# This is the Firejail system-wide configuration file. It contains
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values. Lines starting with '#' are
# comments; the commented entries below show each setting's default (or an
# example value), so to change a setting add an uncommented line for it.
# Settings here apply to every sandbox on the system, so keep this file owned
# and writable only by root.

# Enable AppArmor functionality, default enabled.
# apparmor yes

# Number of ARP probes sent when assigning an IP address for the --net option,
# default 2. This is a partial implementation of RFC 5227 (IPv4 address
# conflict detection). A 0.5 second timeout is used for each probe. Increase
# this number to 4 if your local layer 2 network uses RSTP (IEEE 802.1w).
# Permitted values are between 1 and 30.
# arp-probes 2

# Enable or disable bind support, default enabled.
# bind yes

# Enable or disable D-Bus handling (the --nodbus option), default enabled.
# dbus yes

# Disable access to /mnt, /media, /run/mount and /run/media in every sandbox.
# By default access to these directories is enabled. Setting this to yes is a
# system-wide way to keep sandboxed applications away from removable media and
# external mounts that live outside the home directory.
# disable-mnt no

# Enable or disable file transfer support, default enabled.
# file-transfer yes

# Enable the Firejail green prompt in the terminal, default disabled.
# firejail-prompt no

# Follow symlinks as the user. When the --whitelist feature is used,
# symlinks pointing outside the home directory are followed only
# if both the link and the file it points to are owned by the user.
# This ownership check is what prevents a user-controlled symlink from
# pulling files the user does not own into the whitelist.
# Enabled by default.
# follow-symlink-as-user yes

# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# Consider enabling this on multi-user systems; the trade-off is that
# with no_new_privs set, setuid and file-capability binaries (su, sudo,
# ping, ...) can no longer gain privileges inside any sandbox.
# force-nonewprivs no

# Allow joining a running sandbox as a regular user, default enabled.
# The root user can always join sandboxes. Set to no to restrict
# joining to root.
# join yes

# Enable or disable networking features, default enabled.
# network yes

# Enable or disable the private-cache feature, default enabled.
# private-cache yes

# Enable --quiet by default every time a sandbox is started. Default disabled.
# quiet-by-default no

# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to the root user. Regular users are only allowed --net=none.
# Enable this on multi-user systems where unprivileged users should not be
# able to attach sandboxes to host interfaces or define their own filters.
# restricted-network no

# Change the default netfilter configuration. When using the --netfilter option
# without a file argument, the default filter is hardcoded (see man 1 firejail).
# This configuration entry allows the administrator to change that default by
# specifying a file containing the filter configuration. The filter file format
# is the format of the iptables-save and iptables-restore commands. Because the
# file becomes the firewall for every sandbox started with a bare --netfilter,
# it should be owned and writable only by root. Example:
# netfilter-default /etc/iptables.iptables.rules

# Enable or disable seccomp support, default enabled.
# seccomp yes

# Enable or disable user namespace support, default enabled.
# userns yes

# Enable or disable whitelisting support, default enabled.
# whitelist yes