man firejail

man(1)                         firejail man page                        man(1)

       Firejail - Linux namespaces sandbox program

       firejail [options] [program and arguments]

       Firejail  is  a  SUID sandbox program that reduces the risk of security
       breaches by restricting the running environment of  untrusted  applica‐
       tions using Linux namespaces. It includes a sandbox profile for Mozilla

       Firejail also expands the restricted shell facility found  in  bash  by
       adding  Linux  namespace support. It supports sandboxing specific users
       upon login.

       Without any options, the sandbox consists of a filesystem chroot  built
       from  the current system directories mounted read-only, and new PID and
       IPC namespaces.  If no program is specified as an  argument,  /bin/bash
       is started by default in the sandbox.

       -c     Execute command and exit.

              Chroot into dirname directory.

       --csh  Use /bin/csh as default user shell.

              Print debug messages.

              Use  this  address  as default gateway in the new network names‐

       -?, --help
              Print options and exit.

              Use this IP address in the new network namespace.

              Join the sandbox of the specified process.

       --list List all sandboxed processes.

              Set sandbox hostname.

              Enable a new network namespace and connect  it  to  this  bridge
              device.   Unless  specified with option --ip and --defaultgw, an
              IP address and a default gateway will be assigned  automatically
              to  the  sandbox.  The  IP  address  is checked using ARP before
              assignment. The IP address assigned as default  gateway  is  the
              bridge device IP address. Up to four --net bridge devices can be

       --noip No IP address and no default gateway are configured in  the  new
              network namespace. Use this option in case you intend to start a
              DHCP client in the sandbox.

              Enable a new, unconnected network namespace.

              Mount a filesystem overlay on top  of  the  current  filesystem.
              OverlayFS support is required in Linux kernel for this option to

              Mount new /tmp, /root and /home/user directories.

              Use a custom profile, see below.

              Enable seccomp filter.

       --top  Monitor the most CPU-intensive sandboxes.

              Print program version and exit.

       --zsh  Use /usr/bin/zsh as default user shell.

       Option --list prints the tree of processes running in the sandbox.  The
       format for each process entry is as follows:


       Option  --top  is  similar  to the UNIX top command, however it applies
       only to sandboxes. Listed below are the available fields  (columns)  in
       alphabetical order:

              Command used to start the sandbox.

       CPU%   CPU  usage,  the sandbox share of the elapsed CPU time since the
              last screen update

       PID    Unique process ID for the task controlling the sandbox.

       Prcs   Number of processes running in sandbox, including  the  control‐
              ling process.

       RES    Resident Memory Size (KiB), sandbox non-swapped physical memory.
              It is a sum of the RES values for all processes running  in  the

       SHR    Shared  Memory  Size (KiB), it reflects memory shared with other
              processes. It is a sum of the SHR values for all processes  run‐
              ning in the sandbox, including the controlling process.

       Uptime Sandbox running time in hours:minutes:seconds format.

       User   The owner of the sandbox.

       The profile files define a chroot filesystem built on top of the exist‐
       ing host filesystem. Each line describes a file element that is removed
       from  the  filesystem (blacklist), a read-only file or directory (read-
       only), or a tmpfs mounted on top  of  an  existing  directory  (tmpfs).

       # this is a comment

       blacklist /usr/bin
              Remove /usr/bin directory.

       blacklist /etc/passwd
              Remove /etc/passwd file.

       read-only /etc/passwd
              Read-only /etc/passwd file.

       tmpfs /etc
              Mount an empty tmpfs filesystem on top of /etc directory.

       File globbing is supported, and PATH and HOME directories are searched:

       blacklist /usr/bin/gcc*
              Remove all gcc files in /usr/bin (file globbing).

       blacklist ${PATH}/ifconfig
              Remove ifconfig from the regular path directories.

       blacklist ${HOME}/.ssh
              Remove .ssh directory from user home directory.

       Default  Firejail  profile files are stored in /etc/firejail directory,
       user profile files are  stored  in  ~/.config/firejail  directory.  See
       /etc/firejail/firefox.profile for more examples.
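
       Added example, not part of the Firejail man page or of Firejail's own
       code: a Python audit helper that expands profile entries as described
       above (file globbing, ${PATH}, ${HOME}) and reports entries that match
       nothing, since such a line restricts nothing. The use of Python's glob
       only approximates Firejail's expansion; resolve_profile, unmatched,
       demo and the sample directory tree are constructed for illustration.

```python
import glob
import os
import tempfile

KEYWORDS = ("blacklist", "read-only", "tmpfs")  # entry types named in the man page

def resolve_profile(text, home, path_dirs):
    """Return (keyword, pattern, [matching paths]) for every profile entry."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in KEYWORDS:
            raise ValueError(f"line {lineno}: unrecognised entry {raw!r}")
        keyword, pattern = parts
        if pattern.startswith("${PATH}"):         # try every search-path directory
            candidates = [d + pattern[len("${PATH}"):] for d in path_dirs]
        elif pattern.startswith("${HOME}"):
            candidates = [home + pattern[len("${HOME}"):]]
        else:
            candidates = [pattern]
        matches = sorted({m for c in candidates for m in glob.glob(c)})
        results.append((keyword, pattern, matches))
    return results

def unmatched(results):
    """Patterns that matched no file: these entries have no effect."""
    return [pattern for _, pattern, matches in results if not matches]

def demo():
    """Resolve a constructed profile against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("usr/bin", "sbin", "home/alice/.ssh", "etc"):
            os.makedirs(os.path.join(root, d))
        for f in ("usr/bin/gcc", "usr/bin/gcc-ar", "sbin/ifconfig", "etc/passwd"):
            open(os.path.join(root, f), "w").close()
        profile = "\n".join([
            "# constructed sample profile",
            f"blacklist {root}/usr/bin/gcc*",
            "blacklist ${PATH}/ifconfig",
            "blacklist ${HOME}/.ssh",
            f"read-only {root}/etc/password",     # deliberately misspelled path
        ])
        res = resolve_profile(profile, f"{root}/home/alice",
                              [f"{root}/usr/bin", f"{root}/sbin"])
        # Strip the temporary root so the output is stable between runs.
        return [(k, p.replace(root, ""), [m.replace(root, "") for m in ms])
                for k, p, ms in res]

if __name__ == "__main__":
    print(*demo(), "unmatched: %s" % unmatched(demo()), sep="\n")
```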

       To configure a restricted shell, replace /bin/bash with /usr/bin/firejail
       in the /etc/passwd file for each user that needs to be restricted.
       Alternatively, you can specify /usr/bin/firejail in the adduser command:

       adduser --shell /usr/bin/firejail username

       Additional  arguments  passed  to  firejail  executable  upon login are
       declared in /etc/firejail/login.users file.

              Start a regular /bin/bash session in sandbox.

       firejail firefox
              Start Mozilla Firefox.

       firejail --debug firefox
              Debug Firefox sandbox.

       firejail --private
              Start a /bin/bash session with a new tmpfs home directory.

       firejail --net=br0 ip=
              Start a /bin/bash session in a new network namespace.  The  ses‐
              sion  is  connected to the main network using br0 bridge device.
              An IP address of is assigned to the sandbox.

       firejail --net=br0 --net=br1 --net=br2
              Start a /bin/bash session in a new network namespace and connect
              it to br0, br1, and br2 host bridge devices.

       firejail --list
              List all sandboxed processes.

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published  by  the
       Free  Software Foundation; either version 2 of the License, or (at your
       option) any later version.



0.9.8                              Jul 2014                             man(1)
