# This is Firejail system-wide configuration file.  The file contains
# keyword-argument pairs, one per line. Most features are enabled by default.
# Use 'yes' or 'no' as configuration values.

# Enable AppArmor functionality, default enabled.
# apparmor yes

# Number of ARP probes sent when assigning an IP address for --net option,
# default 2. This is a partial implementation of RFC 5227. A 0.5 seconds
# timeout is implemented for each probe. Increase this number to 4 if your
# local layer 2 network uses RSTP (IEEE 802.1w). Permitted values are
# between 1 and 30.
# arp-probes 2

# Enable or disable bind support, default enabled.
# bind yes

# Enable or disable chroot support, default enabled.
# chroot yes

# Enable or disable dbus handling by --nodbus flag, default enabled.
# dbus yes

# Disable /mnt, /media, /run/mount and /run/media access. By default access
# to these directories is enabled.
# disable-mnt no

# Enable or disable file transfer support, default enabled.
# file-transfer yes

# Enable Firejail green prompt in terminal, default disabled
# firejail-prompt no

# Follow symlink as user. While using --whitelist feature,
# symlinks pointing outside home directory are followed only
# if both the link and the real file are owned by the user.
# Enabled by default
# follow-symlink-as-user yes

# Force use of nonewprivs.  This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control.  Default disabled.
# force-nonewprivs no

# Allow sandbox joining as a regular user, default enabled.
# root user can always join sandboxes.
# join yes

# Enable or disable networking features, default enabled.
# network yes

# Enable or disable overlayfs features, default enabled.
# overlayfs yes

# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no

# Enable or disable private-home feature, default enabled
# private-home yes

# Enable or disable private-cache feature, default enabled
# private-cache yes

# Enable or disable private-lib feature, default enabled
# private-lib yes

# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no

# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no

# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of  iptables-save  and iptable-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules

# Enable or disable seccomp support, default enabled.
# seccomp yes

# Enable or disable user namespace support, default enabled.
# userns yes

# Enable or disable whitelisting support, default enabled.
# whitelist yes

# Enable or disable X11 sandboxing support, default enabled.
# x11 yes

# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024

# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes

# Xephyr command extra parameters. None by default; these are examples.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale

# Xpra server command extra parameters. None by default; this is an example.
# xpra-extra-params --dpi 96

# Enable this option if you have a version of Xpra that supports --attach switch
# for start command, default disabled.
# xpra-attach no

# Screen size for --x11=xvfb, default 800x600x24.  The third dimension is
# color depth; use 24 unless you know exactly what you're doing.
# xvfb-screen 640x480x24
# xvfb-screen 800x600x24
# xvfb-screen 1024x768x24
# xvfb-screen 1280x1024x24

# Xvfb command extra parameters.  None by default; this is an example.
# xvfb-extra-params -pixdepths 8 24 32