1FIREJAIL-PROFILE(5) firejail profiles man page FIREJAIL-PROFILE(5)
2
6 profile - Security profile file syntax, and information about building
7 new application profiles.
8
11 Using a specific profile:
12 firejail --profile=filename.profile
14 Example:
16 $ firejail --appimage --profile=/etc/firejail/kden‐
17 live.profile kdenlive.appimage
18 firejail --profile=profile_name
21 Example:
23 $ firejail --appimage --profile=kdenlive kdenlive.appim‐
24 age
25 Building a profile manually:
28 Start with the template in /usr/share/doc/firejail/profile.tem‐
30 plate and modify it in a text editor. To integrate the program
31 in your desktop environment copy the profile file in ~/.con‐
32 fig/firejail directory and run "sudo firecfg".
33 Aliases and redirections:
35 In some cases the same profile can be used for several applica‐
37 tions. One such example is LibreOffice. Build a regular pro‐
38 file for the main application, and for the rest use
39 /usr/share/doc/firejail/redirect_alias-profile.template.
40 Running the profile builder:
42 firejail --build=appname.profile appname
44 Example:
46 $ firejail --build=blobby.profile blobby
47 Run the program in "firejail --build" and try to exercise
49 as many program features as possible. The profile is ex‐
50 tracted and saved in the current directory. Open it in a
51 text editor and add or remove sandboxing options as nec‐
52 essary. Test again after modifying the profile. To inte‐
53 grate the program in your desktop environment copy the
54 profile file in ~/.config/firejail directory and run
55 "sudo firecfg".
56
58 Several command line options can be passed to the program using profile
59 files. Firejail chooses the profile file as follows:
60 1. If a profile file is provided by the user with --profile option, the
62 profile file is loaded. If a profile name is given, it is searched for
63 first in the ~/.config/firejail directory and if not found then in
64 /etc/firejail directory. Profile names do not include the .profile suf‐
65 fix. Example:
66 $ firejail --profile=/home/netblue/icecat.profile icecat
68 Reading profile /home/netblue/icecat.profile
69 [...]
70 $ firejail --profile=icecat icecat-wrapper.sh
73 Reading profile /etc/firejail/icecat.profile
74 [...]
75 2. If a profile file with the same name as the application is present
77 in ~/.config/firejail directory or in /etc/firejail, the profile is
78 loaded. ~/.config/firejail takes precedence over /etc/firejail. Exam‐
79 ple:
80 $ firejail icecat
82 Command name #icecat#
83 Found icecat profile in /home/netblue/.config/firejail directory
84 Reading profile /home/netblue/.config/firejail/icecat.profile
85 [...]
86 3. Use a default.profile file if the sandbox is started by a regular
88 user, or a server.profile file if the sandbox is started by root. Fire‐
89 jail looks for these files in ~/.config/firejail directory, followed by
90 /etc/firejail directory. To disable default profile loading, use --no‐
91 profile command option. Example:
92 $ firejail
94 Reading profile /etc/firejail/default.profile
95 Parent pid 8553, child pid 8554
96 Child process initialized
97 [...]
98 $ firejail --noprofile
100 Parent pid 8553, child pid 8554
101 Child process initialized
102 [...]
103
106 In /usr/share/doc/firejail there are two templates to write new pro‐
107 files.
108 profile.template - for regular profiles
109 redirect_alias-profile.template - for aliasing/redirecting pro‐
110 files
111
115 Scripting commands:
116 File and directory names
119 File and directory names containing spaces are supported. The
120 space character ' ' should not be escaped.
121 Example: "blacklist ~/My Virtual Machines"
123 # this is a comment
126 Example:
127 # disable networking
129 net none # this command creates an empty network namespace
130 ?CONDITIONAL: profile line
133 Conditionally add profile line.
134 Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"
136 This example will load the whitelist profile line only if the
138 --appimage option has been specified on the command line.
