1FIREJAIL(1)                    firejail man page                   FIREJAIL(1)
2
3
4

NAME

6       Firejail - Linux namespaces sandbox program
7

SYNOPSIS

9       Start a sandbox:
10
11              firejail [OPTIONS] [program and arguments]
12
13       Start an AppImage program:
14
15              firejail [OPTIONS] --appimage [OPTIONS] [appimage-file and argu‐
16              ments]
17
18       File transfer from an existing sandbox
19
20              firejail {--ls | --get | --put | --cat} dir_or_filename
21
22       Network traffic shaping for an existing sandbox:
23
24              firejail --bandwidth={name|pid} bandwidth-command
25
26       Monitoring:
27
28              firejail {--list | --netstats | --top | --tree}
29
30       Miscellaneous:
31
32              firejail {-? | --debug-caps | --debug-errnos |  --debug-syscalls
33              | --debug-syscalls32 | --debug-protocols | --help | --version}
34

DESCRIPTION

36       Firejail  is  a  SUID sandbox program that reduces the risk of security
37       breaches by restricting the running environment of  untrusted  applica‐
38       tions  using  Linux namespaces, seccomp-bpf and Linux capabilities.  It
39       allows a process and all its descendants to have their own private view
40       of  the  globally  shared  kernel resources, such as the network stack,
41       process table, mount table.  Firejail can work in a SELinux or AppArmor
42       environment, and it is integrated with Linux Control Groups.
43
44       Written  in  C with virtually no dependencies, the software runs on any
45       Linux computer with a 3.x kernel version or newer.  It can sandbox  any
46       type of processes: servers, graphical applications, and even user login
47       sessions.
48
49       Firejail allows the user to manage application security using  security
50       profiles.  Each profile defines a set of permissions for a specific ap‐
51       plication or group of applications. The software includes security pro‐
52       files for a number of more common Linux programs, such as Mozilla Fire‐
53       fox, Chromium, VLC, Transmission etc.
54
55       Firejail is currently implemented as an SUID binary, which  means  that
56       if  a malicious or compromised user account manages to exploit a bug in
57       Firejail, that could ultimately lead to a privilege escalation to root.
58       To  mitigate this, it is recommended to only allow trusted users to run
59       firejail (see firejail-users(5) for details on how  to  achieve  that).
60       For  more details on the security/usability tradeoffs of Firejail, see:
61       #4601 ⟨https://github.com/netblue30/firejail/discussions/4601
62
63       Alternative sandbox technologies like snap (https://snapcraft.io/)  and
64       flatpak  (https://flatpak.org/)  are  not  supported.  Snap and flatpak
65       packages have their own native management tools and will not work  when
66       sandboxed with Firejail.
67
68

USAGE

70       Without  any  options,  the sandbox consists of a filesystem build in a
71       new mount namespace, and new PID and UTS namespaces. IPC,  network  and
72       user  namespaces  can  be added using the command line options. The de‐
73       fault Firejail filesystem is based on the host filesystem with the main
74       system directories mounted read-only. These directories are /etc, /var,
75       /usr, /bin, /sbin, /lib, /lib32, /libx32 and  /lib64.  Only  /home  and
76       /tmp are writable.
77
78       Upon  execution  Firejail first looks in ~/.config/firejail/ for a pro‐
79       file and if it doesn't find one, it looks in /etc/firejail/.  For  pro‐
80       file    resolution    detail   see   https://github.com/netblue30/fire
81       jail/wiki/Creating-Profiles#locations-and-types.   If  an   appropriate
82       profile is not found, Firejail will use a default profile.  The default
83       profile is quite restrictive. In case the application doesn't work, use
84       --noprofile  option to disable it. For more information, please see SE‐
85       CURITY PROFILES section below.
86
87       If a program argument is not specified, Firejail starts the user's pre‐
88       ferred shell.  Examples:
89
90       $ firejail [OPTIONS]                # starting the program specified in
91       $SHELL, usually /bin/bash
92
93       $ firejail [OPTIONS] firefox        # starting Mozilla Firefox
94
95       # sudo firejail [OPTIONS] /etc/init.d/nginx start
96
97

