1FIREJAIL(1) firejail man page FIREJAIL(1)
2
6 Firejail - Linux namespaces sandbox program
7
9 Start a sandbox:
10 firejail [OPTIONS] [program and arguments]
12 Start an AppImage program:
14 firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and argu‐
16 ments]
17 File transfer from an existing sandbox
19 firejail {--ls | --get | --put | --cat} dir_or_filename
21 Network traffic shaping for an existing sandbox:
23 firejail --bandwidth={name|pid} bandwidth-command
25 Monitoring:
27 firejail {--list | --netstats | --top | --tree}
29 Miscellaneous:
31 firejail {-? | --debug-caps | --debug-errnos | --debug-syscalls
33 | --debug-syscalls32 | --debug-protocols | --help | --version}
34
36 Firejail is a SUID sandbox program that reduces the risk of security
37 breaches by restricting the running environment of untrusted applica‐
38 tions using Linux namespaces, seccomp-bpf and Linux capabilities. It
39 allows a process and all its descendants to have their own private view
40 of the globally shared kernel resources, such as the network stack,
41 process table, mount table. Firejail can work in a SELinux or AppArmor
42 environment, and it is integrated with Linux Control Groups.
43 Written in C with virtually no dependencies, the software runs on any
45 Linux computer with a 3.x kernel version or newer. It can sandbox any
46 type of processes: servers, graphical applications, and even user login
47 sessions.
48 Firejail allows the user to manage application security using security
50 profiles. Each profile defines a set of permissions for a specific ap‐
51 plication or group of applications. The software includes security pro‐
52 files for a number of more common Linux programs, such as Mozilla Fire‐
53 fox, Chromium, VLC, Transmission etc.
54 Firejail is currently implemented as an SUID binary, which means that
56 if a malicious or compromised user account manages to exploit a bug in
57 Firejail, that could ultimately lead to a privilege escalation to root.
58 To mitigate this, it is recommended to only allow trusted users to run
59 firejail (see firejail-users(5) for details on how to achieve that).
60 For more details on the security/usability tradeoffs of Firejail, see:
61 #4601 ⟨https://github.com/netblue30/firejail/discussions/4601⟩
62 Alternative sandbox technologies like snap (https://snapcraft.io/) and
64 flatpak (https://flatpak.org/) are not supported. Snap and flatpak
65 packages have their own native management tools and will not work when
66 sandboxed with Firejail.
67
70 Without any options, the sandbox consists of a filesystem build in a
71 new mount namespace, and new PID and UTS namespaces. IPC, network and
72 user namespaces can be added using the command line options. The de‐
73 fault Firejail filesystem is based on the host filesystem with the main
74 system directories mounted read-only. These directories are /etc, /var,
75 /usr, /bin, /sbin, /lib, /lib32, /libx32 and /lib64. Only /home and
76 /tmp are writable.
77 Upon execution Firejail first looks in ~/.config/firejail/ for a pro‐
79 file and if it doesn't find one, it looks in /etc/firejail/. For pro‐
80 file resolution detail see https://github.com/netblue30/fire‐
81 jail/wiki/Creating-Profiles#locations-and-types. If an appropriate
82 profile is not found, Firejail will use a default profile. The default
83 profile is quite restrictive. In case the application doesn't work, use
84 --noprofile option to disable it. For more information, please see SE‐
85 CURITY PROFILES section below.
86 If a program argument is not specified, Firejail starts the user's pre‐
88 ferred shell. Examples:
89 $ firejail [OPTIONS] # starting the program specified in
91 $SHELL, usually /bin/bash
92 $ firejail [OPTIONS] firefox # starting Mozilla Firefox
94 # sudo firejail [OPTIONS] /etc/init.d/nginx start
96
99 -- Signal the end of options and disables further option process‐
100 ing.
101 --allow-debuggers
103 Allow tools such as strace and gdb inside the sandbox by
104 whitelisting system calls ptrace and process_vm_readv. This op‐
105 tion is only available when running on Linux kernels 4.8 or
106 newer - a kernel bug in ptrace system call allows a full bypass
107 of the seccomp filter.
108 Example:
110 $ firejail --allow-debuggers --profile=/etc/firejail/fire‐
111 fox.profile strace -f firefox
112 --allusers
114 All directories under /home are visible inside the sandbox. By
115 default, only current user home directory is visible.
116 Example:
118 $ firejail --allusers
119 --appimage
121 Sandbox an AppImage (https://appimage.org/) application. If the
122 sandbox is started as a regular user, nonewprivs and a default
123 capabilities filter are enabled. private-bin and private-lib
124 are disabled by default when running appimages.
125 Example:
127 $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
128 $ firejail --quiet --appimage --private --profile=krita
129 krita-3.0-x86_64.appimage
130 $ firejail --appimage --net=none --x11 --profile=krita
131 krita-3.0-x86_64.appimage
132 Note: When using both --appimage and --profile, it is recom‐
134 mended to always specify the former before the latter, so that
135 any ?HAS_APPIMAGE conditionals inside of the profile evaluate to
136 true (see ?CONDITIONAL in firejail-profile(5)).
137 --bandwidth=name|pid
139 Set bandwidth limits for the sandbox identified by name or PID,
140 see TRAFFIC SHAPING section for more details.
141 --bind=filename1,filename2
143 Mount-bind filename1 on top of filename2. This option is only
144 available when running as root.
145 Example:
147 # firejail --bind=/config/etc/passwd,/etc/passwd
148 --blacklist=dirname_or_filename
150 Blacklist directory or file. File globbing is supported, see
151 FILE GLOBBING section for more details.
152 Symbolic link handling: Blacklisting a path that is a symbolic
154 link will also blacklist the path that it points to. For exam‐
155 ple, if ~/foo is blacklisted and it points to /bar, then /bar
156 will also be blacklisted.
157 Example:
159 $ firejail --blacklist=/sbin --blacklist=/usr/sbin
160 $ firejail --blacklist=~/.mozilla
161 $ firejail "--blacklist=/home/username/My Virtual Machines"
162 $ firejail --blacklist=/home/username/My\ Virtual\ Machines
163 --build
165 The command builds a whitelisted profile. The profile is printed
166 on the screen. The program is run in a very relaxed sandbox,
167 with only --caps.drop=all and --seccomp=!chroot. Programs that
168 raise user privileges are not supported.
169 Example:
171 $ firejail --build vlc ~/Videos/test.mp4
172 $ firejail --build --appimage ~/Downloads/Subsurface.AppImage
173 --build=profile-file
175 The command builds a whitelisted profile, and saves it in pro‐
176 file-file. The program is run in a very relaxed sandbox, with
177 only --caps.drop=all and --seccomp=!chroot. Programs that raise
178 user privileges are not supported.
179 Example:
181 $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
182 $ firejail --build=Subsurface.profile --appimage ~/Down‐
183 loads/Subsurface.AppImage
184 -c Login shell compatibility option. This option is use by some lo‐
186 gin programs when executing the login shell, such as when fire‐
187 jail is used as a restricted login shell. It currently does not
188 change the execution of firejail.
189 --caps Linux capabilities is a kernel feature designed to split up the
191 root privilege into a set of distinct privileges. These privi‐
192 leges can be enabled or disabled independently, thus restricting
193 what a process running as root can do in the system. See capa‐
194 bilities(7) for details.
195 By default root programs run with all capabilities enabled.
197 --caps option disables the following capabilities: CAP_SYS_MOD‐
198 ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
199 FIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN. The filter is ap‐
200 plied to all processes started in the sandbox.
201 Example:
203 $ sudo firejail --caps /etc/init.d/nginx start
204 --caps.drop=all
207 Drop all capabilities for the processes running in the sandbox.
208 This option is recommended for running GUI programs or any other
209 program that doesn't require root privileges. It is a must-have
210 option for sandboxing untrusted programs installed from unoffi‐
211 cial sources - such as games, Java programs, etc.
212 Example:
214 $ firejail --caps.drop=all warzone2100
215 --caps.drop=capability,capability,capability
218 Define a custom blacklist Linux capabilities filter.
219 Example:
221 $ firejail --caps.drop=net_broadcast,net_admin,net_raw
222 --caps.keep=capability,capability,capability
225 Define a custom whitelist Linux capabilities filter.
226 Example:
228 $ sudo firejail --caps.keep=chown,net_bind_service,setgid,\ se‐
229 tuid /etc/init.d/nginx start
230 --caps.print=name|pid
233 Print the caps filter for the sandbox identified by name or by
234 PID.
235 Example:
237 $ firejail --name=mygame --caps.drop=all warzone2100 &
238 $ firejail --caps.print=mygame
239 Example:
241 $ firejail --list
242 3272:netblue::firejail --private firefox
243 $ firejail --caps.print=3272
244 --cat=name|pid filename
247 Print content of file from sandbox container, see FILE TRANSFER
248 section for more details.
249 --chroot=dirname
251 Chroot the sandbox into a root filesystem. Unlike the regular
252 filesystem container, the system directories are mounted read-
253 write. If the sandbox is started as a regular user, nonewprivs
254 and a default capabilities filter are enabled.
255 Example:
257 $ firejail --chroot=/media/ubuntu warzone2100
258 For automatic mounting of X11 and PulseAudio sockets set envi‐
260 ronment variables FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
261 Note: Support for this command is controlled in firejail.config
263 with the chroot option.
264 --cpu=cpu-number,cpu-number,cpu-number
266 Set CPU affinity.
267 Example:
269 $ firejail --cpu=0,1 handbrake
270 --cpu.print=name|pid
273 Print the CPU cores in use by the sandbox identified by name or
274 by PID.
275 Example:
277 $ firejail --name=mygame --caps.drop=all warzone2100 &
278 $ firejail --cpu.print=mygame
279 Example:
281 $ firejail --list
282 3272:netblue::firejail --private firefox
283 $ firejail --cpu.print=3272
284 --dbus-log=file
286 Specify the location for the DBus log file.
287 The log file contains events for both the system and session
289 buses if both of the --dbus-system.log and --dbus-user.log op‐
290 tions are specified. If no log file path is given, logs are
291 written to the standard output instead.
292 Example:
294 $ firejail --dbus-system=filter --dbus-system.log \
295 --dbus-log=dbus.txt
296 --dbus-system=filter|none
299 Set system DBus sandboxing policy.
300 The filter policy enables the system DBus filter. This option
302 requires installing the xdg-dbus-proxy utility. Permissions for
303 well-known can be specified with the --dbus-system.talk and
304 --dbus-system.own options.
