diff options
| author |  Kristóf Marussy <kristof@marussy.com> | 2020-05-06 21:36:59 +0200 |
|---|---|---|
| committer | Kristóf Marussy <kristof@marussy.com> | 2020-05-07 02:15:42 +0200 |
| commit | 28a3d386a1aeff935ce85644db7734bbc14c054f (patch) | |
| tree | aa3752662366ec62cdb19b9bc208aa0a699ee059 | |
| parent | Update D-Bus audit (diff) | |
| download | firejail-28a3d386a1aeff935ce85644db7734bbc14c054f.tar.gz firejail-28a3d386a1aeff935ce85644db7734bbc14c054f.tar.zst firejail-28a3d386a1aeff935ce85644db7734bbc14c054f.zip | |
Documentation for new DBus options
| -rw-r--r-- | src/firejail/usage.c | 9 | ||||
| -rw-r--r-- | src/man/firejail-profile.txt | 18 | ||||
| -rw-r--r-- | src/man/firejail.txt | 136 |
3 files changed, 163 insertions, 0 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 08546fa51..4ab464289 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c | |||
| @@ -53,11 +53,20 @@ static char *usage_str = | |||
| 53 | #endif | 53 | #endif |
| 54 | " --cpu=cpu-number,cpu-number - set cpu affinity.\n" | 54 | " --cpu=cpu-number,cpu-number - set cpu affinity.\n" |
| 55 | " --cpu.print=name|pid - print the cpus in use.\n" | 55 | " --cpu.print=name|pid - print the cpus in use.\n" |
| 56 | " --dbus-log=file - set DBus log file location.\n" | ||
| 56 | " --dbus-system=filter|none - set system DBus access policy.\n" | 57 | " --dbus-system=filter|none - set system DBus access policy.\n" |
| 58 | " --dbus-system.broadcast=rule - allow signals on the system DBus according to rule.\n" | ||
| 59 | " --dbus-system.call=rule - allow calls on the system DBus according to rule.\n" | ||
| 60 | " --dbus-system.log - turn on logging for the system DBus." | ||
| 57 | " --dbus-system.own=name - allow ownership of name on the system DBus.\n" | 61 | " --dbus-system.own=name - allow ownership of name on the system DBus.\n" |
| 62 | " --dbus-system.see=name - allow seeing name on the system DBus.\n" | ||
| 58 | " --dbus-system.talk=name - allow talking to name on the system DBus.\n" | 63 | " --dbus-system.talk=name - allow talking to name on the system DBus.\n" |
| 59 | " --dbus-user=filter|none - set session DBus access policy.\n" | 64 | " --dbus-user=filter|none - set session DBus access policy.\n" |
| 65 | " --dbus-user.broadcast=rule - allow signals on the session DBus according to rule.\n" | ||
| 66 | " --dbus-user.call=rule - allow calls on the session DBus according to rule.\n" | ||
| 67 | " --dbus-user.log - turn on logging for the user DBus." | ||
| 60 | " --dbus-user.own=name - allow ownership of name on the session DBus.\n" | 68 | " --dbus-user.own=name - allow ownership of name on the session DBus.\n" |
| 69 | " --dbus-user.see=name - allow seeing name on the session DBus.\n" | ||
| 61 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" | 70 | " --dbus-user.talk=name - allow talking to name on the session DBus.\n" |
| 62 | " --debug - print sandbox debug messages.\n" | 71 | " --debug - print sandbox debug messages.\n" |
| 63 | " --debug-blacklists - debug blacklisting.\n" | 72 | " --debug-blacklists - debug blacklisting.\n" |
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index df2d2a2e8..198f33c00 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
| @@ -491,6 +491,15 @@ Allow the application to own the name org.gnome.ghex and all names underneath in | |||
| 491 | \fBdbus-system.talk org.freedesktop.Notifications | 491 | \fBdbus-system.talk org.freedesktop.Notifications |
| 492 | Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. | 492 | Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. |
| 493 | .TP | 493 | .TP |
| 494 | \fBdbus-system.see org.freedesktop.Notifications | ||
| 495 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus. | ||
| 496 | .TP | ||
| 497 | \fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
| 498 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | ||
| 499 | .TP | ||
| 500 | \fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
| 501 | Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus. | ||
| 502 | .TP | ||
| 494 | \fBdbus-user filter | 503 | \fBdbus-user filter |
| 495 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | 504 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. |
| 496 | .TP | 505 | .TP |
| @@ -503,6 +512,15 @@ Allow the application to own the name org.gnome.ghex and all names underneath in | |||
| 503 | \fBdbus-user.talk org.freedesktop.Notifications | 512 | \fBdbus-user.talk org.freedesktop.Notifications |
| 504 | Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. | 513 | Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. |
| 505 | .TP | 514 | .TP |
| 515 | \fBdbus-user.see org.freedesktop.Notifications | ||
