1FIREJAIL(1)                    firejail man page                   FIREJAIL(1)
2
3
4

NAME

6       Firejail - Linux namespaces sandbox program
7

SYNOPSIS

9       Start a sandbox:
10
11              firejail [OPTIONS] [program and arguments]
12
13       Start an AppImage program:
14
15              firejail [OPTIONS] --appimage [appimage-file and arguments]
16
17       File transfer from an existing sandbox
18
19              firejail {--ls | --get | --put | --cat} dir_or_filename
20
21       Network traffic shaping for an existing sandbox:
22
23              firejail --bandwidth={name|pid} bandwidth-command
24
25       Monitoring:
26
27              firejail {--list | --netstats | --top | --tree}
28
29       Miscellaneous:
30
31              firejail  {-? | --debug-caps | --debug-errnos | --debug-syscalls
32              | --debug-syscalls32 | --debug-protocols | --help | --version}
33

DESCRIPTION

35       Firejail is a SUID sandbox program that reduces the  risk  of  security
36       breaches  by  restricting the running environment of untrusted applica‐
37       tions using Linux namespaces, seccomp-bpf and Linux  capabilities.   It
38       allows a process and all its descendants to have their own private view
39       of the globally shared kernel resources, such  as  the  network  stack,
40       process table, mount table.  Firejail can work in a SELinux or AppArmor
41       environment, and it is integrated with Linux Control Groups.
42
43       Written in C with virtually no dependencies, the software runs  on  any
44       Linux  computer with a 3.x kernel version or newer.  It can sandbox any
45       type of processes: servers, graphical applications, and even user login
46       sessions.
47
48       Firejail  allows the user to manage application security using security
49       profiles.  Each profile defines a set of permissions for a specific ap‐
50       plication or group of applications. The software includes security pro‐
51       files for a number of more common Linux programs, such as Mozilla Fire‐
52       fox, Chromium, VLC, Transmission etc.
53
54       Alternative  sandbox technologies like snap (https://snapcraft.io/) and
55       flatpak (https://flatpak.org/) are  not  supported.  Snap  and  flatpak
56       packages  have their own native management tools and will not work when
57       sandboxed with Firejail.
58
59

USAGE

61       Without any options, the sandbox consists of a filesystem  build  in  a
62       new  mount  namespace, and new PID and UTS namespaces. IPC, network and
63       user namespaces can be added using the command line  options.  The  de‐
64       fault Firejail filesystem is based on the host filesystem with the main
65       system directories mounted read-only. These directories are /etc, /var,
66       /usr,  /bin,  /sbin,  /lib,  /lib32, /libx32 and /lib64. Only /home and
67       /tmp are writable.
68
69       Upon execution Firejail first looks in ~/.config/firejail/ for  a  pro‐
70       file  and if it doesn't find one, it looks in /etc/firejail/.  For pro‐
71       file   resolution   detail    see    https://github.com/netblue30/fire
72       jail/wiki/Creating-Profiles#locations-and-types.    If  an  appropriate
73       profile is not found, Firejail will use a default profile.  The default
74       profile is quite restrictive. In case the application doesn't work, use
75       --noprofile option to disable it. For more information, please see  SE‐
76       CURITY PROFILES section below.
77
78       If a program argument is not specified, Firejail starts the user's pre‐
79       ferred shell.  Examples:
80
81       $ firejail [OPTIONS]                # starting the program specified in
82       $SHELL, usually /bin/bash
83
84       $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
85
86       # sudo firejail [OPTIONS] /etc/init.d/nginx start
87
88