305 The none policy disables access to the system DBus.
307 Only the regular system DBus UNIX socket is handled by this op‐
309 tion. To disable the abstract sockets (and force applications to
310 use the filtered UNIX socket) you would need to request a new
311 network namespace using --net command. Another option is to re‐
312 move unix from the --protocol set.
313 Example:
315 $ firejail --dbus-system=none
316 --dbus-system.broadcast=name=[member][@path]
319 Allows the application to receive broadcast signals from the in‐
320 dicated interface member at the indicated object path exposed by
321 the indicated bus name on the system DBus. The name may have a
322 .* suffix to match all names underneath it, including itself.
323 The interface member may have a .* to match all members of an
324 interface, or be * to match all interfaces. The path may have a
325 /* suffix to indicate all objects underneath it, including it‐
326 self. Omitting the interface member or the object path will
327 match all members and object paths, respectively.
328 Example:
330 $ firejail --dbus-system=filter --dbus-system.broadcast=\
331 org.freedesktop.Notifications=\
332 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
333 --dbus-system.call=name=[member][@path]
336 Allows the application to call the indicated interface member at
337 the indicated object path exposed by the indicated bus name on
338 the system DBus. The name may have a .* suffix to match all
339 names underneath it, including itself. The interface member may
340 have a .* to match all members of an interface, or be * to match
341 all interfaces. The path may have a /* suffix to indicate all
342 objects underneath it, including itself. Omitting the interface
343 member or the object path will match all members and object
344 paths, respectively.
345 Example:
347 $ firejail --dbus-system=filter --dbus-system.call=\
348 org.freedesktop.Notifications=\
349 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
350 --dbus-system.log
353 Turn on DBus logging for the system DBus. This option requires
354 --dbus-system=filter.
355 Example:
357 $ firejail --dbus-system=filter --dbus-system.log
358 --dbus-system.own=name
361 Allows the application to own the specified well-known name on
362 the system DBus. The name may have a .* suffix to match all
363 names underneath it, including itself (e.g. "foo.bar.*" matches
364 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
365 bar").
366 Example:
368 $ firejail --dbus-system=filter --dbus-system.own=\
369 org.gnome.ghex.*
370 --dbus-system.see=name
373 Allows the application to see, but not talk to the specified
374 well-known name on the system DBus. The name may have a .* suf‐
375 fix to match all names underneath it, including itself (e.g.
376 "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
377 "foo.bar.baz.quux", but not "foobar").
378 Example:
380 $ firejail --dbus-system=filter --dbus-system.see=\
381 org.freedesktop.Notifications
382 --dbus-system.talk=name
385 Allows the application to talk to the specified well-known name
386 on the system DBus. The name may have a .* suffix to match all
387 names underneath it, including itself (e.g. "foo.bar.*" matches
388 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
389 bar").
390 Example:
392 $ firejail --dbus-system=filter --dbus-system.talk=\
393 org.freedesktop.Notifications
394 --dbus-user=filter|none
397 Set session DBus sandboxing policy.
398 The filter policy enables the session DBus filter. This option
400 requires installing the xdg-dbus-proxy utility. Permissions for
401 well-known names can be added with the --dbus-user.talk and
402 --dbus-user.own options.
403 The none policy disables access to the session DBus.
405 Only the regular session DBus UNIX socket is handled by this op‐
407 tion. To disable the abstract sockets (and force applications to
408 use the filtered UNIX socket) you would need to request a new
409 network namespace using --net command. Another option is to re‐
410 move unix from the --protocol set.
411 Example:
413 $ firejail --dbus-user=none
414 --dbus-user.broadcast=name=[member][@path]
417 Allows the application to receive broadcast signals from the in‐
418 dicated interface member at the indicated object path exposed by
419 the indicated bus name on the session DBus. The name may have a
420 .* suffix to match all names underneath it, including itself.
421 The interface member may have a .* to match all members of an
422 interface, or be * to match all interfaces. The path may have a
423 /* suffix to indicate all objects underneath it, including it‐
424 self. Omitting the interface member or the object path will
425 match all members and object paths, respectively.
426 Example:
428 $ firejail --dbus-user=filter --dbus-user.broadcast=\
429 org.freedesktop.Notifications=\
430 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
431 --dbus-user.call=name=[member][@path]
434 Allows the application to call the indicated interface member at
435 the indicated object path exposed by the indicated bus name on
436 the session DBus. The name may have a .* suffix to match all
437 names underneath it, including itself. The interface member may
438 have a .* to match all members of an interface, or be * to match
439 all interfaces. The path may have a /* suffix to indicate all
440 objects underneath it, including itself. Omitting the interface
441 member or the object path will match all members and object
442 paths, respectively.
443 Example:
445 $ firejail --dbus-user=filter --dbus-user.call=\
446 org.freedesktop.Notifications=\
447 org.freedesktop.Notifications.*@/org/freedesktop/Notifications
448 --dbus-user.log
451 Turn on DBus logging for the session DBus. This option requires
452 --dbus-user=filter.
453 Example:
455 $ firejail --dbus-user=filter --dbus-user.log
456 --dbus-user.own=name
459 Allows the application to own the specified well-known name on
460 the session DBus. The name may have a .* suffix to match all
461 names underneath it, including itself (e.g. "foo.bar.*" matches
462 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
463 bar").
464 Example:
466 $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
467 --dbus-user.talk=name
470 Allows the application to talk to the specified well-known name
471 on the session DBus. The name may have a .* suffix to match all
472 names underneath it, including itself (e.g. "foo.bar.*" matches
473 "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foo‐
474 bar").
475 Example:
477 $ firejail --dbus-user=filter --dbus-user.talk=\
478 org.freedesktop.Notifications
479 --dbus-user.see=name
482 Allows the application to see, but not talk to the specified
483 well-known name on the session DBus. The name may have a .*
484 suffix to match all names underneath it, including itself (e.g.
485 "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
486 "foo.bar.baz.quux", but not "foobar").
487 Example:
489 $ firejail --dbus-user=filter --dbus-user.see=\
490 org.freedesktop.Notifications
491 --debug
493 Print debug messages.
494 Example:
496 $ firejail --debug firefox
497 --debug-blacklists
500 Debug blacklisting.
501 Example:
503 $ firejail --debug-blacklists firefox
504 --debug-caps
507 Print all recognized capabilities in the current Firejail soft‐
508 ware build and exit.
509 Example:
511 $ firejail --debug-caps
512 --debug-errnos
515 Print all recognized error numbers in the current Firejail soft‐
516 ware build and exit.
517 Example:
519 $ firejail --debug-errnos
520 --debug-private-lib
522 Debug messages for --private-lib option.
523 --debug-protocols
525 Print all recognized protocols in the current Firejail software
526 build and exit.
527 Example:
529 $ firejail --debug-protocols
530 --debug-syscalls
532 Print all recognized system calls in the current Firejail soft‐
533 ware build and exit.
534 Example:
536 $ firejail --debug-syscalls
537 --debug-syscalls32
539 Print all recognized 32 bit system calls in the current Firejail
540 software build and exit.
541 --debug-whitelists
543 Debug whitelisting.
544 Example:
546 $ firejail --debug-whitelists firefox
547 --defaultgw=address
549 Use this address as default gateway in the new network name‐
550 space.
551 Example:
553 $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
554 --deterministic-exit-code
557 Always exit firejail with the first child's exit status. The de‐
558 fault behavior is to use the exit status of the final child to
559 exit, which can be nondeterministic.
560 --deterministic-shutdown
563 Always shut down the sandbox after the first child has termi‐
564 nated. The default behavior is to keep the sandbox alive as long
565 as it contains running processes.
566 --disable-mnt
569 Blacklist /mnt, /media, /run/mount and /run/media access.
570 Example:
572 $ firejail --disable-mnt firefox
573 --dns=address
576 Set a DNS server for the sandbox. Up to three DNS servers can be
577 defined. Use this option if you don't trust the DNS setup on
578 your network.
579 Example:
581 $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
582 Note: this feature is not supported on systemd-resolved setups.
584 --dns.print=name|pid
586 Print DNS configuration for a sandbox identified by name or by
587 PID.
588 Example:
590 $ firejail --name=mygame --caps.drop=all warzone2100 &
591 $ firejail --dns.print=mygame
592 Example:
594 $ firejail --list
595 3272:netblue::firejail --private firefox
596 $ firejail --dns.print=3272
597 --dnstrace[=name|pid]
600 Monitor DNS queries. The sandbox can be specified by name or
601 pid. Only networked sandboxes created with --net are supported.
602 This option is only available when running the sandbox as root.
603 Without a name/pid, Firejail will monitor the main system net‐
605 work namespace.
606 Example:
608 $ sudo firejail --dnstrace
609 11:31:43 9.9.9.9 linux.com (type 1)
610 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
611 11:31:45 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
612 11:31:45 9.9.9.9 www.linux.com (type 1)
613 11:31:45 9.9.9.9 fonts.googleapis.com (type 1) NXDOMAIN
614 11:31:52 9.9.9.9 js.hs-scripts.com (type 1) NXDOMAIN
615 11:32:05 9.9.9.9 secure.gravatar.com (type 1)
616 11:32:06 9.9.9.9 secure.gravatar.com (type 1)
617 11:32:08 9.9.9.9 taikai.network (type 1)
618 11:32:08 9.9.9.9 cdn.jsdelivr.net (type 1)
619 11:32:08 9.9.9.9 taikai.azureedge.net (type 1)
620 11:32:08 9.9.9.9 www.youtube.com (type 1)
621 --env=name=value
624 Set environment variable in the new sandbox.
625 Example:
627 $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
628 --fs.print=name|pid
631 Print the filesystem log for the sandbox identified by name or
632 by PID.
633 Example:
635 $ firejail --name=mygame --caps.drop=all warzone2100 &
636 $ firejail --fs.print=mygame
637 Example:
639 $ firejail --list
640 3272:netblue::firejail --private firefox
641 $ firejail --fs.print=3272
642 --get=name|pid filename
645 Get a file from sandbox container, see FILE TRANSFER section for
646 more details.