| 516 | Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus. | ||
| 517 | .TP | ||
| 518 | \fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
| 519 | Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | ||
| 520 | .TP | ||
| 521 | \fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
| 522 | Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus. | ||
| 523 | .TP | ||
| 506 | \fBnodbus \fR(deprecated) | 524 | \fBnodbus \fR(deprecated) |
| 507 | Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. | 525 | Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. |
| 508 | .TP | 526 | .TP |
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index fae97ceb7..982b40d89 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
| @@ -326,6 +326,22 @@ $ firejail \-\-list | |||
| 326 | $ firejail \-\-cpu.print=3272 | 326 | $ firejail \-\-cpu.print=3272 |
| 327 | 327 | ||
| 328 | .TP | 328 | .TP |
| 329 | \fB\-\-dbus-log=file | ||
| 330 | Specify the location for the DBus log file. | ||
| 331 | .br | ||
| 332 | |||
| 333 | .br | ||
| 334 | The log file contains events for both the system and session buses if both of | ||
| 335 | the --dbus-sysem.log and --dbus-user.log options are specified. If no log file | ||
| 336 | path is given, logs are written to the standard output instead. | ||
| 337 | .br | ||
| 338 | |||
| 339 | .br | ||
| 340 | Example: | ||
| 341 | .br | ||
| 342 | $ firejail --dbus-system=filter --dbus-system.log --dbus-log=dbus.txt | ||
| 343 | |||
| 344 | .TP | ||
| 329 | \fB\-\-dbus-system=filter|none | 345 | \fB\-\-dbus-system=filter|none |
| 330 | Set system DBus sandboxing policy. | 346 | Set system DBus sandboxing policy. |
| 331 | .br | 347 | .br |
| @@ -353,6 +369,52 @@ Example: | |||
| 353 | $ firejail \-\-dbus-system=none | 369 | $ firejail \-\-dbus-system=none |
| 354 | 370 | ||
| 355 | .TP | 371 | .TP |
| 372 | \fB\-\-dbus-system.broadcast=name=[member][@path] | ||
| 373 | Allows the application to receive broadcast signals from theindicated interface | ||
| 374 | member at the indicated object path exposed by the indicated bus name on the | ||
| 375 | system DBus. | ||
| 376 | The name may have a .* suffix to match all names underneath it, including | ||
| 377 | itself. | ||
| 378 | The interface member may have a .* to match all members of an interface, or be * to match all interfaces. | ||
| 379 | The path may have a /* suffix to indicate all objects underneath it, including | ||
| 380 | itself. | ||
| 381 | Omitting the interface member or the object path will match all members and | ||
| 382 | object paths, respectively. | ||
| 383 | .br | ||
| 384 | |||
| 385 | .br | ||
| 386 | Example: | ||
| 387 | .br | ||
| 388 | $ firejail --dbus-system=filter --dbus-system.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
| 389 | |||
| 390 | .TP | ||
| 391 | \fB\-\-dbus-system.call=name=[member][@path] | ||
| 392 | Allows the application to call the indicated interface member at the indicated | ||
| 393 | object path exposed by the indicated bus name on the system DBus. | ||
| 394 | The name may have a .* suffix to match all names underneath it, including | ||
| 395 | itself. | ||
| 396 | The interface member may have a .* to match all members of an interface, or be * to match all interfaces. | ||
| 397 | The path may have a /* suffix to indicate all objects underneath it, including | ||
| 398 | itself. | ||
| 399 | Omitting the interface member or the object path will match all members and | ||
| 400 | object paths, respectively. | ||
| 401 | .br | ||
| 402 | |||
| 403 | .br | ||
| 404 | Example: | ||
| 405 | .br | ||
| 406 | $ firejail --dbus-system=filter --dbus-system.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
| 407 | |||
| 408 | .TP | ||
| 409 | \fB\-\-dbus-system.log | ||
| 410 | Turn on DBus logging for the system DBus. This option requires --dbus-system=log. | ||
| 411 | |||
| 412 | .br | ||
| 413 | Example: | ||
| 414 | .br | ||
| 415 | $ firejail --dbus-system=filter --dbus-system.log | ||
| 416 | |||
| 417 | .TP | ||
| 356 | \fB\-\-dbus-system.own=name | 418 | \fB\-\-dbus-system.own=name |
| 357 | Allows the application to own the specified well-known name on the system DBus. | 419 | Allows the application to own the specified well-known name on the system DBus. |
| 358 | The name may have a .* suffix to match all names underneath it, including itself | 420 | The name may have a .* suffix to match all names underneath it, including itself |
| @@ -366,6 +428,20 @@ Example: | |||
| 366 | $ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.* | 428 | $ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.* |
| 367 | 429 | ||
| 368 | .TP | 430 | .TP |
