1FIREJAIL-PROFILE(5) firejail profiles man page FIREJAIL-PROFILE(5)
2
6 profile - Security profile file syntax, and information about building
7 new application profiles.
8
11 Using a specific profile:
12 firejail --profile=filename.profile
14 Example:
16 $ firejail --profile=/etc/firejail/kdenlive.profile --ap‐
17 pimage kdenlive.appimage
18 firejail --profile=profile_name
21 Example:
23 $ firejail --profile=kdenlive --appimage kdenlive.appim‐
24 age
25 Building a profile manually:
28 Start with the template in /usr/share/doc/firejail/profile.tem‐
30 plate and modify it in a text editor. To integrate the program
31 in your desktop environment copy the profile file in ~/.con‐
32 fig/firejail directory and run "sudo firecfg".
33 Aliases and redirections:
35 In some cases the same profile can be used for several applica‐
37 tions. One such example is LibreOffice. Build a regular pro‐
38 file for the main application, and for the rest use
39 /usr/share/doc/firejail/redirect_alias-profile.template.
40 Running the profile builder:
42 firejail --build=appname.profile appname
44 Example:
46 $ firejail --build=blobby.profile blobby
47 Run the program in "firejail --build" and try to exercise
49 as many program features as possible. The profile is ex‐
50 tracted and saved in the current directory. Open it in a
51 text editor and add or remove sandboxing options as nec‐
52 essary. Test again after modifying the profile. To inte‐
53 grate the program in your desktop environment copy the
54 profile file in ~/.config/firejail directory and run
55 "sudo firecfg".
56
58 Several command line options can be passed to the program using profile
59 files. Firejail chooses the profile file as follows:
60 1. If a profile file is provided by the user with --profile option, the
62 profile file is loaded. If a profile name is given, it is searched for
63 first in the ~/.config/firejail directory and if not found then in
64 /etc/firejail directory. Profile names do not include the .profile suf‐
65 fix. Example:
66 $ firejail --profile=/home/netblue/icecat.profile icecat
68 Reading profile /home/netblue/icecat.profile
69 [...]
70 $ firejail --profile=icecat icecat-wrapper.sh
73 Reading profile /etc/firejail/icecat.profile
74 [...]
75 2. If a profile file with the same name as the application is present
77 in ~/.config/firejail directory or in /etc/firejail, the profile is
78 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
79 ple:
80 $ firejail icecat
82 Command name #icecat#
83 Found icecat profile in /home/netblue/.config/firejail directory
84 Reading profile /home/netblue/.config/firejail/icecat.profile
85 [...]
86 3. Use a default.profile file if the sandbox is started by a regular
88 user, or a server.profile file if the sandbox is started by root. Fire‐
89 jail looks for these files in ~/.config/firejail directory, followed by
90 /etc/firejail directory. To disable default profile loading, use --no‐
91 profile command option. Example:
92 $ firejail
94 Reading profile /etc/firejail/default.profile
95 Parent pid 8553, child pid 8554
96 Child process initialized
97 [...]
98 $ firejail --noprofile
100 Parent pid 8553, child pid 8554
101 Child process initialized
102 [...]
103
106 In /usr/share/doc/firejail there are two templates to write new pro‐
107 files.
108 profile.template - for regular profiles
109 redirect_alias-profile.template - for aliasing/redirecting pro‐
110 files
111
115 Scripting commands:
116 File and directory names
119 File and directory names containing spaces are supported. The
120 space character ' ' should not be escaped.
121 Example: "blacklist ~/My Virtual Machines"
123 # this is a comment
126 Example:
127 # disable networking
129 net none # this command creates an empty network namespace
130 ?CONDITIONAL: profile line
133 Conditionally add profile line.
134 Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
136 This example will load the whitelist profile line only if the
138 --appimage option has been specified on the command line.
139 Currently the only conditionals supported this way are HAS_AP‐
141 PIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and
142 HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_AL‐
143 LOW_DRM can be enabled or disabled globally in Firejail's con‐
144 figuration file.
145 The profile line may be any profile line that you would normally
147 use in a profile except for "quiet" and "include" lines.