139 Currently the only conditionals supported this way are HAS_AP‐
141 PIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and
142 HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and
143 BROWSER_ALLOW_DRM can be enabled or disabled globally in Fire‐
144 jail's configuration file.
145 The profile line may be any profile line that you would normally
147 use in a profile except for "quiet" and "include" lines.
148 Note: When using one or more conditionals and --profile, it is
150 recommended that the relevant option(s) (such as --appimage) be
151 specified before --profile, so that their respective condi‐
152 tional(s) (such as ?HAS_APPIMAGE) inside of the profile evaluate
153 to true.
154 include other.profile
157 Include other.profile file.
158 Example: "include /etc/firejail/disable-common.inc"
160 The file name can be prefixed with a macro such as ${HOME} or
162 ${CFG}. ${HOME} is expanded as user home directory, and ${CFG}
163 is expanded as Firejail system configuration directory - in most
164 cases /etc/firejail or /usr/local/etc/firejail.
165 Example: "include ${HOME}/myprofiles/profile1" will load
167 "~/myprofiles/profile1" file.
168 Example: "include ${CFG}/firefox.profile" will load "/etc/fire‐
170 jail/firefox.profile" file.
171 The file name may also be just the name without the leading di‐
173 rectory components. In this case, first the user config direc‐
174 tory (${HOME}/.config/firejail) is searched for the file name
175 and if not found then the system configuration directory is
176 search for the file name. Note: Unlike the --profile option
177 which takes a profile name without the '.profile' suffix, in‐
178 clude must be given the full file name.
179 Example: "include firefox.profile" will load "${HOME}/.con‐
181 fig/firejail/firefox.profile" file and if it does not exist
182 "${CFG}/firefox.profile" will be loaded.
183 System configuration files in ${CFG} are overwritten during
185 software installation. Persistent configuration at system level
186 is handled in ".local" files. For every profile file in ${CFG}
187 directory, the user can create a corresponding .local file stor‐
188 ing modifications to the persistent configuration. Persistent
189 .local files are included at the start of regular profile files.
190 noblacklist file_name
193 If the file name matches file_name, the file will not be black‐
194 listed in any blacklist commands that follow.
195 Example: "noblacklist ${HOME}/.mozilla"
197 nowhitelist file_name
200 If the file name matches file_name, the file will not be
201 whitelisted in any whitelist commands that follow.
202 Example: "nowhitelist ~/.config"
204 ignore Ignore command.
207 Example: "ignore seccomp"
209 Example: "ignore net eth0"
210 quiet Disable Firejail's output. This should be the first uncommented
212 command in the profile file.
213 Example: "quiet"
215
218 These profile entries define a chroot filesystem built on top of the
219 existing host filesystem. Each line describes a file/directory that is
220 inaccessible (blacklist), a read-only file or directory (read-only), a
221 tmpfs mounted on top of an existing directory (tmpfs), or mount-bind a
222 directory or file on top of another directory or file (bind). Use pri‐
223 vate to set private mode. File globbing is supported, and PATH and
224 HOME directories are searched, see the firejail FILE GLOBBING section
225 for more details. Examples:
226 blacklist file_or_directory
228 Blacklist directory or file. Examples:
229 blacklist /usr/bin
231 blacklist /usr/bin/gcc*
232 blacklist ${PATH}/ifconfig
233 blacklist ${HOME}/.ssh
234 blacklist-nolog file_or_directory
237 When --tracelog flag is set, blacklisting generates syslog mes‐
238 sages if the sandbox tries to access the file or directory.
239 blacklist-nolog command disables syslog messages for this par‐
240 ticular file or directory. Examples:
241 blacklist-nolog /usr/bin
243 blacklist-nolog /usr/bin/gcc*
244 bind directory1,directory2
247 Mount-bind directory1 on top of directory2. This option is only
248 available when running as root.
249 bind file1,file2
251 Mount-bind file1 on top of file2. This option is only available
252 when running as root.
