man firejail

man(1)                         firejail man page                        man(1)



NAME
       Firejail - Linux namespaces sandbox program

SYNOPSIS
       firejail [options] [program and arguments]

DESCRIPTION
       Firejail  is  a  SUID sandbox program that reduces the risk of security
       breaches by restricting the running environment of  untrusted  applica‐
       tions using Linux namespaces. It includes a sandbox profile for Mozilla
       Firefox.

       Firejail also expands the restricted shell facility found  in  bash  by
       adding  Linux  namespace support. It supports sandboxing specific users
       upon login.

USAGE
       Without any options, the sandbox consists of a filesystem chroot built
       from the current system directories mounted read-only, and a new PID
       namespace (a new IPC namespace is added by default only when the
       sandbox is started as root; see --ipc-namespace). If no program is
       specified as an argument, /bin/bash is started by default in the
       sandbox.

OPTIONS
       --     Signal the end of options and disable further option process‐
              ing.

       --bind=dirname1,dirname2
              Mount-bind dirname1 on top of  dirname2.  This  option  is  only
              available when running as root.

       --bind=filename1,filename2
              Mount-bind  filename1  on  top of filename2. This option is only
              available when running as root.

       --blacklist=dirname_or_filename
              Blacklist directory or file.

       -c     Execute command and exit.

       --caps Enable default Linux capabilities filter.  The  filter  disables
              CAP_SYS_MODULE,   CAP_SYS_RAWIO,   CAP_SYS_BOOT,   CAP_SYS_NICE,
              CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN.  Capa‐
              bilities not in this list remain available to the sandbox;  use
              --caps.drop=all for programs that need none.

       --caps.drop=all
              Drop all capabilities.

       --caps.drop=capability,capability,capability
              Blacklist Linux capabilities filter.

       --caps.keep=capability,capability,capability
              Whitelist Linux capabilities filter.

       --caps.print=name
              Print the caps filter  for  the  sandbox  started  using  --name
              option.

       --caps.print=pid
              Print the caps filter for the specified sandbox.

       --cgroup=tasks-file
              Place  the sandbox in the specified control group. tasks-file is
              the   full   path    of    cgroup    tasks    file.     Example:
              --cgroup=/sys/fs/cgroup/g1/tasks

       --chroot=dirname
              Chroot into dirname directory.

       --cpu=cpu-number,cpu-number
              Set CPU affinity. Example: --cpu=0,1,2

       --csh  Use /bin/csh as default user shell.

       --debug
              Print debug messages.

       --debug-syscalls
              Print  all recognized system calls in the current Firejail soft‐
              ware build and exit.

       --debug-caps
              Print all recognized capabilities in the current Firejail  soft‐
              ware build and exit.

       --defaultgw=address
              Use  this  address  as default gateway in the new network names‐
              pace.

       --dns=address
              Set a DNS server for the sandbox. Up to three DNS servers can be
              defined.

       --dns.print=name
              Print  DNS  configuration  for  the sandbox started using --name
              option.

       --dns.print=pid
              Print DNS configuration of the  specified  process.  Use  --list
              option to get a list of all active sandboxes.

       -?, --help
              Print options and exit.

       --ip=address
              Use this IP address in the new network namespace.

       --ip=none
              No  IP  address and no default gateway are configured in the new
              network namespace. Use this option in case you intend  to  start
              an external DHCP client in the sandbox.

       --ipc-namespace
              Enable  a new IPC namespace if the sandbox was started as a reg‐
              ular user. IPC namespace is enabled by default only if the sand‐
              box is started as root.

       --join=name
              Join the sandbox started using --name option.

       --join=pid
              Join  the  sandbox specified by process ID. Use --list option to
              get a list of all active sandboxes.

       --list List all sandboxes.

       --name=name
              Set sandbox hostname. The name is also the handle accepted  by
              --join, --shutdown and the *.print options.

       --net=bridgename
              Enable a new network namespace and connect  it  to  this  bridge
              device.  Unless --ip and --defaultgw are given, an IP address and
              a default gateway are assigned automatically to the sandbox. The
              IP address is checked using ARP before assignment. The  address
              used  as  default  gateway is the bridge device IP address. Up to
              four --net bridge devices can be defined. Mixing bridge and  mac‐
              vlan devices is allowed.

       --net=ethernet_interface
              Enable a new network namespace and connect  it  to  this  ether‐
              net_interface  using  the  standard Linux macvlan driver. Unless
              --ip and --defaultgw are given, an IP address and a default gate‐
              way are assigned automatically to the sandbox. The IP address is
              checked using ARP before assignment. The address used as default
              gateway is the default gateway of the host. Up to four --net de‐
              vices can be defined. Mixing bridge and macvlan devices  is  al‐
              lowed.

       --net=none
              Enable a new, unconnected network namespace.

       --netfilter
              Enable  the  default  client  network  filter in the new network
              namespace:

              *filter
              :INPUT DROP [0:0]
              :FORWARD DROP [0:0]
              :OUTPUT ACCEPT [0:0]
              -A INPUT -i lo -j ACCEPT
              -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
              -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
              -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
              -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
              COMMIT

       --netfilter=filename
              Enable the network filter specified by filename in the new  net‐
              work namespace. The filter file format is the format used by the
              iptables-save and iptables-restore commands.
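       The default filter above keeps OUTPUT at ACCEPT, so a sandboxed program
       can still connect anywhere. As an added example that is not part of the
       man page or the Firejail project, the script below builds an egress
       allow-list in the iptables-save format that --netfilter=filename
       expects and shows how to start a sandbox with it. The bridge name br0
       and the port list are placeholders, and the filter only takes effect
       when the sandbox gets its own network namespace via --net.

```shell
#!/bin/sh
# Added example (not from the firejail man page or project): build an egress
# allow-list in iptables-save format and start a sandbox with it.
# The default --netfilter rule set drops unsolicited inbound traffic but
# leaves OUTPUT at ACCEPT; this file sets OUTPUT to DROP and only opens the
# destination ports you list, so the sandboxed program cannot phone home to
# arbitrary services.
# Assumptions: the bridge name and port numbers are placeholders, and the
# sandbox is started with --net=<bridge> (without a new network namespace
# --netfilter has nothing to apply to).

# write_egress_filter FILE PORT [PORT...]
# Writes an iptables-save style ruleset to FILE: loopback and established
# flows are allowed, unsolicited inbound traffic is dropped, and new
# outbound connections are limited to the listed TCP/UDP destination ports.
write_egress_filter() {
    file=$1; shift
    {
        printf '%s\n' '*filter'
        printf '%s\n' ':INPUT DROP [0:0]'
        printf '%s\n' ':FORWARD DROP [0:0]'
        printf '%s\n' ':OUTPUT DROP [0:0]'
        printf '%s\n' '-A INPUT -i lo -j ACCEPT'
        printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        printf '%s\n' '-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT'
        printf '%s\n' '-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT'
        printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
        printf '%s\n' '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
        for port in "$@"; do
            printf '%s\n' "-A OUTPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
            printf '%s\n' "-A OUTPUT -p udp --dport $port -j ACCEPT"
        done
        printf '%s\n' 'COMMIT'
    } > "$file"
}

# count_rules FILE CHAIN -> number of -A rules for CHAIN in FILE
count_rules() {
    grep -c "^-A $2 " "$1"
}

# run_filtered BRIDGE FILE PROGRAM [ARGS...]
# Starts PROGRAM in a new network namespace attached to BRIDGE with the
# filter loaded; the sandbox gets its address and gateway from the bridge.
run_filtered() {
    bridge=$1; file=$2; shift 2
    firejail --net="$bridge" --netfilter="$file" "$@"
}

# Demo: allow only DNS (53) and HTTPS (443) out of the sandbox.
FILTER=${TMPDIR:-/tmp}/egress.net
write_egress_filter "$FILTER" 53 443
echo "wrote $FILTER:"
cat "$FILTER"
# To launch (the bridge br0 is a placeholder and must exist on the host):
#   run_filtered br0 "$FILTER" firefox
```

       The RELATED,ESTABLISHED rule on OUTPUT is what lets replies to the
       allowed connections leave; without it only the first packet of each
       flow would pass.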

       --netstats
              Monitor network statistics for sandboxes creating a new  network
              namespace.

       --nogroups
              Disable supplementary groups. Without this option, supplementary
              groups are enabled for the user starting the sandbox.  For  root
              user supplementary groups are always disabled.

       --output=logfile
              stdout  logging  and  log  rotation. Copy stdout to logfile, and
              keep the size of the file under 500KB using log  rotation.  Five
              files with prefixes .1 to .5 are used in rotation.

       --overlay
              Mount  a  filesystem  overlay  on top of the current filesystem.
              OverlayFS support is required in Linux kernel for this option to
              work.

       --private
              Mount new tmpfs /root and /home/user directories. Files written
              there do not survive the sandbox.

       --private=directory
              Use directory as user home.

       --profile=filename
              Use a custom profile, see below.

       --read-only=dirname_or_filename
              Set directory or file read-only.

       --rlimit-fsize=number
              Set the maximum file size that can be created by a process.

       --rlimit-nofile=number
              Set the maximum number of files that can be opened by a process.

       --rlimit-nproc=number
              Set  the maximum number of processes that can be created for the
              real user ID of the calling process.

       --rlimit-sigpending=number
              Set the maximum number of pending signals for a process.

       --seccomp
              Enable seccomp filter and blacklist the syscalls in the  default
              list.  The  default  list is as follows: mount, umount2, ptrace,
              kexec_load,   open_by_handle_at,   init_module,    finit_module,
              delete_module,  iopl,  ioperm,  swapon,  swapoff, mknod, syslog,
              process_vm_readv, process_vm_writev, sysfs, _sysctl,  adjtimex,
              clock_adjtime,  lookup_dcookie,  perf_event_open,  fanotify_init
              and kcmp. This is a deny list: any syscall not in it remains
              available to the sandboxed program. Use --seccomp.keep to  build
              an allow list instead.

       --seccomp=syscall,syscall,syscall
              Enable seccomp  filter,  blacklist  the  default  list  and  the
              syscalls specified by the command.

       --seccomp.drop=syscall,syscall,syscall
              Enable  seccomp  filter, and blacklist the syscalls specified by
              the command.

       --seccomp.keep=syscall,syscall,syscall
              Enable seccomp filter, and whitelist the syscalls  specified  by
              the command.

       --seccomp.print=name
              Print  the  seccomp  filter for the sandbox started using --name
              option.

       --seccomp.print=pid
              Print the seccomp filter for the sandbox  specified  by  process
              ID. Use --list option to get a list of all active sandboxes.

       --shell=none
              Run the program directly, without a user shell.

       --shell=program
              Set  default  user  shell. Use this shell to run the application
              using -c shell option.  For example "firejail  --shell=/bin/dash
              firefox"  will  start Mozilla Firefox as "/bin/dash -c firefox".
              By default Bash shell (/bin/bash) is used. Options such as --zsh
              and --csh can also set the default shell.

       --shutdown=name
              Shutdown the sandbox started using --name option.

       --shutdown=pid
              Shutdown  the sandbox specified by process ID. Use --list option
              to get a list of all active sandboxes.

       --tmpfs=dirname
              Mount a tmpfs filesystem on directory dirname.

       --top  Monitor the most CPU-intensive sandboxes.

       --trace
              Trace open, access and connect system calls.

       --tree Print a tree of all sandboxed processes.

       --version
              Print program version and exit.

       --zsh  Use /usr/bin/zsh as default user shell.


MONITORING
       Option --list prints a list of  all  sandboxes.  The  format  for  each
       process entry is as follows:

            PID:USER:Command

       Option  --tree prints the tree of processes running in the sandbox. The
       format for each process entry is as follows:

            PID:USER:Command

       Option --top is similar to the UNIX top  command,  however  it  applies
       only  to  sandboxes. Listed below are the available fields (columns) in
       alphabetical order:


       Command
              Command used to start the sandbox.

       CPU%   CPU usage, the sandbox share of the elapsed CPU time  since  the
              last screen update.

       PID    Unique process ID for the task controlling the sandbox.

       Prcs   Number  of  processes running in sandbox, including the control‐
              ling process.

       RES    Resident Memory Size (KiB), sandbox non-swapped physical memory.
              It  is  a sum of the RES values for all processes running in the
              sandbox.

       SHR    Shared Memory Size (KiB), it reflects memory shared  with  other
              processes.  It is a sum of the SHR values for all processes run‐
              ning in the sandbox, including the controlling process.

       Uptime Sandbox running time in hours:minutes:seconds format.

       User   The owner of the sandbox.



PROFILES
       Several command line configuration options can be passed to the program
       using  profile  files.  Default  Firejail  profile  files are stored in
       /etc/firejail directory, user  profile  files  are  stored  in  ~/.con‐
       fig/firejail  directory.  See  man 5 firejail-profile for more informa‐
       tion.
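       As an added example that is not part of the man page or the Firejail
       project, the following script writes a custom profile for an untrusted
       program, starts it under a fixed --name, and uses the monitoring and
       *.print options to confirm from outside the sandbox that the filters
       took effect. The profile path, the sandbox name and the viewer program
       are placeholders; the directive spellings follow firejail-profile(5)
       and should be checked against the installed version.

```shell
#!/bin/sh
# Added example (not from the firejail man page or project): write a custom
# profile, start a program under it with a stable sandbox name, and inspect
# the running sandbox from outside.
# Assumptions: profile directives are spelled as in firejail-profile(5);
# the profile path, the sandbox name "viewer" and the program are
# placeholders.

# write_profile FILE
# Each directive corresponds to a command line option:
#   private        -> --private       (fresh tmpfs home, your files stay hidden)
#   tmpfs /tmp     -> --tmpfs=/tmp
#   blacklist ...  -> --blacklist=...
#   read-only ...  -> --read-only=...
#   caps.drop all  -> --caps.drop=all
#   seccomp        -> --seccomp       (default deny list of syscalls)
write_profile() {
    cat > "$1" <<'EOF'
# Added example profile: untrusted document viewer
private
tmpfs /tmp
blacklist /boot
blacklist /media
blacklist /mnt
read-only /etc
caps.drop all
seccomp
EOF
}

# profile_has FILE DIRECTIVE -> exit 0 if the exact directive line is present
profile_has() {
    grep -q "^$2\$" "$1"
}

# run_named NAME PROFILE PROGRAM [ARGS...]
# --name gives the sandbox a handle for --join/--shutdown/*.print;
# --shell=none runs the program directly instead of via "/bin/bash -c".
run_named() {
    name=$1; profile=$2; shift 2
    firejail --name="$name" --profile="$profile" --shell=none "$@" &
}

# inspect NAME
# Show the sandbox in the list, then dump the capability and seccomp
# filters it is actually running with, and the process tree inside it.
inspect() {
    firejail --list
    firejail --caps.print="$1"
    firejail --seccomp.print="$1"
    firejail --tree
}

PROFILE=${TMPDIR:-/tmp}/viewer.profile
write_profile "$PROFILE"
echo "profile written to $PROFILE"
# Usage (needs firejail installed and a viewer program available):
#   run_named viewer "$PROFILE" evince untrusted.pdf
#   inspect viewer
#   firejail --shutdown=viewer
```

       Checking with --caps.print and --seccomp.print after launch is the
       quick way to catch a profile line that was silently ignored because of
       a typo.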

RESTRICTED SHELL
       To configure a restricted shell, replace /bin/bash with  /usr/bin/fire‐
       jail  in  the /etc/passwd file for each user that needs to be restrict‐
       ed. Alternatively, you can specify /usr/bin/firejail with the  adduser
       command:

       adduser --shell /usr/bin/firejail username

       Additional arguments passed  to  firejail  executable  upon  login  are
       declared in /etc/firejail/login.users file.


EXAMPLES
       firejail
              Start a regular /bin/bash session in sandbox.

       firejail firefox
              Start Mozilla Firefox.

       firejail --seccomp firefox
              Start Mozilla Firefox in a seccomp sandbox.

       firejail --caps firefox
              Start Mozilla Firefox in a Linux capabilities sandbox.

       firejail --debug firefox
              Debug Firefox sandbox.

       firejail --private
              Start a /bin/bash session with a new tmpfs home directory.

       firejail --net=br0 --ip=10.10.20.10
              Start  a  /bin/bash session in a new network namespace. The ses‐
              sion is connected to the main network using br0  bridge  device.
              An IP address of 10.10.20.10 is assigned to the sandbox.

       firejail --net=br0 --net=br1 --net=br2
              Start a /bin/bash session in a new network namespace and connect
              it to br0, br1, and br2 host bridge devices.

       firejail --list
              List all sandboxed processes.

LICENSE
       This program is free software; you can redistribute it and/or modify it
       under  the  terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at  your
       option) any later version.

       Homepage: http://firejail.sourceforge.net

SEE ALSO
       firemon(1), firejail-profile(5)






0.9.24                             Apr 2015                             man(1)