OPTIONS

99       --     Signal the end of options and disables further  option  process‐
100              ing.
101
102       --allow-debuggers
103              Allow  tools  such  as  strace  and  gdb  inside  the sandbox by
104              whitelisting system calls ptrace and process_vm_readv. This  op‐
105              tion  is  only  available  when  running on Linux kernels 4.8 or
106              newer - a kernel bug in ptrace system call allows a full  bypass
107              of the seccomp filter.
108
109              Example:
110              $   firejail   --allow-debuggers   --profile=/etc/firejail/fire‐
111              fox.profile strace -f firefox
112
113       --allusers
114              All directories under /home are visible inside the  sandbox.  By
115              default, only current user home directory is visible.
116
117              Example:
118              $ firejail --allusers
119
120       --appimage
121              Sandbox  an AppImage (https://appimage.org/) application. If the
122              sandbox is started as a regular user, nonewprivs and  a  default
123              capabilities  filter  are  enabled.  private-bin and private-lib
124              are disabled by default when running appimages.
125
126              Example:
127              $ firejail --appimage --profile=krita krita-3.0-x86_64.appimage
128              $  firejail   --quiet   --appimage   --private   --profile=krita
129              krita-3.0-x86_64.appimage
130              $   firejail   --appimage   --net=none   --x11   --profile=krita
131              krita-3.0-x86_64.appimage
132
133              Note: When using both --appimage and  --profile,  it  is  recom‐
134              mended  to  always specify the former before the latter, so that
135              any ?HAS_APPIMAGE conditionals inside of the profile evaluate to
136              true (see ?CONDITIONAL in firejail-profile(5)).
137
138       --bandwidth=name|pid
139              Set  bandwidth limits for the sandbox identified by name or PID,
140              see TRAFFIC SHAPING section for more details.
141
142       --bind=filename1,filename2
143              Mount-bind filename1 on top of filename2. This  option  is  only
144              available when running as root.
145
146              Example:
147              # firejail --bind=/config/etc/passwd,/etc/passwd
148
149       --blacklist=dirname_or_filename
150              Blacklist  directory  or  file.  File globbing is supported, see
151              FILE GLOBBING section for more details.
152
153              Symbolic link handling: Blacklisting a path that is  a  symbolic
154              link  will also blacklist the path that it points to.  For exam‐
155              ple, if ~/foo is blacklisted and it points to  /bar,  then  /bar
156              will also be blacklisted.
157
158              Example:
159              $ firejail --blacklist=/sbin --blacklist=/usr/sbin
160              $ firejail --blacklist=~/.mozilla
161              $ firejail "--blacklist=/home/username/My Virtual Machines"
162              $ firejail --blacklist=/home/username/My\ Virtual\ Machines
163
164       --build
165              The command builds a whitelisted profile. The profile is printed
166              on the screen. The program is run in  a  very  relaxed  sandbox,
167              with  only  --caps.drop=all and --seccomp=!chroot. Programs that
168              raise user privileges are not supported.
169
170              Example:
171              $ firejail --build vlc ~/Videos/test.mp4
172              $ firejail --build --appimage ~/Downloads/Subsurface.AppImage
173
174       --build=profile-file
175              The command builds a whitelisted profile, and saves it  in  pro‐
176              file-file.  The  program  is run in a very relaxed sandbox, with
177              only --caps.drop=all and --seccomp=!chroot. Programs that  raise
178              user privileges are not supported.
179
180              Example:
181              $ firejail --build=vlc.profile vlc ~/Videos/test.mp4
182              $   firejail   --build=Subsurface.profile   --appimage   ~/Down‐
183              loads/Subsurface.AppImage
184
185       -c     Login shell compatibility option. This option is use by some lo‐
186              gin  programs when executing the login shell, such as when fire‐
187              jail is used as a restricted login shell. It currently does  not
188              change the execution of firejail.
189
190       --caps Linux  capabilities is a kernel feature designed to split up the
191              root privilege into a set of distinct privileges.  These  privi‐
192              leges can be enabled or disabled independently, thus restricting
193              what a process running as root can do in the system.  See  capa‐
194              bilities(7) for details.
195
196              By  default  root  programs  run  with all capabilities enabled.
197              --caps option disables the following capabilities:  CAP_SYS_MOD‐
198              ULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CON‐
199              FIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.  The  filter  is  ap‐
200              plied to all processes started in the sandbox.
201
202              Example:
203              $ sudo firejail --caps /etc/init.d/nginx start
204
205
206       --caps.drop=all
207              Drop  all capabilities for the processes running in the sandbox.
208              This option is recommended for running GUI programs or any other
209              program  that doesn't require root privileges. It is a must-have
210              option for sandboxing untrusted programs installed from  unoffi‐
211              cial sources - such as games, Java programs, etc.
212
213              Example:
214              $ firejail --caps.drop=all warzone2100
215
216
217       --caps.drop=capability,capability,capability
218              Define a custom blacklist Linux capabilities filter.
219
220              Example:
221              $ firejail --caps.drop=net_broadcast,net_admin,net_raw
222
223
224       --caps.keep=capability,capability,capability
225              Define a custom whitelist Linux capabilities filter.
226
227              Example:
228              $  sudo firejail --caps.keep=chown,net_bind_service,setgid,\ se‐
229              tuid /etc/init.d/nginx start
230
231
232       --caps.print=name|pid
233              Print the caps filter for the sandbox identified by name  or  by
234              PID.
235
236              Example:
237              $ firejail --name=mygame --caps.drop=all warzone2100 &
238              $ firejail --caps.print=mygame
239
240              Example:
241              $ firejail --list
242              3272:netblue::firejail --private firefox
243              $ firejail --caps.print=3272
244
245
246       --cat=name|pid filename
247              Print  content of file from sandbox container, see FILE TRANSFER
248              section for more details.
249
250       --chroot=dirname
251              Chroot the sandbox into a root filesystem.  Unlike  the  regular
252              filesystem  container,  the system directories are mounted read-
253              write. If the sandbox is started as a regular  user,  nonewprivs
254              and a default capabilities filter are enabled.
255
256              Example:
257              $ firejail --chroot=/media/ubuntu warzone2100
258
259              For  automatic  mounting of X11 and PulseAudio sockets set envi‐
260              ronment variables FIREJAIL_CHROOT_X11 and FIREJAIL_CHROOT_PULSE.
261
262              Note: Support for this command is controlled in  firejail.config
263              with the chroot option.
264
265       --cpu=cpu-number,cpu-number,cpu-number
266              Set CPU affinity.
267
268              Example:
269              $ firejail --cpu=0,1 handbrake
270
271
272       --cpu.print=name|pid
273              Print  the CPU cores in use by the sandbox identified by name or
274              by PID.
275
276              Example:
277              $ firejail --name=mygame --caps.drop=all warzone2100 &
278              $ firejail --cpu.print=mygame
279
280              Example:
281              $ firejail --list
282              3272:netblue::firejail --private firefox
283              $ firejail --cpu.print=3272
284
285       --dbus-log=file
286              Specify the location for the DBus log file.
287
288              The log file contains events for both  the  system  and  session
289              buses  if  both of the --dbus-system.log and --dbus-user.log op‐
290              tions are specified. If no log file  path  is  given,  logs  are
291              written to the standard output instead.
292
293              Example:
294              $ firejail --dbus-system=filter --dbus-system.log \
295              --dbus-log=dbus.txt
296
297
298       --dbus-system=filter|none
299              Set system DBus sandboxing policy.
300
301              The  filter  policy  enables the system DBus filter. This option
302              requires installing the xdg-dbus-proxy utility. Permissions  for
303              well-known  can  be  specified  with  the --dbus-system.talk and
304              --dbus-system.own options.
305
306              The none policy disables access to the system DBus.
307
308              Only the regular system DBus UNIX socket is handled by this  op‐
309              tion. To disable the abstract sockets (and force applications to
310              use the filtered UNIX socket) you would need to  request  a  new
311              network  namespace using --net command. Another option is to re‐
312              move unix from the --protocol set.
313
314              Example:
315              $ firejail --dbus-system=none
316
317
318       --dbus-system.broadcast=name=[member][@path]
319              Allows the application to receive broadcast signals from the in‐
320              dicated interface member at the indicated object path exposed by
321              the indicated bus name on the system DBus.  The name may have  a
322              .*  suffix  to  match all names underneath it, including itself.
323              The interface member may have a .* to match all  members  of  an
324              interface, or be * to match all interfaces.  The path may have a
325              /* suffix to indicate all objects underneath it,  including  it‐
326              self.   Omitting  the  interface  member or the object path will
327              match all members and object paths, respectively.
328
329              Example:
330              $ firejail --dbus-system=filter --dbus-system.broadcast=\
331              org.freedesktop.Notifications=\
332              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
333
334
335       --dbus-system.call=name=[member][@path]
336              Allows the application to call the indicated interface member at
337              the  indicated  object path exposed by the indicated bus name on
338              the system DBus.  The name may have a .*  suffix  to  match  all
339              names underneath it, including itself.  The interface member may
340              have a .* to match all members of an interface, or be * to match
341              all  interfaces.   The path may have a /* suffix to indicate all
342              objects underneath it, including itself.  Omitting the interface
343              member  or  the  object  path  will match all members and object
344              paths, respectively.
345
346              Example:
347              $ firejail --dbus-system=filter --dbus-system.call=\
348              org.freedesktop.Notifications=\
349              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
350
351
352       --dbus-system.log
353              Turn on DBus logging for the system DBus. This  option  requires
354              --dbus-system=filter.
355
356              Example:
357              $ firejail --dbus-system=filter --dbus-system.log
358
359
360       --dbus-system.own=name
361              Allows  the  application to own the specified well-known name on
362              the system DBus.  The name may have a .*  suffix  to  match  all
363              names  underneath it, including itself (e.g. "foo.bar.*" matches
364              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
365              bar").
366
367              Example:
368              $ firejail --dbus-system=filter --dbus-system.own=\
369              org.gnome.ghex.*
370
371
372       --dbus-system.see=name
373              Allows  the  application  to  see, but not talk to the specified
374              well-known name on the system DBus.  The name may have a .* suf‐
375              fix  to  match  all  names underneath it, including itself (e.g.
376              "foo.bar.*"     matches     "foo.bar",     "foo.bar.baz"     and
377              "foo.bar.baz.quux", but not "foobar").
378
379              Example:
380              $ firejail --dbus-system=filter --dbus-system.see=\
381              org.freedesktop.Notifications
382
383
384       --dbus-system.talk=name
385              Allows  the application to talk to the specified well-known name
386              on the system DBus.  The name may have a .* suffix to match  all
387              names  underneath it, including itself (e.g. "foo.bar.*" matches
388              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
389              bar").
390
391              Example:
392              $ firejail --dbus-system=filter --dbus-system.talk=\
393              org.freedesktop.Notifications
394
395
396       --dbus-user=filter|none
397              Set session DBus sandboxing policy.
398
399              The  filter  policy enables the session DBus filter. This option
400              requires installing the xdg-dbus-proxy utility. Permissions  for
401              well-known  names  can  be  added  with the --dbus-user.talk and
402              --dbus-user.own options.
403
404              The none policy disables access to the session DBus.
405
406              Only the regular session DBus UNIX socket is handled by this op‐
407              tion. To disable the abstract sockets (and force applications to
408              use the filtered UNIX socket) you would need to  request  a  new
409              network  namespace using --net command. Another option is to re‐
410              move unix from the --protocol set.
411
412              Example:
413              $ firejail --dbus-user=none
414
415
416       --dbus-user.broadcast=name=[member][@path]
417              Allows the application to receive broadcast signals from the in‐
418              dicated interface member at the indicated object path exposed by
419              the indicated bus name on the session DBus.  The name may have a
420              .*  suffix  to  match all names underneath it, including itself.
421              The interface member may have a .* to match all  members  of  an
422              interface, or be * to match all interfaces.  The path may have a
423              /* suffix to indicate all objects underneath it,  including  it‐
424              self.   Omitting  the  interface  member or the object path will
425              match all members and object paths, respectively.
426
427              Example:
428              $ firejail --dbus-user=filter --dbus-user.broadcast=\
429              org.freedesktop.Notifications=\
430              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
431
432
433       --dbus-user.call=name=[member][@path]
434              Allows the application to call the indicated interface member at
435              the  indicated  object path exposed by the indicated bus name on
436              the session DBus.  The name may have a .* suffix  to  match  all
437              names underneath it, including itself.  The interface member may
438              have a .* to match all members of an interface, or be * to match
439              all  interfaces.   The path may have a /* suffix to indicate all
440              objects underneath it, including itself.  Omitting the interface
441              member  or  the  object  path  will match all members and object
442              paths, respectively.
443
444              Example:
445              $ firejail --dbus-user=filter --dbus-user.call=\
446              org.freedesktop.Notifications=\
447              org.freedesktop.Notifications.*@/org/freedesktop/Notifications
448
449
450       --dbus-user.log
451              Turn on DBus logging for the session DBus. This option  requires
452              --dbus-user=filter.
453
454              Example:
455              $ firejail --dbus-user=filter --dbus-user.log
456
457
458       --dbus-user.own=name
459              Allows  the  application to own the specified well-known name on
460              the session DBus.  The name may have a .* suffix  to  match  all
461              names  underneath it, including itself (e.g. "foo.bar.*" matches
462              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
463              bar").
464
465              Example:
466              $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
467
468
469       --dbus-user.talk=name
470              Allows  the application to talk to the specified well-known name
471              on the session DBus.  The name may have a .* suffix to match all
472              names  underneath it, including itself (e.g. "foo.bar.*" matches
473              "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but  not  "foo‐
474              bar").
475
476              Example:
477              $ firejail --dbus-user=filter --dbus-user.talk=\
478              org.freedesktop.Notifications
479
480
481       --dbus-user.see=name
482              Allows  the  application  to  see, but not talk to the specified
483              well-known name on the session DBus.  The name  may  have  a  .*
484              suffix  to match all names underneath it, including itself (e.g.
485              "foo.bar.*"     matches     "foo.bar",     "foo.bar.baz"     and
486              "foo.bar.baz.quux", but not "foobar").
487
488              Example:
489              $ firejail --dbus-user=filter --dbus-user.see=\
490              org.freedesktop.Notifications
491
492       --debug
493              Print debug messages.
494
495              Example:
496              $ firejail --debug firefox
497
498
499       --debug-blacklists
500              Debug blacklisting.
501
502              Example:
503              $ firejail --debug-blacklists firefox
504
505
506       --debug-caps
507              Print  all recognized capabilities in the current Firejail soft‐
508              ware build and exit.
509
510              Example:
511              $ firejail --debug-caps
512
513
514       --debug-errnos
515              Print all recognized error numbers in the current Firejail soft‐
516              ware build and exit.
517
518              Example:
519              $ firejail --debug-errnos
520
521       --debug-private-lib
522              Debug messages for --private-lib option.
523
524       --debug-protocols
525              Print  all recognized protocols in the current Firejail software
526              build and exit.
527
528              Example:
529              $ firejail --debug-protocols
530
531       --debug-syscalls
532              Print all recognized system calls in the current Firejail  soft‐
533              ware build and exit.
534
535              Example:
536              $ firejail --debug-syscalls
537
538       --debug-syscalls32
539              Print all recognized 32 bit system calls in the current Firejail
540              software build and exit.
541
542       --debug-whitelists
543              Debug whitelisting.
544
545              Example:
546              $ firejail --debug-whitelists firefox
547
548       --defaultgw=address
549              Use this address as default gateway in  the  new  network  name‐
550              space.
551
552              Example:
553              $ firejail --net=eth0 --defaultgw=10.10.20.1 firefox
554
555
556       --deterministic-exit-code
557              Always exit firejail with the first child's exit status. The de‐
558              fault behavior is to use the exit status of the final  child  to
559              exit, which can be nondeterministic.
560
561
562       --deterministic-shutdown
563              Always  shut  down  the sandbox after the first child has termi‐
564              nated. The default behavior is to keep the sandbox alive as long
565              as it contains running processes.
566
567
568       --disable-mnt
569              Blacklist /mnt, /media, /run/mount and /run/media access.
570
571              Example:
572              $ firejail --disable-mnt firefox
573
574
575       --dns=address
576              Set a DNS server for the sandbox. Up to three DNS servers can be
577              defined.  Use this option if you don't trust the  DNS  setup  on
578              your network.
579
580              Example:
581              $ firejail --dns=8.8.8.8 --dns=8.8.4.4 firefox
582
583              Note: this feature is not supported on systemd-resolved setups.
584
585       --dns.print=name|pid
586              Print  DNS  configuration for a sandbox identified by name or by
587              PID.
588
589              Example:
590              $ firejail --name=mygame --caps.drop=all warzone2100 &
591              $ firejail --dns.print=mygame
592
593              Example:
594              $ firejail --list
595              3272:netblue::firejail --private firefox
596              $ firejail --dns.print=3272
597
598
599       --dnstrace[=name|pid]
600              Monitor DNS queries. The sandbox can be  specified  by  name  or
601              pid.  Only networked sandboxes created with --net are supported.
602              This option is only available when running the sandbox as root.
603
604              Without a name/pid, Firejail will monitor the main  system  net‐
605              work namespace.
606
607              Example:
608              $ sudo firejail --dnstrace
609              11:31:43  9.9.9.9        linux.com (type 1)
610              11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
611              11:31:45  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
612              11:31:45  9.9.9.9        www.linux.com (type 1)
613              11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
614              11:31:52  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
615              11:32:05  9.9.9.9        secure.gravatar.com (type 1)
616              11:32:06  9.9.9.9        secure.gravatar.com (type 1)
617              11:32:08  9.9.9.9        taikai.network (type 1)
618              11:32:08  9.9.9.9        cdn.jsdelivr.net (type 1)
619              11:32:08  9.9.9.9        taikai.azureedge.net (type 1)
620              11:32:08  9.9.9.9        www.youtube.com (type 1)
621
622
623       --env=name=value
624              Set environment variable in the new sandbox.
625
626              Example:
627              $ firejail --env=LD_LIBRARY_PATH=/opt/test/lib
628
629
630       --fs.print=name|pid
631              Print  the  filesystem log for the sandbox identified by name or
632              by PID.
633
634              Example:
635              $ firejail --name=mygame --caps.drop=all warzone2100 &
636              $ firejail --fs.print=mygame
637
638              Example:
639              $ firejail --list
640              3272:netblue::firejail --private firefox
641              $ firejail --fs.print=3272
642
643
644       --get=name|pid filename
645              Get a file from sandbox container, see FILE TRANSFER section for
646              more details.
647
648       -?, --help
649              Print options end exit.
650
651
652
653       --hostname=name
654              Set sandbox hostname.
655
656              Example:
657              $ firejail --hostname=officepc firefox
658
659
660       --hosts-file=file
661              Use file as /etc/hosts.
662
663              Example:
664              $ firejail --hosts-file=~/myhosts firefox
665
666
667
668       --ignore=command
669              Ignore command in profile file.
670
671              Example:
672              $ firejail --ignore=seccomp --ignore=caps firefox
673              $ firejail --ignore="net eth0" firefox
674
675
676       --icmptrace[=name|pid]
677              Monitor  ICMP  traffic.  The sandbox can be specified by name or
678              pid. Only networked sandboxes created with --net are  supported.
679              This option is only available when running the sandbox as root.
680
681              Without  a  name/pid, Firejail will monitor the main system net‐
682              work namespace.
683
684              Example
685              $ sudo firejail --icmptrace
686              20:53:54  192.168.1.60 -> 142.250.65.174 - 98 bytes -  Echo  re‐
687              quest/0
688              20:53:54   142.250.65.174  -> 192.168.1.60 - 98 bytes - Echo re‐
689              ply/0
690              20:53:55  192.168.1.60 -> 142.250.65.174 - 98 bytes -  Echo  re‐
691              quest/0
692              20:53:55   142.250.65.174  -> 192.168.1.60 - 98 bytes - Echo re‐
693              ply/0
694              20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination  un‐
695              reachable/Port unreachable
696
697
698       --include=file.profile
699              Include a profile file before the regular profiles are used.
700
701              Example:
702              $ firejail --include=/etc/firejail/disable-devel.inc gedit
703
704
705       --interface=interface
706              Move  interface  in a new network namespace. Up to four --inter‐
707              face options can be specified.  Note: wlan devices are not  sup‐
708              ported for this option.
709
710              Example:
711              $ firejail --interface=eth1 --interface=eth0.vlan100
712
713
714       --ip=address
715              Assign  IP  addresses to the last network interface defined by a
716              --net option. A default gateway is assigned by default.
717
718              Example:
719              $ firejail --net=eth0 --ip=10.10.20.56 firefox
720
721
722       --ip=none
723              No IP address and no default gateway are configured for the last
724              interface defined by a --net option. Use this option in case you
725              intend to start an external DHCP client in the sandbox.
726
727              Example:
728              $ firejail --net=eth0 --ip=none
729
730              If the corresponding interface doesn't have an IP  address  con‐
731              figured, this option is enabled by default.
732
733
734       --ip=dhcp
735              Acquire an IP address and default gateway for the last interface
736              defined by a --net option, as well as set the  DNS  servers  ac‐
737              cording  to  the  DHCP  response.   This option requires the ISC
738              dhclient DHCP client to be installed and will start it automati‐
739              cally inside the sandbox.
740
741              Example:
742              $ firejail --net=br0 --ip=dhcp
743
744              This option should not be used in conjunction with the --dns op‐
745              tion if the DHCP server is set to configure DNS servers for  the
746              clients,  because  the  manually  specified  DNS servers will be
747              overwritten.
748
749              The DHCP client will NOT release the DHCP lease when the sandbox
750              terminates.   If  your DHCP server requires leases to be explic‐
751              itly released, consider running a DHCP client and releasing  the
752              lease manually in conjunction with the --net=none option.
753
754
755       --ip6=address
756              Assign IPv6 addresses to the last network interface defined by a
757              --net option.
758
759              Example:
760              $ firejail --net=eth0 --ip6=2001:0db8:0:f101::1/64 firefox
761
762              Note: you don't need this option if you obtain your ip6  address
763              from  router  via SLAAC (your ip6 address and default route will
764              be configured by kernel automatically).
765
766
767       --ip6=dhcp
768              Acquire an IPv6 address and default gateway for the last  inter‐
769              face  defined  by a --net option, as well as set the DNS servers
770              according to the DHCP response.  This option  requires  the  ISC
771              dhclient DHCP client to be installed and will start it automati‐
772              cally inside the sandbox.
773
774              Example:
775              $ firejail --net=br0 --ip6=dhcp
776
777              This option should not be used in conjunction with the --dns op‐
778              tion  if the DHCP server is set to configure DNS servers for the
779              clients, because the manually  specified  DNS  servers  will  be
780              overwritten.
781
782              The DHCP client will NOT release the DHCP lease when the sandbox
783              terminates.  If your DHCP server requires leases to  be  explic‐
784              itly  released, consider running a DHCP client and releasing the
785              lease manually.
786
787
788       --iprange=address,address
789              Assign an IP address in the provided range to the  last  network
790              interface  defined  by  a --net option. A default gateway is as‐
791              signed by default.
792
793              Example:
794              $ firejail --net=eth0 --iprange=192.168.1.100,192.168.1.150
795
796
797       --ipc-namespace
798              Enable a new IPC namespace if the sandbox was started as a regu‐
799              lar  user.  IPC  namespace  is  enabled by default for sandboxes
800              started as root.
801
802              Example:
803              $ firejail --ipc-namespace firefox
804
805       --join=name|pid
806              Join the sandbox identified by name or  by  PID.  By  default  a
807              /bin/bash shell is started after joining the sandbox.  If a pro‐
808              gram is specified, the program is run in the sandbox. If  --join
809              command  is  issued  as a regular user, all security filters are
810              configured for the new process the same they are  configured  in
811              the  sandbox.  If --join command is issued as root, the security
812              filters and cpus configurations are not applied to  the  process
813              joining the sandbox.
814
815              Example:
816              $ firejail --name=mygame --caps.drop=all warzone2100 &
817              $ firejail --join=mygame
818
819              Example:
820              $ firejail --list
821              3272:netblue::firejail --private firefox
822              $ firejail --join=3272
823
824
825       --join-filesystem=name|pid
826              Join  the  mount  namespace of the sandbox identified by name or
827              PID. By default a /bin/bash shell is started after  joining  the
828              sandbox.   If  a program is specified, the program is run in the
829              sandbox. This command is available only to root user.   Security
830              filters  and  cpus configurations are not applied to the process
831              joining the sandbox.
832
833       --join-network=name|pid
834              Join the network namespace of the sandbox identified by name. By
835              default  a /bin/bash shell is started after joining the sandbox.
836              If a program is specified, the program is run  in  the  sandbox.
837              This  command  is available only to root user.  Security filters
838              and cpus configurations are not applied to the  process  joining
839              the sandbox. Example:
840
841              # start firefox
842              $ firejail --net=eth0 --name=browser firefox &
843
844              # change netfilter configuration
845              $  sudo  firejail --join-network=browser bash -c "cat /etc/fire‐
846              jail/nolocal.net | /sbin/iptables-restore"
847
848              # verify netfilter configuration
849              $ sudo firejail --join-network=browser /sbin/iptables -vL
850
851              # verify IP addresses
852              $ sudo firejail --join-network=browser ip addr
853              Switching to pid 1932, the first child process inside the  sand‐
854              box
855              1:  lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UN‐
856              KNOWN group default
857                  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
858                  inet 127.0.0.1/8 scope host lo
859                     valid_lft forever preferred_lft forever
860                  inet6 ::1/128 scope host
861                     valid_lft forever preferred_lft forever
862              2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu  1500  qdisc
863              noqueue state UNKNOWN group default