253 disable-mnt
255 Disable /mnt, /media, /run/mount and /run/media access.
256 keep-config-pulse
258 Disable automatic ~/.config/pulse init, for complex setups such
259 as remote pulse servers or non-standard socket paths.
260 keep-dev-shm
262 /dev/shm directory is untouched (even with private-dev).
263 keep-var-tmp
265 /var/tmp directory is untouched.
266 mkdir directory
268 Create a directory in user home, under /tmp, or under
269 /run/user/<UID> before the sandbox is started. The directory is
270 created if it doesn't already exist.
271 Use this command for whitelisted directories you need to pre‐
273 serve when the sandbox is closed. Without it, the application
274 will create the directory, and the directory will be deleted
275 when the sandbox is closed. Subdirectories are recursively cre‐
276 ated. Example from firefox profile:
277 mkdir ~/.mozilla
279 whitelist ~/.mozilla
280 mkdir ~/.cache/mozilla/firefox
281 whitelist ~/.cache/mozilla/firefox
282 For files in /run/user/<PID> use ${RUNUSER} macro:
284 mkdir ${RUNUSER}/firejail-testing
286 mkfile file
288 Similar to mkdir, this command creates an empty file in user
289 home, or /tmp, or under /run/user/<UID> before the sandbox is
290 started. The file is created if it doesn't already exist.
291 noexec file_or_directory
293 Remount the file or the directory noexec, nodev and nosuid.
294 private
296 Mount new /root and /home/user directories in temporary filesys‐
297 tems. All modifications are discarded when the sandbox is
298 closed.
299 private directory
301 Use directory as user home. --private and --private=directory
302 cannot be used together.
303 Bug: Even with this enabled, some commands (such as mkdir, mk‐
305 file and private-cache) will still operate on the original home
306 directory. Workaround: Disable the incompatible commands, such
307 as by using "ignore mkdir" and "ignore mkfile". For details,
308 see #903 ⟨https://github.com/netblue30/firejail/issues/903⟩
309 private-bin file,file
311 Build a new /bin in a temporary filesystem, and copy the pro‐
312 grams in the list. The files in the list must be expressed as
313 relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/lo‐
314 cal/bin directories. The same directory is also bind-mounted
315 over /sbin, /usr/bin and /usr/sbin. Multiple private-bin com‐
316 mands are allowed and they accumulate.
317 private-cache
319 Mount an empty temporary filesystem on top of the .cache direc‐
320 tory in user home. All modifications are discarded when the
321 sandbox is closed.
322 private-cwd
324 Set working directory inside jail to the home directory, and
325 failing that, the root directory.
326 private-cwd directory
328 Set working directory inside the jail. Full directory path is
329 required. Symbolic links are not allowed.
330 private-dev
332 Create a new /dev directory. Only disc, dri, dvb, hidraw, null,
333 full, zero, tty, pts, ptmx, random, snd, urandom, video, log,
334 shm and usb devices are available. Use the options no3d, nodvd,
335 nosound, notv, nou2f and novideo for additional restrictions.
336 private-etc file,directory
339 Build a new /etc in a temporary filesystem, and copy the files
340 and directories in the list. The files and directories in the
341 list must be expressed as relative to the /etc directory, and
342 must not contain the / character (e.g., /etc/foo must be ex‐
343 pressed as foo, but /etc/foo/bar -- expressed as foo/bar -- is
344 disallowed). All modifications are discarded when the sandbox
345 is closed. Multiple private-etc commands are allowed and they
346 accumulate.
347 private-home file,directory
349 Build a new user home in a temporary filesystem, and copy the
350 files and directories in the list in the new home. The files
351 and directories in the list must be expressed as relative to the
352 current user's home directory. All modifications are discarded
353 when the sandbox is closed.
354 private-lib file,directory
356 Build a new /lib directory and bring in the libraries required
357 by the application to run. The files and directories in the
358 list must be expressed as relative to the /lib directory. This
359 feature is still under development, see man 1 firejail for some
360 examples.
