Add documentation for DBus filtering

author: Kristóf Marussy <kris7topher@gmail.com> 2020-03-03 00:22:45 +0100
committer: Kristóf Marussy <kris7topher@gmail.com> 2020-04-06 21:26:41 +0200
commit: 5fa90d04ac4e8ea8df174a0921b45570d8147707 (patch)
tree: 0a1b4a2013cd8a1d04d8254fed02b63480dfd579
parent: Add dbus filter options (diff)
download: firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.gz
firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.zst
firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.zip
3 files changed, 161 insertions, 11 deletions
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index 81a1a6099..0636a23c2 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -53,6 +53,12 @@ static char *usage_str =
 #endif
        "    --cpu=cpu-number,cpu-number - set cpu affinity.\n"
        "    --cpu.print=name|pid - print the cpus in use.\n"
+        "    --dbus-system=filter|none - set system DBus access policy.\n"
+        "    --dbus-system.own=name - allow ownership of name on the system DBus.\n"
+        "    --dbus-system.talk-name - allow talking to name on the system DBus.\n"
+        "    --dbus-user=filter|none - set session DBus access policy.\n"
+        "    --dbus-user.own=name - allow ownership of name on the session DBus.\n"
+        "    --dbus-user.talk-name - allow talking to name on the session DBus.\n"
        "    --debug - print sandbox debug messages.\n"
        "    --debug-blacklists - debug blacklisting.\n"
        "    --debug-caps - print all recognized capabilities.\n"
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 203d4543d..7ef512bbf 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -447,7 +447,55 @@ xephyr-screen 640x480
 .br
 x11 xephyr
+.SH DBus filtering
+Access to the session and system DBus UNIX sockets can be allowed, filtered or
+disabled. To disable the abstract sockets (and force applications to use the
+filtered UNIX socket) you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from the \-\-protocol set.
+.br
+.br
+Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be
+specified for well-known DBus names, but they are also propagated to the owning
+unique name, too. The permissions are "sticky" and are kept even if the
+corresponding well-know name is released (however, applications rarely release
+well-known names in practice). Names may have a .* suffix to match all names
+underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar",
+"foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information,
+see xdg-dbus-proxy(1).
+.br
+.br
+Examples:
+.TP
+\fBdbus-system filter
+Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands.
+.TP
+\fBdbus-system none
+Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
+.TP
+\fBdbus-system.own org.gnome.ghex.*
+Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
+.TP
+\fBdbus-system.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-user filter
+Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
+.TP
+\fBdbus-user none
+Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
+.TP
+\fBdbus-user.own org.gnome.ghex.*
+Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
+.TP
+\fBdbus-user.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBnodbus
+Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -522,12 +570,6 @@ Disable 3D hardware acceleration.
 Disable automatic ~/.config/pulse init, for complex setups such as remote
 pulse servers or non-standard socket paths.
 .TP
-\fBnodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by
-this command. To disable the abstract socket, you would need to
-request a new network namespace using the net command. Another
-option is to remove unix from protocol set.
-.TP
 \fBnodvd
 Disable DVD and audio CD devices.
 .TP
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 02c1d27b2..b0c4eeb15 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -326,6 +326,112 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 .TP
+\fB\-\-dbus-system=filter|none
+Set system DBus sandboxing policy. 
+.br
+.br
+The \fBfilter\fR policy enables the system DBus filter. This option requires
+installing the xdg-dbus-proxy utility. Permissions for well-known can be
+specified with the --dbus-system.talk and --dbus-system.own options.
+.br
+.br
+The \fBnone\fR policy disables access to the system DBus.
+.br
+.br
+Only the regular system DBus UNIX socket is handled by this option. To disable
+the abstract sockets (and force applications to use the filtered UNIX socket)
+you would need to request a new network namespace using \-\-net command. Another
+option is to remove unix from the \-\-protocol set.
+.br
+.br
+Example:
+.br
+$ firejail \-\-dbus-system=none
+.TP
+\fB\-\-dbus-system.own=name
+Allows the application to own the specified well-known name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.*
+.TP
+\fB\-\-dbus-system.talk=name
+Allows the application to talk to the specified well-known name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.talk=org.freedesktop.Notifications
+.TP
+\fB\-\-dbus-user=filter|none
+Set session DBus sandboxing policy.
+.br
+.br
+The \fBfilter\fR policy enables the session DBus filter. This option requires
+installing the xdg-dbus-proxy utility. Permissions for well-known names can be
+added with the --dbus-user.talk and --dbus-user.own options.
+.br
+.br
+The \fBnone\fR policy disables access to the session DBus.
+.br
+.br
+Only the regular session DBus UNIX socket is handled by this option. To disable
+the abstract sockets (and force applications to use the filtered UNIX socket)
+you would need to request a new network namespace using \-\-net command. Another
+option is to remove unix from the \-\-protocol set.
