Diffstat (limited to 'etc/firejail.config')
-rw-r--r-- | etc/firejail.config | 50 |
1 files changed, 48 insertions, 2 deletions
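--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -9,24 +9,63 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
 
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
+
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
 
+# Enable Firejail green prompt in terminal, default disabled
+# firejail-prompt no
+
+# Force use of nonewprivs. This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control. Default disabled.
+# force-nonewprivs no
+
 # Enable or disable networking features, default enabled.
 # network yes
 
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+
+# Enable or disable private-home feature, default enabled
+# private-home yes
+
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
-# only to root user. Regular users are only allowed --net=none.
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of iptables-save and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
 # Enable or disable user namespace support, default enabled.
 # userns yes
 
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
+
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
 
@@ -36,3 +75,10 @@
 # xephyr-screen 800x600
 # xephyr-screen 1024x768
 # xephyr-screen 1280x1024
+
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale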
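Review bot: The new `netfilter-default` entry (new lines 53-58) lets the operator point at an arbitrary filter file but says nothing about who may write that file; since the filter is loaded and applied by firejail, which is normally installed setuid root (not visible in this hunk), a rules file writable by unprivileged users would let a local user inject firewall rules into every sandbox started with `--netfilter`. Add a caveat above the example, e.g. `# The file must be owned by root and not writable by other users, as it is applied with firejail's privileges.` The same block also misspells the tool name: `iptable-restore` should read `iptables-restore`. Separately, the `chroot-desktop` text (new lines 12-15) documents full host /dev access as a default without stating the trade-off; a one-line note such as `# Note: exposing the host /dev weakens device isolation; disable for non-graphical sandboxes.` would help operators choose deliberately. The file header and any options above line 9 lie outside the hunks.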