path: root/src/man/firejail-config.txt
.TH FIREJAIL-CONFIG 5 "MONTH YEAR" "VERSION" "firejail.config man page"
.SH NAME
firejail.config \- Firejail run time configuration file

.SH DESCRIPTION
/etc/firejail/firejail.config is the system-wide configuration file for Firejail.
It allows the system administrator to enable or disable a number of
features and Linux kernel security technologies used by the Firejail sandbox.
The file contains keyword-argument pairs, one per line.
Use 'yes' or 'no' as configuration values.

Note that some of these features can also be enabled or disabled at compile
time. Most features are enabled by default both at compile time and
at run time.

.TP
\fBbind
Enable or disable bind support, default enabled.

.TP
\fBchroot
Enable or disable chroot support, default enabled.

.TP
\fBfile-transfer
Enable or disable file transfer support, default enabled.

.TP
\fBforce-nonewprivs
Force use of nonewprivs.  This mitigates the possibility of
a user abusing firejail's features to trick a privileged (suid
or file capabilities) process into loading code or configuration
that is partially under their control.  Default disabled.

.TP
\fBnetwork
Enable or disable networking features, default enabled.

.TP
\fBrestricted-network
Enable or disable restricted network support, default disabled. If enabled,
networking features should also be enabled (network yes).
Restricted networking grants access to \-\-interface, \-\-net=ethXXX and
\-\-netfilter only to the root user. Regular users are only allowed \-\-net=none.

.TP
\fBseccomp
Enable or disable seccomp support, default enabled.

.TP
\fBuserns
Enable or disable user namespace support, default enabled.

.TP
\fBwhitelist
Enable or disable whitelisting support, default enabled.

.TP
\fBx11
Enable or disable X11 sandboxing support, default enabled.

.TP
\fBxephyr-screen
Screen size for \-\-x11=xephyr, default 800x600. Run /usr/bin/xrandr for
a full list of resolutions available on your specific setup. Examples:
.br

.br
xephyr-screen 640x480
.br
xephyr-screen 800x600
.br
xephyr-screen 1024x768
.br
xephyr-screen 1280x1024

.TP
\fBxephyr-window-title
Show the Firejail window title in Xephyr, default enabled.

.TP
\fBxephyr-extra-params
Extra parameters passed to the Xephyr command. None by default; the declaration ships commented out in the file. Examples:
.br

.br
xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
.br
xephyr-extra-params -grayscale
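.PP
A small checker for this keyword-argument format, added here as an example and not part of Firejail itself. The keyword list, the yes/no defaults and the rule that restricted-network needs network yes come from the entries above; the sample file at the bottom is constructed.

```python
# Added example: a checker for the keyword-argument format of firejail.config.
import re

# Keys the man page documents with yes/no values, and their documented defaults.
YES_NO_KEYS = {"bind", "chroot", "file-transfer", "force-nonewprivs", "network",
               "restricted-network", "seccomp", "userns", "whitelist", "x11",
               "xephyr-window-title"}
DEFAULTS = {k: "yes" for k in YES_NO_KEYS}
DEFAULTS.update({"force-nonewprivs": "no", "restricted-network": "no",
                 "xephyr-screen": "800x600"})
SCREEN_RE = re.compile(r"^[1-9][0-9]*x[1-9][0-9]*$")  # WIDTHxHEIGHT

def parse_config(text):
    """Return (settings, problems): one keyword-argument pair per line,
    blank lines and '#' comments skipped, unknown or malformed lines reported."""
    settings = dict(DEFAULTS)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key in YES_NO_KEYS:
            if value not in ("yes", "no"):
                problems.append(f"line {lineno}: {key} must be yes or no, got {value!r}")
                continue
        elif key == "xephyr-screen":
            if not SCREEN_RE.match(value):
                problems.append(f"line {lineno}: xephyr-screen expects WIDTHxHEIGHT, got {value!r}")
                continue
        elif key != "xephyr-extra-params":  # that one is free-form Xephyr arguments
            problems.append(f"line {lineno}: unknown keyword {key!r}")
            continue
        settings[key] = value
    # Cross-key rule from the man page: restricted-network also needs network yes.
    if settings["restricted-network"] == "yes" and settings["network"] != "yes":
        problems.append("restricted-network yes requires network yes")
    return settings, problems

# Constructed sample file: one bad value and one inconsistent pair.
SAMPLE = """bind yes
seccomp yes
network no
restricted-network yes
force-nonewprivs maybe
xephyr-screen 1024x768
# xephyr-extra-params -grayscale
"""
```

Running parse_config(SAMPLE) keeps the documented default for the rejected force-nonewprivs line and reports both the bad value and the restricted-network/network inconsistency.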

.SH COMPILE TIME CONFIGURATION
Most of the features described in this file can also be configured at compile time, please run \fB./configure --help\fR for more details.

.SH FILES
/etc/firejail/firejail.config

.SH LICENSE
Firejail is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
.PP
Homepage: http://firejail.wordpress.com
.SH SEE ALSO
\&\fIfirejail\fR\|(1),
\&\fIfiremon\fR\|(1),
\&\fIfirecfg\fR\|(1),
\&\fIfirejail-profile\fR\|(5),
\&\fIfirejail-login\fR\|(5)