1FIREJAIL-PROFILE(5) firejail profiles man page FIREJAIL-PROFILE(5)
2
3
4
6 profile - Security profile file syntax, and information about building
7 new application profiles.
8
9
11 Using a specific profile:
12
13 firejail --profile=filename.profile
14
15 Example:
16 $ firejail --appimage --profile=/etc/firejail/kden‐
17 live.profile kdenlive.appimage
18
19
20 firejail --profile=profile_name
21
22 Example:
23 $ firejail --appimage --profile=kdenlive kdenlive.appim‐
24 age
25
26
27 Building a profile manually:
28
29 Start with the template in /usr/share/doc/firejail/profile.tem‐
30 plate and modify it in a text editor. To integrate the program
31 in your desktop environment copy the profile file in ~/.con‐
32 fig/firejail directory and run "sudo firecfg".
33
34 Aliases and redirections:
35
36 In some cases the same profile can be used for several applica‐
37 tions. One such example is LibreOffice. Build a regular pro‐
38 file for the main application, and for the rest use
39 /usr/share/doc/firejail/redirect_alias-profile.template.
40
41 Running the profile builder:
42
43 firejail --build=appname.profile appname
44
45 Example:
46 $ firejail --build=blobby.profile blobby
47
48 Run the program in "firejail --build" and try to exercise
49 as many program features as possible. The profile is ex‐
50 tracted and saved in the current directory. Open it in a
51 text editor and add or remove sandboxing options as nec‐
52 essary. Test again after modifying the profile. To inte‐
53 grate the program in your desktop environment copy the
54 profile file in ~/.config/firejail directory and run
55 "sudo firecfg".
56
58 Several command line options can be passed to the program using profile
59 files. Firejail chooses the profile file as follows:
60
61 1. If a profile file is provided by the user with --profile option, the
62 profile file is loaded. If a profile name is given, it is searched for
63 first in the ~/.config/firejail directory and if not found then in
64 /etc/firejail directory. Profile names do not include the .profile suf‐
65 fix. Example:
66
67 $ firejail --profile=/home/netblue/icecat.profile icecat
68 Reading profile /home/netblue/icecat.profile
69 [...]
70
71
72 $ firejail --profile=icecat icecat-wrapper.sh
73 Reading profile /etc/firejail/icecat.profile
74 [...]
75
76 2. If a profile file with the same name as the application is present
77 in ~/.config/firejail directory or in /etc/firejail, the profile is
78 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
79 ple:
80
81 $ firejail icecat
82 Command name #icecat#
83 Found icecat profile in /home/netblue/.config/firejail directory
84 Reading profile /home/netblue/.config/firejail/icecat.profile
85 [...]
86
87 3. Use a default.profile file if the sandbox is started by a regular
88 user, or a server.profile file if the sandbox is started by root. Fire‐
89 jail looks for these files in ~/.config/firejail directory, followed by
90 /etc/firejail directory. To disable default profile loading, use --no‐
91 profile command option. Example:
92
93 $ firejail
94 Reading profile /etc/firejail/default.profile
95 Parent pid 8553, child pid 8554
96 Child process initialized
97 [...]
98
99 $ firejail --noprofile
100 Parent pid 8553, child pid 8554
101 Child process initialized
102 [...]
103
104
106 In /usr/share/doc/firejail there are two templates to write new pro‐
107 files.
108 profile.template - for regular profiles
109 redirect_alias-profile.template - for aliasing/redirecting pro‐
110 files
111
112
113
115 Scripting commands:
116
117
118 File and directory names
119 File and directory names containing spaces are supported. The
120 space character ' ' should not be escaped.
121
122 Example: "blacklist ~/My Virtual Machines"
123
124
125 # this is a comment
126 Example:
127
128 # disable networking
129 net none # this command creates an empty network namespace
130
131
132 ?CONDITIONAL: profile line
133 Conditionally add profile line.
134
135 Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
136
137 This example will load the whitelist profile line only if the
138 --appimage option has been specified on the command line.
