Add documentation for DBus filtering

author: Kristóf Marussy <kris7topher@gmail.com> 2020-03-03 00:22:45 +0100
committer: Kristóf Marussy <kris7topher@gmail.com> 2020-04-06 21:26:41 +0200
commit: 5fa90d04ac4e8ea8df174a0921b45570d8147707 (patch)
tree: 0a1b4a2013cd8a1d04d8254fed02b63480dfd579 /src/man/firejail-profile.txt
parent: Add dbus filter options (diff)
download: firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.gz
firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.zst
firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.zip
1 files changed, 48 insertions, 6 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 203d4543d..7ef512bbf 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -447,7 +447,55 @@ xephyr-screen 640x480
 .br
 x11 xephyr
+.SH DBus filtering
+Access to the session and system DBus UNIX sockets can be allowed, filtered or
+disabled. To disable the abstract sockets (and force applications to use the
+filtered UNIX socket) you would need to request a new network namespace using
+\-\-net command. Another option is to remove unix from the \-\-protocol set.
+.br
+.br
+Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be
+specified for well-known DBus names, but they are also propagated to the owning
+unique name, too. The permissions are "sticky" and are kept even if the
+corresponding well-know name is released (however, applications rarely release
+well-known names in practice). Names may have a .* suffix to match all names
+underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar",
+"foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information,
+see xdg-dbus-proxy(1).
+.br
+.br
+Examples:
+.TP
+\fBdbus-system filter
+Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands.
+.TP
+\fBdbus-system none
+Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
+.TP
+\fBdbus-system.own org.gnome.ghex.*
+Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
+.TP
+\fBdbus-system.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-user filter
+Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
+.TP
+\fBdbus-user none
+Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
+.TP
+\fBdbus-user.own org.gnome.ghex.*
+Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
+.TP
+\fBdbus-user.talk org.freedesktop.Notifications
+Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBnodbus
+Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -522,12 +570,6 @@ Disable 3D hardware acceleration.
 Disable automatic ~/.config/pulse init, for complex setups such as remote
 pulse servers or non-standard socket paths.
 .TP
-\fBnodbus
-Disable D-Bus access. Only the regular UNIX socket is handled by
-this command. To disable the abstract socket, you would need to
-request a new network namespace using the net command. Another
-option is to remove unix from protocol set.
-.TP
 \fBnodvd
 Disable DVD and audio CD devices.
 .TP
author	Kristóf Marussy <kris7topher@gmail.com>	2020-03-03 00:22:45 +0100
committer	Kristóf Marussy <kris7topher@gmail.com>	2020-04-06 21:26:41 +0200
commit	5fa90d04ac4e8ea8df174a0921b45570d8147707 (patch)
tree	0a1b4a2013cd8a1d04d8254fed02b63480dfd579 /src/man/firejail-profile.txt
parent	Add dbus filter options (diff)
download	firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.gz firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.zst firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.zip

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 203d4543d..7ef512bbf 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -447,7 +447,55 @@ xephyr-screen 640x480
447	.br	447	.br
448	x11 xephyr	448	x11 xephyr
449		449
		450	.SH DBus filtering
450		451
		452	Access to the session and system DBus UNIX sockets can be allowed, filtered or
		453	disabled. To disable the abstract sockets (and force applications to use the
		454	filtered UNIX socket) you would need to request a new network namespace using
		455	\-\-net command. Another option is to remove unix from the \-\-protocol set.
		456	.br
		457
		458	.br
		459	Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be
		460	specified for well-known DBus names, but they are also propagated to the owning
		461	unique name, too. The permissions are "sticky" and are kept even if the
		462	corresponding well-know name is released (however, applications rarely release
		463	well-known names in practice). Names may have a .* suffix to match all names
		464	underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar",
		465	"foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information,
		466	see xdg-dbus-proxy(1).
		467	.br
		468
		469	.br
		470	Examples:
		471
		472	.TP
		473	\fBdbus-system filter
		474	Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands.
		475	.TP
		476	\fBdbus-system none
		477	Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.
		478	.TP
		479	\fBdbus-system.own org.gnome.ghex.*
		480	Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus.
		481	.TP
		482	\fBdbus-system.talk org.freedesktop.Notifications
		483	Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
		484	.TP
		485	\fBdbus-user filter
		486	Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
		487	.TP
		488	\fBdbus-user none
		489	Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.
		490	.TP
		491	\fBdbus-user.own org.gnome.ghex.*
		492	Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus.
		493	.TP
		494	\fBdbus-user.talk org.freedesktop.Notifications
		495	Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
		496	.TP
		497	\fBnodbus
		498	Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
451		499
452	.SH Resource limits, CPU affinity, Control Groups	500	.SH Resource limits, CPU affinity, Control Groups
453	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.	501	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -522,12 +570,6 @@ Disable 3D hardware acceleration.
522	Disable automatic ~/.config/pulse init, for complex setups such as remote	570	Disable automatic ~/.config/pulse init, for complex setups such as remote
523	pulse servers or non-standard socket paths.	571	pulse servers or non-standard socket paths.
524	.TP	572	.TP
525	\fBnodbus
526	Disable D-Bus access. Only the regular UNIX socket is handled by
527	this command. To disable the abstract socket, you would need to
528	request a new network namespace using the net command. Another
529	option is to remove unix from protocol set.
530	.TP
531	\fBnodvd	573	\fBnodvd
532	Disable DVD and audio CD devices.	574	Disable DVD and audio CD devices.
533	.TP	575	.TP