361 private-opt file,directory
363 Build a new /opt in a temporary filesystem, and copy the files
364 and directories in the list. The files and directories in the
365 list must be expressed as relative to the /opt directory, and
366 must not contain the / character (e.g., /opt/foo must be ex‐
367 pressed as foo, but /opt/foo/bar -- expressed as foo/bar -- is
368 disallowed). All modifications are discarded when the sandbox
369 is closed.
370 private-srv file,directory
372 Build a new /srv in a temporary filesystem, and copy the files
373 and directories in the list. The files and directories in the
374 list must be expressed as relative to the /srv directory, and
375 must not contain the / character (e.g., /srv/foo must be ex‐
376 pressed as foo, but /srv/foo/bar -- expressed as foo/bar -- is
377 disallowed). All modifications are discarded when the sandbox
378 is closed.
379 private-tmp
381 Mount an empty temporary filesystem on top of /tmp directory
382 whitelisting /tmp/.X11-unix.
383 read-only file_or_directory
385 Make directory or file read-only.
386 read-write file_or_directory
388 Make directory or file read-write.
389 tmpfs directory
391 Mount an empty tmpfs filesystem on top of directory. Directories
392 outside user home or not owned by the user are not allowed.
393 Sandboxes running as root are exempt from these restrictions.
394 tracelog
396 Blacklist violations logged to syslog.
397 whitelist file_or_directory
399 Whitelist directory or file. A temporary file system is mounted
400 on the top directory, and the whitelisted files are mount-binded
401 inside. Modifications to whitelisted files are persistent, ev‐
402 erything else is discarded when the sandbox is closed. The top
403 directory can be all directories in / (except /proc and /sys),
404 /sys/module, /run/user/$UID, $HOME and all directories in /usr.
405 Symbolic link handling: with the exception of user home, both
407 the link and the real file should be in the same top directory.
408 For user home, both the link and the real file should be owned
409 by the user.
410 whitelist-ro file_or_directory
413 Equivalent to "whitelist file_or_directory" followed by "read-
414 only file_or_directory"
415 writable-etc
418 Mount /etc directory read-write.
419 writable-run-user
421 Disable the default blacklisting of run/user/$UID/systemd and
422 /run/user/$UID/gnupg.
423 writable-var
425 Mount /var directory read-write.
426 writable-var-log
428 Use the real /var/log directory, not a clone. By default, a
429 tmpfs is mounted on top of /var/log directory, and a skeleton
430 filesystem is created based on the original /var/log.
431
434 The following security filters are currently implemented:
435 allow-debuggers
438 Allow tools such as strace and gdb inside the sandbox by
439 whitelisting system calls ptrace and process_vm_readv.
440 caps Enable default Linux capabilities filter. See capabilities(7)
442 for details.
443 caps.drop capability,capability,capability
445 Blacklist given Linux capabilities.
446 caps.drop all
448 Blacklist all Linux capabilities.
449 caps.keep capability,capability,capability
451 Whitelist given Linux capabilities.
452 memory-deny-write-execute
454 Install a seccomp filter to block attempts to create memory map‐
455 pings that are both writable and executable, to change mappings
456 to be executable or to create executable shared memory.
457 nonewprivs
459 Sets the NO_NEW_PRIVS prctl. This ensures that child processes
460 cannot acquire new privileges using execve(2); in particular,
461 this means that calling a suid binary (or one with file capabil‐
462 ities) does not result in an increase of privilege.
463 noprinters
465 Disable printers.
466 noroot Use this command to enable an user namespace. The namespace has
468 only one user, the current user. There is no root account (uid
469 0) defined in the namespace.
470 protocol protocol1,protocol2,protocol3
472 Enable protocol filter. The filter is based on seccomp and
473 checks the first argument to socket system call. Recognized val‐
474 ues: unix, inet, inet6, netlink, packet, and bluetooth. Multi‐
475 ple protocol commands are allowed and they accumulate.