139
140 Currently the only conditionals supported this way are HAS_AP‐
141 PIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and
142 HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and
143 BROWSER_ALLOW_DRM can be enabled or disabled globally in Fire‐
144 jail's configuration file.
145
146 The profile line may be any profile line that you would normally
147 use in a profile except for "quiet" and "include" lines.
148
149 Note: When using one or more conditionals and --profile, it is
150 recommended that the relevant option(s) (such as --appimage) be
151 specified before --profile, so that their respective condi‐
152 tional(s) (such as ?HAS_APPIMAGE) inside of the profile evaluate
153 to true.
154
155
156 include other.profile
157 Include other.profile file.
158
159 Example: "include /etc/firejail/disable-common.inc"
160
161 The file name can be prefixed with a macro such as ${HOME} or
162 ${CFG}. ${HOME} is expanded as user home directory, and ${CFG}
163 is expanded as Firejail system configuration directory - in most
164 cases /etc/firejail or /usr/local/etc/firejail.
165
166 Example: "include ${HOME}/myprofiles/profile1" will load
167 "~/myprofiles/profile1" file.
168
169 Example: "include ${CFG}/firefox.profile" will load "/etc/fire‐
170 jail/firefox.profile" file.
171
172 The file name may also be just the name without the leading di‐
173 rectory components. In this case, first the user config direc‐
174 tory (${HOME}/.config/firejail) is searched for the file name
175 and if not found then the system configuration directory is
176 search for the file name. Note: Unlike the --profile option
177 which takes a profile name without the '.profile' suffix, in‐
178 clude must be given the full file name.
179
180 Example: "include firefox.profile" will load "${HOME}/.con‐
181 fig/firejail/firefox.profile" file and if it does not exist
182 "${CFG}/firefox.profile" will be loaded.
183
184 System configuration files in ${CFG} are overwritten during
185 software installation. Persistent configuration at system level
186 is handled in ".local" files. For every profile file in ${CFG}
187 directory, the user can create a corresponding .local file stor‐
188 ing modifications to the persistent configuration. Persistent
189 .local files are included at the start of regular profile files.
190
191
192 noblacklist file_name
193 If the file name matches file_name, the file will not be black‐
194 listed in any blacklist commands that follow.
195
196 Example: "noblacklist ${HOME}/.mozilla"
197
198
199 nowhitelist file_name
200 If the file name matches file_name, the file will not be
201 whitelisted in any whitelist commands that follow.
202
203 Example: "nowhitelist ~/.config"
204
205
206 ignore Ignore command.
207
208 Example: "ignore seccomp"
209 Example: "ignore net eth0"
210
211 quiet Disable Firejail's output. This should be the first uncommented
212 command in the profile file.
213
214 Example: "quiet"
215
216
218 These profile entries define a chroot filesystem built on top of the
219 existing host filesystem. Each line describes a file/directory that is
220 inaccessible (blacklist), a read-only file or directory (read-only), a
221 tmpfs mounted on top of an existing directory (tmpfs), or mount-bind a
222 directory or file on top of another directory or file (bind). Use pri‐
223 vate to set private mode. File globbing is supported, and PATH and
224 HOME directories are searched, see the firejail FILE GLOBBING section
225 for more details. Examples:
226
227 blacklist file_or_directory
228 Blacklist directory or file. Examples:
229
230 blacklist /usr/bin
231 blacklist /usr/bin/gcc*
232 blacklist ${PATH}/ifconfig
233 blacklist ${HOME}/.ssh
234
235
236 blacklist-nolog file_or_directory
237 When --tracelog flag is set, blacklisting generates syslog mes‐
238 sages if the sandbox tries to access the file or directory.
239 blacklist-nolog command disables syslog messages for this par‐
240 ticular file or directory. Examples:
241
242 blacklist-nolog /usr/bin
243 blacklist-nolog /usr/bin/gcc*
244
245
246 bind directory1,directory2
247 Mount-bind directory1 on top of directory2. This option is only
248 available when running as root.
249
250 bind file1,file2
251 Mount-bind file1 on top of file2. This option is only available
252 when running as root.
