FIREJAIL-PROFILE(5)       firejail profiles man page       FIREJAIL-PROFILE(5)



NAME

       profile - Security profile file syntax, and information about building
       new application profiles.


SYNOPSIS

       Using a specific profile:

              firejail --profile=filename.profile

                     Example:
                     $ firejail --appimage --profile=/etc/firejail/kdenlive.profile kdenlive.appimage


              firejail --profile=profile_name

                     Example:
                     $ firejail --appimage --profile=kdenlive kdenlive.appimage


       Building a profile manually:

              Start with the template in /usr/share/doc/firejail/profile.template
              and modify it in a text editor. To integrate the program in your
              desktop environment, copy the profile file into the
              ~/.config/firejail directory and run "sudo firecfg".

       Aliases and redirections:

              In some cases the same profile can be used for several
              applications. One such example is LibreOffice. Build a regular
              profile for the main application, and for the rest use
              /usr/share/doc/firejail/redirect_alias-profile.template.

       Running the profile builder:

              firejail --build=appname.profile appname

                     Example:
                     $ firejail --build=blobby.profile blobby

                     Run the program under "firejail --build" and try to
                     exercise as many program features as possible. The profile
                     is extracted and saved in the current directory. Open it in
                     a text editor and add or remove sandboxing options as
                     necessary. Test again after modifying the profile. To
                     integrate the program in your desktop environment, copy the
                     profile file into the ~/.config/firejail directory and run
                     "sudo firecfg".


DESCRIPTION

       Several command line options can be passed to the program using profile
       files. Firejail chooses the profile file as follows:

       1. If a profile file is provided by the user with the --profile option,
       that profile file is loaded. If a profile name is given instead, it is
       searched for first in the ~/.config/firejail directory and, if not found
       there, in the /etc/firejail directory. Profile names do not include the
       .profile suffix. Example:

              $ firejail --profile=/home/netblue/icecat.profile icecat
              Reading profile /home/netblue/icecat.profile
              [...]


              $ firejail --profile=icecat icecat-wrapper.sh
              Reading profile /etc/firejail/icecat.profile
              [...]

       2. If a profile file with the same name as the application is present
       in the ~/.config/firejail directory or in /etc/firejail, that profile is
       loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:

              $ firejail icecat
              Command name #icecat#
              Found icecat profile in /home/netblue/.config/firejail directory
              Reading profile /home/netblue/.config/firejail/icecat.profile
              [...]

       3. Use a default.profile file if the sandbox is started by a regular
       user, or a server.profile file if the sandbox is started by root.
       Firejail looks for these files in the ~/.config/firejail directory,
       followed by the /etc/firejail directory. To disable default profile
       loading, use the --noprofile command option. Example:

              $ firejail
              Reading profile /etc/firejail/default.profile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]

              $ firejail --noprofile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]


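       The lookup order above, modelled as an added example. This is not
       firejail's own code (firejail is written in C); it takes the home and
       system configuration directories as parameters so it can be exercised
       on constructed directories. Two assumptions are made that the text does
       not spell out: a --profile value containing '/' is treated as a file
       path rather than a name, and rule 2 uses the basename of the command.

```python
import tempfile
from pathlib import Path
from typing import Optional


def resolve_profile(home: Path, cfg_dir: Path, *, profile: Optional[str] = None,
                    command: Optional[str] = None,
                    is_root: bool = False) -> Optional[Path]:
    """Return the profile file firejail would read, or None if there is none."""
    search = (home / ".config" / "firejail", cfg_dir)   # user directory wins

    def find(filename: str) -> Optional[Path]:
        for d in search:
            cand = d / filename
            if cand.is_file():
                return cand
        return None

    # Rule 1: --profile=... is either a file path or a name without ".profile".
    if profile is not None:
        if "/" in profile:                       # assumption: '/' means a path
            p = Path(profile)
            return p if p.is_file() else None
        return find(profile + ".profile")

    # Rule 2: a profile named after the command (basename only, an assumption).
    if command:
        hit = find(Path(command).name + ".profile")
        if hit:
            return hit

    # Rule 3: default.profile for regular users, server.profile for root.
    return find("server.profile" if is_root else "default.profile")


def demo() -> dict:
    """Build a constructed home and system directory under a temp dir and
    exercise the three rules; paths are returned relative to the temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        cfg = Path(tmp) / "etc-firejail"            # stands in for /etc/firejail
        user = home / ".config" / "firejail"
        user.mkdir(parents=True)
        cfg.mkdir()
        (user / "icecat.profile").write_text("# user copy\n")
        (cfg / "icecat.profile").write_text("# system copy\n")
        (cfg / "firefox.profile").write_text("# system only\n")
        (cfg / "default.profile").write_text("# default\n")
        (cfg / "server.profile").write_text("# server\n")
        explicit = home / "custom.profile"
        explicit.write_text("# explicit path\n")

        results = {
            "path": resolve_profile(home, cfg, profile=str(explicit)),
            "name_user_first": resolve_profile(home, cfg, profile="icecat"),
            "name_system_fallback": resolve_profile(home, cfg, profile="firefox"),
            "command": resolve_profile(home, cfg, command="/usr/bin/firefox"),
            "default": resolve_profile(home, cfg, command="unknown-app"),
            "root": resolve_profile(home, cfg, command="unknown-app", is_root=True),
            "missing": resolve_profile(home, cfg, profile="nonexistent"),
        }
        return {k: (str(v.relative_to(tmp)) if v else None) for k, v in results.items()}


if __name__ == "__main__":
    for case, path in demo().items():
        print(f"{case:22} -> {path}")
```

       The user copy of icecat.profile shadows the system copy, the firefox
       command falls through to the system directory, and an unknown command
       ends up on default.profile (server.profile for root).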

Templates

       In /usr/share/doc/firejail there are two templates for writing new
       profiles:
              profile.template - for regular profiles
              redirect_alias-profile.template - for aliasing/redirecting
              profiles




Scripting

       Scripting commands:


       File and directory names
              File and directory names containing spaces are supported. The
              space character ' ' should not be escaped.

              Example: "blacklist ~/My Virtual Machines"


       # this is a comment
              Example:

              # disable networking
              net none # this command creates an empty network namespace


       ?CONDITIONAL: profile line
              Conditionally add a profile line.

              Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir"

              This example will load the whitelist profile line only if the
              --appimage option has been specified on the command line.

              Currently the only conditionals supported this way are
              HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and
              HAS_X11. The conditionals ALLOW_TRAY, BROWSER_DISABLE_U2F and
              BROWSER_ALLOW_DRM can be enabled or disabled globally in
              Firejail's configuration file.

              The profile line may be any profile line that you would normally
              use in a profile, except for "quiet" and "include" lines.

              Note: When using one or more conditionals together with
              --profile, it is recommended that the relevant option(s) (such as
              --appimage) be specified before --profile, so that their
              respective conditional(s) (such as ?HAS_APPIMAGE) inside the
              profile evaluate to true.


       include other.profile
              Include the other.profile file.

              Example: "include /etc/firejail/disable-common.inc"

              The file name can be prefixed with a macro such as ${HOME} or
              ${CFG}. ${HOME} is expanded to the user's home directory, and
              ${CFG} is expanded to Firejail's system configuration directory,
              in most cases /etc/firejail or /usr/local/etc/firejail.

              Example: "include ${HOME}/myprofiles/profile1" will load the
              "~/myprofiles/profile1" file.

              Example: "include ${CFG}/firefox.profile" will load the
              "/etc/firejail/firefox.profile" file.

              The file name may also be just the name without the leading
              directory components. In this case, the user config directory
              (${HOME}/.config/firejail) is searched for the file name first,
              and if it is not found there the system configuration directory
              is searched for it. Note: Unlike the --profile option, which
              takes a profile name without the '.profile' suffix, include must
              be given the full file name.

              Example: "include firefox.profile" will load the
              "${HOME}/.config/firejail/firefox.profile" file and, if that does
              not exist, "${CFG}/firefox.profile" will be loaded instead.

              System configuration files in ${CFG} are overwritten during
              software installation. Persistent configuration at system level
              is handled in ".local" files. For every profile file in the
              ${CFG} directory, the user can create a corresponding .local file
              storing modifications to the persistent configuration.
              Persistent .local files are included at the start of regular
              profile files.


       noblacklist file_name
              If the file name matches file_name, the file will not be
              blacklisted by any blacklist commands that follow.

              Example: "noblacklist ${HOME}/.mozilla"


       nowhitelist file_name
              If the file name matches file_name, the file will not be
              whitelisted by any whitelist commands that follow.

              Example: "nowhitelist ~/.config"


       ignore Ignore the given command.

              Example: "ignore seccomp"
              Example: "ignore net eth0"

       quiet  Disable Firejail's output. This should be the first uncommented
              command in the profile file.

              Example: "quiet"


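       The line-level rules of this section (comments, ?CONDITIONAL: prefixes,
       ${HOME}/${CFG} macros, ignore, noblacklist and the placement of quiet)
       worked through on a constructed profile, as an added example that is
       not firejail's own parser. Two details are assumptions rather than
       statements from the page: "ignore X" is treated as a prefix match on
       the command text (so "ignore seccomp" also drops "seccomp.drop ..."),
       and noblacklist protects a later blacklist of exactly the same path.

```python
from dataclasses import dataclass, field

# Conditionals listed on the page; ALLOW_TRAY and the BROWSER_* ones are global
# switches in firejail's configuration file, modelled here as plain flags.
KNOWN_CONDITIONALS = {"HAS_APPIMAGE", "HAS_NET", "HAS_NODBUS", "HAS_NOSOUND",
                      "HAS_PRIVATE", "HAS_X11", "ALLOW_TRAY",
                      "BROWSER_DISABLE_U2F", "BROWSER_ALLOW_DRM"}

MACROS = {"HOME": "/home/netblue", "CFG": "/etc/firejail"}   # constructed values


@dataclass
class Result:
    commands: list = field(default_factory=list)   # effective (command, argument) pairs
    errors: list = field(default_factory=list)     # (line number, message)


def parse_profile(text: str, enabled: set, macros: dict = MACROS) -> Result:
    """Apply comment, conditional, macro, ignore and noblacklist rules and
    return the commands that would actually take effect."""
    res = Result()
    ignored = []          # prefixes recorded by "ignore" lines (assumption: prefix match)
    noblacklist = set()   # paths protected by "noblacklist"
    seen_command = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line.startswith("?"):                 # ?CONDITIONAL: profile line
            cond, sep, line = line[1:].partition(":")
            line = line.strip()
            if not sep or cond not in KNOWN_CONDITIONALS:
                res.errors.append((n, f"unknown conditional {cond!r}"))
                continue
            first = line.split(" ", 1)[0]
            if first in ("quiet", "include"):
                res.errors.append((n, f"{first} cannot be conditional"))
                continue
            if cond not in enabled:
                continue                         # condition false: line dropped
        for name, value in macros.items():       # ${HOME}, ${CFG} expansion
            line = line.replace("${" + name + "}", value)
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd == "quiet" and seen_command:
            res.errors.append((n, "quiet must be the first uncommented command"))
            continue
        seen_command = True
        if cmd == "ignore":
            ignored.append(arg)
            continue
        if any(line.startswith(prefix) for prefix in ignored):
            continue                             # overridden by an earlier ignore
        if cmd == "noblacklist":
            noblacklist.add(arg)
            continue
        if cmd == "blacklist" and arg in noblacklist:
            continue                             # protected path: blacklist dropped
        res.commands.append((cmd, arg))
    return res


# Constructed profile exercising every rule, including two invalid lines.
SAMPLE_PROFILE = """\
quiet
# conditional whitelist, only with --appimage
?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir
?HAS_NET: include ${CFG}/disable-common.inc
?BOGUS: blacklist /tmp
include ${CFG}/disable-common.inc
ignore seccomp
noblacklist ${HOME}/.mozilla
blacklist ${HOME}/.mozilla
blacklist ${HOME}/.ssh
net none # this command creates an empty network namespace
seccomp.drop chmod,fchmod
quiet
"""


def demo() -> Result:
    """Evaluate the constructed profile as if --appimage had been given."""
    return parse_profile(SAMPLE_PROFILE, enabled={"HAS_APPIMAGE"})


if __name__ == "__main__":
    r = demo()
    for cmd, arg in r.commands:
        print("effective:", cmd, arg)
    for n, msg in r.errors:
        print(f"line {n}: {msg}")
```

       Five lines survive: the conditional whitelist (because HAS_APPIMAGE is
       enabled), the include with ${CFG} expanded, the .ssh blacklist (the
       .mozilla one is protected), and net none; the seccomp.drop line is
       swallowed by the earlier ignore, and the conditional include, the
       unknown conditional and the trailing quiet are reported as errors.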

Filesystem

       These profile entries define a chroot filesystem built on top of the
       existing host filesystem. Each line describes a file/directory that is
       inaccessible (blacklist), a read-only file or directory (read-only), a
       tmpfs mounted on top of an existing directory (tmpfs), or a directory
       or file mount-bound on top of another directory or file (bind). Use
       private to set private mode. File globbing is supported, and the PATH
       and HOME directories are searched; see the firejail FILE GLOBBING
       section for more details. Examples:

       blacklist file_or_directory
              Blacklist a directory or file. Examples:

              blacklist /usr/bin
              blacklist /usr/bin/gcc*
              blacklist ${PATH}/ifconfig
              blacklist ${HOME}/.ssh


       blacklist-nolog file_or_directory
              When the --tracelog flag is set, blacklisting generates syslog
              messages if the sandbox tries to access the file or directory.
              The blacklist-nolog command disables syslog messages for this
              particular file or directory. Examples:

              blacklist-nolog /usr/bin
              blacklist-nolog /usr/bin/gcc*


       bind directory1,directory2
              Mount-bind directory1 on top of directory2. This option is only
              available when running as root.

       bind file1,file2
              Mount-bind file1 on top of file2. This option is only available
              when running as root.

       disable-mnt
              Disable /mnt, /media, /run/mount and /run/media access.

       keep-config-pulse
              Disable automatic ~/.config/pulse init, for complex setups such
              as remote pulse servers or non-standard socket paths.

       keep-dev-shm
              The /dev/shm directory is left untouched (even with private-dev).

       keep-var-tmp
              The /var/tmp directory is left untouched.

       mkdir directory
              Create a directory in the user's home, under /tmp, or under
              /run/user/<UID> before the sandbox is started. The directory is
              created if it doesn't already exist.

              Use this command for whitelisted directories you need to
              preserve when the sandbox is closed. Without it, the application
              will create the directory, and the directory will be deleted
              when the sandbox is closed. Subdirectories are created
              recursively. Example from the firefox profile:

              mkdir ~/.mozilla
              whitelist ~/.mozilla
              mkdir ~/.cache/mozilla/firefox
              whitelist ~/.cache/mozilla/firefox

              For files in /run/user/<UID> use the ${RUNUSER} macro:

              mkdir ${RUNUSER}/firejail-testing

       mkfile file
              Similar to mkdir, this command creates an empty file in the
              user's home, under /tmp, or under /run/user/<UID> before the
              sandbox is started. The file is created if it doesn't already
              exist.

       noexec file_or_directory
              Remount the file or the directory noexec, nodev and nosuid.

       private
              Mount new /root and /home/user directories in temporary
              filesystems. All modifications are discarded when the sandbox is
              closed.

       private directory
              Use directory as the user home. --private and
              --private=directory cannot be used together.

              Bug: Even with this enabled, some commands (such as mkdir,
              mkfile and private-cache) will still operate on the original
              home directory. Workaround: Disable the incompatible commands,
              for example by using "ignore mkdir" and "ignore mkfile". For
              details, see #903 ⟨https://github.com/netblue30/firejail/issues/903⟩

       private-bin file,file
              Build a new /bin in a temporary filesystem, and copy the
              programs in the list. The files in the list must be expressed
              relative to the /bin, /sbin, /usr/bin, /usr/sbin, or
              /usr/local/bin directories. The same directory is also
              bind-mounted over /sbin, /usr/bin and /usr/sbin. Multiple
              private-bin commands are allowed and they accumulate.

       private-cache
              Mount an empty temporary filesystem on top of the .cache
              directory in the user's home. All modifications are discarded
              when the sandbox is closed.

       private-cwd
              Set the working directory inside the jail to the home directory,
              and failing that, the root directory.

       private-cwd directory
              Set the working directory inside the jail. The full directory
              path is required. Symbolic links are not allowed.

       private-dev
              Create a new /dev directory. Only the disc, dri, dvb, hidraw,
              null, full, zero, tty, pts, ptmx, random, snd, urandom, video,
              log, shm and usb devices are available. Use the options no3d,
              nodvd, nosound, notv, nou2f and novideo for additional
              restrictions.


       private-etc file,directory
              Build a new /etc in a temporary filesystem, and copy the files
              and directories in the list. The files and directories in the
              list must be expressed relative to the /etc directory, and must
              not contain the / character (e.g., /etc/foo must be expressed as
              foo, but /etc/foo/bar -- expressed as foo/bar -- is disallowed).
              All modifications are discarded when the sandbox is closed.
              Multiple private-etc commands are allowed and they accumulate.

       private-home file,directory
              Build a new user home in a temporary filesystem, and copy the
              files and directories in the list into the new home. The files
              and directories in the list must be expressed relative to the
              current user's home directory. All modifications are discarded
              when the sandbox is closed.

       private-lib file,directory
              Build a new /lib directory and bring in the libraries required
              by the application to run. The files and directories in the
              list must be expressed relative to the /lib directory. This
              feature is still under development; see man 1 firejail for some
              examples.

       private-opt file,directory
              Build a new /opt in a temporary filesystem, and copy the files
              and directories in the list. The files and directories in the
              list must be expressed relative to the /opt directory, and must
              not contain the / character (e.g., /opt/foo must be expressed as
              foo, but /opt/foo/bar -- expressed as foo/bar -- is disallowed).
              All modifications are discarded when the sandbox is closed.

       private-srv file,directory
              Build a new /srv in a temporary filesystem, and copy the files
              and directories in the list. The files and directories in the
              list must be expressed relative to the /srv directory, and must
              not contain the / character (e.g., /srv/foo must be expressed as
              foo, but /srv/foo/bar -- expressed as foo/bar -- is disallowed).
              All modifications are discarded when the sandbox is closed.

       private-tmp
              Mount an empty temporary filesystem on top of the /tmp
              directory, whitelisting /tmp/.X11-unix.

       read-only file_or_directory
              Make the directory or file read-only.

       read-write file_or_directory
              Make the directory or file read-write.

       tmpfs directory
              Mount an empty tmpfs filesystem on top of directory. Directories
              outside the user's home or not owned by the user are not
              allowed. Sandboxes running as root are exempt from these
              restrictions.

       tracelog
              Log blacklist violations to syslog.

       whitelist file_or_directory
              Whitelist a directory or file. A temporary file system is
              mounted on the top directory, and the whitelisted files are
              mount-bound inside it. Modifications to whitelisted files are
              persistent; everything else is discarded when the sandbox is
              closed. The top directory can be any directory in / (except
              /proc and /sys), /sys/module, /run/user/$UID, $HOME and any
              directory in /usr.

              Symbolic link handling: with the exception of the user's home,
              both the link and the real file should be in the same top
              directory. For the user's home, both the link and the real file
              should be owned by the user.


       whitelist-ro file_or_directory
              Equivalent to "whitelist file_or_directory" followed by
              "read-only file_or_directory".


       writable-etc
              Mount the /etc directory read-write.

       writable-run-user
              Disable the default blacklisting of /run/user/$UID/systemd and
              /run/user/$UID/gnupg.

       writable-var
              Mount the /var directory read-write.

       writable-var-log
              Use the real /var/log directory, not a clone. By default, a
              tmpfs is mounted on top of the /var/log directory, and a
              skeleton filesystem is created based on the original /var/log.


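       The argument constraints stated in this section (private-etc/opt/srv
       entries without '/', private-bin entries relative to the bin
       directories, mkdir/mkfile only under the home, /tmp or /run/user/<UID>,
       tmpfs inside the home unless root, and the top directories whitelist
       accepts) as checks a profile author could run before testing, written
       as an added example rather than taken from firejail. The home
       directory and UID are passed in as constructed values; one
       interpretation is the author's own: a whitelist path must lie inside
       an allowed top directory, not name the top directory itself.

```python
from pathlib import PurePosixPath


def expand(path: str, home: str, uid: int) -> str:
    """Expand the macros this section uses: ~, ${HOME} and ${RUNUSER}."""
    path = path.replace("${HOME}", home).replace("${RUNUSER}", f"/run/user/{uid}")
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return path


def under(path: str, top: str) -> bool:
    """True if path is top itself or lies below it."""
    top = top.rstrip("/")
    return path == top or path.startswith(top + "/")


def whitelist_top_ok(path: str, home: str, uid: int) -> bool:
    """Is path inside one of the top directories whitelist accepts?
    Interpretation (assumption): the path must be inside a top directory."""
    for top in (home, f"/run/user/{uid}", "/sys/module"):
        if under(path, top):
            return True
    parts = PurePosixPath(path).parts           # ('/', 'usr', 'share', ...)
    if len(parts) < 3 or parts[1] in ("proc", "sys"):
        return False
    if parts[1] == "usr":
        return len(parts) >= 4                  # top is a directory inside /usr
    return True                                 # top is a directory in /


def check_fs_command(cmd: str, arg: str, *, home: str, uid: int,
                     is_root: bool = False) -> list:
    """Return the problems found for one filesystem line ([] if acceptable)."""
    problems = []
    if cmd in ("private-etc", "private-opt", "private-srv"):
        base = "/" + cmd.split("-", 1)[1]
        for item in arg.split(","):
            if "/" in item:
                problems.append(f"{cmd}: {item!r} must be a name relative to "
                                f"{base} and must not contain '/'")
    elif cmd == "private-bin":
        for item in arg.split(","):
            if item.startswith("/"):
                problems.append(f"private-bin: {item!r} must be relative to "
                                "/bin, /sbin, /usr/bin, /usr/sbin or /usr/local/bin")
    elif cmd in ("mkdir", "mkfile"):
        path = expand(arg, home, uid)
        if not any(under(path, top) for top in (home, "/tmp", f"/run/user/{uid}")):
            problems.append(f"{cmd}: {path!r} is not under the home, /tmp or "
                            f"/run/user/{uid}")
    elif cmd == "tmpfs":
        path = expand(arg, home, uid)
        if not is_root and not under(path, home):
            problems.append(f"tmpfs: {path!r} is outside the user's home "
                            "(non-root sandbox)")
    elif cmd in ("whitelist", "whitelist-ro"):
        path = expand(arg, home, uid)
        if not whitelist_top_ok(path, home, uid):
            problems.append(f"{cmd}: {path!r} is not inside an allowed top directory")
    return problems


def demo() -> dict:
    """Run the checks over constructed lines; keys are the lines, values the
    problem lists (empty when the line is acceptable)."""
    cases = [
        ("private-etc", "passwd,group,fonts"),
        ("private-etc", "foo/bar"),
        ("private-bin", "bash,ls,/usr/bin/gcc"),
        ("mkdir", "~/.mozilla"),
        ("mkdir", "${RUNUSER}/firejail-testing"),
        ("mkdir", "/opt/app"),
        ("tmpfs", "~/.cache"),
        ("tmpfs", "/var/tmp"),
        ("whitelist", "${HOME}/.mozilla"),
        ("whitelist", "/usr/share/fonts"),
        ("whitelist", "/proc/self"),
        ("whitelist", "/sys/module/fuse"),
    ]
    return {f"{c} {a}": check_fs_command(c, a, home="/home/netblue", uid=1000)
            for c, a in cases}


if __name__ == "__main__":
    for line, problems in demo().items():
        print(f"{line:40} {'ok' if not problems else problems[0]}")
```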

Security filters

       The following security filters are currently implemented:


       allow-debuggers
              Allow tools such as strace and gdb inside the sandbox by
              whitelisting the ptrace and process_vm_readv system calls.

       caps   Enable the default Linux capabilities filter. See
              capabilities(7) for details.

       caps.drop capability,capability,capability
              Blacklist the given Linux capabilities.

       caps.drop all
              Blacklist all Linux capabilities.

       caps.keep capability,capability,capability
              Whitelist the given Linux capabilities.

       memory-deny-write-execute
              Install a seccomp filter to block attempts to create memory
              mappings that are both writable and executable, to change
              mappings to be executable, or to create executable shared
              memory.

       nonewprivs
              Sets the NO_NEW_PRIVS prctl. This ensures that child processes
              cannot acquire new privileges using execve(2); in particular,
              this means that calling a suid binary (or one with file
              capabilities) does not result in an increase of privilege.

       noprinters
              Disable printers.

       noroot Use this command to enable a user namespace. The namespace has
              only one user, the current user. There is no root account (uid
              0) defined in the namespace.

       protocol protocol1,protocol2,protocol3
              Enable the protocol filter. The filter is based on seccomp and
              checks the first argument to the socket system call. Recognized
              values: unix, inet, inet6, netlink, packet, and bluetooth.
              Multiple protocol commands are allowed and they accumulate.

       restrict-namespaces
              Install a seccomp filter that blocks attempts to create new
              cgroup, ipc, net, mount, pid, time, user or uts namespaces.

       restrict-namespaces cgroup,ipc,net,mnt,pid,time,user,uts
              Install a seccomp filter that blocks attempts to create any of
              the specified namespaces.

       seccomp
              Enable the seccomp filter and blacklist the syscalls in the
              default list. See man 1 firejail for more details.

       seccomp.32
              Enable the seccomp filter and blacklist the syscalls in the
              default list for 32 bit system calls on a 64 bit architecture
              system.

       seccomp syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list on top of the default seccomp filter.

       seccomp.32 syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list on top of the default seccomp filter for 32 bit system calls
              on a 64 bit architecture system.

       seccomp.block-secondary
              Enable the seccomp filter and filter system call architectures
              so that only the native architecture is allowed.

       seccomp.drop syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list.

       seccomp.32.drop syscall,syscall,syscall
              Enable the seccomp filter and blacklist the system calls in the
              list for 32 bit system calls on a 64 bit architecture system.

       seccomp.keep syscall,syscall,syscall
              Enable the seccomp filter and whitelist the system calls in the
              list.

       seccomp.32.keep syscall,syscall,syscall
              Enable the seccomp filter and whitelist the system calls in the
              list for 32 bit system calls on a 64 bit architecture system.

       seccomp-error-action kill | log | ERRNO
              When an attempt is made to call a blocked system call, return a
              different error (ERRNO) instead of EPERM to the process, kill
              the process (kill), or allow the call but log the attempt (log).

       x11    Enable X11 sandboxing.

       x11 none
              Blacklist the /tmp/.X11-unix directory, ${HOME}/.Xauthority and
              the file specified in the ${XAUTHORITY} environment variable.
              Remove the DISPLAY and XAUTHORITY environment variables. Stop
              with an error message if the X11 abstract socket will be
              accessible in the jail.

       x11 xephyr
              Enable X11 sandboxing with the Xephyr server.

       x11 xorg
              Enable X11 sandboxing with the X11 security extension.

       x11 xpra
              Enable X11 sandboxing with the Xpra server.

       x11 xvfb
              Enable X11 sandboxing with the Xvfb server.

       xephyr-screen WIDTHxHEIGHT
              Set the screen size for x11 xephyr. This command should be
              included in the profile file before the x11 xephyr command.

              Example:

              xephyr-screen 640x480
              x11 xephyr

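       Whether nonewprivs, seccomp and caps.drop actually took effect can be
       verified from inside the sandbox by reading /proc/self/status, which
       reports NoNewPrivs, Seccomp (2 = filter mode) and the capability
       bounding set CapBnd. The following added example (not firejail code)
       parses a constructed status excerpt and, on Linux, applies
       PR_SET_NO_NEW_PRIVS to the running interpreter through prctl(2) so the
       effect can be observed live; the value 38 for PR_SET_NO_NEW_PRIVS comes
       from the kernel's prctl.h.

```python
import ctypes
import ctypes.util
import sys

PR_SET_NO_NEW_PRIVS = 38   # <linux/prctl.h>

# Constructed excerpt of /proc/<pid>/status for a process confined with
# nonewprivs, a seccomp filter and "caps.drop all".
SAMPLE_STATUS = """\
Name:\tfirefox
Pid:\t8554
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000000000000
NoNewPrivs:\t1
Seccomp:\t2
Seccomp_filters:\t1
"""


def parse_status(text: str) -> dict:
    """Parse the 'Key:\tvalue' lines of a /proc status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def confinement(fields: dict) -> dict:
    """Summarise the confinement-related fields as booleans."""
    return {
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "seccomp_filter": fields.get("Seccomp") == "2",   # SECCOMP_MODE_FILTER
        # An all-zero bounding set means no capability can ever be regained.
        "caps_dropped": int(fields.get("CapBnd", "ffffffffffffffff"), 16) == 0,
    }


def set_no_new_privs() -> bool:
    """Set NO_NEW_PRIVS on the calling process (Linux only); True on success."""
    if not sys.platform.startswith("linux"):
        return False
    libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
    return libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0


def self_confinement() -> dict:
    """Read the live status of this process (Linux only)."""
    with open("/proc/self/status") as f:
        return confinement(parse_status(f.read()))


if __name__ == "__main__":
    print("constructed sample:", confinement(parse_status(SAMPLE_STATUS)))
    if sys.platform.startswith("linux"):
        print("before prctl:", self_confinement())
        set_no_new_privs()               # irreversible for this process
        print("after prctl: ", self_confinement())
```

       Run inside a sandbox started with nonewprivs, seccomp and caps.drop
       all, the live readout should show all three flags true before the
       prctl call is even made; outside one it shows them false until the
       prctl flips no_new_privs.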

DBus filtering

       Access to the session and system DBus UNIX sockets can be allowed,
       filtered or disabled. To disable the abstract sockets (and force
       applications to use the filtered UNIX socket) you would need to
       request a new network namespace using the --net command. Another
       option is to remove unix from the --protocol set.

       Filtering requires installing the xdg-dbus-proxy utility. Filter rules
       can be specified for well-known DBus names, and they are also
       propagated to the owning unique name. The permissions are "sticky" and
       are kept even if the corresponding well-known name is released
       (however, applications rarely release well-known names in practice).
       Names may have a .* suffix to match all names underneath them,
       including themselves (e.g. "foo.bar.*" matches "foo.bar",
       "foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more
       information, see xdg-dbus-proxy(1).

       Examples:


       dbus-system filter
              Enable filtered access to the system DBus. Filters can be
              specified with the dbus-system.talk and dbus-system.own
              commands.

       dbus-system none
              Disable access to the system DBus. Once access is disabled, it
              cannot be relaxed to filtering.

       dbus-system.own org.gnome.ghex.*
              Allow the application to own the name org.gnome.ghex and all
              names underneath it on the system DBus.

       dbus-system.talk org.freedesktop.Notifications
              Allow the application to talk to the name
              org.freedesktop.Notifications on the system DBus.

       dbus-system.see org.freedesktop.Notifications
              Allow the application to see but not talk to the name
              org.freedesktop.Notifications on the system DBus.

       dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to call methods of the interface
              org.freedesktop.Notifications of the object exposed at the path
              /org/freedesktop/Notifications by the client owning the bus name
              org.freedesktop.Notifications on the system DBus.

       dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to receive broadcast signals from the
              interface org.freedesktop.Notifications of the object exposed at
              the path /org/freedesktop/Notifications by the client owning the
              bus name org.freedesktop.Notifications on the system DBus.

       dbus-user filter
              Enable filtered access to the session DBus. Filters can be
              specified with the dbus-user.talk and dbus-user.own commands.

       dbus-user none
              Disable access to the session DBus. Once access is disabled, it
              cannot be relaxed to filtering.

       dbus-user.own org.gnome.ghex.*
              Allow the application to own the name org.gnome.ghex and all
              names underneath it on the session DBus.

       dbus-user.talk org.freedesktop.Notifications
              Allow the application to talk to the name
              org.freedesktop.Notifications on the session DBus.

       dbus-user.see org.freedesktop.Notifications
              Allow the application to see but not talk to the name
              org.freedesktop.Notifications on the session DBus.

       dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to call methods of the interface
              org.freedesktop.Notifications of the object exposed at the path
              /org/freedesktop/Notifications by the client owning the bus name
              org.freedesktop.Notifications on the session DBus.

       dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to receive broadcast signals from the
              interface org.freedesktop.Notifications of the object exposed at
              the path /org/freedesktop/Notifications by the client owning the
              bus name org.freedesktop.Notifications on the session DBus.

       nodbus (deprecated)
              Disable D-Bus access (both system and session buses). Equivalent
              to dbus-system none and dbus-user none.


       Individual filters can be overridden via the --ignore command.
       Supposing a profile has
              [...]
              dbus-user filter
              dbus-user.own org.mozilla.firefox.*
              dbus-user.talk org.freedesktop.Notifications
              dbus-system none
              [...]

              and the user wants to disable notifications, this can be
              achieved by putting the below in a local override file:
              [...]
              ignore dbus-user.talk org.freedesktop.Notifications
              [...]

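       The name-matching rule (".*" matches the name and everything
       underneath it, never a bare prefix), the "none cannot be relaxed to
       filter" rule, and the ignore override above, modelled as an added
       example that is not code from firejail or xdg-dbus-proxy. The see/talk/
       own levels are treated as nested (own implies talk implies see), which
       is the author's assumption about the proxy's semantics; call and
       broadcast rules are deliberately left out of the model.

```python
def name_matches(rule: str, name: str) -> bool:
    """'foo.bar.*' matches 'foo.bar' and every name under it, but not 'foobar'."""
    if rule.endswith(".*"):
        base = rule[:-2]
        return name == base or name.startswith(base + ".")
    return name == rule


class DbusPolicy:
    """Effective D-Bus policy built from dbus-user/dbus-system profile lines."""

    # Assumption: own > talk > see, and each level includes the lower ones.
    LEVELS = {"see": 1, "talk": 2, "own": 3}

    def __init__(self) -> None:
        self.mode = {"user": "allow", "system": "allow"}   # no line: unfiltered
        self.rules = {"user": [], "system": []}           # (name rule, level)

    def apply(self, cmd: str, arg: str) -> None:
        if cmd == "nodbus":                                # deprecated shorthand
            self.mode = {"user": "none", "system": "none"}
            return
        head, _, verb = cmd.partition(".")                 # "dbus-user.talk"
        bus = head[len("dbus-"):]
        if not head.startswith("dbus-") or bus not in self.mode:
            raise ValueError(f"not a dbus command: {cmd}")
        if not verb:                                       # dbus-user filter|none
            if self.mode[bus] == "none":
                return                                     # none is final
            self.mode[bus] = arg
        elif verb in self.LEVELS:
            self.rules[bus].append((arg, self.LEVELS[verb]))
        else:
            raise ValueError(f"{verb} rules are not modelled in this example")

    def allows(self, bus: str, access: str, name: str) -> bool:
        mode = self.mode[bus]
        if mode == "allow":
            return True
        if mode == "none":
            return False
        need = self.LEVELS[access]
        return any(name_matches(rule, name) and level >= need
                   for rule, level in self.rules[bus])


def build(lines, ignored=()) -> DbusPolicy:
    """Apply profile lines, skipping those matched by "ignore" prefixes
    (the override mechanism described above)."""
    policy = DbusPolicy()
    for cmd, arg in lines:
        if any(f"{cmd} {arg}".startswith(prefix) for prefix in ignored):
            continue
        policy.apply(cmd, arg)
    return policy


# The profile from the text, plus a late attempt to relax the system bus.
PROFILE_LINES = [
    ("dbus-user", "filter"),
    ("dbus-user.own", "org.mozilla.firefox.*"),
    ("dbus-user.talk", "org.freedesktop.Notifications"),
    ("dbus-system", "none"),
    ("dbus-system", "filter"),      # too late: none cannot be relaxed
]


def demo() -> dict:
    p = build(PROFILE_LINES)
    q = build(PROFILE_LINES, ignored=("dbus-user.talk org.freedesktop.Notifications",))
    return {
        "own_firefox_subname": p.allows("user", "own", "org.mozilla.firefox.Browser"),
        "talk_implied_by_own": p.allows("user", "talk", "org.mozilla.firefox"),
        "talk_notifications": p.allows("user", "talk", "org.freedesktop.Notifications"),
        "own_notifications": p.allows("user", "own", "org.freedesktop.Notifications"),
        "talk_unrelated": p.allows("user", "talk", "org.gnome.ghex"),
        "system_after_none": p.allows("system", "see", "org.freedesktop.Notifications"),
        "suffix_no_false_prefix": name_matches("foo.bar.*", "foobar"),
        "talk_notifications_after_override": q.allows("user", "talk",
                                                      "org.freedesktop.Notifications"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:36} {verdict}")
```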

Resource limits, CPU affinity

       These profile entries define the limits on system resources (rlimits)
       for the processes inside the sandbox. The limits can be modified
       inside the sandbox using the regular ulimit command. The cpu command
       configures the CPU cores available.

       Examples:


       cpu 0,1,2
              Use only CPU cores 0, 1 and 2.

       nice -5
              Set a nice value of -5 for all processes running inside the
              sandbox.

       rlimit-as 123456789012
              Set the maximum size of the process's virtual memory to
              123456789012 bytes.

       rlimit-cpu 123
              Set the maximum CPU time in seconds.

       rlimit-fsize 1024
              Set the maximum file size that can be created by a process to
              1024 bytes.

       rlimit-nproc 1000
              Set the maximum number of processes that can be created for the
              real user ID of the calling process to 1000.

       rlimit-nofile 500
              Set the maximum number of files that can be opened by a process
              to 500.

       rlimit-sigpending 200
              Set the maximum number of processes that can be created for the
              real user ID of the calling process to 200.

       timeout hh:mm:ss
              Kill the sandbox automatically after the time has elapsed. The
              time is specified in hours/minutes/seconds format.



User Environment

       allusers
              All user home directories are visible inside the sandbox. By
              default, only the current user's home directory is visible.


       env name=value
              Set an environment variable. Examples:

              env LD_LIBRARY_PATH=/opt/test/lib
              env CFLAGS="-W -Wall -Werror"


       ipc-namespace
              Enable IPC namespace.


       keep-fd
              Inherit open file descriptors into the sandbox.


       name sandboxname
              Set the sandbox name. Example:

              name browser


       no3d   Disable 3D hardware acceleration.

       noautopulse (deprecated)
              See keep-config-pulse.

       nodvd  Disable DVD and audio CD devices.

       nogroups
              Disable supplementary user groups.

       noinput
              Disable input devices.

       nosound
              Disable the sound system.

       notv   Disable DVB (Digital Video Broadcasting) TV devices.

       nou2f  Disable U2F devices.

       novideo
              Disable video capture devices.

       machine-id
              Spoof the id number in the /etc/machine-id file - a new random
              id is generated inside the sandbox.

       shell none
              Run the program directly, without a shell.




Networking

       Networking features available in profile files.


       defaultgw address
              Use this address as default gateway in the new network
              namespace.


       dns address
              Set a DNS server for the sandbox. Up to three DNS servers can be
              defined.


       hostname name
              Set a hostname for the sandbox.


       hosts-file file
              Use file as /etc/hosts.


       ip address
              Assign an IP address to the last network interface defined by a
              net command. A default gateway is assigned by default.

              Example:
              net eth0
              ip 10.10.20.56


       ip none
              No IP address and no default gateway are configured for the last
              interface defined by a net command. Use this option in case you
              intend to start an external DHCP client in the sandbox.

              Example:
              net eth0
              ip none


       ip dhcp
              Acquire an IP address and default gateway for the last interface
              defined by a net command, and set the DNS servers according to
              the DHCP response. This command requires the ISC dhclient DHCP
              client to be installed and will start it automatically inside
              the sandbox.

              Example:
              net br0
              ip dhcp

              This command should not be used in conjunction with the dns
              command if the DHCP server is set to configure DNS servers for
              the clients, because the manually specified DNS servers will be
              overwritten.

              The DHCP client will NOT release the DHCP lease when the sandbox
              terminates. If your DHCP server requires leases to be explicitly
              released, consider running a DHCP client and releasing the lease
              manually in conjunction with the net none command.


       ip6 address
              Assign an IPv6 address to the last network interface defined by
              a net command.

              Example:
              net eth0
              ip6 2001:0db8:0:f101::1/64


       ip6 dhcp
              Acquire an IPv6 address and default gateway for the last
              interface defined by a net command, and set the DNS servers
              according to the DHCP response. This command requires the ISC
              dhclient DHCP client to be installed and will start it
              automatically inside the sandbox.

              Example:
              net br0
              ip6 dhcp

              This command should not be used in conjunction with the dns
              command if the DHCP server is set to configure DNS servers for
              the clients, because the manually specified DNS servers will be
              overwritten.

              The DHCP client will NOT release the DHCP lease when the sandbox
              terminates. If your DHCP server requires leases to be explicitly
              released, consider running a DHCP client and releasing the lease
              manually.


       iprange address,address
              Assign an IP address in the provided range to the last network
              interface defined by a net command. A default gateway is
              assigned by default.

              Example:

              net eth0
              iprange 192.168.1.150,192.168.1.160


       mac address
              Assign a MAC address to the last network interface defined by a
              net command.


       mtu number
              Assign an MTU value to the last network interface defined by a
              net command.


       net bridge_interface
              Enable a new network namespace and connect it to this bridge
              interface. Unless specified with the ip and defaultgw commands,
              an IP address and a default gateway will be assigned
              automatically to the sandbox. The IP address is verified using
              ARP before assignment. The address configured as default gateway
              is the bridge device IP address. Up to four net bridge devices
              can be defined. Mixing bridge and macvlan devices is allowed.


       net ethernet_interface|wireless_interface
              Enable a new network namespace and connect it to this ethernet
              interface using the standard Linux macvlan or ipvlan driver.
              Unless specified with the ip and defaultgw commands, an IP
              address and a default gateway will be assigned automatically to
              the sandbox. The IP address is verified using ARP before
              assignment. The address configured as default gateway is the
              default gateway of the host. Up to four net devices can be
              defined. Mixing bridge and macvlan devices is allowed.


       net none
              Enable a new, unconnected network namespace. The only interface
              available in the new namespace is a new loopback interface (lo).
              Use this option to deny network access to programs that don't
              really need network access.


       net tap_interface
              Enable a new network namespace and connect it to this ethernet
              tap interface using the standard Linux macvlan driver. If the
              tap interface is not configured, the sandbox will not try to
              configure the interface inside the sandbox. Please use ip,
              netmask and defaultgw to specify the configuration.


       netfilter
              If a new network namespace is created, enable the default
              network filter.


       netfilter filename
              If a new network namespace is created, enable the network
              filter in filename.


       netlock
              Generate a custom network filter and enable it.



       netmask address
              Use this option when you want to assign an IP address in a new
              namespace and the parent interface specified by net is not
              configured. An IP address and a default gateway address also
              have to be added.


       netns namespace
              Run the program in a named, persistent network namespace. These
              can be created and configured using "ip netns".


       veth-name name
              Use this name for the interface connected to the bridge for
              net bridge_interface commands, instead of the default one.


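       The rules stated in this section and in the resource-limit section
       above can be checked before a profile is loaded: ip, ip6, iprange,
       mac, mtu, netmask and defaultgw apply to the last preceding net
       interface; at most three dns servers and four net devices may be
       defined; ip dhcp overwrites manually set DNS servers; rlimit-* values
       are integers; timeout is hh:mm:ss; env takes name=value. The linter
       below is an added example written for this page, not firejail code;
       the sample profile fragment it scans is constructed here, the lint
       messages are its own, and directives it does not know about (hostname,
       netfilter, netns and the like) are passed through unchecked.

```python
"""Lint the networking, rlimit, cpu, timeout and env directives of a firejail
profile fragment.  Added example for this man page, not firejail code: it
enforces only the rules the page states and ignores other directives."""
import ipaddress
import re

NET_DEPENDENT = {"ip", "ip6", "iprange", "mac", "mtu", "netmask", "defaultgw"}
RLIMITS = {"rlimit-as", "rlimit-cpu", "rlimit-fsize", "rlimit-nproc",
           "rlimit-nofile", "rlimit-sigpending"}
TIMEOUT_RE = re.compile(r"^\d{2}:[0-5]\d:[0-5]\d$")          # hh:mm:ss
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

# Constructed sample with deliberate mistakes; not a shipped firejail profile.
# 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_PROFILE = """\
# constructed sample profile fragment
net eth0
ip 10.10.20.56
dns 192.0.2.53
ip dhcp
net none
ip 10.10.20.57
rlimit-nofile 500
rlimit-sigpending lots
cpu 0,1,2
timeout 00:90:00
env LD_LIBRARY_PATH=/opt/test/lib
env CFLAGS
"""


def _is_addr(value, cls):
    """True if value parses as the given ipaddress class."""
    try:
        cls(value)
        return True
    except ValueError:
        return False


def lint_profile(text):
    """Return [(line_number, message), ...] for one profile fragment."""
    findings = []
    have_net = False      # set by 'net <iface>', cleared by 'net none'
    net_devices = 0
    dns_count = 0
    dhcp = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        cmd, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")

        if cmd == "net":
            have_net = arg != "none"
            if have_net:
                net_devices += 1
                if net_devices > 4:
                    findings.append((lineno, "more than four net devices"))
        elif cmd in NET_DEPENDENT:
            if not have_net:
                findings.append((lineno, f"{cmd} has no preceding net interface"))
            if cmd in ("ip", "ip6") and arg == "dhcp":
                dhcp = True
                if dns_count:
                    findings.append((lineno, f"{cmd} dhcp overwrites the dns servers above"))
            elif cmd == "ip" and arg != "none" and not _is_addr(arg, ipaddress.IPv4Address):
                findings.append((lineno, f"bad IPv4 address {arg!r}"))
            elif cmd == "ip6" and not _is_addr(arg, ipaddress.IPv6Interface):
                findings.append((lineno, f"bad IPv6 address {arg!r}"))
            elif cmd == "iprange":
                lo, _, hi = arg.partition(",")
                ok = _is_addr(lo, ipaddress.IPv4Address) and _is_addr(hi, ipaddress.IPv4Address)
                if not ok or ipaddress.IPv4Address(lo) > ipaddress.IPv4Address(hi):
                    findings.append((lineno, f"bad iprange {arg!r}"))
            elif cmd == "mac" and not MAC_RE.match(arg):
                findings.append((lineno, f"bad MAC address {arg!r}"))
            elif cmd == "mtu" and not arg.isdigit():
                findings.append((lineno, f"mtu needs a number, got {arg!r}"))
        elif cmd == "dns":
            dns_count += 1
            if dns_count > 3:
                findings.append((lineno, "more than three dns servers"))
            if dhcp:
                findings.append((lineno, "dns is overwritten by the earlier ip dhcp"))
            if not (_is_addr(arg, ipaddress.IPv4Address) or _is_addr(arg, ipaddress.IPv6Address)):
                findings.append((lineno, f"bad dns address {arg!r}"))
        elif cmd in RLIMITS and not arg.isdigit():
            findings.append((lineno, f"{cmd} needs a non-negative integer, got {arg!r}"))
        elif cmd == "cpu" and not all(c.isdigit() for c in arg.split(",")):
            findings.append((lineno, f"cpu needs a comma-separated core list, got {arg!r}"))
        elif cmd == "timeout" and not TIMEOUT_RE.match(arg):
            findings.append((lineno, f"timeout must be hh:mm:ss, got {arg!r}"))
        elif cmd == "env" and ("=" not in arg or arg.startswith("=")):
            findings.append((lineno, f"env needs name=value, got {arg!r}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_profile(SAMPLE_PROFILE):
        print(f"line {lineno}: {msg}")
```

       Running the module prints one line per finding; a clean fragment
       returns an empty list. net none clears the interface state on purpose,
       so an ip line that follows it is reported, matching the text's
       requirement that an address always refers to a preceding interface.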

Other

       deterministic-exit-code
              Always exit firejail with the first child's exit status. The
              default behavior is to use the exit status of the final child to
              exit, which can be nondeterministic.


       deterministic-shutdown
              Always shut down the sandbox after the first child has
              terminated. The default behavior is to keep the sandbox alive as
              long as it contains running processes.


       join-or-start sandboxname
              Join the sandbox identified by name, or start a new one. Same as
              the "firejail --join=sandboxname" command if a sandbox with the
              specified name exists, otherwise same as "name sandboxname".



FILES

       /etc/firejail/appname.profile
              Global Firejail configuration consisting mainly of profiles for
              each application supported by default.


       $HOME/.config/firejail/appname.profile
              User application profiles; they take precedence over the global
              profiles.


       /usr/share/doc/firejail/profile.template
              Template for building new profiles.


       /usr/share/doc/firejail/redirect_alias-profile.template
              Template for aliasing/redirecting profiles.



LICENSE

       Firejail is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.

       Homepage: https://firejail.wordpress.com


SEE ALSO

       firejail(1), firemon(1), firecfg(1), firejail-login(5),
       firejail-users(5), jailcheck(1)

       https://github.com/netblue30/firejail/wiki/Creating-Profiles



0.9.72                             Jul 2023                FIREJAIL-PROFILE(5)