476 restrict-namespaces
478 Install a seccomp filter that blocks attempts to create new
479 cgroup, ipc, net, mount, pid, time, user or uts namespaces.
480 restrict-namespaces cgroup,ipc,net,mnt,pid,time,user,uts
482 Install a seccomp filter that blocks attempts to create any of
483 the specified namespaces.
484 seccomp
486 Enable seccomp filter and blacklist the syscalls in the default
487 list. See man 1 firejail for more details.
488 seccomp.32
490 Enable seccomp filter and blacklist the syscalls in the default
491 list for 32 bit system calls on a 64 bit architecture system.
492 seccomp syscall,syscall,syscall
494 Enable seccomp filter and blacklist the system calls in the list
495 on top of default seccomp filter.
496 seccomp.32 syscall,syscall,syscall
498 Enable seccomp filter and blacklist the system calls in the list
499 on top of default seccomp filter for 32 bit system calls on a 64
500 bit architecture system.
501 seccomp.block-secondary
503 Enable seccomp filter and filter system call architectures so
504 that only the native architecture is allowed.
505 seccomp.drop syscall,syscall,syscall
507 Enable seccomp filter and blacklist the system calls in the
508 list.
509 seccomp.32.drop syscall,syscall,syscall
511 Enable seccomp filter and blacklist the system calls in the list
512 for 32 bit system calls on a 64 bit architecture system.
513 seccomp.keep syscall,syscall,syscall
515 Enable seccomp filter and whitelist the system calls in the
516 list.
517 seccomp.32.keep syscall,syscall,syscall
519 Enable seccomp filter and whitelist the system calls in the list
520 for 32 bit system calls on a 64 bit architecture system.
521 seccomp-error-action kill | log | ERRNO
523 Return a different error instead of EPERM to the process, kill
524 it when an attempt is made to call a blocked system call, or al‐
525 low but log the attempt.
526 x11 Enable X11 sandboxing.
528 x11 none
530 Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file
531 specified in ${XAUTHORITY} environment variable. Remove DISPLAY
532 and XAUTHORITY environment variables. Stop with error message
533 if X11 abstract socket will be accessible in jail.
534 x11 xephyr
536 Enable X11 sandboxing with Xephyr server.
537 x11 xorg
539 Enable X11 sandboxing with X11 security extension.
540 x11 xpra
542 Enable X11 sandboxing with Xpra server.
543 x11 xvfb
545 Enable X11 sandboxing with Xvfb server.
546 xephyr-screen WIDTHxHEIGHT
548 Set screen size for x11 xephyr. This command should be included
549 in the profile file before x11 xephyr command.
550 Example:
552 xephyr-screen 640x480
554 x11 xephyr
555
557 Access to the session and system DBus UNIX sockets can be allowed, fil‐
558 tered or disabled. To disable the abstract sockets (and force applica‐
559 tions to use the filtered UNIX socket) you would need to request a new
560 network namespace using --net command. Another option is to remove unix
561 from the --protocol set.
562 Filtering requires installing the xdg-dbus-proxy utility. Filter rules
564 can be specified for well-known DBus names, but they are also propa‐
565 gated to the owning unique name, too. The permissions are "sticky" and
566 are kept even if the corresponding well-known name is released (how‐
567 ever, applications rarely release well-known names in practice). Names
568 may have a .* suffix to match all names underneath them, including
569 themselves (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and
570 "foo.bar.baz.quux", but not "foobar"). For more information, see xdg-
571 dbus-proxy(1).
572 Examples:
574 dbus-system filter
577 Enable filtered access to the system DBus. Filters can be speci‐
578 fied with the dbus-system.talk and dbus-system.own commands.
579 dbus-system none
581 Disable access to the system DBus. Once access is disabled, it
582 cannot be relaxed to filtering.
