Provided by: firejail_0.9.38.10-0ubuntu0.16.04.1_amd64

NAME

       profile - Security profile file syntax for Firejail

USAGE

       firejail --profile=filename.profile

DESCRIPTION

       Several  command  line  options can be passed to the program using profile files. Firejail
       chooses the profile file as follows:

       1. If a profile file is provided by the user with --profile option, the  profile  file  is
       loaded.  Example:

              $ firejail --profile=/home/netblue/icecat.profile icecat
              Reading profile /home/netblue/icecat.profile
              [...]

       2.   If   a   profile   file  with  the  same  name  as  the  application  is  present  in
       ~/.config/firejail   directory   or   in   /etc/firejail,   the   profile    is    loaded.
       ~/.config/firejail takes precedence over /etc/firejail. Example:

              $ firejail icecat
              Command name #icecat#
              Found icecat profile in /home/netblue/.config/firejail directory
              Reading profile /home/netblue/.config/firejail/icecat.profile
              [...]

       3.  Use  a  default.profile  file  if  the  sandbox  is  started  by  a regular user, or a
       server.profile file if the sandbox is started by root. Firejail looks for these  files  in
       ~/.config/firejail  directory,  followed  by  /etc/firejail directory.  To disable default
       profile loading, use --noprofile command option. Example:

              $ firejail
              Reading profile /etc/firejail/generic.profile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]

              $ firejail --noprofile
              Parent pid 8553, child pid 8554
              Child process initialized
              [...]
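
       The lookup order above can be reproduced offline to see which file decides the policy
       for a program. This is an added example, not part of Firejail or of the original page;
       resolve_profile and shadowed_profiles are hypothetical helper names, and the directory
       and uid arguments exist only so the functions can be pointed at a test tree.

```shell
# resolve_profile APP [EXPLICIT_PROFILE] [USER_DIR] [SYS_DIR] [UID]
# Prints the profile path selected by rules 1-3; returns 1 if no file exists.
resolve_profile() {
    local app="$1" explicit="$2"
    local user_dir="${3:-$HOME/.config/firejail}" sys_dir="${4:-/etc/firejail}"
    local uid="${5:-$(id -u)}" fallback name dir

    # Rule 1: a file given with --profile is used as is.
    if [ -n "$explicit" ]; then printf '%s\n' "$explicit"; return 0; fi

    # Rule 2: APP.profile; rule 3: default.profile, or server.profile for root.
    # In both rules the user directory is searched before the system one.
    if [ "$uid" -eq 0 ]; then fallback=server; else fallback=default; fi
    for name in "$app" "$fallback"; do
        [ -n "$name" ] || continue
        for dir in "$user_dir" "$sys_dir"; do
            if [ -f "$dir/$name.profile" ]; then
                printf '%s\n' "$dir/$name.profile"; return 0
            fi
        done
    done
    return 1
}

# shadowed_profiles [USER_DIR] [SYS_DIR]
# Lists system profiles overridden by a same-named file in the user
# directory, i.e. cases where a user-writable file decides the policy.
shadowed_profiles() {
    local user_dir="${1:-$HOME/.config/firejail}" sys_dir="${2:-/etc/firejail}" f base
    for f in "$user_dir"/*.profile; do
        [ -f "$f" ] || continue
        base=${f##*/}
        if [ -f "$sys_dir/$base" ]; then printf '%s\n' "$sys_dir/$base"; fi
    done
}

# Demo on the local machine, using the program name from the page.
resolve_profile icecat || echo "icecat: no profile file found"
```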

Scripting

       Scripting commands:

       File and directory names
              File and directory names containing spaces are supported. The space character  '  '
              should not be escaped.

              Example: "blacklist ~/My Virtual Machines"

       # this is a comment

       include other.profile
              Include other.profile file.

              Example: "include /etc/firejail/disable-common.inc"

              other.profile  file  name can be prefixed with ${HOME}. This will force Firejail to
              look for the file in user home directory.

              Example: "include ${HOME}/myprofiles/profile1"  will  load  "~/myprofiles/profile1"
              file.

       noblacklist file_name
              If  the  file  name  matches  file_name,  the  file  will not be blacklisted in any
              blacklist commands that follow.

              Example: "noblacklist ${HOME}/.mozilla"

       ignore command
              Ignore command.

              Example: "ignore seccomp"

Filesystem

       These profile entries define a chroot filesystem built on top of the existing host
       filesystem. Each line describes a file element that is removed from the filesystem
       (blacklist), a read-only file or directory (read-only), a tmpfs mounted on top of an
       existing directory (tmpfs), or a directory or file mount-bound on top of another directory
       or file (bind).  Use private to set private mode.  File globbing is supported, and PATH
       and HOME directories are searched.  Examples:

       blacklist file_or_directory
              Blacklist directory or file. Examples:

              blacklist /usr/bin
              blacklist /usr/bin/gcc*
              blacklist ${PATH}/ifconfig
              blacklist ${HOME}/.ssh

       read-only file_or_directory
              Make directory or file read-only.

       tmpfs directory
              Mount  an empty tmpfs filesystem on top of directory. This option is available only
              when running the sandbox as root.

       bind directory1,directory2
              Mount-bind directory1 on top of directory2. This  option  is  only  available  when
              running as root.

       bind file1,file2
              Mount-bind  file1  on  top  of file2. This option is only available when running as
              root.

       private
              Mount  new  /root  and  /home/user  directories  in  temporary   filesystems.   All
              modifications are discarded when the sandbox is closed.

       private directory
              Use directory as user home.

       private-bin file,file
              Build a new /bin in a temporary filesystem, and copy the programs in the list.  The
              same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.

       private-dev
              Create a new /dev directory. Only dri, null, full, zero, tty,  pts,  ptmx,  random,
              urandom, log and shm devices are available.

       private-etc file,directory
              Build  a  new /etc in a temporary filesystem, and copy the files and directories in
              the list.  All modifications are discarded when the sandbox is closed.

       private-tmp
              Mount an empty temporary filesystem on top of /tmp directory.

       whitelist file_or_directory
              Build a new user home in a temporary filesystem, and mount-bind  file_or_directory.
              The modifications to file_or_directory are persistent, everything else is discarded
              when the sandbox is closed.

       tracelog
              Blacklist violations are logged to syslog.

Security filters

       The following security filters are currently implemented:

       caps   Enable default Linux capabilities filter.

       caps.drop all
              Blacklist all Linux capabilities.

       caps.drop capability,capability,capability
              Blacklist given Linux capabilities.

       caps.keep capability,capability,capability
              Whitelist given Linux capabilities.

       protocol protocol1,protocol2,protocol3
              Enable protocol filter. The filter is based on seccomp and checks the first
              argument to the socket system call. Recognized values: unix, inet, inet6, netlink
              and packet.

       seccomp
              Enable default seccomp filter.  The default list is  as  follows:  mount,  umount2,
              ptrace,  kexec_load,  open_by_handle_at,  init_module, finit_module, delete_module,
              iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev,
              sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open,
              fanotify_init and kcmp.

       seccomp syscall,syscall,syscall
              Enable seccomp filter and blacklist the system calls in the list on top of  default
              seccomp filter.

       seccomp.drop syscall,syscall,syscall
              Enable seccomp filter and blacklist  the system calls in the list.

       seccomp.keep syscall,syscall,syscall
              Enable seccomp filter and whitelist the system calls in the list.

       noroot Use this command to enable a user namespace. The namespace has only one user, the
              current user.  There is no root account (uid 0) defined in the namespace.
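
       As an added example (not Firejail code and not from the original page), the script
       below flattens a profile through the include and ignore commands of the Scripting
       section and reports which of the security filters above end up inactive. The function
       names, the three-filter baseline and the sample files are constructed for the
       illustration; it assumes ignore affects only lines read after it and matches whole
       leading words.

```shell
# Assumption: "ignore X" drops only the lines read after it whose leading
# words are exactly X (so "ignore seccomp" leaves "seccomp.drop ..." alone).
NL='
'
IGNORED=""                       # one ignored command per line

is_ignored() {                   # $1 = one profile line
    local cmd="$1"
    while :; do
        case "$NL$IGNORED" in *"$NL$cmd$NL"*) return 0 ;; esac
        case $cmd in *' '*) cmd=${cmd% *} ;; *) return 1 ;; esac
    done
}

# flatten_profile FILE: print the effective commands, following includes.
flatten_profile() {
    local line path prefix='${HOME}'
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac          # blank or comment
        if is_ignored "$line"; then continue; fi
        case $line in
            'ignore '*)  IGNORED="$IGNORED${line#ignore }$NL" ;;
            'include '*) path=${line#include }
                         case $path in "$prefix"*) path=$HOME${path#"$prefix"} ;; esac
                         flatten_profile "$path" ;;
            *)           printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# missing_filters FILE: print each baseline filter (this example's choice)
# that is absent from the flattened profile.
missing_filters() {
    local eff want
    IGNORED=""
    eff=$(flatten_profile "$1")
    for want in 'caps.drop all' seccomp noroot; do
        printf '%s\n' "$eff" | grep -qE "^$want( |\$)" || printf '%s\n' "$want"
    done
}

# Constructed sample: the application profile ignores a filter that the
# shared include would otherwise enable.
demo=$(mktemp -d)
printf '%s\n' 'caps.drop all' seccomp noroot > "$demo/base.inc"
printf '%s\n' 'ignore seccomp' "include $demo/base.inc" 'net none' > "$demo/app.profile"
missing_filters "$demo/app.profile"    # prints: seccomp
```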

Resource limits

       These profile entries define the limits on system resources (rlimits)  for  the  processes
       inside  the  sandbox.   The  limits  can  be modified inside the sandbox using the regular
       ulimit command. Example:

       rlimit-fsize 1024
              Set the maximum file size that can be created by a process to 1024 bytes.

       rlimit-nproc 1000
              Set the maximum number of processes that can be created for the real user ID of the
              calling process to 1000.

       rlimit-nofile 500
              Set the maximum number of files that can be opened by a process to 500.

       rlimit-sigpending 200
              Set the maximum number of processes that can be created for the real user ID of the
              calling process to 200.

CPU Affinity

       Set the CPU cores available for this sandbox using cpu command. Examples:

       cpu 1,2,3
              Use only CPU cores 0, 1 and 2.

Control Groups

       Place the sandbox in an existing control group specified by the full path of the task file
       using cgroup. Example:

       cgroup /sys/fs/cgroup/g1/tasks
              The sandbox is placed in g1 control group.

User Environment

       name sandboxname
              Set sandbox name. Example:

              name browser

       env name=value
              Set environment variable. Examples:

              env LD_LIBRARY_PATH=/opt/test/lib
              env CFLAGS="-W -Wall -Werror"

       nogroups
              Disable supplementary user groups.

       shell none
              Run the program directly, without a shell.

Networking

       Networking features available in profile files.

       netfilter
              If a new network namespace is created, enable the default network filter.

       netfilter filename
              If a new network namespace is created, enable the network filter in filename.

       net none
              Enable   a  new, unconnected network namespace. The only interface available in the
              new namespace is a new loopback interface (lo).  Use  this  option  to deny network
              access to programs that don't really need network access.

       dns address
              Set a DNS server for the sandbox. Up to three DNS servers can be defined.

       hostname name
              Set a hostname for the sandbox.

RELOCATING PROFILES

       For various reasons, some users might want to keep the profile files in a different
       directory. Using the --profile-path command line option, Firejail can be instructed to
       look for profiles in this directory.

       This is an example of relocating the profile files into a new directory,
       /home/netblue/myprofiles. Start by creating the new directory and copying all the profile
       files into it:

       $ mkdir ~/myprofiles && cd ~/myprofiles && cp /etc/firejail/* .

       Using the sed utility, modify the absolute paths for include commands:

       $ sed -i "s/\/etc\/firejail/\/home\/netblue\/myprofiles/g" *.profile
       $ sed -i "s/\/etc\/firejail/\/home\/netblue\/myprofiles/g" *.inc

       Start Firejail using the new path:

       $ firejail --profile-path=~/myprofiles
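
       An added check for the relocation procedure above, not part of the original page or of
       Firejail: relocate_profiles is a variant of the copy and sed steps that rewrites only
       include lines, and stale_or_missing_includes lists include targets that still point at
       the old directory or do not exist in the new one. Both function names are hypothetical,
       and the paths are assumed to contain no '|' or '&' characters.

```shell
# relocate_profiles OLD NEW: copy the profile files and repoint their includes.
relocate_profiles() {
    local old="${1%/}" new="${2%/}" f
    mkdir -p "$new" || return 1
    cp "$old"/* "$new"/ || return 1
    for f in "$new"/*.profile "$new"/*.inc; do
        [ -f "$f" ] || continue
        # Only lines starting with "include " are rewritten, so blacklist or
        # whitelist entries that mention OLD keep their meaning.
        sed "/^include /s|$old/|$new/|" "$f" > "$f.new" && mv "$f.new" "$f" || return 1
    done
}

# stale_or_missing_includes OLD NEW: print "file: target" for every include
# in NEW that still points into OLD, or points into NEW at a missing file.
stale_or_missing_includes() {
    local old="${1%/}" new="${2%/}" f target
    for f in "$new"/*.profile "$new"/*.inc; do
        [ -f "$f" ] || continue
        sed -n 's/^include //p' "$f" | while IFS= read -r target; do
            case $target in
                "$old"/*) printf '%s: %s\n' "$f" "$target" ;;
                "$new"/*) [ -f "$target" ] || printf '%s: %s\n' "$f" "$target" ;;
            esac
        done
    done
}

# Usage with the paths from the page:
#   relocate_profiles /etc/firejail "$HOME/myprofiles"
#   stale_or_missing_includes /etc/firejail "$HOME/myprofiles"
```

       Empty output from stale_or_missing_includes means every rewritten include resolves
       inside the new directory.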

FILES

       /etc/firejail/filename.profile, $HOME/.config/firejail/filename.profile

LICENSE

       Firejail is free software; you can redistribute it and/or modify it under the terms of the
       GNU General Public License as published by the Free Software Foundation; either version  2
       of the License, or (at your option) any later version.

       Homepage: http://firejail.wordpress.com

SEE ALSO

       firejail(1), firemon(1), firejail-login(5)