man(1) firejail man page man(1)
Firejail - Linux namespaces sandbox program
firejail [options] [program and arguments]
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted applications
using Linux namespaces. It includes a sandbox profile for Mozilla
Firejail also expands the restricted shell facility found in bash by
adding Linux namespace support. It supports sandboxing specific users
Without any options, the sandbox consists of a filesystem chroot built
from the current system directories mounted read-only, and new PID and
IPC namespaces (the IPC namespace is created by default only when the
sandbox is started as root; see below). If no program is specified as an
argument, /bin/bash is started by default in the sandbox.
Mount-bind dirname1 on top of dirname2. This option is only
available when running as root.
Mount-bind filename1 on top of filename2. This option is only
available when running as root.
Blacklist directory or file.
-c Execute command and exit.
--caps Enable default Linux capabilities filter. The filter disables
CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE,
CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.
Drop all capabilities.
Blacklist Linux capabilities filter.
Whitelist Linux capabilities filter.
Place the sandbox in the specified control group. tasks-file is
the full path of cgroup tasks file. Example:
Chroot into dirname directory.
Set CPU affinity. Example: --cpu=0,1,2
--csh Use /bin/csh as default user shell.
Print debug messages.
Print all recognized system calls in the current Firejail soft‐
ware build and exit.
Print all recognized capabilities in the current Firejail soft‐
ware build and exit.
Use this address as the default gateway in the new network namespace.
Set a DNS server for the sandbox. This option is valid only if
at least one new network interface was defined using --net
option. Up to three DNS servers can be defined.
Print options and exit.
Use this IP address in the new network namespace.
No IP address and no default gateway are configured in the new
network namespace. Use this option in case you intend to start
an external DHCP client in the sandbox.
Enable a new IPC namespace if the sandbox was started as a reg‐
ular user. IPC namespace is enabled by default only if the sand‐
box is started as root.
Join the sandbox started using --name option.
Join the sandbox specified by pid. Use --list option to get a
list of all active sandboxes.
--list List all sandboxes.
Set sandbox hostname.
Enable a new network namespace and connect it to this bridge
device. Unless specified with the --ip and --defaultgw options, an
IP address and a default gateway are assigned automatically to the
sandbox. The candidate IP address is probed with ARP before
assignment so that an address already in use on the segment is not
taken. The address assigned as default gateway is the bridge device
IP address. Up to four --net bridge devices can be defined. Mixing
bridge and macvlan devices is allowed.
Enable a new network namespace and connect it to this
ethernet_interface using the standard Linux macvlan driver. Unless
specified with the --ip and --defaultgw options, an IP address and a
default gateway are assigned automatically to the sandbox. The
candidate IP address is probed with ARP before assignment. The
address assigned as default gateway is the default gateway of the
host. Up to four --net devices can be defined. Mixing bridge and
macvlan devices is allowed.
Enable a new, unconnected network namespace.
Enable the default client network filter in the new network
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
Enable the network filter specified by filename in the new network
namespace. The filter file uses the format written by iptables-save
and read by iptables-restore.
Monitor network statistics for sandboxes creating a new network
Disable supplementary groups. Without this option, supplementary
groups are enabled for the user starting the sandbox. For root
user supplementary groups are always disabled.
stdout logging and log rotation. Copy stdout to logfile, and
keep the size of the file under 500KB using log rotation. Five
files with prefixes .1 to .5 are used in rotation.
Mount a filesystem overlay on top of the current filesystem.
OverlayFS support is required in Linux kernel for this option to
Mount new, temporary /root and /home/user directories; anything
written there is discarded when the sandbox exits.
Use directory as user home.
Use a custom profile, see below.
Set directory or file read-only.
Set the maximum file size that can be created by a process.
Set the maximum number of files that can be opened by a process.
Set the maximum number of processes that can be created for the
real user ID of the calling process.
Set the maximum number of pending signals for a process.
Enable seccomp filter and disable the syscalls in the default
list. The default list is as follows: mount, umount2, ptrace,
kexec_load, open_by_handle_at, init_module, finit_module,
delete_module, iopl, ioperm, swapon, swapoff and syslog.
Enable seccomp filter, apply the default list and the syscalls
specified by the command.
Enable seccomp filter, and apply the syscalls specified by the
command. The default syscall list is not applied.
Set default user shell. Use this shell to run the application
using -c shell option. For example "firejail --shell=/bin/dash
firefox" will start Mozilla Firefox as "/bin/dash -c firefox".
By default Bash shell (/bin/bash) is used. Options such as --zsh
and --csh can also set the default shell.
Shutdown the sandbox started using --name option.
Shutdown the sandbox specified by pid. Use --list option to get
a list of all active sandboxes.
Mount a tmpfs filesystem on directory dirname.
--top Monitor the most CPU-intensive sandboxes.
Trace open, access and connect system calls.
--tree Print a tree of all sandboxed processes.
Print program version and exit.
--zsh Use /usr/bin/zsh as default user shell.
Option --list prints a list of all sandboxes. The format for each
process entry is as follows:
Option --tree prints the tree of processes running in the sandbox. The
format for each process entry is as follows:
Option --top is similar to the UNIX top command, however it applies
only to sandboxes. Listed below are the available fields (columns) in
Command used to start the sandbox.
CPU% CPU usage, the sandbox share of the elapsed CPU time since the
last screen update
PID Unique process ID for the task controlling the sandbox.
Prcs Number of processes running in the sandbox, including the
controlling process.
RES Resident Memory Size (KiB), sandbox non-swapped physical memory.
It is a sum of the RES values for all processes running in the
sandbox, including the controlling process.
SHR Shared Memory Size (KiB), it reflects memory shared with other
processes. It is a sum of the SHR values for all processes run‐
ning in the sandbox, including the controlling process.
Uptime Sandbox running time in hours:minutes:seconds format.
User The owner of the sandbox.
Several command line configuration options can be passed to the program
using profile files. Default Firejail profile files are stored in
/etc/firejail directory, user profile files are stored in
~/.config/firejail directory. See man 5 firejail-profile for more
information.
To configure a restricted shell, replace /bin/bash with /usr/bin/firejail
in the /etc/passwd file for each user that needs to be restricted.
Alternatively, you can specify /usr/bin/firejail in adduser command:
adduser --shell /usr/bin/firejail username
Additional arguments passed to firejail executable upon login are
declared in /etc/firejail/login.users file.
Start a regular /bin/bash session in sandbox.
Start Mozilla Firefox.
firejail --seccomp firefox
Start Mozilla Firefox in a seccomp sandbox.
firejail --caps firefox
Start Mozilla Firefox in a Linux capabilities sandbox.
firejail --debug firefox
Debug Firefox sandbox.
Start a /bin/bash session with a new tmpfs home directory.
firejail --net=br0 --ip=10.10.20.10
Start a /bin/bash session in a new network namespace. The ses‐
sion is connected to the main network using br0 bridge device.
An IP address of 10.10.20.10 is assigned to the sandbox.
firejail --net=br0 --net=br1 --net=br2
Start a /bin/bash session in a new network namespace and connect
it to br0, br1, and br2 host bridge devices.
List all sandboxed processes.
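The examples above combine the options one at a time. As an added example (not from the man page or the Firejail project), the launcher below assembles a layered command line (seccomp filter, capabilities filter, private home and a separate network namespace) and enforces the limits the page documents before anything is started: at most four --net devices, --dns only together with a --net interface, and at most three DNS servers. Function names are this example's own; the option spellings --dns=address and --private are Firejail's, supplied here because this copy of the page lost those option headers.

```shell
#!/bin/sh
# Added example, not from the firejail man page: assemble a layered sandbox
# command line and enforce the documented limits before starting anything.
# Function names are this script's own; --dns= and --private are firejail's
# spellings for the options described in the man page text.

# sandbox_cmd PROGRAM "NET DEVICES" "DNS SERVERS"
#   NET DEVICES: space-separated --net values; "none" gives an unconnected namespace
#   DNS SERVERS: space-separated --dns values, possibly empty
# Prints the command line on success; prints the violated rule and returns 1.
sandbox_cmd() {
    prog=$1
    nets=$2
    dns=$3
    nnet=0
    ndns=0
    for d in $nets; do nnet=$((nnet + 1)); done
    for d in $dns;  do ndns=$((ndns + 1)); done

    # Man page: up to four --net devices (bridge and macvlan may be mixed).
    if [ "$nnet" -gt 4 ]; then
        echo "sandbox_cmd: at most four --net devices allowed" >&2
        return 1
    fi
    # Man page: --dns is valid only if a new network interface was defined
    # with --net, and up to three servers. This script treats --net=none as
    # "no interface" (the script's interpretation, not a statement from the page).
    if [ "$ndns" -gt 0 ] && { [ "$nnet" -eq 0 ] || [ "$nets" = none ]; }; then
        echo "sandbox_cmd: --dns needs a --net interface" >&2
        return 1
    fi
    if [ "$ndns" -gt 3 ]; then
        echo "sandbox_cmd: at most three --dns servers allowed" >&2
        return 1
    fi
    # Without any --net the sandbox keeps the host's network; default to the
    # unconnected namespace so that network access is opt-in.
    if [ "$nnet" -eq 0 ]; then
        nets=none
    fi

    cmd="firejail --seccomp --caps --private"
    for d in $nets; do cmd="$cmd --net=$d"; done
    for d in $dns;  do cmd="$cmd --dns=$d"; done
    printf '%s %s\n' "$cmd" "$prog"
}

# run_sandbox PROGRAM "NET DEVICES" "DNS SERVERS": validate, then exec firejail.
run_sandbox() {
    line=$(sandbox_cmd "$@") || return 1
    command -v firejail >/dev/null 2>&1 || {
        echo "run_sandbox: firejail not installed; would run: $line" >&2
        return 1
    }
    # Intentional word splitting: the line was built from single-word arguments.
    exec $line
}
```

Typical use is `run_sandbox firefox br0 "10.10.20.1 10.10.20.2"`, which validates the request and then execs `firejail --seccomp --caps --private --net=br0 --dns=10.10.20.1 --dns=10.10.20.2 firefox`; a request such as `run_sandbox firefox "" 10.10.20.1` is refused before firejail runs, because --dns has no interface to apply to.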
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.
0.9.22 Mar 2015 man(1)