864                  link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
865                  inet   192.168.1.158/24   brd   192.168.1.255  scope  global
866              eth0-1931
867                     valid_lft forever preferred_lft forever
868                  inet6 fe80::7458:14ff:fe42:78e4/64 scope link
869                     valid_lft forever preferred_lft forever
870
871       --join-or-start=name
872              Join the sandbox identified by name or start a new one.  Same as
873              "firejail  --join=name"  if  sandbox with specified name exists,
874              otherwise same as "firejail --name=name ..."
875              Note that in contrary to other join options there is  respective
876              profile option.
877
878
879       --keep-config-pulse
880              Disable  automatic ~/.config/pulse init, for complex setups such
881              as remote pulse servers or non-standard socket paths.
882
883              Example:
884              $ firejail --keep-config-pulse firefox
885
886
887       --keep-dev-shm
888              /dev/shm directory is untouched (even with --private-dev)
889
890              Example:
891              $ firejail --keep-dev-shm --private-dev
892
893
894       --keep-fd=all
895              Inherit all open file descriptors to  the  sandbox.  By  default
896              only  file  descriptors 0, 1 and 2 are inherited to the sandbox,
897              and all other file descriptors are closed.
898
899              Example:
900              $ firejail --keep-fd=all
901
902
903       --keep-fd=file_descriptor
904              Don't close specified open file  descriptors.  By  default  only
905              file  descriptors  0,  1 and 2 are inherited to the sandbox, and
906              all other file descriptors are closed.
907
908              Example:
909              $ firejail --keep-fd=3,4,5
910
911
912       --keep-var-tmp
913              /var/tmp directory is untouched.
914
915              Example:
916              $ firejail --keep-var-tmp
917
918
919       --list List all sandboxes, see MONITORING section for more details.
920
921              Example:
922              $ firejail --list
923              7015:netblue:browser:firejail firefox
924              7056:netblue:torrent:firejail --net=eth0 transmission-gtk
925              7064:netblue::firejail --noroot xterm
926
927       --ls=name|pid dir_or_filename
928              List files in sandbox container, see FILE TRANSFER  section  for
929              more details.
930
931       --mac=address
932              Assign  MAC addresses to the last network interface defined by a
933              --net option. This option is not supported for  wireless  inter‐
934              faces.
935
936              Example:
937              $ firejail --net=eth0 --mac=00:11:22:33:44:55 firefox
938
939       --machine-id
940              Spoof  id  number  in  /etc/machine-id file - a new random id is
941              generated inside the sandbox.  Note that this breaks audio  sup‐
942              port. Enable it when sound is not required.
943
944              Example:
945              $ firejail --machine-id
946
947
948       --mkdir=dirname
949              Create  a directory in user home. Parent directories are created
950              as needed.
951
952              Example:
953              $ firejail --mkdir=~/work/project
954
955
956       --mkfile=filename
957              Create an empty file in user home.
958
959              Example:
960              $ firejail --mkfile=~/work/project/readme
961
962
963       --memory-deny-write-execute
964              Install a seccomp filter to block attempts to create memory map‐
965              pings  that are both writable and executable, to change mappings
966              to be executable, or to create  executable  shared  memory.  The
967              filter   examines   the  arguments  of  mmap,  mmap2,  mprotect,
968              pkey_mprotect, memfd_create and shmat system calls  and  returns
969              error  EPERM to the process (or kills it or log the attempt, see
970              --seccomp-error-action below) if necessary.
971
972              Note: shmat is not implemented as a system call  on  some  plat‐
973              forms including i386, and it cannot be handled by seccomp-bpf.
974
975       --mtu=number
976              Assign  a  MTU  value to the last network interface defined by a
977              --net option.
978
979              Example:
980              $ firejail --net=eth0 --mtu=1492
981
982       --name=name
983              Set sandbox name. Several options, such as  --join  and  --shut‐
984              down, can use this name to identify a sandbox.
985
986              In  case  the name supplied by the user is already in use by an‐
987              other sandbox, Firejail will assign a new  name  as  "name-PID",
988              where  PID  is the process ID of the sandbox. This functionality
989              can be disabled at  run  time  in  /etc/firejail/firejail.config
990              file, by setting "name-change" flag to "no".
991
992              Example:
993              $ firejail --name=browser firefox &
994              $ firejail --name=browser --private firefox --no-remote &
995              $ firejail --list
996              1198:netblue:browser:firejail --name=browser firefox
997              1312:netblue:browser-1312:firejail    --name=browser   --private
998              firefox --no-remote
999
1000       --net=bridge_interface
1001              Enable a new network namespace and connect it to this bridge in‐
1002              terface.   Unless specified with option --ip and --defaultgw, an
1003              IP address and a default gateway will be assigned  automatically
1004              to  the sandbox. The IP address is verified using ARP before as‐
1005              signment. The address  configured  as  default  gateway  is  the
1006              bridge device IP address. Up to four --net options can be speci‐
1007              fied.
1008
1009              Example:
1010              $ sudo brctl addbr br0
1011              $ sudo ifconfig br0 10.10.20.1/24
1012              $ sudo brctl addbr br1
1013              $ sudo ifconfig br1 10.10.30.1/24
1014              $ firejail --net=br0 --net=br1
1015
1016
1017       --net=ethernet_interface|wireless_interface
1018              Enable a new network namespace and connect it to  this  ethernet
1019              interface using the standard Linux macvlan|ipvlan driver. Unless
1020              specified with option --ip and --defaultgw, an IP address and  a
1021              default  gateway  will be assigned automatically to the sandbox.
1022              The IP address is verified using ARP before assignment. The  ad‐
1023              dress  configured  as  default gateway is the default gateway of
1024              the host. Up to four --net options can  be  specified.   Support
1025              for ipvlan driver was introduced in Linux kernel 3.19.
1026
1027              Example:
1028              $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
1029              $ firejail --net=wlan0 firefox
1030
1031       --net=none
1032              Enable  a new, unconnected network namespace. The only interface
1033              available in the new namespace is a new loopback interface (lo).
1034              Use  this  option  to deny network access to programs that don't
1035              really need network access.
1036
1037              Example:
1038              $ firejail --net=none vlc
1039
1040              Note: --net=none can crash the application  on  some  platforms.
1041              In these cases, it can be replaced with --protocol=unix.
1042
1043       --net=tap_interface
1044              Enable  a  new network namespace and connect it to this ethernet
1045              tap interface using the standard Linux macvlan  driver.  If  the
1046              tap  interface  is  not  configured, the sandbox will not try to
1047              configure the interface inside the sandbox.   Please  use  --ip,
1048              --netmask and --defaultgw to specify the configuration.
1049
1050              Example:
1051              $  firejail  --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
1052              --defaultgw=10.10.20.1 firefox
1053
1054
1055       --net.print=name|pid
1056              If a new network namespace is enabled, print  network  interface
1057              configuration for the sandbox specified by name or PID. Example:
1058
1059              $ firejail --net.print=browser
1060              Switching  to pid 1853, the first child process inside the sand‐
1061              box
1062              Interface  MAC               IP            Mask        Status
1063              lo                           127.0.0.1     255.0.0.0     UP
1064              eth0-1852  5e:fb:8e:27:29:26 192.168.1.186 255.255.255.0 UP
1065
1066
1067       --netfilter
1068              Enable a default firewall if a new network namespace is  created
1069              inside the sandbox.  This option has no effect for sandboxes us‐
1070              ing the system network namespace.
1071
1072              The default firewall is optimized for regular  desktop  applica‐
1073              tions. No incoming connections are accepted:
1074
1075              *filter
1076              :INPUT DROP [0:0]
1077              :FORWARD DROP [0:0]
1078              :OUTPUT ACCEPT [0:0]
1079              -A INPUT -i lo -j ACCEPT
1080              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
1081              # allow ping
1082              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
1083              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
1084              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
1085              # drop STUN (WebRTC) requests
1086              -A OUTPUT -p udp --dport 3478 -j DROP
1087              -A OUTPUT -p udp --dport 3479 -j DROP
1088              -A OUTPUT -p tcp --dport 3478 -j DROP
1089              -A OUTPUT -p tcp --dport 3479 -j DROP
1090              COMMIT
1091
1092              Example:
1093              $ firejail --net=eth0 --netfilter firefox
1094
1095       --netfilter=filename
1096              Enable the firewall specified by filename if a new network name‐
1097              space is created inside the sandbox.  This option has no  effect
1098              for sandboxes using the system network namespace.
1099
1100              Please use the regular iptables-save/iptables-restore format for
1101              the  filter  file.  The  following  examples  are  available  in
1102              /etc/firejail directory:
1103
1104              webserver.net is a webserver firewall that allows access only to
1105              TCP ports 80 and 443.  Example:
1106
1107              $ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \
1108              /etc/init.d/apache2 start
1109
1110              nolocal.net/nolocal6.net is a desktop client firewall that  dis‐
1111              able access to local network. Example:
1112
1113              $ firejail --netfilter=/etc/firejail/nolocal.net \
1114              --net=eth0 firefox
1115
1116
1117       --netfilter=filename,arg1,arg2,arg3 ...
1118              This  is  the  template  version of the previous command. $ARG1,
1119              $ARG2, $ARG3 ... in the firewall script are replaced with  arg1,
1120              arg2,  arg3  ...  passed on the command line. Up to 16 arguments
1121              are supported.  Example:
1122
1123              $ firejail --net=eth0 --ip=192.168.1.105 \
1124              --netfilter=/etc/firejail/tcpserver.net,5001 server-program
1125
1126
1127       --netfilter.print=name|pid
1128              Print the firewall installed in the sandbox specified by name or
1129              PID. Example:
1130
1131              $ firejail --name=browser --net=eth0 --netfilter firefox &
1132              $ firejail --netfilter.print=browser
1133
1134
1135       --netfilter6=filename
1136              Enable  the IPv6 firewall specified by filename if a new network
1137              namespace is created inside the sandbox.  This option has no ef‐
1138              fect  for  sandboxes using the system network namespace.  Please
1139              use the regular iptables-save/iptables-restore  format  for  the
1140              filter file.
1141
1142
1143       --netfilter6.print=name|pid
1144              Print  the  IPv6  firewall installed in the sandbox specified by
1145              name or PID. Example:
1146
1147              $ firejail --name=browser --net=eth0 --netfilter firefox &
1148              $ firejail --netfilter6.print=browser
1149
1150
1151       --netlock
1152              Several type of programs (email clients, multiplayer games etc.)
1153              talk  to a very small number of IP addresses. But the best exam‐
1154              ple is tor browser. It only talks to a guard node, and there are
1155              two or three more on standby in case the main one fails.  During
1156              startup, the browser contacts all of them, after that  it  keeps
1157              talking to the main one... for weeks!
1158
1159              Use  the  network  locking  feature to build and deploy a custom
1160              network firewall in your sandbox.  The firewall allows only  the
1161              traffic to the IP addresses detected during the program startup.
1162              Traffic to any other address is quietly dropped. By default  the
1163              network monitoring time is one minute.
1164
1165              A network namespace (--net=eth0) is required for this feature to
1166              work. Example:
1167
1168              $ firejail --net=eth0 --netlock \
1169              --private=~/tor-browser_en-US ./start-tor-browser.desktop
1170
1171
1172
1173       --netmask=address
1174              Use this option when you want to assign an IP address in  a  new
1175              namespace  and  the  parent  interface specified by --net is not
1176              configured. An IP address and a  default  gateway  address  also
1177              have  to  be added. By default the new namespace interface comes
1178              without IP address and default gateway configured. Example:
1179
1180              $ sudo /sbin/brctl addbr br0
1181              $ sudo /sbin/ifconfig br0 up
1182              $  firejail   --ip=10.10.20.67   --netmask=255.255.255.0   --de‐
1183              faultgw=10.10.20.1
1184
1185
1186       --netns=name
1187              Run the program in a named, persistent network namespace.  These
1188              can be created and configured using "ip netns".
1189
1190
1191       --netstats
1192              Monitor network namespace statistics, see MONITORING section for
1193              more details.
1194
1195              Example:
1196
1197              $ firejail --netstats
1198              PID  User    RX(KB/s) TX(KB/s) Command
1199              1294 netblue 53.355   1.473    firejail --net=eth0 firefox
1200              7383 netblue 9.045    0.112    firejail --net=eth0 transmission
1201
1202       --nettrace[=name|pid]
1203              Monitor  received TCP. UDP, and ICMP traffic. The sandbox can be
1204              specified by name or pid. Only networked sandboxes created  with
1205              --net  are supported. This option is only available when running
1206              the sandbox as root.
1207
1208              Without a name/pid, Firejail will monitor the main  system  net‐
1209              work namespace.
1210
1211              Example:
1212              $ sudo firejail --nettrace
1213                                      95 KB/s  geoip 457, IP database 4436
1214                 52 KB/s ***********           64.222.84.207:443 United States
1215                 33 KB/s *******               89.147.74.105:63930 Hungary
1216                  0 B/s                        45.90.28.0:443 NextDNS
1217                  0 B/s                        94.70.122.176:52309(UDP) Greece
1218                339 B/s                        104.26.7.35:443 Cloudflare
1219
1220              If  /usr/bin/geoiplookup  is installed (geoip-bin package in De‐
1221              bian), the country the traffic originates from is added  to  the
1222              trace.   We  also  use  the  static  IP  map  in  /usr/lib/fire‐
1223              jail/static-ip-map to print the domain names  for  some  of  the
1224              more  common websites and cloud platforms.  No external services
1225              are contacted for reverse IP lookup.
1226