253
254 disable-mnt
255 Disable /mnt, /media, /run/mount and /run/media access.
256
257 keep-config-pulse
258 Disable automatic ~/.config/pulse init, for complex setups such
259 as remote pulse servers or non-standard socket paths.
260
261 keep-dev-shm
262 /dev/shm directory is untouched (even with private-dev).
263
264 keep-var-tmp
265 /var/tmp directory is untouched.
266
267 mkdir directory
268 Create a directory in user home, under /tmp, or under
269 /run/user/<UID> before the sandbox is started. The directory is
270 created if it doesn't already exist.
271
272 Use this command for whitelisted directories you need to pre‐
273 serve when the sandbox is closed. Without it, the application
274 will create the directory, and the directory will be deleted
275 when the sandbox is closed. Subdirectories are recursively cre‐
276 ated. Example from firefox profile:
277
278 mkdir ~/.mozilla
279 whitelist ~/.mozilla
280 mkdir ~/.cache/mozilla/firefox
281 whitelist ~/.cache/mozilla/firefox
282
283 For files in /run/user/<PID> use ${RUNUSER} macro:
284
285 mkdir ${RUNUSER}/firejail-testing
286
287 mkfile file
288 Similar to mkdir, this command creates an empty file in user
289 home, or /tmp, or under /run/user/<UID> before the sandbox is
290 started. The file is created if it doesn't already exist.
291
292 noexec file_or_directory
293 Remount the file or the directory noexec, nodev and nosuid.
294
295 private
296 Mount new /root and /home/user directories in temporary filesys‐
297 tems. All modifications are discarded when the sandbox is
298 closed.
299
300 private directory
301 Use directory as user home. --private and --private=directory
302 cannot be used together.
303
304 Bug: Even with this enabled, some commands (such as mkdir, mk‐
305 file and private-cache) will still operate on the original home
306 directory. Workaround: Disable the incompatible commands, such
307 as by using "ignore mkdir" and "ignore mkfile". For details,
308 see #903 ⟨https://github.com/netblue30/firejail/issues/903⟩
309
310 private-bin file,file
311 Build a new /bin in a temporary filesystem, and copy the pro‐
312 grams in the list. The files in the list must be expressed as
313 relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/lo‐
314 cal/bin directories. The same directory is also bind-mounted
315 over /sbin, /usr/bin and /usr/sbin. Multiple private-bin com‐
316 mands are allowed and they accumulate.
317
318 private-cache
319 Mount an empty temporary filesystem on top of the .cache direc‐
320 tory in user home. All modifications are discarded when the
321 sandbox is closed.
322
323 private-cwd
324 Set working directory inside jail to the home directory, and
325 failing that, the root directory.
326
327 private-cwd directory
328 Set working directory inside the jail. Full directory path is
329 required. Symbolic links are not allowed.
330
331 private-dev
332 Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
333 full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
334 shm and usb devices are available. Use the options no3d, nodvd,
335 nosound, notv, nou2f and novideo for additional restrictions.
336
337
338 private-etc file,directory
339 Build a new /etc in a temporary filesystem, and copy the files
340 and directories in the list. The files and directories in the
341 list must be expressed as relative to the /etc directory, and
342 must not contain the / character (e.g., /etc/foo must be ex‐
343 pressed as foo, but /etc/foo/bar -- expressed as foo/bar -- is
344 disallowed). All modifications are discarded when the sandbox
345 is closed. Multiple private-etc commands are allowed and they
346 accumulate.
347
348 private-home file,directory
349 Build a new user home in a temporary filesystem, and copy the
350 files and directories in the list in the new home. The files
351 and directories in the list must be expressed as relative to the
352 current user's home directory. All modifications are discarded
353 when the sandbox is closed.
354
355 private-lib file,directory
356 Build a new /lib directory and bring in the libraries required
357 by the application to run. The files and directories in the
358 list must be expressed as relative to the /lib directory. This
359 feature is still under development, see man 1 firejail for some
360 examples.
