent pid 8553, child pid 8554
2353 Child process initialized
2354 [...]
2355
2356 $ firejail --noprofile
2357 Parent pid 8553, child pid 8554
2358 Child process initialized
2359 [...]
2360
2361 See man 5 firejail-profile for profile file syntax information.
2362
2364 Network bandwidth is an expensive resource shared among all sandboxes
2365 running on a system. Traffic shaping allows the user to increase net‐
2366 work performance by controlling the amount of data that flows into and
2367 out of the sandboxes.
2368
2369 Firejail implements a simple rate-limiting shaper based on Linux com‐
2370 mand tc. The shaper works at sandbox level, and can be used only for
2371 sandboxes configured with new network namespaces.
2372
2373 Set rate-limits:
2374
2375 $ firejail --bandwidth=name|pid set network download upload
2376
2377 Clear rate-limits:
2378
2379 $ firejail --bandwidth=name|pid clear network
2380
2381 Status:
2382
2383 $ firejail --bandwidth=name|pid status
2384
2385 where:
2386 name - sandbox name
2387 pid - sandbox pid
2388 network - network interface as used by --net option
2389 download - download speed in KB/s (kilobyte per second)
2390 upload - upload speed in KB/s (kilobyte per second)
2391
2392 Example:
2393 $ firejail --name=mybrowser --net=eth0 firefox &
2394 $ firejail --bandwidth=mybrowser set eth0 80 20
2395 $ firejail --bandwidth=mybrowser status
2396 $ firejail --bandwidth=mybrowser clear eth0
2397
2399 This program is free software; you can redistribute it and/or modify it
2400 under the terms of the GNU General Public License as published by the
2401 Free Software Foundation; either version 2 of the License, or (at your
2402 option) any later version.
2403
2404 Homepage: https://firejail.wordpress.com
2405
2407 firemon(1), firecfg(1), firejail-profile(5), firejail-login(5), fire‐
2408 jail-users(5), jailcheck(1)
2409
2410 ⟨https://github.com/netblue30/firejail/wiki⟩,
2411 ⟨https://github.com/netblue30/firejail⟩
2412
2413
2414
24150.9.66 Jul 2021 FIREJAIL(1)