1 files changed, 48 insertions, 2 deletions
diff --git a/etc/firejail.config b/etc/firejail.config
index 41cd08e68..824e3f503 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -9,24 +9,63 @@
 # Enable or disable chroot support, default enabled.
 # chroot yes
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
 # Enable or disable file transfer support, default enabled.
 # file-transfer yes
+# Enable Firejail green prompt in terminal, default disabled
+# firejail-prompt no
+# Force use of nonewprivs.  This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control.  Default disabled.
+# force-nonewprivs no
 # Enable or disable networking features, default enabled.
 # network yes
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+# Enable or disable private-home feature, default enabled
+# private-home yes
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
 # Enable or disable restricted network support, default disabled. If enabled,
 # networking features should also be enabled (network yes).
-# Restricted networking grants access to --interface and --net=ethXXX
+# Restricted networking grants access to --interface, --net=ethXXX and
-# only to root user. Regular users are only allowed --net=none.
+# --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 # Enable or disable user namespace support, default enabled.
 # userns yes
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
@@ -36,3 +75,10 @@
 # xephyr-screen 800x600
 # xephyr-screen 1024x768
 # xephyr-screen 1280x1024
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale

diff --git a/etc/firejail.config b/etc/firejail.config index 41cd08e68..824e3f503 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -9,24 +9,63 @@
9	# Enable or disable chroot support, default enabled.	9	# Enable or disable chroot support, default enabled.
10	# chroot yes	10	# chroot yes
11		11
		12	# Use chroot for desktop programs, default enabled. The sandbox will have full
		13	# access to system's /dev directory in order to allow video acceleration,
		14	# and it will harden the rest of the chroot tree.
		15	# chroot-desktop yes
		16
12	# Enable or disable file transfer support, default enabled.	17	# Enable or disable file transfer support, default enabled.
13	# file-transfer yes	18	# file-transfer yes
14		19
		20	# Enable Firejail green prompt in terminal, default disabled
		21	# firejail-prompt no
		22
		23	# Force use of nonewprivs. This mitigates the possibility of
		24	# a user abusing firejail's features to trick a privileged (suid
		25	# or file capabilities) process into loading code or configuration
		26	# that is partially under their control. Default disabled.
		27	# force-nonewprivs no
		28
15	# Enable or disable networking features, default enabled.	29	# Enable or disable networking features, default enabled.
16	# network yes	30	# network yes
17		31
		32	# Enable or disable overlayfs features, default enabled.
		33	# overlayfs yes
		34
		35	# Remove /usr/local directories from private-bin list, default disabled.
		36	# private-bin-no-local no
		37
		38	# Enable or disable private-home feature, default enabled
		39	# private-home yes
		40
		41	# Enable --quiet as default every time the sandbox is started. Default disabled.
		42	# quiet-by-default no
		43
		44	# Remount /proc and /sys inside the sandbox, default enabled.
		45	# remount-proc-sys yes
		46
18	# Enable or disable restricted network support, default disabled. If enabled,	47	# Enable or disable restricted network support, default disabled. If enabled,
19	# networking features should also be enabled (network yes).	48	# networking features should also be enabled (network yes).
20	# Restricted networking grants access to --interface and --net=ethXXX	49	# Restricted networking grants access to --interface, --net=ethXXX and
21	# only to root user. Regular users are only allowed --net=none.	50	# --netfilter only to root user. Regular users are only allowed --net=none.
22	# restricted-network no	51	# restricted-network no
23		52
		53	# Change default netfilter configuration. When using --netfilter option without
		54	# a file argument, the default filter is hardcoded (see man 1 firejail). This
		55	# configuration entry allows the user to change the default by specifying
		56	# a file containing the filter configuration. The filter file format is the
		57	# format of iptables-save and iptable-restore commands. Example:
		58	# netfilter-default /etc/iptables.iptables.rules
		59
24	# Enable or disable seccomp support, default enabled.	60	# Enable or disable seccomp support, default enabled.
25	# seccomp yes	61	# seccomp yes
26		62
27	# Enable or disable user namespace support, default enabled.	63	# Enable or disable user namespace support, default enabled.
28	# userns yes	64	# userns yes
29		65
		66	# Enable or disable whitelisting support, default enabled.
		67	# whitelist yes
		68
30	# Enable or disable X11 sandboxing support, default enabled.	69	# Enable or disable X11 sandboxing support, default enabled.
31	# x11 yes	70	# x11 yes
32		71
@@ -36,3 +75,10 @@
36	# xephyr-screen 800x600	75	# xephyr-screen 800x600
37	# xephyr-screen 1024x768	76	# xephyr-screen 1024x768
38	# xephyr-screen 1280x1024	77	# xephyr-screen 1280x1024
		78
		79	# Firejail window title in Xephyr, default enabled.
		80	# xephyr-window-title yes
		81
		82	# Xephyr command extra parameters. None by default, and the declaration is commented out.
		83	# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
		84	# xephyr-extra-params -grayscale