361
362 private-opt file,directory
363 Build a new /opt in a temporary filesystem, and copy the files
364 and directories in the list. The files and directories in the
365 list must be expressed as relative to the /opt directory, and
366 must not contain the / character (e.g., /opt/foo must be ex‐
367 pressed as foo, but /opt/foo/bar -- expressed as foo/bar -- is
368 disallowed). All modifications are discarded when the sandbox
369 is closed.
370
371 private-srv file,directory
372 Build a new /srv in a temporary filesystem, and copy the files
373 and directories in the list. The files and directories in the
374 list must be expressed as relative to the /srv directory, and
375 must not contain the / character (e.g., /srv/foo must be ex‐
376 pressed as foo, but /srv/foo/bar -- expressed as foo/bar -- is
377 disallowed). All modifications are discarded when the sandbox
378 is closed.
379
380 private-tmp
381 Mount an empty temporary filesystem on top of /tmp directory
382 whitelisting /tmp/.X11-unix.
383
384 read-only file_or_directory
385 Make directory or file read-only.
386
387 read-write file_or_directory
388 Make directory or file read-write.
389
390 tmpfs directory
391 Mount an empty tmpfs filesystem on top of directory. Directories
392 outside user home or not owned by the user are not allowed.
393 Sandboxes running as root are exempt from these restrictions.
394
395 tracelog
396 Blacklist violations logged to syslog.
397
398 whitelist file_or_directory
399 Whitelist directory or file. A temporary file system is mounted
400 on the top directory, and the whitelisted files are mount-binded
401 inside. Modifications to whitelisted files are persistent, ev‐
402 erything else is discarded when the sandbox is closed. The top
403 directory can be all directories in / (except /proc and /sys),
404 /sys/module, /run/user/$UID, $HOME and all directories in /usr.
405
406 Symbolic link handling: with the exception of user home, both
407 the link and the real file should be in the same top directory.
408 For user home, both the link and the real file should be owned
409 by the user.
410
411
412 whitelist-ro file_or_directory
413 Equivalent to "whitelist file_or_directory" followed by "read-
414 only file_or_directory"
415
416
417 writable-etc
418 Mount /etc directory read-write.
419
420 writable-run-user
421 Disable the default blacklisting of run/user/$UID/systemd and
422 /run/user/$UID/gnupg.
423
424 writable-var
425 Mount /var directory read-write.
426
427 writable-var-log
428 Use the real /var/log directory, not a clone. By default, a
429 tmpfs is mounted on top of /var/log directory, and a skeleton
430 filesystem is created based on the original /var/log.
431
432
434 The following security filters are currently implemented:
435
436
437 allow-debuggers
438 Allow tools such as strace and gdb inside the sandbox by
439 whitelisting system calls ptrace and process_vm_readv.
440
441 caps Enable default Linux capabilities filter. See capabilities(7)
442 for details.
443
444 caps.drop capability,capability,capability
445 Blacklist given Linux capabilities.
446
447 caps.drop all
448 Blacklist all Linux capabilities.
449
450 caps.keep capability,capability,capability
451 Whitelist given Linux capabilities.
452
453 memory-deny-write-execute
454 Install a seccomp filter to block attempts to create memory map‐
455 pings that are both writable and executable, to change mappings
456 to be executable or to create executable shared memory.
457
458 nonewprivs
459 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
460 cannot acquire new privileges using execve(2); in particular,
461 this means that calling a suid binary (or one with file capabil‐
462 ities) does not result in an increase of privilege.
463
464 noprinters
465 Disable printers.
466
467 noroot Use this command to enable an user namespace. The namespace has
468 only one user, the current user. There is no root account (uid
469 0) defined in the namespace.
470
471 protocol protocol1,protocol2,protocol3
472 Enable protocol filter. The filter is based on seccomp and
473 checks the first argument to socket system call. Recognized val‐
474 ues: unix, inet, inet6, netlink, packet, and bluetooth. Multi‐
475 ple protocol commands are allowed and they accumulate.
476
477 restrict-namespaces
478 Install a seccomp filter that blocks attempts to create new
479 cgroup, ipc, net, mount, pid, time, user or uts namespaces.
