man firejail

man(1)                         firejail man page                        man(1)



NAME
       Firejail - Linux namespaces sandbox program

SYNOPSIS
       firejail [options] [program and arguments]

DESCRIPTION
       Firejail is a SUID sandbox program that reduces the risk of security
       breaches by restricting the running environment of untrusted
       applications using Linux namespaces. It includes a sandbox profile for
       Mozilla Firefox.

       Firejail also expands the restricted shell facility found  in  bash  by
       adding  Linux  namespace support. It supports sandboxing specific users
       upon login.

USAGE
       Without any options, the sandbox consists of a filesystem chroot built
       from the current system directories mounted read-only, and new PID and
       IPC namespaces. If no program is specified as an argument, /bin/bash
       is started by default in the sandbox.

OPTIONS
       -c     Execute command and exit.

       --chroot=dirname
              Chroot into dirname directory.

       --csh  Use /bin/csh as default user shell.

       --debug
              Print debug messages.

       --defaultgw=address
              Use this address as default gateway in the new network
              namespace.

       -?, --help
              Print options and exit.

       --ip=address
              Use this IP address in the new network namespace.

       --join=name
              Join the sandbox started using --name option.

       --join=pid
              Join the sandbox specified by pid. Use --list option  to  get  a
              list of all active sandboxes.

       --list List all sandboxes.

       --name=name
              Set sandbox hostname.

       --net=bridgename
              Enable  a  new  network  namespace and connect it to this bridge
              device. Unless specified with options --ip and --defaultgw, an
              IP  address and a default gateway will be assigned automatically
              to the sandbox. The IP  address  is  checked  using  ARP  before
              assignment.  The  IP  address assigned as default gateway is the
              bridge device IP address. Up to four --net bridge devices can be
              defined.

       --noip No  IP  address and no default gateway are configured in the new
              network namespace. Use this option in case you intend to start a
              DHCP client in the sandbox.

       --net=none
              Enable a new, unconnected network namespace.

       --overlay
              Mount  a  filesystem  overlay  on top of the current filesystem.
              OverlayFS support is required in Linux kernel for this option to
              work.

       --private
              Mount new /tmp, /root and /home/user directories.

       --profile=filename
              Use a custom profile, see below.

       --shutdown=name
              Shutdown the sandbox started using --name option.

       --shutdown=pid
              Shutdown  the sandbox specified by pid. Use --list option to get
              a list of all active sandboxes.

       --seccomp
              Enable seccomp filter.

       --top  Monitor the most CPU-intensive sandboxes.

       --tree Print a tree of all sandboxed processes.

       --version
              Print program version and exit.

       --zsh  Use /usr/bin/zsh as default user shell.


MONITORING
       Option --list prints a list of all sandboxes. The format for each
       process entry is as follows:

            PID:USER:Command

       Option  --tree prints the tree of processes running in the sandbox. The
       format for each process entry is as follows:

            PID:USER:Command

       Option --top is similar to the UNIX top  command,  however  it  applies
       only  to  sandboxes. Listed below are the available fields (columns) in
       alphabetical order:


       Command
              Command used to start the sandbox.

       CPU%   CPU usage, the sandbox share of the elapsed CPU time since the
              last screen update.

       PID    Unique process ID for the task controlling the sandbox.

       Prcs   Number of processes running in sandbox, including the
              controlling process.

       RES    Resident Memory Size (KiB), sandbox non-swapped physical memory.
              It  is  a sum of the RES values for all processes running in the
              sandbox.

       SHR    Shared Memory Size (KiB), it reflects memory shared with other
              processes. It is a sum of the SHR values for all processes
              running in the sandbox, including the controlling process.

       Uptime Sandbox running time in hours:minutes:seconds format.

       User   The owner of the sandbox.
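
       An audit of running sandboxes built on the --list entry format above,
       as an added example that is not part of the original man page or the
       Firejail project. It counts only options placed before the program
       name, following the SYNOPSIS; the function names and sample entries
       are constructed.

```shell
# Added example, not Firejail project code; function names are hypothetical.
# sandboxes_missing_opt OPTION: read --list entries (PID:USER:Command) on
# stdin and print "PID USER" for each sandbox started without OPTION.
sandboxes_missing_opt() {
    sm_opt=$1
    # Only the first two colons separate fields; the command may hold more.
    while IFS=: read -r sm_pid sm_user sm_cmd || [ -n "$sm_pid" ]; do
        case $sm_pid in ''|*[!0-9]*) continue ;; esac   # not an entry line
        sm_found=0
        set -f; set -- $sm_cmd; set +f    # split into words without globbing
        if [ $# -gt 0 ]; then shift; fi   # drop the leading "firejail"
        for sm_word in "$@"; do
            case $sm_word in
                "$sm_opt"|"$sm_opt"=*) sm_found=1 ;;
                -*) ;;       # another firejail option
                *) break ;;  # program name: later words are its arguments
            esac
        done
        [ "$sm_found" -eq 1 ] || echo "$sm_pid $sm_user"
    done
}

# Constructed --list output; it assumes each command starts with "firejail".
sample_list() {
    cat <<'EOF'
1201:alice:firejail --seccomp --private firefox
1340:bob:firejail firefox --private
1422:carol:firejail --net=br0 --ip=10.10.20.10 sh -c "echo a:b"
EOF
}

# On a live system: firejail --list | sandboxes_missing_opt --private
sample_list | sandboxes_missing_opt --private
```

       The second entry is reported because its --private follows the
       program name and is therefore an argument to firefox, not to firejail.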



PROFILES
       The profile files define a chroot filesystem built on top of the
       existing host filesystem. Each line describes a file element that is
       removed from the filesystem (blacklist), a read-only file or directory
       (read-only), or a tmpfs mounted on top of an existing directory
       (tmpfs). Examples:

       # this is a comment

       blacklist /usr/bin
              Remove /usr/bin directory.

       blacklist /etc/passwd
              Remove /etc/passwd file.

       read-only /etc/passwd
              Read-only /etc/passwd file.

       tmpfs /etc
              Mount an empty tmpfs filesystem on top of /etc directory.

       File globbing is supported, and PATH and HOME directories are searched:

       blacklist /usr/bin/gcc*
              Remove all gcc files in /usr/bin (file globbing).

       blacklist ${PATH}/ifconfig
              Remove ifconfig from the regular path directories.

       blacklist ${HOME}/.ssh
              Remove .ssh directory from user home directory.

       Default Firejail profile files are stored in  /etc/firejail  directory,
       user  profile  files  are  stored  in ~/.config/firejail directory. See
       /etc/firejail/firefox.profile for more examples.
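
       A pre-deployment check for profile files, as an added example that is
       not part of the original man page or the Firejail project. It accepts
       only the three directives documented above and verifies that required
       paths are blacklisted; the function names and the sample profile are
       constructed.

```shell
# Added example, not Firejail project code; function names are hypothetical.
# lint_profile FILE: print "LINE: problem" per bad line; return 1 if any.
lint_profile() {
    lp_rc=0; lp_n=0
    # read puts the directive in lp_dir and the rest of the line in lp_path.
    while read -r lp_dir lp_path || [ -n "$lp_dir" ]; do
        lp_n=$((lp_n + 1))
        case $lp_dir in
            ''|'#'*) continue ;;             # blank line or comment
            blacklist|read-only|tmpfs) ;;    # directives documented above
            *) echo "$lp_n: unknown directive '$lp_dir'"; lp_rc=1; continue ;;
        esac
        case $lp_path in
            '') echo "$lp_n: $lp_dir has no path"; lp_rc=1 ;;
            /*|'${HOME}'|'${HOME}'/*|'${PATH}'/*) ;;   # absolute or searched
            *) echo "$lp_n: path '$lp_path' is not absolute"; lp_rc=1 ;;
        esac
    done < "$1"
    return "$lp_rc"
}

# missing_blacklist FILE PATH...: print each PATH with no "blacklist PATH" line.
missing_blacklist() {
    mb_file=$1; shift; mb_rc=0
    for mb_want in "$@"; do
        mb_found=0
        while read -r mb_dir mb_path || [ -n "$mb_dir" ]; do
            if [ "$mb_dir" = blacklist ] && [ "$mb_path" = "$mb_want" ]; then mb_found=1; fi
        done < "$mb_file"
        [ "$mb_found" -eq 1 ] || { echo "$mb_want"; mb_rc=1; }
    done
    return "$mb_rc"
}

# Constructed sample profile; the quoted 'EOF' keeps ${HOME} literal.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed profile for an untrusted application
blacklist ${HOME}/.ssh
blacklist /usr/bin/gcc*
read-only /etc/passwd
whitelist ${HOME}/Downloads
blacklist .gnupg
read-only
EOF
lint_profile "$sample" || echo "profile rejected"
missing_blacklist "$sample" '${HOME}/.ssh' '${HOME}/.gnupg' || echo "required paths missing"
```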

RESTRICTED SHELL
       To configure a restricted shell, replace /bin/bash with
       /usr/bin/firejail in /etc/passwd file for each user that needs to be
       restricted. Alternatively, you can specify /usr/bin/firejail in adduser
       command:

       adduser --shell /usr/bin/firejail username

       Additional arguments passed  to  firejail  executable  upon  login  are
       declared in /etc/firejail/login.users file.


EXAMPLES
       firejail
              Start a regular /bin/bash session in sandbox.

       firejail firefox
              Start Mozilla Firefox.

       firejail --debug firefox
              Debug Firefox sandbox.

       firejail --private
              Start a /bin/bash session with a new tmpfs home directory.

       firejail --net=br0 --ip=10.10.20.10
              Start a /bin/bash session in a new network namespace. The
              session is connected to the main network using br0 bridge
              device. An IP address of 10.10.20.10 is assigned to the sandbox.

       firejail --net=br0 --net=br1 --net=br2
              Start a /bin/bash session in a new network namespace and connect
              it to br0, br1, and br2 host bridge devices.

       firejail --list
              List all sandboxed processes.

LICENSE
       This program is free software; you can redistribute it and/or modify it
       under  the  terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at  your
       option) any later version.

       Homepage: http://firejail.sourceforge.net

SEE ALSO
       firemon(1)






0.9.10                             Aug 2014                             man(1)