1227       --nice=value
1228              Set nice value for all processes  running  inside  the  sandbox.
1229              Only root may specify a negative value.
1230
1231              Example:
1232              $ firejail --nice=2 firefox
1233
1234
1235       --no3d Disable 3D hardware acceleration.
1236
1237              Example:
1238              $ firejail --no3d firefox
1239
1240
1241       --noautopulse (deprecated)
1242              See --keep-config-pulse.
1243
1244
1245       --noblacklist=dirname_or_filename
1246              Disable blacklist for this directory or file.
1247
1248              Example:
1249              $ firejail
1250              $ nc dict.org 2628
1251              bash: /bin/nc: Permission denied
1252              $ exit
1253
1254              $ firejail --noblacklist=/bin/nc
1255              $ nc dict.org 2628
1256              220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
1257
1258       --nodbus (deprecated)
1259              Disable D-Bus access (both system and session buses). Equivalent
1260              to --dbus-system=none --dbus-user=none.
1261
1262              Example:
1263              $ firejail --nodbus --net=none
1264
1265       --nodvd
1266              Disable DVD and audio CD devices.
1267
1268              Example:
1269              $ firejail --nodvd
1270
1271       --noinput
1272              Disable input devices.
1273
1274              Example:
1275              $ firejail --noinput
1276
1277       --noexec=dirname_or_filename
1278              Remount directory or file noexec, nodev and nosuid.  File  glob‐
1279              bing is supported, see FILE GLOBBING section for more details.
1280
1281              Example:
1282              $ firejail --noexec=/tmp
1283
1284              /etc  and  /var are noexec by default if the sandbox was started
1285              as a regular user.
1286
1287
1288       --nogroups
1289              Disable supplementary groups. Without this option, supplementary
1290              groups  are  enabled for the user starting the sandbox. For root
1291              user supplementary groups are always disabled.
1292
1293              Note: By default all regular user groups are  removed  with  the
1294              exception  of  the current user. This can be changed using --al‐
1295              lusers command option.
1296
1297              Example:
1298              $ id
1299              uid=1000(netblue)       gid=1000(netblue)       groups=1000(net‐
1300              blue),24(cdrom),25(floppy),27(sudo),29(audio)
1301              $ firejail --nogroups
1302              Parent pid 8704, child pid 8705
1303              Child process initialized
1304              $ id
1305              uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
1306              $
1307
1308
1309       --nonewprivs
1310              Sets  the NO_NEW_PRIVS prctl.  This ensures that child processes
1311              cannot acquire new privileges using execve(2);   in  particular,
1312              this means that calling a suid binary (or one with file capabil‐
1313              ities) does not result in an increase of privilege. This  option
1314              is enabled by default if seccomp filter is activated.
1315
1316
1317       --noprinters
1318              Disable printers.
1319
1320
1321       --noprofile
1322              Do not use a security profile.
1323
1324              Example:
1325              $ firejail
1326              Reading profile /etc/firejail/default.profile
1327              Parent pid 8553, child pid 8554
1328              Child process initialized
1329              [...]
1330
1331              $ firejail --noprofile
1332              Parent pid 8553, child pid 8554
1333              Child process initialized
1334              [...]
1335
1336       --noroot
1337              Install  a user namespace with a single user - the current user.
1338              root user does not exist in the new namespace. This  option  re‐
1339              quires  a  Linux  kernel version 3.8 or newer. The option is not
1340              supported for --chroot  and  --overlay  configurations,  or  for
1341              sandboxes started as root.
1342
1343              Example:
1344              $ firejail --noroot
1345              Parent pid 8553, child pid 8554
1346              Child process initialized
1347              $ ping google.com
1348              ping: icmp open socket: Operation not permitted
1349              $
1350
1351       --nosound
1352              Disable sound system.
1353
1354              Example:
1355              $ firejail --nosound firefox
1356
1357
1358       --notv Disable DVB (Digital Video Broadcasting) TV devices.
1359
1360              Example:
1361              $ firejail --notv vlc
1362
1363
1364       --nou2f
1365              Disable U2F devices.
1366
1367              Example:
1368              $ firejail --nou2f
1369
1370
1371       --novideo
1372              Disable video devices.
1373
1374
1375       --nowhitelist=dirname_or_filename
1376              Disable whitelist for this directory or file.
1377
1378
1379       --oom=value
1380              Configure  kernel's  OutOfMemory-killer  score for this sandbox.
1381              The acceptable score values are between 0 and 1000  for  regular
1382              users,  and  -1000 to 1000 for root. For more information on OOM
1383              kernel feature see man choom.
1384
1385              Example:
1386              $ firejail --oom=300 firefox
1387
1388
1389       --output=logfile
1390              stdout logging and log rotation. Copy  stdout  to  logfile,  and
1391              keep  the  size of the file under 500KB using log rotation. Five
1392              files with prefixes .1 to .5 are used in rotation.
1393
1394              Example:
1395              $ firejail --output=sandboxlog /bin/bash
1396              [...]
1397              $ ls -l sandboxlog*
1398              -rw-r--r-- 1 netblue netblue 333890 Jun  2 07:48 sandboxlog
1399              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.1
1400              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.2
1401              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.3
1402              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.4
1403              -rw-r--r-- 1 netblue netblue 511488 Jun  2 07:48 sandboxlog.5
1404
1405
1406       --output-stderr=logfile
1407              Similar to --output, but stderr is also stored.
1408
1409
1410       --private
1411              Mount new /root and /home/user directories in temporary filesys‐
1412              tems.  All  modifications  are  discarded  when  the  sandbox is
1413              closed.
1414
1415              Example:
1416              $ firejail --private firefox
1417
1418
1419       --private=directory
1420              Use directory as user home.  --private  and  --private=directory
1421              cannot be used together.
1422
1423              Example:
1424              $ firejail --private=/home/netblue/firefox-home firefox
1425
1426              Bug:  Even  with this enabled, some commands (such as mkdir, mk‐
1427              file and private-cache) will still operate on the original  home
1428              directory.   Workaround: Disable the incompatible commands, such
1429              as by using "ignore mkdir" and "ignore  mkfile".   For  details,
1430              see #903 ⟨https://github.com/netblue30/firejail/issues/903
1431
1432
1433       --private-bin=file,file
1434              Build  a  new  /bin in a temporary filesystem, and copy the pro‐
1435              grams in the list.  The files in the list must be  expressed  as
1436              relative  to  the  /bin, /sbin, /usr/bin, /usr/sbin, or /usr/lo‐
1437              cal/bin directories.  If no listed files are found, /bin  direc‐
1438              tory  will  be  empty.   The same directory is also bind-mounted
1439              over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.  All modifi‐
1440              cations are discarded when the sandbox is closed.  Multiple pri‐
1441              vate-bin commands are allowed and they accumulate.   File  glob‐
1442              bing is supported, see FILE GLOBBING section for more details.
1443
1444              Example:
1445              $ firejail --private-bin=bash,sed,ls,cat
1446              Parent pid 20841, child pid 20842
1447              Child process initialized
1448              $ ls /bin
1449              bash  cat  ls  sed
1450
1451
1452       --private-cache
1453              Mount  an empty temporary filesystem on top of the .cache direc‐
1454              tory in user home. All  modifications  are  discarded  when  the
1455              sandbox is closed.
1456
1457              Example:
1458              $ firejail --private-cache openbox
1459
1460
1461       --private-cwd
1462              Set  working  directory  inside  jail to the home directory, and
1463              failing that, the root directory.  Does not impact  working  di‐
1464              rectory of profile include paths.
1465
1466              Example:
1467              $ pwd
1468              /tmp
1469              $ firejail --private-cwd
1470              $ pwd
1471              /home/user
1472
1473
1474       --private-cwd=directory
1475              Set  working  directory inside the jail.  Full directory path is
1476              required. Symbolic links are not allowed.  Does not impact work‐
1477              ing directory of profile include paths.
1478
1479              Example:
1480              $ pwd
1481              /tmp
1482              $ firejail --private-cwd=/opt
1483              $ pwd
1484              /opt
1485
1486
1487       --private-dev
1488              Create  a new /dev directory. Only disc, dri, dvb, hidraw, null,
1489              full, zero, tty, pts, ptmx, random, snd,  urandom,  video,  log,
1490              shm  and  usb  devices  are  available.  Use the options --no3d,
1491              --nodvd, --nosound, --notv, --nou2f and --novideo for additional
1492              restrictions.
1493
1494              Example:
1495              $ firejail --private-dev
1496              Parent pid 9887, child pid 9888
1497              Child process initialized
1498              $ ls /dev
1499              cdrom  cdrw  dri  dvd  dvdrw  full  log  null  ptmx  pts  random
1500              shm  snd  sr0  tty  urandom  zero
1501              $
1502
1503       --private-etc=file,directory
1504              Build a new /etc in a temporary filesystem, and copy  the  files
1505              and  directories  in the list.  The files and directories in the
1506              list must be expressed as relative to the /etc directory  (e.g.,
1507              /etc/foo must be expressed as foo).  If no listed file is found,
1508              /etc directory will be empty.  All modifications  are  discarded
1509              when  the  sandbox is closed.  Multiple private-etc commands are
1510              allowed and they accumulate.
1511
1512              Example:
1513              $ firejail --private-etc=group,hostname,localtime, \
1514              nsswitch.conf,passwd,resolv.conf
1515
1516       --private-home=file,directory
1517              Build a new user home in a temporary filesystem,  and  copy  the
1518              files  and  directories  in the list in the new home.  The files
1519              and directories in the list must be expressed as relative to the
1520              current  user's home directory.  All modifications are discarded
1521              when the sandbox is closed.
1522
1523              Example:
1524              $ firejail --private-home=.mozilla firefox
1525
1526       --private-lib=file,directory
1527              This feature is currently under heavy  development.  Only  amd64
1528              platforms  are supported at this moment.  The files and directo‐
1529              ries in the list must be expressed as relative to the  /lib  di‐
1530              rectory.   The  idea  is  to  build  a  new  /lib in a temporary
1531              filesystem, with only the library files necessary to run the ap‐
1532              plication.  It could be as simple as:
1533
1534              $ firejail --private-lib galculator
1535
1536              but it gets complicated really fast:
1537
1538              $    firejail   --private-lib=x86_64-linux-gnu/xed,x86_64-linux-
1539              gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
1540
1541              The feature is integrated with --private-bin:
1542
1543              $ firejail --private-lib --private-bin=bash,ls,ps
1544              $ ls /lib
1545              ld-linux-x86-64.so.2  libgpg-error.so.0  libprocps.so.6  libsys‐
1546              temd.so.0
1547              libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
1548              libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
1549              libgcrypt.so.20 libpcre.so.3 libselinux.so.1
1550              $ ps
1551               PID TTY          TIME CMD
1552                  1 pts/0    00:00:00 firejail
1553                 45 pts/0    00:00:00 bash
1554                 48 pts/0    00:00:00 ps
1555              $
1556
1557              Note:  Support for this command is controlled in firejail.config
1558              with the private-lib option.
1559
1560       --private-opt=file,directory
1561              Build a new /opt in a temporary filesystem, and copy  the  files
1562              and  directories  in the list.  The files and directories in the
1563              list must be expressed as relative to the  /opt  directory,  and
1564              must  not  contain  the  / character (e.g., /opt/foo must be ex‐
1565              pressed as foo, but /opt/foo/bar -- expressed as foo/bar  --  is
1566              disallowed).  If no listed file is found, /opt directory will be
1567              empty.  All modifications are  discarded  when  the  sandbox  is
1568              closed.
1569
1570              Example:
1571              $ firejail --private-opt=firefox /opt/firefox/firefox
1572
1573
1574       --private-srv=file,directory
1575              Build  a  new /srv in a temporary filesystem, and copy the files
1576              and directories in the list.  The files and directories  in  the
1577              list  must  be  expressed as relative to the /srv directory, and
1578              must not contain the / character (e.g.,  /srv/foo  must  be  ex‐
1579              pressed  as  foo, but /srv/foo/bar -- expressed as srv/bar -- is
1580              disallowed).  If no listed file is found, /srv directory will be
1581              empty.   All  modifications  are  discarded  when the sandbox is
1582              closed.
1583
1584              Example:
1585              # firejail --private-srv=www /etc/init.d/apache2 start
1586
1587
1588       --private-tmp
1589              Mount an empty temporary filesystem on  top  of  /tmp  directory
1590              whitelisting X11 and PulseAudio sockets.
1591
1592              Example:
1593              $ firejail --private-tmp
1594              $ ls -al /tmp
1595              drwxrwxrwt  4 nobody nogroup   80 Apr 30 11:46 .
1596              drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
1597              drwx------   2  nobody  nogroup  4096  Apr  30  10:52 pulse-PKd‐
1598              htXMmr18n
1599              drwxrwxrwt  2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
1600
1601
1602       --profile=filename_or_profilename
1603              Load a custom security profile from filename. For  filename  use
1604              an  absolute  path  or a path relative to the current path.  For
1605              more information, see SECURITY PROFILES section below.
1606
1607              Example:
1608              $ firejail --profile=myprofile
1609
1610
1611       --profile.print=name|pid
1612              Print the name of the profile file for the sandbox identified by
1613              name or or PID.
1614
1615              Example:
1616              $ firejail --profile.print=browser
1617              /etc/firejail/firefox.profile
1618
1619       --protocol=protocol,protocol,protocol
1620              Enable  protocol  filter.  The  filter  is  based on seccomp and
1621              checks the first argument to  socket  system  call.   Recognized
1622              values:  unix, inet, inet6, netlink, packet, and bluetooth. This
1623              option is not supported for i386 architecture.  Multiple  proto‐
1624              col commands are allowed and they accumulate.
1625
1626              Example:
1627              $ firejail --protocol=unix,inet,inet6 firefox
1628
1629       --protocol.print=name|pid
1630              Print  the protocol filter for the sandbox identified by name or
1631              PID.
1632
1633              Example:
1634              $ firejail --name=mybrowser firefox &
1635              $ firejail --protocol.print=mybrowser
1636              unix,inet,inet6,netlink
1637
1638              Example:
1639              $ firejail --list
1640              3272:netblue::firejail --private firefox
1641              $ firejail --protocol.print=3272
1642              unix,inet,inet6,netlink
1643
1644       --put=name|pid src-filename dest-filename
1645              Put a file in sandbox container, see FILE TRANSFER  section  for
1646              more details.
1647
1648       --quiet
1649              Turn off Firejail's output.
1650
1651              The  same effect can be obtained by setting an environment vari‐
1652              able FIREJAIL_QUIET to yes.
1653
1654       --read-only=dirname_or_filename
1655              Set directory or file read-only. File globbing is supported, see
1656              FILE GLOBBING section for more details.
1657
1658              Example:
1659              $ firejail --read-only=~/.mozilla firefox
1660
1661       --read-write=dirname_or_filename
1662              Set  directory or file read-write. Only files or directories be‐
1663              longing to the current user are allowed for this operation. File
1664              globbing  is  supported,  see FILE GLOBBING section for more de‐
1665              tails.  Example:
1666
1667              $ mkdir ~/test
1668              $ touch ~/test/a
1669              $ firejail --read-only=~/test --read-write=~/test/a
1670
1671
1672
1673       --restrict-namespaces
1674              Install a seccomp filter that  blocks  attempts  to  create  new
1675              cgroup, ipc, net, mount, pid, time, user or uts namespaces.
1676
1677              Example:
1678              $ firejail --restrict-namespaces
1679
1680
1681       --restrict-namespaces=cgroup,ipc,net,mnt,pid,time,user,uts
1682              Install  a  seccomp filter that blocks attempts to create any of
1683              the specified namespaces. The filter examines the  arguments  of
1684              clone, unshare and setns system calls and returns error EPERM to
1685              the process (or kills it or logs the attempt, see  --seccomp-er‐
1686              ror-action below) if necessary. Note that the filter is not able
1687              to examine the arguments of clone3 system calls, and always  re‐
1688              sponds to these calls with error ENOSYS.
1689
1690              Example:
1691              $ firejail --restrict-namespaces=user,net
1692
1693
1694       --rlimit-as=number
1695              Set  the  maximum  size of the process's virtual memory (address
1696              space) in bytes.  Use k(ilobyte), m(egabyte) or  g(igabyte)  for
1697              size suffix (base 1024).
1698
1699
1700       --rlimit-cpu=number
1701              Set  the  maximum  limit, in seconds, for the amount of CPU time
1702              each sandboxed process can consume. When the limit  is  reached,
1703              the processes are killed.
1704
1705              The  CPU  limit  is  a  limit on CPU seconds rather than elapsed
1706              time. CPU seconds is basically how many seconds the CPU has been
1707              in  use  and does not necessarily directly relate to the elapsed
1708              time. Linux kernel keeps track of CPU seconds for  each  process
1709              independently.
1710
1711
1712       --rlimit-fsize=number
1713              Set the maximum file size that can be created by a process.  Use
1714              k(ilobyte), m(egabyte)  or  g(igabyte)  for  size  suffix  (base
1715              1024).
1716
1717       --rlimit-nofile=number
1718              Set the maximum number of files that can be opened by a process.
1719
1720       --rlimit-nproc=number
1721              Set  the maximum number of processes that can be created for the
1722              real user ID of the calling process.
1723
1724       --rlimit-sigpending=number
1725              Set the maximum number of pending signals for a process.
1726
1727
1728       --rmenv=name
1729              Remove environment variable in the new sandbox.
1730
1731              Example:
1732              $ firejail --rmenv=DBUS_SESSION_BUS_ADDRESS
1733
1734       --scan ARP-scan all the networks from inside a network namespace.  This
1735              makes  it  possible to detect macvlan kernel device drivers run‐
1736              ning on the current host.
1737
1738              Example:
1739              $ firejail --net=eth0 --scan
1740
1741       --seccomp
1742              Enable seccomp filter and blacklist the syscalls in the  default
1743              list,  which is @default-nodebuggers unless --allow-debuggers is
1744              specified, then it is @default.
1745
1746              To help creating useful seccomp filters more easily, the follow‐
1747              ing  system  call  groups  are defined: @aio, @basic-io, @chown,
1748              @clock, @cpu-emulation, @debug, @default,  @default-nodebuggers,
1749              @default-keep,  @file-system,  @io-event,  @ipc, @keyring, @mem‐
1750              lock,  @module,  @mount,  @network-io,  @obsolete,  @privileged,
1751              @process,  @raw-io,  @reboot, @resources, @setuid, @swap, @sync,
1752              @system-service and @timer.  More information about  groups  can
1753              be found in /usr/share/doc/firejail/syscalls.txt
1754
1755              The  default  list  can  be customized, see --seccomp= for a de‐
1756              scription.  It can be customized  also  globally  in  /etc/fire‐
1757              jail/firejail.config file.
1758
1759              System  architecture  is  strictly  imposed  only if flag --sec‐
1760              comp.block-secondary is used. The filter is applied at run  time
1761              only  if  the correct architecture was detected. For the case of
1762              I386 and AMD64 both 32-bit and 64-bit filters are installed.
1763
1764              Firejail will print seccomp violations to the audit log  if  the
1765              kernel was compiled with audit support (CONFIG_AUDIT flag).
1766
1767              Example:
1768              $ firejail --seccomp
1769
1770
1771
1772       --seccomp=syscall,@group,!syscall2
1773              Enable  seccomp  filter,  blacklist  the  default  list  and the
1774              syscalls or syscall groups specified by the command,  but  don't
1775              blacklist  "syscall2".  On  a 64 bit architecture, an additional
1776              filter for 32 bit system calls  can  be  installed  with  --sec‐
1777              comp.32.
1778
1779              Example:
1780              $ firejail --seccomp=utime,utimensat,utimes firefox
1781              $ firejail --seccomp=@clock,mkdir,unlinkat transmission-gtk
1782              $ firejail '--seccomp=@ipc,!pipe,!pipe2' audacious
1783
1784              Syscalls  can be specified by their number if prefix $ is added,
1785              so for example $165 would be equal to mount on i386.
1786
1787              Instead of dropping the syscall by returning EPERM, another  er‐
1788              ror  number can be returned using syscall:errno syntax. This can
1789              be also  changed  globally  with  --seccomp-error-action  or  in
1790              /etc/firejail/firejail.config  file.   The  process  can also be
1791              killed by using syscall:kill  syntax,  or  the  attempt  may  be
1792              logged with syscall:log.
1793
1794              Example:
1795              $ firejail --seccomp=unlinkat:ENOENT,utimensat,utimes
1796              Parent pid 10662, child pid 10663
1797              Child process initialized
1798              $ touch testfile
1799              $ ls testfile
1800              testfile
1801              $ rm testfile
1802              rm: cannot remove `testfile': No such file or directory
1803
1804              If the blocked system calls would also block Firejail from oper‐
1805              ating, they are handled by adding a preloaded library which per‐
1806              forms  seccomp system calls later. However, this is incompatible
1807              with 32 bit seccomp filters.
1808
1809              Example:
1810              $ firejail --noprofile --seccomp=execve sh
1811              Parent pid 32751, child pid 32752
1812              Post-exec seccomp protector enabled
1813              list in: execve,  check  list:  @default-keep  prelist:  (null),
1814              postlist: execve
1815              Child process initialized in 46.44 ms
1816              $ ls
1817              Operation not permitted
1818
1819
1820       --seccomp.block-secondary
1821              Enable  seccomp  filter  and filter system call architectures so
1822              that only the native architecture is allowed.  For  example,  on
1823              amd64, i386 and x32 system calls are blocked as well as changing
1824              the execution domain with personality(2) system call.
1825
1826
1827       --seccomp.drop=syscall,@group
1828              Enable seccomp filter, and blacklist the syscalls or the syscall
1829              groups  specified  by  the command. On a 64 bit architecture, an
1830              additional filter for 32 bit system calls can be installed  with
1831              --seccomp.32.drop.
1832
1833              Example:
1834              $ firejail --seccomp.drop=utime,utimensat,utimes,@clock
1835
1836              Instead  of dropping the syscall by returning EPERM, another er‐
1837              ror number can be returned using syscall:errno syntax. This  can
1838              be  also  changed  globally  with  --seccomp-error-action  or in
1839              /etc/firejail/firejail.config file.  The  process  can  also  be
1840              killed  by  using  syscall:kill  syntax,  or  the attempt may be
1841              logged with syscall:log.
1842
1843              Example:
1844              $ firejail --seccomp.drop=unlinkat:ENOENT,utimensat,utimes
1845              Parent pid 10662, child pid 10663
1846              Child process initialized
1847              $ touch testfile
1848              $ ls testfile
1849              testfile
1850              $ rm testfile
1851              rm: cannot remove `testfile': No such file or directory
1852
1853
1854       --seccomp.keep=syscall,@group,!syscall2
1855              Enable seccomp filter, blacklist  all  syscall  not  listed  and
1856              "syscall2".   The  system  calls  needed by Firejail (group @de‐
1857              fault-keep:  prctl,  execve,  execveat)  are  handled  with  the
1858              preload  library. On a 64 bit architecture, an additional filter
1859              for 32 bit system calls can be installed with --seccomp.32.keep.
1860
1861              Example:
1862              $ firejail --seccomp.keep=poll,select,[...] transmission-gtk
1863
1864
1865       --seccomp.print=name|pid
1866              Print the seccomp filter for the sandbox identified by  name  or
1867              PID.
1868
1869              Example:
1870              $ firejail --name=browser firefox &
1871              $ firejail --seccomp.print=browser
1872               line  OP JT JF    K
1873              =================================
1874               0000: 20 00 00 00000004   ld  data.architecture
1875               0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
1876               0002: 06 00 00 7fff0000   ret ALLOW
1877               0003: 20 00 00 00000000   ld  data.syscall-number
1878               0004: 35 01 00 40000000   jge X32_ABI true:0006 (false 0005)
1879               0005: 35 01 00 00000000   jge read 0007 (false 0006)
1880               0006: 06 00 00 00050001   ret ERRNO(1)
1881               0007: 15 41 00 0000009a   jeq modify_ldt 0049 (false 0008)
1882               0008: 15 40 00 000000d4   jeq lookup_dcookie 0049 (false 0009)
1883               0009: 15 3f 00 0000012a   jeq perf_event_open 0049 (false 000a)
1884               000a:  15  3e  00  00000137   jeq process_vm_writev 0049 (false
1885              000b)
1886               000b: 15 3d 00 0000009c   jeq _sysctl 0049 (false 000c)
1887               000c: 15 3c 00 000000b7   jeq afs_syscall 0049 (false 000d)
1888               000d: 15 3b 00 000000ae   jeq create_module 0049 (false 000e)
1889               000e: 15 3a 00 000000b1   jeq get_kernel_syms 0049 (false 000f)
1890               000f: 15 39 00 000000b5   jeq getpmsg 0049 (false 0010)
1891               0010: 15 38 00 000000b6   jeq putpmsg 0049 (false 0011)
1892               0011: 15 37 00 000000b2   jeq query_module 0049 (false 0012)
1893               0012: 15 36 00 000000b9   jeq security 0049 (false 0013)
1894               0013: 15 35 00 0000008b   jeq sysfs 0049 (false 0014)
1895               0014: 15 34 00 000000b8   jeq tuxcall 0049 (false 0015)
1896               0015: 15 33 00 00000086   jeq uselib 0049 (false 0016)
1897               0016: 15 32 00 00000088   jeq ustat 0049 (false 0017)
1898               0017: 15 31 00 000000ec   jeq vserver 0049 (false 0018)
1899               0018: 15 30 00 0000009f   jeq adjtimex 0049 (false 0019)
1900               0019: 15 2f 00 00000131   jeq clock_adjtime 0049 (false 001a)
1901               001a: 15 2e 00 000000e3   jeq clock_settime 0049 (false 001b)
1902               001b: 15 2d 00 000000a4   jeq settimeofday 0049 (false 001c)
1903               001c: 15 2c 00 000000b0   jeq delete_module 0049 (false 001d)
1904               001d: 15 2b 00 00000139   jeq finit_module 0049 (false 001e)
1905               001e: 15 2a 00 000000af   jeq init_module 0049 (false 001f)
1906               001f: 15 29 00 000000ad   jeq ioperm 0049 (false 0020)
1907               0020: 15 28 00 000000ac   jeq iopl 0049 (false 0021)
1908               0021: 15 27 00 000000f6   jeq kexec_load 0049 (false 0022)
1909               0022: 15 26 00 00000140   jeq kexec_file_load 0049 (false 0023)
1910               0023: 15 25 00 000000a9   jeq reboot 0049 (false 0024)
1911               0024: 15 24 00 000000a7   jeq swapon 0049 (false 0025)
1912               0025: 15 23 00 000000a8   jeq swapoff 0049 (false 0026)
1913               0026: 15 22 00 000000a3   jeq acct 0049 (false 0027)
1914               0027: 15 21 00 00000141   jeq bpf 0049 (false 0028)
1915               0028: 15 20 00 000000a1   jeq chroot 0049 (false 0029)
1916               0029: 15 1f 00 000000a5   jeq mount 0049 (false 002a)
1917               002a: 15 1e 00 000000b4   jeq nfsservctl 0049 (false 002b)
1918               002b: 15 1d 00 0000009b   jeq pivot_root 0049 (false 002c)
1919               002c: 15 1c 00 000000ab   jeq setdomainname 0049 (false 002d)
1920               002d: 15 1b 00 000000aa   jeq sethostname 0049 (false 002e)
1921               002e: 15 1a 00 000000a6   jeq umount2 0049 (false 002f)
1922               002f: 15 19 00 00000099   jeq vhangup 0049 (false 0030)
1923               0030: 15 18 00 000000ee   jeq set_mempolicy 0049 (false 0031)
1924               0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
1925               0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
1926               0033: 15 15 00 000000ed   jeq mbind 0049 (false 0034)
1927               0034: 15 14 00 00000130    jeq  open_by_handle_at  0049  (false
1928              0035)
1929               0035:  15  13  00  0000012f   jeq name_to_handle_at 0049 (false
1930              0036)
1931               0036: 15 12 00 000000fb   jeq ioprio_set 0049 (false 0037)
1932               0037: 15 11 00 00000067   jeq syslog 0049 (false 0038)
1933               0038: 15 10 00 0000012c   jeq fanotify_init 0049 (false 0039)
1934               0039: 15 0f 00 00000138   jeq kcmp 0049 (false 003a)
1935               003a: 15 0e 00 000000f8   jeq add_key 0049 (false 003b)
1936               003b: 15 0d 00 000000f9   jeq request_key 0049 (false 003c)
1937               003c: 15 0c 00 000000fa   jeq keyctl 0049 (false 003d)
1938               003d: 15 0b 00 000000ce   jeq io_setup 0049 (false 003e)
1939               003e: 15 0a 00 000000cf   jeq io_destroy 0049 (false 003f)
1940               003f: 15 09 00 000000d0   jeq io_getevents 0049 (false 0040)
1941               0040: 15 08 00 000000d1   jeq io_submit 0049 (false 0041)
1942               0041: 15 07 00 000000d2   jeq io_cancel 0049 (false 0042)
1943               0042: 15 06 00  000000d8    jeq  remap_file_pages  0049  (false
