1FIREJAIL(1) firejail man page FIREJAIL(1)
2
3
4
6 Firejail - Linux namespaces sandbox program
7
9 Start a sandbox:
10
11 firejail [OPTIONS] [program and arguments]
12
13 Start an AppImage program:
14
15 firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and argu‐
16 ments]
17
18 File transfer from an existing sandbox
19
20 firejail {--ls | --get | --put | --cat} dir_or_filename
21
22 Network traffic shaping for an existing sandbox:
23
24 firejail --bandwidth={name|pid} bandwidth-command
25
26 Monitoring:
27
28 firejail {--list | --netstats | --top | --tree}
29
30 Miscellaneous:
31
32 firejail {-? | --debug-caps | --debug-errnos | --debug-syscalls
33 | --debug-syscalls32 | --debug-protocols | --help | --version}
34
36 Firejail is a SUID sandbox program that reduces the risk of security
37 breaches by restricting the running environment of untrusted applica‐
38 tions using Linux namespaces, seccomp-bpf and Linux capabilities. It
39 allows a process and all its descendants to have their own private view
40 of the globally shared kernel resources, such as the network stack,
41 process table, mount table. Firejail can work in a SELinux or AppArmor
42 environment, and it is integrated with Linux Control Groups.
43
44 Written in C with virtually no dependencies, the software runs on any
45 Linux computer with a 3.x kernel version or newer. It can sandbox any
46 type of processes: servers, graphical applications, and even user login
47 sessions.
48
49 Firejail allows the user to manage application security using security
50 profiles. Each profile defines a set of permissions for a specific ap‐
51 plication or group of applications. The software includes security pro‐
52 files for a number of more common Linux programs, such as Mozilla Fire‐
53 fox, Chromium, VLC, Transmission etc.
54
55 Firejail is currently implemented as an SUID binary, which means that
56 if a malicious or compromised user account manages to exploit a bug in
57 Firejail, that could ultimately lead to a privilege escalation to root.
58 To mitigate this, it is recommended to only allow trusted users to run
59 firejail (see firejail-users(5) for details on how to achieve that).
60 For more details on the security/usability tradeoffs of Firejail, see:
61 #4601 ⟨https://github.com/netblue30/firejail/discussions/4601⟩
62
63 Alternative sandbox technologies like snap (https://snapcraft.io/) and
64 flatpak (https://flatpak.org/) are not supported. Snap and flatpak
65 packages have their own native management tools and will not work when
66 sandboxed with Firejail.
67
68
70 Without any options, the sandbox consists of a filesystem build in a
71 new mount namespace, and new PID and UTS namespaces. IPC, network and
72 user namespaces can be added using the command line options. The de‐
73 fault Firejail filesystem is based on the host filesystem with the main
74 system directories mounted read-only. These directories are /etc, /var,
75 /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home and
76 /tmp are writable.
77
78 Upon execution Firejail first looks in ~/.config/firejail/ for a pro‐
79 file and if it doesn't find one, it looks in /etc/firejail/. For pro‐
80 file resolution detail see https://github.com/netblue30/fire‐
81 jail/wiki/Creating-Profiles#locations-and-types. If an appropriate
82 profile is not found, Firejail will use a default profile. The default
83 profile is quite restrictive. In case the application doesn't work, use
84 --noprofile option to disable it. For more information, please see SE‐
85 CURITY PROFILES section below.
86
87 If a program argument is not specified, Firejail starts the user's pre‐
88 ferred shell. Examples:
89
90 $ firejail [OPTIONS] # starting the program specified in
91 $SHELL, usually /bin/bash
92
93 $ firejail [OPTIONS] firefox # starting Mozilla Firefox
94
95 # sudo firejail [OPTIONS] /etc/init.d/nginx start
96
97
99 -- Signal the end of options and disables further option process‐
100 ing.
101
102 --allow-debuggers
103 Allow tools such as strace and gdb inside the sandbox by
104 whitelisting system calls ptrace and process_vm_readv. This op‐
105 tion is only available when running on Linux kernels 4.8 or
106 newer - a kernel bug in ptrace system call allows a full bypass
107 of the seccomp filter.
108
109 Example:
110 $ firejail --allow-debuggers --profile=/etc/firejail/fire‐
111 fox.profile strace -f firefox
112
113 --allusers
114 All directories under /home are visible inside the sandbox. By
115 default, only current user home directory is visible.
116
117 Example:
118 $ firejail --allusers
119
120 --appimage
121 Sandbox an AppImage (https://appimage.org/) application. If the
122 sandbox is started as a regular user, nonewprivs and a default
123 capabilities filter are enabled. private-bin and private-lib
124 are disabled by default when running appimages.
125
126 Example:
127 $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
128 $ firejail --quiet --appimage --private --profile=krita
129 krita-3.0-x86_64.appimage
130 $ firejail --appimage --net=none --x11 --profile=krita
131 krita-3.0-x86_64.appimage
132
133 Note: When using both --appimage and --profile, it is recom‐
134 mended to always specify the former before the latter, so that
135 any ?HAS_APPIMAGE conditionals inside of the profile evaluate to
136 true (see ?CONDITIONAL in firejail-profile(5)).
137
138 --bandwidth=name|pid
139 Set bandwidth limits for the sandbox identified by name or PID,
140 see TRAFFIC SHAPING section for more details.
141
142 --bind=filename1,filename2
143 Mount-bind filename1 on top of filename2. This option is only
144 available when running as root.
145
146 Example:
147 # firejail --bind=/config/etc/passwd,/etc/passwd
148
149 --blacklist=dirname_or_filename
150 Blacklist directory or file. File globbing is supported, see
151 FILE GLOBBING section for more details.
152
153 Symbolic link handling: Blacklisting a path that is a symbolic
154 link will also blacklist the path that it points to. For exam‐
155 ple, if ~/foo is blacklisted and it points to /bar, then /bar
156 will also be blacklisted.
157
158 Example:
159 $ firejail --blacklist=/sbin --blacklist=/usr/sbin
160 $ firejail --blacklist=~/.mozilla
161 $ firejail "--blacklist=/home/username/My Virtual Machines"
162 $ firejail --blacklist=/home/username/My\ Virtual\ Machines
163
164 --build
165 The command builds a whitelisted profile. The profile is printed
166 on the screen. The program is run in a very relaxed sandbox,
167 with only --caps.drop=all and --seccomp=!chroot. Programs that
168 raise user privileges are not supported.
169
170 Example:
171 $ firejail --build vlc ~/Videos/test.mp4
172 $ firejail --build --appimage ~/Downloads/Subsurface.AppImage
173
174 --build=profile-file
175 The command builds a whitelisted profile, and saves it in pro‐
176 file-file. The program is run in a very relaxed sandbox, with
177 only --caps.drop=all and --seccomp=!chroot. Programs that raise
178 user privileges are not supported.
179
180 Example:
181 $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
182 $ firejail --build=Subsurface.profile --appimage ~/Down‐
183 loads/Subsurface.AppImage
184
185 -c Login shell compatibility option. This option is use by some lo‐
186 gin programs when executing the login shell, such as when fire‐
187 jail is used as a restricted login shell. It currently does not
188 change the execution of firejail.
189
190 --caps Linux capabilities is a kernel feature designed to split up the
191 root privilege into a set of distinct privileges. These privi‐
192 leges can be enabled or disabled independently, thus restricting
193 what a process running as root can do in the system. See capa‐
194 bilities(7) for details.
195
196 By default root programs run with all capabilities enabled.
197 --caps option disables the following capabilities: CAP_SYS_MOD‐
198 ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
199 FIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. The filter is ap‐
200 plied to all processes started in the sandbox.
201
202 Example:
203 $ sudo firejail --caps /etc/init.d/nginx start
204
205
206 --caps.drop=all
207 Drop all capabilities for the processes running in the sandbox.
208 This option is recommended for running GUI programs or any other
209 program that doesn't require root privileges. It is a must-have
210 option for sandboxing untrusted programs installed from unoffi‐
211 cial sources - such as games, Java programs, etc.
212
213 Example:
214 $ firejail --caps.drop=all warzone2100
215
216
217 --caps.drop=capability,capability,capability
218 Define a custom blacklist Linux capabilities filter.
219
220 Example:
221 $ firejail --caps.drop=net_broadcast,net_admin,net_raw
222
223
224 --caps.keep=capability,capability,capability
225 Define a custom whitelist Linux capabilities filter.
226
227 Example:
228 $ sudo firejail --caps.keep=chown,net_bind_service,setgid,\ se‐
229 tuid /etc/init.d/nginx start
230
231
232 --caps.print=name|pid
233 Print the caps filter for the sandbox identified by name or by
234 PID.
235
236 Example:
237 $ firejail --name=mygame --caps.drop=all warzone2100 &
238 $ firejail --caps.print=mygame
239
240 Example:
241 $ firejail --list
242 3272:netblue::firejail --private firefox
243 $ firejail --caps.print=3272
244
245
246 --cat=name|pid filename
247 Print content of file from sandbox container, see FILE TRANSFER
248 section for more details.
249
250 --chroot=dirname
251 Chroot the sandbox into a root filesystem. Unlike the regular
252 filesystem container, the system directories are mounted read-
253 write. If the sandbox is started as a regular user, nonewprivs
254 and a default capabilities filter are enabled.
255
256 Example:
257 $ firejail --chroot=/media/ubuntu warzone2100
258
259 For automatic mounting of X11 and PulseAudio sockets set envi‐
260 ronment variables FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
261
262 Note: Support for this command is controlled in firejail.config
263 with the chroot option.
264
265 --cpu=cpu-number,cpu-number,cpu-number
266 Set CPU affinity.
267
268 Example:
269 $ firejail --cpu=0,1 handbrake
270
271
272 --cpu.print=name|pid
273 Print the CPU cores in use by the sandbox identified by name or
274 by PID.
275
276 Example:
277 $ firejail --name=mygame --caps.drop=all warzone2100 &
278 $ firejail --cpu.print=mygame
279
280 Example:
281 $ firejail --list
282 3272:netblue::firejail --private firefox
283 $ firejail --cpu.print=3272
284
285 --dbus-log=file
286 Specify the location for the DBus log file.
287
288 The log file contains events for both the system and session
289 buses if both of the --dbus-system.log and --dbus-user.log op‐
290 tions are specified. If no log file path is given, logs are
291 written to the standard output instead.
292
293 Example:
294 $ firejail --dbus-system=filter --dbus-system.log \
295 --dbus-log=dbus.txt
296
297
298 --dbus-system=filter|none
299 Set system DBus sandboxing policy.
300
301 The filter policy enables the system DBus filter. This option
302 requires installing the xdg-dbus-proxy utility. Permissions for
303 well-known can be specified with the --dbus-system.talk and
304 --dbus-system.own options.