480
481 restrict-namespaces cgroup,ipc,net,mnt,pid,time,user,uts
482 Install a seccomp filter that blocks attempts to create any of
483 the specified namespaces.
484
485 seccomp
486 Enable seccomp filter and blacklist the syscalls in the default
487 list. See man 1 firejail for more details.
488
489 seccomp.32
490 Enable seccomp filter and blacklist the syscalls in the default
491 list for 32 bit system calls on a 64 bit architecture system.
492
493 seccomp syscall,syscall,syscall
494 Enable seccomp filter and blacklist the system calls in the list
495 on top of default seccomp filter.
496
497 seccomp.32 syscall,syscall,syscall
498 Enable seccomp filter and blacklist the system calls in the list
499 on top of default seccomp filter for 32 bit system calls on a 64
500 bit architecture system.
501
502 seccomp.block-secondary
503 Enable seccomp filter and filter system call architectures so
504 that only the native architecture is allowed.
505
506 seccomp.drop syscall,syscall,syscall
507 Enable seccomp filter and blacklist the system calls in the
508 list.
509
510 seccomp.32.drop syscall,syscall,syscall
511 Enable seccomp filter and blacklist the system calls in the list
512 for 32 bit system calls on a 64 bit architecture system.
513
514 seccomp.keep syscall,syscall,syscall
515 Enable seccomp filter and whitelist the system calls in the
516 list.
517
518 seccomp.32.keep syscall,syscall,syscall
519 Enable seccomp filter and whitelist the system calls in the list
520 for 32 bit system calls on a 64 bit architecture system.
521
522 seccomp-error-action kill | log | ERRNO
523 Return a different error instead of EPERM to the process, kill
524 it when an attempt is made to call a blocked system call, or al‐
525 low but log the attempt.
526
527 x11 Enable X11 sandboxing.
528
529 x11 none
530 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file
531 specified in ${XAUTHORITY} environment variable. Remove DISPLAY
532 and XAUTHORITY environment variables. Stop with error message
533 if X11 abstract socket will be accessible in jail.
534
535 x11 xephyr
536 Enable X11 sandboxing with Xephyr server.
537
538 x11 xorg
539 Enable X11 sandboxing with X11 security extension.
540
541 x11 xpra
542 Enable X11 sandboxing with Xpra server.
543
544 x11 xvfb
545 Enable X11 sandboxing with Xvfb server.
546
547 xephyr-screen WIDTHxHEIGHT
548 Set screen size for x11 xephyr. This command should be included
549 in the profile file before x11 xephyr command.
550
551 Example:
552
553 xephyr-screen 640x480
554 x11 xephyr
555
557 Access to the session and system DBus UNIX sockets can be allowed, fil‐
558 tered or disabled. To disable the abstract sockets (and force applica‐
559 tions to use the filtered UNIX socket) you would need to request a new
560 network namespace using --net command. Another option is to remove unix
561 from the --protocol set.
562
563 Filtering requires installing the xdg-dbus-proxy utility. Filter rules
564 can be specified for well-known DBus names, but they are also propa‐
565 gated to the owning unique name, too. The permissions are "sticky" and
566 are kept even if the corresponding well-known name is released (how‐
567 ever, applications rarely release well-known names in practice). Names
568 may have a .* suffix to match all names underneath them, including
569 themselves (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
570 "foo.bar.baz.quux", but not "foobar"). For more information, see xdg-
571 dbus-proxy(1).
572
573 Examples:
574
575
576 dbus-system filter
577 Enable filtered access to the system DBus. Filters can be speci‐
578 fied with the dbus-system.talk and dbus-system.own commands.
579
580 dbus-system none
581 Disable access to the system DBus. Once access is disabled, it
582 cannot be relaxed to filtering.
583
584 dbus-system.own org.gnome.ghex.*
585 Allow the application to own the name org.gnome.ghex and all
586 names underneath in on the system DBus.
587
588 dbus-system.talk org.freedesktop.Notifications
589 Allow the application to talk to the name org.freedesktop.Noti‐
590 fications on the system DBus.