OPTIONS

90       --     Signal  the  end of options and disables further option process‐
91              ing.
92
93       --allow-debuggers
94              Allow tools such  as  strace  and  gdb  inside  the  sandbox  by
95              whitelisting  system calls ptrace and process_vm_readv. This op‐
96              tion is only available when running  on  Linux  kernels  4.8  or
97              newer  - a kernel bug in ptrace system call allows a full bypass
98              of the seccomp filter.
99
100              Example:
101              $  firejail    --allow-debuggers   --profile=/etc/firejail/fire‐
102              fox.profile strace -f firefox
103
104       --allusers
105              All  directories  under /home are visible inside the sandbox. By
106              default, only current user home directory is visible.
107
108              Example:
109              $ firejail --allusers
110
111       --appimage
112              Sandbox an AppImage (https://appimage.org/) application. If  the
113              sandbox  is  started as a regular user, nonewprivs and a default
114              capabilities filter are enabled.   private-bin  and  private-lib
115              are disabled by default when running appimages.
116
117              Example:
118              $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
119              $      firejail     --appimage     --private     --profile=krita
120              krita-3.0-x86_64.appimage
121              $   firejail   --appimage   --net=none   --x11   --profile=krita
122              krita-3.0-x86_64.appimage
123
124       --bandwidth=name|pid
125              Set  bandwidth limits for the sandbox identified by name or PID,
126              see TRAFFIC SHAPING section for more details.
127
128       --bind=filename1,filename2
129              Mount-bind filename1 on top of filename2. This  option  is  only
130              available when running as root.
131
132              Example:
133              # firejail --bind=/config/etc/passwd,/etc/passwd
134
135       --blacklist=dirname_or_filename
136              Blacklist  directory  or  file.  File globbing is supported, see
137              FILE GLOBBING section for more details.
138
139              Example:
140              $ firejail --blacklist=/sbin --blacklist=/usr/sbin
141              $ firejail --blacklist=~/.mozilla
142              $ firejail "--blacklist=/home/username/My Virtual Machines"
143              $ firejail --blacklist=/home/username/My\ Virtual\ Machines
144
145       --build
146              The command builds a whitelisted profile. The profile is printed
147              on the screen. If /usr/bin/strace is installed on the system, it
148              also builds a whitelisted seccomp profile. The program is run in
149              a  very  relaxed sandbox, with only --caps.drop=all and --nonew‐
150              privs. Programs that raise user privileges are not supported  in
151              order  to  allow  strace  to  run.  Chromium  and Chromium-based
152              browsers will not work.
153
154              Example:
155              $ firejail --build vlc ~/Videos/test.mp4
156
157       --build=profile-file
158              The command builds a whitelisted profile, and saves it  in  pro‐
159              file-file.  If  /usr/bin/strace  is  installed on the system, it
160              also builds a whitelisted seccomp profile. The program is run in
161              a  very  relaxed sandbox, with only --caps.drop=all and --nonew‐
162              privs. Programs that raise user privileges are not supported  in
163              order  to  allow  strace  to  run.  Chromium  and Chromium-based
164              browsers will not work.
165
166              Example:
167              $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
168
169       -c     Login shell compatibility option. This option is use by some lo‐
170              gin  programs when executing the login shell, such as when fire‐
171              jail is used as a restricted login shell. It currently does  not
172              change the execution of firejail.
173
174       --caps Linux  capabilities is a kernel feature designed to split up the
175              root privilege into a set of distinct privileges.  These  privi‐
176              leges can be enabled or disabled independently, thus restricting
177              what a process running as root can do in the system.
178
179              By default root programs  run  with  all  capabilities  enabled.
180              --caps  option disables the following capabilities: CAP_SYS_MOD‐
181              ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
182              FIG,  CAP_SYSLOG,  CAP_MKNOD,  CAP_SYS_ADMIN.  The filter is ap‐
183              plied to all processes started in the sandbox.
184
185              Example:
186              $ sudo firejail --caps /etc/init.d/nginx start
187
188
189       --caps.drop=all
190              Drop all capabilities for the processes running in the  sandbox.
191              This option is recommended for running GUI programs or any other
192              program that doesn't require root privileges. It is a  must-have
193              option  for sandboxing untrusted programs installed from unoffi‐
194              cial sources - such as games, Java programs, etc.
195
196              Example:
197              $ firejail --caps.drop=all warzone2100
198
199
200       --caps.drop=capability,capability,capability
201              Define a custom blacklist Linux capabilities filter.
202
203              Example:
204              $ firejail --caps.drop=net_broadcast,net_admin,net_raw
205
206
207       --caps.keep=capability,capability,capability
208              Define a custom whitelist Linux capabilities filter.
209
210              Example:
211              $ sudo firejail --caps.keep=chown,net_bind_service,setgid,\  se‐
212              tuid /etc/init.d/nginx start
213
214
215       --caps.print=name|pid
216              Print  the  caps filter for the sandbox identified by name or by
217              PID.
218
219              Example:
220              $ firejail --name=mygame --caps.drop=all warzone2100 &
221              $ firejail --caps.print=mygame
222
223              Example:
224              $ firejail --list
225              3272:netblue::firejail --private firefox
226              $ firejail --caps.print=3272
227
228
229       --cat=name|pid filename
230              Print content of file from sandbox container, see FILE  TRANSFER
231              section for more details.
232
233       --cgroup=tasks-file
234              Place  the sandbox in the specified control group. tasks-file is
235              the full path of cgroup tasks file.
236
237              Example:
238              # firejail --cgroup=/sys/fs/cgroup/g1/tasks
239
240       --chroot=dirname
241              Chroot the sandbox into a root filesystem.  Unlike  the  regular
242              filesystem  container,  the system directories are mounted read-
243              write. If the sandbox is started as a regular  user,  nonewprivs
244              and a default capabilities filter are enabled.
245
246              Example:
247              $ firejail --chroot=/media/ubuntu warzone2100
248
249       --cpu=cpu-number,cpu-number,cpu-number
250              Set CPU affinity.
251
252              Example:
253              $ firejail --cpu=0,1 handbrake
254
255
256       --cpu.print=name|pid
257              Print  the CPU cores in use by the sandbox identified by name or
258              by PID.
259
260              Example:
261              $ firejail --name=mygame --caps.drop=all warzone2100 &
262              $ firejail --cpu.print=mygame
263
264              Example:
265              $ firejail --list
266              3272:netblue::firejail --private firefox
267              $ firejail --cpu.print=3272
268
269       --dbus-log=file
270              Specify the location for the DBus log file.
271
272              The log file contains events for both  the  system  and  session
273              buses  if  both of the --dbus-system.log and --dbus-user.log op‐
274              tions are specified. If no log file  path  is  given,  logs  are
275              written to the standard output instead.
276
277              Example:
278              $ firejail --dbus-system=filter --dbus-system.log \
279              --dbus-log=dbus.txt
280
281
282       --dbus-system=filter|none
283              Set system DBus sandboxing policy.
284
285              The  filter  policy  enables the system DBus filter. This option
286              requires installing the xdg-dbus-proxy utility. Permissions  for
287              well-known  can  be  specified  with  the --dbus-system.talk and
288              --dbus-system.own options.
289
290              The none policy disables access to the system DBus.
291
292              Only the regular system DBus UNIX socket is handled by this  op‐
293              tion. To disable the abstract sockets (and force applications to
294              use the filtered UNIX socket) you would need to  request  a  new
295              network  namespace using --net command. Another option is to re‐
296              move unix from the --protocol set.
297
298              Example:
299              $ firejail --dbus-system=none
300
301
302       --dbus-system.broadcast=name=[member][@path]
303              Allows  the  application  to  receive  broadcast  signals   from
304              theindicated  interface  member at the indicated object path ex‐
305              posed by the indicated bus name on the system  DBus.   The  name
306              may have a .* suffix to match all names underneath it, including
307              itself.  The interface member may have a .* to match all members
308              of  an interface, or be * to match all interfaces.  The path may
309              have a /* suffix to indicate all objects underneath it,  includ‐
310              ing  itself.   Omitting  the interface member or the object path
311              will match all members and object paths, respectively.
312
313              Example:
314              $ firejail --dbus-system=filter --dbus-system.broadcast=\
315              org.freedesktop.Notifications=\
316              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
317
318
319       --dbus-system.call=name=[member][@path]
320              Allows the application to call the indicated interface member at
321              the  indicated  object path exposed by the indicated bus name on
322              the system DBus.  The name may have a .*  suffix  to  match  all
323              names underneath it, including itself.  The interface member may
324              have a .* to match all members of an interface, or be * to match
325              all  interfaces.   The path may have a /* suffix to indicate all
326              objects underneath it, including itself.  Omitting the interface
327              member  or  the  object  path  will match all members and object
328              paths, respectively.
329
330              Example:
331              $ firejail --dbus-system=filter --dbus-system.call=\
332              org.freedesktop.Notifications=\
333              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
334
335
336       --dbus-system.log
337              Turn on DBus logging for the system DBus. This  option  requires
338              --dbus-system=filter.
339
340              Example:
341              $ firejail --dbus-system=filter --dbus-system.log
342
343
344       --dbus-system.own=name
345              Allows  the  application to own the specified well-known name on
346              the system DBus.  The name may have a .*  suffix  to  match  all
347              names  underneath it, including itself (e.g. "foo.bar.*" matches
348              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
349              bar").
350
351              Example:
352              $ firejail --dbus-system=filter --dbus-system.own=\
353              org.gnome.ghex.*
354
355
356       --dbus-system.see=name
357              Allows  the  application  to  see, but not talk to the specified
358              well-known name on the system DBus.  The name may have a .* suf‐
359              fix  to  match  all  names underneath it, including itself (e.g.
360              "foo.bar.*"     matches     "foo.bar",     "foo.bar.baz"     and
361              "foo.bar.baz.quux", but not "foobar").
362
363              Example:
364              $ firejail --dbus-system=filter --dbus-system.see=\
365              org.freedesktop.Notifications
366
367
368       --dbus-system.talk=name
369              Allows  the application to talk to the specified well-known name
370              on the system DBus.  The name may have a .* suffix to match  all
371              names  underneath it, including itself (e.g. "foo.bar.*" matches
372              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
373              bar").
374
375              Example:
376              $ firejail --dbus-system=filter --dbus-system.talk=\
377              org.freedesktop.Notifications
378
379
380       --dbus-user=filter|none
381              Set session DBus sandboxing policy.
382
383              The  filter  policy enables the session DBus filter. This option
384              requires installing the xdg-dbus-proxy utility. Permissions  for
385              well-known  names  can  be  added  with the --dbus-user.talk and
386              --dbus-user.own options.
387
388              The none policy disables access to the session DBus.
389
390              Only the regular session DBus UNIX socket is handled by this op‐
391              tion. To disable the abstract sockets (and force applications to
392              use the filtered UNIX socket) you would need to  request  a  new
393              network  namespace using --net command. Another option is to re‐
394              move unix from the --protocol set.
395
396              Example:
397              $ firejail --dbus-user=none
398
399
400       --dbus-user.broadcast=name=[member][@path]
401              Allows  the  application  to  receive  broadcast  signals   from
402              theindicated  interface  member at the indicated object path ex‐
403              posed by the indicated bus name on the session DBus.   The  name
404              may have a .* suffix to match all names underneath it, including
405              itself.  The interface member may have a .* to match all members
406              of  an interface, or be * to match all interfaces.  The path may
407              have a /* suffix to indicate all objects underneath it,  includ‐
408              ing  itself.   Omitting  the interface member or the object path
409              will match all members and object paths, respectively.
410
411              Example:
412              $ firejail --dbus-user=filter --dbus-user.broadcast=\
413              org.freedesktop.Notifications=\
414              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