305
306 The none policy disables access to the system DBus.
307
308 Only the regular system DBus UNIX socket is handled by this op‐
309 tion. To disable the abstract sockets (and force applications to
310 use the filtered UNIX socket) you would need to request a new
311 network namespace using --net command. Another option is to re‐
312 move unix from the --protocol set.
313
314 Example:
315 $ firejail --dbus-system=none
316
317
318 --dbus-system.broadcast=name=[member][@path]
319 Allows the application to receive broadcast signals from the in‐
320 dicated interface member at the indicated object path exposed by
321 the indicated bus name on the system DBus. The name may have a
322 .* suffix to match all names underneath it, including itself.
323 The interface member may have a .* to match all members of an
324 interface, or be * to match all interfaces. The path may have a
325 /* suffix to indicate all objects underneath it, including it‐
326 self. Omitting the interface member or the object path will
327 match all members and object paths, respectively.
328
329 Example:
330 $ firejail --dbus-system=filter --dbus-system.broadcast=\
331 org.freedesktop.Notifications=\
332 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
333
334
335 --dbus-system.call=name=[member][@path]
336 Allows the application to call the indicated interface member at
337 the indicated object path exposed by the indicated bus name on
338 the system DBus. The name may have a .* suffix to match all
339 names underneath it, including itself. The interface member may
340 have a .* to match all members of an interface, or be * to match
341 all interfaces. The path may have a /* suffix to indicate all
342 objects underneath it, including itself. Omitting the interface
343 member or the object path will match all members and object
344 paths, respectively.
345
346 Example:
347 $ firejail --dbus-system=filter --dbus-system.call=\
348 org.freedesktop.Notifications=\
349 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
350
351
352 --dbus-system.log
353 Turn on DBus logging for the system DBus. This option requires
354 --dbus-system=filter.
355
356 Example:
357 $ firejail --dbus-system=filter --dbus-system.log
358
359
360 --dbus-system.own=name
361 Allows the application to own the specified well-known name on
362 the system DBus. The name may have a .* suffix to match all
363 names underneath it, including itself (e.g. "foo.bar.*" matches
364 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
365 bar").
366
367 Example:
368 $ firejail --dbus-system=filter --dbus-system.own=\
369 org.gnome.ghex.*
370
371
372 --dbus-system.see=name
373 Allows the application to see, but not talk to the specified
374 well-known name on the system DBus. The name may have a .* suf‐
375 fix to match all names underneath it, including itself (e.g.
376 "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
377 "foo.bar.baz.quux", but not "foobar").
378
379 Example:
380 $ firejail --dbus-system=filter --dbus-system.see=\
381 org.freedesktop.Notifications
382
383
384 --dbus-system.talk=name
385 Allows the application to talk to the specified well-known name
386 on the system DBus. The name may have a .* suffix to match all
387 names underneath it, including itself (e.g. "foo.bar.*" matches
388 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
389 bar").
390
391 Example:
392 $ firejail --dbus-system=filter --dbus-system.talk=\
393 org.freedesktop.Notifications
394
395
396 --dbus-user=filter|none
397 Set session DBus sandboxing policy.
398
399 The filter policy enables the session DBus filter. This option
400 requires installing the xdg-dbus-proxy utility. Permissions for
401 well-known names can be added with the --dbus-user.talk and
402 --dbus-user.own options.
403
404 The none policy disables access to the session DBus.
405
406 Only the regular session DBus UNIX socket is handled by this op‐
407 tion. To disable the abstract sockets (and force applications to
408 use the filtered UNIX socket) you would need to request a new
409 network namespace using --net command. Another option is to re‐
410 move unix from the --protocol set.
411
412 Example:
413 $ firejail --dbus-user=none
414
415
416 --dbus-user.broadcast=name=[member][@path]
417 Allows the application to receive broadcast signals from the in‐
418 dicated interface member at the indicated object path exposed by
419 the indicated bus name on the session DBus. The name may have a
420 .* suffix to match all names underneath it, including itself.
421 The interface member may have a .* to match all members of an
422 interface, or be * to match all interfaces. The path may have a
423 /* suffix to indicate all objects underneath it, including it‐
424 self. Omitting the interface member or the object path will
425 match all members and object paths, respectively.
426
427 Example:
428 $ firejail --dbus-user=filter --dbus-user.broadcast=\
429 org.freedesktop.Notifications=\
430 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
431
432
433 --dbus-user.call=name=[member][@path]
434 Allows the application to call the indicated interface member at
435 the indicated object path exposed by the indicated bus name on
436 the session DBus. The name may have a .* suffix to match all
437 names underneath it, including itself. The interface member may
438 have a .* to match all members of an interface, or be * to match
439 all interfaces. The path may have a /* suffix to indicate all
440 objects underneath it, including itself. Omitting the interface
441 member or the object path will match all members and object
442 paths, respectively.
443
444 Example:
445 $ firejail --dbus-user=filter --dbus-user.call=\
446 org.freedesktop.Notifications=\
447 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
448
449
450 --dbus-user.log
451 Turn on DBus logging for the session DBus. This option requires
452 --dbus-user=filter.
453
454 Example:
455 $ firejail --dbus-user=filter --dbus-user.log
456
457
458 --dbus-user.own=name
459 Allows the application to own the specified well-known name on
460 the session DBus. The name may have a .* suffix to match all
461 names underneath it, including itself (e.g. "foo.bar.*" matches
462 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
463 bar").
464
465 Example:
466 $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
467
468
469 --dbus-user.talk=name
470 Allows the application to talk to the specified well-known name
471 on the session DBus. The name may have a .* suffix to match all
472 names underneath it, including itself (e.g. "foo.bar.*" matches
473 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
474 bar").
475
476 Example:
477 $ firejail --dbus-user=filter --dbus-user.talk=\
478 org.freedesktop.Notifications
479
480
481 --dbus-user.see=name
482 Allows the application to see, but not talk to the specified
483 well-known name on the session DBus. The name may have a .*
484 suffix to match all names underneath it, including itself (e.g.
485 "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
486 "foo.bar.baz.quux", but not "foobar").
487
488 Example:
489 $ firejail --dbus-user=filter --dbus-user.see=\
490 org.freedesktop.Notifications
491
492 --debug
493 Print debug messages.
494
495 Example:
496 $ firejail --debug firefox
497
498
499 --debug-blacklists
500 Debug blacklisting.
501
502 Example:
503 $ firejail --debug-blacklists firefox
504
505
506 --debug-caps
507 Print all recognized capabilities in the current Firejail soft‐
508 ware build and exit.
509
510 Example:
511 $ firejail --debug-caps
512
513
514 --debug-errnos
515 Print all recognized error numbers in the current Firejail soft‐
516 ware build and exit.
517
518 Example:
519 $ firejail --debug-errnos
520
521 --debug-private-lib
522 Debug messages for --private-lib option.
523
524 --debug-protocols
525 Print all recognized protocols in the current Firejail software
526 build and exit.
527
528 Example:
529 $ firejail --debug-protocols
530
531 --debug-syscalls
532 Print all recognized system calls in the current Firejail soft‐
533 ware build and exit.
534
535 Example:
536 $ firejail --debug-syscalls
537
538 --debug-syscalls32
539 Print all recognized 32 bit system calls in the current Firejail
540 software build and exit.
541
542 --debug-whitelists
543 Debug whitelisting.
544
545 Example:
546 $ firejail --debug-whitelists firefox
547
548 --defaultgw=address
549 Use this address as default gateway in the new network name‐
550 space.
551
552 Example:
553 $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
554
555
556 --deterministic-exit-code
557 Always exit firejail with the first child's exit status. The de‐
558 fault behavior is to use the exit status of the final child to
559 exit, which can be nondeterministic.
560
561
562 --deterministic-shutdown
563 Always shut down the sandbox after the first child has termi‐
564 nated. The default behavior is to keep the sandbox alive as long
565 as it contains running processes.
566
567
568 --disable-mnt
569 Blacklist /mnt, /media, /run/mount and /run/media access.
570
571 Example:
572 $ firejail --disable-mnt firefox
573
574
575 --dns=address
576 Set a DNS server for the sandbox. Up to three DNS servers can be
577 defined. Use this option if you don't trust the DNS setup on
578 your network.
579
580 Example:
581 $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
582
583 Note: this feature is not supported on systemd-resolved setups.
584
585 --dns.print=name|pid
586 Print DNS configuration for a sandbox identified by name or by
587 PID.
588
589 Example:
590 $ firejail --name=mygame --caps.drop=all warzone2100 &
591 $ firejail --dns.print=mygame
592
593 Example:
594 $ firejail --list
595 3272:netblue::firejail --private firefox
596 $ firejail --dns.print=3272
597
598
599 --dnstrace[=name|pid]
600 Monitor DNS queries. The sandbox can be specified by name or
601 pid. Only networked sandboxes created with --net are supported.
602 This option is only available when running the sandbox as root.
603
604 Without a name/pid, Firejail will monitor the main system net‐
605 work namespace.
606
607 Example:
608 $ sudo firejail --dnstrace
609 11:31:43 9.9.9.9 linux.com (type 1)
610 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
611 11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
612 11:31:45 9.9.9.9 www.linux.com (type 1)
613 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
614 11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
615 11:32:05 9.9.9.9 secure.gravatar.com (type 1)
616 11:32:06 9.9.9.9 secure.gravatar.com (type 1)
617 11:32:08 9.9.9.9 taikai.network (type 1)
618 11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
619 11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
620 11:32:08 9.9.9.9 www.youtube.com (type 1)
621
622
623 --env=name=value
624 Set environment variable in the new sandbox.
625
626 Example:
627 $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
628
629
630 --fs.print=name|pid
631 Print the filesystem log for the sandbox identified by name or
632 by PID.
633
634 Example:
635 $ firejail --name=mygame --caps.drop=all warzone2100 &
636 $ firejail --fs.print=mygame
637
638 Example:
639 $ firejail --list
640 3272:netblue::firejail --private firefox
641 $ firejail --fs.print=3272
642
643
644 --get=name|pid filename
645 Get a file from sandbox container, see FILE TRANSFER section for
646 more details.
647
648 -?, --help
649 Print options end exit.
650
651
652
653 --hostname=name
654 Set sandbox hostname.
655
656 Example:
657 $ firejail --hostname=officepc firefox
658
659
660 --hosts-file=file
661 Use file as /etc/hosts.
662
663 Example:
664 $ firejail --hosts-file=~/myhosts firefox
665
666
667
668 --ignore=command
669 Ignore command in profile file.
670
671 Example:
672 $ firejail --ignore=seccomp --ignore=caps firefox
673 $ firejail --ignore="net eth0" firefox
674
675
676 --icmptrace[=name|pid]
677 Monitor ICMP traffic. The sandbox can be specified by name or
678 pid. Only networked sandboxes created with --net are supported.