647 -?, --help
649 Print options end exit.
650 --hostname=name
654 Set sandbox hostname.
655 Example:
657 $ firejail --hostname=officepc firefox
658 --hosts-file=file
661 Use file as /etc/hosts.
662 Example:
664 $ firejail --hosts-file=~/myhosts firefox
665 --ignore=command
669 Ignore command in profile file.
670 Example:
672 $ firejail --ignore=seccomp --ignore=caps firefox
673 $ firejail --ignore="net eth0" firefox
674 --icmptrace[=name|pid]
677 Monitor ICMP traffic. The sandbox can be specified by name or
678 pid. Only networked sandboxes created with --net are supported.
679 This option is only available when running the sandbox as root.
680 Without a name/pid, Firejail will monitor the main system net‐
682 work namespace.
683 Example
685 $ sudo firejail --icmptrace
686 20:53:54 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐
687 quest/0
688 20:53:54 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐
689 ply/0
690 20:53:55 192.168.1.60 -> 142.250.65.174 - 98 bytes - Echo re‐
691 quest/0
692 20:53:55 142.250.65.174 -> 192.168.1.60 - 98 bytes - Echo re‐
693 ply/0
694 20:53:55 192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination un‐
695 reachable/Port unreachable
696 --include=file.profile
699 Include a profile file before the regular profiles are used.
700 Example:
702 $ firejail --include=/etc/firejail/disable-devel.inc gedit
703 --interface=interface
706 Move interface in a new network namespace. Up to four --inter‐
707 face options can be specified. Note: wlan devices are not sup‐
708 ported for this option.
709 Example:
711 $ firejail --interface=eth1 --interface=eth0.vlan100
712 --ip=address
715 Assign IP addresses to the last network interface defined by a
716 --net option. A default gateway is assigned by default.
717 Example:
719 $ firejail --net=eth0 --ip=10.10.20.56 firefox
720 --ip=none
723 No IP address and no default gateway are configured for the last
724 interface defined by a --net option. Use this option in case you
725 intend to start an external DHCP client in the sandbox.
726 Example:
728 $ firejail --net=eth0 --ip=none
729 If the corresponding interface doesn't have an IP address con‐
731 figured, this option is enabled by default.
732 --ip=dhcp
735 Acquire an IP address and default gateway for the last interface
736 defined by a --net option, as well as set the DNS servers ac‐
737 cording to the DHCP response. This option requires the ISC
738 dhclient DHCP client to be installed and will start it automati‐
739 cally inside the sandbox.
740 Example:
742 $ firejail --net=br0 --ip=dhcp
743 This option should not be used in conjunction with the --dns op‐
745 tion if the DHCP server is set to configure DNS servers for the
746 clients, because the manually specified DNS servers will be
747 overwritten.
748 The DHCP client will NOT release the DHCP lease when the sandbox
750 terminates. If your DHCP server requires leases to be explic‐
751 itly released, consider running a DHCP client and releasing the
752 lease manually in conjunction with the --net=none option.
753 --ip6=address
756 Assign IPv6 addresses to the last network interface defined by a
757 --net option.
758 Example:
760 $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
761 Note: you don't need this option if you obtain your ip6 address
763 from router via SLAAC (your ip6 address and default route will
764 be configured by kernel automatically).
765 --ip6=dhcp
768 Acquire an IPv6 address and default gateway for the last inter‐
769 face defined by a --net option, as well as set the DNS servers
770 according to the DHCP response. This option requires the ISC
771 dhclient DHCP client to be installed and will start it automati‐
772 cally inside the sandbox.
773 Example:
775 $ firejail --net=br0 --ip6=dhcp
776 This option should not be used in conjunction with the --dns op‐
778 tion if the DHCP server is set to configure DNS servers for the
779 clients, because the manually specified DNS servers will be
780 overwritten.
781 The DHCP client will NOT release the DHCP lease when the sandbox
783 terminates. If your DHCP server requires leases to be explic‐
784 itly released, consider running a DHCP client and releasing the
785 lease manually.
786 --iprange=address,address
789 Assign an IP address in the provided range to the last network
790 interface defined by a --net option. A default gateway is as‐
791 signed by default.
792 Example:
794 $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
795 --ipc-namespace
798 Enable a new IPC namespace if the sandbox was started as a regu‐
799 lar user. IPC namespace is enabled by default for sandboxes
800 started as root.
801 Example:
803 $ firejail --ipc-namespace firefox
804 --join=name|pid
806 Join the sandbox identified by name or by PID. By default a
807 /bin/bash shell is started after joining the sandbox. If a pro‐
808 gram is specified, the program is run in the sandbox. If --join
809 command is issued as a regular user, all security filters are
810 configured for the new process the same they are configured in
811 the sandbox. If --join command is issued as root, the security
812 filters and cpus configurations are not applied to the process
813 joining the sandbox.
814 Example:
816 $ firejail --name=mygame --caps.drop=all warzone2100 &
817 $ firejail --join=mygame
818 Example:
820 $ firejail --list
821 3272:netblue::firejail --private firefox
822 $ firejail --join=3272
823 --join-filesystem=name|pid
826 Join the mount namespace of the sandbox identified by name or
827 PID. By default a /bin/bash shell is started after joining the
828 sandbox. If a program is specified, the program is run in the
829 sandbox. This command is available only to root user. Security
830 filters and cpus configurations are not applied to the process
831 joining the sandbox.
832 --join-network=name|pid
834 Join the network namespace of the sandbox identified by name. By
835 default a /bin/bash shell is started after joining the sandbox.
836 If a program is specified, the program is run in the sandbox.
837 This command is available only to root user. Security filters
838 and cpus configurations are not applied to the process joining
839 the sandbox. Example:
840 # start firefox
842 $ firejail --net=eth0 --name=browser firefox &
843 # change netfilter configuration
845 $ sudo firejail --join-network=browser bash -c "cat /etc/fire‐
846 jail/nolocal.net | /sbin/iptables-restore"
847 # verify netfilter configuration
849 $ sudo firejail --join-network=browser /sbin/iptables -vL
850 # verify IP addresses
852 $ sudo firejail --join-network=browser ip addr
853 Switching to pid 1932, the first child process inside the sand‐
854 box
855 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UN‐
856 KNOWN group default
857 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
858 inet 127.0.0.1/8 scope host lo
859 valid_lft forever preferred_lft forever
860 inet6 ::1/128 scope host
861 valid_lft forever preferred_lft forever
862 2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
863 noqueue state UNKNOWN group default
864 link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
865 inet 192.168.1.158/24 brd 192.168.1.255 scope global
866 eth0-1931
867 valid_lft forever preferred_lft forever
868 inet6 fe80::7458:14ff:fe42:78e4/64 scope link
869 valid_lft forever preferred_lft forever
870 --join-or-start=name
872 Join the sandbox identified by name or start a new one. Same as
873 "firejail --join=name" if sandbox with specified name exists,
874 otherwise same as "firejail --name=name ..."
875 Note that in contrary to other join options there is respective
876 profile option.
877 --keep-config-pulse
880 Disable automatic ~/.config/pulse init, for complex setups such
881 as remote pulse servers or non-standard socket paths.
882 Example:
884 $ firejail --keep-config-pulse firefox
885 --keep-dev-shm
888 /dev/shm directory is untouched (even with --private-dev)
889 Example:
891 $ firejail --keep-dev-shm --private-dev
892 --keep-fd=all
895 Inherit all open file descriptors to the sandbox. By default
896 only file descriptors 0, 1 and 2 are inherited to the sandbox,
897 and all other file descriptors are closed.
898 Example:
900 $ firejail --keep-fd=all
901 --keep-fd=file_descriptor
904 Don't close specified open file descriptors. By default only
905 file descriptors 0, 1 and 2 are inherited to the sandbox, and
906 all other file descriptors are closed.
907 Example:
909 $ firejail --keep-fd=3,4,5
910 --keep-var-tmp
913 /var/tmp directory is untouched.
914 Example:
916 $ firejail --keep-var-tmp
917 --list List all sandboxes, see MONITORING section for more details.
920 Example:
922 $ firejail --list
923 7015:netblue:browser:firejail firefox
924 7056:netblue:torrent:firejail --net=eth0 transmission-gtk
925 7064:netblue::firejail --noroot xterm
926 --ls=name|pid dir_or_filename
928 List files in sandbox container, see FILE TRANSFER section for
929 more details.
930 --mac=address
932 Assign MAC addresses to the last network interface defined by a
933 --net option. This option is not supported for wireless inter‐
934 faces.
935 Example:
937 $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
938 --machine-id
940 Spoof id number in /etc/machine-id file - a new random id is
941 generated inside the sandbox. Note that this breaks audio sup‐
942 port. Enable it when sound is not required.
943 Example:
945 $ firejail --machine-id
946 --mkdir=dirname
949 Create a directory in user home. Parent directories are created
950 as needed.
951 Example:
953 $ firejail --mkdir=~/work/project
954 --mkfile=filename
957 Create an empty file in user home.
958 Example:
960 $ firejail --mkfile=~/work/project/readme
961 --memory-deny-write-execute
964 Install a seccomp filter to block attempts to create memory map‐
965 pings that are both writable and executable, to change mappings
966 to be executable, or to create executable shared memory. The
967 filter examines the arguments of mmap, mmap2, mprotect,
968 pkey_mprotect, memfd_create and shmat system calls and returns
969 error EPERM to the process (or kills it or log the attempt, see
970 --seccomp-error-action below) if necessary.
971 Note: shmat is not implemented as a system call on some plat‐
973 forms including i386, and it cannot be handled by seccomp-bpf.
974 --mtu=number
976 Assign a MTU value to the last network interface defined by a
977 --net option.
978 Example:
980 $ firejail --net=eth0 --mtu=1492
981 --name=name
983 Set sandbox name. Several options, such as --join and --shut‐
984 down, can use this name to identify a sandbox.
985 In case the name supplied by the user is already in use by an‐
987 other sandbox, Firejail will assign a new name as "name-PID",
988 where PID is the process ID of the sandbox. This functionality
989 can be disabled at run time in /etc/firejail/firejail.config
990 file, by setting "name-change" flag to "no".
991 Example:
993 $ firejail --name=browser firefox &
994 $ firejail --name=browser --private firefox --no-remote &
995 $ firejail --list
996 1198:netblue:browser:firejail --name=browser firefox
997 1312:netblue:browser-1312:firejail --name=browser --private
998 firefox --no-remote
999 --net=bridge_interface
1001 Enable a new network namespace and connect it to this bridge in‐
1002 terface. Unless specified with option --ip and --defaultgw, an
1003 IP address and a default gateway will be assigned automatically
1004 to the sandbox. The IP address is verified using ARP before as‐
1005 signment. The address configured as default gateway is the
1006 bridge device IP address. Up to four --net options can be speci‐
1007 fied.