1944              0043)
1945               0043: 15 05 00 00000116   jeq vmsplice 0049 (false 0044)
1946               0044: 15 04 00 00000087   jeq personality 0049 (false 0045)
1947               0045: 15 03 00 00000143   jeq userfaultfd 0049 (false 0046)
1948               0046: 15 02 00 00000065   jeq ptrace 0049 (false 0047)
1949               0047:  15  01  00  00000136    jeq process_vm_readv 0049 (false
1950              0048)
1951               0048: 06 00 00 7fff0000   ret ALLOW
1952               0049: 06 00 01 00000000   ret KILL
1953              $
1954
1955
1956       --seccomp-error-action= kill | ERRNO | log
1957              By default, if a  seccomp  filter  blocks  a  system  call,  the
1958              process gets EPERM as the error. With --seccomp-error-action=er‐
1959              ror, another error number can be returned, for example ENOSYS or
1960              EACCES. The process can also be killed (like in versions <0.9.63
1961              of Firejail) by using --seccomp-error-action=kill syntax, or the
1962              attempt  may  be  logged  with  --seccomp-error-action=log.  Not
1963              killing the process weakens Firejail  slightly  when  trying  to
1964              contain  intrusion, but it may also allow tighter filters if the
1965              only alternative is to allow a system call.
1966
1967
1968       --shutdown=name|pid
1969              Shutdown the sandbox identified by name or PID.
1970
1971              Example:
1972              $ firejail --name=mygame --caps.drop=all warzone2100 &
1973              $ firejail --shutdown=mygame
1974
1975              Example:
1976              $ firejail --list
1977              3272:netblue::firejail --private firefox
1978              $ firejail --shutdown=3272
1979
1980
1981       --snitrace[=name|pid]
1982              Monitor Server Name Indication (TLS/SNI).  The  sandbox  can  be
1983              specified  by name or pid. Only networked sandboxes created with
1984              --net are supported. This option is only available when  running
1985              the sandbox as root.
1986
1987              Without  a  name/pid, Firejail will monitor the main system net‐
1988              work namespace.
1989
1990              Example:
1991              $ sudo firejail --snitrace
1992              07:49:51  23.185.0.3       linux.com
1993              07:49:51  23.185.0.3       www.linux.com
1994              07:50:05  192.0.73.2       secure.gravatar.com
1995              07:52:35  172.67.68.93     www.howtoforge.com
1996              07:52:37  13.225.103.59    sf.ezoiccdn.com
1997              07:52:42  142.250.176.3    www.gstatic.com
1998              07:53:03  173.236.250.32   www.linuxlinks.com
1999              07:53:05  192.0.77.37      c0.wp.com
2000              07:53:08  192.0.78.32      jetpack.wordpress.com
2001              07:53:09  192.0.77.32      s0.wp.com
2002              07:53:09  192.0.77.2       i0.wp.com
2003              07:53:10  192.0.77.2       i0.wp.com
2004              07:53:11  192.0.73.2       1.gravatar.com
2005
2006
2007       --tab  Enable shell  tab  completion  in  sandboxes  using  private  or
2008              whitelisted home directories.
2009
2010              $ firejail --private --tab
2011
2012       --timeout=hh:mm:ss
2013              Kill  the  sandbox automatically after the time has elapsed. The
2014              time is specified in hours/minutes/seconds format.
2015
2016              $ firejail --timeout=01:30:00 firefox
2017
2018       --tmpfs=dirname
2019              Mount a writable tmpfs filesystem on directory dirname. Directo‐
2020              ries outside user home or not owned by the user are not allowed.
2021              Sandboxes running as root are exempt  from  these  restrictions.
2022              File  globbing  is supported, see FILE GLOBBING section for more
2023              details.
2024
2025              Example:
2026              $ firejail --tmpfs=~/.local/share
2027
2028       --top  Monitor the most CPU-intensive sandboxes, see MONITORING section
2029              for more details.
2030
2031              Example:
2032              $ firejail --top
2033
2034       --trace[=filename]
2035              Trace  open,  access  and  connect  system calls. If filename is
2036              specified, log trace output to filename, otherwise log  to  con‐
2037              sole.
2038
2039              Example:
2040              $ firejail --trace wget -q www.debian.org
2041              Reading profile /etc/firejail/wget.profile
2042              3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
2043              3:wget:fopen /etc/hosts:0x5c8e8cfb70
2044              3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
2045              3:wget:connect 3 8.8.8.8 port 53:0
2046              3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
2047              3:wget:connect 3 130.89.148.14 port 80:0
2048              3:wget:fopen64 index.html:0x5c8e8d1a60
2049
2050              parent is shutting down, bye...
2051
2052       --tracelog
2053              This  option enables auditing blacklisted files and directories.
2054              A message is sent to syslog in case the file or the directory is
2055              accessed.
2056
2057              Example:
2058              $ firejail --tracelog firefox
2059
2060              Sample messages:
2061              $ sudo tail -f /var/log/syslog
2062              [...]
2063              Dec  3 11:43:25 debian firejail[70]: blacklist violation - sand‐
2064              box 26370, exe firefox, syscall open64, path /etc/shadow
2065              Dec  3 11:46:17 debian firejail[70]: blacklist violation - sand‐
2066              box 26370, exe firefox, syscall opendir, path /boot
2067              [...]
2068
2069              Note:  Support for this command is controlled in firejail.config
2070              with the tracelog option.
2071
2072       --tree Print a tree of all sandboxed processes, see MONITORING  section
2073              for more details.
2074
2075              Example:
2076              $ firejail --tree
2077              11903:netblue:firejail iceweasel
2078                11904:netblue:iceweasel
2079                  11957:netblue:/usr/lib/iceweasel/plugin-container
2080              11969:netblue:firejail --net=eth0 transmission-gtk
2081                11970:netblue:transmission-gtk
2082
2083
2084       --version
2085              Print program version/compile time support and exit.
2086
2087              Example:
2088              $ firejail --version
2089              firejail version 0.9.27
2090
2091              Compile time support:
2092                  - AppArmor support is enabled
2093                  - AppImage support is enabled
2094                  - chroot support is enabled
2095                  - file and directory whitelisting support is enabled
2096                  - file transfer support is enabled
2097                  - firetunnel support is enabled
2098                  - networking support is enabled
2099                  - overlayfs support is enabled
2100                  - private-home support is enabled
2101                  - seccomp-bpf support is enabled
2102                  - user namespace support is enabled
2103                  - X11 sandboxing support is enabled
2104
2105       --veth-name=name
2106              Use  this  name  for  the  interface connected to the bridge for
2107              --net=bridge_interface commands, instead of the default one.
2108
2109              Example:
2110              $ firejail --net=br0 --veth-name=if0
2111
2112       --whitelist=dirname_or_filename
2113              Whitelist directory or file. A temporary file system is  mounted
2114              on the top directory, and the whitelisted files are mount-binded
2115              inside. Modifications to whitelisted files are  persistent,  ev‐
2116              erything  else  is discarded when the sandbox is closed. The top
2117              directory can be all directories in / (except /proc  and  /sys),
2118              /sys/module, /run/user/$UID, $HOME and all directories in /usr.
2119
2120              Symbolic  link  handling: Whitelisting a path that is a symbolic
2121              link will also whitelist the path that it points to.  For  exam‐
2122              ple,  if ~/foo is whitelisted and it points to ~/bar, then ~/bar
2123              will also be whitelisted.  Restrictions: With the  exception  of
2124              the  user home directory, both the link and the real file should
2125              be in the same top directory.  For symbolic links  in  the  user
2126              home  directory, both the link and the real file should be owned
2127              by the user.
2128
2129              File globbing is supported, see FILE GLOBBING section  for  more
2130              details.
2131
2132              Example:
2133              $ firejail --noprofile --whitelist=~/.mozilla
2134              $ firejail --whitelist=/tmp/.X11-unix --whitelist=/dev/null
2135              $ firejail "--whitelist=/home/username/My Virtual Machines"
2136              $ firejail --whitelist=~/work* --whitelist=/var/backups*
2137
2138
2139       --writable-etc
2140              Mount /etc directory read-write.
2141
2142              Example:
2143              $ sudo firejail --writable-etc
2144
2145
2146       --writable-run-user
2147              Disable  the  default blacklisting of /run/user/$UID/systemd and
2148              /run/user/$UID/gnupg.
2149
2150              Example:
2151              $ sudo firejail --writable-run-user
2152
2153
2154       --writable-var
2155              Mount /var directory read-write.
2156
2157              Example:
2158              $ sudo firejail --writable-var
2159
2160
2161       --writable-var-log
2162              Use the real /var/log directory, not  a  clone.  By  default,  a
2163              tmpfs  is  mounted  on top of /var/log directory, and a skeleton
2164              filesystem is created based on the original /var/log.
2165
2166              Example:
2167              $ sudo firejail --writable-var-log
2168
2169
2170       --x11  Sandbox the application using Xpra, Xephyr, Xvfb or  Xorg  secu‐
2171              rity extension.  The sandbox will prevent screenshot and keylog‐
2172              ger applications  started  inside  the  sandbox  from  accessing
2173              clients  running  outside  the  sandbox.  Firejail will try Xpra
2174              first, and if Xpra is not installed on the system, it  will  try
2175              to  find Xephyr.  If all fails, Firejail will not attempt to use
2176              Xvfb or X11 security extension.
2177
2178              Xpra, Xephyr and Xvfb modes require a network  namespace  to  be
2179              instantiated  in  order  to disable X11 abstract Unix socket. If
2180              this is not possible, the user can disable the  abstract  socket
2181              by  adding  "-nolisten  local"  on  Xorg  command line at system
2182              level.
2183
2184              Example:
2185              $ firejail --x11 --net=eth0 firefox
2186
2187
2188       --x11=none
2189              Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and  the
2190              file  specified  in  ${XAUTHORITY} environment variable.  Remove
2191              DISPLAY and XAUTHORITY environment variables.  Stop  with  error
2192              message if X11 abstract socket will be accessible in jail.
2193
2194
2195       --x11=xephyr
2196              Start Xephyr and attach the sandbox to this server.  Xephyr is a
2197              display server implementing the X11 display server protocol.   A
2198              network  namespace needs to be instantiated in order to deny ac‐
2199              cess to X11 abstract Unix domain socket.
2200
2201              Xephyr runs in a window just like any other X11 application. The
2202              default  window  size  is  800x600.   This  can  be  modified in
2203              /etc/firejail/firejail.config file.
2204
2205              The recommended way to use this feature is to run a window  man‐
2206              ager inside the sandbox.  A security profile for OpenBox is pro‐
2207              vided.
2208
2209              Xephyr is developed by Xorg project. On Debian platforms  it  is
2210              installed  with the command sudo apt-get install xserver-xephyr.
2211              This feature is not available when running as root.
2212
2213              Example:
2214              $ firejail --x11=xephyr --net=eth0 openbox
2215
2216
2217       --x11=xorg
2218              Sandbox the application using the untrusted mode implemented  by
2219              X11  security  extension.   The  extension  is available in Xorg
2220              package and it is installed by default on most  Linux  distribu‐
2221              tions.  It  provides support for a simple trusted/untrusted con‐
2222              nection model. Untrusted clients are restricted in certain  ways
2223              to  prevent  them from reading window contents of other clients,
2224              stealing input events, etc.
2225
2226              The untrusted mode has several limitations.  A  lot  of  regular
2227              programs assume they are a trusted X11 clients and will crash or
2228              lock up when run in untrusted mode. Chromium browser  and  xterm
2229              are two examples.  Firefox and transmission-gtk seem to be work‐
2230              ing fine.  A network namespace is not required for this option.
2231
2232              Example:
2233              $ firejail --x11=xorg firefox
2234
2235
2236       --x11=xpra
2237              Start Xpra (https://xpra.org) and attach  the  sandbox  to  this
2238              server.   Xpra  is a persistent remote display server and client
2239              for forwarding X11 applications and desktop screens.  A  network
2240              namespace  needs  to  be instantiated in order to deny access to
2241              X11 abstract Unix domain socket.
2242
2243              On Debian platforms Xpra is installed with the command sudo apt-
2244              get install xpra.  This feature is not available when running as
2245              root.
2246
2247              Example:
2248              $ firejail --x11=xpra --net=eth0 firefox
2249
2250
2251
2252       --x11=xvfb
2253              Start Xvfb X11 server and attach the  sandbox  to  this  server.
2254              Xvfb,  short  for  X virtual framebuffer, performs all graphical
2255              operations in memory without showing any screen output. Xvfb  is
2256              mainly  used  for remote access and software testing on headless
2257              servers.
2258
2259              On Debian platforms Xvfb is installed with the command sudo apt-
2260              get install xvfb.  This feature is not available when running as
2261              root.
2262
2263              Example: remote VNC access
2264
2265              On the server we start a sandbox using Xvfb and  openbox  window
2266              manager.  The default size of Xvfb screen is 800x600 - it can be
2267              changed  in  /etc/firejail/firejail.config  (xvfb-screen).  Some
2268              sort  of  networking (--net) is required in order to isolate the
2269              abstract sockets used by other X servers.
2270
2271              $ firejail --net=none --x11=xvfb openbox
2272
2273              *** Attaching to Xvfb display 792 ***
2274
2275              Reading profile /etc/firejail/openbox.profile
2276              Reading profile /etc/firejail/disable-common.inc
2277              Reading profile /etc/firejail/disable-common.local
2278              Parent pid 5400, child pid 5401
2279
2280              On the server we also start a VNC server and attach  it  to  the
2281              display handled by our Xvfb server (792).
2282
2283              $ x11vnc -display :792
2284
2285              On  the  client machine we start a VNC viewer and use it to con‐
2286              nect to our server:
2287
2288              $ vncviewer
2289
2290
2291       --xephyr-screen=WIDTHxHEIGHT
2292              Set screen size for --x11=xephyr. The setting will overwrite the
2293              default  set  in  /etc/firejail/firejail.config  for the current
2294              sandbox. Run xrandr to get a list of  supported  resolutions  on
2295              your computer.
2296
2297              Example:
2298              $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 fire‐
2299              fox
2300
2301