148 include other.profile
151 Include other.profile file.
152 Example: "include /etc/firejail/disable-common.inc"
154 The file name can be prefixed with a macro such as ${HOME} or
156 ${CFG}. ${HOME} is expanded as user home directory, and ${CFG}
157 is expanded as Firejail system configuration directory - in most
158 cases /etc/firejail or /usr/local/etc/firejail.
159 Example: "include ${HOME}/myprofiles/profile1" will load
161 "~/myprofiles/profile1" file.
162 Example: "include ${CFG}/firefox.profile" will load "/etc/fire‐
164 jail/firefox.profile" file.
165 The file name may also be just the name without the leading di‐
167 rectory components. In this case, first the user config direc‐
168 tory (${HOME}/.config/firejail) is searched for the file name
169 and if not found then the system configuration directory is
170 search for the file name. Note: Unlike the --profile option
171 which takes a profile name without the '.profile' suffix, in‐
172 clude must be given the full file name.
173 Example: "include firefox.profile" will load "${HOME}/.con‐
175 fig/firejail/firefox.profile" file and if it does not exist
176 "${CFG}/firefox.profile" will be loaded.
177 System configuration files in ${CFG} are overwritten during
179 software installation. Persistent configuration at system level
180 is handled in ".local" files. For every profile file in ${CFG}
181 directory, the user can create a corresponding .local file stor‐
182 ing modifications to the persistent configuration. Persistent
183 .local files are included at the start of regular profile files.
184 noblacklist file_name
187 If the file name matches file_name, the file will not be black‐
188 listed in any blacklist commands that follow.
189 Example: "noblacklist ${HOME}/.mozilla"
191 nowhitelist file_name
194 If the file name matches file_name, the file will not be
195 whitelisted in any whitelist commands that follow.
196 Example: "nowhitelist ~/.config"
198 ignore Ignore command.
201 Example: "ignore seccomp"
203 Example: "ignore net eth0"
204 quiet Disable Firejail's output. This should be the first uncommented
206 command in the profile file.
207 Example: "quiet"
209
212 These profile entries define a chroot filesystem built on top of the
213 existing host filesystem. Each line describes a file/directory that is
214 inaccessible (blacklist), a read-only file or directory (read-only), a
215 tmpfs mounted on top of an existing directory (tmpfs), or mount-bind a
216 directory or file on top of another directory or file (bind). Use pri‐
217 vate to set private mode. File globbing is supported, and PATH and
218 HOME directories are searched, see the firejail FILE GLOBBING section
219 for more details. Examples:
220 blacklist file_or_directory
222 Blacklist directory or file. Examples:
223 blacklist /usr/bin
225 blacklist /usr/bin/gcc*
226 blacklist ${PATH}/ifconfig
227 blacklist ${HOME}/.ssh
228 blacklist-nolog file_or_directory
231 When --tracelog flag is set, blacklisting generates syslog mes‐
232 sages if the sandbox tries to access the file or directory.
233 blacklist-nolog command disables syslog messages for this par‐
234 ticular file or directory. Examples:
235 blacklist-nolog /usr/bin
237 blacklist-nolog /usr/bin/gcc*
238 bind directory1,directory2
241 Mount-bind directory1 on top of directory2. This option is only
242 available when running as root.
243 bind file1,file2
245 Mount-bind file1 on top of file2. This option is only available
246 when running as root.
247 disable-mnt
249 Disable /mnt, /media, /run/mount and /run/media access.
250 keep-config-pulse
252 Disable automatic ~/.config/pulse init, for complex setups such
253 as remote pulse servers or non-standard socket paths.
254 keep-dev-shm
256 /dev/shm directory is untouched (even with private-dev).
257 keep-var-tmp
259 /var/tmp directory is untouched.
260 mkdir directory
262 Create a directory in user home, under /tmp, or under
263 /run/user/<UID> before the sandbox is started. The directory is
264 created if it doesn't already exist.