1008 Example:
1010 $ sudo brctl addbr br0
1011 $ sudo ifconfig br0 10.10.20.1/24
1012 $ sudo brctl addbr br1
1013 $ sudo ifconfig br1 10.10.30.1/24
1014 $ firejail --net=br0 --net=br1
1015 --net=ethernet_interface|wireless_interface
1018 Enable a new network namespace and connect it to this ethernet
1019 interface using the standard Linux macvlan|ipvlan driver. Unless
1020 specified with option --ip and --defaultgw, an IP address and a
1021 default gateway will be assigned automatically to the sandbox.
1022 The IP address is verified using ARP before assignment. The ad‐
1023 dress configured as default gateway is the default gateway of
1024 the host. Up to four --net options can be specified. Support
1025 for ipvlan driver was introduced in Linux kernel 3.19.
1026 Example:
1028 $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
1029 $ firejail --net=wlan0 firefox
1030 --net=none
1032 Enable a new, unconnected network namespace. The only interface
1033 available in the new namespace is a new loopback interface (lo).
1034 Use this option to deny network access to programs that don't
1035 really need network access.
1036 Example:
1038 $ firejail --net=none vlc
1039 Note: --net=none can crash the application on some platforms.
1041 In these cases, it can be replaced with --protocol=unix.
1042 --net=tap_interface
1044 Enable a new network namespace and connect it to this ethernet
1045 tap interface using the standard Linux macvlan driver. If the
1046 tap interface is not configured, the sandbox will not try to
1047 configure the interface inside the sandbox. Please use --ip,
1048 --netmask and --defaultgw to specify the configuration.
1049 Example:
1051 $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
1052 --defaultgw=10.10.20.1 firefox
1053 --net.print=name|pid
1056 If a new network namespace is enabled, print network interface
1057 configuration for the sandbox specified by name or PID. Example:
1058 $ firejail --net.print=browser
1060 Switching to pid 1853, the first child process inside the sand‐
1061 box
1062 Interface MAC IP Mask Status
1063 lo 127.0.0.1 255.0.0.0 UP
1064 eth0-1852 5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
1065 --netfilter
1068 Enable a default firewall if a new network namespace is created
1069 inside the sandbox. This option has no effect for sandboxes us‐
1070 ing the system network namespace.
1071 The default firewall is optimized for regular desktop applica‐
1073 tions. No incoming connections are accepted:
1074 *filter
1076 :INPUT DROP [0:0]
1077 :FORWARD DROP [0:0]
1078 :OUTPUT ACCEPT [0:0]
1079 -A INPUT -i lo -j ACCEPT
1080 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1081 # allow ping
1082 -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
1083 -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
1084 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
1085 # drop STUN (WebRTC) requests
1086 -A OUTPUT -p udp --dport 3478 -j DROP
1087 -A OUTPUT -p udp --dport 3479 -j DROP
1088 -A OUTPUT -p tcp --dport 3478 -j DROP
1089 -A OUTPUT -p tcp --dport 3479 -j DROP
1090 COMMIT
1091 Example:
1093 $ firejail --net=eth0 --netfilter firefox
1094 --netfilter=filename
1096 Enable the firewall specified by filename if a new network name‐
1097 space is created inside the sandbox. This option has no effect
1098 for sandboxes using the system network namespace.
1099 Please use the regular iptables-save/iptables-restore format for
1101 the filter file. The following examples are available in
1102 /etc/firejail directory:
1103 webserver.net is a webserver firewall that allows access only to
1105 TCP ports 80 and 443. Example:
1106 $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
1108 /etc/init.d/apache2 start
1109 nolocal.net/nolocal6.net is a desktop client firewall that dis‐
1111 able access to local network. Example:
1112 $ firejail --netfilter=/etc/firejail/nolocal.net \
1114 --net=eth0 firefox
1115 --netfilter=filename,arg1,arg2,arg3 ...
1118 This is the template version of the previous command. $ARG1,
1119 $ARG2, $ARG3 ... in the firewall script are replaced with arg1,
1120 arg2, arg3 ... passed on the command line. Up to 16 arguments
1121 are supported. Example:
1122 $ firejail --net=eth0 --ip=192.168.1.105 \
1124 --netfilter=/etc/firejail/tcpserver.net,5001 server-program
1125 --netfilter.print=name|pid
1128 Print the firewall installed in the sandbox specified by name or
1129 PID. Example:
1130 $ firejail --name=browser --net=eth0 --netfilter firefox &
1132 $ firejail --netfilter.print=browser
1133 --netfilter6=filename
1136 Enable the IPv6 firewall specified by filename if a new network
1137 namespace is created inside the sandbox. This option has no ef‐
1138 fect for sandboxes using the system network namespace. Please
1139 use the regular iptables-save/iptables-restore format for the
1140 filter file.
1141 --netfilter6.print=name|pid
1144 Print the IPv6 firewall installed in the sandbox specified by
1145 name or PID. Example:
1146 $ firejail --name=browser --net=eth0 --netfilter firefox &
1148 $ firejail --netfilter6.print=browser
1149 --netlock
1152 Several type of programs (email clients, multiplayer games etc.)
1153 talk to a very small number of IP addresses. But the best exam‐
1154 ple is tor browser. It only talks to a guard node, and there are
1155 two or three more on standby in case the main one fails. During
1156 startup, the browser contacts all of them, after that it keeps
1157 talking to the main one... for weeks!
1158 Use the network locking feature to build and deploy a custom
1160 network firewall in your sandbox. The firewall allows only the
1161 traffic to the IP addresses detected during the program startup.
1162 Traffic to any other address is quietly dropped. By default the
1163 network monitoring time is one minute.
1164 A network namespace (--net=eth0) is required for this feature to
1166 work. Example:
1167 $ firejail --net=eth0 --netlock \
1169 --private=~/tor-browser_en-US ./start-tor-browser.desktop
1170 --netmask=address
1174 Use this option when you want to assign an IP address in a new
1175 namespace and the parent interface specified by --net is not
1176 configured. An IP address and a default gateway address also
1177 have to be added. By default the new namespace interface comes
1178 without IP address and default gateway configured. Example:
1179 $ sudo /sbin/brctl addbr br0
1181 $ sudo /sbin/ifconfig br0 up
1182 $ firejail --ip=10.10.20.67 --netmask=255.255.255.0 --de‐
1183 faultgw=10.10.20.1
1184 --netns=name
1187 Run the program in a named, persistent network namespace. These
1188 can be created and configured using "ip netns".
1189 --netstats
1192 Monitor network namespace statistics, see MONITORING section for
1193 more details.
1194 Example:
1196 $ firejail --netstats
1198 PID User RX(KB/s) TX(KB/s) Command
1199 1294 netblue 53.355 1.473 firejail --net=eth0 firefox
1200 7383 netblue 9.045 0.112 firejail --net=eth0 transmission
1201 --nettrace[=name|pid]
1203 Monitor received TCP. UDP, and ICMP traffic. The sandbox can be
1204 specified by name or pid. Only networked sandboxes created with
1205 --net are supported. This option is only available when running
1206 the sandbox as root.
1207 Without a name/pid, Firejail will monitor the main system net‐
1209 work namespace.
1210 Example:
1212 $ sudo firejail --nettrace
1213 95 KB/s geoip 457, IP database 4436
1214 52 KB/s *********** 64.222.84.207:443 United States
1215 33 KB/s ******* 89.147.74.105:63930 Hungary
1216 0 B/s 45.90.28.0:443 NextDNS
1217 0 B/s 94.70.122.176:52309(UDP) Greece
1218 339 B/s 104.26.7.35:443 Cloudflare
1219 If /usr/bin/geoiplookup is installed (geoip-bin package in De‐
1221 bian), the country the traffic originates from is added to the
1222 trace. We also use the static IP map in /usr/lib/fire‐
1223 jail/static-ip-map to print the domain names for some of the
1224 more common websites and cloud platforms. No external services
1225 are contacted for reverse IP lookup.
1226 --nice=value
1228 Set nice value for all processes running inside the sandbox.
1229 Only root may specify a negative value.
1230 Example:
1232 $ firejail --nice=2 firefox
1233 --no3d Disable 3D hardware acceleration.
1236 Example:
1238 $ firejail --no3d firefox
1239 --noautopulse (deprecated)
1242 See --keep-config-pulse.
1243 --noblacklist=dirname_or_filename
1246 Disable blacklist for this directory or file.
1247 Example:
1249 $ firejail
1250 $ nc dict.org 2628
1251 bash: /bin/nc: Permission denied
1252 $ exit
1253 $ firejail --noblacklist=/bin/nc
1255 $ nc dict.org 2628
1256 220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1257 --nodbus (deprecated)
1259 Disable D-Bus access (both system and session buses). Equivalent
1260 to --dbus-system=none --dbus-user=none.
1261 Example:
1263 $ firejail --nodbus --net=none
1264 --nodvd
1266 Disable DVD and audio CD devices.
1267 Example:
1269 $ firejail --nodvd
1270 --noinput
1272 Disable input devices.
1273 Example:
1275 $ firejail --noinput
1276 --noexec=dirname_or_filename
1278 Remount directory or file noexec, nodev and nosuid. File glob‐
1279 bing is supported, see FILE GLOBBING section for more details.
1280 Example:
1282 $ firejail --noexec=/tmp
1283 /etc and /var are noexec by default if the sandbox was started
1285 as a regular user.
1286 --nogroups
1289 Disable supplementary groups. Without this option, supplementary
1290 groups are enabled for the user starting the sandbox. For root
1291 user supplementary groups are always disabled.
1292 Note: By default all regular user groups are removed with the
1294 exception of the current user. This can be changed using --al‐
1295 lusers command option.
1296 Example:
1298 $ id
1299 uid=1000(netblue) gid=1000(netblue) groups=1000(net‐
1300 blue),24(cdrom),25(floppy),27(sudo),29(audio)
1301 $ firejail --nogroups
1302 Parent pid 8704, child pid 8705
1303 Child process initialized
1304 $ id
1305 uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
1306 $
1307 --nonewprivs
1310 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
1311 cannot acquire new privileges using execve(2); in particular,
1312 this means that calling a suid binary (or one with file capabil‐
1313 ities) does not result in an increase of privilege. This option
1314 is enabled by default if seccomp filter is activated.