DESKTOP INTEGRATION

2303       A symbolic link to /usr/bin/firejail under the name of a program,  will
2304       start  the  program  in  Firejail sandbox.  The symbolic link should be
2305       placed in the first $PATH position. On most systems, a  good  place  is
2306       /usr/local/bin directory. Example:
2307
2308              Make a firefox symlink to /usr/bin/firejail:
2309
2310              $ sudo ln -s /usr/bin/firejail /usr/local/bin/firefox
2311
2312              Verify $PATH
2313
2314              $ which -a firefox
2315              /usr/local/bin/firefox
2316              /usr/bin/firefox
2317
2318              Starting firefox in this moment, automatically invokes “firejail
2319              firefox”.
2320
2321       This works for clicking on desktop environment icons,  menus  etc.  Use
2322       "firejail --tree" to verify the program is sandboxed.
2323
2324              $ firejail --tree
2325              1189:netblue:firejail firefox
2326                1190:netblue:firejail firefox
2327                  1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
2328                    1221:netblue:/usr/lib/firefox/firefox
2329
2330       We  provide  a  tool  that  automates  all this integration, please see
2331       firecfg(1) for more details.
2332
2333

EXAMPLES

2335       firejail
2336              Sandbox a regular shell session.
2337
2338       firejail firefox
2339              Start Mozilla Firefox.
2340
2341       firejail --debug firefox
2342              Debug Firefox sandbox.
2343
2344       firejail --private firefox
2345              Start Firefox with a new, empty home directory.
2346
2347       firejail --net=none vlc
2348              Start VLC in an unconnected network namespace.
2349
2350       firejail --net=eth0 firefox
2351              Start Firefox in a new network namespace. An IP address  is  as‐
2352              signed automatically.
2353
2354       firejail --net=br0 --ip=10.10.20.5 --net=br1 --net=br2
2355              Start  a shell session in a new network namespace and connect it
2356              to br0, br1, and br2 host bridge devices. IP addresses  are  as‐
2357              signed automatically for the interfaces connected to br1 and b2
2358
2359       firejail --list
2360              List all sandboxed processes.
2361
2362

FILE GLOBBING

2364       Globbing is the operation that expands a wildcard pattern into the
2365              list of pathnames matching the pattern.  This pattern is matched
2366              at firejail start, and is NOT UPDATED at runtime.  Files  match‐
2367              ing a blacklist, but created after firejail start will be acces‐
2368              sible within the jail. Matching is defined by:
2369
2370              - '?' matches any character
2371              - '*' matches any string
2372              - '[' denotes a range of characters
2373
2374       The globbing feature is implemented using glibc glob command. For
2375              more information on the wildcard syntax see man 7 glob.
2376
2377
2378       The following command line options are supported: --blacklist,
2379              --private-bin, --noexec, --read-only, --read-write, --tmpfs, and
2380              --whitelist.
2381
2382
2383       Examples:
2384
2385              $ firejail --private-bin=sh,bash,python*
2386              $ firejail --blacklist=~/dir[1234]
2387              $ firejail --read-only=~/dir[1-4]
2388
2389

FILE TRANSFER

2391       These features allow the user to inspect the filesystem container of an
2392       existing sandbox and transfer files between the container and the  host
2393       filesystem.
2394
2395
2396       --cat=name|pid filename
2397              Write content of a container file to standard out. The container
2398              is specified by name or PID.  If standard out is a terminal, all
2399              ASCII  control characters except new line and horizontal tab are
2400              replaced.
2401
2402
2403       --get=name|pid filename
2404              Retrieve the container file and store it on the host in the cur‐
2405              rent  working  directory.  The container is specified by name or
2406              PID.
2407
2408
2409       --ls=name|pid dir_or_filename
2410              List container files. The container is specified by name or PID.
2411
2412
2413       --put=name|pid src-filename dest-filename
2414              Put src-filename in sandbox container.  The container is  speci‐
2415              fied by name or PID.
2416
2417
2418       Examples:
2419
2420              $ firejail --name=mybrowser --private firefox
2421
2422              $ firejail --ls=mybrowser ~/Downloads
2423              drwxr-xr-x netblue  netblue         4096 .
2424              drwxr-xr-x netblue  netblue         4096 ..
2425              -rw-r--r-- netblue  netblue         7847 x11-x305.png
2426              -rw-r--r-- netblue  netblue         6800 x11-x642.png
2427              -rw-r--r-- netblue  netblue        34139 xpra-clipboard.png
2428
2429              $ firejail --get=mybrowser ~/Downloads/xpra-clipboard.png
2430
2431              $  firejail --put=mybrowser xpra-clipboard.png ~/Downloads/xpra-
2432              clipboard.png
2433
2434              $ firejail --cat=mybrowser ~/.bashrc
2435
2436
2437

MONITORING

2439       Option --list prints a list of  all  sandboxes.  The  format  for  each
2440       process entry is as follows:
2441
2442            PID:USER:Sandbox Name:Command
2443
2444       Option  --tree prints the tree of processes running in the sandbox. The
2445       format for each process entry is as follows:
2446
2447            PID:USER:Sandbox Name:Command
2448
2449       Option --top is similar to the UNIX top  command,  however  it  applies
2450       only to sandboxes.
2451
2452       Option  --netstats  prints  network statistics for active sandboxes in‐
2453       stalling new network namespaces.
2454
2455       Listed below are the available fields (columns) in  alphabetical  order
2456       for --top and --netstats options:
2457
2458
2459       Command
2460              Command used to start the sandbox.
2461
2462       CPU%   CPU  usage,  the sandbox share of the elapsed CPU time since the
2463              last screen update
2464
2465       PID    Unique process ID for the task controlling the sandbox.
2466
2467       Prcs   Number of processes running in sandbox, including  the  control‐
2468              ling process.
2469
2470       RES    Resident Memory Size (KiB), sandbox non-swapped physical memory.
2471              It is a sum of the RES values for all processes running  in  the
2472              sandbox.
2473
2474       RX(KB/s)
2475              Network receive speed.
2476
2477       Sandbox Name
2478              The name of the sandbox, if any.
2479
2480       SHR    Shared  Memory  Size (KiB), it reflects memory shared with other
2481              processes. It is a sum of the SHR values for all processes  run‐
2482              ning in the sandbox, including the controlling process.
2483
2484       TX(KB/s)
2485              Network transmit speed.
2486
2487       Uptime Sandbox running time in hours:minutes:seconds format.
2488
2489       USER   The owner of the sandbox.
2490
2491

RESTRICTED SHELL

2493       To  configure a restricted shell, replace /bin/bash with /usr/bin/fire‐
2494       jail in /etc/passwd file for each user that needs to be restricted. Al‐
2495       ternatively, you can specify /usr/bin/firejail in adduser command:
2496
2497       adduser --shell /usr/bin/firejail username
2498
2499       Additional  arguments  passed to firejail executable upon login are de‐
2500       clared in /etc/firejail/login.users file.
2501
2502

SECURITY PROFILES

2504       Several command line options can be passed to the program using profile
2505       files. Firejail chooses the profile file as follows:
2506
2507       1.  If  a  profile file is provided by the user with --profile=FILE op‐
2508       tion, the profile FILE is loaded. If a profile name  is  given,  it  is
2509       searched for first in the ~/.config/firejail directory and if not found
2510       then in /etc/firejail directory. Profile names do not include the .pro‐
2511       file suffix. If there is a file with the same name as the given profile
2512       name, it will be used instead of doing the profile search. To  force  a
2513       profile  search,  prefix  the profile name with a colon (:), eg. --pro‐
2514       file=:PROFILE_NAME.  Example:
2515
2516              $ firejail --profile=/home/netblue/icecat.profile icecat
2517              Reading profile /home/netblue/icecat.profile
2518              [...]
2519
2520
2521              $ firejail --profile=icecat icecat-wrapper.sh
2522              Reading profile /etc/firejail/icecat.profile
2523              [...]
2524
2525       2. If a profile file with the same name as the application  is  present
2526       in  ~/.config/firejail  directory  or  in /etc/firejail, the profile is
2527       loaded. ~/.config/firejail takes precedence over  /etc/firejail.  Exam‐
2528       ple:
2529
2530              $ firejail icecat
2531              Command name #icecat#
2532              Found icecat profile in /home/netblue/.config/firejail directory
2533              Reading profile /home/netblue/.config/firejail/icecat.profile
2534              [...]
2535
2536       3.  Use  default.profile  file  if  the sandbox is started by a regular
2537       user, or server.profile file if the sandbox is started by  root.  Fire‐
2538       jail looks for these files in ~/.config/firejail directory, followed by
2539       /etc/firejail directory.  To disable default profile loading, use --no‐
2540       profile command option. Example:
2541
2542              $ firejail
2543              Reading profile /etc/firejail/default.profile
2544              Parent pid 8553, child pid 8554
2545              Child process initialized
2546              [...]
2547
2548              $ firejail --noprofile
2549              Parent pid 8553, child pid 8554
2550              Child process initialized
2551              [...]
2552
2553       See man 5 firejail-profile for profile file syntax information.
2554

TRAFFIC SHAPING

2556       Network  bandwidth  is an expensive resource shared among all sandboxes
2557       running on a system.  Traffic shaping allows the user to increase  net‐
2558       work  performance by controlling the amount of data that flows into and
2559       out of the sandboxes.
2560
2561       Firejail implements a simple rate-limiting shaper based on  Linux  com‐
2562       mand  tc.   The shaper works at sandbox level, and can be used only for
2563       sandboxes configured with new network namespaces.
2564
2565       Set rate-limits:
2566
2567            $ firejail --bandwidth=name|pid set network download upload
2568
2569       Clear rate-limits:
2570
2571            $ firejail --bandwidth=name|pid clear network
2572
2573       Status:
2574
2575            $ firejail --bandwidth=name|pid status
2576
2577       where:
2578            name - sandbox name
2579            pid - sandbox pid
2580            network - network interface as used by --net option
2581            download - download speed in KB/s (kilobyte per second)
2582            upload - upload speed in KB/s (kilobyte per second)
2583
2584       Example:
2585            $ firejail --name=mybrowser --net=eth0 firefox &
2586            $ firejail --bandwidth=mybrowser set eth0 80 20
2587            $ firejail --bandwidth=mybrowser status
2588            $ firejail --bandwidth=mybrowser clear eth0
2589

LICENSE

2591       This program is free software; you can redistribute it and/or modify it
2592       under  the  terms of the GNU General Public License as published by the
2593       Free Software Foundation; either version 2 of the License, or (at  your
2594       option) any later version.
2595
2596       Homepage: https://firejail.wordpress.com
2597

SEE ALSO

2599       firemon(1),  firecfg(1),  firejail-profile(5), firejail-login(5), fire‐
2600       jail-users(5), jailcheck(1)
2601
2602https://github.com/netblue30/firejail/wiki⟩,
2603https://github.com/netblue30/firejail
2604
2605
2606
26070.9.72                             Jan 2023                        FIREJAIL(1)
Impressum