| 431 | \fB\-\-dbus-system.see=name | ||
| 432 | Allows the application to see, but not talk to the specified well-known name on | ||
| 433 | the system DBus. | ||
| 434 | The name may have a .* suffix to match all names underneath it, including itself | ||
| 435 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
| 436 | not "foobar"). | ||
| 437 | .br | ||
| 438 | |||
| 439 | .br | ||
| 440 | Example: | ||
| 441 | .br | ||
| 442 | $ firejail --dbus-system=filter --dbus-system.see=org.freedesktop.Notifications | ||
| 443 | |||
| 444 | .TP | ||
| 369 | \fB\-\-dbus-system.talk=name | 445 | \fB\-\-dbus-system.talk=name |
| 370 | Allows the application to talk to the specified well-known name on the system DBus. | 446 | Allows the application to talk to the specified well-known name on the system DBus. |
| 371 | The name may have a .* suffix to match all names underneath it, including itself | 447 | The name may have a .* suffix to match all names underneath it, including itself |
| @@ -406,6 +482,52 @@ Example: | |||
| 406 | $ firejail \-\-dbus-user=none | 482 | $ firejail \-\-dbus-user=none |
| 407 | 483 | ||
| 408 | .TP | 484 | .TP |
| 485 | \fB\-\-dbus-user.broadcast=name=[member][@path] | ||
| 486 | Allows the application to receive broadcast signals from theindicated interface | ||
| 487 | member at the indicated object path exposed by the indicated bus name on the | ||
| 488 | session DBus. | ||
| 489 | The name may have a .* suffix to match all names underneath it, including | ||
| 490 | itself. | ||
| 491 | The interface member may have a .* to match all members of an interface, or be * to match all interfaces. | ||
| 492 | The path may have a /* suffix to indicate all objects underneath it, including | ||
| 493 | itself. | ||
| 494 | Omitting the interface member or the object path will match all members and | ||
| 495 | object paths, respectively. | ||
| 496 | .br | ||
| 497 | |||
| 498 | .br | ||
| 499 | Example: | ||
| 500 | .br | ||
| 501 | $ firejail --dbus-user=filter --dbus-user.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
| 502 | |||
| 503 | .TP | ||
| 504 | \fB\-\-dbus-user.call=name=[member][@path] | ||
| 505 | Allows the application to call the indicated interface member at the indicated | ||
| 506 | object path exposed by the indicated bus name on the session DBus. | ||
| 507 | The name may have a .* suffix to match all names underneath it, including | ||
| 508 | itself. | ||
| 509 | The interface member may have a .* to match all members of an interface, or be * to match all interfaces. | ||
| 510 | The path may have a /* suffix to indicate all objects underneath it, including | ||
| 511 | itself. | ||
| 512 | Omitting the interface member or the object path will match all members and | ||
| 513 | object paths, respectively. | ||
| 514 | .br | ||
| 515 | |||
| 516 | .br | ||
| 517 | Example: | ||
| 518 | .br | ||
| 519 | $ firejail --dbus-user=filter --dbus-user.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications | ||
| 520 | |||
| 521 | .TP | ||
| 522 | \fB\-\-dbus-user.log | ||
| 523 | Turn on DBus logging for the session DBus. This option requires --dbus-user=log. | ||
| 524 | |||
| 525 | .br | ||
| 526 | Example: | ||
| 527 | .br | ||
| 528 | $ firejail --dbus-user=filter --dbus-user.log | ||
| 529 | |||
| 530 | .TP | ||
| 409 | \fB\-\-dbus-user.own=name | 531 | \fB\-\-dbus-user.own=name |
| 410 | Allows the application to own the specified well-known name on the session DBus. | 532 | Allows the application to own the specified well-known name on the session DBus. |
| 411 | The name may have a .* suffix to match all names underneath it, including itself | 533 | The name may have a .* suffix to match all names underneath it, including itself |
| @@ -432,6 +554,20 @@ Example: | |||
| 432 | $ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications | 554 | $ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications |
| 433 | 555 | ||
| 434 | .TP | 556 | .TP |
| 557 | \fB\-\-dbus-user.see=name | ||
| 558 | Allows the application to see, but not talk to the specified well-known name on | ||
| 559 | the session DBus. | ||
| 560 | The name may have a .* suffix to match all names underneath it, including itself | ||
| 561 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
| 562 | not "foobar"). | ||
| 563 | .br | ||
| 564 | |||
| 565 | .br | ||
| 566 | Example: | ||
| 567 | .br | ||
| 568 | $ firejail --dbus-user=filter --dbus-user.see=org.freedesktop.Notifications | ||
| 569 | |||
| 570 | .TP | ||
| 435 | \fB\-\-debug\fR | 571 | \fB\-\-debug\fR |
| 436 | Print debug messages. | 572 | Print debug messages. |
| 437 | .br | 573 | .br |