1315 --noprinters
1318 Disable printers.
1319 --noprofile
1322 Do not use a security profile.
1323 Example:
1325 $ firejail
1326 Reading profile /etc/firejail/default.profile
1327 Parent pid 8553, child pid 8554
1328 Child process initialized
1329 [...]
1330 $ firejail --noprofile
1332 Parent pid 8553, child pid 8554
1333 Child process initialized
1334 [...]
1335 --noroot
1337 Install a user namespace with a single user - the current user.
1338 root user does not exist in the new namespace. This option re‐
1339 quires a Linux kernel version 3.8 or newer. The option is not
1340 supported for --chroot and --overlay configurations, or for
1341 sandboxes started as root.
1342 Example:
1344 $ firejail --noroot
1345 Parent pid 8553, child pid 8554
1346 Child process initialized
1347 $ ping google.com
1348 ping: icmp open socket: Operation not permitted
1349 $
1350 --nosound
1352 Disable sound system.
1353 Example:
1355 $ firejail --nosound firefox
1356 --notv Disable DVB (Digital Video Broadcasting) TV devices.
1359 Example:
1361 $ firejail --notv vlc
1362 --nou2f
1365 Disable U2F devices.
1366 Example:
1368 $ firejail --nou2f
1369 --novideo
1372 Disable video devices.
1373 --nowhitelist=dirname_or_filename
1376 Disable whitelist for this directory or file.
1377 --oom=value
1380 Configure kernel's OutOfMemory-killer score for this sandbox.
1381 The acceptable score values are between 0 and 1000 for regular
1382 users, and -1000 to 1000 for root. For more information on OOM
1383 kernel feature see man choom.
1384 Example:
1386 $ firejail --oom=300 firefox
1387 --output=logfile
1390 stdout logging and log rotation. Copy stdout to logfile, and
1391 keep the size of the file under 500KB using log rotation. Five
1392 files with prefixes .1 to .5 are used in rotation.
1393 Example:
1395 $ firejail --output=sandboxlog /bin/bash
1396 [...]
1397 $ ls -l sandboxlog*
1398 -rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog
1399 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1
1400 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2
1401 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3
1402 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4
1403 -rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5
1404 --output-stderr=logfile
1407 Similar to --output, but stderr is also stored.
1408 --private
1411 Mount new /root and /home/user directories in temporary filesys‐
1412 tems. All modifications are discarded when the sandbox is
1413 closed.
1414 Example:
1416 $ firejail --private firefox
1417 --private=directory
1420 Use directory as user home. --private and --private=directory
1421 cannot be used together.
1422 Example:
1424 $ firejail --private=/home/netblue/firefox-home firefox
1425 Bug: Even with this enabled, some commands (such as mkdir, mk‐
1427 file and private-cache) will still operate on the original home
1428 directory. Workaround: Disable the incompatible commands, such
1429 as by using "ignore mkdir" and "ignore mkfile". For details,
1430 see #903 ⟨https://github.com/netblue30/firejail/issues/903⟩
1431 --private-bin=file,file
1434 Build a new /bin in a temporary filesystem, and copy the pro‐
1435 grams in the list. The files in the list must be expressed as
1436 relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/lo‐
1437 cal/bin directories. If no listed files are found, /bin direc‐
1438 tory will be empty. The same directory is also bind-mounted
1439 over /sbin, /usr/bin, /usr/sbin and /usr/local/bin. All modifi‐
1440 cations are discarded when the sandbox is closed. Multiple pri‐
1441 vate-bin commands are allowed and they accumulate. File glob‐
1442 bing is supported, see FILE GLOBBING section for more details.
1443 Example:
1445 $ firejail --private-bin=bash,sed,ls,cat
1446 Parent pid 20841, child pid 20842
1447 Child process initialized
1448 $ ls /bin
1449 bash cat ls sed
1450 --private-cache
1453 Mount an empty temporary filesystem on top of the .cache direc‐
1454 tory in user home. All modifications are discarded when the
1455 sandbox is closed.
1456 Example:
1458 $ firejail --private-cache openbox
1459 --private-cwd
1462 Set working directory inside jail to the home directory, and
1463 failing that, the root directory. Does not impact working di‐
1464 rectory of profile include paths.
1465 Example:
1467 $ pwd
1468 /tmp
1469 $ firejail --private-cwd
1470 $ pwd
1471 /home/user
1472 --private-cwd=directory
1475 Set working directory inside the jail. Full directory path is
1476 required. Symbolic links are not allowed. Does not impact work‐
1477 ing directory of profile include paths.
1478 Example:
1480 $ pwd
1481 /tmp
1482 $ firejail --private-cwd=/opt
1483 $ pwd
1484 /opt
1485 --private-dev
1488 Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
1489 full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
1490 shm and usb devices are available. Use the options --no3d,
1491 --nodvd, --nosound, --notv, --nou2f and --novideo for additional
1492 restrictions.
1493 Example:
1495 $ firejail --private-dev
1496 Parent pid 9887, child pid 9888
1497 Child process initialized
1498 $ ls /dev
1499 cdrom cdrw dri dvd dvdrw full log null ptmx pts random
1500 shm snd sr0 tty urandom zero
1501 $
1502 --private-etc=file,directory
1504 Build a new /etc in a temporary filesystem, and copy the files
1505 and directories in the list. The files and directories in the
1506 list must be expressed as relative to the /etc directory (e.g.,
1507 /etc/foo must be expressed as foo). If no listed file is found,
1508 /etc directory will be empty. All modifications are discarded
1509 when the sandbox is closed. Multiple private-etc commands are
1510 allowed and they accumulate.
1511 Example:
1513 $ firejail --private-etc=group,hostname,localtime, \
1514 nsswitch.conf,passwd,resolv.conf
1515 --private-home=file,directory
1517 Build a new user home in a temporary filesystem, and copy the
1518 files and directories in the list in the new home. The files
1519 and directories in the list must be expressed as relative to the
1520 current user's home directory. All modifications are discarded
1521 when the sandbox is closed.
1522 Example:
1524 $ firejail --private-home=.mozilla firefox
1525 --private-lib=file,directory
1527 This feature is currently under heavy development. Only amd64
1528 platforms are supported at this moment. The files and directo‐
1529 ries in the list must be expressed as relative to the /lib di‐
1530 rectory. The idea is to build a new /lib in a temporary
1531 filesystem, with only the library files necessary to run the ap‐
1532 plication. It could be as simple as:
1533 $ firejail --private-lib galculator
1535 but it gets complicated really fast:
1537 $ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1539 gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1540 The feature is integrated with --private-bin:
1542 $ firejail --private-lib --private-bin=bash,ls,ps
1544 $ ls /lib
1545 ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsys‐
1546 temd.so.0
1547 libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1548 libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1549 libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1550 $ ps
1551 PID TTY TIME CMD
1552 1 pts/0 00:00:00 firejail
1553 45 pts/0 00:00:00 bash
1554 48 pts/0 00:00:00 ps
1555 $
1556 Note: Support for this command is controlled in firejail.config
1558 with the private-lib option.
1559 --private-opt=file,directory
1561 Build a new /opt in a temporary filesystem, and copy the files
1562 and directories in the list. The files and directories in the
1563 list must be expressed as relative to the /opt directory, and
1564 must not contain the / character (e.g., /opt/foo must be ex‐
1565 pressed as foo, but /opt/foo/bar -- expressed as foo/bar -- is
1566 disallowed). If no listed file is found, /opt directory will be
1567 empty. All modifications are discarded when the sandbox is
1568 closed.
1569 Example:
1571 $ firejail --private-opt=firefox /opt/firefox/firefox
1572 --private-srv=file,directory
1575 Build a new /srv in a temporary filesystem, and copy the files
1576 and directories in the list. The files and directories in the
1577 list must be expressed as relative to the /srv directory, and
1578 must not contain the / character (e.g., /srv/foo must be ex‐
1579 pressed as foo, but /srv/foo/bar -- expressed as srv/bar -- is
1580 disallowed). If no listed file is found, /srv directory will be
1581 empty. All modifications are discarded when the sandbox is
1582 closed.
1583 Example:
1585 # firejail --private-srv=www /etc/init.d/apache2 start
1586 --private-tmp
1589 Mount an empty temporary filesystem on top of /tmp directory
1590 whitelisting X11 and PulseAudio sockets.
1591 Example:
1593 $ firejail --private-tmp
1594 $ ls -al /tmp
1595 drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
1596 drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1597 drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKd‐
1598 htXMmr18n
1599 drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1600 --profile=filename_or_profilename
1603 Load a custom security profile from filename. For filename use
1604 an absolute path or a path relative to the current path. For
1605 more information, see SECURITY PROFILES section below.
1606 Example:
1608 $ firejail --profile=myprofile
1609 --profile.print=name|pid
1612 Print the name of the profile file for the sandbox identified by
1613 name or or PID.
1614 Example:
1616 $ firejail --profile.print=browser
1617 /etc/firejail/firefox.profile
1618 --protocol=protocol,protocol,protocol
1620 Enable protocol filter. The filter is based on seccomp and
1621 checks the first argument to socket system call. Recognized
1622 values: unix, inet, inet6, netlink, packet, and bluetooth. This
1623 option is not supported for i386 architecture. Multiple proto‐
1624 col commands are allowed and they accumulate.
1625 Example:
1627 $ firejail --protocol=unix,inet,inet6 firefox
1628 --protocol.print=name|pid
1630 Print the protocol filter for the sandbox identified by name or
1631 PID.
1632 Example:
1634 $ firejail --name=mybrowser firefox &
1635 $ firejail --protocol.print=mybrowser
1636 unix,inet,inet6,netlink
1637 Example:
1639 $ firejail --list
1640 3272:netblue::firejail --private firefox
1641 $ firejail --protocol.print=3272
1642 unix,inet,inet6,netlink
1643 --put=name|pid src-filename dest-filename
1645 Put a file in sandbox container, see FILE TRANSFER section for
1646 more details.
1647 --quiet
1649 Turn off Firejail's output.
1650 The same effect can be obtained by setting an environment vari‐
1652 able FIREJAIL_QUIET to yes.