583 dbus-system.own org.gnome.ghex.*
585 Allow the application to own the name org.gnome.ghex and all
586 names underneath in on the system DBus.
587 dbus-system.talk org.freedesktop.Notifications
589 Allow the application to talk to the name org.freedesktop.Noti‐
590 fications on the system DBus.
591 dbus-system.see org.freedesktop.Notifications
593 Allow the application to see but not talk to the name
594 org.freedesktop.Notifications on the system DBus.
595 dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifi‐
597 cations.*@/org/freedesktop/Notifications
598 Allow the application to call methods of the interface
599 org.freedesktop.Notifications of the object exposed at the path
600 /org/freedesktop/Notifications by the client owning the bus name
601 org.freedesktop.Notifications on the system DBus.
602 dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.No‐
604 tifications.*@/org/freedesktop/Notifications
605 Allow the application to receive broadcast signals from the in‐
606 terface org.freedesktop.Notifications of the object exposed at
607 the path /org/freedesktop/Notifications by the client owning the
608 bus name org.freedesktop.Notifications on the system DBus.
609 dbus-user filter
611 Enable filtered access to the session DBus. Filters can be spec‐
612 ified with the dbus-user.talk and dbus-user.own commands.
613 dbus-user none
615 Disable access to the session DBus. Once access is disabled, it
616 cannot be relaxed to filtering.
617 dbus-user.own org.gnome.ghex.*
619 Allow the application to own the name org.gnome.ghex and all
620 names underneath in on the session DBus.
621 dbus-user.talk org.freedesktop.Notifications
623 Allow the application to talk to the name org.freedesktop.Noti‐
624 fications on the session DBus.
625 dbus-user.see org.freedesktop.Notifications
627 Allow the application to see but not talk to the name
628 org.freedesktop.Notifications on the session DBus.
629 dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifica‐
631 tions.*@/org/freedesktop/Notifications
632 Allow the application to call methods of the interface
633 org.freedesktop.Notifications of the object exposed at the path
634 /org/freedesktop/Notifications by the client owning the bus name
635 org.freedesktop.Notifications on the session DBus.
636 dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Noti‐
638 fications.*@/org/freedesktop/Notifications
639 Allow the application to receive broadcast signals from the the
640 interface org.freedesktop.Notifications of the object exposed at
641 the path /org/freedesktop/Notifications by the client owning the
642 bus name org.freedesktop.Notifications on the session DBus.
643 nodbus (deprecated)
645 Disable D-Bus access (both system and session buses). Equivalent
646 to dbus-system none and dbus-user none.
647 Individual filters can be overridden via the --ignore command. Suppos‐
650 ing a profile has
651 [...]
652 dbus-user filter
653 dbus-user.own org.mozilla.firefox.*
654 dbus-user.talk org.freedesktop.Notifications
655 dbus-system none
656 [...]
657 and the user wants to disable notifications, this can be
659 achieved by putting the below in a local override file:
660 [...]
661 ignore dbus-user.talk org.freedesktop.Notifications
662 [...]
663
665 These profile entries define the limits on system resources (rlimits)
666 for the processes inside the sandbox. The limits can be modified in‐
667 side the sandbox using the regular ulimit command. cpu command config‐
668 ures the CPU cores available.
669 Examples:
671 cpu 0,1,2
674 Use only CPU cores 0, 1 and 2.
675 nice -5
677 Set a nice value of -5 to all processes running inside the sand‐
678 box.
679 rlimit-as 123456789012
681 Set the maximum size of the process's virtual memory to
682 123456789012 bytes.
683 rlimit-cpu 123
685 Set the maximum CPU time in seconds.
686 rlimit-fsize 1024
688 Set the maximum file size that can be created by a process to
689 1024 bytes.
690 rlimit-nproc 1000
692 Set the maximum number of processes that can be created for the
693 real user ID of the calling process to 1000.
694 rlimit-nofile 500
696 Set the maximum number of files that can be opened by a process
697 to 500.
