1 files changed, 45 insertions, 2 deletions
diff --git a/etc/firejail.config b/etc/firejail.config
index 41cd08e68..2ea767f37 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -9,24 +9,60 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
+# Force use of nonewprivs.  This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control.  Default disabled.
+# force-nonewprivs no
 # Enable or disable networking features, default enabled.
 # network yes
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+# Enable or disable private-home feature, default enabled
+# private-home yes
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
+# Restricted networking grants access to --interface, --net=ethXXX and
-# only to root user. Regular users are only allowed --net=none.
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 # Enable or disable user namespace support, default enabled.
 # userns yes
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
@@ -36,3 +72,10 @@
 # xephyr-screen 800x600
 # xephyr-screen 1024x768
 # xephyr-screen 1280x1024
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale

diff --git a/etc/firejail.config b/etc/firejail.config index 41cd08e68..2ea767f37 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -9,24 +9,60 @@
9	# Enable or disable chroot support, default enabled.	9	# Enable or disable chroot support, default enabled.
10	# chroot yes	10	# chroot yes
11		11
		12	# Use chroot for desktop programs, default enabled. The sandbox will have full
		13	# access to system's /dev directory in order to allow video acceleration,
		14	# and it will harden the rest of the chroot tree.
		15	# chroot-desktop yes
		16
12	# Enable or disable file transfer support, default enabled.	17	# Enable or disable file transfer support, default enabled.
13	# file-transfer yes	18	# file-transfer yes
14		19
		20	# Force use of nonewprivs. This mitigates the possibility of
		21	# a user abusing firejail's features to trick a privileged (suid
		22	# or file capabilities) process into loading code or configuration
		23	# that is partially under their control. Default disabled.
		24	# force-nonewprivs no
		25
15	# Enable or disable networking features, default enabled.	26	# Enable or disable networking features, default enabled.
16	# network yes	27	# network yes
17		28
		29	# Enable or disable overlayfs features, default enabled.
		30	# overlayfs yes
		31
		32	# Remove /usr/local directories from private-bin list, default disabled.
		33	# private-bin-no-local no
		34
		35	# Enable or disable private-home feature, default enabled
		36	# private-home yes
		37
		38	# Enable --quiet as default every time the sandbox is started. Default disabled.
		39	# quiet-by-default no
		40
		41	# Remount /proc and /sys inside the sandbox, default enabled.
		42	# remount-proc-sys yes
		43
18	# Enable or disable restricted network support, default disabled. If enabled,	44	# Enable or disable restricted network support, default disabled. If enabled,
19	# networking features should also be enabled (network yes).	45	# networking features should also be enabled (network yes).
20	# Restricted networking grants access to --interface and --net=ethXXX	46	# Restricted networking grants access to --interface, --net=ethXXX and
21	# only to root user. Regular users are only allowed --net=none.	47	# --netfilter only to root user. Regular users are only allowed --net=none.
22	# restricted-network no	48	# restricted-network no
23		49
		50	# Change default netfilter configuration. When using --netfilter option without
		51	# a file argument, the default filter is hardcoded (see man 1 firejail). This
		52	# configuration entry allows the user to change the default by specifying
		53	# a file containing the filter configuration. The filter file format is the
		54	# format of iptables-save and iptable-restore commands. Example:
		55	# netfilter-default /etc/iptables.iptables.rules
		56
24	# Enable or disable seccomp support, default enabled.	57	# Enable or disable seccomp support, default enabled.
25	# seccomp yes	58	# seccomp yes
26		59
27	# Enable or disable user namespace support, default enabled.	60	# Enable or disable user namespace support, default enabled.
28	# userns yes	61	# userns yes
29		62
		63	# Enable or disable whitelisting support, default enabled.
		64	# whitelist yes
		65
30	# Enable or disable X11 sandboxing support, default enabled.	66	# Enable or disable X11 sandboxing support, default enabled.
31	# x11 yes	67	# x11 yes
32		68
@@ -36,3 +72,10 @@
36	# xephyr-screen 800x600	72	# xephyr-screen 800x600
37	# xephyr-screen 1024x768	73	# xephyr-screen 1024x768
38	# xephyr-screen 1280x1024	74	# xephyr-screen 1280x1024
		75
		76	# Firejail window title in Xephyr, default enabled.
		77	# xephyr-window-title yes
		78
		79	# Xephyr command extra parameters. None by default, and the declaration is commented out.
		80	# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
		81	# xephyr-extra-params -grayscale