1653 --read-only=dirname_or_filename
1655 Set directory or file read-only. File globbing is supported, see
1656 FILE GLOBBING section for more details.
1657 Example:
1659 $ firejail --read-only=~/.mozilla firefox
1660 --read-write=dirname_or_filename
1662 Set directory or file read-write. Only files or directories be‐
1663 longing to the current user are allowed for this operation. File
1664 globbing is supported, see FILE GLOBBING section for more de‐
1665 tails. Example:
1666 $ mkdir ~/test
1668 $ touch ~/test/a
1669 $ firejail --read-only=~/test --read-write=~/test/a
1670 --restrict-namespaces
1674 Install a seccomp filter that blocks attempts to create new
1675 cgroup, ipc, net, mount, pid, time, user or uts namespaces.
1676 Example:
1678 $ firejail --restrict-namespaces
1679 --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
1682 Install a seccomp filter that blocks attempts to create any of
1683 the specified namespaces. The filter examines the arguments of
1684 clone, unshare and setns system calls and returns error EPERM to
1685 the process (or kills it or logs the attempt, see --seccomp-er‐
1686 ror-action below) if necessary. Note that the filter is not able
1687 to examine the arguments of clone3 system calls, and always re‐
1688 sponds to these calls with error ENOSYS.
1689 Example:
1691 $ firejail --restrict-namespaces=user,net
1692 --rlimit-as=number
1695 Set the maximum size of the process's virtual memory (address
1696 space) in bytes. Use k(ilobyte), m(egabyte) or g(igabyte) for
1697 size suffix (base 1024).
1698 --rlimit-cpu=number
1701 Set the maximum limit, in seconds, for the amount of CPU time
1702 each sandboxed process can consume. When the limit is reached,
1703 the processes are killed.
1704 The CPU limit is a limit on CPU seconds rather than elapsed
1706 time. CPU seconds is basically how many seconds the CPU has been
1707 in use and does not necessarily directly relate to the elapsed
1708 time. Linux kernel keeps track of CPU seconds for each process
1709 independently.
1710 --rlimit-fsize=number
1713 Set the maximum file size that can be created by a process. Use
1714 k(ilobyte), m(egabyte) or g(igabyte) for size suffix (base
1715 1024).
1716 --rlimit-nofile=number
1718 Set the maximum number of files that can be opened by a process.
1719 --rlimit-nproc=number
1721 Set the maximum number of processes that can be created for the
1722 real user ID of the calling process.
1723 --rlimit-sigpending=number
1725 Set the maximum number of pending signals for a process.
1726 --rmenv=name
1729 Remove environment variable in the new sandbox.
1730 Example:
1732 $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1733 --scan ARP-scan all the networks from inside a network namespace. This
1735 makes it possible to detect macvlan kernel device drivers run‐
1736 ning on the current host.
1737 Example:
1739 $ firejail --net=eth0 --scan
1740 --seccomp
1742 Enable seccomp filter and blacklist the syscalls in the default
1743 list, which is @default-nodebuggers unless --allow-debuggers is
1744 specified, then it is @default.
1745 To help creating useful seccomp filters more easily, the follow‐
1747 ing system call groups are defined: @aio, @basic-io, @chown,
1748 @clock, @cpu-emulation, @debug, @default, @default-nodebuggers,
1749 @default-keep, @file-system, @io-event, @ipc, @keyring, @mem‐
1750 lock, @module, @mount, @network-io, @obsolete, @privileged,
1751 @process, @raw-io, @reboot, @resources, @setuid, @swap, @sync,
1752 @system-service and @timer. More information about groups can
1753 be found in /usr/share/doc/firejail/syscalls.txt
1754 The default list can be customized, see --seccomp= for a de‐
1756 scription. It can be customized also globally in /etc/fire‐
1757 jail/firejail.config file.
1758 System architecture is strictly imposed only if flag --sec‐
1760 comp.block-secondary is used. The filter is applied at run time
1761 only if the correct architecture was detected. For the case of
1762 I386 and AMD64 both 32-bit and 64-bit filters are installed.
1763 Firejail will print seccomp violations to the audit log if the
1765 kernel was compiled with audit support (CONFIG_AUDIT flag).
1766 Example:
1768 $ firejail --seccomp
1769 --seccomp=syscall,@group,!syscall2
1773 Enable seccomp filter, blacklist the default list and the
1774 syscalls or syscall groups specified by the command, but don't
1775 blacklist "syscall2". On a 64 bit architecture, an additional
1776 filter for 32 bit system calls can be installed with --sec‐
1777 comp.32.
1778 Example:
1780 $ firejail --seccomp=utime,utimensat,utimes firefox
1781 $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1782 $ firejail '--seccomp=@ipc,!pipe,!pipe2' audacious
1783 Syscalls can be specified by their number if prefix $ is added,
1785 so for example $165 would be equal to mount on i386.
1786 Instead of dropping the syscall by returning EPERM, another er‐
1788 ror number can be returned using syscall:errno syntax. This can
1789 be also changed globally with --seccomp-error-action or in
1790 /etc/firejail/firejail.config file. The process can also be
1791 killed by using syscall:kill syntax, or the attempt may be
1792 logged with syscall:log.
1793 Example:
1795 $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1796 Parent pid 10662, child pid 10663
1797 Child process initialized
1798 $ touch testfile
1799 $ ls testfile
1800 testfile
1801 $ rm testfile
1802 rm: cannot remove `testfile': No such file or directory
1803 If the blocked system calls would also block Firejail from oper‐
1805 ating, they are handled by adding a preloaded library which per‐
1806 forms seccomp system calls later. However, this is incompatible
1807 with 32 bit seccomp filters.
1808 Example:
1810 $ firejail --noprofile --seccomp=execve sh
1811 Parent pid 32751, child pid 32752
1812 Post-exec seccomp protector enabled
1813 list in: execve, check list: @default-keep prelist: (null),
1814 postlist: execve
1815 Child process initialized in 46.44 ms
1816 $ ls
1817 Operation not permitted
1818 --seccomp.block-secondary
1821 Enable seccomp filter and filter system call architectures so
1822 that only the native architecture is allowed. For example, on
1823 amd64, i386 and x32 system calls are blocked as well as changing
1824 the execution domain with personality(2) system call.
1825 --seccomp.drop=syscall,@group
1828 Enable seccomp filter, and blacklist the syscalls or the syscall
1829 groups specified by the command. On a 64 bit architecture, an
1830 additional filter for 32 bit system calls can be installed with
1831 --seccomp.32.drop.
1832 Example:
1834 $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1835 Instead of dropping the syscall by returning EPERM, another er‐
1837 ror number can be returned using syscall:errno syntax. This can
1838 be also changed globally with --seccomp-error-action or in
1839 /etc/firejail/firejail.config file. The process can also be
1840 killed by using syscall:kill syntax, or the attempt may be
1841 logged with syscall:log.
1842 Example:
1844 $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1845 Parent pid 10662, child pid 10663
1846 Child process initialized
1847 $ touch testfile
1848 $ ls testfile
1849 testfile
1850 $ rm testfile
1851 rm: cannot remove `testfile': No such file or directory
1852 --seccomp.keep=syscall,@group,!syscall2
1855 Enable seccomp filter, blacklist all syscall not listed and
1856 "syscall2". The system calls needed by Firejail (group @de‐
1857 fault-keep: prctl, execve, execveat) are handled with the
1858 preload library. On a 64 bit architecture, an additional filter
1859 for 32 bit system calls can be installed with --seccomp.32.keep.
1860 Example:
1862 $ firejail --seccomp.keep=poll,select,[...] transmission-gtk
1863 --seccomp.print=name|pid
1866 Print the seccomp filter for the sandbox identified by name or
1867 PID.
1868 Example:
1870 $ firejail --name=browser firefox &
1871 $ firejail --seccomp.print=browser
1872 line OP JT JF K
1873 =================================
1874 0000: 20 00 00 00000004 ld data.architecture
1875 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
1876 0002: 06 00 00 7fff0000 ret ALLOW
1877 0003: 20 00 00 00000000 ld data.syscall-number
1878 0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
1879 0005: 35 01 00 00000000 jge read 0007 (false 0006)
1880 0006: 06 00 00 00050001 ret ERRNO(1)
1881 0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
1882 0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
1883 0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
1884 000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false
1885 000b)
1886 000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
1887 000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
1888 000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
1889 000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
1890 000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
1891 0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
1892 0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
1893 0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
1894 0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
1895 0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
1896 0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
1897 0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
1898 0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
1899 0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
1900 0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
1901 001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
1902 001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
1903 001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
1904 001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
1905 001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
1906 001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
1907 0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
1908 0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
1909 0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
1910 0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
1911 0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
1912 0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
1913 0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
1914 0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
1915 0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
1916 0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
1917 002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
1918 002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
1919 002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
1920 002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
1921 002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
1922 002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
1923 0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
1924 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
1925 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
1926 0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
1927 0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false
1928 0035)
1929 0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false
1930 0036)
1931 0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
1932 0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
1933 0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
1934 0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
1935 003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
1936 003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
1937 003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
1938 003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
1939 003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
1940 003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
1941 0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
1942 0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
1943 0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false
1944 0043)
1945 0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
1946 0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
1947 0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
1948 0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
1949 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false
1950 0048)
1951 0048: 06 00 00 7fff0000 ret ALLOW
1952 0049: 06 00 01 00000000 ret KILL
1953 $
1954 --seccomp-error-action= kill | ERRNO | log
1957 By default, if a seccomp filter blocks a system call, the
1958 process gets EPERM as the error. With --seccomp-error-action=er‐
1959 ror, another error number can be returned, for example ENOSYS or
1960 EACCES. The process can also be killed (like in versions <0.9.63
1961 of Firejail) by using --seccomp-error-action=kill syntax, or the
1962 attempt may be logged with --seccomp-error-action=log. Not
1963 killing the process weakens Firejail slightly when trying to
1964 contain intrusion, but it may also allow tighter filters if the
1965 only alternative is to allow a system call.
1966 --shutdown=name|pid
1969 Shutdown the sandbox identified by name or PID.
1970 Example:
1972 $ firejail --name=mygame --caps.drop=all warzone2100 &
1973 $ firejail --shutdown=mygame
1974 Example:
1976 $ firejail --list
1977 3272:netblue::firejail --private firefox
1978 $ firejail --shutdown=3272
1979 --snitrace[=name|pid]
1982 Monitor Server Name Indication (TLS/SNI). The sandbox can be
1983 specified by name or pid. Only networked sandboxes created with
1984 --net are supported. This option is only available when running
1985 the sandbox as root.
