mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-21 06:45:29 -06:00
.TH FIREJAIL 1 "MONTH YEAR" "VERSION" "firejail man page"
|
|
.SH NAME
|
|
Firejail \- Linux namespaces sandbox program
|
|
.SH SYNOPSIS
|
|
Start a sandbox:
|
|
.PP
|
|
.RS
|
|
firejail [OPTIONS] [program and arguments]
|
|
.RE
|
|
.PP
|
|
File transfer from an existing sandbox
|
|
.PP
|
|
.RS
|
|
firejail {\-\-ls | \-\-get | \-\-put} dir_or_filename
|
|
.RE
|
|
.PP
|
|
Network traffic shaping for an existing sandbox:
|
|
.PP
|
|
.RS
|
|
firejail \-\-bandwidth={name|pid} bandwidth-command
|
|
.RE
|
|
.PP
|
|
Monitoring:
|
|
.PP
|
|
.RS
|
|
firejail {\-\-list | \-\-netstats | \-\-top | \-\-tree}
|
|
.RE
|
|
.PP
|
|
Miscellaneous:
|
|
.PP
|
|
.RS
|
|
firejail {\-? | \-\-debug-caps | \-\-debug-errnos | \-\-debug-syscalls | \-\-debug-protocols | \-\-help | \-\-version}
|
|
.RE
|
|
.SH DESCRIPTION
|
|
Firejail is a SUID sandbox program that reduces the risk of security breaches by
|
|
restricting the running environment of untrusted applications using Linux
|
|
namespaces, seccomp-bpf and Linux capabilities.
|
|
It allows a process and all its descendants to have their own private view of the
|
|
globally shared kernel resources, such as the network stack, process table, mount table.
|
|
Firejail can work in a SELinux or AppArmor environment,
|
|
and it is integrated with Linux Control Groups.
|
|
.PP
|
|
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version
|
|
or newer.
|
|
It can sandbox any type of processes: servers, graphical applications, and even user login sessions.
|
|
.PP
|
|
Firejail allows the user to manage application security using security profiles.
|
|
Each profile defines a set of permissions for a specific application or group
|
|
of applications. The software includes security profiles for a number of more common
|
|
Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
|
|
|
|
.SH USAGE
Without any options, the sandbox consists of a filesystem built in a new mount namespace,
and new PID and UTS namespaces. IPC, network and user namespaces can be added using the
command line options. The default Firejail filesystem is based on the host filesystem with the main
system directories mounted read-only. These directories are /etc, /var, /usr, /bin, /sbin, /lib, /lib32,
/libx32 and /lib64. Only /home and /tmp are writable.
.PP
As it starts up, Firejail tries to find a security profile based on the name of the application.
If an appropriate profile is not found, Firejail will use a default profile.
The default profile is quite restrictive. In case the application doesn't work, use the --noprofile option
to disable it. For more information, please see the \fBSECURITY PROFILES\fR section below.
.PP
If a program argument is not specified, Firejail starts a /bin/bash shell.
|
|
Examples:
|
|
.PP
|
|
$ firejail [OPTIONS] # starting a /bin/bash shell
|
|
.PP
|
|
$ firejail [OPTIONS] firefox # starting Mozilla Firefox
|
|
.PP
|
|
# sudo firejail [OPTIONS] /etc/init.d/nginx start
|
|
|
|
.SH OPTIONS
|
|
.TP
\fB\-\-
Signals the end of options and disables further option processing.
|
|
.TP
|
|
\fB\-\-allow-debuggers
|
|
Allow tools such as strace and gdb inside the sandbox by whitelisting
|
|
system calls ptrace and process_vm_readv. This option is only
|
|
available when running on Linux kernels 4.8 or newer - a kernel bug in
|
|
ptrace system call allows a full bypass of the seccomp filter.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox
|
|
.TP
|
|
\fB\-\-allusers
|
|
All directories under /home are visible inside the sandbox. By default, only current user home directory is visible.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail --allusers
|
|
.TP
|
|
\fB\-\-apparmor
|
|
Enable AppArmor confinement. For more information, please see \fBAPPARMOR\fR section below.
|
|
.TP
|
|
\fB\-\-appimage
|
|
Sandbox an AppImage (https://appimage.org/) application.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail --appimage krita-3.0-x86_64.appimage
|
|
.br
|
|
$ firejail --appimage --private krita-3.0-x86_64.appimage
|
|
.br
|
|
$ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
|
|
|
|
.TP
|
|
\fB\-\-apparmor.print=name|pid
|
|
Print the AppArmor confinement status for the sandbox identified by name or by PID.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-apparmor.print=browser
|
|
.br
|
|
5074:netblue:/usr/bin/firejail /usr/bin/firefox-esr
|
|
.br
|
|
AppArmor: firejail-default enforce
|
|
|
|
.TP
|
|
\fB\-\-audit
|
|
Audit the sandbox, see \fBAUDIT\fR section for more details.
|
|
.TP
|
|
\fB\-\-audit=test-program
|
|
Audit the sandbox, see \fBAUDIT\fR section for more details.
|
|
.TP
|
|
\fB\-\-bandwidth=name|pid
|
|
Set bandwidth limits for the sandbox identified by name or PID, see \fBTRAFFIC SHAPING\fR section for more details.
|
|
.TP
|
|
\fB\-\-bind=filename1,filename2
|
|
Mount-bind filename1 on top of filename2. This option is only available when running as root.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
# firejail \-\-bind=/config/etc/passwd,/etc/passwd
|
|
.TP
|
|
\fB\-\-blacklist=dirname_or_filename
|
|
Blacklist directory or file. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-blacklist=/sbin \-\-blacklist=/usr/sbin
|
|
.br
|
|
$ firejail \-\-blacklist=~/.mozilla
|
|
.br
|
|
$ firejail "\-\-blacklist=/home/username/My Virtual Machines"
|
|
.br
|
|
$ firejail \-\-blacklist=/home/username/My\\ Virtual\\ Machines
|
|
.TP
|
|
\fB\-\-build
|
|
The command builds a whitelisted profile. The profile is printed on the screen. If /usr/bin/strace is installed on the system, it also
|
|
builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
|
|
with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
|
|
in order to allow strace to run. Chromium and Chromium-based browsers will not work.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail --build=profile-file vlc ~/Videos/test.mp4
|
|
.TP
|
|
\fB\-\-build=profile-file
|
|
The command builds a whitelisted profile, and saves it in profile-file. If /usr/bin/strace is installed on the system, it also
|
|
builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox,
|
|
with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported
|
|
in order to allow strace to run. Chromium and Chromium-based browsers will not work.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail --build=vlc.profile vlc ~/Videos/test.mp4
|
|
.TP
|
|
\fB\-c
|
|
Execute command and exit.
|
|
.TP
\fB\-\-caps
Linux capabilities are a kernel feature designed to split up the root privilege into a set of distinct privileges.
These privileges can be enabled or disabled independently, thus restricting what a process running
as root can do in the system.

By default root programs run with all capabilities enabled. The \-\-caps option disables the following capabilities:
CAP_SYS_MODULE, CAP_SYS_RAWIO,
CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.
The filter is applied to all processes started in the sandbox.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ sudo firejail \-\-caps /etc/init.d/nginx start
|
|
|
|
.TP
|
|
\fB\-\-caps.drop=all
|
|
Drop all capabilities for the processes running in the sandbox. This option is recommended for running GUI programs
|
|
or any other program that doesn't require root privileges. It is a must-have option for sandboxing untrusted programs
|
|
installed from unofficial sources - such as games, Java programs, etc.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-caps.drop=all warzone2100
|
|
|
|
.TP
|
|
\fB\-\-caps.drop=capability,capability,capability
|
|
Define a custom blacklist Linux capabilities filter.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-caps.drop=net_broadcast,net_admin,net_raw
|
|
|
|
.TP
|
|
\fB\-\-caps.keep=capability,capability,capability
|
|
Define a custom whitelist Linux capabilities filter.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ sudo firejail \-\-caps.keep=chown,net_bind_service,setgid,\\
|
|
setuid /etc/init.d/nginx start
|
|
|
|
.TP
|
|
\fB\-\-caps.print=name|pid
|
|
Print the caps filter for the sandbox identified by name or by PID.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
|
|
.br
|
|
$ firejail \-\-caps.print=mygame
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-list
|
|
.br
|
|
3272:netblue::firejail \-\-private firefox
|
|
.br
|
|
$ firejail \-\-caps.print=3272
|
|
|
|
.TP
|
|
\fB\-\-cgroup=tasks-file
|
|
Place the sandbox in the specified control group. tasks-file is the full path of cgroup tasks file.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
# firejail \-\-cgroup=/sys/fs/cgroup/g1/tasks
|
|
|
|
.TP
|
|
\fB\-\-chroot=dirname
|
|
Chroot the sandbox into a root filesystem. Unlike the regular filesystem container,
|
|
the system directories are mounted read-write. If the sandbox is started as a
|
|
regular user, default seccomp and capabilities filters are enabled. This
|
|
option is not available on Grsecurity systems.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-chroot=/media/ubuntu warzone2100
|
|
|
|
.TP
|
|
\fB\-\-cpu=cpu-number,cpu-number,cpu-number
|
|
Set CPU affinity.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-cpu=0,1 handbrake
|
|
|
|
.TP
|
|
\fB\-\-cpu.print=name|pid
|
|
Print the CPU cores in use by the sandbox identified by name or by PID.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
|
|
.br
|
|
$ firejail \-\-cpu.print=mygame
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-list
|
|
.br
|
|
3272:netblue::firejail \-\-private firefox
|
|
.br
|
|
$ firejail \-\-cpu.print=3272
|
|
|
|
.TP
|
|
\fB\-\-csh
|
|
Use /bin/csh as default user shell.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-csh
|
|
.TP
|
|
\fB\-\-debug\fR
|
|
Print debug messages.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-debug firefox
|
|
|
|
.TP
|
|
\fB\-\-debug-blacklists\fR
|
|
Debug blacklisting.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-debug-blacklists firefox
|
|
|
|
.TP
|
|
\fB\-\-debug-caps
|
|
Print all recognized capabilities in the current Firejail software build and exit.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-debug-caps
|
|
.TP
|
|
\fB\-\-debug-check-filename\fR
|
|
Debug filename checking.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-debug-check-filename firefox
|
|
|
|
.TP
|
|
\fB\-\-debug-errnos
|
|
Print all recognized error numbers in the current Firejail software build and exit.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-debug-errnos
|
|
.TP
|
|
\fB\-\-debug-private-lib
|
|
Debug messages for --private-lib option.
|
|
.TP
|
|
\fB\-\-debug-protocols
|
|
Print all recognized protocols in the current Firejail software build and exit.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-debug-protocols
|
|
.TP
|
|
\fB\-\-debug-syscalls
|
|
Print all recognized system calls in the current Firejail software build and exit.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-debug-syscalls
|
|
.TP
|
|
\fB\-\-debug-whitelists\fR
|
|
Debug whitelisting.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-debug-whitelists firefox
|
|
|
|
.TP
|
|
\fB\-\-defaultgw=address
|
|
Use this address as default gateway in the new network namespace.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-net=eth0 \-\-defaultgw=10.10.20.1 firefox
|
|
|
|
.TP
|
|
\fB\-\-disable-mnt
|
|
Disable /mnt, /media, /run/mount and /run/media access.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-disable-mnt firefox
|
|
|
|
.TP
|
|
\fB\-\-dns=address
|
|
Set a DNS server for the sandbox. Up to three DNS servers can be defined.
|
|
Use this option if you don't trust the DNS setup on your network.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-dns=8.8.8.8 \-\-dns=8.8.4.4 firefox
|
|
.br
|
|
|
|
.br
|
|
Note: this feature is not supported on systemd-resolved setups.
|
|
.TP
|
|
\fB\-\-dns.print=name|pid
|
|
Print DNS configuration for a sandbox identified by name or by PID.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
|
|
.br
|
|
$ firejail \-\-dns.print=mygame
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-list
|
|
.br
|
|
3272:netblue::firejail \-\-private firefox
|
|
.br
|
|
$ firejail \-\-dns.print=3272
|
|
|
|
.TP
|
|
\fB\-\-env=name=value
|
|
Set environment variable in the new sandbox.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-env=LD_LIBRARY_PATH=/opt/test/lib
|
|
|
|
.TP
|
|
\fB\-\-force
|
|
By default, if Firejail is started in an existing sandbox, it will run the program in a bash shell.
|
|
This option disables this behavior, and attempts to start Firejail in the existing sandbox.
|
|
There could be lots of reasons for it to fail, for example if the existing sandbox disables
|
|
admin capabilities, SUID binaries, or if it runs seccomp.
|
|
|
|
.TP
\fB\-\-fs.print=name|pid
Print the filesystem log for the sandbox identified by name or by PID.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
|
|
.br
|
|
$ firejail \-\-fs.print=mygame
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-list
|
|
.br
|
|
3272:netblue::firejail \-\-private firefox
|
|
.br
|
|
$ firejail \-\-fs.print=3272
|
|
|
|
.TP
|
|
\fB\-\-get=name|pid filename
|
|
Get a file from sandbox container, see \fBFILE TRANSFER\fR section for more details.
|
|
|
|
|
|
.TP
|
|
\fB\-\-git-install
|
|
Download, compile and install mainline git version of Firejail from the official repository on GitHub.
|
|
The software is installed in /usr/local/bin, and takes precedence over the (old) version
|
|
installed in /usr/bin. If for any reason the new version doesn't work, the user can uninstall it
|
|
using \-\-git-uninstall command and revert to the old version.
|
|
.br
|
|
|
|
.br
|
|
Prerequisites: git and compile support are required for this command to work. On Debian/Ubuntu
|
|
systems this support is installed using "sudo apt-get install build-essential git".
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
|
|
.br
|
|
$ firejail \-\-git-install
|
|
|
|
.TP
|
|
\fB\-\-git-uninstall
|
|
Remove the Firejail version previously installed in /usr/local/bin using \-\-git-install command.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
|
|
.br
|
|
$ firejail \-\-git-uninstall
|
|
|
|
.TP
\fB\-?\fR, \fB\-\-help\fR
Print options and exit.
|
|
|
|
|
|
.TP
|
|
\fB\-\-hostname=name
|
|
Set sandbox hostname.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-hostname=officepc firefox
|
|
|
|
.TP
|
|
\fB\-\-hosts-file=file
|
|
Use file as /etc/hosts.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-hosts-file=~/myhosts firefox
|
|
|
|
.TP
|
|
\fB\-\-ignore=command
|
|
Ignore command in profile file.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-ignore=shell --ignore=seccomp firefox
|
|
|
|
.TP
\fB\-\-interface=interface
Move an interface into a new network namespace. Up to four --interface options can be specified.
Note: wlan devices are not supported for this option.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-interface=eth1 \-\-interface=eth0.vlan100
|
|
|
|
.TP
|
|
\fB\-\-ip=address
|
|
Assign IP addresses to the last network interface defined by a \-\-net option. A
|
|
default gateway is assigned by default.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-net=eth0 \-\-ip=10.10.20.56 firefox
|
|
|
|
.TP
|
|
\fB\-\-ip=none
|
|
No IP address and no default gateway are configured for the last interface
|
|
defined by a \-\-net option. Use this option
|
|
in case you intend to start an external DHCP client in the sandbox.
|
|
.br
|
|
|
|
.br
|
|
Example:
.br
$ firejail \-\-net=eth0 \-\-ip=none
.br

.br
If the corresponding interface doesn't have an IP address configured, this
option is enabled by default.
|
|
|
|
.TP
|
|
\fB\-\-ip6=address
|
|
Assign IPv6 addresses to the last network interface defined by a \-\-net option.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-net=eth0 \-\-ip6=2001:0db8:0:f101::1/64 firefox
|
|
|
|
Note: you don't need this option if you obtain your IPv6 address from the router via SLAAC (your IPv6 address and default route will be configured by the kernel automatically).
|
|
|
|
.TP
|
|
\fB\-\-iprange=address,address
|
|
Assign an IP address in the provided range to the last network interface defined by a \-\-net option. A
|
|
default gateway is assigned by default.
|
|
.br
|
|
|
|
.br
|
|
Example:
.br
$ firejail \-\-net=eth0 \-\-iprange=192.168.1.100,192.168.1.150
|
|
|
|
.TP
|
|
\fB\-\-ipc-namespace
|
|
Enable a new IPC namespace if the sandbox was started as a regular user. IPC namespace is enabled by default
|
|
for sandboxes started as root.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-ipc-namespace firefox
|
|
.TP
\fB\-\-join=name|pid
Join the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
If a program is specified, the program is run in the sandbox. If the \-\-join command is issued as a regular user,
all security filters are configured for the new process the same way they are configured in the sandbox.
If the \-\-join command is issued as root, the security filters, cgroups and cpus configurations are not applied
to the process joining the sandbox.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
|
|
.br
|
|
$ firejail \-\-join=mygame
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-list
|
|
.br
|
|
3272:netblue::firejail \-\-private firefox
|
|
.br
|
|
$ firejail \-\-join=3272
|
|
|
|
.TP
|
|
\fB\-\-join-filesystem=name|pid
|
|
Join the mount namespace of the sandbox identified by name or PID. By default a /bin/bash shell is started after joining the sandbox.
|
|
If a program is specified, the program is run in the sandbox. This command is available only to root user.
|
|
Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox.
|
|
|
|
.TP
\fB\-\-join-network=name|pid
Join the network namespace of the sandbox identified by name or by PID. By default a /bin/bash shell is started after joining the sandbox.
If a program is specified, the program is run in the sandbox. This command is available only to the root user.
Security filters, cgroups and cpus configurations are not applied to the process joining the sandbox. Example:
|
|
.br
|
|
|
|
.br
|
|
# start firefox
|
|
.br
|
|
$ firejail --net=eth0 --name=browser firefox &
|
|
.br
|
|
|
|
.br
|
|
# change netfilter configuration
|
|
.br
|
|
$ sudo firejail --join-network=browser bash -c "cat /etc/firejail/nolocal.net | /sbin/iptables-restore"
|
|
.br
|
|
|
|
.br
|
|
# verify netfilter configuration
|
|
.br
|
|
$ sudo firejail --join-network=browser /sbin/iptables -vL
|
|
.br
|
|
|
|
.br
|
|
# verify IP addresses
|
|
.br
|
|
$ sudo firejail --join-network=browser ip addr
|
|
.br
|
|
Switching to pid 1932, the first child process inside the sandbox
|
|
.br
|
|
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
|
|
.br
|
|
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
|
.br
|
|
inet 127.0.0.1/8 scope host lo
|
|
.br
|
|
valid_lft forever preferred_lft forever
|
|
.br
|
|
inet6 ::1/128 scope host
|
|
.br
|
|
valid_lft forever preferred_lft forever
|
|
.br
|
|
2: eth0-1931: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
|
|
.br
|
|
link/ether 76:58:14:42:78:e4 brd ff:ff:ff:ff:ff:ff
|
|
.br
|
|
inet 192.168.1.158/24 brd 192.168.1.255 scope global eth0-1931
|
|
.br
|
|
valid_lft forever preferred_lft forever
|
|
.br
|
|
inet6 fe80::7458:14ff:fe42:78e4/64 scope link
|
|
.br
|
|
valid_lft forever preferred_lft forever
|
|
|
|
.TP
\fB\-\-join-or-start=name
Join the sandbox identified by name or start a new one.
Same as "firejail --join=name" if a sandbox with the specified name exists, otherwise same as "firejail --name=name ...".
.br
Note that, unlike the other join options, this one has a corresponding profile option.
|
|
|
|
.TP
|
|
\fB\-\-ls=name|pid dir_or_filename
|
|
List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
|
|
|
|
.TP
|
|
\fB\-\-list
|
|
List all sandboxes, see \fBMONITORING\fR section for more details.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-list
|
|
.br
|
|
7015:netblue:browser:firejail firefox
|
|
.br
|
|
7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk
|
|
.br
|
|
7064:netblue::firejail \-\-noroot xterm
|
|
.br
|
|
$
|
|
.TP
|
|
\fB\-\-mac=address
|
|
Assign MAC addresses to the last network interface defined by a \-\-net option.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-net=eth0 \-\-mac=00:11:22:33:44:55 firefox
|
|
|
|
.TP
\fB\-\-machine-id
Spoof the id number in the /etc/machine-id file: a new random id is generated inside the sandbox.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-machine-id
|
|
|
|
.TP
|
|
\fB\-\-memory-deny-write-execute
|
|
Install a seccomp filter to block attempts to create memory mappings
|
|
that are both writable and executable, to change mappings to be
|
|
executable, or to create executable shared memory. The filter examines
|
|
the arguments of mmap, mmap2, mprotect, pkey_mprotect and shmat system
|
|
calls and kills the process if necessary.
|
|
.br
|
|
|
|
.br
|
|
Note: shmat is not implemented
|
|
as a system call on some platforms including i386, and it cannot be
|
|
handled by seccomp-bpf.
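As an added example (not Firejail's own code), the C program below builds the kind of seccomp-bpf filter this option describes: it inspects the prot argument of mmap and mprotect and refuses any request for PROT_WRITE and PROT_EXEC together, setting no_new_privs first as \-\-nonewprivs does. It returns EACCES instead of killing the process so the effect can be observed, and it assumes the native ABI, omitting the architecture check and the mmap2, pkey_mprotect and shmat cases a production filter needs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define WX (PROT_WRITE | PROT_EXEC)

/* Install a seccomp-bpf filter on the calling process that refuses any
 * mmap() or mprotect() asking for PROT_WRITE and PROT_EXEC at once.
 * Firejail's filter kills the process; this demo returns EACCES so the
 * outcome can be checked. Assumption: native ABI, no arch check. */
int install_wx_filter(void)
{
    struct sock_filter prog[] = {
        /* A = system call number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* mmap -> inspect prot; otherwise fall through to the mprotect test */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap, 1, 0),
        /* mprotect -> inspect prot; any other syscall -> allow */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 4),
        /* A = low 32 bits of the third argument (prot) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, WX),
        /* both bits set -> deny with errno, otherwise allow */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, WX, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };

    /* Unprivileged seccomp requires no_new_privs, the same prctl that
     * Firejail's --nonewprivs option sets. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Map one anonymous page with the given protection.
 * Returns 0 on success, otherwise the errno the kernel reported. */
int try_map(int prot)
{
    void *p = mmap(NULL, 4096, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, 4096);
    return 0;
}

/* Map a page RW, then try to flip it to RWX (the "change mappings to be
 * executable" case). Returns 0 on success, otherwise errno. */
int try_mprotect_rwx(void)
{
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    int rc = mprotect(p, 4096, PROT_READ | WX) == 0 ? 0 : errno;
    munmap(p, 4096);
    return rc;
}

int main(void)
{
    printf("before filter: RWX mmap -> %d\n", try_map(PROT_READ | WX));
    if (install_wx_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("after filter:  RW  mmap -> %d\n", try_map(PROT_READ | PROT_WRITE));
    printf("after filter:  RWX mmap -> %d (EACCES is %d)\n",
           try_map(PROT_READ | WX), EACCES);
    printf("after filter:  RW->RWX mprotect -> %d\n", try_mprotect_rwx());
    return 0;
}
```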
|
|
|
|
.TP
|
|
\fB\-\-mtu=number
|
|
Assign a MTU value to the last network interface defined by a \-\-net option.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-net=eth0 \-\-mtu=1492
|
|
|
|
.TP
|
|
\fB\-\-name=name
|
|
Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
|
|
this name to identify a sandbox.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-name=mybrowser firefox
|
|
|
|
.TP
|
|
\fB\-\-net=bridge_interface
|
|
Enable a new network namespace and connect it to this bridge interface.
|
|
Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned
|
|
automatically to the sandbox. The IP address is verified using ARP before assignment. The address
|
|
configured as default gateway is the bridge device IP address. Up to four \-\-net
|
|
bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ sudo brctl addbr br0
|
|
.br
|
|
$ sudo ifconfig br0 10.10.20.1/24
|
|
.br
|
|
$ sudo brctl addbr br1
|
|
.br
|
|
$ sudo ifconfig br1 10.10.30.1/24
|
|
.br
|
|
$ firejail \-\-net=br0 \-\-net=br1
|
|
|
|
.TP
|
|
\fB\-\-net=ethernet_interface
|
|
Enable a new network namespace and connect it
|
|
to this ethernet interface using the standard Linux macvlan
|
|
driver. Unless specified with option \-\-ip and \-\-defaultgw, an
|
|
IP address and a default gateway will be assigned automatically
|
|
to the sandbox. The IP address is verified using ARP before
|
|
assignment. The address configured as default gateway is the
|
|
default gateway of the host. Up to four \-\-net devices can
|
|
be defined. Mixing bridge and macvlan devices is allowed.
|
|
Note: wlan devices are not supported for this option.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
|
|
|
|
.TP
|
|
\fB\-\-net=none
|
|
Enable a new, unconnected network namespace. The only interface
|
|
available in the new namespace is a new loopback interface (lo).
|
|
Use this option to deny
|
|
network access to programs that don't really need network access.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-net=none vlc
|
|
.br
|
|
|
|
.br
|
|
Note: \-\-net=none can crash the application on some platforms.
|
|
In these cases, it can be replaced with \-\-protocol=unix.
|
|
|
|
.TP
|
|
\fB\-\-netns=name
|
|
Run the program in a named, persistent network namespace. These can
|
|
be created and configured using "ip netns".
|
|
|
|
.TP
|
|
\fB\-\-netfilter
|
|
Enable a default firewall if a new network namespace is created inside the sandbox.
|
|
This option has no effect for sandboxes using the system network namespace.
|
|
.br
|
|
|
|
.br
|
|
The default firewall is optimized for regular desktop applications. No incoming
|
|
connections are accepted:
|
|
.br
|
|
|
|
.br
|
|
*filter
|
|
.br
|
|
:INPUT DROP [0:0]
|
|
.br
|
|
:FORWARD DROP [0:0]
|
|
.br
|
|
:OUTPUT ACCEPT [0:0]
|
|
.br
|
|
\-A INPUT \-i lo \-j ACCEPT
|
|
.br
|
|
\-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT
|
|
.br
|
|
# allow ping
|
|
.br
|
|
\-A INPUT \-p icmp \-\-icmp-type destination-unreachable \-j ACCEPT
|
|
.br
|
|
\-A INPUT \-p icmp \-\-icmp-type time-exceeded \-j ACCEPT
|
|
.br
|
|
\-A INPUT \-p icmp \-\-icmp-type echo-request \-j ACCEPT
|
|
.br
|
|
# drop STUN (WebRTC) requests
|
|
.br
|
|
-A OUTPUT -p udp --dport 3478 -j DROP
|
|
.br
|
|
-A OUTPUT -p udp --dport 3479 -j DROP
|
|
.br
|
|
-A OUTPUT -p tcp --dport 3478 -j DROP
|
|
.br
|
|
-A OUTPUT -p tcp --dport 3479 -j DROP
|
|
.br
|
|
COMMIT
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-net=eth0 \-\-netfilter firefox
|
|
.TP
|
|
\fB\-\-netfilter=filename
|
|
Enable the firewall specified by filename if a new network namespace is created inside the sandbox.
|
|
This option has no effect for sandboxes using the system network namespace.
|
|
.br
|
|
|
|
.br
|
|
Please use the regular iptables-save/iptables-restore format for the filter file. The following
|
|
examples are available in /etc/firejail directory:
|
|
.br
|
|
|
|
.br
|
|
.B webserver.net
|
|
is a webserver firewall that allows access only to TCP ports 80 and 443.
|
|
Example:
|
|
.br
|
|
|
|
.br
|
|
$ firejail --netfilter=/etc/firejail/webserver.net --net=eth0 \\
|
|
.br
|
|
/etc/init.d/apache2 start
|
|
.br
|
|
|
|
.br
|
|
.B nolocal.net
is a desktop client firewall that disables access to the local network. Example:
|
|
.br
|
|
|
|
.br
|
|
$ firejail --netfilter=/etc/firejail/nolocal.net \\
|
|
.br
|
|
--net=eth0 firefox
|
|
|
|
|
|
|
|
|
|
.TP
|
|
\fB\-\-netfilter=filename,arg1,arg2,arg3 ...
|
|
This is the template version of the previous command. $ARG1, $ARG2, $ARG3 ... in the firewall script
|
|
are replaced with arg1, arg2, arg3 ... passed on the command line. Up to 16 arguments are supported.
|
|
Example:
|
|
.br
|
|
|
|
.br
|
|
$ firejail --net=eth0 --ip=192.168.1.105 \\
|
|
.br
|
|
--netfilter=/etc/firejail/tcpserver.net,5001 server-program
|
|
.br
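Added example, not Firejail's code: a C rendering of the $ARG1 ... $ARGn substitution described above, with the sample template constructed here rather than copied from /etc/firejail/tcpserver.net. It refuses templates that reference an argument that was not supplied and checks that the rendered ruleset keeps the INPUT DROP policy of the default firewall.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NETFILTER_ARGS 16   /* the man page allows up to 16 template arguments */

/* Expand $ARG1 ... $ARGn in an iptables-save style firewall template, as the
 * --netfilter=filename,arg1,arg2,... option does with command line arguments.
 * The number after $ARG is read greedily, so $ARG12 is the twelfth argument
 * and never "$ARG1" followed by "2". Returns the rendered length, or -1 when
 * the output buffer is too small or the template names an argument that was
 * not supplied (loading a rule with a literal "$ARG2" left in it is an error). */
int render_netfilter_template(const char *tpl, const char *const args[],
                              int nargs, char *out, size_t outlen)
{
    size_t o = 0;
    if (nargs < 0 || nargs > MAX_NETFILTER_ARGS)
        return -1;
    for (const char *p = tpl; *p != '\0';) {
        if (strncmp(p, "$ARG", 4) == 0 && isdigit((unsigned char)p[4])) {
            char *end;
            long n = strtol(p + 4, &end, 10);
            if (n < 1 || n > nargs)
                return -1;
            size_t alen = strlen(args[n - 1]);
            if (o + alen >= outlen)
                return -1;
            memcpy(out + o, args[n - 1], alen);
            o += alen;
            p = end;
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Policy check on a rendered ruleset: like the default firewall shown above,
 * a sandbox template should keep the INPUT chain's policy at DROP and open
 * individual ports explicitly. Returns 1 if it does, 0 otherwise. */
int ruleset_has_input_drop(const char *rules)
{
    return strstr(rules, ":INPUT DROP") != NULL;
}

/* Constructed sample template in the page's iptables-save format, with the
 * permitted TCP port as $ARG1. Not a copy of /etc/firejail/tcpserver.net. */
const char *SAMPLE_TEMPLATE =
    "*filter\n"
    ":INPUT DROP [0:0]\n"
    ":FORWARD DROP [0:0]\n"
    ":OUTPUT ACCEPT [0:0]\n"
    "-A INPUT -i lo -j ACCEPT\n"
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A INPUT -p tcp --dport $ARG1 -j ACCEPT\n"
    "COMMIT\n";

int main(void)
{
    const char *args[] = { "5001" };   /* as in: --netfilter=...,5001 */
    char out[1024];
    if (render_netfilter_template(SAMPLE_TEMPLATE, args, 1, out, sizeof out) < 0) {
        fprintf(stderr, "template error\n");
        return 1;
    }
    fputs(out, stdout);
    return ruleset_has_input_drop(out) ? 0 : 1;
}
```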
|
|
|
|
|
|
|
|
.TP
|
|
\fB\-\-netfilter.print=name|pid
|
|
Print the firewall installed in the sandbox specified by name or PID. Example:
|
|
.br
|
|
|
|
.br
|
|
$ firejail --name=browser --net=eth0 --netfilter firefox &
|
|
.br
|
|
$ firejail --netfilter.print=browser
|
|
|
|
.TP
|
|
\fB\-\-netfilter6=filename
|
|
Enable the IPv6 firewall specified by filename if a new network namespace is created inside the sandbox.
|
|
This option has no effect for sandboxes using the system network namespace.
|
|
Please use the regular iptables-save/iptables-restore format for the filter file.
|
|
|
|
.TP
|
|
\fB\-\-netfilter6.print=name|pid
|
|
Print the IPv6 firewall installed in the sandbox specified by name or PID. Example:
|
|
.br
|
|
|
|
.br
|
|
$ firejail --name=browser --net=eth0 --netfilter firefox &
|
|
.br
|
|
$ firejail --netfilter6.print=browser
|
|
|
|
.TP
|
|
\fB\-\-netstats
|
|
Monitor network namespace statistics, see \fBMONITORING\fR section for more details.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
|
|
.br
|
|
$ firejail \-\-netstats
|
|
.br
|
|
PID User RX(KB/s) TX(KB/s) Command
|
|
.br
|
|
1294 netblue 53.355 1.473 firejail \-\-net=eth0 firefox
|
|
.br
|
|
7383 netblue 9.045 0.112 firejail \-\-net=eth0 transmission
|
|
|
|
.TP
|
|
\fB\-\-nice=value
|
|
Set nice value for all processes running inside the sandbox.
|
|
Only root may specify a negative value.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail --nice=2 firefox
|
|
|
|
.TP
|
|
\fB\-\-no3d
|
|
Disable 3D hardware acceleration.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail --no3d firefox
|
|
|
|
.TP
|
|
\fB\-\-noblacklist=dirname_or_filename
|
|
Disable blacklist for this directory or file.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail
|
|
.br
|
|
$ nc dict.org 2628
|
|
.br
|
|
bash: /bin/nc: Permission denied
|
|
.br
|
|
$ exit
|
|
.br
|
|
|
|
.br
|
|
$ firejail --noblacklist=/bin/nc
|
|
.br
|
|
$ nc dict.org 2628
|
|
.br
|
|
220 pan.alephnull.com dictd 1.12.1/rf on Linux 3.14-1-amd64
|
|
.br
|
|
.TP
|
|
\fB\-\-nodvd
|
|
Disable DVD and audio CD devices.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-nodvd
|
|
.TP
|
|
\fB\-\-noexec=dirname_or_filename
|
|
Remount directory or file noexec, nodev and nosuid. File globbing is supported, see \fBFILE GLOBBING\fR section for more details.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ firejail \-\-noexec=/tmp
|
|
.br
|
|
|
|
.br
/etc and /var are noexec by default if the sandbox was started as a regular user. If there is more than one mount operation
on the path of the file or directory, noexec should be applied to the last one. Always check if the change took effect inside the sandbox.
|
|
|
|
.TP
\fB\-\-nogroups
Disable supplementary groups. Without this option, supplementary groups are enabled for the user starting the
sandbox. For the root user, supplementary groups are always disabled.
|
|
.br
|
|
|
|
.br
|
|
Note: By default all regular user groups are removed with the exception of the current user. This can be changed
|
|
using \-\-allusers command option.
|
|
.br
|
|
|
|
.br
|
|
Example:
|
|
.br
|
|
$ id
|
|
.br
|
|
uid=1000(netblue) gid=1000(netblue) groups=1000(netblue),24(cdrom),25(floppy),27(sudo),29(audio)
|
|
.br
|
|
$ firejail \-\-nogroups
|
|
.br
|
|
Parent pid 8704, child pid 8705
|
|
.br
|
|
Child process initialized
|
|
.br
|
|
$ id
|
|
.br
|
|
uid=1000(netblue) gid=1000(netblue) groups=1000(netblue)
|
|
.br
|
|
$
|
|
|
|
.TP
\fB\-\-noprofile
Do not use a security profile.
.br

.br
Example:
.br
$ firejail
.br
Reading profile /etc/firejail/default.profile
.br
Parent pid 8553, child pid 8554
.br
Child process initialized
.br
[...]
.br

.br
$ firejail \-\-noprofile
.br
Parent pid 8553, child pid 8554
.br
Child process initialized
.br
[...]

.TP
\fB\-\-noroot
Install a user namespace with a single user - the current user.
The root user does not exist in the new namespace. This option
requires a Linux kernel version 3.8 or newer. The option
is not supported for \-\-chroot and \-\-overlay configurations,
or for sandboxes started as root.
.br

.br
Example:
.br
$ firejail \-\-noroot
.br
Parent pid 8553, child pid 8554
.br
Child process initialized
.br
$ ping google.com
.br
ping: icmp open socket: Operation not permitted
.br
$

.TP
\fB\-\-nonewprivs
Sets the NO_NEW_PRIVS prctl. This ensures that child processes
cannot acquire new privileges using execve(2); in particular,
this means that calling a suid binary (or one with file capabilities)
does not result in an increase of privilege. This option
is enabled by default if a seccomp filter is activated.

.TP
\fB\-\-nosound
Disable the sound system.
.br

.br
Example:
.br
$ firejail \-\-nosound firefox

.TP
\fB\-\-notv
Disable DVB (Digital Video Broadcasting) TV devices.
.br

.br
Example:
.br
$ firejail \-\-notv vlc

.TP
\fB\-\-novideo
Disable video devices.
.br

.TP
\fB\-\-nowhitelist=dirname_or_filename
Disable whitelist for this directory or file.

.TP
\fB\-\-output=logfile
stdout logging and log rotation. Copy stdout to logfile, and keep the size of the file under 500KB using log
rotation. Five files with suffixes .1 to .5 are used in rotation.
.br

.br
Example:
.br
$ firejail \-\-output=sandboxlog /bin/bash
.br
[...]
.br
$ ls -l sandboxlog*
.br
-rw-r--r-- 1 netblue netblue 333890 Jun 2 07:48 sandboxlog
.br
-rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.1
.br
-rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.2
.br
-rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.3
.br
-rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.4
.br
-rw-r--r-- 1 netblue netblue 511488 Jun 2 07:48 sandboxlog.5

.TP
\fB\-\-output-stderr=logfile
Similar to \-\-output, but stderr is also stored.

.TP
\fB\-\-overlay
Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
the system directories are mounted read-write. All filesystem modifications go into the overlay.
The overlay is stored in the $HOME/.firejail/<PID> directory.
.br

.br
OverlayFS support is required in the Linux kernel for this option to work.
OverlayFS was officially introduced in Linux kernel version 3.18.
This option is not available on Grsecurity systems.
.br

.br
Example:
.br
$ firejail \-\-overlay firefox

.TP
\fB\-\-overlay-named=name
Mount a filesystem overlay on top of the current filesystem. Unlike the regular filesystem container,
the system directories are mounted read-write. All filesystem modifications go into the overlay.
The overlay is stored in the $HOME/.firejail/<NAME> directory. The created overlay can be reused between multiple
sessions.
.br

.br
OverlayFS support is required in the Linux kernel for this option to work.
OverlayFS was officially introduced in Linux kernel version 3.18.
This option is not available on Grsecurity systems.
.br

.br
Example:
.br
$ firejail \-\-overlay-named=jail1 firefox

.TP
\fB\-\-overlay-tmpfs
Mount a filesystem overlay on top of the current filesystem. All filesystem modifications
are discarded when the sandbox is closed.
.br

.br
OverlayFS support is required in the Linux kernel for this option to work.
OverlayFS was officially introduced in Linux kernel version 3.18.
This option is not available on Grsecurity systems.
.br

.br
Example:
.br
$ firejail \-\-overlay-tmpfs firefox

.TP
\fB\-\-overlay-clean
Clean all overlays stored in the $HOME/.firejail directory.
.br

.br
Example:
.br
$ firejail \-\-overlay-clean

.TP
\fB\-\-private
Mount new /root and /home/user directories in temporary
filesystems. All modifications are discarded when the sandbox is
closed.
.br

.br
Example:
.br
$ firejail \-\-private firefox
.TP
\fB\-\-private=directory
Use directory as user home.
.br

.br
Example:
.br
$ firejail \-\-private=/home/netblue/firefox-home firefox

.TP
\fB\-\-private-home=file,directory
Build a new user home in a temporary
filesystem, and copy the files and directories in the list into the
new home. All modifications are discarded when the sandbox is
closed.
.br

.br
Example:
.br
$ firejail \-\-private-home=.mozilla firefox

.TP
\fB\-\-private-bin=file,file
Build a new /bin in a temporary filesystem, and copy the programs in the list.
If no listed file is found, the /bin directory will be empty.
The same directory is also bind-mounted over /sbin, /usr/bin, /usr/sbin and /usr/local/bin.
All modifications are discarded when the sandbox is closed. File globbing is supported,
see the \fBFILE GLOBBING\fR section for more details.
.br

.br
Example:
.br
$ firejail \-\-private-bin=bash,sed,ls,cat
.br
Parent pid 20841, child pid 20842
.br
Child process initialized
.br
$ ls /bin
.br
bash cat ls sed

.TP
\fB\-\-private-lib=file,directory
This feature is currently under heavy development. Only amd64 platforms are supported at this moment.
The idea is to build a new /lib in a temporary filesystem,
with only the library files necessary to run the application.
It could be as simple as:
.br

.br
$ firejail --private-lib galculator
.br

.br
but it gets complicated really fast:
.br

.br
$ firejail --private-lib=x86_64-linux-gnu/xed,x86_64-linux-gnu/gdk-pixbuf-2.0,libenchant.so.1,librsvg-2.so.2 xed
.br

.br
The feature is integrated with \-\-private-bin:
.br

.br
$ firejail --private-lib --private-bin=bash,ls,ps
.br
$ ls /lib
.br
ld-linux-x86-64.so.2 libgpg-error.so.0 libprocps.so.6 libsystemd.so.0
.br
libc.so.6 liblz4.so.1 libpthread.so.0 libtinfo.so.5
.br
libdl.so.2 liblzma.so.5 librt.so.1 x86_64-linux-gnu
.br
libgcrypt.so.20 libpcre.so.3 libselinux.so.1
.br
$ ps
.br
PID TTY TIME CMD
.br
1 pts/0 00:00:00 firejail
.br
45 pts/0 00:00:00 bash
.br
48 pts/0 00:00:00 ps
.br
$
.br

.TP
\fB\-\-private-dev
Create a new /dev directory. Only disc, dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available.
.br

.br
Example:
.br
$ firejail \-\-private-dev
.br
Parent pid 9887, child pid 9888
.br
Child process initialized
.br
$ ls /dev
.br
cdrom cdrw dri dvd dvdrw full log null ptmx pts random shm snd sr0 tty urandom zero
.br
$
.TP
\fB\-\-private-etc=file,directory
Build a new /etc in a temporary
filesystem, and copy the files and directories in the list.
If no listed file is found, the /etc directory will be empty.
All modifications are discarded when the sandbox is closed.
.br

.br
Example:
.br
$ firejail --private-etc=group,hostname,localtime, \\
.br
nsswitch.conf,passwd,resolv.conf

.TP
\fB\-\-private-opt=file,directory
Build a new /opt in a temporary
filesystem, and copy the files and directories in the list.
If no listed file is found, the /opt directory will be empty.
All modifications are discarded when the sandbox is closed.
.br

.br
Example:
.br
$ firejail --private-opt=firefox /opt/firefox/firefox

.TP
\fB\-\-private-srv=file,directory
Build a new /srv in a temporary
filesystem, and copy the files and directories in the list.
If no listed file is found, the /srv directory will be empty.
All modifications are discarded when the sandbox is closed.
.br

.br
Example:
.br
# firejail --private-srv=www /etc/init.d/apache2 start

.TP
\fB\-\-private-tmp
Mount an empty temporary filesystem on top of the /tmp directory, whitelisting the X11 and PulseAudio sockets.
.br

.br
Example:
.br
$ firejail \-\-private-tmp
.br
$ ls -al /tmp
.br
drwxrwxrwt 4 nobody nogroup 80 Apr 30 11:46 .
.br
drwxr-xr-x 30 nobody nogroup 4096 Apr 26 22:18 ..
.br
drwx------ 2 nobody nogroup 4096 Apr 30 10:52 pulse-PKdhtXMmr18n
.br
drwxrwxrwt 2 nobody nogroup 4096 Apr 30 10:52 .X11-unix
.br

.TP
\fB\-\-profile=filename
Load a custom security profile from filename. For filename use an absolute path or a path relative to the current directory.
For more information, see the \fBSECURITY PROFILES\fR section below.
.br

.br
Example:
.br
$ firejail \-\-profile=myprofile

.TP
\fB\-\-profile.print=name|pid
Print the name of the profile file for the sandbox identified by name or PID.
.br

.br
Example:
.br
$ firejail \-\-profile.print=browser
.br
/etc/firejail/firefox.profile
.br
.TP
\fB\-\-protocol=protocol,protocol,protocol
Enable the protocol filter. The filter is based on seccomp and checks the first argument to the socket system call.
Recognized values: unix, inet, inet6, netlink and packet. This option is not supported for the i386 architecture.
.br

.br
Example:
.br
$ firejail \-\-protocol=unix,inet,inet6 firefox
.TP
\fB\-\-protocol.print=name|pid
Print the protocol filter for the sandbox identified by name or PID.
.br

.br
Example:
.br
$ firejail \-\-name=mybrowser firefox &
.br
$ firejail \-\-protocol.print=mybrowser
.br
unix,inet,inet6,netlink
.br

.br
Example:
.br
$ firejail \-\-list
.br
3272:netblue::firejail \-\-private firefox
.br
$ firejail \-\-protocol.print=3272
.br
unix,inet,inet6,netlink
.TP
\fB\-\-put=name|pid src-filename dest-filename
Put a file in the sandbox container, see the \fBFILE TRANSFER\fR section for more details.
.TP
\fB\-\-quiet
Turn off Firejail's output.
.TP
\fB\-\-read-only=dirname_or_filename
Set directory or file read-only. File globbing is supported, see the \fBFILE GLOBBING\fR section for more details.
.br

.br
Example:
.br
$ firejail \-\-read-only=~/.mozilla firefox
.br

.br
A short note about mixing \-\-whitelist and \-\-read-only options. Whitelisted directories
should be made read-only independently. Making a parent directory read-only will not
make the whitelist read-only. Example:
.br

.br
$ firejail --whitelist=~/work --read-only=~ --read-only=~/work

.TP
\fB\-\-read-write=dirname_or_filename
Set directory or file read-write. Only files or directories belonging to the current user are allowed for
this operation. File globbing is supported, see the \fBFILE GLOBBING\fR section for more details.
Example:
.br

.br
$ mkdir ~/test
.br
$ touch ~/test/a
.br
$ firejail --read-only=~/test --read-write=~/test/a

.TP
\fB\-\-rlimit-as=number
Set the maximum size of the process's virtual memory (address space) in bytes.

.TP
\fB\-\-rlimit-cpu=number
Set the maximum limit, in seconds, for the amount of CPU time each
sandboxed process can consume. When the limit is reached, the processes are killed.

The CPU limit is a limit on CPU seconds rather than elapsed time. CPU seconds is basically how many seconds
the CPU has been in use and does not necessarily directly relate to the elapsed time. The Linux kernel keeps
track of CPU seconds for each process independently.

.TP
\fB\-\-rlimit-fsize=number
Set the maximum file size that can be created by a process.
.TP
\fB\-\-rlimit-nofile=number
Set the maximum number of files that can be opened by a process.
.TP
\fB\-\-rlimit-nproc=number
Set the maximum number of processes that can be created for the real user ID of the calling process.
.TP
\fB\-\-rlimit-sigpending=number
Set the maximum number of pending signals for a process.

.TP
\fB\-\-rmenv=name
Remove an environment variable in the new sandbox.
.br

.br
Example:
.br
$ firejail \-\-rmenv=DBUS_SESSION_BUS_ADDRESS

.TP
\fB\-\-scan
ARP-scan all the networks from inside a network namespace.
This makes it possible to detect macvlan kernel device drivers running on the current host.
.br

.br
Example:
.br
$ firejail \-\-net=eth0 \-\-scan
.TP
\fB\-\-seccomp
Enable the seccomp filter and blacklist the syscalls in the default list (@default). The default list is as follows:
mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module,
iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp,
add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup,
io_destroy, io_getevents, io_submit, io_cancel,
remap_file_pages, mbind, set_mempolicy,
migrate_pages, move_pages, vmsplice, chroot,
tuxcall, reboot, nfsservctl, get_kernel_syms,
bpf, clock_settime, personality, process_vm_writev, query_module,
settimeofday, stime, umount, userfaultfd, ustat, vm86, vm86old,
afs_syscall, bdflush, break, ftime, getpmsg, gtty, lock, mpx, pciconfig_iobase, pciconfig_read,
pciconfig_write, prof, profil, putpmsg, rtas, s390_runtime_instr, s390_mmio_read, s390_mmio_write,
security, setdomainname, sethostname, sgetmask, ssetmask, stty, subpage_prot, switch_endian,
ulimit, vhangup and vserver.

.br
To help create useful seccomp filters more easily, the following
system call groups are defined: @clock, @cpu-emulation, @debug,
@default, @default-nodebuggers, @default-keep, @module, @obsolete,
@privileged, @raw-io, @reboot, @resources and @swap. In addition, a
system call can be specified by its number instead of its name with the prefix
$, so for example $165 would be equal to mount on i386.

.br
The system architecture is strictly imposed only if the flag
\-\-seccomp.block-secondary is used. The filter is applied at run time
only if the correct architecture was detected. In the case of i386
and amd64 both 32-bit and 64-bit filters are installed.
.br

.br
Firejail will print seccomp violations to the audit log if the kernel was compiled with audit support (CONFIG_AUDIT flag).
.br

.br
Example:
.br
$ firejail \-\-seccomp
.TP
\fB\-\-seccomp=syscall,@group
Enable the seccomp filter, blacklist the default list (@default) and the syscalls or syscall groups specified by the command.
.br

.br
Example:
.br
$ firejail \-\-seccomp=utime,utimensat,utimes firefox
.br
$ firejail \-\-seccomp=@clock,mkdir,unlinkat transmission-gtk
.br

.br
Instead of dropping the syscall, a specific error number can be returned
using the \fBsyscall:errno\fR syntax.
.br

.br
Example:
.br
$ firejail \-\-seccomp=unlinkat:ENOENT,utimensat,utimes
.br
Parent pid 10662, child pid 10663
.br
Child process initialized
.br
$ touch testfile
.br
$ rm testfile
.br
rm: cannot remove `testfile': Operation not permitted
.br

.br
If the blocked system calls would also block Firejail from operating,
they are handled by adding a preloaded library which performs the seccomp
system calls later.
.br

.br
Example:
.br
$ firejail \-\-noprofile \-\-shell=none \-\-seccomp=execve bash
.br
Parent pid 32751, child pid 32752
.br
Post-exec seccomp protector enabled
.br
list in: execve, check list: @default-keep prelist: (null), postlist: execve
.br
Child process initialized in 46.44 ms
.br
$ ls
.br
Bad system call
.br

.TP
\fB\-\-seccomp.block-secondary
Enable the seccomp filter and filter system call architectures so that
only the native architecture is allowed. For example, on amd64, i386
and x32 system calls are blocked, as is changing the execution
domain with the personality(2) system call.
.br

.TP
\fB\-\-seccomp.drop=syscall,@group
Enable the seccomp filter, and blacklist the syscalls or the syscall groups specified by the command.
.br

.br
Example:
.br
$ firejail \-\-seccomp.drop=utime,utimensat,utimes,@clock
.br

.br
Instead of dropping the syscall, a specific error number can be returned
using the \fBsyscall:errno\fR syntax.
.br

.br
Example:
.br
$ firejail \-\-seccomp.drop=unlinkat:ENOENT,utimensat,utimes
.br
Parent pid 10662, child pid 10663
.br
Child process initialized
.br
$ touch testfile
.br
$ rm testfile
.br
rm: cannot remove `testfile': Operation not permitted
.br

.TP
\fB\-\-seccomp.keep=syscall,syscall,syscall
Enable the seccomp filter, and whitelist the syscalls specified by the
command. The system calls needed by Firejail (group @default-keep:
prctl, execve) are handled with the preload library.
.br

.br
Example:
.br
$ firejail \-\-shell=none \-\-seccomp.keep=poll,select,[...] transmission-gtk

.TP
\fB\-\-seccomp.print=name|PID
Print the seccomp filter for the sandbox identified by name or PID.
.br

.br
Example:
.br
$ firejail \-\-name=browser firefox &
.br
$ firejail --seccomp.print=browser
.br
line OP JT JF K
.br
=================================
.br
0000: 20 00 00 00000004 ld data.architecture
.br
0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
.br
0002: 06 00 00 7fff0000 ret ALLOW
.br
0003: 20 00 00 00000000 ld data.syscall-number
.br
0004: 35 01 00 40000000 jge X32_ABI true:0006 (false 0005)
.br
0005: 35 01 00 00000000 jge read 0007 (false 0006)
.br
0006: 06 00 00 00050001 ret ERRNO(1)
.br
0007: 15 41 00 0000009a jeq modify_ldt 0049 (false 0008)
.br
0008: 15 40 00 000000d4 jeq lookup_dcookie 0049 (false 0009)
.br
0009: 15 3f 00 0000012a jeq perf_event_open 0049 (false 000a)
.br
000a: 15 3e 00 00000137 jeq process_vm_writev 0049 (false 000b)
.br
000b: 15 3d 00 0000009c jeq _sysctl 0049 (false 000c)
.br
000c: 15 3c 00 000000b7 jeq afs_syscall 0049 (false 000d)
.br
000d: 15 3b 00 000000ae jeq create_module 0049 (false 000e)
.br
000e: 15 3a 00 000000b1 jeq get_kernel_syms 0049 (false 000f)
.br
000f: 15 39 00 000000b5 jeq getpmsg 0049 (false 0010)
.br
0010: 15 38 00 000000b6 jeq putpmsg 0049 (false 0011)
.br
0011: 15 37 00 000000b2 jeq query_module 0049 (false 0012)
.br
0012: 15 36 00 000000b9 jeq security 0049 (false 0013)
.br
0013: 15 35 00 0000008b jeq sysfs 0049 (false 0014)
.br
0014: 15 34 00 000000b8 jeq tuxcall 0049 (false 0015)
.br
0015: 15 33 00 00000086 jeq uselib 0049 (false 0016)
.br
0016: 15 32 00 00000088 jeq ustat 0049 (false 0017)
.br
0017: 15 31 00 000000ec jeq vserver 0049 (false 0018)
.br
0018: 15 30 00 0000009f jeq adjtimex 0049 (false 0019)
.br
0019: 15 2f 00 00000131 jeq clock_adjtime 0049 (false 001a)
.br
001a: 15 2e 00 000000e3 jeq clock_settime 0049 (false 001b)
.br
001b: 15 2d 00 000000a4 jeq settimeofday 0049 (false 001c)
.br
001c: 15 2c 00 000000b0 jeq delete_module 0049 (false 001d)
.br
001d: 15 2b 00 00000139 jeq finit_module 0049 (false 001e)
.br
001e: 15 2a 00 000000af jeq init_module 0049 (false 001f)
.br
001f: 15 29 00 000000ad jeq ioperm 0049 (false 0020)
.br
0020: 15 28 00 000000ac jeq iopl 0049 (false 0021)
.br
0021: 15 27 00 000000f6 jeq kexec_load 0049 (false 0022)
.br
0022: 15 26 00 00000140 jeq kexec_file_load 0049 (false 0023)
.br
0023: 15 25 00 000000a9 jeq reboot 0049 (false 0024)
.br
0024: 15 24 00 000000a7 jeq swapon 0049 (false 0025)
.br
0025: 15 23 00 000000a8 jeq swapoff 0049 (false 0026)
.br
0026: 15 22 00 000000a3 jeq acct 0049 (false 0027)
.br
0027: 15 21 00 00000141 jeq bpf 0049 (false 0028)
.br
0028: 15 20 00 000000a1 jeq chroot 0049 (false 0029)
.br
0029: 15 1f 00 000000a5 jeq mount 0049 (false 002a)
.br
002a: 15 1e 00 000000b4 jeq nfsservctl 0049 (false 002b)
.br
002b: 15 1d 00 0000009b jeq pivot_root 0049 (false 002c)
.br
002c: 15 1c 00 000000ab jeq setdomainname 0049 (false 002d)
.br
002d: 15 1b 00 000000aa jeq sethostname 0049 (false 002e)
.br
002e: 15 1a 00 000000a6 jeq umount2 0049 (false 002f)
.br
002f: 15 19 00 00000099 jeq vhangup 0049 (false 0030)
.br
0030: 15 18 00 000000ee jeq set_mempolicy 0049 (false 0031)
.br
0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032)
.br
0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033)
.br
0033: 15 15 00 000000ed jeq mbind 0049 (false 0034)
.br
0034: 15 14 00 00000130 jeq open_by_handle_at 0049 (false 0035)
.br
0035: 15 13 00 0000012f jeq name_to_handle_at 0049 (false 0036)
.br
0036: 15 12 00 000000fb jeq ioprio_set 0049 (false 0037)
.br
0037: 15 11 00 00000067 jeq syslog 0049 (false 0038)
.br
0038: 15 10 00 0000012c jeq fanotify_init 0049 (false 0039)
.br
0039: 15 0f 00 00000138 jeq kcmp 0049 (false 003a)
.br
003a: 15 0e 00 000000f8 jeq add_key 0049 (false 003b)
.br
003b: 15 0d 00 000000f9 jeq request_key 0049 (false 003c)
.br
003c: 15 0c 00 000000fa jeq keyctl 0049 (false 003d)
.br
003d: 15 0b 00 000000ce jeq io_setup 0049 (false 003e)
.br
003e: 15 0a 00 000000cf jeq io_destroy 0049 (false 003f)
.br
003f: 15 09 00 000000d0 jeq io_getevents 0049 (false 0040)
.br
0040: 15 08 00 000000d1 jeq io_submit 0049 (false 0041)
.br
0041: 15 07 00 000000d2 jeq io_cancel 0049 (false 0042)
.br
0042: 15 06 00 000000d8 jeq remap_file_pages 0049 (false 0043)
.br
0043: 15 05 00 00000116 jeq vmsplice 0049 (false 0044)
.br
0044: 15 04 00 00000087 jeq personality 0049 (false 0045)
.br
0045: 15 03 00 00000143 jeq userfaultfd 0049 (false 0046)
.br
0046: 15 02 00 00000065 jeq ptrace 0049 (false 0047)
.br
0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false 0048)
.br
0048: 06 00 00 7fff0000 ret ALLOW
.br
0049: 06 00 01 00000000 ret KILL
.br
$
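The filter printed above, the \-\-seccomp=syscall:errno syntax and the \-\-protocol socket-family check all reduce to the same classic-BPF shape: load the architecture, load the syscall number, compare, return an action. The following added example (not Firejail's own code) builds such a program with those three elements and runs it through a small BPF interpreter on constructed seccomp_data, so the decisions can be checked without installing anything. The policy it encodes (foreign arch and x32 killed, disallowed socket families answered with EPERM) is this example's choice, not a Firejail default.

```c
/* Added example, not Firejail's own code: build a seccomp-bpf program in the
 * shape "firejail --seccomp.print" shows above and run it through a small BPF
 * interpreter on constructed seccomp_data. Needs the Linux UAPI headers. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define MAX_INSNS 64
#define X32_ABI_BIT 0x40000000u   /* the "jge X32_ABI" test in the dump above */
#define STMT(code, k) ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))

struct filter { struct sock_filter insn[MAX_INSNS]; unsigned len; };
struct rule { int nr; uint32_t action; };  /* SECCOMP_RET_KILL or SECCOMP_RET_ERRNO | errno */
static void emit(struct filter *f, struct sock_filter s) {
    if (f->len < MAX_INSNS) f->insn[f->len++] = s;
}

/* Policy assumed by this example (not a Firejail default):
 *   foreign arch or x32 ABI -> KILL (what --seccomp.block-secondary does; the dump
 *                              above instead returns ALLOW for a foreign arch)
 *   each rule               -> its action, e.g. ERRNO as in --seccomp=unlinkat:ENOENT
 *   socket(2)               -> ALLOW only for listed families (--protocol checks
 *                              socket's first argument), otherwise EPERM; else ALLOW */
static void build_filter(struct filter *f, const struct rule *rules, unsigned nrules,
                         const uint32_t *families, unsigned nfam) {
    f->len = 0;
    emit(f, STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    emit(f, JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0));
    emit(f, STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    emit(f, STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    emit(f, JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_ABI_BIT, 0, 1));
    emit(f, STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    for (unsigned i = 0; i < nrules; i++) {  /* one "jeq <syscall>" row per rule */
        emit(f, JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)rules[i].nr, 0, 1));
        emit(f, STMT(BPF_RET | BPF_K, rules[i].action));
    }
    /* not socket(2): jump over the family block (ld + nfam jumps + ret EPERM) */
    emit(f, JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, nfam + 2));
    emit(f, STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)));
    for (unsigned i = 0; i < nfam; i++)       /* family listed: jump to ret ALLOW */
        emit(f, JUMP(BPF_JMP | BPF_JEQ | BPF_K, families[i], nfam - i, 0));
    emit(f, STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM));
    emit(f, STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
}

/* Interpret the classic-BPF subset these filters use (ld abs, jeq/jge, ret),
 * reading 32-bit words out of seccomp_data the way the kernel does. */
static uint32_t run_filter(const struct filter *f, const struct seccomp_data *sd) {
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < f->len; pc++) {
        const struct sock_filter *s = &f->insn[pc];
        switch (s->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (s->k + sizeof acc > sizeof *sd) return SECCOMP_RET_KILL;
            memcpy(&acc, (const unsigned char *)sd + s->k, sizeof acc);  /* low word on LE */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == s->k) ? s->jt : s->jf; break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += (acc >= s->k) ? s->jt : s->jf; break;
        case BPF_RET | BPF_K: return s->k;
        default: return SECCOMP_RET_KILL;     /* opcode this toy VM does not model */
        }
    }
    return SECCOMP_RET_KILL;  /* ran off the end; the kernel rejects such programs */
}

/* Constructed demo policy: "--seccomp=unlinkat:ENOENT" plus mount from @default,
 * and "--protocol=unix,inet,inet6". */
static const struct rule demo_rules[] = {
    { SYS_unlinkat, SECCOMP_RET_ERRNO | ENOENT },
    { SYS_mount,    SECCOMP_RET_KILL },
};
static const uint32_t demo_families[] = { AF_UNIX, AF_INET, AF_INET6 };
static void build_demo(struct filter *f) { build_filter(f, demo_rules, 2, demo_families, 3); }

/* Decision for one syscall given its arch, number and first argument. */
static uint32_t decide(const struct filter *f, uint32_t arch, int nr, uint64_t arg0) {
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr; sd.arch = arch; sd.args[0] = arg0;
    return run_filter(f, &sd);
}

int main(void) {
    struct filter f; build_demo(&f);
    printf("unlinkat -> %08x, socket(AF_NETLINK) -> %08x, getpid -> %08x\n",
           decide(&f, AUDIT_ARCH_X86_64, SYS_unlinkat, 0),
           decide(&f, AUDIT_ARCH_X86_64, SYS_socket, AF_NETLINK),
           decide(&f, AUDIT_ARCH_X86_64, SYS_getpid, 0));
    return 0;
}
```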
.TP
\fB\-\-shell=none
Run the program directly, without a user shell.
.br

.br
Example:
.br
$ firejail \-\-shell=none script.sh
.TP
\fB\-\-shell=program
Set the default user shell. Use this shell to run the application using the \-c shell option.
For example "firejail \-\-shell=/bin/dash firefox" will start Mozilla Firefox as "/bin/dash \-c firefox".
By default the Bash shell (/bin/bash) is used. Options such as \-\-zsh and \-\-csh can also set the default
shell.
.br

.br
Example:
.br
$ firejail \-\-shell=/bin/dash script.sh
.TP
\fB\-\-shutdown=name|PID
Shutdown the sandbox identified by name or PID.
.br

.br
Example:
.br
$ firejail \-\-name=mygame \-\-caps.drop=all warzone2100 &
.br
$ firejail \-\-shutdown=mygame
.br

.br
Example:
.br
$ firejail \-\-list
.br
3272:netblue::firejail \-\-private firefox
.br
$ firejail \-\-shutdown=3272
.TP
\fB\-\-timeout=hh:mm:ss
Kill the sandbox automatically after the time has elapsed. The time is specified in hours/minutes/seconds format.
.br

.br
Example:
.br
$ firejail \-\-timeout=01:30:00 firefox
.TP
\fB\-\-tmpfs=dirname
Mount a tmpfs filesystem on directory dirname. This option is available only when running the sandbox as root.
File globbing is supported, see the \fBFILE GLOBBING\fR section for more details.
.br

.br
Example:
.br
# firejail \-\-tmpfs=/var
.TP
\fB\-\-top
Monitor the most CPU-intensive sandboxes, see the \fBMONITORING\fR section for more details.
.br

.br
Example:
.br
$ firejail \-\-top
.TP
\fB\-\-trace
Trace open, access and connect system calls.
.br

.br
Example:
.br
$ firejail \-\-trace wget -q www.debian.org
.br
Reading profile /etc/firejail/wget.profile
.br
3:wget:fopen64 /etc/wgetrc:0x5c8e8ce6c0
.br
3:wget:fopen /etc/hosts:0x5c8e8cfb70
.br
3:wget:socket AF_INET SOCK_DGRAM IPPROTO_IP:3
.br
3:wget:connect 3 8.8.8.8 port 53:0
.br
3:wget:socket AF_INET SOCK_STREAM IPPROTO_IP:3
.br
3:wget:connect 3 130.89.148.14 port 80:0
.br
3:wget:fopen64 index.html:0x5c8e8d1a60
.br

.br
parent is shutting down, bye...
.TP
\fB\-\-tracelog
This option enables auditing of blacklisted files and directories. A message
is sent to syslog in case the file or the directory is accessed.
.br

.br
Example:
.br
$ firejail --tracelog firefox
.br

.br
Sample messages:
.br
$ sudo tail -f /var/log/syslog
.br
[...]
.br
Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow
.br
Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot
.br
[...]
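The syslog lines above are the raw material for monitoring a sandbox. The following added example (not Firejail's own code) parses that message format into its fields and counts violations per path and per sandbox; the sample log is constructed from the two lines shown plus one unrelated syslog line and one line from a second, hypothetical sandbox.

```c
/* Added example, not Firejail's own code: parse the "blacklist violation"
 * messages that --tracelog sends to syslog (format as in the sample above)
 * so an operator can count them per path and per sandbox. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct violation {
    int sandbox;            /* sandbox id as printed by firejail */
    char exe[64];
    char syscall[32];
    char path[256];
};

/* Returns 1 and fills *v when line is a firejail blacklist violation, else 0.
 * The four leading %*s skip the syslog timestamp (month, day, time) and host. */
static int parse_violation(const char *line, struct violation *v) {
    int n = sscanf(line,
        "%*s %*s %*s %*s firejail[%*d]: blacklist violation - sandbox %d, "
        "exe %63[^,], syscall %31[^,], path %255s",
        &v->sandbox, v->exe, v->syscall, v->path);
    return n == 4;
}

/* Number of violations whose path starts with prefix (e.g. "/etc/shadow"). */
static size_t count_path_violations(const char *const *lines, size_t n, const char *prefix) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct violation v;
        if (parse_violation(lines[i], &v) && strncmp(v.path, prefix, strlen(prefix)) == 0)
            hits++;
    }
    return hits;
}

/* Number of distinct sandboxes that produced at least one violation. */
static size_t distinct_sandboxes(const char *const *lines, size_t n) {
    int seen[64];
    size_t nseen = 0;
    for (size_t i = 0; i < n; i++) {
        struct violation v;
        if (!parse_violation(lines[i], &v)) continue;
        size_t j = 0;
        while (j < nseen && seen[j] != v.sandbox) j++;
        if (j == nseen && nseen < 64) seen[nseen++] = v.sandbox;
    }
    return nseen;
}

/* Constructed sample: the two lines from the man page, one unrelated syslog
 * line, and one violation from a second (hypothetical) sandbox. */
static const char *const sample_log[] = {
    "Dec 3 11:43:25 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall open64, path /etc/shadow",
    "Dec 3 11:43:26 debian sshd[812]: Accepted publickey for netblue from 192.0.2.10 port 51234",
    "Dec 3 11:46:17 debian firejail[70]: blacklist violation - sandbox 26370, exe firefox, syscall opendir, path /boot",
    "Dec 3 11:47:02 debian firejail[70]: blacklist violation - sandbox 26391, exe vlc, syscall open64, path /etc/shadow",
};
static const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

int main(void) {
    printf("/etc/shadow violations: %zu\n",
           count_path_violations(sample_log, sample_log_len, "/etc/shadow"));
    printf("sandboxes involved: %zu\n", distinct_sandboxes(sample_log, sample_log_len));
    return 0;
}
```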
.TP
\fB\-\-tree
Print a tree of all sandboxed processes, see the \fBMONITORING\fR section for more details.
.br

.br
Example:
.br
$ firejail \-\-tree
.br
11903:netblue:firejail iceweasel
.br
11904:netblue:iceweasel
.br
11957:netblue:/usr/lib/iceweasel/plugin-container
.br
11969:netblue:firejail \-\-net=eth0 transmission-gtk
.br
11970:netblue:transmission-gtk

.TP
\fB\-\-version
Print program version and exit.
.br

.br
Example:
.br
$ firejail \-\-version
.br
firejail version 0.9.27

.TP
\fB\-\-veth-name=name
Use this name for the interface connected to the bridge for --net=bridge_interface commands,
instead of the default one.
.br

.br
Example:
.br
$ firejail \-\-net=br0 --veth-name=if0

.TP
\fB\-\-whitelist=dirname_or_filename
Whitelist a directory or file. A temporary file system is mounted on the top directory, and the
whitelisted files are bind-mounted inside. Modifications to whitelisted files are persistent,
everything else is discarded when the sandbox is closed. The top directory can be
user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
.br

.br
Symbolic link handling: with the exception of user home, both the link and the real file should be in
the same top directory. For user home, both the link and the real file should be owned by the user.
.br

.br
Example:
.br
$ firejail \-\-noprofile \-\-whitelist=~/.mozilla
.br
$ firejail \-\-whitelist=/tmp/.X11-unix --whitelist=/dev/null
.br
$ firejail "\-\-whitelist=/home/username/My Virtual Machines"

.TP
\fB\-\-writable-etc
Mount the /etc directory read-write.
.br

.br
Example:
.br
$ sudo firejail --writable-etc

.TP
\fB\-\-writable-run-user
Disable the default blacklisting of /run/user/$UID/systemd and /run/user/$UID/gnupg.
.br

.br
Example:
.br
$ sudo firejail --writable-run-user

.TP
\fB\-\-writable-var
Mount the /var directory read-write.
.br

.br
Example:
.br
$ sudo firejail --writable-var

.TP
\fB\-\-writable-var-log
Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of the /var/log
directory, and a skeleton filesystem is created based on the original /var/log.
.br

.br
Example:
.br
$ sudo firejail --writable-var-log

.TP
\fB\-\-x11
Sandbox the application using Xpra, Xephyr, Xvfb or the Xorg security extension.
The sandbox prevents screenshot and keylogger applications started inside the sandbox from accessing
clients running outside the sandbox.
Firejail will first try Xpra, and if Xpra is not installed on the system, it will try to find Xephyr.
If both fail, Firejail will not attempt to use Xvfb or the X11 security extension.
.br

.br
Xpra, Xephyr and Xvfb modes require a network namespace to be instantiated in order to disable
the X11 abstract Unix socket. If this is not possible, the user can disable the abstract socket
by adding "-nolisten local" to the Xorg command line at system level.
.br

.br
Example:
.br
$ firejail \-\-x11 --net=eth0 firefox

.TP
\fB\-\-x11=none
Blacklist the /tmp/.X11-unix directory, ${HOME}/.Xauthority and the file specified in the ${XAUTHORITY} environment variable.
Remove the DISPLAY and XAUTHORITY environment variables.
Stop with an error message if the X11 abstract socket would be accessible in the jail.

.TP
\fB\-\-x11=xephyr
Start Xephyr and attach the sandbox to this server.
Xephyr is a display server implementing the X11 display server protocol.
A network namespace needs to be instantiated in order to deny access to the X11 abstract Unix domain socket.
.br

.br
Xephyr runs in a window just like any other X11 application. The default window size is 800x600.
This can be modified in the /etc/firejail/firejail.config file.
.br

.br
The recommended way to use this feature is to run a window manager inside the sandbox.
A security profile for OpenBox is provided.
.br

.br
Xephyr is developed by the Xorg project. On Debian platforms it is installed with the command \fBsudo apt-get install xserver-xephyr\fR.
This feature is not available when running as root.
.br

.br
Example:
.br
$ firejail \-\-x11=xephyr --net=eth0 openbox

.TP
\fB\-\-x11=xorg
Sandbox the application using the untrusted mode implemented by the X11 security extension.
The extension is available in the Xorg package
and it is installed by default on most Linux distributions. It provides support for a simple trusted/untrusted
connection model. Untrusted clients are restricted in certain ways to prevent them from reading window
contents of other clients, stealing input events, etc.

The untrusted mode has several limitations. A lot of regular programs assume they are trusted X11 clients
and will crash or lock up when run in untrusted mode. The Chromium browser and xterm are two examples.
Firefox and transmission-gtk seem to be working fine.
A network namespace is not required for this option.
.br

.br
Example:
.br
$ firejail \-\-x11=xorg firefox

.TP
\fB\-\-x11=xpra
Start Xpra (https://xpra.org) and attach the sandbox to this server.
Xpra is a persistent remote display server and client for forwarding X11 applications and desktop screens.
A network namespace needs to be instantiated in order to deny access to the X11 abstract Unix domain socket.
.br

.br
On Debian platforms Xpra is installed with the command \fBsudo apt-get install xpra\fR.
This feature is not available when running as root.
.br

.br
Example:
.br
$ firejail \-\-x11=xpra --net=eth0 firefox

.TP
\fB\-\-x11=xvfb
Start an Xvfb X11 server and attach the sandbox to this server.
Xvfb, short for X virtual framebuffer, performs all graphical operations in memory
without showing any screen output. Xvfb is mainly used for remote access and software
testing on headless servers.
.br

.br
On Debian platforms Xvfb is installed with the command \fBsudo apt-get install xvfb\fR.
This feature is not available when running as root.
.br

.br
Example: remote VNC access
.br

.br
On the server we start a sandbox using Xvfb and the openbox
window manager. The default size of the Xvfb screen is 800x600 - it can be changed
in /etc/firejail/firejail.config (xvfb-screen). Some sort of networking (--net) is required
in order to isolate the abstract sockets used by other X servers.
.br

.br
$ firejail --net=none --x11=xvfb openbox
.br

.br
*** Attaching to Xvfb display 792 ***
.br

.br
Reading profile /etc/firejail/openbox.profile
.br
Reading profile /etc/firejail/disable-common.inc
.br
Reading profile /etc/firejail/disable-common.local
.br
Parent pid 5400, child pid 5401
.br

.br
On the server we also start a VNC server and attach it to the display handled by our
Xvfb server (792).
.br

.br
$ x11vnc -display :792
.br

.br
On the client machine we start a VNC viewer and use it to connect to our server:
.br

.br
$ vncviewer
.br

.TP
\fB\-\-xephyr-screen=WIDTHxHEIGHT
Set the screen size for --x11=xephyr. The setting overrides the default set in /etc/firejail/firejail.config
for the current sandbox. Run xrandr to get a list of supported resolutions on your computer.
.br

.br
Example:
.br
$ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
.br

.TP
\fB\-\-zsh
Use /usr/bin/zsh as the default user shell.
.br

.br
Example:
.br
$ firejail \-\-zsh

.SH DESKTOP INTEGRATION
A symbolic link to /usr/bin/firejail under the name of a program will start the program in a Firejail sandbox.
The symbolic link should be placed in the first $PATH position. On most systems, a good place
is the /usr/local/bin directory. Example:
.PP
.RS
.br

.br
Make a firefox symlink to /usr/bin/firejail:
.br

.br
$ ln -s /usr/bin/firejail /usr/local/bin/firefox
.br

.br
Verify the $PATH order:
.br

.br
$ which -a firefox
.br
/usr/local/bin/firefox
.br
/usr/bin/firefox
.br

.br
From this moment on, starting firefox automatically invokes “firejail firefox”.
.RE
.br

.br
This works for clicking on desktop environment icons, menus etc. Use "firejail --tree"
to verify the program is sandboxed.
.PP
.RS
.br

.br
.br
$ firejail --tree
.br
1189:netblue:firejail firefox
.br
1190:netblue:firejail firefox
.br
1220:netblue:/bin/sh -c "/usr/lib/firefox/firefox"
.br
1221:netblue:/usr/lib/firefox/firefox
.RE

We provide a tool that automates all this integration, please see \fBman 1 firecfg\fR for more details.

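The symlink setup above only works when the link is the first $PATH hit; a distribution upgrade or a second package can put another executable of the same name ahead of it, and desktop launchers then start the program unsandboxed. The following shell function is an added example (it is not part of firejail or firecfg) that performs the "which -a" check automatically: it walks a PATH list in order, prints the first hit and succeeds only if that hit is a symbolic link resolving to the firejail binary. The binary path is a parameter so the check can be exercised on a scratch directory tree instead of the real /usr/bin/firejail.

```shell
#!/bin/sh
# Added example; not firejail code and not the firecfg tool.
# Checks that a program name resolves, in $PATH order, to a symlink
# pointing at the firejail binary, which is what the
# "ln -s /usr/bin/firejail /usr/local/bin/firefox" setup relies on.
#
# firejail_wrapper_check PROGRAM FIREJAIL_BIN [PATH_LIST]
#   Prints the first PATH hit for PROGRAM. Returns 0 when that hit is a
#   symbolic link resolving to FIREJAIL_BIN, 1 when PROGRAM is not found
#   or a different executable comes first (launchers would then run the
#   program unsandboxed). PATH_LIST defaults to the current $PATH.
firejail_wrapper_check() {
    prog=$1
    fjbin=$2
    search=${3:-$PATH}
    first=""

    # Walk the search path in order: the first executable wins, exactly
    # as the shell and desktop launchers resolve a command name.
    oldifs=$IFS
    IFS=:
    for dir in $search; do
        if [ -n "$dir" ] && [ -x "$dir/$prog" ]; then
            first="$dir/$prog"
            break
        fi
    done
    IFS=$oldifs

    [ -n "$first" ] || return 1
    printf '%s\n' "$first"

    # The hit must be a symlink and it must resolve to the firejail
    # binary; readlink -f follows chains of links on both sides.
    [ -L "$first" ] || return 1
    [ "$(readlink -f "$first")" = "$(readlink -f "$fjbin")" ]
}
```

On a live system call it as firejail_wrapper_check firefox /usr/bin/firejail; a non-zero exit status means that the path printed is what "firefox" actually starts, and it is not the firejail wrapper.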
.SH FILE GLOBBING
.TP
Globbing is the operation that expands a wildcard pattern into the list of pathnames matching the pattern. Matching is defined by:
.br

.br
- '?' matches any single character
.br
- '*' matches any string
.br
- '[' denotes a set or range of characters, e.g. [1234] or [1-4]
.br
.TP
The globbing feature is implemented using the glibc glob function. For more information on the wildcard syntax see man 7 glob.
.br

.br
.TP
The following command line options support globbing: \-\-blacklist, \-\-private-bin, \-\-noexec, \-\-read-only, \-\-read-write, and \-\-tmpfs.
.br

.br
.TP
Examples:
.br

.br
$ firejail --private-bin=sh,bash,python*
.br
$ firejail --blacklist=~/dir[1234]
.br
$ firejail --read-only=~/dir[1-4]
.br

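Because the pattern is handed to glob(3) while the sandbox is being built, a rule such as --blacklist=~/dir[1234] covers exactly the pathnames that exist at that moment. The helper below is an added example (not firejail code) for previewing that list before a pattern goes into a profile: it uses the shell's own pathname expansion, which follows the same '?', '*' and '[...]' rules, and reports no match rather than the literal pattern when nothing matches. The directory layout used to exercise it is constructed in the usage.

```shell
#!/bin/sh
# Added example, not part of firejail: preview what a wildcard option
# argument such as --blacklist=~/dir[1234] or --private-bin=python*
# expands to. Firejail passes the argument to glob(3); the shell's
# pathname expansion below applies the same ?, * and [...] rules.

# glob_expand PATTERN
#   Prints every existing pathname matching PATTERN, one per line, and
#   nothing at all when there is no match. The argument is deliberately
#   left unquoted so that the shell performs the expansion; patterns
#   containing whitespace are not supported by this helper.
glob_expand() {
    for p in $1; do
        # An unmatched pattern is left in place verbatim by the shell;
        # skip it unless a path of that literal name really exists.
        [ -e "$p" ] || [ -L "$p" ] || continue
        printf '%s\n' "$p"
    done
}

# glob_count PATTERN -> number of matching pathnames (0 when none)
glob_count() {
    glob_expand "$1" | wc -l | tr -d ' '
}
```

Running glob_count against the same pattern before and after creating a matching directory shows why a sandbox started earlier does not cover the new path: the expansion is a snapshot taken at sandbox start, and paths created afterwards need either an explicit rule or a sandbox restart.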
.SH APPARMOR
.TP
AppArmor support is disabled by default at compile time. Use the --enable-apparmor configuration option to enable it:
.br

.br
$ ./configure --prefix=/usr --enable-apparmor
.TP
During software install, a generic AppArmor profile file, firejail-default, is placed in the /etc/apparmor.d directory. The profile needs to be loaded into the kernel by running the following command as root:
.br

.br
# aa-enforce firejail-default
.TP
The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:
.br

.br
- Prevent information leakage in the /proc and /sys directories. The resulting filesystem is barely enough for running
commands such as "top" and "ps aux".
.br

.br
- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running
programs and scripts from the user's home or other directories writable by the user is not allowed.
.br

.br
- Allow access to files only in the following standard directories: /bin, /dev, /etc, /home, /lib*, /media, /mnt, /opt,
/proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr, and /var
.br

.br
- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway.
You should have no problems running Chromium or Firefox. This feature is available only on Ubuntu kernels.

.TP
To enable AppArmor confinement on top of your current Firejail security features, pass the \fB\-\-apparmor\fR flag on the Firejail command line. You can also include the \fBapparmor\fR command in a Firejail profile file. Example:
.br

.br
$ firejail --apparmor firefox

.SH FILE TRANSFER
These features allow the user to inspect the filesystem container of an existing sandbox
and transfer files between the container and the host filesystem.

.TP
\fB\-\-get=name|pid filename
Retrieve the container file and store it on the host in the current working directory.
The container is specified by name or PID.

.TP
\fB\-\-ls=name|pid dir_or_filename
List container files. The container is specified by name or PID.

.TP
\fB\-\-put=name|pid src-filename dest-filename
Put src-filename from the host into the sandbox container as dest-filename.
The container is specified by name or PID.

.TP
Examples:
.br

.br
$ firejail \-\-name=mybrowser --private firefox
.br

.br
$ firejail \-\-ls=mybrowser ~/Downloads
.br
drwxr-xr-x netblue netblue 4096 .
.br
drwxr-xr-x netblue netblue 4096 ..
.br
-rw-r--r-- netblue netblue 7847 x11-x305.png
.br
-rw-r--r-- netblue netblue 6800 x11-x642.png
.br
-rw-r--r-- netblue netblue 34139 xpra-clipboard.png
.br

.br
$ firejail \-\-get=mybrowser ~/Downloads/xpra-clipboard.png
.br

.br
$ firejail \-\-put=mybrowser xpra-clipboard.png ~/Downloads/xpra-clipboard.png
.br

.SH TRAFFIC SHAPING
Network bandwidth is an expensive resource shared among all sandboxes running on a system.
Traffic shaping allows the user to increase network performance by controlling
the amount of data that flows into and out of the sandboxes.

Firejail implements a simple rate-limiting shaper based on the Linux tc command.
The shaper works at sandbox level, and can be used only for sandboxes configured with new network namespaces.

Set rate-limits:

$ firejail --bandwidth=name|pid set network download upload

Clear rate-limits:

$ firejail --bandwidth=name|pid clear network

Status:

$ firejail --bandwidth=name|pid status

where:
.br
name - sandbox name
.br
pid - sandbox pid
.br
network - network interface as used by the \-\-net option
.br
download - download speed in KB/s (kilobytes per second)
.br
upload - upload speed in KB/s (kilobytes per second)

Example:
.br
$ firejail \-\-name=mybrowser \-\-net=eth0 firefox &
.br
$ firejail \-\-bandwidth=mybrowser set eth0 80 20
.br
$ firejail \-\-bandwidth=mybrowser status
.br
$ firejail \-\-bandwidth=mybrowser clear eth0

.SH AUDIT
The audit feature allows the user to point out gaps in security profiles. The
implementation replaces the program to be sandboxed with a test program. By
default, we use the faudit program distributed with Firejail. A custom test program
can also be supplied by the user. Examples:

Running the default audit program:
.br
$ firejail --audit transmission-gtk

Running a custom audit program:
.br
$ firejail --audit=~/sandbox-test transmission-gtk

In the examples above, the sandbox applies the transmission-gtk profile and
starts the test program. The real program, transmission-gtk, will not be
started.

Limitations: the audit feature is not implemented for --x11 commands.

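A custom test program for --audit can be as small as a shell script that probes the paths a profile is meant to hide. The script below is an added example of such a program; it is not the faudit tool shipped with Firejail. Started inside the sandbox in place of the real program, it reports which sensitive locations are still reachable. The list of default paths is an assumption made for this example, and the script treats a path as blocked when it is missing or empty, because a blacklisted path is normally covered by an empty read-only placeholder rather than removed.

```shell
#!/bin/sh
# Added example; not the faudit program shipped with firejail. A small
# custom audit script of the kind that can be supplied with --audit=PATH.
# Run inside the sandbox instead of the real program, it reports which
# sensitive paths the profile still leaves reachable.
#
# A path counts as reachable only when it has content: a blacklisted
# path is usually covered by an empty read-only placeholder, so an empty
# file or an empty directory is reported as blocked.

# audit_path PATH -> prints "PATH: reachable" or "PATH: blocked";
#                    returns 0 when blocked, 1 when reachable
audit_path() {
    p=$1
    reachable=0
    if [ -d "$p" ]; then
        # a directory is reachable if at least one entry can be listed
        if [ -n "$(ls -A "$p" 2>/dev/null)" ]; then reachable=1; fi
    elif [ -r "$p" ] && [ -s "$p" ]; then
        # a regular file is reachable if it is readable and non-empty
        reachable=1
    fi
    if [ "$reachable" = 1 ]; then
        printf '%s: reachable\n' "$p"
        return 1
    fi
    printf '%s: blocked\n' "$p"
    return 0
}

# audit_report PATH... -> one line per path plus a summary line; the
#   return status is the number of reachable paths, so 0 means no gaps
audit_report() {
    gaps=0
    for p in "$@"; do
        if ! audit_path "$p"; then gaps=$((gaps + 1)); fi
    done
    printf 'gaps found: %d\n' "$gaps"
    return "$gaps"
}

# Locations a desktop application rarely needs (assumed list; adjust it).
DEFAULT_AUDIT_PATHS="$HOME/.ssh $HOME/.gnupg $HOME/.bash_history /etc/shadow /etc/sudoers"

# When saved as ~/sandbox-test and started through --audit=~/sandbox-test,
# report on the default list. Word-splitting of DEFAULT_AUDIT_PATHS is
# intended; the entries contain no spaces.
case $0 in
    */sandbox-test) audit_report $DEFAULT_AUDIT_PATHS ;;
esac
```

Save it as ~/sandbox-test, make it executable and run firejail --audit=~/sandbox-test transmission-gtk: every "reachable" line is a candidate for a blacklist or private-* rule in the transmission-gtk profile.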
.SH MONITORING
Option \-\-list prints a list of all sandboxes. The format
for each process entry is as follows:

PID:USER:Sandbox Name:Command

Option \-\-tree prints the tree of processes running in the sandbox. The format
for each process entry is as follows:

PID:USER:Sandbox Name:Command

Option \-\-top is similar to the UNIX top command, however it applies only to
sandboxes.

Option \-\-netstats prints network statistics for active sandboxes that install new network namespaces.

Listed below are the available fields (columns) in alphabetical
order for the \-\-top and \-\-netstats options:

.TP
Command
Command used to start the sandbox.
.TP
CPU%
CPU usage, the sandbox share of the elapsed CPU time since the
last screen update
.TP
PID
Unique process ID for the task controlling the sandbox.
.TP
Prcs
Number of processes running in the sandbox, including the controlling process.
.TP
RES
Resident Memory Size (KiB), sandbox non-swapped physical memory.
It is the sum of the RES values for all processes running in the sandbox.
.TP
RX(KB/s)
Network receive speed.
.TP
Sandbox Name
The name of the sandbox, if any.
.TP
SHR
Shared Memory Size (KiB), it reflects memory shared with other
processes. It is the sum of the SHR values for all processes running
in the sandbox, including the controlling process.
.TP
TX(KB/s)
Network transmit speed.
.TP
Uptime
Sandbox running time in hours:minutes:seconds format.
.TP
USER
The owner of the sandbox.

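The PID:USER:Sandbox Name:Command records printed by --list are what scripts use to address a running sandbox, since --ls, --get, --put and --bandwidth all accept a name or a PID. The helpers below are an added example, not firejail code, that split those records correctly: only the first three fields are separated on ':', because the command field may itself contain colons. The listing they operate on is constructed for the example; on a live system pass "$(firejail --list)" instead.

```shell
#!/bin/sh
# Added example; not firejail code. Helpers for the PID:USER:Sandbox
# Name:Command records printed by "firejail --list", so that a sandbox's
# PID can be looked up by name and handed to options taking name|pid
# (--ls, --get, --put, --bandwidth).

# Constructed sample output; on a live system use "$(firejail --list)".
SAMPLE_LIST='1189:netblue:mybrowser:firejail --name=mybrowser --net=eth0 firefox
2345:netblue::firejail --net=none vlc
3001:netblue:notes:firejail --name=notes gedit /home/netblue/todo:today.txt'

# sandbox_pid LIST NAME -> prints the PID of the sandbox named NAME;
#   returns 1 when no sandbox of that name is listed. Only the first
#   three fields are split on ":", because the command may contain colons.
sandbox_pid() {
    name=$2
    [ -n "$name" ] || return 1   # unnamed sandboxes cannot be addressed by name
    found=""
    while IFS= read -r line; do
        pid=${line%%:*}
        rest=${line#*:}          # USER:Sandbox Name:Command
        rest=${rest#*:}          # Sandbox Name:Command
        if [ "${rest%%:*}" = "$name" ]; then
            found=$pid
            break
        fi
    done <<EOF
$1
EOF
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# sandbox_command LIST PID -> prints the full command field for PID,
#   colons included; returns 1 when PID is not listed.
sandbox_command() {
    while IFS= read -r line; do
        if [ "${line%%:*}" = "$2" ]; then
            rest=${line#*:}
            rest=${rest#*:}
            rest=${rest#*:}
            printf '%s\n' "$rest"
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# sandbox_count LIST -> number of sandbox entries in the listing
sandbox_count() {
    printf '%s\n' "$1" | grep -c '^[0-9][0-9]*:'
}
```

With these, "firejail --bandwidth=$(sandbox_pid "$(firejail --list)" mybrowser) status" addresses the sandbox by PID even when several sandboxes are running, and a non-zero status from sandbox_pid tells a script that the named sandbox is not running rather than letting an empty argument reach firejail.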
.SH SECURITY PROFILES
Several command line options can be passed to the program using
profile files. Firejail chooses the profile file as follows:

1. If a profile file is provided by the user with the --profile option, that profile file is loaded.
Example:
.PP
.RS
$ firejail --profile=/home/netblue/icecat.profile icecat
.br
Reading profile /home/netblue/icecat.profile
.br
[...]
.RE

2. If a profile file with the same name as the application is present in the ~/.config/firejail directory or
in /etc/firejail, the profile is loaded. ~/.config/firejail takes precedence over /etc/firejail. Example:
.PP
.RS
$ firejail icecat
.br
Command name #icecat#
.br
Found icecat profile in /home/netblue/.config/firejail directory
.br
Reading profile /home/netblue/.config/firejail/icecat.profile
.br
[...]
.RE

3. Use the default.profile file if the sandbox
is started by a regular user, or the server.profile file if the sandbox
is started by root. Firejail looks for these files in the ~/.config/firejail directory, followed by the /etc/firejail directory.
To disable default profile loading, use the --noprofile command option. Example:
.PP
.RS
$ firejail
.br
Reading profile /etc/firejail/default.profile
.br
Parent pid 8553, child pid 8554
.br
Child process initialized
.br
[...]
.br

.br
$ firejail \-\-noprofile
.br
Parent pid 8553, child pid 8554
.br
Child process initialized
.br
[...]
.RE

See man 5 firejail-profile for profile file syntax information.

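The three lookup rules above decide which restrictions a sandbox actually gets, so it pays to know in advance which file wins for a given program and user. The function below is an added example (not firejail's own lookup code) that reproduces the documented order: an explicit --profile path first, then NAME.profile in the user directory and then the system directory, then default.profile or server.profile depending on whether root starts the sandbox. The user and system directories are parameters standing in for ~/.config/firejail and /etc/firejail so the function can be tried on a scratch tree; treating a missing --profile file as an error rather than a fallback is an assumption of this example.

```shell
#!/bin/sh
# Added example, not firejail code: reproduce the documented profile
# lookup order so it can be checked against a directory layout.
#
# resolve_profile NAME USER_DIR SYSTEM_DIR IS_ROOT [EXPLICIT]
#   NAME        program name (e.g. icecat)
#   USER_DIR    stands in for ~/.config/firejail
#   SYSTEM_DIR  stands in for /etc/firejail
#   IS_ROOT     1 when the sandbox is started by root, 0 otherwise
#   EXPLICIT    optional path given with --profile=
#   Prints the profile file that would be read; returns 1 when no
#   candidate exists (the state --noprofile also produces).
resolve_profile() {
    name=$1; userdir=$2; sysdir=$3; is_root=$4; explicit=${5:-}

    # 1. --profile= wins outright. A missing file is treated as an
    #    error here (assumption of this example), not as a fallback.
    if [ -n "$explicit" ]; then
        [ -f "$explicit" ] || return 1
        printf '%s\n' "$explicit"
        return 0
    fi

    # 2. A profile named after the program, user directory first.
    for dir in "$userdir" "$sysdir"; do
        if [ -f "$dir/$name.profile" ]; then
            printf '%s\n' "$dir/$name.profile"
            return 0
        fi
    done

    # 3. default.profile for regular users, server.profile for root,
    #    again searching the user directory before the system one.
    if [ "$is_root" = 1 ]; then
        fallback=server.profile
    else
        fallback=default.profile
    fi
    for dir in "$userdir" "$sysdir"; do
        if [ -f "$dir/$fallback" ]; then
            printf '%s\n' "$dir/$fallback"
            return 0
        fi
    done
    return 1
}
```

A typical use is resolve_profile firefox ~/.config/firejail /etc/firejail 0, which shows whether a local copy in ~/.config/firejail is silently shadowing the packaged profile; rule 2 means a user-writable file can replace the system profile for that program, which is worth remembering when reviewing a shared machine.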
.SH RESTRICTED SHELL
To configure a restricted shell, replace /bin/bash with /usr/bin/firejail in
the /etc/passwd file for each user that needs to be restricted. Alternatively,
you can specify /usr/bin/firejail in the adduser command:

adduser \-\-shell /usr/bin/firejail username

Additional arguments passed to the firejail executable upon login are declared in the /etc/firejail/login.users file.

.SH EXAMPLES
.TP
\fBfirejail
Sandbox a regular /bin/bash session.
.TP
\fBfirejail firefox
Start Mozilla Firefox.
.TP
\fBfirejail \-\-debug firefox
Debug the Firefox sandbox.
.TP
\fBfirejail \-\-private firefox
Start Firefox with a new, empty home directory.
.TP
\fBfirejail --net=none vlc
Start VLC in an unconnected network namespace.
.TP
\fBfirejail \-\-net=eth0 firefox
Start Firefox in a new network namespace. An IP address is
assigned automatically.
.TP
\fBfirejail \-\-net=br0 \-\-ip=10.10.20.5 \-\-net=br1 \-\-net=br2
Start a /bin/bash session in a new network namespace and connect it
to the br0, br1, and br2 host bridge devices. IP addresses are assigned
automatically for the interfaces connected to br1 and br2.
.TP
\fBfirejail \-\-list
List all sandboxed processes.
.SH LICENSE
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
.PP
Homepage: https://firejail.wordpress.com
.SH SEE ALSO
\&\fIfiremon\fR\|(1),
\&\fIfirecfg\fR\|(1),
\&\fIfirejail-profile\fR\|(5),
\&\fIfirejail-login\fR\|(5)