# This is Firejail system-wide configuration file. The file contains # keyword-argument pairs, one per line. Most features are enabled by default. # Use 'yes' or 'no' as configuration values. # Allow programs to display a tray icon (warning: allows escaping the sandbox; # see https://github.com/netblue30/firejail/discussions/4053) # allow-tray no # Enable AppArmor functionality, default enabled. # apparmor yes # Number of ARP probes sent when assigning an IP address for --net option, # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds # timeout is implemented for each probe. Increase this number to 4 if your # local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are # between 1 and 30. # arp-probes 2 # Enable or disable bind support, default enabled. # bind yes # Allow (DRM) execution in browsers, default disabled. # browser-allow-drm no # Disable U2F in browsers, default enabled. # browser-disable-u2f yes # Enable or disable chroot support, default disabled # chroot no # Enable or disable dbus handling, default enabled. # dbus yes # Disable /mnt, /media, /run/mount and /run/media access. By default access # to these directories is enabled. Unlike --disable-mnt profile option this # cannot be overridden by --noblacklist or --ignore. # disable-mnt no # Enable or disable file transfer support, default enabled. # file-transfer yes # Enable Firejail green prompt in terminal, default disabled # firejail-prompt no # Force use of nonewprivs. This mitigates the possibility of # a user abusing firejail's features to trick a privileged (suid # or file capabilities) process into loading code or configuration # that is partially under their control. Default disabled. # force-nonewprivs no # Allow sandbox joining as a regular user, default enabled. # root user can always join sandboxes. # join yes # Timeout when joining a sandbox, default five seconds. It is not # possible to join a sandbox while it is still starting up. Wait up # to the specified period of time to allow sandbox setup to finish. # join-timeout 5 # tracelog enables auditing blacklisted files and directories. A message # is sent to syslog in case the file or the directory is accessed. # Disabled by default. # tracelog no # Enable or disable sandbox name change, default enabled. # name-change yes # Change default netfilter configuration. When using --netfilter option without # a file argument, the default filter is hardcoded (see man 1 firejail). This # configuration entry allows the user to change the default by specifying # a file containing the filter configuration. The filter file format is the # format of iptables-save and iptables-restore commands. Example: # netfilter-default /etc/iptables.iptables.rules # Enable or disable networking features, default enabled. # network yes # Enable or disable overlayfs features, default enabled. # overlayfs yes # Set the limit for file copy in several --private-* options. The size is set # in megabytes. By default we allow up to 500MB. # Note: the files are copied in RAM. # file-copy-limit 500 # Enable or disable private-bin feature, default enabled. # private-bin yes # Remove /usr/local directories from private-bin list, default disabled. # private-bin-no-local no # Enable or disable private-cache feature, default enabled # private-cache yes # Enable or disable private-etc feature, default enabled. # private-etc yes # Enable or disable private-home feature, default enabled # private-home yes # Enable or disable private-lib feature, default disabled # private-lib no # Enable or disable private-opt feature, default enabled. # private-opt yes # Enable or disable private-srv feature, default enabled. # private-srv yes # Enable --quiet as default every time the sandbox is started. Default disabled. # quiet-by-default no # Enable or disable restricted network support, default disabled. If enabled, # networking features should also be enabled (network yes). # Restricted networking grants access to --interface, --net=ethXXX and # --netfilter only to root user. Regular users are only allowed --net=none. # restricted-network no # Enable or disable seccomp support, default enabled. # seccomp yes # Add rules to the default seccomp filter. Same syntax as for --seccomp= # None by default; this is an example. # seccomp-filter-add !chroot,kcmp,mincore # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc) # seccomp-error-action EPERM # If seccomp subsystem in Linux kernel kills a program, a message is posted to syslog. # Starting with Linux kernel version 4.14, it is possible to send seccomp violation messages # even if the program is allowed to continue (see "seccomp-error-action EPERM" above). # This logging feature is disabled by default in our implementation. # seccomp-log no # Enable or disable user namespace support, default enabled. # userns yes # Disable whitelist top level directories, in addition to those # that are disabled out of the box. None by default; this is an example. # whitelist-disable-topdir /etc,/usr/etc # Enable or disable X11 sandboxing support, default enabled. # x11 yes # Xephyr command extra parameters. None by default; these are examples. # xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev # xephyr-extra-params -grayscale # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for # a full list of resolutions available on your specific setup. # xephyr-screen 640x480 # xephyr-screen 800x600 # xephyr-screen 1024x768 # xephyr-screen 1280x1024 # Firejail window title in Xephyr, default enabled. # xephyr-window-title yes # Enable this option if you have a version of Xpra that supports --attach switch # for start command, default disabled. # xpra-attach no # Xpra server command extra parameters. None by default; this is an example. # xpra-extra-params --dpi 96 # Screen size for --x11=xvfb, default 800x600x24. The third dimension is # color depth; use 24 unless you know exactly what you're doing. # xvfb-screen 640x480x24 # xvfb-screen 800x600x24 # xvfb-screen 1024x768x24 # xvfb-screen 1280x1024x24 # Xvfb command extra parameters. None by default; this is an example. # xvfb-extra-params -pixdepths 8 24 32