1986 Without a name/pid, Firejail will monitor the main system net‐
1988 work namespace.
1989 Example:
1991 $ sudo firejail --snitrace
1992 07:49:51 23.185.0.3 linux.com
1993 07:49:51 23.185.0.3 www.linux.com
1994 07:50:05 192.0.73.2 secure.gravatar.com
1995 07:52:35 172.67.68.93 www.howtoforge.com
1996 07:52:37 13.225.103.59 sf.ezoiccdn.com
1997 07:52:42 142.250.176.3 www.gstatic.com
1998 07:53:03 173.236.250.32 www.linuxlinks.com
1999 07:53:05 192.0.77.37 c0.wp.com
2000 07:53:08 192.0.78.32 jetpack.wordpress.com
2001 07:53:09 192.0.77.32 s0.wp.com
2002 07:53:09 192.0.77.2 i0.wp.com
2003 07:53:10 192.0.77.2 i0.wp.com
2004 07:53:11 192.0.73.2 1.gravatar.com
2005 --tab Enable shell tab completion in sandboxes using private or
2008 whitelisted home directories.
2009 $ firejail --private --tab
2011 --timeout=hh:mm:ss
2013 Kill the sandbox automatically after the time has elapsed. The
2014 time is specified in hours/minutes/seconds format.
2015 $ firejail --timeout=01:30:00 firefox
2017 --tmpfs=dirname
2019 Mount a writable tmpfs filesystem on directory dirname. Directo‐
2020 ries outside user home or not owned by the user are not allowed.
2021 Sandboxes running as root are exempt from these restrictions.
2022 File globbing is supported, see FILE GLOBBING section for more
2023 details.
2024 Example:
2026 $ firejail --tmpfs=~/.local/share
2027 --top Monitor the most CPU-intensive sandboxes, see MONITORING section
2029 for more details.
2030 Example:
2032 $ firejail --top
2033 --trace[=filename]
2035 Trace open, access and connect system calls. If filename is
2036 specified, log trace output to filename, otherwise log to con‐
2037 sole.
2038 Example:
2040 $ firejail --trace wget -q www.debian.org
2041 Reading profile /etc/firejail/wget.profile
2042 3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
2043 3:wget:fopen /etc/hosts:0x5c8e8cfb70
2044 3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
2045 3:wget:connect 3 8.8.8.8 port 53:0
2046 3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
2047 3:wget:connect 3 130.89.148.14 port 80:0
2048 3:wget:fopen64 index.html:0x5c8e8d1a60
2049 parent is shutting down, bye...
2051 --tracelog
2053 This option enables auditing blacklisted files and directories.
2054 A message is sent to syslog in case the file or the directory is
2055 accessed.
2056 Example:
2058 $ firejail --tracelog firefox
2059 Sample messages:
2061 $ sudo tail -f /var/log/syslog
2062 [...]
2063 Dec 3 11:43:25 debian firejail[70]: blacklist violation - sand‐
2064 box 26370, exe firefox, syscall open64, path /etc/shadow
2065 Dec 3 11:46:17 debian firejail[70]: blacklist violation - sand‐
2066 box 26370, exe firefox, syscall opendir, path /boot
2067 [...]
2068 Note: Support for this command is controlled in firejail.config
2070 with the tracelog option.
2071 --tree Print a tree of all sandboxed processes, see MONITORING section
2073 for more details.
2074 Example:
2076 $ firejail --tree
2077 11903:netblue:firejail iceweasel
2078 11904:netblue:iceweasel
2079 11957:netblue:/usr/lib/iceweasel/plugin-container
2080 11969:netblue:firejail --net=eth0 transmission-gtk
2081 11970:netblue:transmission-gtk
2082 --version
2085 Print program version/compile time support and exit.
2086 Example:
2088 $ firejail --version
2089 firejail version 0.9.27
2090 Compile time support:
2092 - AppArmor support is enabled
2093 - AppImage support is enabled
2094 - chroot support is enabled
2095 - file and directory whitelisting support is enabled
2096 - file transfer support is enabled
2097 - firetunnel support is enabled
2098 - networking support is enabled
2099 - overlayfs support is enabled
2100 - private-home support is enabled
2101 - seccomp-bpf support is enabled
2102 - user namespace support is enabled
2103 - X11 sandboxing support is enabled
2104 --veth-name=name
2106 Use this name for the interface connected to the bridge for
2107 --net=bridge_interface commands, instead of the default one.
2108 Example:
2110 $ firejail --net=br0 --veth-name=if0
2111 --whitelist=dirname_or_filename
2113 Whitelist directory or file. A temporary file system is mounted
2114 on the top directory, and the whitelisted files are mount-binded
2115 inside. Modifications to whitelisted files are persistent, ev‐
2116 erything else is discarded when the sandbox is closed. The top
2117 directory can be all directories in / (except /proc and /sys),
2118 /sys/module, /run/user/$UID, $HOME and all directories in /usr.
2119 Symbolic link handling: Whitelisting a path that is a symbolic
2121 link will also whitelist the path that it points to. For exam‐
2122 ple, if ~/foo is whitelisted and it points to ~/bar, then ~/bar
2123 will also be whitelisted. Restrictions: With the exception of
2124 the user home directory, both the link and the real file should
2125 be in the same top directory. For symbolic links in the user
2126 home directory, both the link and the real file should be owned
2127 by the user.
2128 File globbing is supported, see FILE GLOBBING section for more
2130 details.
2131 Example:
2133 $ firejail --noprofile --whitelist=~/.mozilla
2134 $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
2135 $ firejail "--whitelist=/home/username/My Virtual Machines"
2136 $ firejail --whitelist=~/work* --whitelist=/var/backups*
2137 --writable-etc
2140 Mount /etc directory read-write.
2141 Example:
2143 $ sudo firejail --writable-etc
2144 --writable-run-user
2147 Disable the default blacklisting of /run/user/$UID/systemd and
2148 /run/user/$UID/gnupg.
2149 Example:
2151 $ sudo firejail --writable-run-user
2152 --writable-var
2155 Mount /var directory read-write.
2156 Example:
2158 $ sudo firejail --writable-var
2159 --writable-var-log
2162 Use the real /var/log directory, not a clone. By default, a
2163 tmpfs is mounted on top of /var/log directory, and a skeleton
2164 filesystem is created based on the original /var/log.
2165 Example:
2167 $ sudo firejail --writable-var-log
2168 --x11 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg secu‐
2171 rity extension. The sandbox will prevent screenshot and keylog‐
2172 ger applications started inside the sandbox from accessing
2173 clients running outside the sandbox. Firejail will try Xpra
2174 first, and if Xpra is not installed on the system, it will try
2175 to find Xephyr. If all fails, Firejail will not attempt to use
2176 Xvfb or X11 security extension.
2177 Xpra, Xephyr and Xvfb modes require a network namespace to be
2179 instantiated in order to disable X11 abstract Unix socket. If
2180 this is not possible, the user can disable the abstract socket
2181 by adding "-nolisten local" on Xorg command line at system
2182 level.
2183 Example:
2185 $ firejail --x11 --net=eth0 firefox
2186 --x11=none
2189 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and the
2190 file specified in ${XAUTHORITY} environment variable. Remove
2191 DISPLAY and XAUTHORITY environment variables. Stop with error
2192 message if X11 abstract socket will be accessible in jail.
2193 --x11=xephyr
2196 Start Xephyr and attach the sandbox to this server. Xephyr is a
2197 display server implementing the X11 display server protocol. A
2198 network namespace needs to be instantiated in order to deny ac‐
2199 cess to X11 abstract Unix domain socket.
2200 Xephyr runs in a window just like any other X11 application. The
2202 default window size is 800x600. This can be modified in
2203 /etc/firejail/firejail.config file.
2204 The recommended way to use this feature is to run a window man‐
2206 ager inside the sandbox. A security profile for OpenBox is pro‐
2207 vided.
2208 Xephyr is developed by Xorg project. On Debian platforms it is
2210 installed with the command sudo apt-get install xserver-xephyr.
2211 This feature is not available when running as root.
2212 Example:
2214 $ firejail --x11=xephyr --net=eth0 openbox
2215 --x11=xorg
2218 Sandbox the application using the untrusted mode implemented by
2219 X11 security extension. The extension is available in Xorg
2220 package and it is installed by default on most Linux distribu‐
2221 tions. It provides support for a simple trusted/untrusted con‐
2222 nection model. Untrusted clients are restricted in certain ways
2223 to prevent them from reading window contents of other clients,
2224 stealing input events, etc.
2225 The untrusted mode has several limitations. A lot of regular
2227 programs assume they are a trusted X11 clients and will crash or
2228 lock up when run in untrusted mode. Chromium browser and xterm
2229 are two examples. Firefox and transmission-gtk seem to be work‐
2230 ing fine. A network namespace is not required for this option.
2231 Example:
2233 $ firejail --x11=xorg firefox
2234 --x11=xpra
2237 Start Xpra (https://xpra.org) and attach the sandbox to this
2238 server. Xpra is a persistent remote display server and client
2239 for forwarding X11 applications and desktop screens. A network
2240 namespace needs to be instantiated in order to deny access to
2241 X11 abstract Unix domain socket.
2242 On Debian platforms Xpra is installed with the command sudo apt-
2244 get install xpra. This feature is not available when running as
2245 root.
2246 Example:
2248 $ firejail --x11=xpra --net=eth0 firefox
2249 --x11=xvfb
2253 Start Xvfb X11 server and attach the sandbox to this server.
2254 Xvfb, short for X virtual framebuffer, performs all graphical
2255 operations in memory without showing any screen output. Xvfb is
2256 mainly used for remote access and software testing on headless
2257 servers.
2258 On Debian platforms Xvfb is installed with the command sudo apt-
2260 get install xvfb. This feature is not available when running as
2261 root.
2262 Example: remote VNC access
2264 On the server we start a sandbox using Xvfb and openbox window
2266 manager. The default size of Xvfb screen is 800x600 - it can be
2267 changed in /etc/firejail/firejail.config (xvfb-screen). Some
2268 sort of networking (--net) is required in order to isolate the
2269 abstract sockets used by other X servers.
