The following security filters are currently implemented:
allow-debuggers
Allow tools such as strace and gdb inside the sandbox by
allowing the ptrace and process_vm_readv system calls.
caps
Enable default Linux capabilities filter.
caps.drop capability,capability,capability
Deny given Linux capabilities.
caps.drop all
Deny all Linux capabilities.
caps.keep capability,capability,capability
Allow given Linux capabilities.
memory-deny-write-execute
Install a seccomp filter to block attempts to create
memory mappings that are both writable and executable, to
change mappings to be executable or to create executable
shared memory.
nonewprivs
Sets the NO_NEW_PRIVS prctl. This ensures that child
processes cannot acquire new privileges using execve(2);
in particular, this means that calling a suid binary (or
one with file capabilities) does not result in an increase
of privilege.
noroot
Use this command to enable a user namespace. The
namespace has only one user, the current user. There is
no root account (uid 0) defined in the namespace.
protocol protocol1,protocol2,protocol3
Enable protocol filter. The filter is based on seccomp and
checks the first argument to the socket system call.
Recognized values: unix, inet, inet6, netlink, packet and
bluetooth.
seccomp
Enable seccomp filter and deny the syscalls in the default
list. See man 1 firejail for more details.
seccomp.32
Enable seccomp filter and deny the syscalls in the default
list for 32 bit system calls on a 64 bit architecture
system.
seccomp syscall,syscall,syscall
Enable seccomp filter and deny the system calls in the
list on top of default seccomp filter.
seccomp.32 syscall,syscall,syscall
Enable seccomp filter and deny the system calls in the
list on top of default seccomp filter for 32 bit system
calls on a 64 bit architecture system.
seccomp.block-secondary
Enable seccomp filter and filter system call architectures
so that only the native architecture is allowed.
seccomp.drop syscall,syscall,syscall
Enable seccomp filter and deny the system calls in the
list.
seccomp.32.drop syscall,syscall,syscall
Enable seccomp filter and deny the system calls in the
list for 32 bit system calls on a 64 bit architecture
system.
seccomp.keep syscall,syscall,syscall
Enable seccomp filter and allow the system calls in the
list.
seccomp.32.keep syscall,syscall,syscall
Enable seccomp filter and allow the system calls in the
list for 32 bit system calls on a 64 bit architecture
system.
seccomp-error-action kill | log | ERRNO
Return a different error instead of EPERM to the process,
kill it when an attempt is made to call a blocked system
call, or allow but log the attempt.
x11
Enable X11 sandboxing.
x11 none
Deny access to the /tmp/.X11-unix directory,
${HOME}/.Xauthority and the file specified in the
${XAUTHORITY} environment variable. Remove the DISPLAY and
XAUTHORITY environment variables. Stop with an error
message if the X11 abstract socket would be accessible in
the jail.
x11 xephyr
Enable X11 sandboxing with Xephyr server.
x11 xorg
Enable X11 sandboxing with X11 security extension.
x11 xpra
Enable X11 sandboxing with Xpra server.
x11 xvfb
Enable X11 sandboxing with Xvfb server.
xephyr-screen WIDTHxHEIGHT
Set the screen size for x11 xephyr. This command should be
included in the profile file before the x11 xephyr command.
Example:
xephyr-screen 640x480
x11 xephyr
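The rules above (recognized protocol values, the seccomp-error-action forms, the x11 backends, and the requirement that xephyr-screen precede x11 xephyr) can be checked before a profile is deployed. The linter below is an added example written for this page, not part of firejail; lint_profile, the sample profile text and the errno-name check (any E-prefixed uppercase token) are this example's own assumptions.

```python
"""Lint a firejail profile against the security-filter rules documented above.
Hypothetical helper; it is not part of firejail and only checks syntax."""
import re

PROTOCOLS = {"unix", "inet", "inet6", "netlink", "packet", "bluetooth"}
X11_BACKENDS = {"", "none", "xephyr", "xorg", "xpra", "xvfb"}
ERRNO_NAME = re.compile(r"^E[A-Z0-9]+$")  # assumption: accept any errno-like name

def lint_profile(text):
    """Return a list of (line_no, message) findings for a profile text."""
    findings = []
    seen_x11_xephyr = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        parts = line.split(None, 1)
        cmd, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if cmd == "protocol":
            bad = [p for p in arg.split(",") if p not in PROTOCOLS]
            if bad:
                findings.append((n, "unknown protocol(s): " + ",".join(bad)))
        elif cmd == "seccomp-error-action":
            if arg not in ("kill", "log") and not ERRNO_NAME.match(arg):
                findings.append((n, f"invalid seccomp-error-action '{arg}'"))
        elif cmd == "xephyr-screen":
            if not re.fullmatch(r"\d+x\d+", arg):
                findings.append((n, f"xephyr-screen expects WIDTHxHEIGHT, got '{arg}'"))
            if seen_x11_xephyr:           # documented ordering rule
                findings.append((n, "xephyr-screen must come before 'x11 xephyr'"))
        elif cmd == "x11":
            if arg not in X11_BACKENDS:
                findings.append((n, f"unknown x11 backend '{arg}'"))
            if arg == "xephyr":
                seen_x11_xephyr = True
    return findings

# Constructed sample profile: one unknown protocol and a misordered xephyr-screen.
SAMPLE_PROFILE = """\
# constructed sample, not from the firejail repository
caps.drop all
nonewprivs
noroot
memory-deny-write-execute
protocol unix,inet,inet6,ipx
seccomp
seccomp-error-action EPERM
x11 xephyr
xephyr-screen 640x480
"""

if __name__ == "__main__":
    for line_no, msg in lint_profile(SAMPLE_PROFILE):
        print(f"line {line_no}: {msg}")
```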