415
416
417       --dbus-user.call=name=[member][@path]
418              Allows the application to call the indicated interface member at
419              the  indicated  object path exposed by the indicated bus name on
420              the session DBus.  The name may have a .* suffix  to  match  all
421              names underneath it, including itself.  The interface member may
422              have a .* to match all members of an interface, or be * to match
423              all  interfaces.   The path may have a /* suffix to indicate all
424              objects underneath it, including itself.  Omitting the interface
425              member  or  the  object  path  will match all members and object
426              paths, respectively.
427
428              Example:
429              $ firejail --dbus-user=filter --dbus-user.call=\
430              org.freedesktop.Notifications=\
431              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
432
433
434       --dbus-user.log
435              Turn on DBus logging for the session DBus. This option  requires
436              --dbus-user=filter.
437
438              Example:
439              $ firejail --dbus-user=filter --dbus-user.log
440
441
442       --dbus-user.own=name
443              Allows  the  application to own the specified well-known name on
444              the session DBus.  The name may have a .* suffix  to  match  all
445              names  underneath it, including itself (e.g. "foo.bar.*" matches
446              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
447              bar").
448
449              Example:
450              $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
451
452
453       --dbus-user.talk=name
454              Allows  the application to talk to the specified well-known name
455              on the session DBus.  The name may have a .* suffix to match all
456              names  underneath it, including itself (e.g. "foo.bar.*" matches
457              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
458              bar").
459
460              Example:
461              $ firejail --dbus-user=filter --dbus-user.talk=\
462              org.freedesktop.Notifications
463
464
465       --dbus-user.see=name
466              Allows  the  application  to  see, but not talk to the specified
467              well-known name on the session DBus.  The name  may  have  a  .*
468              suffix  to match all names underneath it, including itself (e.g.
469              "foo.bar.*"     matches     "foo.bar",     "foo.bar.baz"     and
470              "foo.bar.baz.quux", but not "foobar").
471
472              Example:
473              $ firejail --dbus-user=filter --dbus-user.see=\
474              org.freedesktop.Notifications
475
476       --debug
477              Print debug messages.
478
479              Example:
480              $ firejail --debug firefox
481
482
483       --debug-blacklists
484              Debug blacklisting.
485
486              Example:
487              $ firejail --debug-blacklists firefox
488
489
490       --debug-caps
491              Print  all recognized capabilities in the current Firejail soft‐
492              ware build and exit.
493
494              Example:
495              $ firejail --debug-caps
496
497
498       --debug-errnos
499              Print all recognized error numbers in the current Firejail soft‐
500              ware build and exit.
501
502              Example:
503              $ firejail --debug-errnos
504
505       --debug-private-lib
506              Debug messages for --private-lib option.
507
508       --debug-protocols
509              Print  all recognized protocols in the current Firejail software
510              build and exit.
511
512              Example:
513              $ firejail --debug-protocols
514
515       --debug-syscalls
516              Print all recognized system calls in the current Firejail  soft‐
517              ware build and exit.
518
519              Example:
520              $ firejail --debug-syscalls
521
522       --debug-syscalls32
523              Print all recognized 32 bit system calls in the current Firejail
524              software build and exit.
525
526       --debug-whitelists
527              Debug whitelisting.
528
529              Example:
530              $ firejail --debug-whitelists firefox
531
532       --defaultgw=address
533              Use this address as default gateway in  the  new  network  name‐
534              space.
535
536              Example:
537              $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
538
539       --deterministic-exit-code
540              Always exit firejail with the first child's exit status. The de‐
541              fault behavior is to use the exit status of the final  child  to
542              exit, which can be nondeterministic.
543
544       --disable-mnt
545              Blacklist /mnt, /media, /run/mount and /run/media access.
546
547              Example:
548              $ firejail --disable-mnt firefox
549
550
551       --dns=address
552              Set a DNS server for the sandbox. Up to three DNS servers can be
553              defined.  Use this option if you don't trust the  DNS  setup  on
554              your network.
555
556              Example:
557              $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
558
559              Note: this feature is not supported on systemd-resolved setups.
560
561       --dns.print=name|pid
562              Print  DNS  configuration for a sandbox identified by name or by
563              PID.
564
565              Example:
566              $ firejail --name=mygame --caps.drop=all warzone2100 &
567              $ firejail --dns.print=mygame
568
569              Example:
570              $ firejail --list
571              3272:netblue::firejail --private firefox
572              $ firejail --dns.print=3272
573
574
575       --env=name=value
576              Set environment variable in the new sandbox.
577
578              Example:
579              $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
580
581
582       --fs.print=name|pid
583              Print the filesystem log for the sandbox identified by  name  or
584              by PID.
585
586              Example:
587              $ firejail --name=mygame --caps.drop=all warzone2100 &
588              $ firejail --fs.print=mygame
589
590              Example:
591              $ firejail --list
592              3272:netblue::firejail --private firefox
593              $ firejail --fs.print=3272
594
595
596       --get=name|pid filename
597              Get a file from sandbox container, see FILE TRANSFER section for
598              more details.
599
600       -?, --help
601              Print options end exit.
602
603
604
605       --hostname=name
606              Set sandbox hostname.
607
608              Example:
609              $ firejail --hostname=officepc firefox
610
611
612       --hosts-file=file
613              Use file as /etc/hosts.
614
615              Example:
616              $ firejail --hosts-file=~/myhosts firefox
617
618
619       --ignore=command
620              Ignore command in profile file.
621
622              Example:
623              $ firejail --ignore=shell --ignore=seccomp firefox
624              $ firejail --ignore="net eth0" firefox
625
626
627       --include=file.profile
628              Include a profile file before the regular profiles are used.
629
630              Example:
631              $ firejail --include=/etc/firejail/disable-devel.inc gedit
632
633
634       --interface=interface
635              Move interface in a new network namespace. Up to  four  --inter‐
636              face  options can be specified.  Note: wlan devices are not sup‐
637              ported for this option.
638
639              Example:
640              $ firejail --interface=eth1 --interface=eth0.vlan100
641
642
643       --ip=address
644              Assign IP addresses to the last network interface defined  by  a
645              --net option. A default gateway is assigned by default.
646
647              Example:
648              $ firejail --net=eth0 --ip=10.10.20.56 firefox
649
650
651       --ip=none
652              No IP address and no default gateway are configured for the last
653              interface defined by a --net option. Use this option in case you
654              intend to start an external DHCP client in the sandbox.
655
656              Example:
657              $ firejail --net=eth0 --ip=none
658
659              If  the  corresponding interface doesn't have an IP address con‐
660              figured, this option is enabled by default.
661
662
663       --ip=dhcp
664              Acquire an IP address and default gateway for the last interface
665              defined  by  a  --net option, as well as set the DNS servers ac‐
666              cording to the DHCP response.   This  option  requires  the  ISC
667              dhclient DHCP client to be installed and will start it automati‐
668              cally inside the sandbox.
669
670              Example:
671              $ firejail --net=br0 --ip=dhcp
672
673              This option should not be used in conjunction with the --dns op‐
674              tion  if the DHCP server is set to configure DNS servers for the
675              clients, because the manually  specified  DNS  servers  will  be
676              overwritten.
677
678              The DHCP client will NOT release the DHCP lease when the sandbox
679              terminates.  If your DHCP server requires leases to  be  explic‐
680              itly  released, consider running a DHCP client and releasing the
681              lease manually in conjunction with the --net=none option.
682
683
684       --ip6=address
685              Assign IPv6 addresses to the last network interface defined by a
686              --net option.
687
688              Example:
689              $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
690
691              Note:  you don't need this option if you obtain your ip6 address
692              from router via SLAAC (your ip6 address and default  route  will
693              be configured by kernel automatically).
694
695
696       --ip6=dhcp
697              Acquire  an IPv6 address and default gateway for the last inter‐
698              face defined by a --net option, as well as set the  DNS  servers
699              according  to  the  DHCP response.  This option requires the ISC
700              dhclient DHCP client to be installed and will start it automati‐
701              cally inside the sandbox.
702
703              Example:
704              $ firejail --net=br0 --ip6=dhcp
705
706              This option should not be used in conjunction with the --dns op‐
707              tion if the DHCP server is set to configure DNS servers for  the
708              clients,  because  the  manually  specified  DNS servers will be
709              overwritten.
710
711              The DHCP client will NOT release the DHCP lease when the sandbox
712              terminates.   If  your DHCP server requires leases to be explic‐
713              itly released, consider running a DHCP client and releasing  the
714              lease manually.
715
716
717       --iprange=address,address
718              Assign  an  IP address in the provided range to the last network
719              interface defined by a --net option. A default  gateway  is  as‐
720              signed by default.
721
722              Example:
723              $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
724
725
726       --ipc-namespace
727              Enable  a new IPC namespace if the sandbox was started as a reg‐
728              ular user. IPC namespace is enabled  by  default  for  sandboxes
729              started as root.
730
731              Example:
732              $ firejail --ipc-namespace firefox
733
734       --join=name|pid
735              Join  the  sandbox  identified  by  name or by PID. By default a
736              /bin/bash shell is started after joining the sandbox.  If a pro‐
737              gram  is specified, the program is run in the sandbox. If --join
738              command is issued as a regular user, all  security  filters  are
739              configured  for  the new process the same they are configured in
740              the sandbox.  If --join command is issued as root, the  security
741              filters,  cgroups and cpus configurations are not applied to the
742              process joining the sandbox.
743
744              Example:
745              $ firejail --name=mygame --caps.drop=all warzone2100 &
746              $ firejail --join=mygame
747
748              Example:
749              $ firejail --list
750              3272:netblue::firejail --private firefox
751              $ firejail --join=3272
752
753
754       --join-filesystem=name|pid
755              Join the mount namespace of the sandbox identified  by  name  or
756              PID.  By  default a /bin/bash shell is started after joining the
757              sandbox.  If a program is specified, the program is run  in  the
758              sandbox.  This command is available only to root user.  Security
759              filters, cgroups and cpus configurations are not applied to  the
760              process joining the sandbox.
761
762       --join-network=name|pid
763              Join the network namespace of the sandbox identified by name. By
764              default a /bin/bash shell is started after joining the  sandbox.
765              If  a  program  is specified, the program is run in the sandbox.
766              This command is available only to root user.  Security  filters,
767              cgroups  and  cpus configurations are not applied to the process
768              joining the sandbox. Example:
769
770              # start firefox
771              $ firejail --net=eth0 --name=browser firefox &
772
773              # change netfilter configuration
774              $ sudo firejail --join-network=browser bash -c  "cat  /etc/fire‐
775              jail/nolocal.net | /sbin/iptables-restore"
776
777              # verify netfilter configuration
778              $ sudo firejail --join-network=browser /sbin/iptables -vL
779
780              # verify  IP addresses
781              $ sudo firejail --join-network=browser ip addr
782              Switching  to pid 1932, the first child process inside the sand‐
783              box
784              1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state  UN‐
785              KNOWN group default
786                  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
787                  inet 127.0.0.1/8 scope host lo
788                     valid_lft forever preferred_lft forever
789                  inet6 ::1/128 scope host
790                     valid_lft forever preferred_lft forever
791              2:  eth0-1931:  <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
792              noqueue state UNKNOWN group default