679 This option is only available when running the sandbox as root.
680
681 Without a name/pid, Firejail will monitor the main system net‐
682 work namespace.
683
684 Example
685 $ sudo firejail --icmptrace
686 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐
687 quest/0
688 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐
689 ply/0
690 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐
691 quest/0
692 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐
693 ply/0
694 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination un‐
695 reachable/Port unreachable
696
697
698 --include=file.profile
699 Include a profile file before the regular profiles are used.
700
701 Example:
702 $ firejail --include=/etc/firejail/disable-devel.inc gedit
703
704
705 --interface=interface
706 Move interface in a new network namespace. Up to four --inter‐
707 face options can be specified. Note: wlan devices are not sup‐
708 ported for this option.
709
710 Example:
711 $ firejail --interface=eth1 --interface=eth0.vlan100
712
713
714 --ip=address
715 Assign IP addresses to the last network interface defined by a
716 --net option. A default gateway is assigned by default.
717
718 Example:
719 $ firejail --net=eth0 --ip=10.10.20.56 firefox
720
721
722 --ip=none
723 No IP address and no default gateway are configured for the last
724 interface defined by a --net option. Use this option in case you
725 intend to start an external DHCP client in the sandbox.
726
727 Example:
728 $ firejail --net=eth0 --ip=none
729
730 If the corresponding interface doesn't have an IP address con‐
731 figured, this option is enabled by default.
732
733
734 --ip=dhcp
735 Acquire an IP address and default gateway for the last interface
736 defined by a --net option, as well as set the DNS servers ac‐
737 cording to the DHCP response. This option requires the ISC
738 dhclient DHCP client to be installed and will start it automati‐
739 cally inside the sandbox.
740
741 Example:
742 $ firejail --net=br0 --ip=dhcp
743
744 This option should not be used in conjunction with the --dns op‐
745 tion if the DHCP server is set to configure DNS servers for the
746 clients, because the manually specified DNS servers will be
747 overwritten.
748
749 The DHCP client will NOT release the DHCP lease when the sandbox
750 terminates. If your DHCP server requires leases to be explic‐
751 itly released, consider running a DHCP client and releasing the
752 lease manually in conjunction with the --net=none option.
753
754
755 --ip6=address
756 Assign IPv6 addresses to the last network interface defined by a
757 --net option.
758
759 Example:
760 $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
761
762 Note: you don't need this option if you obtain your ip6 address
763 from router via SLAAC (your ip6 address and default route will
764 be configured by kernel automatically).
765
766
767 --ip6=dhcp
768 Acquire an IPv6 address and default gateway for the last inter‐
769 face defined by a --net option, as well as set the DNS servers
770 according to the DHCP response. This option requires the ISC
771 dhclient DHCP client to be installed and will start it automati‐
772 cally inside the sandbox.
773
774 Example:
775 $ firejail --net=br0 --ip6=dhcp
776
777 This option should not be used in conjunction with the --dns op‐
778 tion if the DHCP server is set to configure DNS servers for the
779 clients, because the manually specified DNS servers will be
780 overwritten.
781
782 The DHCP client will NOT release the DHCP lease when the sandbox
783 terminates. If your DHCP server requires leases to be explic‐
784 itly released, consider running a DHCP client and releasing the
785 lease manually.
786
787
788 --iprange=address,address
789 Assign an IP address in the provided range to the last network
790 interface defined by a --net option. A default gateway is as‐
791 signed by default.
792
793 Example:
794 $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
795
796
797 --ipc-namespace
798 Enable a new IPC namespace if the sandbox was started as a regu‐
799 lar user. IPC namespace is enabled by default for sandboxes
800 started as root.
801
802 Example:
803 $ firejail --ipc-namespace firefox
804
805 --join=name|pid
806 Join the sandbox identified by name or by PID. By default a
807 /bin/bash shell is started after joining the sandbox. If a pro‐
808 gram is specified, the program is run in the sandbox. If --join
809 command is issued as a regular user, all security filters are
810 configured for the new process the same they are configured in
811 the sandbox. If --join command is issued as root, the security
812 filters and cpus configurations are not applied to the process
813 joining the sandbox.
814
815 Example:
816 $ firejail --name=mygame --caps.drop=all warzone2100 &
817 $ firejail --join=mygame
818
819 Example:
820 $ firejail --list
821 3272:netblue::firejail --private firefox
822 $ firejail --join=3272
823
824
825 --join-filesystem=name|pid
826 Join the mount namespace of the sandbox identified by name or
827 PID. By default a /bin/bash shell is started after joining the
828 sandbox. If a program is specified, the program is run in the
829 sandbox. This command is available only to root user. Security
830 filters and cpus configurations are not applied to the process
831 joining the sandbox.
832
833 --join-network=name|pid
834 Join the network namespace of the sandbox identified by name. By
835 default a /bin/bash shell is started after joining the sandbox.
836 If a program is specified, the program is run in the sandbox.
837 This command is available only to root user. Security filters
838 and cpus configurations are not applied to the process joining
839 the sandbox. Example:
840
841 # start firefox
842 $ firejail --net=eth0 --name=browser firefox &
843
844 # change netfilter configuration
845 $ sudo firejail --join-network=browser bash -c "cat /etc/fire‐
846 jail/nolocal.net | /sbin/iptables-restore"
847
848 # verify netfilter configuration
849 $ sudo firejail --join-network=browser /sbin/iptables -vL
850
851 # verify IP addresses
852 $ sudo firejail --join-network=browser ip addr
853 Switching to pid 1932, the first child process inside the sand‐
854 box
855 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UN‐
856 KNOWN group default
857 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
858 inet 127.0.0.1/8 scope host lo
859 valid_lft forever preferred_lft forever
860 inet6 ::1/128 scope host
861 valid_lft forever preferred_lft forever
862 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
863 noqueue state UNKNOWN group default
864 link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
865 inet 192.168.1.158/24 brd 192.168.1.255 scope global
866 eth0-1931
867 valid_lft forever preferred_lft forever
868 inet6 fe80::7458:14ff:fe42:78e4/64 scope link
869 valid_lft forever preferred_lft forever
870
871 --join-or-start=name
872 Join the sandbox identified by name or start a new one. Same as
873 "firejail --join=name" if sandbox with specified name exists,
874 otherwise same as "firejail --name=name ..."
875 Note that in contrary to other join options there is respective
876 profile option.
877
878
879 --keep-config-pulse
880 Disable automatic ~/.config/pulse init, for complex setups such
881 as remote pulse servers or non-standard socket paths.
882
883 Example:
884 $ firejail --keep-config-pulse firefox
885
886
887 --keep-dev-shm
888 /dev/shm directory is untouched (even with --private-dev)
889
890 Example:
891 $ firejail --keep-dev-shm --private-dev
892
893
894 --keep-fd=all
895 Inherit all open file descriptors to the sandbox. By default
896 only file descriptors 0, 1 and 2 are inherited to the sandbox,
897 and all other file descriptors are closed.
898
899 Example:
900 $ firejail --keep-fd=all
901
902
903 --keep-fd=file_descriptor
904 Don't close specified open file descriptors. By default only
905 file descriptors 0, 1 and 2 are inherited to the sandbox, and
906 all other file descriptors are closed.
907
908 Example:
909 $ firejail --keep-fd=3,4,5
910
911
912 --keep-var-tmp
913 /var/tmp directory is untouched.
914
915 Example:
916 $ firejail --keep-var-tmp
917
918
919 --list List all sandboxes, see MONITORING section for more details.
920
921 Example:
922 $ firejail --list
923 7015:netblue:browser:firejail firefox
924 7056:netblue:torrent:firejail --net=eth0 transmission-gtk
925 7064:netblue::firejail --noroot xterm
926
927 --ls=name|pid dir_or_filename
928 List files in sandbox container, see FILE TRANSFER section for
929 more details.
930
931 --mac=address
932 Assign MAC addresses to the last network interface defined by a
933 --net option. This option is not supported for wireless inter‐
934 faces.
935
936 Example:
937 $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
938
939 --machine-id
940 Spoof id number in /etc/machine-id file - a new random id is
941 generated inside the sandbox. Note that this breaks audio sup‐
942 port. Enable it when sound is not required.
943
944 Example:
945 $ firejail --machine-id
946
947
948 --mkdir=dirname
949 Create a directory in user home. Parent directories are created
950 as needed.
951
952 Example:
953 $ firejail --mkdir=~/work/project
954
955
956 --mkfile=filename
957 Create an empty file in user home.
958
959 Example:
960 $ firejail --mkfile=~/work/project/readme
961
962
963 --memory-deny-write-execute
964 Install a seccomp filter to block attempts to create memory map‐
965 pings that are both writable and executable, to change mappings
966 to be executable, or to create executable shared memory. The
967 filter examines the arguments of mmap, mmap2, mprotect,
968 pkey_mprotect, memfd_create and shmat system calls and returns
969 error EPERM to the process (or kills it or log the attempt, see
970 --seccomp-error-action below) if necessary.
971
972 Note: shmat is not implemented as a system call on some plat‐
973 forms including i386, and it cannot be handled by seccomp-bpf.
974
975 --mtu=number
976 Assign a MTU value to the last network interface defined by a
977 --net option.
978
979 Example:
980 $ firejail --net=eth0 --mtu=1492
981
982 --name=name
983 Set sandbox name. Several options, such as --join and --shut‐
984 down, can use this name to identify a sandbox.
985
986 In case the name supplied by the user is already in use by an‐
987 other sandbox, Firejail will assign a new name as "name-PID",
988 where PID is the process ID of the sandbox. This functionality
989 can be disabled at run time in /etc/firejail/firejail.config
990 file, by setting "name-change" flag to "no".
991
992 Example:
993 $ firejail --name=browser firefox &
994 $ firejail --name=browser --private firefox --no-remote &
995 $ firejail --list
996 1198:netblue:browser:firejail --name=browser firefox
997 1312:netblue:browser-1312:firejail --name=browser --private
998 firefox --no-remote
999
1000 --net=bridge_interface
1001 Enable a new network namespace and connect it to this bridge in‐
1002 terface. Unless specified with option --ip and --defaultgw, an
1003 IP address and a default gateway will be assigned automatically
1004 to the sandbox. The IP address is verified using ARP before as‐
1005 signment. The address configured as default gateway is the
1006 bridge device IP address. Up to four --net options can be speci‐
1007 fied.
1008
1009 Example:
1010 $ sudo brctl addbr br0
1011 $ sudo ifconfig br0 10.10.20.1/24
1012 $ sudo brctl addbr br1
1013 $ sudo ifconfig br1 10.10.30.1/24
1014 $ firejail --net=br0 --net=br1
1015
1016
1017 --net=ethernet_interface|wireless_interface
1018 Enable a new network namespace and connect it to this ethernet
1019 interface using the standard Linux macvlan|ipvlan driver. Unless
1020 specified with option --ip and --defaultgw, an IP address and a
1021 default gateway will be assigned automatically to the sandbox.