698 rlimit-sigpending 200
700 Set the maximum number of processes that can be created for the
701 real user ID of the calling process to 200.
702 timeout hh:mm:ss
704 Kill the sandbox automatically after the time has elapsed. The
705 time is specified in hours/minutes/seconds format.
706
709 allusers
710 All user home directories are visible inside the sandbox. By de‐
711 fault, only current user home directory is visible.
712 env name=value
715 Set environment variable. Examples:
716 env LD_LIBRARY_PATH=/opt/test/lib
718 env CFLAGS="-W -Wall -Werror"
719 ipc-namespace
722 Enable IPC namespace.
723 keep-fd
726 Inherit open file descriptors to sandbox.
727 name sandboxname
730 Set sandbox name. Example:
731 name browser
733 no3d Disable 3D hardware acceleration.
736 noautopulse (deprecated)
738 See keep-config-pulse.
739 nodvd Disable DVD and audio CD devices.
741 nogroups
743 Disable supplementary user groups
744 noinput
746 Disable input devices.
747 nosound
749 Disable sound system.
750 notv Disable DVB (Digital Video Broadcasting) TV devices.
752 nou2f Disable U2F devices.
754 novideo
756 Disable video capture devices.
757 machine-id
759 Spoof id number in /etc/machine-id file - a new random id is
760 generated inside the sandbox.
761 shell none
763 Run the program directly, without a shell.
764
768 Networking features available in profile files.
769 defaultgw address
772 Use this address as default gateway in the new network name‐
773 space.
774 dns address
777 Set a DNS server for the sandbox. Up to three DNS servers can be
778 defined.
779 hostname name
782 Set a hostname for the sandbox.
783 hosts-file file
786 Use file as /etc/hosts.
787 ip address
790 Assign IP addresses to the last network interface defined by a
791 net command. A default gateway is assigned by default.
792 Example:
794 net eth0
795 ip 10.10.20.56
796 ip none
799 No IP address and no default gateway are configured for the last
800 interface defined by a net command. Use this option in case you
801 intend to start an external DHCP client in the sandbox.
802 Example:
804 net eth0
805 ip none
806 ip dhcp
809 Acquire an IP address and default gateway for the last interface
810 defined by a net command, as well as set the DNS servers accord‐
811 ing to the DHCP response. This command requires the ISC
812 dhclient DHCP client to be installed and will start it automati‐
813 cally inside the sandbox.
814 Example:
816 net br0
817 ip dhcp
818 This command should not be used in conjunction with the dns com‐
820 mand if the DHCP server is set to configure DNS servers for the
821 clients, because the manually specified DNS servers will be
822 overwritten.
823 The DHCP client will NOT release the DHCP lease when the sandbox
825 terminates. If your DHCP server requires leases to be explic‐
826 itly released, consider running a DHCP client and releasing the
827 lease manually in conjunction with the net none command.
828 ip6 address
831 Assign IPv6 addresses to the last network interface defined by a
832 net command.
833 Example:
835 net eth0
836 ip6 2001:0db8:0:f101::1/64
837 ip6 dhcp
840 Acquire an IPv6 address and default gateway for the last inter‐
841 face defined by a net command, as well as set the DNS servers
842 according to the DHCP response. This command requires the ISC
843 dhclient DHCP client to be installed and will start it automati‐
844 cally inside the sandbox.
845 Example:
847 net br0
848 ip6 dhcp
849 This command should not be used in conjunction with the dns com‐
851 mand if the DHCP server is set to configure DNS servers for the
852 clients, because the manually specified DNS servers will be
853 overwritten.
854 The DHCP client will NOT release the DHCP lease when the sandbox
856 terminates. If your DHCP server requires leases to be explic‐
857 itly released, consider running a DHCP client and releasing the
858 lease manually.
859 iprange address,address
862 Assign an IP address in the provided range to the last network
863 interface defined by a net command. A default gateway is as‐
864 signed by default.
865 Example:
867 net eth0
869 iprange 192.168.1.150,192.168.1.160
870 mac address
873 Assign MAC addresses to the last network interface defined by a
874 net command.
875 mtu number
878 Assign a MTU value to the last network interface defined by a
879 net command.
880 net bridge_interface
883 Enable a new network namespace and connect it to this bridge in‐
884 terface. Unless specified with option --ip and --defaultgw, an
885 IP address and a default gateway will be assigned automatically
886 to the sandbox. The IP address is verified using ARP before as‐
887 signment. The address configured as default gateway is the
888 bridge device IP address. Up to four --net bridge devices can be
889 defined. Mixing bridge and macvlan devices is allowed.
890 net ethernet_interface|wireless_interface
893 Enable a new network namespace and connect it to this ethernet
894 interface using the standard Linux macvlan or ipvlan driver. Un‐
895 less specified with option --ip and --defaultgw, an IP address
896 and a default gateway will be assigned automatically to the
897 sandbox. The IP address is verified using ARP before assignment.
898 The address configured as default gateway is the default gateway
899 of the host. Up to four --net devices can be defined. Mixing
900 bridge and macvlan devices is allowed.
901 net none
904 Enable a new, unconnected network namespace. The only interface
905 available in the new namespace is a new loopback interface (lo).
906 Use this option to deny network access to programs that don't
907 really need network access.
908 net tap_interface
911 Enable a new network namespace and connect it to this ethernet
912 tap interface using the standard Linux macvlan driver. If the
913 tap interface is not configured, the sandbox will not try to
914 configure the interface inside the sandbox. Please use ip, net‐
915 mask and defaultgw to specify the configuration.
916 netfilter
919 If a new network namespace is created, enabled default network
920 filter.
921 netfilter filename
924 If a new network namespace is created, enabled the network fil‐
925 ter in filename.
926 netlock
929 Generate a custom network filter and enable it.
930 netmask address
934 Use this option when you want to assign an IP address in a new
935 namespace and the parent interface specified by --net is not
936 configured. An IP address and a default gateway address also
937 have to be added.
938 netns namespace
941 Run the program in a named, persistent network namespace. These
942 can be created and configured using "ip netns".
943 veth-name name
946 Use this name for the interface connected to the bridge for
947 --net=bridge_interface commands, instead of the default one.
948
951 deterministic-exit-code
952 Always exit firejail with the first child's exit status. The de‐
953 fault behavior is to use the exit status of the final child to
954 exit, which can be nondeterministic.
955 deterministic-shutdown
958 Always shut down the sandbox after the first child has termi‐
959 nated. The default behavior is to keep the sandbox alive as long
960 as it contains running processes.
961 join-or-start sandboxname
964 Join the sandbox identified by name or start a new one. Same as
965 "firejail --join=sandboxname" command if sandbox with specified
966 name exists, otherwise same as "name sandboxname".
967
970 /etc/firejail/appname.profile
971 Global Firejail configuration consisting mainly of profiles for
972 each application supported by default.
973 $HOME/.config/firejail/appname.profile
976 User application profiles, will take precedence over the global
977 profiles.
978 /usr/share/doc/firejail/profile.template
981 Template for building new profiles.
982 /usr/share/doc/firejail/redirect_alias-profile.template
985 Template for aliasing/redirecting profiles.
986
989 Firejail is free software; you can redistribute it and/or modify it un‐
990 der the terms of the GNU General Public License as published by the
991 Free Software Foundation; either version 2 of the License, or (at your
992 option) any later version.
993 Homepage: https://firejail.wordpress.com
995
997 firejail(1), firemon(1), firecfg(1), firejail-login(5), firejail-
998 users(5), jailcheck(1)
999 ⟨https://github.com/netblue30/firejail/wiki/Creating-Profiles⟩
10010.9.72 Jan 2023 FIREJAIL-PROFILE(5)