Guide to the Linux Manual


firejail-profile(5)

Security profile file syntax, and information about building new application profiles.

Scripting

Scripting commands:

File and directory names

File and directory names containing spaces are supported. The space character ' ' should not be escaped.

Example: "deny ~/My Virtual Machines"

# this is a comment

Example:

    # disable networking
    net none # this command creates an empty network namespace

?CONDITIONAL: profile line

Conditionally add profile line.

Example: "?HAS_APPIMAGE: allow ${HOME}/special/appimage/dir"

This example will load the profile line only if the --appimage option has been specified on the command line.

Currently the only conditionals supported this way are HAS_APPIMAGE, HAS_NET, HAS_NODBUS, HAS_NOSOUND, HAS_PRIVATE and HAS_X11. The conditionals BROWSER_DISABLE_U2F and BROWSER_ALLOW_DRM can be enabled or disabled globally in Firejail's configuration file.

The profile line may be any profile line that you would normally use in a profile except for "quiet" and "include" lines.

include other.profile

Include other.profile file.

Example: "include /etc/firejail/disable-common.inc"

The file name can be prefixed with a macro such as ${HOME} or ${CFG}. ${HOME} expands to the user's home directory, and ${CFG} expands to the Firejail system configuration directory, in most cases /etc/firejail or /usr/local/etc/firejail.

Example: "include ${HOME}/myprofiles/profile1" will load "~/myprofiles/profile1" file.

Example: "include ${CFG}/firefox.profile" will load "/etc/firejail/firefox.profile" file.

The file name may also be just the name without the leading directory components. In this case, the user config directory (${HOME}/.config/firejail) is searched for the file name first, and if it is not found there, the system configuration directory is searched. Note: Unlike the --profile option, which takes a profile name without the '.profile' suffix, include must be given the full file name.

Example: "include firefox.profile" will load "${HOME}/.config/firejail/firefox.profile" file and if it does not exist "${CFG}/firefox.profile" will be loaded.

System configuration files in ${CFG} are overwritten during software installation. Persistent configuration at system level is handled in ".local" files. For every profile file in ${CFG} directory, the user can create a corresponding .local file storing modifications to the persistent configuration. Persistent .local files are included at the start of regular profile files.
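
The lookup order described above decides which file an include line actually loads: a file in the user config directory takes precedence over a system profile of the same name. The following Python script is an added example, not part of the Firejail manual or code base; it reports bare-name includes where that happens. The function names are hypothetical, comment handling is simplified, and the directory tree and profile text are constructed.

```python
import os
import tempfile

def resolve_include(name, home, cfg):
    """Resolve an 'include' argument to (path, source) using the order above."""
    # Macro expansion: ${HOME} is the user home, ${CFG} the system config dir.
    expanded = name.replace("${HOME}", home).replace("${CFG}", cfg)
    if "/" in expanded:  # leading directory components: use the path as given
        return (expanded, "explicit") if os.path.isfile(expanded) else (None, "missing")
    user = os.path.join(home, ".config", "firejail", expanded)
    if os.path.isfile(user):  # the user config directory is searched first
        return user, "user"
    system = os.path.join(cfg, expanded)
    if os.path.isfile(system):  # then the system configuration directory
        return system, "system"
    return None, "missing"

def shadowed_includes(profile_text, home, cfg):
    """Return (name, path) for includes where a user file hides a system file."""
    hits = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplified: '#' starts a comment
        if not line.startswith("include "):
            continue
        # Everything after the keyword is the file name; spaces are not escaped.
        name = line[len("include "):].strip()
        path, source = resolve_include(name, home, cfg)
        if source == "user" and os.path.isfile(os.path.join(cfg, name)):
            hits.append((name, path))
    return hits

def demo():
    """Audit a constructed profile against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        cfg = os.path.join(root, "etc-firejail")  # stands in for /etc/firejail
        user_dir = os.path.join(home, ".config", "firejail")
        os.makedirs(user_dir)
        os.makedirs(cfg)
        for path in (os.path.join(cfg, "firefox.profile"),
                     os.path.join(cfg, "disable-common.inc"),
                     os.path.join(user_dir, "firefox.profile")):
            open(path, "w").close()
        profile = ("# constructed sample profile\n"
                   "include firefox.profile\n"
                   "include disable-common.inc # only the system copy exists\n"
                   "include ${CFG}/firefox.profile\n")
        return [name for name, _ in shadowed_includes(profile, home, cfg)]

if __name__ == "__main__":
    print(demo())
```
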

noallow file_name

If the file name matches file_name, the file will not be allowed in any allow commands that follow.

Example: "nowhitelist ~/.config"

nodeny file_name

If the file name matches file_name, the file will not be denied in any deny commands that follow.

Example: "nodeny ${HOME}/.mozilla"

ignore

Ignore command.

Example: "ignore seccomp"

Example: "ignore net eth0"

quiet

Disable Firejail's output. This should be the first uncommented command in the profile file.

Example: "quiet"