1022 The IP address is verified using ARP before assignment. The ad‐
1023 dress configured as default gateway is the default gateway of
1024 the host. Up to four --net options can be specified. Support
1025 for ipvlan driver was introduced in Linux kernel 3.19.
1026
1027 Example:
1028 $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
1029 $ firejail --net=wlan0 firefox
1030
1031 --net=none
1032 Enable a new, unconnected network namespace. The only interface
1033 available in the new namespace is a new loopback interface (lo).
1034 Use this option to deny network access to programs that don't
1035 really need network access.
1036
1037 Example:
1038 $ firejail --net=none vlc
1039
1040 Note: --net=none can crash the application on some platforms.
1041 In these cases, it can be replaced with --protocol=unix.
1042
1043 --net=tap_interface
1044 Enable a new network namespace and connect it to this ethernet
1045 tap interface using the standard Linux macvlan driver. If the
1046 tap interface is not configured, the sandbox will not try to
1047 configure the interface inside the sandbox. Please use --ip,
1048 --netmask and --defaultgw to specify the configuration.
1049
1050 Example:
1051 $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
1052 --defaultgw=10.10.20.1 firefox
1053
1054
1055 --net.print=name|pid
1056 If a new network namespace is enabled, print network interface
1057 configuration for the sandbox specified by name or PID. Example:
1058
1059 $ firejail --net.print=browser
1060 Switching to pid 1853, the first child process inside the sand‐
1061 box
1062 Interface MAC IP Mask Status
1063 lo 127.0.0.1 255.0.0.0 UP
1064 eth0-1852 5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
1065
1066
1067 --netfilter
1068 Enable a default firewall if a new network namespace is created
1069 inside the sandbox. This option has no effect for sandboxes us‐
1070 ing the system network namespace.
1071
1072 The default firewall is optimized for regular desktop applica‐
1073 tions. No incoming connections are accepted:
1074
1075 *filter
1076 :INPUT DROP [0:0]
1077 :FORWARD DROP [0:0]
1078 :OUTPUT ACCEPT [0:0]
1079 -A INPUT -i lo -j ACCEPT
1080 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1081 # allow ping
1082 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
1083 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
1084 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
1085 # drop STUN (WebRTC) requests
1086 -A OUTPUT -p udp --dport 3478 -j DROP
1087 -A OUTPUT -p udp --dport 3479 -j DROP
1088 -A OUTPUT -p tcp --dport 3478 -j DROP
1089 -A OUTPUT -p tcp --dport 3479 -j DROP
1090 COMMIT
1091
1092 Example:
1093 $ firejail --net=eth0 --netfilter firefox
1094
1095 --netfilter=filename
1096 Enable the firewall specified by filename if a new network name‐
1097 space is created inside the sandbox. This option has no effect
1098 for sandboxes using the system network namespace.
1099
1100 Please use the regular iptables-save/iptables-restore format for
1101 the filter file. The following examples are available in
1102 /etc/firejail directory:
1103
1104 webserver.net is a webserver firewall that allows access only to
1105 TCP ports 80 and 443. Example:
1106
1107 $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
1108 /etc/init.d/apache2 start
1109
1110 nolocal.net/nolocal6.net is a desktop client firewall that dis‐
1111 able access to local network. Example:
1112
1113 $ firejail --netfilter=/etc/firejail/nolocal.net \
1114 --net=eth0 firefox
1115
1116
1117 --netfilter=filename,arg1,arg2,arg3 ...
1118 This is the template version of the previous command. $ARG1,
1119 $ARG2, $ARG3 ... in the firewall script are replaced with arg1,
1120 arg2, arg3 ... passed on the command line. Up to 16 arguments
1121 are supported. Example:
1122
1123 $ firejail --net=eth0 --ip=192.168.1.105 \
1124 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
1125
1126
1127 --netfilter.print=name|pid
1128 Print the firewall installed in the sandbox specified by name or
1129 PID. Example:
1130
1131 $ firejail --name=browser --net=eth0 --netfilter firefox &
1132 $ firejail --netfilter.print=browser
1133
1134
1135 --netfilter6=filename
1136 Enable the IPv6 firewall specified by filename if a new network
1137 namespace is created inside the sandbox. This option has no ef‐
1138 fect for sandboxes using the system network namespace. Please
1139 use the regular iptables-save/iptables-restore format for the
1140 filter file.
1141
1142
1143 --netfilter6.print=name|pid
1144 Print the IPv6 firewall installed in the sandbox specified by
1145 name or PID. Example:
1146
1147 $ firejail --name=browser --net=eth0 --netfilter firefox &
1148 $ firejail --netfilter6.print=browser
1149
1150
1151 --netlock
1152 Several type of programs (email clients, multiplayer games etc.)
1153 talk to a very small number of IP addresses. But the best exam‐
1154 ple is tor browser. It only talks to a guard node, and there are
1155 two or three more on standby in case the main one fails. During
1156 startup, the browser contacts all of them, after that it keeps
1157 talking to the main one... for weeks!
1158
1159 Use the network locking feature to build and deploy a custom
1160 network firewall in your sandbox. The firewall allows only the
1161 traffic to the IP addresses detected during the program startup.
1162 Traffic to any other address is quietly dropped. By default the
1163 network monitoring time is one minute.
1164
1165 A network namespace (--net=eth0) is required for this feature to
1166 work. Example:
1167
1168 $ firejail --net=eth0 --netlock \
1169 --private=~/tor-browser_en-US ./start-tor-browser.desktop
1170
1171
1172
1173 --netmask=address
1174 Use this option when you want to assign an IP address in a new
1175 namespace and the parent interface specified by --net is not
1176 configured. An IP address and a default gateway address also
1177 have to be added. By default the new namespace interface comes
1178 without IP address and default gateway configured. Example:
1179
1180 $ sudo /sbin/brctl addbr br0
1181 $ sudo /sbin/ifconfig br0 up
1182 $ firejail --ip=10.10.20.67 --netmask=255.255.255.0 --de‐
1183 faultgw=10.10.20.1
1184
1185
1186 --netns=name
1187 Run the program in a named, persistent network namespace. These
1188 can be created and configured using "ip netns".
1189
1190
1191 --netstats
1192 Monitor network namespace statistics, see MONITORING section for
1193 more details.
1194
1195 Example:
1196
1197 $ firejail --netstats
1198 PID User RX(KB/s) TX(KB/s) Command
1199 1294 netblue 53.355 1.473 firejail --net=eth0 firefox
1200 7383 netblue 9.045 0.112 firejail --net=eth0 transmission
1201
1202 --nettrace[=name|pid]
1203 Monitor received TCP. UDP, and ICMP traffic. The sandbox can be
1204 specified by name or pid. Only networked sandboxes created with
1205 --net are supported. This option is only available when running
1206 the sandbox as root.
1207
1208 Without a name/pid, Firejail will monitor the main system net‐
1209 work namespace.
1210
1211 Example:
1212 $ sudo firejail --nettrace
1213 95 KB/s geoip 457, IP database 4436
1214 52 KB/s *********** 64.222.84.207:443 United States
1215 33 KB/s ******* 89.147.74.105:63930 Hungary
1216 0 B/s 45.90.28.0:443 NextDNS
1217 0 B/s 94.70.122.176:52309(UDP) Greece
1218 339 B/s 104.26.7.35:443 Cloudflare
1219
1220 If /usr/bin/geoiplookup is installed (geoip-bin package in De‐
1221 bian), the country the traffic originates from is added to the
1222 trace. We also use the static IP map in /usr/lib/fire‐
1223 jail/static-ip-map to print the domain names for some of the
1224 more common websites and cloud platforms. No external services
1225 are contacted for reverse IP lookup.
1226
1227 --nice=value
1228 Set nice value for all processes running inside the sandbox.
1229 Only root may specify a negative value.
1230
1231 Example:
1232 $ firejail --nice=2 firefox
1233
1234
1235 --no3d Disable 3D hardware acceleration.
1236
1237 Example:
1238 $ firejail --no3d firefox
1239
1240
1241 --noautopulse (deprecated)
1242 See --keep-config-pulse.
1243
1244
1245 --noblacklist=dirname_or_filename
1246 Disable blacklist for this directory or file.
1247
1248 Example:
1249 $ firejail
1250 $ nc dict.org 2628
1251 bash: /bin/nc: Permission denied
1252 $ exit
1253
1254 $ firejail --noblacklist=/bin/nc
1255 $ nc dict.org 2628
1256 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1257
1258 --nodbus (deprecated)
1259 Disable D-Bus access (both system and session buses). Equivalent
1260 to --dbus-system=none --dbus-user=none.
1261
1262 Example:
1263 $ firejail --nodbus --net=none
1264
1265 --nodvd
1266 Disable DVD and audio CD devices.
1267
1268 Example:
1269 $ firejail --nodvd
1270
1271 --noinput
1272 Disable input devices.
1273
1274 Example:
1275 $ firejail --noinput
1276
1277 --noexec=dirname_or_filename
1278 Remount directory or file noexec, nodev and nosuid. File glob‐
1279 bing is supported, see FILE GLOBBING section for more details.
1280
1281 Example:
1282 $ firejail --noexec=/tmp
1283
1284 /etc and /var are noexec by default if the sandbox was started
1285 as a regular user.
1286
1287
1288 --nogroups
1289 Disable supplementary groups. Without this option, supplementary
1290 groups are enabled for the user starting the sandbox. For root
1291 user supplementary groups are always disabled.
1292
1293 Note: By default all regular user groups are removed with the
1294 exception of the current user. This can be changed using --al‐
1295 lusers command option.
1296
1297 Example:
1298 $ id
1299 uid=1000(netblue) gid=1000(netblue) groups=1000(net‐
1300 blue),24(cdrom),25(floppy),27(sudo),29(audio)
1301 $ firejail --nogroups
1302 Parent pid 8704, child pid 8705
1303 Child process initialized
1304 $ id
1305 uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
1306 $
1307
1308
1309 --nonewprivs
1310 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
1311 cannot acquire new privileges using execve(2); in particular,
1312 this means that calling a suid binary (or one with file capabil‐
1313 ities) does not result in an increase of privilege. This option
1314 is enabled by default if seccomp filter is activated.
1315
1316
1317 --noprinters
1318 Disable printers.
1319
1320
1321 --noprofile
1322 Do not use a security profile.
1323
1324 Example:
1325 $ firejail
1326 Reading profile /etc/firejail/default.profile
1327 Parent pid 8553, child pid 8554
1328 Child process initialized
1329 [...]