+.br
+.br
+Example:
+.br
+$ firejail \-\-dbus-user=none
+.TP
+\fB\-\-dbus-user.own=name
+Allows the application to own the specified well-known name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
+.TP
+\fB\-\-dbus-user.talk=name
+Allows the application to talk to the specified well-known name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications
+.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br
@@ -1171,11 +1277,7 @@ $ nc dict.org 2628
 .br
 .TP
 \fB\-\-nodbus
-Disable D-Bus access (both system and session buses). Only the regular
+Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none.
-UNIX sockets are handled by this command. To disable the abstract
-sockets you would need to request a new network namespace using
-\-\-net command. Another option is to remove unix from \-\-protocol
-set.
 .br
 .br
author	Kristóf Marussy <kris7topher@gmail.com>	2020-03-03 00:22:45 +0100
committer	Kristóf Marussy <kris7topher@gmail.com>	2020-04-06 21:26:41 +0200
commit	5fa90d04ac4e8ea8df174a0921b45570d8147707 (patch)
tree	0a1b4a2013cd8a1d04d8254fed02b63480dfd579
parent	Add dbus filter options (diff)
download	firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.gz firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.zst firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.zip

diff --git a/src/firejail/usage.c b/src/firejail/usage.c index 81a1a6099..0636a23c2 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c
@@ -53,6 +53,12 @@ static char *usage_str =
53	#endif	53	#endif
54	" --cpu=cpu-number,cpu-number - set cpu affinity.\n"	54	" --cpu=cpu-number,cpu-number - set cpu affinity.\n"
55	" --cpu.print=name\|pid - print the cpus in use.\n"	55	" --cpu.print=name\|pid - print the cpus in use.\n"
		56	" --dbus-system=filter\|none - set system DBus access policy.\n"
		57	" --dbus-system.own=name - allow ownership of name on the system DBus.\n"
		58	" --dbus-system.talk-name - allow talking to name on the system DBus.\n"
		59	" --dbus-user=filter\|none - set session DBus access policy.\n"
		60	" --dbus-user.own=name - allow ownership of name on the session DBus.\n"
		61	" --dbus-user.talk-name - allow talking to name on the session DBus.\n"
56	" --debug - print sandbox debug messages.\n"	62	" --debug - print sandbox debug messages.\n"
57	" --debug-blacklists - debug blacklisting.\n"	63	" --debug-blacklists - debug blacklisting.\n"
58	" --debug-caps - print all recognized capabilities.\n"	64	" --debug-caps - print all recognized capabilities.\n"


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 203d4543d..7ef512bbf 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -447,7 +447,55 @@ xephyr-screen 640x480
447	.br	447	.br
448	x11 xephyr	448	x11 xephyr
449		449
		450	.SH DBus filtering
450		451
		452	Access to the session and system DBus UNIX sockets can be allowed, filtered or
		453	disabled. To disable the abstract sockets (and force applications to use the
		454	filtered UNIX socket) you would need to request a new network namespace using
		455	\-\-net command. Another option is to remove unix from the \-\-protocol set.
		456	.br
		457
		458	.br
		459	Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be
		460	specified for well-known DBus names, but they are also propagated to the owning
		461	unique name, too. The permissions are "sticky" and are kept even if the
		462	corresponding well-know name is released (however, applications rarely release
		463	well-known names in practice). Names may have a .* suffix to match all names
		464	underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar",
		465	"foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information,
		466	see xdg-dbus-proxy(1).
		467	.br
		468
		469	.br
		470	Examples:
		471
		472	.TP
		473	\fBdbus-system filter
		474	Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands.
		475	.TP
		476	\fBdbus-system none
		477	Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
		478	.TP
		479	\fBdbus-system.own org.gnome.ghex.*
		480	Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
		481	.TP
		482	\fBdbus-system.talk org.freedesktop.Notifications
		483	Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
		484	.TP
		485	\fBdbus-user filter
		486	Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
		487	.TP
		488	\fBdbus-user none
		489	Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
		490	.TP
		491	\fBdbus-user.own org.gnome.ghex.*
		492	Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
		493	.TP
		494	\fBdbus-user.talk org.freedesktop.Notifications
		495	Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
		496	.TP
		497	\fBnodbus
		498	Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
451		499
452	.SH Resource limits, CPU affinity, Control Groups	500	.SH Resource limits, CPU affinity, Control Groups
453	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.	501	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -522,12 +570,6 @@ Disable 3D hardware acceleration.
522	Disable automatic ~/.config/pulse init, for complex setups such as remote	570	Disable automatic ~/.config/pulse init, for complex setups such as remote
523	pulse servers or non-standard socket paths.	571	pulse servers or non-standard socket paths.
