These profile entries define a chroot filesystem built on top of
the existing host filesystem. Each line describes a
file/directory that is inaccessible (blacklist), a read-only file
or directory (read-only), a tmpfs mounted on top of an existing
directory (tmpfs), or mount-bind a directory or file on top of
another directory or file (bind). Use private to set private
mode. File globbing is supported, and PATH and HOME directories
are searched, see the firejail FILE GLOBBING section for more
details. Examples:
allow file_or_directory
Allow directory or file. A temporary file system is
mounted on the top directory, and the allowed files are
mount-binded inside. Modifications to allowd files are
persistent, everything else is discarded when the sandbox
is closed. The top directory can be all directories in /
(except /proc and /sys), /sys/module, /run/user/$UID,
$HOME and all directories in /usr.
Symbolic link handling: with the exception of user home,
both the link and the real file should be in the same top
directory. For user home, both the link and the real file
should be owned by the user.
blacklist-nolog file_or_directory
When --tracelog flag is set, blacklisting generates syslog
messages if the sandbox tries to access the file or
directory. blacklist-nolog command disables syslog
messages for this particular file or directory. Examples:
blacklist-nolog /usr/bin
blacklist-nolog /usr/bin/gcc*
bind directory1,directory2
Mount-bind directory1 on top of directory2. This option is
only available when running as root.
bind file1,file2
Mount-bind file1 on top of file2. This option is only
available when running as root.
deny file_or_directory
Deny access to directory or file. Examples:
deny /usr/bin
deny /usr/bin/gcc*
deny ${PATH}/ifconfig
deny ${HOME}/.ssh
disable-mnt
Disable /mnt, /media, /run/mount and /run/media access.
keep-config-pulse
Disable automatic ~/.config/pulse init, for complex setups
such as remote pulse servers or non-standard socket paths.
keep-dev-shm
/dev/shm directory is untouched (even with private-dev).
keep-var-tmp
/var/tmp directory is untouched.
mkdir directory
Create a directory in user home, under /tmp, or under
/run/user/<UID> before the sandbox is started. The
directory is created if it doesn't already exist.
Use this command for allowed directories you need to
preserve when the sandbox is closed. Without it, the
application will create the directory, and the directory
will be deleted when the sandbox is closed. Subdirectories
are recursively created. Example from firefox profile:
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
allow ~/.cache/mozilla/firefox
For files in /run/user/<PID> use ${RUNUSER} macro:
mkdir ${RUNUSER}/firejail-testing
mkfile file
Similar to mkdir, this command creates an empty file in
user home, or /tmp, or under /run/user/<UID> before the
sandbox is started. The file is created if it doesn't
already exist.
noexec file_or_directory
Remount the file or the directory noexec, nodev and
nosuid.
private
Mount new /root and /home/user directories in temporary
filesystems. All modifications are discarded when the
sandbox is closed.
private directory
Use directory as user home.
private-bin file,file
Build a new /bin in a temporary filesystem, and copy the
programs in the list. The files in the list must be
expressed as relative to the /bin, /sbin, /usr/bin,
/usr/sbin, or /usr/local/bin directories. The same
directory is also bind-mounted over /sbin, /usr/bin and
/usr/sbin.
private-cache
Mount an empty temporary filesystem on top of the .cache
directory in user home. All modifications are discarded
when the sandbox is closed.
private-cwd
Set working directory inside jail to the home directory,
and failing that, the root directory.
private-cwd directory
Set working directory inside the jail.
private-dev
Create a new /dev directory. Only disc, dri, dvb, hidraw,
null, full, zero, tty, pts, ptmx, random, snd, urandom,
video, log, shm and usb devices are available. Use the
options no3d, nodvd, nosound, notv, nou2f and novideo for
additional restrictions.
private-etc file,directory
Build a new /etc in a temporary filesystem, and copy the
files and directories in the list. The files and
directories in the list must be expressed as relative to
the /etc directory, and must not contain the / character
(e.g., /etc/foo must be expressed as foo, but /etc/foo/bar
-- expressed as foo/bar -- is disallowed). All
modifications are discarded when the sandbox is closed.
private-home file,directory
Build a new user home in a temporary filesystem, and copy
the files and directories in the list in the new home.
The files and directories in the list must be expressed as
relative to the current user's home directory. All
modifications are discarded when the sandbox is closed.
private-lib file,directory
Build a new /lib directory and bring in the libraries
required by the application to run. The files and
directories in the list must be expressed as relative to
the /lib directory. This feature is still under
development, see man 1 firejail for some examples.
private-opt file,directory
Build a new /opt in a temporary filesystem, and copy the
files and directories in the list. The files and
directories in the list must be expressed as relative to
the /opt directory, and must not contain the / character
(e.g., /opt/foo must be expressed as foo, but /opt/foo/bar
-- expressed as foo/bar -- is disallowed). All
modifications are discarded when the sandbox is closed.
private-srv file,directory
Build a new /srv in a temporary filesystem, and copy the
files and directories in the list. The files and
directories in the list must be expressed as relative to
the /srv directory, and must not contain the / character
(e.g., /srv/foo must be expressed as foo, but /srv/foo/bar
-- expressed as foo/bar -- is disallowed). All
modifications are discarded when the sandbox is closed.
private-tmp
Mount an empty temporary filesystem on top of /tmp
directory allowing /tmp/.X11-unix.
read-only file_or_directory
Make directory or file read-only.
read-write file_or_directory
Make directory or file read-write.
tmpfs directory
Mount an empty tmpfs filesystem on top of directory.
Directories outside user home or not owned by the user are
not allowed. Sandboxes running as root are exempt from
these restrictions.
tracelog
File system deny violations logged to syslog.
writable-etc
Mount /etc directory read-write.
writable-run-user
Disable the default denying of run/user/$UID/systemd and
/run/user/$UID/gnupg.
writable-var
Mount /var directory read-write.
writable-var-log
Use the real /var/log directory, not a clone. By default,
a tmpfs is mounted on top of /var/log directory, and a
skeleton filesystem is created based on the original
/var/log.