1330
1331 $ firejail --noprofile
1332 Parent pid 8553, child pid 8554
1333 Child process initialized
1334 [...]
1335
1336 --noroot
1337 Install a user namespace with a single user - the current user.
1338 root user does not exist in the new namespace. This option re‐
1339 quires a Linux kernel version 3.8 or newer. The option is not
1340 supported for --chroot and --overlay configurations, or for
1341 sandboxes started as root.
1342
1343 Example:
1344 $ firejail --noroot
1345 Parent pid 8553, child pid 8554
1346 Child process initialized
1347 $ ping google.com
1348 ping: icmp open socket: Operation not permitted
1349 $
1350
1351 --nosound
1352 Disable sound system.
1353
1354 Example:
1355 $ firejail --nosound firefox
1356
1357
1358 --notv Disable DVB (Digital Video Broadcasting) TV devices.
1359
1360 Example:
1361 $ firejail --notv vlc
1362
1363
1364 --nou2f
1365 Disable U2F devices.
1366
1367 Example:
1368 $ firejail --nou2f
1369
1370
1371 --novideo
1372 Disable video devices.
1373
1374
1375 --nowhitelist=dirname_or_filename
1376 Disable whitelist for this directory or file.
1377
1378
1379 --oom=value
1380 Configure kernel's OutOfMemory-killer score for this sandbox.
1381 The acceptable score values are between 0 and 1000 for regular
1382 users, and -1000 to 1000 for root. For more information on OOM
1383 kernel feature see man choom.
1384
1385 Example:
1386 $ firejail --oom=300 firefox
1387
1388
1389 --output=logfile
1390 stdout logging and log rotation. Copy stdout to logfile, and
1391 keep the size of the file under 500KB using log rotation. Five
1392 files with prefixes .1 to .5 are used in rotation.
1393
1394 Example:
1395 $ firejail --output=sandboxlog /bin/bash
1396 [...]
1397 $ ls -l sandboxlog*
1398 -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog
1399 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1
1400 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2
1401 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3
1402 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4
1403 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5
1404
1405
1406 --output-stderr=logfile
1407 Similar to --output, but stderr is also stored.
1408
1409
1410 --private
1411 Mount new /root and /home/user directories in temporary filesys‐
1412 tems. All modifications are discarded when the sandbox is
1413 closed.
1414
1415 Example:
1416 $ firejail --private firefox
1417
1418
1419 --private=directory
1420 Use directory as user home. --private and --private=directory
1421 cannot be used together.
1422
1423 Example:
1424 $ firejail --private=/home/netblue/firefox-home firefox
1425
1426 Bug: Even with this enabled, some commands (such as mkdir, mk‐
1427 file and private-cache) will still operate on the original home
1428 directory. Workaround: Disable the incompatible commands, such
1429 as by using "ignore mkdir" and "ignore mkfile". For details,
1430 see #903 ⟨https://github.com/netblue30/firejail/issues/903⟩
1431
1432
1433 --private-bin=file,file
1434 Build a new /bin in a temporary filesystem, and copy the pro‐
1435 grams in the list. The files in the list must be expressed as
1436 relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/lo‐
1437 cal/bin directories. If no listed files are found, /bin direc‐
1438 tory will be empty. The same directory is also bind-mounted
1439 over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. All modifi‐
1440 cations are discarded when the sandbox is closed. Multiple pri‐
1441 vate-bin commands are allowed and they accumulate. File glob‐
1442 bing is supported, see FILE GLOBBING section for more details.
1443
1444 Example:
1445 $ firejail --private-bin=bash,sed,ls,cat
1446 Parent pid 20841, child pid 20842
1447 Child process initialized
1448 $ ls /bin
1449 bash cat ls sed
1450
1451
1452 --private-cache
1453 Mount an empty temporary filesystem on top of the .cache direc‐
1454 tory in user home. All modifications are discarded when the
1455 sandbox is closed.
1456
1457 Example:
1458 $ firejail --private-cache openbox
1459
1460
1461 --private-cwd
1462 Set working directory inside jail to the home directory, and
1463 failing that, the root directory. Does not impact working di‐
1464 rectory of profile include paths.
1465
1466 Example:
1467 $ pwd
1468 /tmp
1469 $ firejail --private-cwd
1470 $ pwd
1471 /home/user
1472
1473
1474 --private-cwd=directory
1475 Set working directory inside the jail. Full directory path is
1476 required. Symbolic links are not allowed. Does not impact work‐
1477 ing directory of profile include paths.
1478
1479 Example:
1480 $ pwd
1481 /tmp
1482 $ firejail --private-cwd=/opt
1483 $ pwd
1484 /opt
1485
1486
1487 --private-dev
1488 Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
1489 full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
1490 shm and usb devices are available. Use the options --no3d,
1491 --nodvd, --nosound, --notv, --nou2f and --novideo for additional
1492 restrictions.
1493
1494 Example:
1495 $ firejail --private-dev
1496 Parent pid 9887, child pid 9888
1497 Child process initialized
1498 $ ls /dev
1499 cdrom cdrw dri dvd dvdrw full log null ptmx pts random
1500 shm snd sr0 tty urandom zero
1501 $
1502
1503 --private-etc=file,directory
1504 Build a new /etc in a temporary filesystem, and copy the files
1505 and directories in the list. The files and directories in the
1506 list must be expressed as relative to the /etc directory (e.g.,
1507 /etc/foo must be expressed as foo). If no listed file is found,
1508 /etc directory will be empty. All modifications are discarded
1509 when the sandbox is closed. Multiple private-etc commands are
1510 allowed and they accumulate.
1511
1512 Example:
1513 $ firejail --private-etc=group,hostname,localtime, \
1514 nsswitch.conf,passwd,resolv.conf
1515
1516 --private-home=file,directory
1517 Build a new user home in a temporary filesystem, and copy the
1518 files and directories in the list in the new home. The files
1519 and directories in the list must be expressed as relative to the
1520 current user's home directory. All modifications are discarded
1521 when the sandbox is closed.
1522
1523 Example:
1524 $ firejail --private-home=.mozilla firefox
1525
1526 --private-lib=file,directory
1527 This feature is currently under heavy development. Only amd64
1528 platforms are supported at this moment. The files and directo‐
1529 ries in the list must be expressed as relative to the /lib di‐
1530 rectory. The idea is to build a new /lib in a temporary
1531 filesystem, with only the library files necessary to run the ap‐
1532 plication. It could be as simple as:
1533
1534 $ firejail --private-lib galculator
1535
1536 but it gets complicated really fast:
1537
1538 $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1539 gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1540
1541 The feature is integrated with --private-bin:
1542
1543 $ firejail --private-lib --private-bin=bash,ls,ps
1544 $ ls /lib
1545 ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
1546 temd.so.0
1547 libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1548 libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1549 libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1550 $ ps
1551 PID TTY TIME CMD
1552 1 pts/0 00:00:00 firejail
1553 45 pts/0 00:00:00 bash
1554 48 pts/0 00:00:00 ps
1555 $
1556
1557 Note: Support for this command is controlled in firejail.config
1558 with the private-lib option.
1559
1560 --private-opt=file,directory
1561 Build a new /opt in a temporary filesystem, and copy the files
1562 and directories in the list. The files and directories in the
1563 list must be expressed as relative to the /opt directory, and
1564 must not contain the / character (e.g., /opt/foo must be ex‐
1565 pressed as foo, but /opt/foo/bar -- expressed as foo/bar -- is
1566 disallowed). If no listed file is found, /opt directory will be
1567 empty. All modifications are discarded when the sandbox is
1568 closed.
1569
1570 Example:
1571 $ firejail --private-opt=firefox /opt/firefox/firefox
1572
1573
1574 --private-srv=file,directory
1575 Build a new /srv in a temporary filesystem, and copy the files
1576 and directories in the list. The files and directories in the
1577 list must be expressed as relative to the /srv directory, and
1578 must not contain the / character (e.g., /srv/foo must be ex‐
1579 pressed as foo, but /srv/foo/bar -- expressed as srv/bar -- is
1580 disallowed). If no listed file is found, /srv directory will be
1581 empty. All modifications are discarded when the sandbox is
1582 closed.
1583
1584 Example:
1585 # firejail --private-srv=www /etc/init.d/apache2 start
1586
1587
1588 --private-tmp
1589 Mount an empty temporary filesystem on top of /tmp directory
1590 whitelisting X11 and PulseAudio sockets.
1591
1592 Example:
1593 $ firejail --private-tmp
1594 $ ls -al /tmp
1595 drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
1596 drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1597 drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKd‐
1598 htXMmr18n
1599 drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1600
1601
1602 --profile=filename_or_profilename
1603 Load a custom security profile from filename. For filename use
1604 an absolute path or a path relative to the current path. For
1605 more information, see SECURITY PROFILES section below.
1606
1607 Example:
1608 $ firejail --profile=myprofile
1609
1610
1611 --profile.print=name|pid
1612 Print the name of the profile file for the sandbox identified by
1613 name or or PID.
1614
1615 Example:
1616 $ firejail --profile.print=browser
1617 /etc/firejail/firefox.profile
1618
1619 --protocol=protocol,protocol,protocol
1620 Enable protocol filter. The filter is based on seccomp and
1621 checks the first argument to socket system call. Recognized
1622 values: unix, inet, inet6, netlink, packet, and bluetooth. This
1623 option is not supported for i386 architecture. Multiple proto‐
1624 col commands are allowed and they accumulate.
1625
1626 Example:
1627 $ firejail --protocol=unix,inet,inet6 firefox
1628
1629 --protocol.print=name|pid
1630 Print the protocol filter for the sandbox identified by name or
1631 PID.
1632
1633 Example:
1634 $ firejail --name=mybrowser firefox &
1635 $ firejail --protocol.print=mybrowser
1636 unix,inet,inet6,netlink
1637
1638 Example:
1639 $ firejail --list
1640 3272:netblue::firejail --private firefox
1641 $ firejail --protocol.print=3272
1642 unix,inet,inet6,netlink
1643
1644 --put=name|pid src-filename dest-filename
1645 Put a file in sandbox container, see FILE TRANSFER section for
1646 more details.
1647
1648 --quiet
1649 Turn off Firejail's output.
1650
1651 The same effect can be obtained by setting an environment vari‐
1652 able FIREJAIL_QUIET to yes.
1653
1654 --read-only=dirname_or_filename
1655 Set directory or file read-only. File globbing is supported, see
1656 FILE GLOBBING section for more details.
1657
1658 Example:
1659 $ firejail --read-only=~/.mozilla firefox
1660
1661 --read-write=dirname_or_filename
1662 Set directory or file read-write. Only files or directories be‐
1663 longing to the current user are allowed for this operation. File
1664 globbing is supported, see FILE GLOBBING section for more de‐
1665 tails. Example:
1666
1667 $ mkdir ~/test
1668 $ touch ~/test/a
1669 $ firejail --read-only=~/test --read-write=~/test/a
1670
1671
1672
1673 --restrict-namespaces
1674 Install a seccomp filter that blocks attempts to create new
1675 cgroup, ipc, net, mount, pid, time, user or uts namespaces.
