github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6
firejail/etc/firejail.config
Kelvin M. Klann e4294defd8 build: remove remnants of overlayfs/--overlay 
Remove what remains of the overlayfs support, `--overlay` commands and
the `--enable-overlayfs` configure option.

Commands:

* `--overlay`
* `--overlay-named=`
* `--overlay-clean`
* `--overlay-tmpfs`

firejail.config:

* `overlayfs`

Related commits:

* 489cc25c2 ("cleaned up old overlayfs code; the feature was disabled by
  default in 2021 because of security problems", 2025-12-16).
* b537aa57b ("fixed /sys mounting broken during overlayfs cleanup",
  2025-12-18)

Relates to #6994.

Note: Code with `RUN_OVERLAY_ROOT` / `oroot` is left as is, since it
seems to also be used by `--chroot`:

    $ git grep -E '[^n]oroot'
    etc/apparmor/firejail-default:# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,
    etc/apparmor/firejail-default:# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix,"
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
    etc/apparmor/firejail-default:#/{,run/firejail/mnt/oroot/}home/** ix,
    etc/apparmor/firejail-default:/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,
    src/firejail/chroot.c:  // create /run/firejail/mnt/oroot
    src/firejail/chroot.c:  char *oroot = RUN_OVERLAY_ROOT;
    src/firejail/chroot.c:  if (mkdir(oroot, 0755) == -1)
    src/firejail/chroot.c:  // mount the chroot dir on top of /run/firejail/mnt/oroot in order to reuse the apparmor rules for overlay
    src/firejail/chroot.c:  if (bind_mount_fd_to_path(parentfd, oroot))
    src/firejail/chroot.c:          errExit("mounting rootdir oroot");
    src/firejail/chroot.c:  if (chroot(oroot) < 0)
    src/include/rundefs.h:#define RUN_OVERLAY_ROOT          RUN_MNT_DIR "/oroot"
2025-12-19 16:35:02 -03:00

195 lines
6.9 KiB
Text
Raw Blame History

# This is Firejail system-wide configuration file. The file contains
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values.
# Allow programs to display a tray icon (warning: allows escaping the sandbox;
# see https://github.com/netblue30/firejail/discussions/4053)
# allow-tray no
# Enable AppArmor functionality, default enabled.
# apparmor yes
# Maximum number of arguments in the command line.
# Example: `firejail --foo /usr/bin/bar baz` has 4 arguments.
# This limit is intended to make stack smashing harder (see
# https://github.com/netblue30/firejail/issues/4633).
# arg-max-count 128
# Maximum length of each argument in the command line.
# Example: `--foo=bar` has a length of 9.
# This limit is intended to make stack smashing harder (see
# https://github.com/netblue30/firejail/issues/4633).
# arg-max-len 4096
# Number of ARP probes sent when assigning an IP address for --net option,
# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
# timeout is implemented for each probe. Increase this number to 4 if your
# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
# between 1 and 30.
# arp-probes 2
# Enable or disable bind support, default enabled.
# bind yes
# Allow (DRM) execution in browsers, default disabled.
# browser-allow-drm no
# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes
# Enable or disable chroot support, default disabled
# chroot no
# Enable or disable dbus handling, default enabled.
# dbus yes
# Disable /mnt, /media, /run/mount and /run/media access. By default access
# to these directories is enabled. Unlike --disable-mnt profile option this
# cannot be overridden by --noblacklist or --ignore.
# disable-mnt no
# Maximum number of environment variables.
# This limit is intended to make stack smashing harder (see
# https://github.com/netblue30/firejail/issues/4633).
# env-max-count 256
# Maximum length for each environment variable value.
# Example: `FOO=barr` has a length of 4.
# This limit is intended to make stack smashing harder (see
# https://github.com/netblue30/firejail/issues/4633).
# Note: The actual default value is based on `PATH_MAX`; see checkcfg.c.
# env-max-len 4096
# Enable or disable file transfer support, default enabled.
# file-transfer yes
# Enable Firejail green prompt in terminal, default disabled
# firejail-prompt no
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# force-nonewprivs no
# Allow sandbox joining as a regular user, default enabled.
# root user can always join sandboxes.
# join yes
# Timeout when joining a sandbox, default five seconds. It is not
# possible to join a sandbox while it is still starting up. Wait up
# to the specified period of time to allow sandbox setup to finish.
# join-timeout 5
# tracelog enables auditing blacklisted files and directories. A message
# is sent to syslog in case the file or the directory is accessed.
# Disabled by default.
# tracelog no
# Enable or disable sandbox name change, default enabled.
# name-change yes
# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of iptables-save and iptables-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules
# Enable or disable networking features, default enabled.
# network yes
# Set the limit for file copy in several --private-* options. The size is set
# in megabytes. By default we allow up to 500MB.
# Note: the files are copied in RAM.
# file-copy-limit 500
# Enable or disable private-bin feature, default enabled.
# private-bin yes
# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no
# Enable or disable private-cache feature, default enabled
# private-cache yes
# Enable or disable private-etc feature, default enabled.
# private-etc yes
# Enable or disable private-home feature, default enabled
# private-home yes
# Enable or disable private-lib feature, default disabled
# private-lib no
# Enable or disable private-opt feature, default enabled.
# private-opt yes
# Enable or disable private-srv feature, default enabled.
# private-srv yes
# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no
# Enable or disable seccomp support, default enabled.
# seccomp yes
# Add rules to the default seccomp filter. Same syntax as for --seccomp=
# None by default; this is an example.
# seccomp-filter-add !chroot,kcmp,mincore
# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
# seccomp-error-action EPERM
# If seccomp subsystem in Linux kernel kills a program, a message is posted to syslog.
# Starting with Linux kernel version 4.14, it is possible to send seccomp violation messages
# even if the program is allowed to continue (see "seccomp-error-action EPERM" above).
# This logging feature is disabled by default in our implementation.
# seccomp-log no
# Enable or disable user namespace support, default enabled.
# userns yes
# Disable whitelist top level directories, in addition to those
# that are disabled out of the box. None by default; this is an example.
# whitelist-disable-topdir /etc,/usr/etc
# Enable or disable X11 sandboxing support, default enabled.
# x11 yes
# Xephyr command extra parameters. None by default; these are examples.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale
# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024
# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes
# Enable this option if you have a version of Xpra that supports --attach switch
# for start command, default disabled.
# xpra-attach no
# Xpra server command extra parameters. None by default; this is an example.
# xpra-extra-params --dpi 96
# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
# color depth; use 24 unless you know exactly what you're doing.
# xvfb-screen 640x480x24
# xvfb-screen 800x600x24
# xvfb-screen 1024x768x24
# xvfb-screen 1280x1024x24
# Xvfb command extra parameters. None by default; this is an example.
# xvfb-extra-params -pixdepths 8 24 32
Reference in a new issue View git blame Copy permalink