591
592 dbus-system.see org.freedesktop.Notifications
593 Allow the application to see but not talk to the name
594 org.freedesktop.Notifications on the system DBus.
595
596 dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifi‐
597 cations.*@/org/freedesktop/Notifications
598 Allow the application to call methods of the interface
599 org.freedesktop.Notifications of the object exposed at the path
600 /org/freedesktop/Notifications by the client owning the bus name
601 org.freedesktop.Notifications on the system DBus.
602
603 dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.No‐
604 tifications.*@/org/freedesktop/Notifications
605 Allow the application to receive broadcast signals from the in‐
606 terface org.freedesktop.Notifications of the object exposed at
607 the path /org/freedesktop/Notifications by the client owning the
608 bus name org.freedesktop.Notifications on the system DBus.
609
610 dbus-user filter
611 Enable filtered access to the session DBus. Filters can be spec‐
612 ified with the dbus-user.talk and dbus-user.own commands.
613
614 dbus-user none
615 Disable access to the session DBus. Once access is disabled, it
616 cannot be relaxed to filtering.
617
618 dbus-user.own org.gnome.ghex.*
619 Allow the application to own the name org.gnome.ghex and all
620 names underneath in on the session DBus.
621
622 dbus-user.talk org.freedesktop.Notifications
623 Allow the application to talk to the name org.freedesktop.Noti‐
624 fications on the session DBus.
625
626 dbus-user.see org.freedesktop.Notifications
627 Allow the application to see but not talk to the name
628 org.freedesktop.Notifications on the session DBus.
629
630 dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifica‐
631 tions.*@/org/freedesktop/Notifications
632 Allow the application to call methods of the interface
633 org.freedesktop.Notifications of the object exposed at the path
634 /org/freedesktop/Notifications by the client owning the bus name
635 org.freedesktop.Notifications on the session DBus.
636
637 dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Noti‐
638 fications.*@/org/freedesktop/Notifications
639 Allow the application to receive broadcast signals from the the
640 interface org.freedesktop.Notifications of the object exposed at
641 the path /org/freedesktop/Notifications by the client owning the
642 bus name org.freedesktop.Notifications on the session DBus.
643
644 nodbus (deprecated)
645 Disable D-Bus access (both system and session buses). Equivalent
646 to dbus-system none and dbus-user none.
647
648
649 Individual filters can be overridden via the --ignore command. Suppos‐
650 ing a profile has
651 [...]
652 dbus-user filter
653 dbus-user.own org.mozilla.firefox.*
654 dbus-user.talk org.freedesktop.Notifications
655 dbus-system none
656 [...]
657
658 and the user wants to disable notifications, this can be
659 achieved by putting the below in a local override file:
660 [...]
661 ignore dbus-user.talk org.freedesktop.Notifications
662 [...]
663
665 These profile entries define the limits on system resources (rlimits)
666 for the processes inside the sandbox. The limits can be modified in‐
667 side the sandbox using the regular ulimit command. cpu command config‐
668 ures the CPU cores available.
669
670 Examples:
671
672
673 cpu 0,1,2
674 Use only CPU cores 0, 1 and 2.
675
676 nice -5
677 Set a nice value of -5 to all processes running inside the sand‐
678 box.
679
680 rlimit-as 123456789012
681 Set the maximum size of the process's virtual memory to
682 123456789012 bytes.
683
684 rlimit-cpu 123
685 Set the maximum CPU time in seconds.
686
687 rlimit-fsize 1024
688 Set the maximum file size that can be created by a process to
689 1024 bytes.
690
691 rlimit-nproc 1000
692 Set the maximum number of processes that can be created for the
693 real user ID of the calling process to 1000.
694
695 rlimit-nofile 500
696 Set the maximum number of files that can be opened by a process
697 to 500.
698
699 rlimit-sigpending 200
700 Set the maximum number of processes that can be created for the
701 real user ID of the calling process to 200.
702
703 timeout hh:mm:ss
704 Kill the sandbox automatically after the time has elapsed. The
705 time is specified in hours/minutes/seconds format.