1676
1677 Example:
1678 $ firejail --restrict-namespaces
1679
1680
1681 --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
1682 Install a seccomp filter that blocks attempts to create any of
1683 the specified namespaces. The filter examines the arguments of
1684 clone, unshare and setns system calls and returns error EPERM to
1685 the process (or kills it or logs the attempt, see --seccomp-er‐
1686 ror-action below) if necessary. Note that the filter is not able
1687 to examine the arguments of clone3 system calls, and always re‐
1688 sponds to these calls with error ENOSYS.
1689
1690 Example:
1691 $ firejail --restrict-namespaces=user,net
1692
1693
1694 --rlimit-as=number
1695 Set the maximum size of the process's virtual memory (address
1696 space) in bytes. Use k(ilobyte), m(egabyte) or g(igabyte) for
1697 size suffix (base 1024).
1698
1699
1700 --rlimit-cpu=number
1701 Set the maximum limit, in seconds, for the amount of CPU time
1702 each sandboxed process can consume. When the limit is reached,
1703 the processes are killed.
1704
1705 The CPU limit is a limit on CPU seconds rather than elapsed
1706 time. CPU seconds is basically how many seconds the CPU has been
1707 in use and does not necessarily directly relate to the elapsed
1708 time. Linux kernel keeps track of CPU seconds for each process
1709 independently.
1710
1711
1712 --rlimit-fsize=number
1713 Set the maximum file size that can be created by a process. Use
1714 k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base
1715 1024).
1716
1717 --rlimit-nofile=number
1718 Set the maximum number of files that can be opened by a process.
1719
1720 --rlimit-nproc=number
1721 Set the maximum number of processes that can be created for the
1722 real user ID of the calling process.
1723
1724 --rlimit-sigpending=number
1725 Set the maximum number of pending signals for a process.
1726
1727
1728 --rmenv=name
1729 Remove environment variable in the new sandbox.
1730
1731 Example:
1732 $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1733
1734 --scan ARP-scan all the networks from inside a network namespace. This
1735 makes it possible to detect macvlan kernel device drivers run‐
1736 ning on the current host.
1737
1738 Example:
1739 $ firejail --net=eth0 --scan
1740
1741 --seccomp
1742 Enable seccomp filter and blacklist the syscalls in the default
1743 list, which is @default-nodebuggers unless --allow-debuggers is
1744 specified, then it is @default.
1745
1746 To help creating useful seccomp filters more easily, the follow‐
1747 ing system call groups are defined: @aio, @basic-io, @chown,
1748 @clock, @cpu-emulation, @debug, @default, @default-nodebuggers,
1749 @default-keep, @file-system, @io-event, @ipc, @keyring, @mem‐
1750 lock, @module, @mount, @network-io, @obsolete, @privileged,
1751 @process, @raw-io, @reboot, @resources, @setuid, @swap, @sync,
1752 @system-service and @timer. More information about groups can
1753 be found in /usr/share/doc/firejail/syscalls.txt
1754
1755 The default list can be customized, see --seccomp= for a de‐
1756 scription. It can be customized also globally in /etc/fire‐
1757 jail/firejail.config file.
1758
1759 System architecture is strictly imposed only if flag --sec‐
1760 comp.block-secondary is used. The filter is applied at run time
1761 only if the correct architecture was detected. For the case of
1762 I386 and AMD64 both 32-bit and 64-bit filters are installed.
1763
1764 Firejail will print seccomp violations to the audit log if the
1765 kernel was compiled with audit support (CONFIG_AUDIT flag).
1766
1767 Example:
1768 $ firejail --seccomp
1769
1770
1771
1772 --seccomp=syscall,@group,!syscall2
1773 Enable seccomp filter, blacklist the default list and the
1774 syscalls or syscall groups specified by the command, but don't
1775 blacklist "syscall2". On a 64 bit architecture, an additional
1776 filter for 32 bit system calls can be installed with --sec‐
1777 comp.32.
1778
1779 Example:
1780 $ firejail --seccomp=utime,utimensat,utimes firefox
1781 $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1782 $ firejail '--seccomp=@ipc,!pipe,!pipe2' audacious
1783
1784 Syscalls can be specified by their number if prefix $ is added,
1785 so for example $165 would be equal to mount on i386.
1786
1787 Instead of dropping the syscall by returning EPERM, another er‐
1788 ror number can be returned using syscall:errno syntax. This can
1789 be also changed globally with --seccomp-error-action or in
1790 /etc/firejail/firejail.config file. The process can also be
1791 killed by using syscall:kill syntax, or the attempt may be
1792 logged with syscall:log.
1793
1794 Example:
1795 $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1796 Parent pid 10662, child pid 10663
1797 Child process initialized
1798 $ touch testfile
1799 $ ls testfile
1800 testfile
1801 $ rm testfile
1802 rm: cannot remove `testfile': No such file or directory
1803
1804 If the blocked system calls would also block Firejail from oper‐
1805 ating, they are handled by adding a preloaded library which per‐
1806 forms seccomp system calls later. However, this is incompatible
1807 with 32 bit seccomp filters.
1808
1809 Example:
1810 $ firejail --noprofile --seccomp=execve sh
1811 Parent pid 32751, child pid 32752
1812 Post-exec seccomp protector enabled
1813 list in: execve, check list: @default-keep prelist: (null),
1814 postlist: execve
1815 Child process initialized in 46.44 ms
1816 $ ls
1817 Operation not permitted
1818
1819
1820 --seccomp.block-secondary
1821 Enable seccomp filter and filter system call architectures so
1822 that only the native architecture is allowed. For example, on
1823 amd64, i386 and x32 system calls are blocked as well as changing
1824 the execution domain with personality(2) system call.
1825
1826
1827 --seccomp.drop=syscall,@group
1828 Enable seccomp filter, and blacklist the syscalls or the syscall
1829 groups specified by the command. On a 64 bit architecture, an
1830 additional filter for 32 bit system calls can be installed with
1831 --seccomp.32.drop.
1832
1833 Example:
1834 $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1835
1836 Instead of dropping the syscall by returning EPERM, another er‐
1837 ror number can be returned using syscall:errno syntax. This can
1838 be also changed globally with --seccomp-error-action or in
1839 /etc/firejail/firejail.config file. The process can also be
1840 killed by using syscall:kill syntax, or the attempt may be
1841 logged with syscall:log.
1842
1843 Example:
1844 $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1845 Parent pid 10662, child pid 10663
1846 Child process initialized
1847 $ touch testfile
1848 $ ls testfile
1849 testfile
1850 $ rm testfile
1851 rm: cannot remove `testfile': No such file or directory
1852
1853
1854 --seccomp.keep=syscall,@group,!syscall2
1855 Enable seccomp filter, blacklist all syscall not listed and
1856 "syscall2". The system calls needed by Firejail (group @de‐
1857 fault-keep: prctl, execve, execveat) are handled with the
1858 preload library. On a 64 bit architecture, an additional filter
1859 for 32 bit system calls can be installed with --seccomp.32.keep.
1860
1861 Example:
1862 $ firejail --seccomp.keep=poll,select,[...] transmission-gtk
1863
1864
1865 --seccomp.print=name|pid
1866 Print the seccomp filter for the sandbox identified by name or
1867 PID.
1868
1869 Example:
1870 $ firejail --name=browser firefox &
1871 $ firejail --seccomp.print=browser
1872 line OP JT JF K
1873 =================================
1874 0000: 20 00 00 00000004 ld data.architecture
1875 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
1876 0002: 06 00 00 7fff0000 ret ALLOW
1877 0003: 20 00 00 00000000 ld data.syscall-number
1878 0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
1879 0005: 35 01 00 00000000 jge read 0007 (false 0006)
1880 0006: 06 00 00 00050001 ret ERRNO(1)
1881 0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
1882 0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
1883 0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
1884 000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false
1885 000b)
1886 000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
1887 000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
1888 000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
1889 000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
1890 000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
1891 0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
1892 0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
1893 0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
1894 0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
1895 0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
1896 0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
1897 0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
1898 0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
1899 0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
1900 0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
1901 001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
1902 001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
1903 001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
1904 001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
1905 001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
1906 001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
1907 0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
1908 0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
1909 0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
1910 0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
1911 0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
1912 0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
1913 0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
1914 0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
1915 0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
1916 0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
1917 002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
1918 002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
1919 002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
1920 002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
1921 002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
1922 002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
1923 0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
1924 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
1925 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
1926 0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
1927 0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false
1928 0035)
1929 0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false
1930 0036)
1931 0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
1932 0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
1933 0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
1934 0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
1935 003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
1936 003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
1937 003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
1938 003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
1939 003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
1940 003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
1941 0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
1942 0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
1943 0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false
1944 0043)
1945 0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
1946 0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
1947 0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
1948 0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
1949 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false
1950 0048)
1951 0048: 06 00 00 7fff0000 ret ALLOW
1952 0049: 06 00 01 00000000 ret KILL
1953 $
1954
1955
1956 --seccomp-error-action= kill | ERRNO | log
1957 By default, if a seccomp filter blocks a system call, the
1958 process gets EPERM as the error. With --seccomp-error-action=er‐
1959 ror, another error number can be returned, for example ENOSYS or
1960 EACCES. The process can also be killed (like in versions <0.9.63
1961 of Firejail) by using --seccomp-error-action=kill syntax, or the
1962 attempt may be logged with --seccomp-error-action=log. Not
1963 killing the process weakens Firejail slightly when trying to
1964 contain intrusion, but it may also allow tighter filters if the
1965 only alternative is to allow a system call.
1966
1967
1968 --shutdown=name|pid
1969 Shutdown the sandbox identified by name or PID.
1970
1971 Example:
1972 $ firejail --name=mygame --caps.drop=all warzone2100 &
1973 $ firejail --shutdown=mygame
1974
1975 Example:
1976 $ firejail --list
1977 3272:netblue::firejail --private firefox
1978 $ firejail --shutdown=3272
1979
1980
1981 --snitrace[=name|pid]
1982 Monitor Server Name Indication (TLS/SNI). The sandbox can be
1983 specified by name or pid. Only networked sandboxes created with
1984 --net are supported. This option is only available when running
1985 the sandbox as root.
1986
1987 Without a name/pid, Firejail will monitor the main system net‐
1988 work namespace.
1989
1990 Example:
1991 $ sudo firejail --snitrace
1992 07:49:51 23.185.0.3 linux.com
1993 07:49:51 23.185.0.3 www.linux.com
1994 07:50:05 192.0.73.2 secure.gravatar.com
1995 07:52:35 172.67.68.93 www.howtoforge.com
1996 07:52:37 13.225.103.59 sf.ezoiccdn.com
1997 07:52:42 142.250.176.3 www.gstatic.com
1998 07:53:03 173.236.250.32 www.linuxlinks.com
1999 07:53:05 192.0.77.37 c0.wp.com
2000 07:53:08 192.0.78.32 jetpack.wordpress.com
2001 07:53:09 192.0.77.32 s0.wp.com
2002 07:53:09 192.0.77.2 i0.wp.com
2003 07:53:10 192.0.77.2 i0.wp.com
2004 07:53:11 192.0.73.2 1.gravatar.com
2005
2006
2007 --tab Enable shell tab completion in sandboxes using private or
2008 whitelisted home directories.
2009
2010 $ firejail --private --tab
2011
2012 --timeout=hh:mm:ss
2013 Kill the sandbox automatically after the time has elapsed. The
2014 time is specified in hours/minutes/seconds format.
2015
2016 $ firejail --timeout=01:30:00 firefox
2017
2018 --tmpfs=dirname
2019 Mount a writable tmpfs filesystem on directory dirname. Directo‐
2020 ries outside user home or not owned by the user are not allowed.
2021 Sandboxes running as root are exempt from these restrictions.
2022 File globbing is supported, see FILE GLOBBING section for more
2023 details.
2024
2025 Example:
2026 $ firejail --tmpfs=~/.local/share
2027
2028 --top Monitor the most CPU-intensive sandboxes, see MONITORING section
2029 for more details.
2030
2031 Example:
2032 $ firejail --top
2033
2034 --trace[=filename]
2035 Trace open, access and connect system calls. If filename is
2036 specified, log trace output to filename, otherwise log to con‐
2037 sole.
2038
2039 Example:
2040 $ firejail --trace wget -q www.debian.org
2041 Reading profile /etc/firejail/wget.profile
2042 3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
2043 3:wget:fopen /etc/hosts:0x5c8e8cfb70
2044 3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
2045 3:wget:connect 3 8.8.8.8 port 53:0
2046 3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
2047 3:wget:connect 3 130.89.148.14 port 80:0
2048 3:wget:fopen64 index.html:0x5c8e8d1a60
2049
2050 parent is shutting down, bye...
2051
2052 --tracelog
2053 This option enables auditing blacklisted files and directories.
2054 A message is sent to syslog in case the file or the directory is
2055 accessed.
2056
2057 Example:
2058 $ firejail --tracelog firefox
2059
2060 Sample messages:
2061 $ sudo tail -f /var/log/syslog
2062 [...]
2063 Dec 3 11:43:25 debian firejail[70]: blacklist violation - sand‐
2064 box 26370, exe firefox, syscall open64, path /etc/shadow
2065 Dec 3 11:46:17 debian firejail[70]: blacklist violation - sand‐
2066 box 26370, exe firefox, syscall opendir, path /boot
2067 [...]
2068
2069 Note: Support for this command is controlled in firejail.config
2070 with the tracelog option.
2071
2072 --tree Print a tree of all sandboxed processes, see MONITORING section
2073 for more details.
2074
2075 Example:
2076 $ firejail --tree
2077 11903:netblue:firejail iceweasel
2078 11904:netblue:iceweasel
2079 11957:netblue:/usr/lib/iceweasel/plugin-container
2080 11969:netblue:firejail --net=eth0 transmission-gtk
2081 11970:netblue:transmission-gtk
2082
2083
2084 --version
2085 Print program version/compile time support and exit.
2086
2087 Example:
2088 $ firejail --version
2089 firejail version 0.9.27
2090
2091 Compile time support:
2092 - AppArmor support is enabled
2093 - AppImage support is enabled
2094 - chroot support is enabled
2095 - file and directory whitelisting support is enabled
2096 - file transfer support is enabled
2097 - firetunnel support is enabled
2098 - networking support is enabled
2099 - overlayfs support is enabled
2100 - private-home support is enabled
2101 - seccomp-bpf support is enabled
2102 - user namespace support is enabled
2103 - X11 sandboxing support is enabled
2104
2105 --veth-name=name
2106 Use this name for the interface connected to the bridge for
2107 --net=bridge_interface commands, instead of the default one.
2108
2109 Example:
2110 $ firejail --net=br0 --veth-name=if0
2111
2112 --whitelist=dirname_or_filename
2113 Whitelist directory or file. A temporary file system is mounted
2114 on the top directory, and the whitelisted files are mount-binded
2115 inside. Modifications to whitelisted files are persistent, ev‐
2116 erything else is discarded when the sandbox is closed. The top
2117 directory can be all directories in / (except /proc and /sys),
2118 /sys/module, /run/user/$UID, $HOME and all directories in /usr.
2119
2120 Symbolic link handling: Whitelisting a path that is a symbolic
2121 link will also whitelist the path that it points to. For exam‐
2122 ple, if ~/foo is whitelisted and it points to ~/bar, then ~/bar
2123 will also be whitelisted. Restrictions: With the exception of
2124 the user home directory, both the link and the real file should
2125 be in the same top directory. For symbolic links in the user
2126 home directory, both the link and the real file should be owned
2127 by the user.
2128
2129 File globbing is supported, see FILE GLOBBING section for more
2130 details.
2131
2132 Example:
2133 $ firejail --noprofile --whitelist=~/.mozilla
2134 $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
2135 $ firejail "--whitelist=/home/username/My Virtual Machines"
2136 $ firejail --whitelist=~/work* --whitelist=/var/backups*
2137
2138
2139 --writable-etc
2140 Mount /etc directory read-write.
2141
2142 Example:
2143 $ sudo firejail --writable-etc
2144
2145
2146 --writable-run-user
2147 Disable the default blacklisting of /run/user/$UID/systemd and
2148 /run/user/$UID/gnupg.
2149
2150 Example:
2151 $ sudo firejail --writable-run-user
2152
2153
2154 --writable-var
2155 Mount /var directory read-write.
2156
2157 Example:
2158 $ sudo firejail --writable-var
2159
2160
2161 --writable-var-log
2162 Use the real /var/log directory, not a clone. By default, a
2163 tmpfs is mounted on top of /var/log directory, and a skeleton
2164 filesystem is created based on the original /var/log.
2165
2166 Example:
2167 $ sudo firejail --writable-var-log
2168
2169
2170 --x11 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg secu‐
2171 rity extension. The sandbox will prevent screenshot and keylog‐
2172 ger applications started inside the sandbox from accessing
2173 clients running outside the sandbox. Firejail will try Xpra
2174 first, and if Xpra is not installed on the system, it will try
2175 to find Xephyr. If all fails, Firejail will not attempt to use
2176 Xvfb or X11 security extension.
2177
2178 Xpra, Xephyr and Xvfb modes require a network namespace to be
2179 instantiated in order to disable X11 abstract Unix socket. If
2180 this is not possible, the user can disable the abstract socket
2181 by adding "-nolisten local" on Xorg command line at system
2182 level.
2183
2184 Example:
2185 $ firejail --x11 --net=eth0 firefox
2186
2187
2188 --x11=none
2189 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the
2190 file specified in ${XAUTHORITY} environment variable. Remove
2191 DISPLAY and XAUTHORITY environment variables. Stop with error
2192 message if X11 abstract socket will be accessible in jail.
2193
2194
2195 --x11=xephyr
2196 Start Xephyr and attach the sandbox to this server. Xephyr is a
2197 display server implementing the X11 display server protocol. A
2198 network namespace needs to be instantiated in order to deny ac‐
2199 cess to X11 abstract Unix domain socket.
2200
2201 Xephyr runs in a window just like any other X11 application. The
2202 default window size is 800x600. This can be modified in
2203 /etc/firejail/firejail.config file.
2204
2205 The recommended way to use this feature is to run a window man‐
2206 ager inside the sandbox. A security profile for OpenBox is pro‐
2207 vided.
2208
2209 Xephyr is developed by Xorg project. On Debian platforms it is
2210 installed with the command sudo apt-get install xserver-xephyr.
2211 This feature is not available when running as root.
2212
2213 Example:
2214 $ firejail --x11=xephyr --net=eth0 openbox
2215
2216
2217 --x11=xorg
2218 Sandbox the application using the untrusted mode implemented by
2219 X11 security extension. The extension is available in Xorg
2220 package and it is installed by default on most Linux distribu‐
2221 tions. It provides support for a simple trusted/untrusted con‐
2222 nection model. Untrusted clients are restricted in certain ways
2223 to prevent them from reading window contents of other clients,
2224 stealing input events, etc.
2225
2226 The untrusted mode has several limitations. A lot of regular
2227 programs assume they are a trusted X11 clients and will crash or
2228 lock up when run in untrusted mode. Chromium browser and xterm
2229 are two examples. Firefox and transmission-gtk seem to be work‐
2230 ing fine. A network namespace is not required for this option.
2231
2232 Example:
2233 $ firejail --x11=xorg firefox
2234
2235
2236 --x11=xpra
2237 Start Xpra (https://xpra.org) and attach the sandbox to this
2238 server. Xpra is a persistent remote display server and client
2239 for forwarding X11 applications and desktop screens. A network
2240 namespace needs to be instantiated in order to deny access to
2241 X11 abstract Unix domain socket.
2242
2243 On Debian platforms Xpra is installed with the command sudo apt-
2244 get install xpra. This feature is not available when running as
2245 root.
2246
2247 Example:
2248 $ firejail --x11=xpra --net=eth0 firefox
2249
2250
2251
2252 --x11=xvfb
2253 Start Xvfb X11 server and attach the sandbox to this server.
2254 Xvfb, short for X virtual framebuffer, performs all graphical
2255 operations in memory without showing any screen output. Xvfb is
2256 mainly used for remote access and software testing on headless
2257 servers.
2258
2259 On Debian platforms Xvfb is installed with the command sudo apt-
2260 get install xvfb. This feature is not available when running as
2261 root.
2262
2263 Example: remote VNC access
2264
2265 On the server we start a sandbox using Xvfb and openbox window
2266 manager. The default size of Xvfb screen is 800x600 - it can be
2267 changed in /etc/firejail/firejail.config (xvfb-screen). Some
2268 sort of networking (--net) is required in order to isolate the
2269 abstract sockets used by other X servers.
2270
2271 $ firejail --net=none --x11=xvfb openbox
2272
2273 *** Attaching to Xvfb display 792 ***
2274
2275 Reading profile /etc/firejail/openbox.profile
2276 Reading profile /etc/firejail/disable-common.inc
2277 Reading profile /etc/firejail/disable-common.local
2278 Parent pid 5400, child pid 5401
2279
2280 On the server we also start a VNC server and attach it to the
2281 display handled by our Xvfb server (792).