793                  link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
794                  inet  192.168.1.158/24  brd   192.168.1.255   scope   global
795              eth0-1931
796                     valid_lft forever preferred_lft forever
797                  inet6 fe80::7458:14ff:fe42:78e4/64 scope link
798                     valid_lft forever preferred_lft forever
799
800       --join-or-start=name
801              Join the sandbox identified by name or start a new one.  Same as
802              "firejail --join=name" if sandbox with  specified  name  exists,
803              otherwise same as "firejail --name=name ..."
804              Note  that in contrary to other join options there is respective
805              profile option.
806
807
808       --keep-config-pulse
809              Disable automatic ~/.config/pulse init, for complex setups  such
810              as remote pulse servers or non-standard socket paths.
811
812              Example:
813              $ firejail --keep-config-pulse firefox
814
815
816       --keep-dev-shm
817              /dev/shm directory is untouched (even with --private-dev)
818
819              Example:
820              $ firejail --keep-dev-shm --private-dev
821
822
823       --keep-var-tmp
824              /var/tmp directory is untouched.
825
826              Example:
827              $ firejail --keep-var-tmp
828
829
830       --list List all sandboxes, see MONITORING section for more details.
831
832              Example:
833              $ firejail --list
834              7015:netblue:browser:firejail firefox
835              7056:netblue:torrent:firejail --net=eth0 transmission-gtk
836              7064:netblue::firejail --noroot xterm
837
838       --ls=name|pid dir_or_filename
839              List  files  in sandbox container, see FILE TRANSFER section for
840              more details.
841
842       --mac=address
843              Assign MAC addresses to the last network interface defined by  a
844              --net  option.  This option is not supported for wireless inter‐
845              faces.
846
847              Example:
848              $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
849
850       --machine-id
851              Spoof id number in /etc/machine-id file - a  new  random  id  is
852              generated  inside the sandbox.  Note that this breaks audio sup‐
853              port. Enable it when sound is not required.
854
855              Example:
856              $ firejail --machine-id
857
858
859       --mkdir=dirname
860              Create a directory in user home. Parent directories are  created
861              as needed.
862
863              Example:
864              $ firejail --mkdir=~/work/project
865
866
867       --mkfile=filename
868              Create an empty file in user home.
869
870              Example:
871              $ firejail --mkfile=~/work/project/readme
872
873
874       --memory-deny-write-execute
875              Install a seccomp filter to block attempts to create memory map‐
876              pings that are both writable and executable, to change  mappings
877              to  be  executable,  or  to create executable shared memory. The
878              filter  examines  the  arguments  of  mmap,   mmap2,   mprotect,
879              pkey_mprotect,  memfd_create  and shmat system calls and returns
880              error EPERM to the process (or kills it or log the attempt,  see
881              --seccomp-error-action below) if necessary.
882
883              Note:  shmat  is  not implemented as a system call on some plat‐
884              forms including i386, and it cannot be handled by seccomp-bpf.
885
886       --mtu=number
887              Assign a MTU value to the last network interface  defined  by  a
888              --net option.
889
890              Example:
891              $ firejail --net=eth0 --mtu=1492
892
893       --name=name
894              Set  sandbox  name.  Several options, such as --join and --shut‐
895              down, can use this name to identify a sandbox.
896
897              In case the name supplied by the user is already in use  by  an‐
898              other  sandbox,  Firejail  will assign a new name as "name-PID",
899              where PID is the process ID of the sandbox.  This  functionality
900              can  be  disabled  at  run time in /etc/firejail/firejail.config
901              file, by setting "name-change" flag to "no".
902
903              Example:
904              $ firejail --name=browser firefox &
905              $ firejail --name=browser --private firefox --no-remote &
906              $ firejail --list
907              1198:netblue:browser:firejail --name=browser firefox
908              1312:netblue:browser-1312:firejail   --name=browser    --private
909              firefox --no-remote
910
911       --net=bridge_interface
912              Enable a new network namespace and connect it to this bridge in‐
913              terface.  Unless specified with option --ip and --defaultgw,  an
914              IP  address and a default gateway will be assigned automatically
915              to the sandbox. The IP address is verified using ARP before  as‐
916              signment.  The  address  configured  as  default  gateway is the
917              bridge device IP address. Up to four --net options can be speci‐
918              fied.
919
920              Example:
921              $ sudo brctl addbr br0
922              $ sudo ifconfig br0 10.10.20.1/24
923              $ sudo brctl addbr br1
924              $ sudo ifconfig br1 10.10.30.1/24
925              $ firejail --net=br0 --net=br1
926
927
928       --net=ethernet_interface|wireless_interface
929              Enable  a  new network namespace and connect it to this ethernet
930              interface using the standard Linux macvlan|ipvaln driver. Unless
931              specified  with option --ip and --defaultgw, an IP address and a
932              default gateway will be assigned automatically to  the  sandbox.
933              The  IP address is verified using ARP before assignment. The ad‐
934              dress configured as default gateway is the  default  gateway  of
935              the  host.  Up  to four --net options can be specified.  Support
936              for ipvlan driver was introduced in Linux kernel 3.19.
937
938              Example:
939              $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
940              $ firejail --net=wlan0 firefox
941
942       --net=none
943              Enable a new, unconnected network namespace. The only  interface
944              available in the new namespace is a new loopback interface (lo).
945              Use this option to deny network access to  programs  that  don't
946              really need network access.
947
948              Example:
949              $ firejail --net=none vlc
950
951              Note:  --net=none  can  crash the application on some platforms.
952              In these cases, it can be replaced with --protocol=unix.
953
954       --net=tap_interface
955              Enable a new network namespace and connect it to  this  ethernet
956              tap  interface  using  the standard Linux macvlan driver. If the
957              tap interface is not configured, the sandbox  will  not  try  to
958              configure  the  interface  inside the sandbox.  Please use --ip,
959              --netmask and --defaultgw to specify the configuration.
960
961              Example:
962              $ firejail --net=tap0  --ip=10.10.20.80  --netmask=255.255.255.0
963              --defaultgw=10.10.20.1 firefox
964
965
966       --net.print=name|pid
967              If  a  new network namespace is enabled, print network interface
968              configuration for the sandbox specified by name or PID. Example:
969
970              $ firejail --net.print=browser
971              Switching to pid 1853, the first child process inside the  sand‐
972              box
973              Interface  MAC               IP            Mask        Status
974              lo                           127.0.0.1     255.0.0.0     UP
975              eth0-1852  5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
976
977
978       --netfilter
979              Enable  a default firewall if a new network namespace is created
980              inside the sandbox.  This option has no effect for sandboxes us‐
981              ing the system network namespace.
982
983              The  default  firewall is optimized for regular desktop applica‐
984              tions. No incoming connections are accepted:
985
986              *filter
987              :INPUT DROP [0:0]
988              :FORWARD DROP [0:0]
989              :OUTPUT ACCEPT [0:0]
990              -A INPUT -i lo -j ACCEPT
991              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
992              # allow ping
993              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
994              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
995              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
996              # drop STUN (WebRTC) requests
997              -A OUTPUT -p udp --dport 3478 -j DROP
998              -A OUTPUT -p udp --dport 3479 -j DROP
999              -A OUTPUT -p tcp --dport 3478 -j DROP
1000              -A OUTPUT -p tcp --dport 3479 -j DROP
1001              COMMIT
1002
1003              Example:
1004              $ firejail --net=eth0 --netfilter firefox
1005
1006       --netfilter=filename
1007              Enable the firewall specified by filename if a new network name‐
1008              space  is created inside the sandbox.  This option has no effect
1009              for sandboxes using the system network namespace.
1010
1011              Please use the regular iptables-save/iptables-restore format for
1012              the  filter  file.  The  following  examples  are  available  in
1013              /etc/firejail directory:
1014
1015              webserver.net is a webserver firewall that allows access only to
1016              TCP ports 80 and 443.  Example:
1017
1018              $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
1019              /etc/init.d/apache2 start
1020
1021              nolocal.net/nolocal6.net  is a desktop client firewall that dis‐
1022              able access to local network. Example:
1023
1024              $ firejail --netfilter=/etc/firejail/nolocal.net \
1025              --net=eth0 firefox
1026
1027
1028       --netfilter=filename,arg1,arg2,arg3 ...
1029              This is the template version of  the  previous  command.  $ARG1,
1030              $ARG2,  $ARG3 ... in the firewall script are replaced with arg1,
1031              arg2, arg3 ... passed on the command line. Up  to  16  arguments
1032              are supported.  Example:
1033
1034              $ firejail --net=eth0 --ip=192.168.1.105 \
1035              --netfilter=/etc/firejail/tcpserver.net,5001 server-program
1036
1037
1038       --netfilter.print=name|pid
1039              Print the firewall installed in the sandbox specified by name or
1040              PID. Example:
1041
1042              $ firejail --name=browser --net=eth0 --netfilter firefox &
1043              $ firejail --netfilter.print=browser
1044
1045
1046       --netfilter6=filename
1047              Enable the IPv6 firewall specified by filename if a new  network
1048              namespace is created inside the sandbox.  This option has no ef‐
1049              fect for sandboxes using the system network  namespace.   Please
1050              use  the  regular  iptables-save/iptables-restore format for the
1051              filter file.
1052
1053
1054       --netfilter6.print=name|pid
1055              Print the IPv6 firewall installed in the  sandbox  specified  by
1056              name or PID. Example:
1057
1058              $ firejail --name=browser --net=eth0 --netfilter firefox &
1059              $ firejail --netfilter6.print=browser
1060
1061
1062       --netmask=address
1063              Use  this  option when you want to assign an IP address in a new
1064              namespace and the parent interface specified  by  --net  is  not
1065              configured.  An  IP  address  and a default gateway address also
1066              have to be added. By default the new namespace  interface  comes
1067              without IP address and default gateway configured. Example:
1068
1069              $ sudo /sbin/brctl addbr br0
1070              $ sudo /sbin/ifconfig br0 up
1071              $   firejail   --ip=10.10.20.67   --netmask=255.255.255.0  --de‐
1072              faultgw=10.10.20.1
1073
1074
1075       --netns=name
1076              Run the program in a named, persistent network namespace.  These
1077              can be created and configured using "ip netns".
1078
1079
1080       --netstats
1081              Monitor network namespace statistics, see MONITORING section for
1082              more details.
1083
1084              Example:
1085
1086              $ firejail --netstats
1087              PID  User    RX(KB/s) TX(KB/s) Command
1088              1294 netblue 53.355   1.473    firejail --net=eth0 firefox
1089              7383 netblue 9.045    0.112    firejail --net=eth0 transmission
1090
1091       --nice=value
1092              Set nice value for all processes  running  inside  the  sandbox.
1093              Only root may specify a negative value.
1094
1095              Example:
1096              $ firejail --nice=2 firefox
1097
1098
1099       --no3d Disable 3D hardware acceleration.
1100
1101              Example:
1102              $ firejail --no3d firefox
1103
1104
1105       --noautopulse (deprecated)
1106              See --keep-config-pulse.
1107
1108
1109       --noblacklist=dirname_or_filename
1110              Disable blacklist for this directory or file.
1111
1112              Example:
1113              $ firejail
1114              $ nc dict.org 2628
1115              bash: /bin/nc: Permission denied
1116              $ exit
1117
1118              $ firejail --noblacklist=/bin/nc
1119              $ nc dict.org 2628
1120              220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1121
1122       --nodbus (deprecated)
1123              Disable D-Bus access (both system and session buses). Equivalent
1124              to --dbus-system=none --dbus-user=none.
1125
1126              Example:
1127              $ firejail --nodbus --net=none
1128
1129       --nodvd
1130              Disable DVD and audio CD devices.
1131
1132              Example:
1133              $ firejail --nodvd
1134
1135       --noinput
1136              Disable input devices.
1137
1138              Example:
1139              $ firejail --noinput
1140
1141       --noexec=dirname_or_filename
1142              Remount directory or file noexec, nodev and nosuid.  File  glob‐
1143              bing is supported, see FILE GLOBBING section for more details.
1144
1145              Example:
1146              $ firejail --noexec=/tmp
1147
