Linux Manual Guide




profile (5)

Security profile file syntax, and information about building new application profiles.

Filesystem

These profile entries define a chroot filesystem built on top of the existing host filesystem. Each line describes a file or directory that is inaccessible (deny, also written blacklist), a read-only file or directory (read-only), a tmpfs mounted on top of an existing directory (tmpfs), or a directory or file bind-mounted on top of another directory or file (bind). Use private to set private mode. File globbing is supported, and the PATH and HOME directories are searched; see the FILE GLOBBING section of firejail(1) for details. The commands are:

allow file_or_directory Allow directory or file. A temporary file system is mounted on the top directory, and the allowed files are bind-mounted inside it. Modifications to allowed files are persistent; everything else is discarded when the sandbox is closed. The top directory must be one of: any directory in / (except /proc and /sys), /sys/module, /run/user/$UID, $HOME, or any directory in /usr.

Symbolic link handling: with the exception of user home, both the link and the real file should be in the same top directory. For user home, both the link and the real file should be owned by the user.

blacklist-nolog file_or_directory When the --tracelog flag is set, denying (blacklisting) a file or directory generates a syslog message each time the sandbox tries to access it. blacklist-nolog denies access in the same way but disables the syslog messages for this particular file or directory. Examples:

blacklist-nolog /usr/bin
blacklist-nolog /usr/bin/gcc*

bind directory1,directory2 Mount-bind directory1 on top of directory2. This option is only available when running as root.

bind file1,file2 Mount-bind file1 on top of file2. This option is only available when running as root.

deny file_or_directory Deny access to directory or file. Examples:

deny /usr/bin
deny /usr/bin/gcc*
deny ${PATH}/ifconfig
deny ${HOME}/.ssh

disable-mnt Disable /mnt, /media, /run/mount and /run/media access.

keep-config-pulse Disable automatic ~/.config/pulse init, for complex setups such as remote pulse servers or non-standard socket paths.

keep-dev-shm /dev/shm directory is untouched (even with private-dev).

keep-var-tmp /var/tmp directory is untouched.

mkdir directory Create a directory in the user's home, under /tmp, or under /run/user/<UID> before the sandbox is started. Nothing is done if the directory already exists.

Use this command for allowed directories whose contents you need to preserve after the sandbox is closed. Without it, a directory that does not yet exist on the host is created by the application inside the sandbox's temporary filesystem, and it is deleted together with that filesystem when the sandbox is closed; creating it on the host first lets allow bind-mount the real directory instead. Parent directories are created recursively. Example from the firefox profile:

mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
allow ~/.cache/mozilla/firefox

(whitelist is a synonym for allow; the firefox profile uses both spellings.)

For files in /run/user/<UID> use the ${RUNUSER} macro:

mkdir ${RUNUSER}/firejail-testing

mkfile file Similar to mkdir, this command creates an empty file in the user's home, under /tmp, or under /run/user/<UID> before the sandbox is started. Nothing is done if the file already exists.

noexec file_or_directory Remount the file or the directory noexec, nodev and nosuid.

private Mount new /root and /home/user directories in temporary filesystems. All modifications are discarded when the sandbox is closed.

private directory Use directory as user home.

private-bin file,file Build a new /bin in a temporary filesystem, and copy the programs in the list. The files in the list must be expressed as relative to the /bin, /sbin, /usr/bin, /usr/sbin, or /usr/local/bin directories. The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.

private-cache Mount an empty temporary filesystem on top of the .cache directory in user home. All modifications are discarded when the sandbox is closed.

private-cwd Set the working directory inside the jail to the user's home directory, or to the root directory if that fails.

private-cwd directory Set working directory inside the jail.

private-dev Create a new /dev directory. Only disc, dri, dvb, hidraw, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log, shm and usb devices are available. Use the options no3d, nodvd, nosound, notv, nou2f and novideo for additional restrictions.

private-etc file,directory Build a new /etc in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to the /etc directory, and must not contain the / character (e.g., /etc/foo must be expressed as foo, but /etc/foo/bar -- expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed.

private-home file,directory Build a new user home in a temporary filesystem, and copy the files and directories in the list in the new home. The files and directories in the list must be expressed as relative to the current user's home directory. All modifications are discarded when the sandbox is closed.

private-lib file,directory Build a new /lib directory and bring in the libraries required by the application to run. The files and directories in the list must be expressed as relative to the /lib directory. This feature is still under development, see man 1 firejail for some examples.

private-opt file,directory Build a new /opt in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to the /opt directory, and must not contain the / character (e.g., /opt/foo must be expressed as foo, but /opt/foo/bar -- expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed.

private-srv file,directory Build a new /srv in a temporary filesystem, and copy the files and directories in the list. The files and directories in the list must be expressed as relative to the /srv directory, and must not contain the / character (e.g., /srv/foo must be expressed as foo, but /srv/foo/bar -- expressed as foo/bar -- is disallowed). All modifications are discarded when the sandbox is closed.

private-tmp Mount an empty temporary filesystem on top of the /tmp directory, keeping /tmp/.X11-unix accessible.

read-only file_or_directory Make directory or file read-only.

read-write file_or_directory Make directory or file read-write.

tmpfs directory Mount an empty tmpfs filesystem on top of directory. Directories outside user home or not owned by the user are not allowed. Sandboxes running as root are exempt from these restrictions.

tracelog Log file system deny (blacklist) violations to syslog.

writable-etc Mount /etc directory read-write.

writable-run-user Disable the default denying of /run/user/$UID/systemd and /run/user/$UID/gnupg.

writable-var Mount /var directory read-write.

writable-var-log Use the real /var/log directory, not a clone. By default, a tmpfs is mounted on top of /var/log directory, and a skeleton filesystem is created based on the original /var/log.
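The constraints stated in this section are easy to get wrong when writing a profile by hand, and firejail reports most of them only at sandbox start. The following is an added example, not part of firejail or of this manual page: a small Python linter that checks the Filesystem commands of a profile against the rules documented above, covering both the allow/mkdir entries (permitted top directories, mkdir before allow) and the private-etc/private-opt/private-srv entries (no "/" in list items), plus the mkdir/mkfile locations and the root-only bind command. The uid 1000, the home directory /home/user and the sample profile text are all constructed for the example; the mkdir-before-allow check is a heuristic, since the linter cannot see whether a directory already exists on the host.

```python
"""Lint the Filesystem section of a firejail profile against the rules on this page.

Added example, not firejail code. UID/HOME are assumed values for the sandboxed user.
"""
import os

UID = 1000                      # assumption: uid of the sandboxed user
HOME = "/home/user"             # assumption: home of the sandboxed user
RUNUSER = f"/run/user/{UID}"    # what the ${RUNUSER} macro expands to

PRIVATE_FLAT = {"private-etc", "private-opt", "private-srv"}   # items may not contain "/"
MKDIR_ROOTS = (HOME + "/", "/tmp/", RUNUSER + "/")              # mkdir/mkfile targets must be here


def expand(path):
    """Expand the macros used in profiles: ~, ${HOME} and ${RUNUSER}."""
    path = path.replace("${HOME}", HOME).replace("${RUNUSER}", RUNUSER)
    if path == "~" or path.startswith("~/"):
        path = HOME + path[1:]
    return os.path.normpath(path)


def allow_top(path):
    """Return the top directory on which firejail mounts the tmpfs for an allow entry,
    or None when the path is not under a permitted top directory (see the allow rules)."""
    parts = path.strip("/").split("/")          # "/home/user/.mozilla" -> ["home","user",".mozilla"]
    if len(parts) < 2:
        return None                             # "/" or a top-level directory itself
    if path.startswith(HOME + "/"):
        return HOME
    if path.startswith(RUNUSER + "/"):
        return RUNUSER
    if parts[0] == "sys":                       # only /sys/module is allowed under /sys
        return "/sys/module" if parts[:2] == ["sys", "module"] and len(parts) > 2 else None
    if parts[0] == "proc":
        return None
    if parts[0] == "usr" and len(parts) > 2:    # "all directories in /usr", e.g. /usr/share
        return "/usr/" + parts[1]
    return "/" + parts[0]                       # "all directories in /", e.g. /opt


def lint(profile_text):
    """Return a list of (line_number, message) findings for the Filesystem commands."""
    findings = []
    made = set()                                # paths created by an earlier mkdir/mkfile
    for no, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):    # profile comments are whole lines
            continue
        cmd, _, arg = line.partition(" ")
        arg = arg.strip()
        if cmd in PRIVATE_FLAT:
            for item in arg.split(","):
                if "/" in item:
                    findings.append((no, f"{cmd}: item '{item}' must be relative and may not contain '/'"))
        elif cmd in ("mkdir", "mkfile"):
            path = expand(arg)
            if not path.startswith(MKDIR_ROOTS):
                findings.append((no, f"{cmd}: {arg} is not under ~, /tmp or ${{RUNUSER}}"))
            made.add(path)
        elif cmd in ("allow", "whitelist"):
            path = expand(arg)
            if allow_top(path) is None:
                findings.append((no, f"{cmd}: {arg} is not under a permitted top directory"))
            elif path.startswith(MKDIR_ROOTS) and path not in made \
                    and not any(p.startswith(path + "/") for p in made):
                # heuristic: if the directory does not exist on the host, the application's
                # copy lives in the tmpfs and is discarded when the sandbox closes
                findings.append((no, f"{cmd}: {arg} has no preceding mkdir; data created there may be lost"))
        elif cmd == "bind":
            findings.append((no, "bind: only honoured when firejail runs as root"))
    return findings


# constructed sample profile: exercises each check in lint()
SAMPLE_PROFILE = """\
# constructed sample profile for the linter above
mkdir ~/.mozilla
allow ~/.mozilla
allow ~/.cache/mozilla/firefox
allow /proc/self/fd
allow /usr/share/fonts
mkdir ${RUNUSER}/firejail-testing
mkdir /var/lib/foo
private-etc passwd,group,fonts/conf.d
private-opt foo
bind /opt/src,/opt/dst
deny ${HOME}/.ssh
"""

if __name__ == "__main__":
    for line_no, msg in lint(SAMPLE_PROFILE):
        print(f"line {line_no}: {msg}")
```

Run it on a real profile with `lint(open(path).read())`; an empty list means none of the rules above are violated. The checks are deliberately conservative: deny entries are not examined, globs are passed through unexpanded, and the "no preceding mkdir" note is informational rather than an error.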