265 Use this command for whitelisted directories you need to pre‐
267 serve when the sandbox is closed. Without it, the application
268 will create the directory, and the directory will be deleted
269 when the sandbox is closed. Subdirectories are recursively cre‐
270 ated. Example from firefox profile:
271 mkdir ~/.mozilla
273 whitelist ~/.mozilla
274 mkdir ~/.cache/mozilla/firefox
275 whitelist ~/.cache/mozilla/firefox
276 For files in /run/user/<PID> use ${RUNUSER} macro:
278 mkdir ${RUNUSER}/firejail-testing
280 mkfile file
282 Similar to mkdir, this command creates an empty file in user
283 home, or /tmp, or under /run/user/<UID> before the sandbox is
284 started. The file is created if it doesn't already exist.
285 noexec file_or_directory
287 Remount the file or the directory noexec, nodev and nosuid.
288 private
290 Mount new /root and /home/user directories in temporary filesys‐
291 tems. All modifications are discarded when the sandbox is
292 closed.
293 private directory
295 Use directory as user home.
296 private-bin file,file
298 Build a new /bin in a temporary filesystem, and copy the pro‐
299 grams in the list. The files in the list must be expressed as
300 relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/lo‐
301 cal/bin directories. The same directory is also bind-mounted
302 over /sbin, /usr/bin and /usr/sbin.
303 private-cache
305 Mount an empty temporary filesystem on top of the .cache direc‐
306 tory in user home. All modifications are discarded when the
307 sandbox is closed.
308 private-cwd
310 Set working directory inside jail to the home directory, and
311 failing that, the root directory.
312 private-cwd directory
314 Set working directory inside the jail.
315 private-dev
317 Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
318 full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
319 shm and usb devices are available. Use the options no3d, nodvd,
320 nosound, notv, nou2f and novideo for additional restrictions.
321 private-etc file,directory
324 Build a new /etc in a temporary filesystem, and copy the files
325 and directories in the list. The files and directories in the
326 list must be expressed as relative to the /etc directory, and
327 must not contain the / character (e.g., /etc/foo must be ex‐
328 pressed as foo, but /etc/foo/bar -- expressed as foo/bar -- is
329 disallowed). All modifications are discarded when the sandbox
330 is closed.
331 private-home file,directory
333 Build a new user home in a temporary filesystem, and copy the
334 files and directories in the list in the new home. The files
335 and directories in the list must be expressed as relative to the
336 current user's home directory. All modifications are discarded
337 when the sandbox is closed.
338 private-lib file,directory
340 Build a new /lib directory and bring in the libraries required
341 by the application to run. The files and directories in the
342 list must be expressed as relative to the /lib directory. This
343 feature is still under development, see man 1 firejail for some
344 examples.
345 private-opt file,directory
347 Build a new /opt in a temporary filesystem, and copy the files
348 and directories in the list. The files and directories in the
349 list must be expressed as relative to the /opt directory, and
350 must not contain the / character (e.g., /opt/foo must be ex‐
351 pressed as foo, but /opt/foo/bar -- expressed as foo/bar -- is
352 disallowed). All modifications are discarded when the sandbox
353 is closed.
354 private-srv file,directory
356 Build a new /srv in a temporary filesystem, and copy the files
357 and directories in the list. The files and directories in the
358 list must be expressed as relative to the /srv directory, and
359 must not contain the / character (e.g., /srv/foo must be ex‐
360 pressed as foo, but /srv/foo/bar -- expressed as foo/bar -- is
361 disallowed). All modifications are discarded when the sandbox
362 is closed.
363 private-tmp
365 Mount an empty temporary filesystem on top of /tmp directory
366 whitelisting /tmp/.X11-unix.
367 read-only file_or_directory
369 Make directory or file read-only.
370 read-write file_or_directory
372 Make directory or file read-write.
373 tmpfs directory
375 Mount an empty tmpfs filesystem on top of directory. Directories
376 outside user home or not owned by the user are not allowed.
377 Sandboxes running as root are exempt from these restrictions.
378 tracelog
380 Blacklist violations logged to syslog.
381 whitelist file_or_directory
383 Whitelist directory or file. A temporary file system is mounted
384 on the top directory, and the whitelisted files are mount-binded
385 inside. Modifications to whitelisted files are persistent, ev‐
386 erything else is discarded when the sandbox is closed. The top
387 directory can be all directories in / (except /proc and /sys),
388 /sys/module, /run/user/$UID, $HOME and all directories in /usr.
389 Symbolic link handling: with the exception of user home, both
391 the link and the real file should be in the same top directory.
392 For user home, both the link and the real file should be owned
393 by the user.
394 writable-etc
396 Mount /etc directory read-write.
397 writable-run-user
399 Disable the default blacklisting of run/user/$UID/systemd and
400 /run/user/$UID/gnupg.
401 writable-var
403 Mount /var directory read-write.
404 writable-var-log
406 Use the real /var/log directory, not a clone. By default, a
407 tmpfs is mounted on top of /var/log directory, and a skeleton
408 filesystem is created based on the original /var/log.
409
412 The following security filters are currently implemented:
413 allow-debuggers
416 Allow tools such as strace and gdb inside the sandbox by
417 whitelisting system calls ptrace and process_vm_readv.
418 caps Enable default Linux capabilities filter.
420 caps.drop capability,capability,capability
422 Blacklist given Linux capabilities.
423 caps.drop all
425 Blacklist all Linux capabilities.
426 caps.keep capability,capability,capability
428 Whitelist given Linux capabilities.
429 memory-deny-write-execute
431 Install a seccomp filter to block attempts to create memory map‐
432 pings that are both writable and executable, to change mappings
433 to be executable or to create executable shared memory.
434 nonewprivs
436 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
437 cannot acquire new privileges using execve(2); in particular,
438 this means that calling a suid binary (or one with file capabil‐
439 ities) does not result in an increase of privilege.
440 noroot Use this command to enable an user namespace. The namespace has
442 only one user, the current user. There is no root account (uid
443 0) defined in the namespace.
444 protocol protocol1,protocol2,protocol3
446 Enable protocol filter. The filter is based on seccomp and
447 checks the first argument to socket system call. Recognized val‐
448 ues: unix, inet, inet6, netlink, packet and bluetooth.
449 seccomp
451 Enable seccomp filter and blacklist the syscalls in the default
452 list. See man 1 firejail for more details.
453 seccomp.32
455 Enable seccomp filter and blacklist the syscalls in the default
456 list for 32 bit system calls on a 64 bit architecture system.
457 seccomp syscall,syscall,syscall
459 Enable seccomp filter and blacklist the system calls in the list
460 on top of default seccomp filter.
461 seccomp.32 syscall,syscall,syscall
463 Enable seccomp filter and blacklist the system calls in the list
464 on top of default seccomp filter for 32 bit system calls on a 64
465 bit architecture system.
466 seccomp.block-secondary
468 Enable seccomp filter and filter system call architectures so
469 that only the native architecture is allowed.
470 seccomp.drop syscall,syscall,syscall
472 Enable seccomp filter and blacklist the system calls in the
473 list.
474 seccomp.32.drop syscall,syscall,syscall
476 Enable seccomp filter and blacklist the system calls in the list
477 for 32 bit system calls on a 64 bit architecture system.
478 seccomp.keep syscall,syscall,syscall
480 Enable seccomp filter and whitelist the system calls in the
481 list.
482 seccomp.32.keep syscall,syscall,syscall
484 Enable seccomp filter and whitelist the system calls in the list
485 for 32 bit system calls on a 64 bit architecture system.
486 seccomp-error-action kill | log | ERRNO
488 Return a different error instead of EPERM to the process, kill
489 it when an attempt is made to call a blocked system call, or al‐
490 low but log the attempt.
491 x11 Enable X11 sandboxing.
493 x11 none
495 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file
496 specified in ${XAUTHORITY} environment variable. Remove DISPLAY
497 and XAUTHORITY environment variables. Stop with error message
498 if X11 abstract socket will be accessible in jail.
499 x11 xephyr
501 Enable X11 sandboxing with Xephyr server.
502 x11 xorg
504 Enable X11 sandboxing with X11 security extension.
505 x11 xpra
507 Enable X11 sandboxing with Xpra server.
508 x11 xvfb
510 Enable X11 sandboxing with Xvfb server.
511 xephyr-screen WIDTHxHEIGHT
513 Set screen size for x11 xephyr. This command should be included
514 in the profile file before x11 xephyr command.
515 Example:
517 xephyr-screen 640x480
519 x11 xephyr
520
522 Access to the session and system DBus UNIX sockets can be allowed, fil‐
523 tered or disabled. To disable the abstract sockets (and force applica‐
524 tions to use the filtered UNIX socket) you would need to request a new
525 network namespace using --net command. Another option is to remove unix
526 from the --protocol set.
527 Filtering requires installing the xdg-dbus-proxy utility. Filter rules
529 can be specified for well-known DBus names, but they are also propa‐
530 gated to the owning unique name, too. The permissions are "sticky" and
531 are kept even if the corresponding well-known name is released (how‐
532 ever, applications rarely release well-known names in practice). Names
533 may have a .* suffix to match all names underneath them, including
534 themselves (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
535 "foo.bar.baz.quux", but not "foobar"). For more information, see xdg-
536 dbus-proxy(1).
537 Examples:
539 dbus-system filter
542 Enable filtered access to the system DBus. Filters can be speci‐
543 fied with the dbus-system.talk and dbus-system.own commands.
544 dbus-system none
546 Disable access to the system DBus. Once access is disabled, it
547 cannot be relaxed to filtering.
548 dbus-system.own org.gnome.ghex.*
550 Allow the application to own the name org.gnome.ghex and all
551 names underneath in on the system DBus.
552 dbus-system.talk org.freedesktop.Notifications
554 Allow the application to talk to the name org.freedesktop.Noti‐
555 fications on the system DBus.
556 dbus-system.see org.freedesktop.Notifications
558 Allow the application to see but not talk to the name
559 org.freedesktop.Notifications on the system DBus.
560 dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifi‐
562 cations.*@/org/freedesktop/Notifications
563 Allow the application to call methods of the interface
564 org.freedesktop.Notifications of the object exposed at the path
565 /org/freedesktop/Notifications by the client owning the bus name
566 org.freedesktop.Notifications on the system DBus.
567 dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.No‐
569 tifications.*@/org/freedesktop/Notifications
570 Allow the application to receive broadcast signals from the the
571 interface org.freedesktop.Notifications of the object exposed at
572 the path /org/freedesktop/Notifications by the client owning the
573 bus name org.freedesktop.Notifications on the system DBus.
574 dbus-user filter
576 Enable filtered access to the session DBus. Filters can be spec‐
577 ified with the dbus-user.talk and dbus-user.own commands.
578 dbus-user none
580 Disable access to the session DBus. Once access is disabled, it
581 cannot be relaxed to filtering.
582 dbus-user.own org.gnome.ghex.*
584 Allow the application to own the name org.gnome.ghex and all
585 names underneath in on the session DBus.
586 dbus-user.talk org.freedesktop.Notifications
588 Allow the application to talk to the name org.freedesktop.Noti‐
589 fications on the session DBus.
590 dbus-user.see org.freedesktop.Notifications
592 Allow the application to see but not talk to the name
593 org.freedesktop.Notifications on the session DBus.
594 dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifica‐
596 tions.*@/org/freedesktop/Notifications
597 Allow the application to call methods of the interface
598 org.freedesktop.Notifications of the object exposed at the path
599 /org/freedesktop/Notifications by the client owning the bus name
600 org.freedesktop.Notifications on the session DBus.
601 dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Noti‐
603 fications.*@/org/freedesktop/Notifications
604 Allow the application to receive broadcast signals from the the
605 interface org.freedesktop.Notifications of the object exposed at
606 the path /org/freedesktop/Notifications by the client owning the
607 bus name org.freedesktop.Notifications on the session DBus.
608 nodbus (deprecated)
610 Disable D-Bus access (both system and session buses). Equivalent
611 to dbus-system none and dbus-user none.
612 Individual filters can be overridden via the --ignore command. Suppos‐
615 ing a profile has
616 [...]
617 dbus-user filter
618 dbus-user.own org.mozilla.firefox.*
619 dbus-user.talk org.freedesktop.Notifications
620 dbus-system none
621 [...]
622 and the user wants to disable notifications, this can be
624 achieved by putting the below in a local override file:
625 [...]
626 ignore dbus-user.talk org.freedesktop.Notifications
627 [...]
628
630 These profile entries define the limits on system resources (rlimits)
631 for the processes inside the sandbox. The limits can be modified in‐
632 side the sandbox using the regular ulimit command. cpu command config‐
633 ures the CPU cores available, and cgroup command place the sandbox in
634 an existing control group.