706
707
709 allusers
710 All user home directories are visible inside the sandbox. By de‐
711 fault, only current user home directory is visible.
712
713
714 env name=value
715 Set environment variable. Examples:
716
717 env LD_LIBRARY_PATH=/opt/test/lib
718 env CFLAGS="-W -Wall -Werror"
719
720
721 ipc-namespace
722 Enable IPC namespace.
723
724
725 keep-fd
726 Inherit open file descriptors to sandbox.
727
728
729 name sandboxname
730 Set sandbox name. Example:
731
732 name browser
733
734
735 no3d Disable 3D hardware acceleration.
736
737 noautopulse (deprecated)
738 See keep-config-pulse.
739
740 nodvd Disable DVD and audio CD devices.
741
742 nogroups
743 Disable supplementary user groups
744
745 noinput
746 Disable input devices.
747
748 nosound
749 Disable sound system.
750
751 notv Disable DVB (Digital Video Broadcasting) TV devices.
752
753 nou2f Disable U2F devices.
754
755 novideo
756 Disable video capture devices.
757
758 machine-id
759 Spoof id number in /etc/machine-id file - a new random id is
760 generated inside the sandbox.
761
762 shell none
763 Run the program directly, without a shell.
764
765
766
768 Networking features available in profile files.
769
770
771 defaultgw address
772 Use this address as default gateway in the new network name‐
773 space.
774
775
776 dns address
777 Set a DNS server for the sandbox. Up to three DNS servers can be
778 defined.
779
780
781 hostname name
782 Set a hostname for the sandbox.
783
784
785 hosts-file file
786 Use file as /etc/hosts.
787
788
789 ip address
790 Assign IP addresses to the last network interface defined by a
791 net command. A default gateway is assigned by default.
792
793 Example:
794 net eth0
795 ip 10.10.20.56
796
797
798 ip none
799 No IP address and no default gateway are configured for the last
800 interface defined by a net command. Use this option in case you
801 intend to start an external DHCP client in the sandbox.
802
803 Example:
804 net eth0
805 ip none
806
807
808 ip dhcp
809 Acquire an IP address and default gateway for the last interface
810 defined by a net command, as well as set the DNS servers accord‐
811 ing to the DHCP response. This command requires the ISC
812 dhclient DHCP client to be installed and will start it automati‐
813 cally inside the sandbox.
814
815 Example:
816 net br0
817 ip dhcp
818
819 This command should not be used in conjunction with the dns com‐
820 mand if the DHCP server is set to configure DNS servers for the
821 clients, because the manually specified DNS servers will be
822 overwritten.
823
824 The DHCP client will NOT release the DHCP lease when the sandbox
825 terminates. If your DHCP server requires leases to be explic‐
826 itly released, consider running a DHCP client and releasing the
827 lease manually in conjunction with the net none command.
828
829
830 ip6 address
831 Assign IPv6 addresses to the last network interface defined by a
832 net command.
833
834 Example:
835 net eth0
836 ip6 2001:0db8:0:f101::1/64
837
838
839 ip6 dhcp
840 Acquire an IPv6 address and default gateway for the last inter‐
841 face defined by a net command, as well as set the DNS servers
842 according to the DHCP response. This command requires the ISC
843 dhclient DHCP client to be installed and will start it automati‐
844 cally inside the sandbox.
845
846 Example:
847 net br0
848 ip6 dhcp
849
850 This command should not be used in conjunction with the dns com‐
851 mand if the DHCP server is set to configure DNS servers for the
852 clients, because the manually specified DNS servers will be
853 overwritten.
854
855 The DHCP client will NOT release the DHCP lease when the sandbox
856 terminates. If your DHCP server requires leases to be explic‐
857 itly released, consider running a DHCP client and releasing the
858 lease manually.
859
860
861 iprange address,address
862 Assign an IP address in the provided range to the last network
863 interface defined by a net command. A default gateway is as‐
864 signed by default.
