author | rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-05-02 18:05:48 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-02 18:05:48 +0000 |
commit | 8744e0854acaee7de267ab946c991fe5d82ec696 (patch) | |
tree | 6532dc1356b1c3aae0ff435ef7096ff3adacceff /etc/templates/profile.template | |
parent | various hardening (#3394) (diff) | |
dbus filter profiles (1) (#3326)
* dbus filter (1)
* dbus-filter: firefox
* drop org.gtk.vfs and com.canonical.AppMenu.Registrar
Diffstat (limited to 'etc/templates/profile.template')
-rw-r--r-- | etc/templates/profile.template | 17 |
1 files changed, 16 insertions, 1 deletions
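--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -33,6 +33,7 @@
 # WHITELIST INCLUDES
 # OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 # PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+# DBUS FILTER
 # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 # REDIRECT INCLUDES
 #
@@ -136,6 +137,7 @@ include globals.local
 #net none
 #netfilter
 #no3d
+##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
 #nodvd
 #nogroups
 #nonewprivs
@@ -185,7 +187,20 @@ include globals.local
 ##writable-var
 ##writable-var-log
 
-#dbus-user none
+# Since 0.9.63 also a more granular regulation of dbus is supported.
+# To get the dbus-addresses to which an application needs access to.
+# You can look at flatpak if the application is also distriputed via flatpak:
+# flatpak remote-info --show-metadata flathub <APP-ID>
+# Notes:
+# - flatpak implicitly allows an app to own <APP-ID> on the session bus
+# - In order to make dconf work (if it is used by the app) you need to allow
+# 'ca.desrt.dconf' even if it is not allowed by flatpak.
+# Notes and Policiy about addresses can be found at
+# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
+#dbus-user filter
+#dbus-user.own com.github.netblue30.firejail
+#dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
 ##env VAR=VALUE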
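Review bot: The third hunk removes `#dbus-user none` from the template and offers only `#dbus-user filter`, so a profile author starting from the template no longer sees the most restrictive session-bus setting as a choice, apart from its mention in the `##nodbus` deprecation note. I would keep it as a commented alternative and state the preference, e.g. `# Prefer 'dbus-user none' if the program needs no session bus access; use 'dbus-user filter' only with the names it requires.` The example lines leave the difference between `dbus-user.own` and `dbus-user.talk` unexplained, and `com.github.netblue30.firejail` appears to be a placeholder; a comment such as `# replace with the application's own bus name` would keep it from being copied verbatim into real profiles. The added comments also contain the typos "distriputed" and "Policiy".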