635 Examples:
637 cgroup /sys/fs/cgroup/g1/tasks
640 The sandbox is placed in g1 control group.
641 cpu 0,1,2
643 Use only CPU cores 0, 1 and 2.
644 nice -5
646 Set a nice value of -5 to all processes running inside the sand‐
647 box.
648 rlimit-as 123456789012
650 Set the maximum size of the process's virtual memory to
651 123456789012 bytes.
652 rlimit-cpu 123
654 Set the maximum CPU time in seconds.
655 rlimit-fsize 1024
657 Set the maximum file size that can be created by a process to
658 1024 bytes.
659 rlimit-nproc 1000
661 Set the maximum number of processes that can be created for the
662 real user ID of the calling process to 1000.
663 rlimit-nofile 500
665 Set the maximum number of files that can be opened by a process
666 to 500.
667 rlimit-sigpending 200
669 Set the maximum number of processes that can be created for the
670 real user ID of the calling process to 200.
671 timeout hh:mm:ss
673 Kill the sandbox automatically after the time has elapsed. The
674 time is specified in hours/minutes/seconds format.
675
678 allusers
679 All user home directories are visible inside the sandbox. By de‐
680 fault, only current user home directory is visible.
681 env name=value
684 Set environment variable. Examples:
685 env LD_LIBRARY_PATH=/opt/test/lib
687 env CFLAGS="-W -Wall -Werror"
688 ipc-namespace
691 Enable IPC namespace.
692 name sandboxname
694 Set sandbox name. Example:
695 name browser
697 no3d Disable 3D hardware acceleration.
700 noautopulse (deprecated)
702 See keep-config-pulse.
703 nodvd Disable DVD and audio CD devices.
705 nogroups
707 Disable supplementary user groups
708 noinput
710 Disable input devices.
711 nosound
713 Disable sound system.
714 notv Disable DVB (Digital Video Broadcasting) TV devices.
716 nou2f Disable U2F devices.
718 novideo
720 Disable video capture devices.
721 shell none
723 Run the program directly, without a shell.
724
728 Networking features available in profile files.
729 defaultgw address
732 Use this address as default gateway in the new network name‐
733 space.
734 dns address
737 Set a DNS server for the sandbox. Up to three DNS servers can be
738 defined.
739 hostname name
742 Set a hostname for the sandbox.
743 hosts-file file
746 Use file as /etc/hosts.
747 ip address
750 Assign IP addresses to the last network interface defined by a
751 net command. A default gateway is assigned by default.
752 Example:
754 net eth0
755 ip 10.10.20.56
756 ip none
759 No IP address and no default gateway are configured for the last
760 interface defined by a net command. Use this option in case you
761 intend to start an external DHCP client in the sandbox.
762 Example:
764 net eth0
765 ip none
766 ip dhcp
769 Acquire an IP address and default gateway for the last interface
770 defined by a net command, as well as set the DNS servers accord‐
771 ing to the DHCP response. This command requires the ISC
772 dhclient DHCP client to be installed and will start it automati‐
773 cally inside the sandbox.
774 Example:
776 net br0
777 ip dhcp
778 This command should not be used in conjunction with the dns com‐
780 mand if the DHCP server is set to configure DNS servers for the
781 clients, because the manually specified DNS servers will be
782 overwritten.
783 The DHCP client will NOT release the DHCP lease when the sandbox
785 terminates. If your DHCP server requires leases to be explic‐
786 itly released, consider running a DHCP client and releasing the
787 lease manually in conjunction with the net none command.
788 ip6 address
791 Assign IPv6 addresses to the last network interface defined by a
792 net command.
793 Example:
795 net eth0
796 ip6 2001:0db8:0:f101::1/64
797 ip6 dhcp
800 Acquire an IPv6 address and default gateway for the last inter‐
801 face defined by a net command, as well as set the DNS servers
802 according to the DHCP response. This command requires the ISC
803 dhclient DHCP client to be installed and will start it automati‐
804 cally inside the sandbox.
805 Example:
807 net br0
808 ip6 dhcp
809 This command should not be used in conjunction with the dns com‐
811 mand if the DHCP server is set to configure DNS servers for the
812 clients, because the manually specified DNS servers will be
813 overwritten.
814 The DHCP client will NOT release the DHCP lease when the sandbox
816 terminates. If your DHCP server requires leases to be explic‐
817 itly released, consider running a DHCP client and releasing the
818 lease manually.
819 iprange address,address
822 Assign an IP address in the provided range to the last network
823 interface defined by a net command. A default gateway is
824 assigned by default.
825 Example:
827 net eth0
829 iprange 192.168.1.150,192.168.1.160
830 mac address
833 Assign MAC addresses to the last network interface defined by a
834 net command.
835 machine-id
838 Spoof id number in /etc/machine-id file - a new random id is
839 generated inside the sandbox.
840 mtu number
843 Assign a MTU value to the last network interface defined by a
844 net command.
845 net bridge_interface
848 Enable a new network namespace and connect it to this bridge in‐
849 terface. Unless specified with option --ip and --defaultgw, an
850 IP address and a default gateway will be assigned automatically
851 to the sandbox. The IP address is verified using ARP before as‐
852 signment. The address configured as default gateway is the
853 bridge device IP address. Up to four --net bridge devices can be
854 defined. Mixing bridge and macvlan devices is allowed.
855 net ethernet_interface|wireless_interface
858 Enable a new network namespace and connect it to this ethernet
859 interface using the standard Linux macvlan or ipvlan driver. Un‐
860 less specified with option --ip and --defaultgw, an IP address
861 and a default gateway will be assigned automatically to the
862 sandbox. The IP address is verified using ARP before assignment.
863 The address configured as default gateway is the default gateway
864 of the host. Up to four --net devices can be defined. Mixing
865 bridge and macvlan devices is allowed.
866 net none
869 Enable a new, unconnected network namespace. The only interface
870 available in the new namespace is a new loopback interface (lo).
871 Use this option to deny network access to programs that don't
872 really need network access.
873 net tap_interface
876 Enable a new network namespace and connect it to this ethernet
877 tap interface using the standard Linux macvlan driver. If the
878 tap interface is not configured, the sandbox will not try to
879 configure the interface inside the sandbox. Please use ip, net‐
880 mask and defaultgw to specify the configuration.
881 netfilter
884 If a new network namespace is created, enabled default network
885 filter.
886 netfilter filename
889 If a new network namespace is created, enabled the network fil‐
890 ter in filename.
891 netmask address
895 Use this option when you want to assign an IP address in a new
896 namespace and the parent interface specified by --net is not
897 configured. An IP address and a default gateway address also
898 have to be added.
899 netns namespace
902 Run the program in a named, persistent network namespace. These
903 can be created and configured using "ip netns".
904 veth-name name
907 Use this name for the interface connected to the bridge for
908 --net=bridge_interface commands, instead of the default one.
909
911 deterministic-exit-code
912 Always exit firejail with the first child's exit status. The de‐
913 fault behavior is to use the exit status of the final child to
914 exit, which can be nondeterministic.
915 join-or-start sandboxname
918 Join the sandbox identified by name or start a new one. Same as
919 "firejail --join=sandboxname" command if sandbox with specified
920 name exists, otherwise same as "name sandboxname".
921
924 /etc/firejail/appname.profile
925 Global Firejail configuration consisting mainly of profiles for
926 each application supported by default.
927 $HOME/.config/firejail/appname.profile
930 User application profiles, will take precedence over the global
931 profiles.
932 /usr/share/doc/firejail/profile.template
935 Template for building new profiles.
936 /usr/share/doc/firejail/redirect_alias-profile.template
939 Template for aliasing/redirecting profiles.
940
943 Firejail is free software; you can redistribute it and/or modify it un‐
944 der the terms of the GNU General Public License as published by the
945 Free Software Foundation; either version 2 of the License, or (at your
946 option) any later version.
947 Homepage: https://firejail.wordpress.com
949
951 firejail(1), firemon(1), firecfg(1), firejail-login(5), firejail-
952 users(5), jailcheck(1)
953 ⟨https://github.com/netblue30/firejail/wiki/Creating-Profiles⟩
9550.9.66 Jan 2022 FIREJAIL-PROFILE(5)