1148              /etc  and  /var are noexec by default if the sandbox was started
1149              as a regular user.
1150
1151
1152       --nogroups
1153              Disable supplementary groups. Without this option, supplementary
1154              groups  are  enabled for the user starting the sandbox. For root
1155              user supplementary groups are always disabled.
1156
1157              Note: By default all regular user groups are  removed  with  the
1158              exception  of  the current user. This can be changed using --al‐
1159              lusers command option.
1160
1161              Example:
1162              $ id
1163              uid=1000(netblue)       gid=1000(netblue)       groups=1000(net‐
1164              blue),24(cdrom),25(floppy),27(sudo),29(audio)
1165              $ firejail --nogroups
1166              Parent pid 8704, child pid 8705
1167              Child process initialized
1168              $ id
1169              uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
1170              $
1171
1172
1173       --nonewprivs
1174              Sets  the NO_NEW_PRIVS prctl.  This ensures that child processes
1175              cannot acquire new privileges using execve(2);   in  particular,
1176              this means that calling a suid binary (or one with file capabil‐
1177              ities) does not result in an increase of privilege. This  option
1178              is enabled by default if seccomp filter is activated.
1179
1180
1181       --noprofile
1182              Do not use a security profile.
1183
1184              Example:
1185              $ firejail
1186              Reading profile /etc/firejail/default.profile
1187              Parent pid 8553, child pid 8554
1188              Child process initialized
1189              [...]
1190
1191              $ firejail --noprofile
1192              Parent pid 8553, child pid 8554
1193              Child process initialized
1194              [...]
1195
1196       --noroot
1197              Install  a user namespace with a single user - the current user.
1198              root user does not exist in the new namespace. This  option  re‐
1199              quires  a  Linux  kernel version 3.8 or newer. The option is not
1200              supported for --chroot  and  --overlay  configurations,  or  for
1201              sandboxes started as root.
1202
1203              Example:
1204              $ firejail --noroot
1205              Parent pid 8553, child pid 8554
1206              Child process initialized
1207              $ ping google.com
1208              ping: icmp open socket: Operation not permitted
1209              $
1210
1211       --nosound
1212              Disable sound system.
1213
1214              Example:
1215              $ firejail --nosound firefox
1216
1217
1218       --notv Disable DVB (Digital Video Broadcasting) TV devices.
1219
1220              Example:
1221              $ firejail --notv vlc
1222
1223
1224       --nou2f
1225              Disable U2F devices.
1226
1227              Example:
1228              $ firejail --nou2f
1229
1230
1231       --novideo
1232              Disable video devices.
1233
1234
1235       --nowhitelist=dirname_or_filename
1236              Disable whitelist for this directory or file.
1237
1238
1239       --output=logfile
1240              stdout  logging  and  log  rotation. Copy stdout to logfile, and
1241              keep the size of the file under 500KB using log  rotation.  Five
1242              files with prefixes .1 to .5 are used in rotation.
1243
1244              Example:
1245              $ firejail --output=sandboxlog /bin/bash
1246              [...]
1247              $ ls -l sandboxlog*
1248              -rw-r--r-- 1 netblue netblue 333890 Jun  2 07:48 sandboxlog
1249              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.1
1250              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.2
1251              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.3
1252              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.4
1253              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.5
1254
1255
1256       --output-stderr=logfile
1257              Similar to --output, but stderr is also stored.
1258
1259
1260       --private
1261              Mount new /root and /home/user directories in temporary filesys‐
1262              tems. All  modifications  are  discarded  when  the  sandbox  is
1263              closed.
1264
1265              Example:
1266              $ firejail --private firefox
1267
1268
1269       --private=directory
1270              Use  directory  as user home.  --private and --private=directory
1271              cannot be used together.
1272
1273              Example:
1274              $ firejail --private=/home/netblue/firefox-home firefox
1275
1276
1277       --private-bin=file,file
1278              Build a new /bin in a temporary filesystem, and  copy  the  pro‐
1279              grams  in  the list.  The files in the list must be expressed as
1280              relative to the /bin, /sbin, /usr/bin,  /usr/sbin,  or  /usr/lo‐
1281              cal/bin  directories.  If no listed files are found, /bin direc‐
1282              tory will be empty.  The same  directory  is  also  bind-mounted
1283              over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.  All modifi‐
1284              cations are discarded when the sandbox is closed. File  globbing
1285              is supported, see FILE GLOBBING section for more details.
1286
1287              Example:
1288              $ firejail --private-bin=bash,sed,ls,cat
1289              Parent pid 20841, child pid 20842
1290              Child process initialized
1291              $ ls /bin
1292              bash  cat  ls  sed
1293
1294
1295       --private-cache
1296              Mount  an empty temporary filesystem on top of the .cache direc‐
1297              tory in user home. All  modifications  are  discarded  when  the
1298              sandbox is closed.
1299
1300              Example:
1301              $ firejail --private-cache openbox
1302
1303
1304       --private-cwd
1305              Set  working  directory  inside  jail to the home directory, and
1306              failing that, the root directory.
1307              Does not impact working directory of profile include paths.
1308
1309              Example:
1310              $ pwd
1311              /tmp
1312              $ firejail --private-cwd
1313              $ pwd
1314              /home/user
1315
1316
1317       --private-cwd=directory
1318              Set working directory inside the jail.
1319              Does not impact working directory of profile include paths.
1320
1321              Example:
1322              $ pwd
1323              /tmp
1324              $ firejail --private-cwd=/opt
1325              $ pwd
1326              /opt
1327
1328
1329       --private-dev
1330              Create a new /dev directory. Only disc, dri, dvb, hidraw,  null,
1331              full,  zero,  tty,  pts, ptmx, random, snd, urandom, video, log,
1332              shm and usb devices are  available.   Use  the  options  --no3d,
1333              --nodvd, --nosound, --notv, --nou2f and --novideo for additional
1334              restrictions.
1335
1336              Example:
1337              $ firejail --private-dev
1338              Parent pid 9887, child pid 9888
1339              Child process initialized
1340              $ ls /dev
1341              cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random
1342              shm  snd  sr0  tty  urandom  zero
1343              $
1344
1345       --private-etc=file,directory
1346              Build  a  new /etc in a temporary filesystem, and copy the files
1347              and directories in the list.  The files and directories  in  the
1348              list  must be expressed as relative to the /etc directory (e.g.,
1349              /etc/foo must be expressed as foo).  If no listed file is found,
1350              /etc  directory  will be empty.  All modifications are discarded
1351              when the sandbox is closed.
1352
1353              Example:
1354              $ firejail --private-etc=group,hostname,localtime, \
1355              nsswitch.conf,passwd,resolv.conf
1356
1357       --private-home=file,directory
1358              Build a new user home in a temporary filesystem,  and  copy  the
1359              files  and  directories  in the list in the new home.  The files
1360              and directories in the list must be expressed as relative to the
1361              current  user's home directory.  All modifications are discarded
1362              when the sandbox is closed.
1363
1364              Example:
1365              $ firejail --private-home=.mozilla firefox
1366
1367       --private-lib=file,directory
1368              This feature is currently under heavy  development.  Only  amd64
1369              platforms  are supported at this moment.  The files and directo‐
1370              ries in the list must be expressed as relative to the  /lib  di‐
1371              rectory.   The  idea  is  to  build  a  new  /lib in a temporary
1372              filesystem, with only the library files necessary to run the ap‐
1373              plication.  It could be as simple as:
1374
1375              $ firejail --private-lib galculator
1376
1377              but it gets complicated really fast:
1378
1379              $    firejail   --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1380              gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1381
1382              The feature is integrated with --private-bin:
1383
1384              $ firejail --private-lib --private-bin=bash,ls,ps
1385              $ ls /lib
1386              ld-linux-x86-64.so.2  libgpg-error.so.0  libprocps.so.6  libsys‐
1387              temd.so.0
1388              libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1389              libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1390              libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1391              $ ps
1392               PID TTY          TIME CMD
1393                  1 pts/0    00:00:00 firejail
1394                 45 pts/0    00:00:00 bash
1395                 48 pts/0    00:00:00 ps
1396              $
1397
1398
1399       --private-opt=file,directory
1400              Build  a  new /opt in a temporary filesystem, and copy the files
1401              and directories in the list.  The files and directories  in  the
1402              list  must  be  expressed as relative to the /opt directory, and
1403              must not contain the / character (e.g.,  /opt/foo  must  be  ex‐
1404              pressed  as  foo, but /opt/foo/bar -- expressed as foo/bar -- is
1405              disallowed).  If no listed file is found, /opt directory will be
1406              empty.   All  modifications  are  discarded  when the sandbox is
1407              closed.
1408
1409              Example:
1410              $ firejail --private-opt=firefox /opt/firefox/firefox
1411
1412
1413       --private-srv=file,directory
1414              Build a new /srv in a temporary filesystem, and copy  the  files
1415              and  directories  in the list.  The files and directories in the
1416              list must be expressed as relative to the  /srv  directory,  and
1417              must  not  contain  the  / character (e.g., /srv/foo must be ex‐
1418              pressed as foo, but /srv/foo/bar -- expressed as srv/bar  --  is
1419              disallowed).  If no listed file is found, /srv directory will be
1420              empty.  All modifications are  discarded  when  the  sandbox  is
1421              closed.
1422
1423              Example:
1424              # firejail --private-srv=www /etc/init.d/apache2 start
1425
1426
1427       --private-tmp
1428              Mount  an  empty  temporary  filesystem on top of /tmp directory
1429              whitelisting X11 and PulseAudio sockets.
1430
1431              Example:
1432              $ firejail --private-tmp
1433              $ ls -al /tmp
1434              drwxrwxrwt  4 nobody nogroup   80 Apr 30 11:46 .
1435              drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1436              drwx------  2  nobody  nogroup  4096  Apr  30  10:52  pulse-PKd‐
1437              htXMmr18n
1438              drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1439
1440
1441       --profile=filename_or_profilename
1442              Load  a  custom security profile from filename. For filename use
1443              an absolute path or a path relative to the  current  path.   For
1444              more information, see SECURITY PROFILES section below.
1445
1446              Example:
1447              $ firejail --profile=myprofile
1448
1449
1450       --profile.print=name|pid
1451              Print the name of the profile file for the sandbox identified by
1452              name or or PID.
1453
1454              Example:
1455              $ firejail --profile.print=browser
1456              /etc/firejail/firefox.profile
1457
1458       --protocol=protocol,protocol,protocol
1459              Enable protocol filter. The  filter  is  based  on  seccomp  and
1460              checks  the  first  argument  to socket system call.  Recognized
1461              values: unix, inet, inet6, netlink, packet and  bluetooth.  This
1462              option is not supported for i386 architecture.
1463
1464              Example:
1465              $ firejail --protocol=unix,inet,inet6 firefox
1466
1467       --protocol.print=name|pid
1468              Print  the protocol filter for the sandbox identified by name or
1469              PID.
1470
1471              Example:
1472              $ firejail --name=mybrowser firefox &
1473              $ firejail --protocol.print=mybrowser
1474              unix,inet,inet6,netlink
1475
1476              Example:
1477              $ firejail --list
1478              3272:netblue::firejail --private firefox
1479              $ firejail --protocol.print=3272
1480              unix,inet,inet6,netlink
1481
1482       --put=name|pid src-filename dest-filename
1483              Put a file in sandbox container, see FILE TRANSFER  section  for
1484              more details.
1485
1486       --quiet
1487              Turn off Firejail's output.
1488
1489              The  same effect can be obtained by setting an environment vari‐
1490              able FIREJAIL_QUIET to yes.
1491
1492       --read-only=dirname_or_filename
1493              Set directory or file read-only. File globbing is supported, see
1494              FILE GLOBBING section for more details.
1495
1496              Example:
1497              $ firejail --read-only=~/.mozilla firefox
1498
1499       --read-write=dirname_or_filename
1500              Set  directory or file read-write. Only files or directories be‐
1501              longing to the current user are allowed for this operation. File
1502              globbing  is  supported,  see FILE GLOBBING section for more de‐
1503              tails.  Example:
1504
1505              $ mkdir ~/test
1506              $ touch ~/test/a
1507              $ firejail --read-only=~/test --read-write=~/test/a
1508
1509
1510
1511       --rlimit-as=number
1512              Set the maximum size of the process's  virtual  memory  (address
1513              space)  in  bytes.  Use k(ilobyte), m(egabyte) or g(igabyte) for
1514              size suffix (base 1024).
1515
1516
1517       --rlimit-cpu=number
1518              Set the maximum limit, in seconds, for the amount  of  CPU  time
1519              each  sandboxed process  can consume. When the limit is reached,
1520              the processes are killed.
1521
1522              The CPU limit is a limit on  CPU  seconds  rather  than  elapsed
1523              time. CPU seconds is basically how many seconds the CPU has been
1524              in use and does not necessarily directly relate to  the  elapsed
1525              time.  Linux  kernel keeps track of CPU seconds for each process
1526              independently.
1527
1528
1529       --rlimit-fsize=number
1530              Set the maximum file size that can be created by a process.  Use
1531              k(ilobyte),  m(egabyte)  or  g(igabyte)  for  size  suffix (base
1532              1024).
1533
1534       --rlimit-nofile=number
1535              Set the maximum number of files that can be opened by a process.
1536
1537       --rlimit-nproc=number
1538              Set the maximum number of processes that can be created for  the
1539              real user ID of the calling process.
1540
1541       --rlimit-sigpending=number
1542              Set the maximum number of pending signals for a process.
1543
1544
1545       --rmenv=name
1546              Remove environment variable in the new sandbox.
1547
1548              Example:
1549              $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1550
1551       --scan ARP-scan all the networks from inside a network namespace.  This
1552              makes it possible to detect macvlan kernel device  drivers  run‐
1553              ning on the current host.
1554
1555              Example:
1556              $ firejail --net=eth0 --scan
1557
1558       --seccomp
1559              Enable  seccomp filter and blacklist the syscalls in the default
1560              list, which is  @default-nodebuggers unless --allow-debuggers is
1561              specified, then it is @default.
1562
1563              To help creating useful seccomp filters more easily, the follow‐
1564              ing system call groups are  defined:  @aio,  @basic-io,  @chown,
1565              @clock,  @cpu-emulation, @debug, @default, @default-nodebuggers,
1566              @default-keep, @file-system, @io-event,  @ipc,  @keyring,  @mem‐
1567              lock,  @module,  @mount,  @network-io,  @obsolete,  @privileged,
1568              @process, @raw-io, @reboot, @resources, @setuid,  @swap,  @sync,
1569              @system-service  and  @timer.  More information about groups can
1570              be found in /usr/share/doc/firejail/syscalls.txt
1571
1572              System architecture is strictly  imposed  only  if  flag  --sec‐
1573              comp.block-secondary  is used. The filter is applied at run time
1574              only if the correct architecture was detected. For the  case  of
1575              I386 and AMD64 both 32-bit and 64-bit filters are installed.
1576
1577              Firejail  will  print seccomp violations to the audit log if the
1578              kernel was compiled with audit support (CONFIG_AUDIT flag).
1579
1580              Example:
1581              $ firejail --seccomp
1582
1583              The default list can be customized, see  --seccomp=  for  a  de‐
1584              scription.  It  can  be  customized  also globally in /etc/fire‐
1585              jail/firejail.config file.
1586
1587
1588       --seccomp=syscall,@group,!syscall2
1589              Enable seccomp  filter,  blacklist  the  default  list  and  the
1590              syscalls  or  syscall groups specified by the command, but don't
1591              blacklist "syscall2". On a 64 bit  architecture,  an  additional
1592              filter  for  32  bit  system  calls can be installed with --sec‐
1593              comp.32.
1594
1595              Example:
1596              $ firejail --seccomp=utime,utimensat,utimes firefox
1597              $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1598              $ firejail '--seccomp=@ipc,!pipe,!pipe2' audacious
1599
1600              Syscalls can be specified by their number if prefix $ is  added,
1601              so for example $165 would be equal to mount on i386.
1602
1603              Instead  of dropping the syscall by returning EPERM, another er‐
1604              ror number can be returned using syscall:errno syntax. This  can
1605              be  also  changed  globally  with  --seccomp-error-action  or in
1606              /etc/firejail/firejail.config file.  The  process  can  also  be
1607              killed  by  using  syscall:kill  syntax,  or  the attempt may be
1608              logged with syscall:log.
1609
1610              Example:
1611              $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1612              Parent pid 10662, child pid 10663
1613              Child process initialized
1614              $ touch testfile
1615              $ ls testfile
1616              testfile
1617              $ rm testfile
1618              rm: cannot remove `testfile': No such file or directory
1619
1620              If the blocked system calls would also block Firejail from oper‐
1621              ating, they are handled by adding a preloaded library which per‐
1622              forms seccomp system calls later. However, this is  incompatible
1623              with 32 bit seccomp filters.
1624
1625              Example:
1626              $ firejail --noprofile --shell=none --seccomp=execve sh
1627              Parent pid 32751, child pid 32752
1628              Post-exec seccomp protector enabled
1629              list  in:  execve,  check  list:  @default-keep prelist: (null),
1630              postlist: execve
1631              Child process initialized in 46.44 ms
1632              $ ls
1633              Operation not permitted
1634
1635
1636       --seccomp.block-secondary
1637              Enable seccomp filter and filter system  call  architectures  so
1638              that  only  the  native architecture is allowed. For example, on
1639              amd64, i386 and x32 system calls are blocked as well as changing
1640              the execution domain with personality(2) system call.
1641
1642
1643       --seccomp.drop=syscall,@group
1644              Enable seccomp filter, and blacklist the syscalls or the syscall
1645              groups specified by the command. On a 64  bit  architecture,  an
1646              additional  filter for 32 bit system calls can be installed with
1647              --seccomp.32.drop.
1648
1649              Example:
1650              $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1651
1652              Instead of dropping the syscall by returning EPERM, another  er‐
1653              ror  number can be returned using syscall:errno syntax. This can
1654              be also  changed  globally  with  --seccomp-error-action  or  in
1655              /etc/firejail/firejail.config  file.   The  process  can also be
1656              killed by using syscall:kill  syntax,  or  the  attempt  may  be
1657              logged with syscall:log.
1658
1659              Example:
1660              $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1661              Parent pid 10662, child pid 10663
1662              Child process initialized
1663              $ touch testfile
1664              $ ls testfile
1665              testfile
1666              $ rm testfile
1667              rm: cannot remove `testfile': No such file or directory
1668
1669
1670       --seccomp.keep=syscall,@group,!syscall2
1671              Enable  seccomp  filter,  blacklist  all  syscall not listed and
1672              "syscall2".  The system calls needed  by  Firejail  (group  @de‐
1673              fault-keep:  prctl,  execve,  execveat)  are  handled  with  the
1674              preload library. On a 64 bit architecture, an additional  filter
1675              for 32 bit system calls can be installed with --seccomp.32.keep.
1676
1677              Example:
1678              $  firejail --shell=none --seccomp.keep=poll,select,[...] trans‐
1679              mission-gtk
1680
1681
1682       --seccomp.print=name|pid
1683              Print the seccomp filter for the sandbox identified by  name  or
1684              PID.
1685
1686              Example:
1687              $ firejail --name=browser firefox &
1688              $ firejail --seccomp.print=browser
1689               line  OP JT JF    K
1690              =================================
1691               0000: 20 00 00 00000004   ld  data.architecture
1692               0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
1693               0002: 06 00 00 7fff0000   ret ALLOW
1694               0003: 20 00 00 00000000   ld  data.syscall-number
1695               0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
1696               0005: 35 01 00 00000000   jge read 0007 (false 0006)
1697               0006: 06 00 00 00050001   ret ERRNO(1)
1698               0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
1699               0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
1700               0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
1701               000a:  15  3e  00  00000137   jeq process_vm_writev 0049 (false
1702              000b)
1703               000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
1704               000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
1705               000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
1706               000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
1707               000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
1708               0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
1709               0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
1710               0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
1711               0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
1712               0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
1713               0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
1714               0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
1715               0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
1716               0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
1717               0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
1718               001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
1719               001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
1720               001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
1721               001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
1722               001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
1723               001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
1724               0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
1725               0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
1726               0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
1727               0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
1728               0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
1729               0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
1730               0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
1731               0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
1732               0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
1733               0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
1734               002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
1735               002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
1736               002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
1737               002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
1738               002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
1739               002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
1740               0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
1741               0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
1742               0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
1743               0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
1744               0034: 15 14 00 00000130    jeq  open_by_handle_at  0049  (false
1745              0035)
1746               0035:  15  13  00  0000012f   jeq name_to_handle_at 0049 (false
1747              0036)
1748               0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
1749               0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
1750               0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
1751               0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
1752               003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
1753               003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
1754               003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
1755               003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
1756               003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
1757               003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
1758               0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
1759               0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
1760               0042: 15 06 00  000000d8    jeq  remap_file_pages  0049  (false
1761              0043)
1762               0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
1763               0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
1764               0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
1765               0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
1766               0047:  15  01  00  00000136    jeq process_vm_readv 0049 (false
1767              0048)
1768               0048: 06 00 00 7fff0000   ret ALLOW
1769               0049: 06 00 01 00000000   ret KILL
1770              $
1771
1772
1773       --seccomp-error-action= kill | ERRNO | log
1774              By default, if a  seccomp  filter  blocks  a  system  call,  the
1775              process gets EPERM as the error. With --seccomp-error-action=er‐
1776              ror, another error number can be returned, for example ENOSYS or
1777              EACCES. The process can also be killed (like in versions <0.9.63
1778              of Firejail) by using --seccomp-error-action=kill syntax, or the
1779              attempt  may  be  logged  with  --seccomp-error-action=log.  Not
1780              killing the process weakens Firejail  slightly  when  trying  to
1781              contain  intrusion, but it may also allow tighter filters if the
1782              only alternative is to allow a system call.
1783
1784
1785       --shell=none
1786              Run the program directly, without a user shell.
1787
1788              Example:
1789              $ firejail --shell=none script.sh
1790
1791       --shell=program
1792              Set default user shell. Use this shell to  run  the  application
1793              using  -c shell option.  For example "firejail --shell=/bin/dash
1794              firefox" will start Mozilla Firefox as "/bin/dash  -c  firefox".
1795              By default the user's preferred shell is used.
1796
1797              Example: $firejail --shell=/bin/dash script.sh
1798
1799       --shutdown=name|pid
1800              Shutdown the sandbox identified by name or PID.
1801
1802              Example:
1803              $ firejail --name=mygame --caps.drop=all warzone2100 &
1804              $ firejail --shutdown=mygame
1805
1806              Example:
1807              $ firejail --list
1808              3272:netblue::firejail --private firefox
1809              $ firejail --shutdown=3272
1810
1811       --timeout=hh:mm:ss
1812              Kill  the  sandbox automatically after the time has elapsed. The
1813              time is specified in hours/minutes/seconds format.
1814
1815              $ firejail --timeout=01:30:00 firefox
1816
1817       --tmpfs=dirname
1818              Mount a writable tmpfs filesystem on directory dirname. Directo‐
1819              ries outside user home or not owned by the user are not allowed.
1820              Sandboxes running as root are exempt  from  these  restrictions.
1821              File  globbing  is supported, see FILE GLOBBING section for more
1822              details.
1823
1824              Example:
1825              $ firejail --tmpfs=~/.local/share
1826
1827       --top  Monitor the most CPU-intensive sandboxes, see MONITORING section
1828              for more details.
1829
1830              Example:
1831              $ firejail --top
1832
1833       --trace[=filename]
1834              Trace  open,  access  and  connect  system calls. If filename is
1835              specified, log trace output to filename, otherwise log  to  con‐
1836              sole.
1837
1838              Example:
1839              $ firejail --trace wget -q www.debian.org
1840              Reading profile /etc/firejail/wget.profile
1841              3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
1842              3:wget:fopen /etc/hosts:0x5c8e8cfb70
1843              3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
1844              3:wget:connect 3 8.8.8.8 port 53:0
1845              3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
1846              3:wget:connect 3 130.89.148.14 port 80:0
1847              3:wget:fopen64 index.html:0x5c8e8d1a60
1848
1849              parent is shutting down, bye...
1850
1851       --tracelog
1852              This  option enables auditing blacklisted files and directories.
1853              A message is sent to syslog in case the file or the directory is
1854              accessed.
1855
1856              Example:
1857              $ firejail --tracelog firefox
1858
1859              Sample messages:
1860              $ sudo tail -f /var/log/syslog
1861              [...]
1862              Dec  3 11:43:25 debian firejail[70]: blacklist violation - sand‐
1863              box 26370, exe firefox, syscall open64, path /etc/shadow
1864              Dec  3 11:46:17 debian firejail[70]: blacklist violation - sand‐
1865              box 26370, exe firefox, syscall opendir, path /boot
1866              [...]
1867
1868       --tree Print  a tree of all sandboxed processes, see MONITORING section
1869              for more details.
1870
1871              Example:
1872              $ firejail --tree
1873              11903:netblue:firejail iceweasel
1874                11904:netblue:iceweasel
1875                  11957:netblue:/usr/lib/iceweasel/plugin-container
1876              11969:netblue:firejail --net=eth0 transmission-gtk
1877                11970:netblue:transmission-gtk
1878
1879
1880       --tunnel[=devname]
1881              Connect the sandbox to a network overlay/VPN tunnel  created  by
1882              firetunnel  utility. This options tries first the client side of
1883              the tunnel. If this fails, it tries the server side. If multiple
1884              tunnels  are  active,  please  specify  the  tunnel device using
1885              --tunnel=devname.
1886
1887              The available tunnel devices are listed in  /etc/firetunnel  di‐
1888              rectory,  one file for each device.  The files are regular fire‐
1889              jail profile files containing the network configuration, and are
1890              created  and  managed  by firetunnel utility.  By default ftc is
1891              the client-side device and fts is the  server-side  device.  For
1892              more information please see man 1 firetunnel.
1893
1894              Example:
1895              $ firejail --tunnel firefox
1896
1897       --version
1898              Print program version/compile time support and exit.
1899
1900              Example:
1901              $ firejail --version
1902              firejail version 0.9.27
1903
1904              Compile time support:
1905                  - AppArmor support is enabled
1906                  - AppImage support is enabled
1907                  - chroot support is enabled
1908                  - file and directory whitelisting support is enabled
1909                  - file transfer support is enabled
1910                  - firetunnel support is enabled
1911                  - networking support is enabled
1912                  - overlayfs support is enabled
1913                  - private-home support is enabled
1914                  - seccomp-bpf support is enabled
1915                  - user namespace support is enabled
1916                  - X11 sandboxing support is enabled
1917
1918       --veth-name=name
1919              Use  this  name  for  the  interface connected to the bridge for
1920              --net=bridge_interface commands, instead of the default one.
1921
1922              Example:
1923              $ firejail --net=br0 --veth-name=if0
1924
1925       --whitelist=dirname_or_filename
1926              Whitelist directory or file. A temporary file system is  mounted
1927              on the top directory, and the whitelisted files are mount-binded
1928              inside. Modifications to whitelisted files are  persistent,  ev‐
1929              erything  else  is discarded when the sandbox is closed. The top
1930              directory can be all directories in / (except /proc  and  /sys),
1931              /sys/module, /run/user/$UID, $HOME and all directories in /usr.
1932
1933              Symbolic  link  handling:  with the exception of user home, both
1934              the link and the real file should be in the same top  directory.
1935              For  user  home, both the link and the real file should be owned
1936              by the user.
1937
1938              File globbing is supported, see FILE GLOBBING section  for  more
1939              details.
1940
1941              Example:
1942              $ firejail --noprofile --whitelist=~/.mozilla
1943              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
1944              $ firejail "--whitelist=/home/username/My Virtual Machines"
1945              $ firejail --whitelist=~/work* --whitelist=/var/backups*
1946
1947
1948       --writable-etc
1949              Mount /etc directory read-write.
1950
1951              Example:
1952              $ sudo firejail --writable-etc
1953
1954
1955       --writable-run-user
1956              Disable  the  default blacklisting of /run/user/$UID/systemd and
1957              /run/user/$UID/gnupg.
1958
1959              Example:
1960              $ sudo firejail --writable-run-user
1961
1962
1963       --writable-var
1964              Mount /var directory read-write.
1965
1966              Example:
1967              $ sudo firejail --writable-var
1968
1969
1970       --writable-var-log
1971              Use the real /var/log directory, not  a  clone.  By  default,  a
1972              tmpfs  is  mounted  on top of /var/log directory, and a skeleton
1973              filesystem is created based on the original /var/log.
1974
1975              Example:
1976              $ sudo firejail --writable-var-log
1977
1978
1979       --x11  Sandbox the application using Xpra, Xephyr, Xvfb or  Xorg  secu‐
1980              rity extension.  The sandbox will prevent screenshot and keylog‐
1981              ger applications  started  inside  the  sandbox  from  accessing
1982              clients  running  outside  the  sandbox.  Firejail will try Xpra
1983              first, and if Xpra is not installed on the system, it  will  try
1984              to  find Xephyr.  If all fails, Firejail will not attempt to use
1985              Xvfb or X11 security extension.
1986
1987              Xpra, Xephyr and Xvfb modes require a network  namespace  to  be
1988              instantiated  in  order  to disable X11 abstract Unix socket. If
1989              this is not possible, the user can disable the  abstract  socket
1990              by  adding  "-nolisten  local"  on  Xorg  command line at system
1991              level.
1992
1993              Example:
1994              $ firejail --x11 --net=eth0 firefox
1995
1996
1997       --x11=none
1998              Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and  the
1999              file  specified  in  ${XAUTHORITY} environment variable.  Remove
2000              DISPLAY and XAUTHORITY environment variables.  Stop  with  error
2001              message if X11 abstract socket will be accessible in jail.
2002
2003
2004       --x11=xephyr
2005              Start Xephyr and attach the sandbox to this server.  Xephyr is a
2006              display server implementing the X11 display server protocol.   A
2007              network  namespace needs to be instantiated in order to deny ac‐
2008              cess to X11 abstract Unix domain socket.
2009
2010              Xephyr runs in a window just like any other X11 application. The
2011              default  window  size  is  800x600.   This  can  be  modified in
2012              /etc/firejail/firejail.config file.
2013
2014              The recommended way to use this feature is to run a window  man‐
2015              ager inside the sandbox.  A security profile for OpenBox is pro‐
2016              vided.
2017
2018              Xephyr is developed by Xorg project. On Debian platforms  it  is
2019              installed  with the command sudo apt-get install xserver-xephyr.
2020              This feature is not available when running as root.
2021
2022              Example:
2023              $ firejail --x11=xephyr --net=eth0 openbox
2024
2025
2026       --x11=xorg
2027              Sandbox the application using the untrusted mode implemented  by
2028              X11  security  extension.   The  extension  is available in Xorg
2029              package and it is installed by default on most  Linux  distribu‐
2030              tions.  It  provides support for a simple trusted/untrusted con‐
2031              nection model. Untrusted clients are restricted in certain  ways
2032              to  prevent  them from reading window contents of other clients,
2033              stealing input events, etc.
2034
2035              The untrusted mode has several limitations.  A  lot  of  regular
2036              programs   assume  they are a trusted X11 clients and will crash
2037              or lock up when run in  untrusted  mode.  Chromium  browser  and
2038              xterm are two examples.  Firefox and transmission-gtk seem to be
2039              working fine.  A network namespace is not required for this  op‐
2040              tion.
2041
2042              Example:
2043              $ firejail --x11=xorg firefox
2044
2045
2046       --x11=xpra
2047              Start  Xpra  (https://xpra.org)  and  attach the sandbox to this
2048              server.  Xpra is a persistent remote display server  and  client
2049              for  forwarding X11 applications and desktop screens.  A network
2050              namespace needs to be instantiated in order to  deny  access  to
2051              X11 abstract Unix domain socket.
2052
2053              On Debian platforms Xpra is installed with the command sudo apt-
2054              get install xpra.  This feature is not available when running as
2055              root.
2056
2057              Example:
2058              $ firejail --x11=xpra --net=eth0 firefox
2059
2060
2061
2062       --x11=xvfb
2063              Start  Xvfb  X11  server  and attach the sandbox to this server.
2064              Xvfb, short for X virtual framebuffer,  performs  all  graphical
2065              operations  in memory without showing any screen output. Xvfb is
2066              mainly used for remote access and software testing  on  headless
2067              servers.
2068
2069              On Debian platforms Xvfb is installed with the command sudo apt-
2070              get install xvfb.  This feature is not available when running as
2071              root.
2072
2073              Example: remote VNC access
2074
2075              On  the  server we start a sandbox using Xvfb and openbox window
2076              manager. The default size of Xvfb screen is 800x600 - it can  be
2077              changed  in  /etc/firejail/firejail.config  (xvfb-screen).  Some
2078              sort of networking (--net) is required in order to  isolate  the
2079              abstract sockets used by other X servers.
2080
2081              $ firejail --net=none --x11=xvfb openbox
2082
2083              *** Attaching to Xvfb display 792 ***
2084
2085              Reading profile /etc/firejail/openbox.profile
2086              Reading profile /etc/firejail/disable-common.inc
2087              Reading profile /etc/firejail/disable-common.local
2088              Parent pid 5400, child pid 5401
2089
2090              On  the  server  we also start a VNC server and attach it to the
2091              display handled by our Xvfb server (792).
2092
2093              $ x11vnc -display :792
2094
2095              On the client machine we start a VNC viewer and use it  to  con‐
2096              nect to our server:
2097
2098              $ vncviewer
2099
2100
2101       --xephyr-screen=WIDTHxHEIGHT
2102              Set screen size for --x11=xephyr. The setting will overwrite the
2103              default set in  /etc/firejail/firejail.config  for  the  current
2104              sandbox.  Run  xrandr  to get a list of supported resolutions on
2105              your computer.
2106
2107              Example:
2108              $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
2109              fox
2110
2111

DESKTOP INTEGRATION

2113       A  symbolic link to /usr/bin/firejail under the name of a program, will
2114       start the program in Firejail sandbox.  The  symbolic  link  should  be
2115       placed  in  the  first $PATH position. On most systems, a good place is
2116       /usr/local/bin directory. Example:
2117
2118              Make a firefox symlink to /usr/bin/firejail:
2119
2120              $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
2121
2122              Verify $PATH
2123
2124              $ which -a firefox
2125              /usr/local/bin/firefox
2126              /usr/bin/firefox
2127
2128              Starting firefox in this moment, automatically invokes “firejail
2129              firefox”.
2130
2131       This  works  for  clicking on desktop environment icons, menus etc. Use
2132       "firejail --tree" to verify the program is sandboxed.
2133
2134              $ firejail --tree
2135              1189:netblue:firejail firefox
2136                1190:netblue:firejail firefox
2137                  1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
2138                    1221:netblue:/usr/lib/firefox/firefox
2139
2140       We provide a tool that  automates  all  this  integration,  please  see
2141       firecfg(1) for more details.
2142
2143

EXAMPLES

2145       firejail
2146              Sandbox a regular shell session.
2147
2148       firejail firefox
2149              Start Mozilla Firefox.
2150
2151       firejail --debug firefox
2152              Debug Firefox sandbox.
2153
2154       firejail --private firefox
2155              Start Firefox with a new, empty home directory.
2156
2157       firejail --net=none vlc
2158              Start VLC in an unconnected network namespace.
2159
2160       firejail --net=eth0 firefox
2161              Start  Firefox  in a new network namespace. An IP address is as‐
2162              signed automatically.
2163
2164       firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2165              Start a shell session in a new network namespace and connect  it
2166              to  br0,  br1, and br2 host bridge devices. IP addresses are as‐
2167              signed automatically for the interfaces connected to br1 and b2
2168
2169       firejail --list
2170              List all sandboxed processes.
2171
2172

FILE GLOBBING

2174       Globbing is the operation that expands a wildcard pattern into the
2175              list of pathnames matching the pattern.  This pattern is matched
2176              at  firejail start, and is NOT UPDATED at runtime.  Files match‐
2177              ing a blacklist, but created after firejail start will be acces‐
2178              sible within the jail. Matching is defined by:
2179
2180              - '?' matches any character
2181              - '*' matches any string
2182              - '[' denotes a range of characters
2183
2184       The globbing feature is implemented using glibc glob command. For
2185              more information on the wildcard syntax see man 7 glob.
2186
2187
2188       The following command line options are supported: --blacklist,
2189              --private-bin, --noexec, --read-only, --read-write, --tmpfs, and
2190              --whitelist.
2191
2192
2193       Examples:
2194
2195              $ firejail --private-bin=sh,bash,python*
2196              $ firejail --blacklist=~/dir[1234]
2197              $ firejail --read-only=~/dir[1-4]
2198
2199

FILE TRANSFER

2201       These features allow the user to inspect the filesystem container of an
2202       existing  sandbox and transfer files between the container and the host
2203       filesystem.
2204
2205
2206       --cat=name|pid filename
2207              Write content of a container file to standard out. The container
2208              is specified by name or PID.  If standard out is a terminal, all
2209              ASCII control characters except new line and horizontal tab  are
2210              replaced.
2211
2212
2213       --get=name|pid filename
2214              Retrieve the container file and store it on the host in the cur‐
2215              rent working directory.  The container is specified by  name  or
2216              PID.
2217
2218
2219       --ls=name|pid dir_or_filename
2220              List container files. The container is specified by name or PID.
2221
2222
2223       --put=name|pid src-filename dest-filename
2224              Put  src-filename in sandbox container.  The container is speci‐
2225              fied by name or PID.
2226
2227
2228       Examples:
2229
2230              $ firejail --name=mybrowser --private firefox
2231
2232              $ firejail --ls=mybrowser ~/Downloads
2233              drwxr-xr-x netblue  netblue         4096 .
2234              drwxr-xr-x netblue  netblue         4096 ..
2235              -rw-r--r-- netblue  netblue         7847 x11-x305.png
2236              -rw-r--r-- netblue  netblue         6800 x11-x642.png
2237              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
2238
2239              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
2240
2241              $ firejail --put=mybrowser xpra-clipboard.png  ~/Downloads/xpra-
2242              clipboard.png
2243
2244              $ firejail --cat=mybrowser ~/.bashrc
2245

MONITORING

2247       Option  --list  prints  a  list  of  all sandboxes. The format for each
2248       process entry is as follows:
2249
2250            PID:USER:Sandbox Name:Command
2251
2252       Option --tree prints the tree of processes running in the sandbox.  The
2253       format for each process entry is as follows:
2254
2255            PID:USER:Sandbox Name:Command
2256
2257       Option  --top  is  similar  to the UNIX top command, however it applies
2258       only to sandboxes.
2259
2260       Option --netstats prints network statistics for  active  sandboxes  in‐
2261       stalling new network namespaces.
2262
2263       Listed  below  are the available fields (columns) in alphabetical order
2264       for --top and --netstats options:
2265
2266
2267       Command
2268              Command used to start the sandbox.
2269
2270       CPU%   CPU usage, the sandbox share of the elapsed CPU time  since  the
2271              last screen update
2272
2273       PID    Unique process ID for the task controlling the sandbox.
2274
2275       Prcs   Number  of  processes running in sandbox, including the control‐
2276              ling process.
2277
2278       RES    Resident Memory Size (KiB), sandbox non-swapped physical memory.
2279              It  is  a sum of the RES values for all processes running in the
2280              sandbox.
2281
2282       RX(KB/s)
2283              Network receive speed.
2284
2285       Sandbox Name
2286              The name of the sandbox, if any.
2287
2288       SHR    Shared Memory Size (KiB), it reflects memory shared  with  other
2289              processes.  It is a sum of the SHR values for all processes run‐
2290              ning in the sandbox, including the controlling process.
2291
2292       TX(KB/s)
2293              Network transmit speed.
2294
2295       Uptime Sandbox running time in hours:minutes:seconds format.
2296
2297       USER   The owner of the sandbox.
2298
2299

RESTRICTED SHELL

2301       To configure a restricted shell, replace /bin/bash with  /usr/bin/fire‐
2302       jail in /etc/passwd file for each user that needs to be restricted. Al‐
2303       ternatively, you can specify /usr/bin/firejail  in adduser command:
2304
2305       adduser --shell /usr/bin/firejail username
2306
2307       Additional arguments passed to firejail executable upon login  are  de‐
2308       clared in /etc/firejail/login.users file.
2309
2310

SECURITY PROFILES

2312       Several command line options can be passed to the program using profile
2313       files. Firejail chooses the profile file as follows:
2314
2315       1. If a profile file is provided by the user  with  --profile=FILE  op‐
2316       tion,  the  profile  FILE  is loaded. If a profile name is given, it is
2317       searched for first in the ~/.config/firejail directory and if not found
2318       then  in   /etc/firejail  directory.  Profile  names do not include the
2319       .profile suffix. If there is a file with the same  name  as  the  given
2320       profile  name,  it will be used instead of doing the profile search. To
2321       force a profile search, prefix the profile name with a colon  (:),  eg.
2322       --profile=:PROFILE_NAME.  Example:
2323
2324              $ firejail --profile=/home/netblue/icecat.profile icecat
2325              Reading profile /home/netblue/icecat.profile
2326              [...]
2327
2328
2329              $ firejail --profile=icecat icecat-wrapper.sh
2330              Reading profile /etc/firejail/icecat.profile
2331              [...]
2332
2333       2.  If  a profile file with the same name as the application is present
2334       in ~/.config/firejail directory or in  /etc/firejail,  the  profile  is
2335       loaded.  ~/.config/firejail  takes precedence over /etc/firejail. Exam‐
2336       ple:
2337
2338              $ firejail icecat
2339              Command name #icecat#
2340              Found icecat profile in /home/netblue/.config/firejail directory
2341              Reading profile /home/netblue/.config/firejail/icecat.profile
2342              [...]
2343
2344       3. Use default.profile file if the sandbox  is  started  by  a  regular
2345       user,  or  server.profile file if the sandbox is started by root. Fire‐
2346       jail looks for these files in ~/.config/firejail directory, followed by
2347       /etc/firejail directory.  To disable default profile loading, use --no‐
2348       profile command option. Example:
2349
2350              $ firejail
2351              Reading profile /etc/firejail/default.profile
2352              Parent pid 8553, child pid 8554
2353              Child process initialized
2354              [...]
2355
2356              $ firejail --noprofile
2357              Parent pid 8553, child pid 8554
2358              Child process initialized
2359              [...]
2360
2361       See man 5 firejail-profile for profile file syntax information.
2362

TRAFFIC SHAPING

2364       Network bandwidth is an expensive resource shared among  all  sandboxes
2365       running  on a system.  Traffic shaping allows the user to increase net‐
2366       work performance by controlling the amount of data that flows into  and
2367       out of the sandboxes.
2368
2369       Firejail  implements  a simple rate-limiting shaper based on Linux com‐
2370       mand tc.  The shaper works at sandbox level, and can be used  only  for
2371       sandboxes configured with new network namespaces.
2372
2373       Set rate-limits:
2374
2375            $ firejail --bandwidth=name|pid set network download upload
2376
2377       Clear rate-limits:
2378
2379            $ firejail --bandwidth=name|pid clear network
2380
2381       Status:
2382
2383            $ firejail --bandwidth=name|pid status
2384
2385       where:
2386            name - sandbox name
2387            pid - sandbox pid
2388            network - network interface as used by --net option
2389            download - download speed in KB/s (kilobyte per second)
2390            upload - upload speed in KB/s (kilobyte per second)
2391
2392       Example:
2393            $ firejail --name=mybrowser --net=eth0 firefox &
2394            $ firejail --bandwidth=mybrowser set eth0 80 20
2395            $ firejail --bandwidth=mybrowser status
2396            $ firejail --bandwidth=mybrowser clear eth0
2397

LICENSE

2399       This program is free software; you can redistribute it and/or modify it
2400       under the terms of the GNU General Public License as published  by  the
2401       Free  Software Foundation; either version 2 of the License, or (at your
2402       option) any later version.
2403
2404       Homepage: https://firejail.wordpress.com
2405

SEE ALSO

2407       firemon(1), firecfg(1), firejail-profile(5),  firejail-login(5),  fire‐
2408       jail-users(5), jailcheck(1)
2409
2410https://github.com/netblue30/firejail/wiki⟩,
2411https://github.com/netblue30/firejail
2412
2413
2414
24150.9.66                             Jul 2021                        FIREJAIL(1)
Impressum