forked from netblue30/firejail
-
Notifications
You must be signed in to change notification settings - Fork 0
/
firejail.config
174 lines (130 loc) · 6.07 KB
/
firejail.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
# This is Firejail system-wide configuration file. The file contains
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values.
# Allow programs to display a tray icon (warning: allows escaping the sandbox;
# see https://github.com/netblue30/firejail/discussions/4053)
# allow-tray no
# Enable AppArmor functionality, default enabled.
# apparmor yes
# Number of ARP probes sent when assigning an IP address for --net option,
# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
# timeout is implemented for each probe. Increase this number to 4 if your
# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
# between 1 and 30.
# arp-probes 2
# Enable or disable bind support, default enabled.
# bind yes
# Allow (DRM) execution in browsers, default disabled.
# browser-allow-drm no
# Disable U2F in browsers, default enabled.
# browser-disable-u2f yes
# Enable or disable chroot support, default disabled
# chroot no
# Enable or disable dbus handling, default enabled.
# dbus yes
# Disable /mnt, /media, /run/mount and /run/media access. By default access
# to these directories is enabled. Unlike --disable-mnt profile option this
# cannot be overridden by --noblacklist or --ignore.
# disable-mnt no
# Enable or disable file transfer support, default enabled.
# file-transfer yes
# Enable Firejail green prompt in terminal, default disabled
# firejail-prompt no
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# force-nonewprivs no
# Allow sandbox joining as a regular user, default enabled.
# root user can always join sandboxes.
# join yes
# Timeout when joining a sandbox, default five seconds. It is not
# possible to join a sandbox while it is still starting up. Wait up
# to the specified period of time to allow sandbox setup to finish.
# join-timeout 5
# tracelog enables auditing blacklisted files and directories. A message
# is sent to syslog in case the file or the directory is accessed.
# Disabled by default.
# tracelog no
# Enable or disable sandbox name change, default enabled.
# name-change yes
# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of iptables-save and iptables-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules
# Enable or disable networking features, default enabled.
# network yes
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
# Set the limit for file copy in several --private-* options. The size is set
# in megabytes. By default we allow up to 500MB.
# Note: the files are copied in RAM.
# file-copy-limit 500
# Enable or disable private-bin feature, default enabled.
# private-bin yes
# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no
# Enable or disable private-cache feature, default enabled
# private-cache yes
# Enable or disable private-etc feature, default enabled.
# private-etc yes
# Enable or disable private-home feature, default enabled
# private-home yes
# Enable or disable private-lib feature, default disabled
# private-lib no
# Enable or disable private-opt feature, default enabled.
# private-opt yes
# Enable or disable private-srv feature, default enabled.
# private-srv yes
# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no
# Enable or disable seccomp support, default enabled.
# seccomp yes
# Add rules to the default seccomp filter. Same syntax as for --seccomp=
# None by default; this is an example.
# seccomp-filter-add !chroot,kcmp,mincore
# Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
# seccomp-error-action EPERM
# If seccomp subsystem in Linux kernel kills a program, a message is posted to syslog.
# Starting with Linux kernel version 4.14, it is possible to send seccomp violation messages
# even if the program is allowed to continue (see "seccomp-error-action EPERM" above).
# This logging feature is disabled by default in our implementation.
# seccomp-log no
# Enable or disable user namespace support, default enabled.
# userns yes
# Disable whitelist top level directories, in addition to those
# that are disabled out of the box. None by default; this is an example.
# whitelist-disable-topdir /etc,/usr/etc
# Enable or disable X11 sandboxing support, default enabled.
# x11 yes
# Xephyr command extra parameters. None by default; these are examples.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale
# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024
# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes
# Enable this option if you have a version of Xpra that supports --attach switch
# for start command, default disabled.
# xpra-attach no
# Xpra server command extra parameters. None by default; this is an example.
# xpra-extra-params --dpi 96
# Screen size for --x11=xvfb, default 800x600x24. The third dimension is
# color depth; use 24 unless you know exactly what you're doing.
# xvfb-screen 640x480x24
# xvfb-screen 800x600x24
# xvfb-screen 1024x768x24
# xvfb-screen 1280x1024x24
# Xvfb command extra parameters. None by default; this is an example.
# xvfb-extra-params -pixdepths 8 24 32