FIREJAIL-PROFILE(5)       firejail profiles man page       FIREJAIL-PROFILE(5)


NAME

       profile - Security profile file syntax, and information about building
       new application profiles.



SYNOPSIS

       Using a specific profile:

              firejail --profile=filename.profile

                     Example:
                     $ firejail --profile=/etc/firejail/kdenlive.profile --appimage kdenlive.appimage


              firejail --profile=profile_name

                     Example:
                     $ firejail --profile=kdenlive --appimage kdenlive.appimage


       Building a profile manually:

              Start with the template in /usr/share/doc/firejail/profile.template
              and modify it in a text editor.  To integrate the program in your
              desktop environment, copy the profile file into the
              ~/.config/firejail directory and run "sudo firecfg".

       Aliases and redirections:

              In some cases the same profile can be used for several
              applications.  One such example is LibreOffice.  Build a regular
              profile for the main application, and for the rest use
              /usr/share/doc/firejail/redirect_alias-profile.template.

       Running the profile builder:

              firejail --build=appname.profile appname

                     Example:
                     $ firejail --build=blobby.profile blobby

                     Run the program under "firejail --build" and try to
                     exercise as many program features as possible.  The
                     profile is extracted and saved in the current directory.
                     Open it in a text editor and add or remove sandboxing
                     options as necessary.  Test again after modifying the
                     profile.  To integrate the program in your desktop
                     environment, copy the profile file into the
                     ~/.config/firejail directory and run "sudo firecfg".


DESCRIPTION

       Several command line options can be passed to the program using profile
       files.  Firejail chooses the profile file as follows:

       1. If a profile file is provided by the user with the --profile option,
       that profile file is loaded.  If a profile name is given instead, it is
       searched for first in the ~/.config/firejail directory and, if not found
       there, in the /etc/firejail directory.  Profile names do not include the
       .profile suffix.  Example:

              $ firejail --profile=/home/netblue/icecat.profile icecat
              Reading profile /home/netblue/icecat.profile
              [...]


              $ firejail --profile=icecat icecat-wrapper.sh
              Reading profile /etc/firejail/icecat.profile
              [...]

       2. If a profile file with the same name as the application is present
       in the ~/.config/firejail directory or in /etc/firejail, that profile is
       loaded.  ~/.config/firejail takes precedence over /etc/firejail.
       Example:

              $ firejail icecat
              Command name #icecat#
              Found icecat profile in /home/netblue/.config/firejail directory
              Reading profile /home/netblue/.config/firejail/icecat.profile
              [...]

       3. Otherwise, use a default.profile file if the sandbox is started by a
       regular user, or a server.profile file if the sandbox is started by
       root.  Firejail looks for these files in the ~/.config/firejail
       directory, followed by the /etc/firejail directory.  To disable default
       profile loading, use the --noprofile command line option.  Example:

              $ firejail
              Reading profile /etc/firejail/default.profile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]

              $ firejail --noprofile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]



Templates

       In /usr/share/doc/firejail there are two templates for writing new
       profiles:
              profile.template - for regular profiles
              redirect_alias-profile.template - for aliasing/redirecting
              profiles




Scripting

       Scripting commands:


       File and directory names
              File and directory names containing spaces are supported.  The
              space character ' ' should not be escaped.

              Example: "blacklist ~/My Virtual Machines"


       # this is a comment
              Example:

              # disable networking
              net none # this command creates an empty network namespace


       ?CONDITIONAL: profile line
              Conditionally add profile line.

              Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"

              This example will load the whitelist profile line only if the
              --appimage option has been specified on the command line.

              Currently the only conditionals supported this way are
              HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and
              HAS_X11.  The conditionals BROWSER_DISABLE_U2F and
              BROWSER_ALLOW_DRM can be enabled or disabled globally in
              Firejail's configuration file.

              The profile line may be any profile line that you would normally
              use in a profile except for "quiet" and "include" lines.


       include other.profile
              Include the other.profile file.

              Example: "include /etc/firejail/disable-common.inc"

              The file name can be prefixed with a macro such as ${HOME} or
              ${CFG}.  ${HOME} is expanded as the user home directory, and
              ${CFG} is expanded as the Firejail system configuration
              directory - in most cases /etc/firejail or
              /usr/local/etc/firejail.

              Example: "include ${HOME}/myprofiles/profile1" will load the
              "~/myprofiles/profile1" file.

              Example: "include ${CFG}/firefox.profile" will load the
              "/etc/firejail/firefox.profile" file.

              The file name may also be just the name without the leading
              directory components.  In this case, first the user config
              directory (${HOME}/.config/firejail) is searched for the file
              name and, if it is not found there, the system configuration
              directory is searched for it.  Note: unlike the --profile
              option, which takes a profile name without the '.profile'
              suffix, include must be given the full file name.

              Example: "include firefox.profile" will load the
              "${HOME}/.config/firejail/firefox.profile" file and, if it does
              not exist, "${CFG}/firefox.profile" will be loaded.

              System configuration files in ${CFG} are overwritten during
              software installation.  Persistent configuration at system
              level is handled in ".local" files.  For every profile file in
              the ${CFG} directory, the user can create a corresponding .local
              file storing modifications to the persistent configuration.
              Persistent .local files are included at the start of regular
              profile files, so commands such as ignore and noblacklist placed
              there take effect on everything that follows.


       noblacklist file_name
              If the file name matches file_name, the file will not be
              blacklisted in any blacklist commands that follow.

              Example: "noblacklist ${HOME}/.mozilla"


       nowhitelist file_name
              If the file name matches file_name, the file will not be
              whitelisted in any whitelist commands that follow.

              Example: "nowhitelist ~/.config"


       ignore command
              Ignore the given command in the profile lines that follow.  An
              argument may be given to ignore only that form of the command.

              Example: "ignore seccomp"
              Example: "ignore net eth0"

       quiet  Disable Firejail's output.  This should be the first uncommented
              command in the profile file.

              Example: "quiet"


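       The lookup and scripting rules above (profile name versus path, include
       search order, a .local override read first, comments, conditionals,
       ignore, and noblacklist suppressing later blacklist lines) can be
       exercised offline with the following small resolver.  It is an added
       example, not code from the firejail project.  The ~/.config/firejail
       and /etc/firejail layout it reads is constructed in a temporary
       directory, and its matching is a simplification of firejail's: paths
       are compared exactly after macro expansion, ignore applies only to the
       lines that follow it, and a missing .local include is skipped rather
       than reported (all three are assumptions, marked in the code).

```python
"""Toy resolver for the profile rules documented above (added example, not
firejail's own code).  Models --profile lookup, include lookup with
${HOME}/${CFG} macros and bare names, a .local override, comments,
?CONDITIONAL: lines, ignore, and noblacklist/nowhitelist suppressing
later lines.  The directory tree it reads is constructed in a temp dir."""
import os
import tempfile


def expand(arg, home, cfg_dir):
    """Expand the macros this example understands: leading ~, ${HOME}, ${CFG}."""
    if arg.startswith("~"):
        arg = home + arg[1:]
    return arg.replace("${HOME}", home).replace("${CFG}", cfg_dir)


def _search(fname, user_dir, cfg_dir):
    """Look for a bare file name in ~/.config/firejail, then /etc/firejail."""
    for d in (user_dir, cfg_dir):
        cand = os.path.join(d, fname)
        if os.path.isfile(cand):
            return cand
    return None


def find_profile(name_or_path, user_dir, cfg_dir):
    """--profile: a path is used as given; a bare name gets the .profile suffix."""
    if os.sep in name_or_path:
        return name_or_path if os.path.isfile(name_or_path) else None
    return _search(name_or_path + ".profile", user_dir, cfg_dir)


def find_include(name, home, user_dir, cfg_dir):
    """include: macros expand, and a bare name must already carry its suffix."""
    name = expand(name, home, cfg_dir)
    if os.sep in name:
        return name if os.path.isfile(name) else None
    return _search(name, user_dir, cfg_dir)


def load_profile(path, home, user_dir, cfg_dir, conds=(), state=None):
    """Return the effective (command, argument) list for a profile file."""
    st = state if state is not None else {"ignore": set(), "noblacklist": set(), "nowhitelist": set()}
    out = []
    with open(path) as fh:
        lines = fh.read().splitlines()
    for raw in lines:
        line = raw.split(" #", 1)[0].strip()       # drop comments, trailing ones too
        if not line or line.startswith("#"):
            continue
        if line.startswith("?"):                   # ?CONDITIONAL: profile line
            cond, _, rest = line[1:].partition(":")
            if cond not in conds:
                continue
            line = rest.strip()
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        # "ignore cmd" drops later "cmd ..." lines; "ignore cmd arg" only that form
        if any(cmd == ic and ia in ("", arg) for ic, ia in st["ignore"]):
            continue
        if cmd == "include":
            inc = find_include(arg, home, user_dir, cfg_dir)
            if inc is None:
                if arg.endswith(".local"):         # assumption: absent .local is skipped
                    continue
                raise FileNotFoundError(arg)
            out += load_profile(inc, home, user_dir, cfg_dir, conds, st)
        elif cmd == "ignore":
            ic, _, ia = arg.partition(" ")
            st["ignore"].add((ic, ia.strip()))
        elif cmd in ("noblacklist", "nowhitelist"):
            st[cmd].add(expand(arg, home, cfg_dir))
        else:
            arg = expand(arg, home, cfg_dir)
            if cmd in ("blacklist", "whitelist") and arg in st["no" + cmd]:
                continue                           # suppressed by an earlier no* line
            out.append((cmd, arg))
    return out


def make_sample_tree():
    """Construct a throw-away user and system profile directory pair."""
    root = tempfile.mkdtemp(prefix="fj-example-")
    home = os.path.join(root, "home", "netblue")
    user_dir = os.path.join(home, ".config", "firejail")
    cfg_dir = os.path.join(root, "etc", "firejail")
    os.makedirs(user_dir)
    os.makedirs(cfg_dir)
    files = {
        "icecat.profile": ("# constructed sample profile\nquiet\ninclude icecat.local\n"
                           "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir\n"
                           "include disable-common.inc\ndbus-user filter\n"
                           "dbus-user.talk org.freedesktop.Notifications\nseccomp\n"
                           "net none # empty network namespace\n"),
        "disable-common.inc": "blacklist ${HOME}/.ssh\nblacklist ${HOME}/.gnupg\n",
    }
    for name, body in files.items():
        with open(os.path.join(cfg_dir, name), "w") as fh:
            fh.write(body)
    with open(os.path.join(user_dir, "icecat.local"), "w") as fh:   # user override
        fh.write("ignore dbus-user.talk org.freedesktop.Notifications\nnoblacklist ~/.ssh\n")
    return home, user_dir, cfg_dir
```

       Calling make_sample_tree() and then load_profile(find_profile("icecat",
       user_dir, cfg_dir), home, user_dir, cfg_dir) yields quiet, the .gnupg
       blacklist only (the .ssh one is cancelled by the noblacklist in the
       .local), dbus-user filter, seccomp and net none; the dbus-user.talk
       line is dropped by the ignore in the .local, and the whitelist line
       appears only when conds contains "HAS_APPIMAGE".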

Filesystem

       These profile entries define a chroot filesystem built on top of the
       existing host filesystem.  Each line describes a file/directory that is
       inaccessible (blacklist), a read-only file or directory (read-only), a
       tmpfs mounted on top of an existing directory (tmpfs), or a directory
       or file mount-bound on top of another directory or file (bind).  Use
       private to set private mode.  File globbing is supported, and the PATH
       and HOME directories are searched; see the firejail FILE GLOBBING
       section for more details.  Examples:

       blacklist file_or_directory
              Blacklist directory or file.  Examples:

              blacklist /usr/bin
              blacklist /usr/bin/gcc*
              blacklist ${PATH}/ifconfig
              blacklist ${HOME}/.ssh


       blacklist-nolog file_or_directory
              When the --tracelog flag is set, blacklisting generates syslog
              messages if the sandbox tries to access the file or directory.
              The blacklist-nolog command disables syslog messages for this
              particular file or directory.  Examples:

              blacklist-nolog /usr/bin
              blacklist-nolog /usr/bin/gcc*


       bind directory1,directory2
              Mount-bind directory1 on top of directory2.  This option is only
              available when running as root.

       bind file1,file2
              Mount-bind file1 on top of file2.  This option is only available
              when running as root.

       disable-mnt
              Disable /mnt, /media, /run/mount and /run/media access.

       keep-config-pulse
              Disable automatic ~/.config/pulse init, for complex setups such
              as remote pulse servers or non-standard socket paths.

       keep-dev-shm
              /dev/shm directory is untouched (even with private-dev).

       keep-var-tmp
              /var/tmp directory is untouched.

       mkdir directory
              Create a directory in user home, under /tmp, or under
              /run/user/<UID> before the sandbox is started.  The directory is
              created if it doesn't already exist.

              Use this command for whitelisted directories you need to
              preserve when the sandbox is closed.  Without it, the application
              will create the directory, and the directory will be deleted
              when the sandbox is closed.  Subdirectories are recursively
              created.  Example from the firefox profile:

              mkdir ~/.mozilla
              whitelist ~/.mozilla
              mkdir ~/.cache/mozilla/firefox
              whitelist ~/.cache/mozilla/firefox

              For files in /run/user/<UID> use the ${RUNUSER} macro:

              mkdir ${RUNUSER}/firejail-testing

       mkfile file
              Similar to mkdir, this command creates an empty file in user
              home, under /tmp, or under /run/user/<UID> before the sandbox is
              started.  The file is created if it doesn't already exist.

       noexec file_or_directory
              Remount the file or the directory noexec, nodev and nosuid.

       private
              Mount new /root and /home/user directories in temporary
              filesystems.  All modifications are discarded when the sandbox
              is closed.

       private directory
              Use directory as user home.

       private-bin file,file
              Build a new /bin in a temporary filesystem, and copy the programs
              in the list.  The files in the list must be expressed as relative
              to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/local/bin
              directories.  The same directory is also bind-mounted over
              /sbin, /usr/bin and /usr/sbin.

       private-cache
              Mount an empty temporary filesystem on top of the .cache
              directory in user home.  All modifications are discarded when
              the sandbox is closed.

       private-cwd
              Set the working directory inside the jail to the home directory,
              and failing that, the root directory.

       private-cwd directory
              Set the working directory inside the jail.

       private-dev
              Create a new /dev directory.  Only disc, dri, dvb, hidraw, null,
              full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
              shm and usb devices are available.  Use the options no3d, nodvd,
              nosound, notv, nou2f and novideo for additional restrictions.


       private-etc file,directory
              Build a new /etc in a temporary filesystem, and copy the files
              and directories in the list.  The files and directories in the
              list must be expressed as relative to the /etc directory, and
              must not contain the / character (e.g., /etc/foo must be
              expressed as foo, but /etc/foo/bar -- expressed as foo/bar --
              is disallowed).  All modifications are discarded when the
              sandbox is closed.

       private-home file,directory
              Build a new user home in a temporary filesystem, and copy the
              files and directories in the list into the new home.  The files
              and directories in the list must be expressed as relative to the
              current user's home directory.  All modifications are discarded
              when the sandbox is closed.

       private-lib file,directory
              Build a new /lib directory and bring in the libraries required
              by the application to run.  The files and directories in the
              list must be expressed as relative to the /lib directory.  This
              feature is still under development, see man 1 firejail for some
              examples.

       private-opt file,directory
              Build a new /opt in a temporary filesystem, and copy the files
              and directories in the list.  The files and directories in the
              list must be expressed as relative to the /opt directory, and
              must not contain the / character (e.g., /opt/foo must be
              expressed as foo, but /opt/foo/bar -- expressed as foo/bar --
              is disallowed).  All modifications are discarded when the
              sandbox is closed.

       private-srv file,directory
              Build a new /srv in a temporary filesystem, and copy the files
              and directories in the list.  The files and directories in the
              list must be expressed as relative to the /srv directory, and
              must not contain the / character (e.g., /srv/foo must be
              expressed as foo, but /srv/foo/bar -- expressed as foo/bar --
              is disallowed).  All modifications are discarded when the
              sandbox is closed.

       private-tmp
              Mount an empty temporary filesystem on top of the /tmp
              directory, whitelisting /tmp/.X11-unix.

       read-only file_or_directory
              Make the directory or file read-only.

       read-write file_or_directory
              Make the directory or file read-write.

       tmpfs directory
              Mount an empty tmpfs filesystem on top of directory.
              Directories outside user home or not owned by the user are not
              allowed.  Sandboxes running as root are exempt from these
              restrictions.

       tracelog
              Log blacklist violations to syslog.

       whitelist file_or_directory
              Whitelist directory or file.  A temporary file system is mounted
              on the top directory, and the whitelisted files are bind-mounted
              inside.  Modifications to whitelisted files are persistent;
              everything else is discarded when the sandbox is closed.  The
              top directory can be any directory in / (except /proc and /sys),
              /sys/module, /run/user/$UID, $HOME and any directory in /usr.

              Symbolic link handling: with the exception of user home, both
              the link and the real file should be in the same top directory.
              For user home, both the link and the real file should be owned
              by the user.

       writable-etc
              Mount the /etc directory read-write.

       writable-run-user
              Disable the default blacklisting of /run/user/$UID/systemd and
              /run/user/$UID/gnupg.

       writable-var
              Mount the /var directory read-write.

       writable-var-log
              Use the real /var/log directory, not a clone.  By default, a
              tmpfs is mounted on top of the /var/log directory, and a
              skeleton filesystem is created based on the original /var/log.



Security filters

       The following security filters are currently implemented:


       allow-debuggers
              Allow tools such as strace and gdb inside the sandbox by
              whitelisting the system calls ptrace and process_vm_readv.

       caps   Enable the default Linux capabilities filter.

       caps.drop capability,capability,capability
              Blacklist the given Linux capabilities.

       caps.drop all
              Blacklist all Linux capabilities.

       caps.keep capability,capability,capability
              Whitelist the given Linux capabilities; all others are dropped.

       memory-deny-write-execute
              Install a seccomp filter to block attempts to create memory
              mappings that are both writable and executable, to change
              mappings to be executable, or to create executable shared
              memory.

       nonewprivs
              Set the NO_NEW_PRIVS prctl.  This ensures that child processes
              cannot acquire new privileges using execve(2); in particular,
              this means that calling a suid binary (or one with file
              capabilities) does not result in an increase of privilege.

       noroot Use this command to enable a user namespace.  The namespace has
              only one user, the current user.  There is no root account (uid
              0) defined in the namespace.

       protocol protocol1,protocol2,protocol3
              Enable the protocol filter.  The filter is based on seccomp and
              checks the first argument to the socket system call.  Recognized
              values: unix, inet, inet6, netlink, packet and bluetooth.

       seccomp
              Enable the seccomp filter and blacklist the syscalls in the
              default list.  See man 1 firejail for more details.

       seccomp.32
              Enable the seccomp filter and blacklist the syscalls in the
              default list for 32 bit system calls on a 64 bit architecture
              system.

       seccomp syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list on top of the default seccomp filter.

       seccomp.32 syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list on top of the default seccomp filter for 32 bit system
              calls on a 64 bit architecture system.

       seccomp.block-secondary
              Enable the seccomp filter and filter system call architectures
              so that only the native architecture is allowed.

       seccomp.drop syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list.

       seccomp.32.drop syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list for 32 bit system calls on a 64 bit architecture system.

       seccomp.keep syscall,syscall,syscall
              Enable the seccomp filter and whitelist the system calls in the
              list.

       seccomp.32.keep syscall,syscall,syscall
              Enable the seccomp filter and whitelist the system calls in the
              list for 32 bit system calls on a 64 bit architecture system.

       seccomp-error-action kill | log | ERRNO
              Choose what happens when a process attempts a blocked system
              call: kill terminates the process, log allows the call but logs
              the attempt, and ERRNO returns that error number to the process
              instead of the default EPERM.

       x11    Enable X11 sandboxing.

       x11 none
              Blacklist the /tmp/.X11-unix directory, ${HOME}/.Xauthority and
              the file specified in the ${XAUTHORITY} environment variable.
              Remove the DISPLAY and XAUTHORITY environment variables.  Stop
              with an error message if the X11 abstract socket would be
              accessible in the jail.

       x11 xephyr
              Enable X11 sandboxing with a Xephyr server.

       x11 xorg
              Enable X11 sandboxing with the X11 security extension.

       x11 xpra
              Enable X11 sandboxing with an Xpra server.

       x11 xvfb
              Enable X11 sandboxing with an Xvfb server.

       xephyr-screen WIDTHxHEIGHT
              Set the screen size for x11 xephyr.  This command should be
              included in the profile file before the x11 xephyr command.

              Example:

              xephyr-screen 640x480
              x11 xephyr

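       A profile only helps if the filters it names are in force in the
       process you care about.  The following self-check, an added example
       that is not part of firejail, decodes the NoNewPrivs, Seccomp and
       capability fields of /proc/self/status, so it can be run inside the
       sandbox (for example as a python3 command started under
       "firejail --profile=...") to confirm that nonewprivs, seccomp and
       caps.drop took effect.  The two status samples embedded in it are
       constructed, not captured.  It assumes that for an unprivileged
       sandbox the result of caps.drop shows in the bounding set (CapBnd),
       since CapEff is empty for an unprivileged process anyway.

```python
"""Verify from inside a sandbox that nonewprivs, seccomp and the
capability filters a profile requested were actually applied, by decoding
/proc/self/status.  Added example, not part of firejail; the two status
samples below are constructed, not captured from a real sandbox."""

# Capability bit numbers as defined in the kernel's capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed samples: what a "caps.drop all / nonewprivs / seccomp"
# profile should produce, and a process with none of them applied.
HARDENED_STATUS = (
    "Name:\ticecat\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t3\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n"
    "CapAmb:\t0000000000000000\n"
)
WEAK_STATUS = (
    "Name:\ticecat\nNoNewPrivs:\t0\nSeccomp:\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def cap_names(hexmask):
    """Decode a CapXxx hex mask into capability names, lowest bit first."""
    mask = int(hexmask, 16)
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(mask.bit_length()) if mask >> i & 1]


def check_sandbox(status_text, expect_caps=(), expect_seccomp=True,
                  expect_nonewprivs=True):
    """Compare the kernel's view of the process with what the profile asked
    for.  Returns a dict of findings; 'ok' is True only if nothing is missing.
    Assumption: an unprivileged process has an empty CapEff anyway, so the
    bounding set (CapBnd) is what shows whether caps.drop took effect."""
    f = parse_status(status_text)
    mode = int(f.get("Seccomp", "0"))
    nnp = f.get("NoNewPrivs", "0") == "1"
    eff = set(cap_names(f.get("CapEff", "0")))
    bnd = set(cap_names(f.get("CapBnd", "0")))
    problems = []
    if expect_seccomp and mode != 2:
        problems.append("seccomp filter not active (mode: %s)" % SECCOMP_MODES.get(mode, mode))
    if expect_nonewprivs and not nnp:
        problems.append("NoNewPrivs not set: setuid/file-capability binaries can still elevate")
    extra = (eff | bnd) - set(expect_caps)
    if extra:
        problems.append("capabilities beyond the profile: " + ",".join(sorted(extra)))
    return {"seccomp": SECCOMP_MODES.get(mode, str(mode)), "nonewprivs": nnp,
            "cap_eff": sorted(eff), "cap_bnd": sorted(bnd),
            "problems": problems, "ok": not problems}


def check_self(**expectations):
    """Run the check on the current process (Linux only)."""
    with open("/proc/self/status") as fh:
        return check_sandbox(fh.read(), **expectations)


if __name__ == "__main__":
    # Under a profile with caps.drop all, nonewprivs and seccomp this should
    # report ok; on an unsandboxed host the bounding set is full.
    print(check_self())
```

       Pass expect_caps=["net_bind_service"] (or whatever the profile's
       caps.keep lists) when the profile deliberately keeps capabilities;
       anything in CapEff or CapBnd beyond that list is reported as a
       problem.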

DBus filtering

       Access to the session and system DBus UNIX sockets can be allowed,
       filtered or disabled.  To disable the abstract sockets (and force
       applications to use the filtered UNIX socket) you would need to request
       a new network namespace using the --net command.  Another option is to
       remove unix from the --protocol set, which blocks every UNIX-domain
       socket, the filtered one included.

       Filtering requires installing the xdg-dbus-proxy utility.  Filter rules
       can be specified for well-known DBus names, but they are also
       propagated to the owning unique name.  The permissions are "sticky" and
       are kept even if the corresponding well-known name is released
       (however, applications rarely release well-known names in practice).
       Names may have a .* suffix to match all names underneath them,
       including themselves (e.g. "foo.bar.*" matches "foo.bar",
       "foo.bar.baz" and "foo.bar.baz.quux", but not "foobar").  For more
       information, see xdg-dbus-proxy(1).

       Examples:


       dbus-system filter
              Enable filtered access to the system DBus.  Filters can be
              specified with the dbus-system.own, dbus-system.talk,
              dbus-system.see, dbus-system.call and dbus-system.broadcast
              commands.

       dbus-system none
              Disable access to the system DBus.  Once access is disabled, it
              cannot be relaxed to filtering.

       dbus-system.own org.gnome.ghex.*
              Allow the application to own the name org.gnome.ghex and all
              names underneath it on the system DBus.

       dbus-system.talk org.freedesktop.Notifications
              Allow the application to talk to the name
              org.freedesktop.Notifications on the system DBus.

       dbus-system.see org.freedesktop.Notifications
              Allow the application to see but not talk to the name
              org.freedesktop.Notifications on the system DBus.

       dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to call methods of the interface
              org.freedesktop.Notifications of the object exposed at the path
              /org/freedesktop/Notifications by the client owning the bus name
              org.freedesktop.Notifications on the system DBus.

       dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to receive broadcast signals from the
              interface org.freedesktop.Notifications of the object exposed at
              the path /org/freedesktop/Notifications by the client owning the
              bus name org.freedesktop.Notifications on the system DBus.

       dbus-user filter
              Enable filtered access to the session DBus.  Filters can be
              specified with the dbus-user.own, dbus-user.talk, dbus-user.see,
              dbus-user.call and dbus-user.broadcast commands.

       dbus-user none
              Disable access to the session DBus.  Once access is disabled, it
              cannot be relaxed to filtering.

       dbus-user.own org.gnome.ghex.*
              Allow the application to own the name org.gnome.ghex and all
              names underneath it on the session DBus.

       dbus-user.talk org.freedesktop.Notifications
              Allow the application to talk to the name
              org.freedesktop.Notifications on the session DBus.

       dbus-user.see org.freedesktop.Notifications
              Allow the application to see but not talk to the name
              org.freedesktop.Notifications on the session DBus.

       dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to call methods of the interface
              org.freedesktop.Notifications of the object exposed at the path
              /org/freedesktop/Notifications by the client owning the bus name
              org.freedesktop.Notifications on the session DBus.

       dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to receive broadcast signals from the
              interface org.freedesktop.Notifications of the object exposed at
              the path /org/freedesktop/Notifications by the client owning the
              bus name org.freedesktop.Notifications on the session DBus.

       nodbus (deprecated)
              Disable D-Bus access (both system and session buses).
              Equivalent to dbus-system none and dbus-user none.


       Individual filters can be overridden via the ignore command (or the
       --ignore command line option).  Supposing a profile has
              [...]
              dbus-user filter
              dbus-user.own org.mozilla.firefox.*
              dbus-user.talk org.freedesktop.Notifications
              dbus-system none
              [...]

              and the user wants to disable notifications, this can be
              achieved by putting the below in a local override file:
              [...]
              ignore dbus-user.talk org.freedesktop.Notifications
              [...]


Resource limits, CPU affinity, Control Groups

       These profile entries define the limits on system resources (rlimits)
       for the processes inside the sandbox.  The limits can be modified
       inside the sandbox using the regular ulimit command.  The cpu command
       configures the CPU cores available, and the cgroup command places the
       sandbox in an existing control group.

       Examples:


       cgroup /sys/fs/cgroup/g1/tasks
              The sandbox is placed in the g1 control group.

       cpu 0,1,2
              Use only CPU cores 0, 1 and 2.

       nice -5
              Set a nice value of -5 for all processes running inside the
              sandbox.

       rlimit-as 123456789012
              Set the maximum size of the process's virtual memory to
              123456789012 bytes.

       rlimit-cpu 123
              Set the maximum CPU time, in seconds, to 123.

       rlimit-fsize 1024
              Set the maximum file size that can be created by a process to
              1024 bytes.

       rlimit-nproc 1000
              Set the maximum number of processes that can be created for the
              real user ID of the calling process to 1000.

       rlimit-nofile 500
              Set the maximum number of files that can be opened by a process
              to 500.

       rlimit-sigpending 200
              Set the maximum number of pending (queued) signals for the real
              user ID of the calling process to 200.

       timeout hh:mm:ss
              Kill the sandbox automatically after the time has elapsed.  The
              time is specified in hours/minutes/seconds format.



User Environment

       allusers
              All user home directories are visible inside the sandbox.  By
              default, only the current user's home directory is visible.


       env name=value
              Set an environment variable.  Examples:

              env LD_LIBRARY_PATH=/opt/test/lib
              env CFLAGS="-W -Wall -Werror"


       ipc-namespace
              Enable IPC namespace.

       name sandboxname
              Set the sandbox name.  Example:

              name browser


       no3d   Disable 3D hardware acceleration.

       noautopulse (deprecated)
              See keep-config-pulse.

       nodvd  Disable DVD and audio CD devices.

       nogroups
              Disable supplementary user groups.

       noinput
              Disable input devices.

       nosound
              Disable sound system.

       notv   Disable DVB (Digital Video Broadcasting) TV devices.

       nou2f  Disable U2F devices.

       novideo
              Disable video capture devices.

       shell none
              Run the program directly, without a shell.




Networking

       Networking features available in profile files.


       defaultgw address
              Use this address as default gateway in the new network
              namespace.


       dns address
              Set a DNS server for the sandbox. Up to three DNS servers can be
              defined.


       hostname name
              Set a hostname for the sandbox.


       hosts-file file
              Use file as /etc/hosts.


       ip address
              Assign IP addresses to the last network interface defined by a
              net command. A default gateway is assigned by default.

              Example:
              net eth0
              ip 10.10.20.56


       ip none
              No IP address and no default gateway are configured for the last
              interface defined by a net command. Use this option in case you
              intend to start an external DHCP client in the sandbox.

              Example:
              net eth0
              ip none


       ip dhcp
              Acquire an IP address and default gateway for the last interface
              defined by a net command, as well as set the DNS servers
              according to the DHCP response. This command requires the ISC
              dhclient DHCP client to be installed and will start it
              automatically inside the sandbox.

              Example:
              net br0
              ip dhcp

              This command should not be used in conjunction with the dns
              command if the DHCP server is set to configure DNS servers for
              the clients, because the manually specified DNS servers will be
              overwritten.

              The DHCP client will NOT release the DHCP lease when the sandbox
              terminates. If your DHCP server requires leases to be explicitly
              released, consider running a DHCP client and releasing the lease
              manually in conjunction with the net none command.


       ip6 address
              Assign IPv6 addresses to the last network interface defined by a
              net command.

              Example:
              net eth0
              ip6 2001:0db8:0:f101::1/64


       ip6 dhcp
              Acquire an IPv6 address and default gateway for the last
              interface defined by a net command, as well as set the DNS
              servers according to the DHCP response. This command requires
              the ISC dhclient DHCP client to be installed and will start it
              automatically inside the sandbox.

              Example:
              net br0
              ip6 dhcp

              This command should not be used in conjunction with the dns
              command if the DHCP server is set to configure DNS servers for
              the clients, because the manually specified DNS servers will be
              overwritten.

              The DHCP client will NOT release the DHCP lease when the sandbox
              terminates. If your DHCP server requires leases to be explicitly
              released, consider running a DHCP client and releasing the lease
              manually.


       iprange address,address
              Assign an IP address in the provided range to the last network
              interface defined by a net command. A default gateway is
              assigned by default.

              Example:

              net eth0
              iprange 192.168.1.150,192.168.1.160


       mac address
              Assign MAC addresses to the last network interface defined by a
              net command.


       machine-id
              Spoof the id number in the /etc/machine-id file - a new random
              id is generated inside the sandbox.


       mtu number
              Assign a MTU value to the last network interface defined by a
              net command.


       net bridge_interface
              Enable a new network namespace and connect it to this bridge
              interface. Unless specified with option --ip and --defaultgw, an
              IP address and a default gateway will be assigned automatically
              to the sandbox. The IP address is verified using ARP before
              assignment. The address configured as default gateway is the
              bridge device IP address. Up to four --net bridge devices can be
              defined. Mixing bridge and macvlan devices is allowed.


       net ethernet_interface|wireless_interface
              Enable a new network namespace and connect it to this ethernet
              interface using the standard Linux macvlan or ipvlan driver.
              Unless specified with option --ip and --defaultgw, an IP address
              and a default gateway will be assigned automatically to the
              sandbox. The IP address is verified using ARP before assignment.
              The address configured as default gateway is the default gateway
              of the host. Up to four --net devices can be defined. Mixing
              bridge and macvlan devices is allowed.


       net none
              Enable a new, unconnected network namespace. The only interface
              available in the new namespace is a new loopback interface (lo).
              Use this option to deny network access to programs that don't
              really need network access.


       net tap_interface
              Enable a new network namespace and connect it to this ethernet
              tap interface using the standard Linux macvlan driver. If the
              tap interface is not configured, the sandbox will not try to
              configure the interface inside the sandbox. Please use ip,
              netmask and defaultgw to specify the configuration.


       netfilter
              If a new network namespace is created, enable the default
              network filter.


       netfilter filename
              If a new network namespace is created, enable the network filter
              in filename.



       netmask address
              Use this option when you want to assign an IP address in a new
              namespace and the parent interface specified by --net is not
              configured. An IP address and a default gateway address also
              have to be added.


       netns namespace
              Run the program in a named, persistent network namespace. These
              can be created and configured using "ip netns".


       veth-name name
              Use this name for the interface connected to the bridge for
              --net=bridge_interface commands, instead of the default one.

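       The networking directives above have ordering and count rules that are
       easy to get wrong when hand-editing a profile. The following is an
       added example (not part of the man page or of the firejail project): a
       small linter that reads a profile and reports the documented problems,
       namely ip/ip6/iprange/mac/mtu without a preceding net command, more
       than four net devices, more than three dns servers, and ip dhcp mixed
       with a manual dns list. The sample profile and the function names are
       this example's own.

```python
"""Added example, not firejail code: lint the networking directives of a
firejail profile against the rules documented in firejail-profile(5)."""

IFACE_OPTS = {"ip", "ip6", "iprange", "mac", "mtu"}  # need a preceding net <iface>
MAX_NET_DEVICES = 4   # "Up to four --net devices can be defined"
MAX_DNS_SERVERS = 3   # "Up to three DNS servers can be defined"


def lint_network(profile_text):
    """Return a list of (line_number, message) findings for a profile string.
    Line number 0 marks a finding about the profile as a whole."""
    findings, net_ifaces, dns_count, dhcp_seen = [], [], 0, False
    for n, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        cmd, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if cmd == "net":
            if arg != "none":                    # 'net none' defines no interface
                net_ifaces.append(arg)
                if len(net_ifaces) > MAX_NET_DEVICES:
                    findings.append((n, "more than four net devices defined"))
        elif cmd in IFACE_OPTS:
            if not net_ifaces:  # "last network interface defined by a net command"
                findings.append((n, f"{cmd} without a preceding net <interface>"))
            if cmd in ("ip", "ip6") and arg == "dhcp":
                dhcp_seen = True
        elif cmd == "dns":
            dns_count += 1
            if dns_count > MAX_DNS_SERVERS:
                findings.append((n, "more than three dns servers defined"))
    if dhcp_seen and dns_count:  # DHCP response overwrites the manual dns list
        findings.append((0, "ip dhcp overwrites manually specified dns servers"))
    return findings


# Constructed sample profile (not a shipped firejail profile).
SAMPLE_PROFILE = """\
# constructed sample: a bridged interface with DHCP plus a manual dns entry
net eth0
ip 10.10.20.56
dns 10.10.20.1
net br0
ip dhcp
netfilter
"""

if __name__ == "__main__":
    for lineno, msg in lint_network(SAMPLE_PROFILE):
        print(f"line {lineno}: {msg}")
```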

Other

       deterministic-exit-code
              Always exit firejail with the first child's exit status. The
              default behavior is to use the exit status of the final child to
              exit, which can be nondeterministic.


       join-or-start sandboxname
              Join the sandbox identified by name or start a new one. Same as
              "firejail --join=sandboxname" command if a sandbox with the
              specified name exists, otherwise same as "name sandboxname".



FILES

       /etc/firejail/appname.profile
              Global Firejail configuration consisting mainly of profiles for
              each application supported by default.


       $HOME/.config/firejail/appname.profile
              User application profiles; these take precedence over the global
              profiles.


       /usr/share/doc/firejail/profile.template
              Template for building new profiles.


       /usr/share/doc/firejail/redirect_alias-profile.template
              Template for aliasing/redirecting profiles.



LICENSE

       Firejail is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       Homepage: https://firejail.wordpress.com


SEE ALSO

       firejail(1), firemon(1), firecfg(1), firejail-login(5),
       firejail-users(5), jailcheck(1)

       https://github.com/netblue30/firejail/wiki/Creating-Profiles



0.9.66                             Jan 2022                FIREJAIL-PROFILE(5)