865
866 Example:
867
868 net eth0
869 iprange 192.168.1.150,192.168.1.160
870
871
872 mac address
873 Assign MAC addresses to the last network interface defined by a
874 net command.
875
876
877 mtu number
878 Assign a MTU value to the last network interface defined by a
879 net command.
880
881
882 net bridge_interface
883 Enable a new network namespace and connect it to this bridge in‐
884 terface. Unless specified with option --ip and --defaultgw, an
885 IP address and a default gateway will be assigned automatically
886 to the sandbox. The IP address is verified using ARP before as‐
887 signment. The address configured as default gateway is the
888 bridge device IP address. Up to four --net bridge devices can be
889 defined. Mixing bridge and macvlan devices is allowed.
890
891
892 net ethernet_interface|wireless_interface
893 Enable a new network namespace and connect it to this ethernet
894 interface using the standard Linux macvlan or ipvlan driver. Un‐
895 less specified with option --ip and --defaultgw, an IP address
896 and a default gateway will be assigned automatically to the
897 sandbox. The IP address is verified using ARP before assignment.
898 The address configured as default gateway is the default gateway
899 of the host. Up to four --net devices can be defined. Mixing
900 bridge and macvlan devices is allowed.
901
902
903 net none
904 Enable a new, unconnected network namespace. The only interface
905 available in the new namespace is a new loopback interface (lo).
906 Use this option to deny network access to programs that don't
907 really need network access.
908
909
910 net tap_interface
911 Enable a new network namespace and connect it to this ethernet
912 tap interface using the standard Linux macvlan driver. If the
913 tap interface is not configured, the sandbox will not try to
914 configure the interface inside the sandbox. Please use ip, net‐
915 mask and defaultgw to specify the configuration.
916
917
918 netfilter
919 If a new network namespace is created, enabled default network
920 filter.
921
922
923 netfilter filename
924 If a new network namespace is created, enabled the network fil‐
925 ter in filename.
926
927
928 netlock
929 Generate a custom network filter and enable it.
930
931
932
933 netmask address
934 Use this option when you want to assign an IP address in a new
935 namespace and the parent interface specified by --net is not
936 configured. An IP address and a default gateway address also
937 have to be added.
938
939
940 netns namespace
941 Run the program in a named, persistent network namespace. These
942 can be created and configured using "ip netns".
943
944
945 veth-name name
946 Use this name for the interface connected to the bridge for
947 --net=bridge_interface commands, instead of the default one.
948
949
951 deterministic-exit-code
952 Always exit firejail with the first child's exit status. The de‐
953 fault behavior is to use the exit status of the final child to
954 exit, which can be nondeterministic.
955
956
957 deterministic-shutdown
958 Always shut down the sandbox after the first child has termi‐
959 nated. The default behavior is to keep the sandbox alive as long
960 as it contains running processes.
961
962
963 join-or-start sandboxname
964 Join the sandbox identified by name or start a new one. Same as
965 "firejail --join=sandboxname" command if sandbox with specified
966 name exists, otherwise same as "name sandboxname".
967
968
970 /etc/firejail/appname.profile
971 Global Firejail configuration consisting mainly of profiles for
972 each application supported by default.
973
974
975 $HOME/.config/firejail/appname.profile
976 User application profiles, will take precedence over the global
977 profiles.
978
979
980 /usr/share/doc/firejail/profile.template
981 Template for building new profiles.
982
983
984 /usr/share/doc/firejail/redirect_alias-profile.template
985 Template for aliasing/redirecting profiles.
986
987
989 Firejail is free software; you can redistribute it and/or modify it un‐
990 der the terms of the GNU General Public License as published by the
991 Free Software Foundation; either version 2 of the License, or (at your
992 option) any later version.
993
994 Homepage: https://firejail.wordpress.com
995
997 firejail(1), firemon(1), firecfg(1), firejail-login(5), firejail-
998 users(5), jailcheck(1)
999
1000 ⟨https://github.com/netblue30/firejail/wiki/Creating-Profiles⟩
1001
1002
1003
10040.9.72 Jan 2023 FIREJAIL-PROFILE(5)