When to use overrides
Use an override if you would like to modify a profile. Modifying a profile file (.profile) in /etc/firejail is discouraged. Changes will be overwritten when you update Firejail. This does not apply to .local files.
You may want to use parameters instead if your change is temporary.
firejail --net=none --x11=xephyr vlc
How to use overrides
Create ~/.config/firejail if it does not exist. If you would like to add a globally available override, place the file in /etc/firejail instead.
The override file has to be named appropriately. If you want to create an override for firefox.profile, the override file has to be firefox.local.
Use globals.local to affect every profile.
Common overrides
Disallow network access for an application
net none
Allow access to a file or directory
whitelist ~/MyPictures
noblacklist ~/MyPictures
whitelist /mydisk/videos
noblacklist /mydisk/videos
whitelist /srv/myimportant.file
noblacklist /srv/myimportant.file
IMPORTANT: Do NOT use whitelist for non-whitelisting profiles. It will break the profile.
If a profile or any of its includes do not contain any whitelist ${HOME}/… or include whitelist-common.inc statements, it is not a whitelisting profile and will break.
This happens because whitelist statements affecting /home will make everything in /home inaccessible except the whitelisted paths.
Disallow access to a file or directory
nowhitelist ~/MyPictures
blacklist ~/MyPictures
nowhitelist /mydisk/videos
blacklist /mydisk/videos
nowhitelist /srv/myimportant.file
blacklist /srv/myimportant.file
If the profile does not contain include whitelist-common.inc, the file or directory will still be visible but not accessible.
Ignore a specific directive
ignore nou2f
ignore net