# This is Firejail system-wide configuration file, see firejail-config(5) for
# more information. The file contains keyword-argument pairs, one per line.
# Most features are enabled by default. Use 'yes' or 'no' as configuration
# values.

# Enable or disable bind support, default enabled.
# bind yes

# Enable or disable chroot support, default enabled.
# chroot yes

# Use chroot for desktop programs, default enabled. The sandbox will have full
# access to system's /dev directory in order to allow video acceleration,
# and it will harden the rest of the chroot tree.
# chroot-desktop yes

# Enable or disable file transfer support, default enabled.
# file-transfer yes

# Force use of nonewprivs.  This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control.  Default disabled.
# force-nonewprivs no

# Enable or disable networking features, default enabled.
# network yes

# Enable or disable overlayfs features, default enabled.
# overlayfs yes

# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no

# Enable or disable private-home feature, default enabled
# private-home yes

# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no

# Remount /proc and /sys inside the sandbox, default enabled.
# remount-proc-sys yes

# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no

# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of  iptables-save  and iptable-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules

# Enable or disable seccomp support, default enabled.
# seccomp yes

# Enable or disable user namespace support, default enabled.
# userns yes

# Enable or disable whitelisting support, default enabled.
# whitelist yes

# Enable or disable X11 sandboxing support, default enabled.
# x11 yes

# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024

# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes

# Xephyr command extra parameters. None by default, and the declaration is commented out.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale