diff options
| author |  rusty-snake <41237666+rusty-snake@users.noreply.github.com> | 2020-05-02 18:05:48 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2020-05-02 18:05:48 +0000 |
| commit | 8744e0854acaee7de267ab946c991fe5d82ec696 (patch) | |
| tree | 6532dc1356b1c3aae0ff435ef7096ff3adacceff /etc/templates | |
| parent | various hardening (#3394) (diff) | |
| download | firejail-8744e0854acaee7de267ab946c991fe5d82ec696.tar.gz firejail-8744e0854acaee7de267ab946c991fe5d82ec696.tar.zst firejail-8744e0854acaee7de267ab946c991fe5d82ec696.zip | |
dbus filter profiles (1) (#3326)
* dbus filter (1)
* dbus-filter: firefox
* drop org.gtk.vfs and com.canonical.AppMenu.Registrar
Diffstat (limited to 'etc/templates')
| -rw-r--r-- | etc/templates/profile.template | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index d339ce476..be1175ce3 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
| @@ -33,6 +33,7 @@ | |||
| 33 | # WHITELIST INCLUDES | 33 | # WHITELIST INCLUDES |
| 34 | # OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog) | 34 | # OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog) |
| 35 | # PRIVATE OPTIONS (disable-mnt, private-*, writable-*) | 35 | # PRIVATE OPTIONS (disable-mnt, private-*, writable-*) |
| 36 | # DBUS FILTER | ||
| 36 | # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) | 37 | # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start) |
| 37 | # REDIRECT INCLUDES | 38 | # REDIRECT INCLUDES |
| 38 | # | 39 | # |
| @@ -136,6 +137,7 @@ include globals.local | |||
| 136 | #net none | 137 | #net none |
| 137 | #netfilter | 138 | #netfilter |
| 138 | #no3d | 139 | #no3d |
| 140 | ##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below) | ||
| 139 | #nodvd | 141 | #nodvd |
| 140 | #nogroups | 142 | #nogroups |
| 141 | #nonewprivs | 143 | #nonewprivs |
| @@ -185,7 +187,20 @@ include globals.local | |||
| 185 | ##writable-var | 187 | ##writable-var |
| 186 | ##writable-var-log | 188 | ##writable-var-log |
| 187 | 189 | ||
| 188 | #dbus-user none | 190 | # Since 0.9.63 also a more granular regulation of dbus is supported. |
| 191 | # To get the dbus-addresses to which an application needs access to. | ||
| 192 | # You can look at flatpak if the application is also distriputed via flatpak: | ||
| 193 | # flatpak remote-info --show-metadata flathub <APP-ID> | ||
| 194 | # Notes: | ||
| 195 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus | ||
| 196 | # - In order to make dconf work (if it is used by the app) you need to allow | ||
| 197 | # 'ca.desrt.dconf' even if it is not allowed by flatpak. | ||
| 198 | # Notes and Policiy about addresses can be found at | ||
| 199 | # <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus> | ||
| 200 | #dbus-user filter | ||
| 201 | #dbus-user.own com.github.netblue30.firejail | ||
| 202 | #dbus-user.talk ca.desrt.dconf | ||
| 203 | #dbus-user.talk org.freedesktop.Notifications | ||
| 189 | #dbus-system none | 204 | #dbus-system none |
| 190 | 205 | ||
| 191 | ##env VAR=VALUE | 206 | ##env VAR=VALUE |