nextcloud: harden D-Bus filtering

author: glitsj16 <glitsj16@users.noreply.github.com> 2024-02-16 20:21:11 +0000
committer: GitHub <noreply@github.com> 2024-02-16 20:21:11 +0000
commit: 15fc09ec77263746a7081d2d58d8afa257be4322 (patch)
tree: 34731f98d54ee84554c069b633b004319d467128 /etc/profile-m-z
parent: build: ensure fnettrace prints to stdout (diff)
download: firejail-15fc09ec77263746a7081d2d58d8afa257be4322.tar.gz
firejail-15fc09ec77263746a7081d2d58d8afa257be4322.tar.zst
firejail-15fc09ec77263746a7081d2d58d8afa257be4322.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index d4bad2f67..f6d3d5b6b 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -65,7 +65,12 @@ private-etc @tls-ca,@x11,Nextcloud,host.conf,os-release
 private-dev
 private-tmp
-dbus-user filter
+# IMPORTANT: create ~/.local/share/dbus-1/services/com.nextcloudgmbh.Nextcloud.service
+# referencing the firejailed /usr/local/bin/nextcloud to keep nextcloud running sandboxed
+# even when started via systemd user service
+# see https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-sandbox-systemd-started-applications
+dbus-user filter 
+dbus-user.own com.nextcloudgmbh.Nextcloud
 dbus-user.talk org.freedesktop.secrets
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
author	glitsj16 <glitsj16@users.noreply.github.com>	2024-02-16 20:21:11 +0000
committer	GitHub <noreply@github.com>	2024-02-16 20:21:11 +0000
commit	15fc09ec77263746a7081d2d58d8afa257be4322 (patch)
tree	34731f98d54ee84554c069b633b004319d467128 /etc/profile-m-z
parent	build: ensure fnettrace prints to stdout (diff)
download	firejail-15fc09ec77263746a7081d2d58d8afa257be4322.tar.gz firejail-15fc09ec77263746a7081d2d58d8afa257be4322.tar.zst firejail-15fc09ec77263746a7081d2d58d8afa257be4322.zip