2270 $ firejail --net=none --x11=xvfb openbox
2272 *** Attaching to Xvfb display 792 ***
2274 Reading profile /etc/firejail/openbox.profile
2276 Reading profile /etc/firejail/disable-common.inc
2277 Reading profile /etc/firejail/disable-common.local
2278 Parent pid 5400, child pid 5401
2279 On the server we also start a VNC server and attach it to the
2281 display handled by our Xvfb server (792).
2282 $ x11vnc -display :792
2284 On the client machine we start a VNC viewer and use it to con‐
2286 nect to our server:
2287 $ vncviewer
2289 --xephyr-screen=WIDTHxHEIGHT
2292 Set screen size for --x11=xephyr. The setting will overwrite the
2293 default set in /etc/firejail/firejail.config for the current
2294 sandbox. Run xrandr to get a list of supported resolutions on
2295 your computer.
2296 Example:
2298 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
2299 fox
2300
2303 A symbolic link to /usr/bin/firejail under the name of a program, will
2304 start the program in Firejail sandbox. The symbolic link should be
2305 placed in the first $PATH position. On most systems, a good place is
2306 /usr/local/bin directory. Example:
2307 Make a firefox symlink to /usr/bin/firejail:
2309 $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
2311 Verify $PATH
2313 $ which -a firefox
2315 /usr/local/bin/firefox
2316 /usr/bin/firefox
2317 Starting firefox in this moment, automatically invokes “firejail
2319 firefox”.
2320 This works for clicking on desktop environment icons, menus etc. Use
2322 "firejail --tree" to verify the program is sandboxed.
2323 $ firejail --tree
2325 1189:netblue:firejail firefox
2326 1190:netblue:firejail firefox
2327 1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
2328 1221:netblue:/usr/lib/firefox/firefox
2329 We provide a tool that automates all this integration, please see
2331 firecfg(1) for more details.
2332
2335 firejail
2336 Sandbox a regular shell session.
2337 firejail firefox
2339 Start Mozilla Firefox.
2340 firejail --debug firefox
2342 Debug Firefox sandbox.
2343 firejail --private firefox
2345 Start Firefox with a new, empty home directory.
2346 firejail --net=none vlc
2348 Start VLC in an unconnected network namespace.
2349 firejail --net=eth0 firefox
2351 Start Firefox in a new network namespace. An IP address is as‐
2352 signed automatically.
2353 firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2355 Start a shell session in a new network namespace and connect it
2356 to br0, br1, and br2 host bridge devices. IP addresses are as‐
2357 signed automatically for the interfaces connected to br1 and b2
2358 firejail --list
2360 List all sandboxed processes.
2361
2364 Globbing is the operation that expands a wildcard pattern into the
2365 list of pathnames matching the pattern. This pattern is matched
2366 at firejail start, and is NOT UPDATED at runtime. Files match‐
2367 ing a blacklist, but created after firejail start will be acces‐
2368 sible within the jail. Matching is defined by:
2369 - '?' matches any character
2371 - '*' matches any string
2372 - '[' denotes a range of characters
2373 The globbing feature is implemented using glibc glob command. For
2375 more information on the wildcard syntax see man 7 glob.
2376 The following command line options are supported: --blacklist,
2379 --private-bin, --noexec, --read-only, --read-write, --tmpfs, and
2380 --whitelist.
2381 Examples:
2384 $ firejail --private-bin=sh,bash,python*
2386 $ firejail --blacklist=~/dir[1234]
2387 $ firejail --read-only=~/dir[1-4]
2388
2391 These features allow the user to inspect the filesystem container of an
2392 existing sandbox and transfer files between the container and the host
2393 filesystem.
2394 --cat=name|pid filename
2397 Write content of a container file to standard out. The container
2398 is specified by name or PID. If standard out is a terminal, all
2399 ASCII control characters except new line and horizontal tab are
2400 replaced.
2401 --get=name|pid filename
2404 Retrieve the container file and store it on the host in the cur‐
2405 rent working directory. The container is specified by name or
2406 PID.
2407 --ls=name|pid dir_or_filename
2410 List container files. The container is specified by name or PID.
2411 --put=name|pid src-filename dest-filename
2414 Put src-filename in sandbox container. The container is speci‐
2415 fied by name or PID.
2416 Examples:
2419 $ firejail --name=mybrowser --private firefox
2421 $ firejail --ls=mybrowser ~/Downloads
2423 drwxr-xr-x netblue netblue 4096 .
2424 drwxr-xr-x netblue netblue 4096 ..
2425 -rw-r--r-- netblue netblue 7847 x11-x305.png
2426 -rw-r--r-- netblue netblue 6800 x11-x642.png
2427 -rw-r--r-- netblue netblue 34139 xpra-clipboard.png
2428 $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
2430 $ firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-
2432 clipboard.png
2433 $ firejail --cat=mybrowser ~/.bashrc
2435
2439 Option --list prints a list of all sandboxes. The format for each
2440 process entry is as follows:
2441 PID:USER:Sandbox Name:Command
2443 Option --tree prints the tree of processes running in the sandbox. The
2445 format for each process entry is as follows:
2446 PID:USER:Sandbox Name:Command
2448 Option --top is similar to the UNIX top command, however it applies
2450 only to sandboxes.
2451 Option --netstats prints network statistics for active sandboxes in‐
2453 stalling new network namespaces.
2454 Listed below are the available fields (columns) in alphabetical order
2456 for --top and --netstats options:
2457 Command
2460 Command used to start the sandbox.
2461 CPU% CPU usage, the sandbox share of the elapsed CPU time since the
2463 last screen update
2464 PID Unique process ID for the task controlling the sandbox.
2466 Prcs Number of processes running in sandbox, including the control‐
2468 ling process.
2469 RES Resident Memory Size (KiB), sandbox non-swapped physical memory.
2471 It is a sum of the RES values for all processes running in the
2472 sandbox.
2473 RX(KB/s)
2475 Network receive speed.
2476 Sandbox Name
2478 The name of the sandbox, if any.
2479 SHR Shared Memory Size (KiB), it reflects memory shared with other
2481 processes. It is a sum of the SHR values for all processes run‐
2482 ning in the sandbox, including the controlling process.
2483 TX(KB/s)
2485 Network transmit speed.
2486 Uptime Sandbox running time in hours:minutes:seconds format.
2488 USER The owner of the sandbox.
2490
2493 To configure a restricted shell, replace /bin/bash with /usr/bin/fire‐
2494 jail in /etc/passwd file for each user that needs to be restricted. Al‐
2495 ternatively, you can specify /usr/bin/firejail in adduser command:
2496 adduser --shell /usr/bin/firejail username
2498 Additional arguments passed to firejail executable upon login are de‐
2500 clared in /etc/firejail/login.users file.
2501
2504 Several command line options can be passed to the program using profile
2505 files. Firejail chooses the profile file as follows:
2506 1. If a profile file is provided by the user with --profile=FILE op‐
2508 tion, the profile FILE is loaded. If a profile name is given, it is
2509 searched for first in the ~/.config/firejail directory and if not found
2510 then in /etc/firejail directory. Profile names do not include the .pro‐
2511 file suffix. If there is a file with the same name as the given profile
2512 name, it will be used instead of doing the profile search. To force a
2513 profile search, prefix the profile name with a colon (:), eg. --pro‐
2514 file=:PROFILE_NAME. Example:
2515 $ firejail --profile=/home/netblue/icecat.profile icecat
2517 Reading profile /home/netblue/icecat.profile
2518 [...]
2519 $ firejail --profile=icecat icecat-wrapper.sh
2522 Reading profile /etc/firejail/icecat.profile
2523 [...]
2524 2. If a profile file with the same name as the application is present
2526 in ~/.config/firejail directory or in /etc/firejail, the profile is
2527 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
2528 ple:
2529 $ firejail icecat
2531 Command name #icecat#
2532 Found icecat profile in /home/netblue/.config/firejail directory
2533 Reading profile /home/netblue/.config/firejail/icecat.profile
2534 [...]
2535 3. Use default.profile file if the sandbox is started by a regular
2537 user, or server.profile file if the sandbox is started by root. Fire‐
2538 jail looks for these files in ~/.config/firejail directory, followed by
2539 /etc/firejail directory. To disable default profile loading, use --no‐
2540 profile command option. Example:
2541 $ firejail
2543 Reading profile /etc/firejail/default.profile
2544 Parent pid 8553, child pid 8554
2545 Child process initialized
2546 [...]
2547 $ firejail --noprofile
2549 Parent pid 8553, child pid 8554
2550 Child process initialized
2551 [...]
2552 See man 5 firejail-profile for profile file syntax information.
2554
2556 Network bandwidth is an expensive resource shared among all sandboxes
2557 running on a system. Traffic shaping allows the user to increase net‐
2558 work performance by controlling the amount of data that flows into and
2559 out of the sandboxes.
2560 Firejail implements a simple rate-limiting shaper based on Linux com‐
2562 mand tc. The shaper works at sandbox level, and can be used only for
2563 sandboxes configured with new network namespaces.
2564 Set rate-limits:
2566 $ firejail --bandwidth=name|pid set network download upload
2568 Clear rate-limits:
2570 $ firejail --bandwidth=name|pid clear network
2572 Status:
2574 $ firejail --bandwidth=name|pid status
2576 where:
2578 name - sandbox name
2579 pid - sandbox pid
2580 network - network interface as used by --net option
2581 download - download speed in KB/s (kilobyte per second)
2582 upload - upload speed in KB/s (kilobyte per second)
2583 Example:
2585 $ firejail --name=mybrowser --net=eth0 firefox &
2586 $ firejail --bandwidth=mybrowser set eth0 80 20
2587 $ firejail --bandwidth=mybrowser status
2588 $ firejail --bandwidth=mybrowser clear eth0
2589
2591 This program is free software; you can redistribute it and/or modify it
2592 under the terms of the GNU General Public License as published by the
2593 Free Software Foundation; either version 2 of the License, or (at your
2594 option) any later version.
2595 Homepage: https://firejail.wordpress.com
2597
2599 firemon(1), firecfg(1), firejail-profile(5), firejail-login(5), fire‐
2600 jail-users(5), jailcheck(1)
2601 ⟨https://github.com/netblue30/firejail/wiki⟩,
2603 ⟨https://github.com/netblue30/firejail⟩
26040.9.72 Jan 2023 FIREJAIL(1)