82 lines
2.9 KiB
Plaintext
82 lines
2.9 KiB
Plaintext
# This is Firejail system-wide configuration file, see firejail-config(5) for
|
|
# more information. The file contains keyword-argument pairs, one per line.
|
|
# Most features are enabled by default. Use 'yes' or 'no' as configuration
|
|
# values.
|
|
|
|
# Enable or disable bind support, default enabled.
|
|
# bind yes
|
|
|
|
# Enable or disable chroot support, default enabled.
|
|
# chroot yes
|
|
|
|
# Use chroot for desktop programs, default enabled. The sandbox will have full
|
|
# access to system's /dev directory in order to allow video acceleration,
|
|
# and it will harden the rest of the chroot tree.
|
|
# chroot-desktop yes
|
|
|
|
# Enable or disable file transfer support, default enabled.
|
|
# file-transfer yes
|
|
|
|
# Force use of nonewprivs. This mitigates the possibility of
|
|
# a user abusing firejail's features to trick a privileged (suid
|
|
# or file capabilities) process into loading code or configuration
|
|
# that is partially under their control. Default disabled.
|
|
# force-nonewprivs no
|
|
|
|
# Enable or disable networking features, default enabled.
|
|
# network yes
|
|
|
|
# Enable or disable overlayfs features, default enabled.
|
|
# overlayfs yes
|
|
|
|
# Remove /usr/local directories from private-bin list, default disabled.
|
|
# private-bin-no-local no
|
|
|
|
# Enable or disable private-home feature, default enabled
|
|
# private-home yes
|
|
|
|
# Enable --quiet as default every time the sandbox is started. Default disabled.
|
|
# quiet-by-default no
|
|
|
|
# Remount /proc and /sys inside the sandbox, default enabled.
|
|
# remount-proc-sys yes
|
|
|
|
# Enable or disable restricted network support, default disabled. If enabled,
|
|
# networking features should also be enabled (network yes).
|
|
# Restricted networking grants access to --interface, --net=ethXXX and
|
|
# --netfilter only to root user. Regular users are only allowed --net=none.
|
|
# restricted-network no
|
|
|
|
# Change default netfilter configuration. When using --netfilter option without
|
|
# a file argument, the default filter is hardcoded (see man 1 firejail). This
|
|
# configuration entry allows the user to change the default by specifying
|
|
# a file containing the filter configuration. The filter file format is the
|
|
# format of iptables-save and iptable-restore commands. Example:
|
|
# netfilter-default /etc/iptables.iptables.rules
|
|
|
|
# Enable or disable seccomp support, default enabled.
|
|
# seccomp yes
|
|
|
|
# Enable or disable user namespace support, default enabled.
|
|
# userns yes
|
|
|
|
# Enable or disable whitelisting support, default enabled.
|
|
# whitelist yes
|
|
|
|
# Enable or disable X11 sandboxing support, default enabled.
|
|
# x11 yes
|
|
|
|
# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
|
|
# a full list of resolutions available on your specific setup.
|
|
# xephyr-screen 640x480
|
|
# xephyr-screen 800x600
|
|
# xephyr-screen 1024x768
|
|
# xephyr-screen 1280x1024
|
|
|
|
# Firejail window title in Xephyr, default enabled.
|
|
# xephyr-window-title yes
|
|
|
|
# Xephyr command extra parameters. None by default, and the declaration is commented out.
|
|
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
|
|
# xephyr-extra-params -grayscale
|