FIREJAIL-PROFILE(5)        firejail profiles man page        FIREJAIL-PROFILE(5)

profile - Security profile file syntax, and information about building new
application profiles.

Using a specific profile:

        firejail --profile=filename.profile

        Example:
        $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage

        firejail --profile=profile_name

        Example:
        $ firejail --profile=kdenlive --appimage kdenlive.appimage

Building a profile manually:

        Start with the template in /usr/share/doc/firejail/profile.template
        and modify it in a text editor. To integrate the program in your
        desktop environment, copy the profile file into the ~/.config/firejail
        directory and run "sudo firecfg".

Aliases and redirections:

        In some cases the same profile can be used for several applications.
        One such example is LibreOffice. Build a regular profile for the main
        application, and for the rest use
        /usr/share/doc/firejail/redirect_alias-profile.template.

Running the profile builder:

        firejail --build=appname.profile appname

        Example:
        $ firejail --build=blobby.profile blobby

        Run the program in "firejail --build" and try to exercise as many
        program features as possible. The profile is extracted and saved in
        the current directory. Open it in a text editor and add or remove
        sandboxing options as necessary. Test again after modifying the
        profile. To integrate the program in your desktop environment, copy
        the profile file into the ~/.config/firejail directory and run
        "sudo firecfg".

Several command line options can be passed to the program using profile
files. Firejail chooses the profile file as follows:

1. If a profile file is provided by the user with --profile option, the
profile file is loaded. If a profile name is given, it is searched for first
in the ~/.config/firejail directory and if not found then in /etc/firejail
directory. Profile names do not include the .profile suffix. Example:

        $ firejail --profile=/home/netblue/icecat.profile icecat
        Reading profile /home/netblue/icecat.profile
        [...]

        $ firejail --profile=icecat icecat-wrapper.sh
        Reading profile /etc/firejail/icecat.profile
        [...]

2. If a profile file with the same name as the application is present in
~/.config/firejail directory or in /etc/firejail, the profile is loaded.
~/.config/firejail takes precedence over /etc/firejail. Example:

        $ firejail icecat
        Command name #icecat#
        Found icecat profile in /home/netblue/.config/firejail directory
        Reading profile /home/netblue/.config/firejail/icecat.profile
        [...]

3. Use a default.profile file if the sandbox is started by a regular user,
or a server.profile file if the sandbox is started by root. Firejail looks
for these files in ~/.config/firejail directory, followed by /etc/firejail
directory. To disable default profile loading, use --noprofile command
option. Example:

        $ firejail
        Reading profile /etc/firejail/default.profile
        Parent pid 8553, child pid 8554
        Child process initialized
        [...]

        $ firejail --noprofile
        Parent pid 8553, child pid 8554
        Child process initialized
        [...]
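
The lookup order in rules 1 to 3 above, as an added Python sketch (not
Firejail's own code) that reports which profile file would be chosen and
which system profiles are overridden by a user-level file. The directory
tree is constructed in a temporary directory; treating a --profile argument
that contains a path separator as a file name, and letting --noprofile skip
rule 2 as well, are assumptions of this sketch.

```python
import os
import tempfile


def resolve_profile(app, home, cfg="/etc/firejail", profile_arg=None,
                    is_root=False, noprofile=False):
    """Return the profile file selected by rules 1-3, or None."""
    # The user directory is always searched before the system directory.
    search = [os.path.join(home, ".config", "firejail"), cfg]

    def find(filename):
        for directory in search:
            candidate = os.path.join(directory, filename)
            if os.path.isfile(candidate):
                return candidate
        return None

    # Rule 1: --profile. Assumption: an argument with a path separator is a
    # file name; anything else is a profile name without the .profile suffix.
    if profile_arg is not None:
        if os.sep in profile_arg:
            return profile_arg if os.path.isfile(profile_arg) else None
        return find(profile_arg + ".profile")
    # Assumption: --noprofile skips rule 2 as well as the default profile.
    if noprofile:
        return None
    # Rule 2: a profile named after the application.
    found = find(os.path.basename(app) + ".profile")
    if found:
        return found
    # Rule 3: default.profile for regular users, server.profile for root.
    return find("server.profile" if is_root else "default.profile")


def shadowed_system_profiles(home, cfg="/etc/firejail"):
    """System profiles that a file in ~/.config/firejail takes precedence over."""
    user_dir = os.path.join(home, ".config", "firejail")
    if not os.path.isdir(user_dir):
        return []
    return sorted(name for name in os.listdir(user_dir)
                  if name.endswith(".profile")
                  and os.path.isfile(os.path.join(cfg, name)))


def build_sample_tree(root):
    """Constructed layout: icecat in both directories, vlc only in cfg."""
    home = os.path.join(root, "home", "netblue")
    cfg = os.path.join(root, "etc", "firejail")
    user_dir = os.path.join(home, ".config", "firejail")
    os.makedirs(user_dir)
    os.makedirs(cfg)
    for path in (os.path.join(user_dir, "icecat.profile"),
                 os.path.join(cfg, "icecat.profile"),
                 os.path.join(cfg, "vlc.profile"),
                 os.path.join(cfg, "default.profile"),
                 os.path.join(cfg, "server.profile")):
        open(path, "w").close()
    return home, cfg


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        home, cfg = build_sample_tree(root)
        for app in ("icecat", "vlc", "unknown-app"):
            print(app, "->", resolve_profile(app, home, cfg))
        print("user overrides:", shadowed_system_profiles(home, cfg))
```

Because the user directory wins, reviewing the output of
shadowed_system_profiles() shows where a user-writable file replaces the
packaged policy for an application.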

In /usr/share/doc/firejail there are two templates to write new profiles.

        profile.template - for regular profiles
        redirect_alias-profile.template - for aliasing/redirecting profiles

Scripting commands:

File and directory names
        File and directory names containing spaces are supported. The space
        character ' ' should not be escaped.

        Example: "blacklist ~/My Virtual Machines"

# this is a comment
        Example:

        # disable networking
        net none # this command creates an empty network namespace

?CONDITIONAL: profile line
        Conditionally add profile line.

        Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"

        This example will load the whitelist profile line only if the
        --appimage option has been specified on the command line.

        Currently the only conditionals supported this way are HAS_APPIMAGE,
        HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The
        conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM can be enabled
        or disabled globally in Firejail's configuration file.

        The profile line may be any profile line that you would normally use
        in a profile except for "quiet" and "include" lines.

include other.profile
        Include other.profile file.

        Example: "include /etc/firejail/disable-common.inc"

        The file name can be prefixed with a macro such as ${HOME} or ${CFG}.
        ${HOME} is expanded as user home directory, and ${CFG} is expanded as
        Firejail system configuration directory - in most cases /etc/firejail
        or /usr/local/etc/firejail.

        Example: "include ${HOME}/myprofiles/profile1" will load
        "~/myprofiles/profile1" file.

        Example: "include ${CFG}/firefox.profile" will load
        "/etc/firejail/firefox.profile" file.

        The file name may also be just the name without the leading directory
        components. In this case, first the user config directory
        (${HOME}/.config/firejail) is searched for the file name and if not
        found then the system configuration directory is searched for the
        file name. Note: Unlike the --profile option which takes a profile
        name without the '.profile' suffix, include must be given the full
        file name.

        Example: "include firefox.profile" will load
        "${HOME}/.config/firejail/firefox.profile" file and if it does not
        exist "${CFG}/firefox.profile" will be loaded.

        System configuration files in ${CFG} are overwritten during software
        installation. Persistent configuration at system level is handled in
        ".local" files. For every profile file in ${CFG} directory, the user
        can create a corresponding .local file storing modifications to the
        persistent configuration. Persistent .local files are included at the
        start of regular profile files.

noblacklist file_name
        If the file name matches file_name, the file will not be blacklisted
        in any blacklist commands that follow.

        Example: "noblacklist ${HOME}/.mozilla"

nowhitelist file_name
        If the file name matches file_name, the file will not be whitelisted
        in any whitelist commands that follow.

        Example: "nowhitelist ~/.config"

ignore  Ignore command.

        Example: "ignore seccomp"
        Example: "ignore net eth0"

quiet   Disable Firejail's output. This should be the first uncommented
        command in the profile file.

        Example: "quiet"

These profile entries define a chroot filesystem built on top of the existing
host filesystem. Each line describes a file/directory that is inaccessible
(blacklist), a read-only file or directory (read-only), a tmpfs mounted on
top of an existing directory (tmpfs), or mount-bind a directory or file on
top of another directory or file (bind). Use private to set private mode.
File globbing is supported, and PATH and HOME directories are searched, see
the firejail FILE GLOBBING section for more details. Examples:

blacklist file_or_directory
        Blacklist directory or file. Examples:

        blacklist /usr/bin
        blacklist /usr/bin/gcc*
        blacklist ${PATH}/ifconfig
        blacklist ${HOME}/.ssh

blacklist-nolog file_or_directory
        When --tracelog flag is set, blacklisting generates syslog messages
        if the sandbox tries to access the file or directory. blacklist-nolog
        command disables syslog messages for this particular file or
        directory. Examples:

        blacklist-nolog /usr/bin
        blacklist-nolog /usr/bin/gcc*

bind directory1,directory2
        Mount-bind directory1 on top of directory2. This option is only
        available when running as root.

bind file1,file2
        Mount-bind file1 on top of file2. This option is only available when
        running as root.

disable-mnt
        Disable /mnt, /media, /run/mount and /run/media access.

keep-config-pulse
        Disable automatic ~/.config/pulse init, for complex setups such as
        remote pulse servers or non-standard socket paths.

keep-dev-shm
        /dev/shm directory is untouched (even with private-dev).

keep-var-tmp
        /var/tmp directory is untouched.

mkdir directory
        Create a directory in user home, under /tmp, or under
        /run/user/<UID> before the sandbox is started. The directory is
        created if it doesn't already exist.

        Use this command for whitelisted directories you need to preserve
        when the sandbox is closed. Without it, the application will create
        the directory, and the directory will be deleted when the sandbox is
        closed. Subdirectories are recursively created. Example from firefox
        profile:

        mkdir ~/.mozilla
        whitelist ~/.mozilla
        mkdir ~/.cache/mozilla/firefox
        whitelist ~/.cache/mozilla/firefox

        For files in /run/user/<UID> use ${RUNUSER} macro:

        mkdir ${RUNUSER}/firejail-testing

mkfile file
        Similar to mkdir, this command creates an empty file in user home, or
        /tmp, or under /run/user/<UID> before the sandbox is started. The
        file is created if it doesn't already exist.

noexec file_or_directory
        Remount the file or the directory noexec, nodev and nosuid.

private
        Mount new /root and /home/user directories in temporary filesystems.
        All modifications are discarded when the sandbox is closed.

private directory
        Use directory as user home.

private-bin file,file
        Build a new /bin in a temporary filesystem, and copy the programs in
        the list. The files in the list must be expressed as relative to the
        /bin, /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories. The
        same directory is also bind-mounted over /sbin, /usr/bin and
        /usr/sbin.

private-cache
        Mount an empty temporary filesystem on top of the .cache directory in
        user home. All modifications are discarded when the sandbox is
        closed.

private-cwd
        Set working directory inside jail to the home directory, and failing
        that, the root directory.

private-cwd directory
        Set working directory inside the jail.

private-dev
        Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full,
        zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb
        devices are available. Use the options no3d, nodvd, nosound, notv,
        nou2f and novideo for additional restrictions.

private-etc file,directory
        Build a new /etc in a temporary filesystem, and copy the files and
        directories in the list. The files and directories in the list must
        be expressed as relative to the /etc directory, and must not contain
        the / character (e.g., /etc/foo must be expressed as foo, but
        /etc/foo/bar -- expressed as foo/bar -- is disallowed). All
        modifications are discarded when the sandbox is closed.

private-home file,directory
        Build a new user home in a temporary filesystem, and copy the files
        and directories in the list in the new home. The files and
        directories in the list must be expressed as relative to the current
        user's home directory. All modifications are discarded when the
        sandbox is closed.

private-lib file,directory
        Build a new /lib directory and bring in the libraries required by the
        application to run. The files and directories in the list must be
        expressed as relative to the /lib directory. This feature is still
        under development, see man 1 firejail for some examples.

private-opt file,directory
        Build a new /opt in a temporary filesystem, and copy the files and
        directories in the list. The files and directories in the list must
        be expressed as relative to the /opt directory, and must not contain
        the / character (e.g., /opt/foo must be expressed as foo, but
        /opt/foo/bar -- expressed as foo/bar -- is disallowed). All
        modifications are discarded when the sandbox is closed.

private-srv file,directory
        Build a new /srv in a temporary filesystem, and copy the files and
        directories in the list. The files and directories in the list must
        be expressed as relative to the /srv directory, and must not contain
        the / character (e.g., /srv/foo must be expressed as foo, but
        /srv/foo/bar -- expressed as foo/bar -- is disallowed). All
        modifications are discarded when the sandbox is closed.

private-tmp
        Mount an empty temporary filesystem on top of /tmp directory
        whitelisting /tmp/.X11-unix.

read-only file_or_directory
        Make directory or file read-only.

read-write file_or_directory
        Make directory or file read-write.

tmpfs directory
        Mount an empty tmpfs filesystem on top of directory. Directories
        outside user home or not owned by the user are not allowed. Sandboxes
        running as root are exempt from these restrictions.

tracelog
        Blacklist violations logged to syslog.

whitelist file_or_directory
        Whitelist directory or file. A temporary file system is mounted on
        the top directory, and the whitelisted files are mount-binded inside.
        Modifications to whitelisted files are persistent, everything else is
        discarded when the sandbox is closed. The top directory can be all
        directories in / (except /proc and /sys), /sys/module,
        /run/user/$UID, $HOME and all directories in /usr.

        Symbolic link handling: with the exception of user home, both the
        link and the real file should be in the same top directory. For user
        home, both the link and the real file should be owned by the user.

writable-etc
        Mount /etc directory read-write.

writable-run-user
        Disable the default blacklisting of /run/user/$UID/systemd and
        /run/user/$UID/gnupg.

writable-var
        Mount /var directory read-write.

writable-var-log
        Use the real /var/log directory, not a clone. By default, a tmpfs is
        mounted on top of /var/log directory, and a skeleton filesystem is
        created based on the original /var/log.

The following security filters are currently implemented:

allow-debuggers
        Allow tools such as strace and gdb inside the sandbox by whitelisting
        system calls ptrace and process_vm_readv.

caps    Enable default Linux capabilities filter.

caps.drop capability,capability,capability
        Blacklist given Linux capabilities.

caps.drop all
        Blacklist all Linux capabilities.

caps.keep capability,capability,capability
        Whitelist given Linux capabilities.

memory-deny-write-execute
        Install a seccomp filter to block attempts to create memory mappings
        that are both writable and executable, to change mappings to be
        executable or to create executable shared memory.

nonewprivs
        Sets the NO_NEW_PRIVS prctl. This ensures that child processes cannot
        acquire new privileges using execve(2); in particular, this means
        that calling a suid binary (or one with file capabilities) does not
        result in an increase of privilege.

noroot  Use this command to enable a user namespace. The namespace has only
        one user, the current user. There is no root account (uid 0) defined
        in the namespace.

protocol protocol1,protocol2,protocol3
        Enable protocol filter. The filter is based on seccomp and checks the
        first argument to socket system call. Recognized values: unix, inet,
        inet6, netlink, packet and bluetooth.

seccomp
        Enable seccomp filter and blacklist the syscalls in the default list.
        See man 1 firejail for more details.

seccomp.32
        Enable seccomp filter and blacklist the syscalls in the default list
        for 32 bit system calls on a 64 bit architecture system.

seccomp syscall,syscall,syscall
        Enable seccomp filter and blacklist the system calls in the list on
        top of default seccomp filter.

seccomp.32 syscall,syscall,syscall
        Enable seccomp filter and blacklist the system calls in the list on
        top of default seccomp filter for 32 bit system calls on a 64 bit
        architecture system.

seccomp.block-secondary
        Enable seccomp filter and filter system call architectures so that
        only the native architecture is allowed.

seccomp.drop syscall,syscall,syscall
        Enable seccomp filter and blacklist the system calls in the list.

seccomp.32.drop syscall,syscall,syscall
        Enable seccomp filter and blacklist the system calls in the list for
        32 bit system calls on a 64 bit architecture system.

seccomp.keep syscall,syscall,syscall
        Enable seccomp filter and whitelist the system calls in the list.

seccomp.32.keep syscall,syscall,syscall
        Enable seccomp filter and whitelist the system calls in the list for
        32 bit system calls on a 64 bit architecture system.

seccomp-error-action kill | log | ERRNO
        Return a different error instead of EPERM to the process, kill it
        when an attempt is made to call a blocked system call, or allow but
        log the attempt.

x11     Enable X11 sandboxing.

x11 none
        Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file
        specified in ${XAUTHORITY} environment variable. Remove DISPLAY and
        XAUTHORITY environment variables. Stop with error message if X11
        abstract socket will be accessible in jail.

x11 xephyr
        Enable X11 sandboxing with Xephyr server.

x11 xorg
        Enable X11 sandboxing with X11 security extension.

x11 xpra
        Enable X11 sandboxing with Xpra server.

x11 xvfb
        Enable X11 sandboxing with Xvfb server.

xephyr-screen WIDTHxHEIGHT
        Set screen size for x11 xephyr. This command should be included in
        the profile file before x11 xephyr command.

        Example:

        xephyr-screen 640x480
        x11 xephyr
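
Several ordering and syntax rules stated above can be checked mechanically:
quiet first, the supported conditionals, noblacklist before blacklist, no /
in private-etc, private-opt and private-srv entries, and xephyr-screen
before x11 xephyr. The following Python linter is an added example, not part
of Firejail; the sample profile and the finding labels are constructed,
include files are not followed, file names are compared literally, and
every '#' is assumed to start a comment.

```python
CONDITIONALS = {"HAS_APPIMAGE", "HAS_NET", "HAS_NODBUS", "HAS_NOSOUND",
                "HAS_PRIVATE", "HAS_X11", "BROWSER_DISABLE_U2F",
                "BROWSER_ALLOW_DRM"}
NO_SLASH_LISTS = ("private-etc", "private-opt", "private-srv")


def commands(text):
    """Yield (line_number, command) with comments and blank lines removed."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if line:
            yield number, line


def lint_profile(text):
    """Return a list of (line_number, finding) for the rules named above."""
    findings = []
    seen_command = False
    blacklisted = []      # arguments of blacklist commands seen so far
    xephyr_started = False
    for number, line in commands(text):
        is_first = not seen_command
        seen_command = True
        if line.startswith("?"):
            condition, colon, rest = line[1:].partition(":")
            if not colon or condition.strip() not in CONDITIONALS:
                findings.append((number, "unknown-conditional"))
                continue
            line = rest.strip()
            # "quiet" and "include" may not be made conditional.
            if line.split(" ")[0] in ("quiet", "include"):
                findings.append((number, "conditional-not-allowed"))
        command, _, argument = line.partition(" ")
        argument = argument.strip()
        if command == "quiet" and not is_first:
            findings.append((number, "quiet-not-first"))
        elif command in NO_SLASH_LISTS:
            if any("/" in entry for entry in argument.split(",")):
                findings.append((number, "slash-in-" + command))
        elif command in ("blacklist", "blacklist-nolog"):
            blacklisted.append(argument)
        elif command == "noblacklist" and argument in blacklisted:
            # noblacklist only affects blacklist commands that follow it.
            findings.append((number, "noblacklist-after-blacklist"))
        elif command == "x11" and argument == "xephyr":
            xephyr_started = True
        elif command == "xephyr-screen" and xephyr_started:
            findings.append((number, "xephyr-screen-after-x11"))
    return findings


# Constructed sample profile with six deliberate mistakes.
SAMPLE_PROFILE = """\
# constructed sample, not a shipped Firejail profile
include globals.local
quiet
blacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh
private-etc fonts,ssl/certs,hosts
?HAS_X11: include x11-extra.inc
?HAS_WAYLAND: nosound
x11 xephyr
xephyr-screen 640x480
net none   # this command creates an empty network namespace
"""

if __name__ == "__main__":
    for number, finding in lint_profile(SAMPLE_PROFILE):
        print("line %d: %s" % (number, finding))
```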

Access to the session and system DBus UNIX sockets can be allowed, filtered
or disabled. To disable the abstract sockets (and force applications to use
the filtered UNIX socket) you would need to request a new network namespace
using --net command. Another option is to remove unix from the --protocol
set.

Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be
specified for well-known DBus names, but they are also propagated to the
owning unique name. The permissions are "sticky" and are kept even if the
corresponding well-known name is released (however, applications rarely
release well-known names in practice). Names may have a .* suffix to match
all names underneath them, including themselves (e.g. "foo.bar.*" matches
"foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more
information, see xdg-dbus-proxy(1).

Examples:

dbus-system filter
        Enable filtered access to the system DBus. Filters can be specified
        with the dbus-system.talk and dbus-system.own commands.

dbus-system none
        Disable access to the system DBus. Once access is disabled, it cannot
        be relaxed to filtering.

dbus-system.own org.gnome.ghex.*
        Allow the application to own the name org.gnome.ghex and all names
        underneath it on the system DBus.

dbus-system.talk org.freedesktop.Notifications
        Allow the application to talk to the name
        org.freedesktop.Notifications on the system DBus.

dbus-system.see org.freedesktop.Notifications
        Allow the application to see but not talk to the name
        org.freedesktop.Notifications on the system DBus.

dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
        Allow the application to call methods of the interface
        org.freedesktop.Notifications of the object exposed at the path
        /org/freedesktop/Notifications by the client owning the bus name
        org.freedesktop.Notifications on the system DBus.

dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
        Allow the application to receive broadcast signals from the interface
        org.freedesktop.Notifications of the object exposed at the path
        /org/freedesktop/Notifications by the client owning the bus name
        org.freedesktop.Notifications on the system DBus.

dbus-user filter
        Enable filtered access to the session DBus. Filters can be specified
        with the dbus-user.talk and dbus-user.own commands.

dbus-user none
        Disable access to the session DBus. Once access is disabled, it
        cannot be relaxed to filtering.

dbus-user.own org.gnome.ghex.*
        Allow the application to own the name org.gnome.ghex and all names
        underneath it on the session DBus.

dbus-user.talk org.freedesktop.Notifications
        Allow the application to talk to the name
        org.freedesktop.Notifications on the session DBus.

dbus-user.see org.freedesktop.Notifications
        Allow the application to see but not talk to the name
        org.freedesktop.Notifications on the session DBus.

dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
        Allow the application to call methods of the interface
        org.freedesktop.Notifications of the object exposed at the path
        /org/freedesktop/Notifications by the client owning the bus name
        org.freedesktop.Notifications on the session DBus.

dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
        Allow the application to receive broadcast signals from the interface
        org.freedesktop.Notifications of the object exposed at the path
        /org/freedesktop/Notifications by the client owning the bus name
        org.freedesktop.Notifications on the session DBus.

nodbus (deprecated)
        Disable D-Bus access (both system and session buses). Equivalent to
        dbus-system none and dbus-user none.

Individual filters can be overridden via the --ignore command. Supposing a
profile has

        [...]
        dbus-user filter
        dbus-user.own org.mozilla.firefox.*
        dbus-user.talk org.freedesktop.Notifications
        dbus-system none
        [...]

and the user wants to disable notifications, this can be achieved by putting
the below in a local override file:

        [...]
        ignore dbus-user.talk org.freedesktop.Notifications
        [...]
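
The .* name matching and the ignore override described above, as an added
Python sketch (not Firejail or xdg-dbus-proxy code) that computes which DBus
rules remain in force for a bus name once a .local override is applied. The
profile and override text are the ones shown above; matching an ignore entry
against a whole command or its leading words is an assumption of this
sketch.

```python
DBUS_VERBS = ("talk", "own", "see", "call", "broadcast")


def name_matches(pattern, name):
    """'foo.bar.*' matches 'foo.bar' and all names under it, not 'foobar'."""
    if pattern.endswith(".*"):
        base = pattern[:-2]
        return name == base or name.startswith(base + ".")
    return name == pattern


def effective_dbus_policy(profile_text, local_text=""):
    """Return {'user'|'system': {'mode': ..., 'rules': [(verb, name)]}}."""
    ignored = []
    policy = {bus: {"mode": "allow", "rules": []} for bus in ("user", "system")}
    # .local files are included at the start of the profile, so their ignore
    # lines are in force before the profile's own commands are read.
    for raw in (local_text + "\n" + profile_text).splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if not line or line == "[...]":
            continue
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):])
            continue
        # Assumption: an ignore entry suppresses the identical command or a
        # command that begins with the same words.
        if any(line == entry or line.startswith(entry + " ") for entry in ignored):
            continue
        if line == "nodbus":  # deprecated: both buses set to none
            for bus_policy in policy.values():
                bus_policy["mode"] = "none"
            continue
        command, _, argument = line.partition(" ")
        if not command.startswith("dbus-"):
            continue
        bus, _, verb = command[len("dbus-"):].partition(".")
        if bus not in policy:
            continue
        if not verb:
            # Once access is disabled it cannot be relaxed to filtering.
            if policy[bus]["mode"] != "none":
                policy[bus]["mode"] = argument
        elif verb in DBUS_VERBS:
            # call/broadcast arguments look like NAME=RULE; keep the bus name.
            policy[bus]["rules"].append((verb, argument.split("=", 1)[0]))
    return policy


def matching_rules(policy, bus, name):
    """Filter rules on the given bus whose name pattern covers `name`."""
    if policy[bus]["mode"] != "filter":
        return []
    return [(verb, pattern) for verb, pattern in policy[bus]["rules"]
            if name_matches(pattern, name)]


PROFILE = """\
dbus-user filter
dbus-user.own org.mozilla.firefox.*
dbus-user.talk org.freedesktop.Notifications
dbus-system none
"""
LOCAL_OVERRIDE = "ignore dbus-user.talk org.freedesktop.Notifications\n"

if __name__ == "__main__":
    for label, local in (("profile only", ""), ("with override", LOCAL_OVERRIDE)):
        policy = effective_dbus_policy(PROFILE, local)
        print(label, matching_rules(policy, "user", "org.freedesktop.Notifications"))
```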

These profile entries define the limits on system resources (rlimits) for the
processes inside the sandbox. The limits can be modified inside the sandbox
using the regular ulimit command. The cpu command configures the CPU cores
available, and the cgroup command places the sandbox in an existing control
group.

Examples:

cgroup /sys/fs/cgroup/g1/tasks
        The sandbox is placed in g1 control group.

cpu 0,1,2
        Use only CPU cores 0, 1 and 2.

nice -5
        Set a nice value of -5 to all processes running inside the sandbox.

rlimit-as 123456789012
        Set the maximum size of the process's virtual memory to 123456789012
        bytes.

rlimit-cpu 123
        Set the maximum CPU time in seconds.

rlimit-fsize 1024
        Set the maximum file size that can be created by a process to 1024
        bytes.

rlimit-nproc 1000
        Set the maximum number of processes that can be created for the real
        user ID of the calling process to 1000.

rlimit-nofile 500
        Set the maximum number of files that can be opened by a process to
        500.

rlimit-sigpending 200
        Set the maximum number of processes that can be created for the real
        user ID of the calling process to 200.

timeout hh:mm:ss
        Kill the sandbox automatically after the time has elapsed. The time
        is specified in hours/minutes/seconds format.

allusers
        All user home directories are visible inside the sandbox. By default,
        only current user home directory is visible.

env name=value
        Set environment variable. Examples:

        env LD_LIBRARY_PATH=/opt/test/lib
        env CFLAGS="-W -Wall -Werror"

ipc-namespace
        Enable IPC namespace.

name sandboxname
        Set sandbox name. Example:

        name browser

no3d    Disable 3D hardware acceleration.

noautopulse (deprecated)
        See keep-config-pulse.

nodvd   Disable DVD and audio CD devices.

nogroups
        Disable supplementary user groups.

noinput
        Disable input devices.

nosound
        Disable sound system.

notv    Disable DVB (Digital Video Broadcasting) TV devices.

nou2f   Disable U2F devices.

novideo
        Disable video capture devices.

shell none
        Run the program directly, without a shell.

Networking features available in profile files.

defaultgw address
        Use this address as default gateway in the new network namespace.

dns address
        Set a DNS server for the sandbox. Up to three DNS servers can be
        defined.

hostname name
        Set a hostname for the sandbox.

hosts-file file
        Use file as /etc/hosts.

ip address
        Assign IP addresses to the last network interface defined by a net
        command. A default gateway is assigned by default.

        Example:
        net eth0
        ip 10.10.20.56

ip none
        No IP address and no default gateway are configured for the last
        interface defined by a net command. Use this option in case you
        intend to start an external DHCP client in the sandbox.

        Example:
        net eth0
        ip none

ip dhcp
        Acquire an IP address and default gateway for the last interface
        defined by a net command, as well as set the DNS servers according to
        the DHCP response. This command requires the ISC dhclient DHCP client
        to be installed and will start it automatically inside the sandbox.

        Example:
        net br0
        ip dhcp

        This command should not be used in conjunction with the dns command
        if the DHCP server is set to configure DNS servers for the clients,
        because the manually specified DNS servers will be overwritten.

        The DHCP client will NOT release the DHCP lease when the sandbox
        terminates. If your DHCP server requires leases to be explicitly
        released, consider running a DHCP client and releasing the lease
        manually in conjunction with the net none command.

ip6 address
        Assign IPv6 addresses to the last network interface defined by a net
        command.

        Example:
        net eth0
        ip6 2001:0db8:0:f101::1/64

ip6 dhcp
        Acquire an IPv6 address and default gateway for the last interface
        defined by a net command, as well as set the DNS servers according to
        the DHCP response. This command requires the ISC dhclient DHCP client
        to be installed and will start it automatically inside the sandbox.

        Example:
        net br0
        ip6 dhcp

        This command should not be used in conjunction with the dns command
        if the DHCP server is set to configure DNS servers for the clients,
        because the manually specified DNS servers will be overwritten.

        The DHCP client will NOT release the DHCP lease when the sandbox
        terminates. If your DHCP server requires leases to be explicitly
        released, consider running a DHCP client and releasing the lease
        manually.

iprange address,address
        Assign an IP address in the provided range to the last network
        interface defined by a net command. A default gateway is assigned by
        default.

        Example:

        net eth0
        iprange 192.168.1.150,192.168.1.160

mac address
        Assign MAC addresses to the last network interface defined by a net
        command.

machine-id
        Spoof id number in /etc/machine-id file - a new random id is
        generated inside the sandbox.

mtu number
        Assign an MTU value to the last network interface defined by a net
        command.

net bridge_interface
        Enable a new network namespace and connect it to this bridge
        interface. Unless specified with option --ip and --defaultgw, an IP
        address and a default gateway will be assigned automatically to the
        sandbox. The IP address is verified using ARP before assignment. The
        address configured as default gateway is the bridge device IP
        address. Up to four --net bridge devices can be defined. Mixing
        bridge and macvlan devices is allowed.

net ethernet_interface|wireless_interface
        Enable a new network namespace and connect it to this ethernet
        interface using the standard Linux macvlan or ipvlan driver. Unless
        specified with option --ip and --defaultgw, an IP address and a
        default gateway will be assigned automatically to the sandbox. The IP
        address is verified using ARP before assignment. The address
        configured as default gateway is the default gateway of the host. Up
        to four --net devices can be defined. Mixing bridge and macvlan
        devices is allowed.

net none
        Enable a new, unconnected network namespace. The only interface
        available in the new namespace is a new loopback interface (lo). Use
        this option to deny network access to programs that don't really need
        network access.

net tap_interface
        Enable a new network namespace and connect it to this ethernet tap
        interface using the standard Linux macvlan driver. If the tap
        interface is not configured, the sandbox will not try to configure
        the interface inside the sandbox. Please use ip, netmask and
        defaultgw to specify the configuration.

netfilter
        If a new network namespace is created, enable the default network
        filter.

netfilter filename
        If a new network namespace is created, enable the network filter in
        filename.

netmask address
        Use this option when you want to assign an IP address in a new
        namespace and the parent interface specified by --net is not
        configured. An IP address and a default gateway address also have to
        be added.

netns namespace
        Run the program in a named, persistent network namespace. These can
        be created and configured using "ip netns".

veth-name name
        Use this name for the interface connected to the bridge for
        --net=bridge_interface commands, instead of the default one.

deterministic-exit-code
        Always exit firejail with the first child's exit status. The default
        behavior is to use the exit status of the final child to exit, which
        can be nondeterministic.

join-or-start sandboxname
        Join the sandbox identified by name or start a new one. Same as
        "firejail --join=sandboxname" command if sandbox with specified name
        exists, otherwise same as "name sandboxname".

/etc/firejail/appname.profile
        Global Firejail configuration consisting mainly of profiles for each
        application supported by default.

$HOME/.config/firejail/appname.profile
        User application profiles, will take precedence over the global
        profiles.

/usr/share/doc/firejail/profile.template
        Template for building new profiles.

/usr/share/doc/firejail/redirect_alias-profile.template
        Template for aliasing/redirecting profiles.

Firejail is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

Homepage: https://firejail.wordpress.com

firejail(1), firemon(1), firecfg(1), firejail-login(5), firejail-users(5),
jailcheck(1)

⟨https://github.com/netblue30/firejail/wiki/Creating-Profiles⟩

0.9.66                          Jan 2022                  FIREJAIL-PROFILE(5)