524	.TP	572	.TP
525	\fBnodbus
526	Disable D-Bus access. Only the regular UNIX socket is handled by
527	this command. To disable the abstract socket, you would need to
528	request a new network namespace using the net command. Another
529	option is to remove unix from protocol set.
530	.TP
531	\fBnodvd	573	\fBnodvd
532	Disable DVD and audio CD devices.	574	Disable DVD and audio CD devices.
533	.TP	575	.TP


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 02c1d27b2..b0c4eeb15 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -326,6 +326,112 @@ $ firejail \-\-list
326	$ firejail \-\-cpu.print=3272	326	$ firejail \-\-cpu.print=3272
327		327
328	.TP	328	.TP
		329	\fB\-\-dbus-system=filter\|none
		330	Set system DBus sandboxing policy.
		331	.br
		332
		333	.br
		334	The \fBfilter\fR policy enables the system DBus filter. This option requires
		335	installing the xdg-dbus-proxy utility. Permissions for well-known can be
		336	specified with the --dbus-system.talk and --dbus-system.own options.
		337	.br
		338
		339	.br
		340	The \fBnone\fR policy disables access to the system DBus.
		341	.br
		342
		343	.br
		344	Only the regular system DBus UNIX socket is handled by this option. To disable
		345	the abstract sockets (and force applications to use the filtered UNIX socket)
		346	you would need to request a new network namespace using \-\-net command. Another
		347	option is to remove unix from the \-\-protocol set.
		348	.br
		349
		350	.br
		351	Example:
		352	.br
		353	$ firejail \-\-dbus-system=none
		354
		355	.TP
		356	\fB\-\-dbus-system.own=name
		357	Allows the application to own the specified well-known name on the system DBus.
		358	The name may have a .* suffix to match all names underneath it, including itself
		359	(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
		360	not "foobar").
		361	.br
		362
		363	.br
		364	Example:
		365	.br
		366	$ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.*
		367
		368	.TP
		369	\fB\-\-dbus-system.talk=name
		370	Allows the application to talk to the specified well-known name on the system DBus.
		371	The name may have a .* suffix to match all names underneath it, including itself
		372	(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
		373	not "foobar").
		374	.br
		375
		376	.br
		377	Example:
		378	.br
		379	$ firejail --dbus-system=filter --dbus-system.talk=org.freedesktop.Notifications
		380
		381	.TP
		382	\fB\-\-dbus-user=filter\|none
		383	Set session DBus sandboxing policy.
		384	.br
		385
		386	.br
		387	The \fBfilter\fR policy enables the session DBus filter. This option requires
		388	installing the xdg-dbus-proxy utility. Permissions for well-known names can be
		389	added with the --dbus-user.talk and --dbus-user.own options.
		390	.br
		391
		392	.br
		393	The \fBnone\fR policy disables access to the session DBus.
		394	.br
		395
		396	.br
		397	Only the regular session DBus UNIX socket is handled by this option. To disable
		398	the abstract sockets (and force applications to use the filtered UNIX socket)
		399	you would need to request a new network namespace using \-\-net command. Another
		400	option is to remove unix from the \-\-protocol set.
		401	.br
		402
		403	.br
		404	Example:
		405	.br
		406	$ firejail \-\-dbus-user=none
		407
		408	.TP
		409	\fB\-\-dbus-user.own=name
		410	Allows the application to own the specified well-known name on the session DBus.
		411	The name may have a .* suffix to match all names underneath it, including itself
		412	(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
		413	not "foobar").
		414	.br
		415
		416	.br
		417	Example:
		418	.br
		419	$ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.*
		420
		421	.TP
		422	\fB\-\-dbus-user.talk=name
		423	Allows the application to talk to the specified well-known name on the session DBus.
		424	The name may have a .* suffix to match all names underneath it, including itself
		425	(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
		426	not "foobar").
		427	.br
		428
		429	.br
		430	Example:
		431	.br
		432	$ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications
		433
		434	.TP
329	\fB\-\-debug\fR	435	\fB\-\-debug\fR
330	Print debug messages.	436	Print debug messages.
331	.br	437	.br
@@ -1171,11 +1277,7 @@ $ nc dict.org 2628
1171	.br	1277	.br
1172	.TP	1278	.TP
1173	\fB\-\-nodbus	1279	\fB\-\-nodbus
1174	Disable D-Bus access (both system and session buses). Only the regular	1280	Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none.
1175	UNIX sockets are handled by this command. To disable the abstract
1176	sockets you would need to request a new network namespace using
1177	\-\-net command. Another option is to remove unix from \-\-protocol
1178	set.
1179	.br	1281	.br
1180		1282
1181	.br	1283	.br