2282
2283 $ x11vnc -display :792
2284
2285 On the client machine we start a VNC viewer and use it to con‐
2286 nect to our server:
2287
2288 $ vncviewer
2289
2290
2291 --xephyr-screen=WIDTHxHEIGHT
2292 Set screen size for --x11=xephyr. The setting will overwrite the
2293 default set in /etc/firejail/firejail.config for the current
2294 sandbox. Run xrandr to get a list of supported resolutions on
2295 your computer.
2296
2297 Example:
2298 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
2299 fox
2300
2301
2303 A symbolic link to /usr/bin/firejail under the name of a program, will
2304 start the program in Firejail sandbox. The symbolic link should be
2305 placed in the first $PATH position. On most systems, a good place is
2306 /usr/local/bin directory. Example:
2307
2308 Make a firefox symlink to /usr/bin/firejail:
2309
2310 $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
2311
2312 Verify $PATH
2313
2314 $ which -a firefox
2315 /usr/local/bin/firefox
2316 /usr/bin/firefox
2317
2318 Starting firefox in this moment, automatically invokes “firejail
2319 firefox”.
2320
2321 This works for clicking on desktop environment icons, menus etc. Use
2322 "firejail --tree" to verify the program is sandboxed.
2323
2324 $ firejail --tree
2325 1189:netblue:firejail firefox
2326 1190:netblue:firejail firefox
2327 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
2328 1221:netblue:/usr/lib/firefox/firefox
2329
2330 We provide a tool that automates all this integration, please see
2331 firecfg(1) for more details.
2332
2333
2335 firejail
2336 Sandbox a regular shell session.
2337
2338 firejail firefox
2339 Start Mozilla Firefox.
2340
2341 firejail --debug firefox
2342 Debug Firefox sandbox.
2343
2344 firejail --private firefox
2345 Start Firefox with a new, empty home directory.
2346
2347 firejail --net=none vlc
2348 Start VLC in an unconnected network namespace.
2349
2350 firejail --net=eth0 firefox
2351 Start Firefox in a new network namespace. An IP address is as‐
2352 signed automatically.
2353
2354 firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2355 Start a shell session in a new network namespace and connect it
2356 to br0, br1, and br2 host bridge devices. IP addresses are as‐
2357 signed automatically for the interfaces connected to br1 and b2
2358
2359 firejail --list
2360 List all sandboxed processes.
2361
2362
2364 Globbing is the operation that expands a wildcard pattern into the
2365 list of pathnames matching the pattern. This pattern is matched
2366 at firejail start, and is NOT UPDATED at runtime. Files match‐
2367 ing a blacklist, but created after firejail start will be acces‐
2368 sible within the jail. Matching is defined by:
2369
2370 - '?' matches any character
2371 - '*' matches any string
2372 - '[' denotes a range of characters
2373
2374 The globbing feature is implemented using glibc glob command. For
2375 more information on the wildcard syntax see man 7 glob.
2376
2377
2378 The following command line options are supported: --blacklist,
2379 --private-bin, --noexec, --read-only, --read-write, --tmpfs, and
2380 --whitelist.
2381
2382
2383 Examples:
2384
2385 $ firejail --private-bin=sh,bash,python*
2386 $ firejail --blacklist=~/dir[1234]
2387 $ firejail --read-only=~/dir[1-4]
2388
2389
2391 These features allow the user to inspect the filesystem container of an
2392 existing sandbox and transfer files between the container and the host
2393 filesystem.
2394
2395
2396 --cat=name|pid filename
2397 Write content of a container file to standard out. The container
2398 is specified by name or PID. If standard out is a terminal, all
2399 ASCII control characters except new line and horizontal tab are
2400 replaced.
2401
2402
2403 --get=name|pid filename
2404 Retrieve the container file and store it on the host in the cur‐
2405 rent working directory. The container is specified by name or
2406 PID.
2407
2408
2409 --ls=name|pid dir_or_filename
2410 List container files. The container is specified by name or PID.
2411
2412
2413 --put=name|pid src-filename dest-filename
2414 Put src-filename in sandbox container. The container is speci‐
2415 fied by name or PID.
2416
2417
2418 Examples:
2419
2420 $ firejail --name=mybrowser --private firefox
2421
2422 $ firejail --ls=mybrowser ~/Downloads
2423 drwxr-xr-x netblue netblue 4096 .
2424 drwxr-xr-x netblue netblue 4096 ..
2425 -rw-r--r-- netblue netblue 7847 x11-x305.png
2426 -rw-r--r-- netblue netblue 6800 x11-x642.png
2427 -rw-r--r-- netblue netblue 34139 xpra-clipboard.png
2428
2429 $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
2430
2431 $ firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-
2432 clipboard.png
2433
2434 $ firejail --cat=mybrowser ~/.bashrc
2435
2436
2437
2439 Option --list prints a list of all sandboxes. The format for each
2440 process entry is as follows:
2441
2442 PID:USER:Sandbox Name:Command
2443
2444 Option --tree prints the tree of processes running in the sandbox. The
2445 format for each process entry is as follows:
2446
2447 PID:USER:Sandbox Name:Command
2448
2449 Option --top is similar to the UNIX top command, however it applies
2450 only to sandboxes.
2451
2452 Option --netstats prints network statistics for active sandboxes in‐
2453 stalling new network namespaces.
2454
2455 Listed below are the available fields (columns) in alphabetical order
2456 for --top and --netstats options:
2457
2458
2459 Command
2460 Command used to start the sandbox.
2461
2462 CPU% CPU usage, the sandbox share of the elapsed CPU time since the
2463 last screen update
2464
2465 PID Unique process ID for the task controlling the sandbox.
2466
2467 Prcs Number of processes running in sandbox, including the control‐
2468 ling process.
2469
2470 RES Resident Memory Size (KiB), sandbox non-swapped physical memory.
2471 It is a sum of the RES values for all processes running in the
2472 sandbox.
2473
2474 RX(KB/s)
2475 Network receive speed.
2476
2477 Sandbox Name
2478 The name of the sandbox, if any.
2479
2480 SHR Shared Memory Size (KiB), it reflects memory shared with other
2481 processes. It is a sum of the SHR values for all processes run‐
2482 ning in the sandbox, including the controlling process.
2483
2484 TX(KB/s)
2485 Network transmit speed.
2486
2487 Uptime Sandbox running time in hours:minutes:seconds format.
2488
2489 USER The owner of the sandbox.
2490
2491
2493 To configure a restricted shell, replace /bin/bash with /usr/bin/fire‐
2494 jail in /etc/passwd file for each user that needs to be restricted. Al‐
2495 ternatively, you can specify /usr/bin/firejail in adduser command:
2496
2497 adduser --shell /usr/bin/firejail username
2498
2499 Additional arguments passed to firejail executable upon login are de‐
2500 clared in /etc/firejail/login.users file.
2501
2502
2504 Several command line options can be passed to the program using profile
2505 files. Firejail chooses the profile file as follows:
2506
2507 1. If a profile file is provided by the user with --profile=FILE op‐
2508 tion, the profile FILE is loaded. If a profile name is given, it is
2509 searched for first in the ~/.config/firejail directory and if not found
2510 then in /etc/firejail directory. Profile names do not include the .pro‐
2511 file suffix. If there is a file with the same name as the given profile
2512 name, it will be used instead of doing the profile search. To force a
2513 profile search, prefix the profile name with a colon (:), eg. --pro‐
2514 file=:PROFILE_NAME. Example:
2515
2516 $ firejail --profile=/home/netblue/icecat.profile icecat
2517 Reading profile /home/netblue/icecat.profile
2518 [...]
2519
2520
2521 $ firejail --profile=icecat icecat-wrapper.sh
2522 Reading profile /etc/firejail/icecat.profile
2523 [...]
2524
2525 2. If a profile file with the same name as the application is present
2526 in ~/.config/firejail directory or in /etc/firejail, the profile is
2527 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
2528 ple:
2529
2530 $ firejail icecat
2531 Command name #icecat#
2532 Found icecat profile in /home/netblue/.config/firejail directory
2533 Reading profile /home/netblue/.config/firejail/icecat.profile
2534 [...]
2535
2536 3. Use default.profile file if the sandbox is started by a regular
2537 user, or server.profile file if the sandbox is started by root. Fire‐
2538 jail looks for these files in ~/.config/firejail directory, followed by
2539 /etc/firejail directory. To disable default profile loading, use --no‐
2540 profile command option. Example:
2541
2542 $ firejail
2543 Reading profile /etc/firejail/default.profile
2544 Parent pid 8553, child pid 8554
2545 Child process initialized
2546 [...]
2547
2548 $ firejail --noprofile
2549 Parent pid 8553, child pid 8554
2550 Child process initialized
2551 [...]
2552
2553 See man 5 firejail-profile for profile file syntax information.
2554
2556 Network bandwidth is an expensive resource shared among all sandboxes
2557 running on a system. Traffic shaping allows the user to increase net‐
2558 work performance by controlling the amount of data that flows into and
2559 out of the sandboxes.
2560
2561 Firejail implements a simple rate-limiting shaper based on Linux com‐
2562 mand tc. The shaper works at sandbox level, and can be used only for
2563 sandboxes configured with new network namespaces.
2564
2565 Set rate-limits:
2566
2567 $ firejail --bandwidth=name|pid set network download upload
2568
2569 Clear rate-limits:
2570
2571 $ firejail --bandwidth=name|pid clear network
2572
2573 Status:
2574
2575 $ firejail --bandwidth=name|pid status
2576
2577 where:
2578 name - sandbox name
2579 pid - sandbox pid
2580 network - network interface as used by --net option
2581 download - download speed in KB/s (kilobyte per second)
2582 upload - upload speed in KB/s (kilobyte per second)
2583
2584 Example:
2585 $ firejail --name=mybrowser --net=eth0 firefox &
2586 $ firejail --bandwidth=mybrowser set eth0 80 20
2587 $ firejail --bandwidth=mybrowser status
2588 $ firejail --bandwidth=mybrowser clear eth0
2589
2591 This program is free software; you can redistribute it and/or modify it
2592 under the terms of the GNU General Public License as published by the
2593 Free Software Foundation; either version 2 of the License, or (at your
2594 option) any later version.
2595
2596 Homepage: https://firejail.wordpress.com
2597
2599 firemon(1), firecfg(1), firejail-profile(5), firejail-login(5), fire‐
2600 jail-users(5), jailcheck(1)
2601
2602 ⟨https://github.com/netblue30/firejail/wiki⟩,
2603 ⟨https://github.com/netblue30/firejail⟩
2604
2605
2606
26070.9.72 Jan 2023 FIREJAIL(1)