diff options
author | Kristóf Marussy <kris7topher@gmail.com> | 2020-03-03 00:22:45 +0100 |
---|---|---|
committer | Kristóf Marussy <kris7topher@gmail.com> | 2020-04-06 21:26:41 +0200 |
commit | 5fa90d04ac4e8ea8df174a0921b45570d8147707 (patch) | |
tree | 0a1b4a2013cd8a1d04d8254fed02b63480dfd579 /src/man/firejail-profile.txt | |
parent | Add dbus filter options (diff) | |
download | firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.gz firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.tar.zst firejail-5fa90d04ac4e8ea8df174a0921b45570d8147707.zip |
Add documentation for DBus filtering
Diffstat (limited to 'src/man/firejail-profile.txt')
-rw-r--r-- | src/man/firejail-profile.txt | 54 |
1 files changed, 48 insertions, 6 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 203d4543d..7ef512bbf 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -447,7 +447,55 @@ xephyr-screen 640x480 | |||
447 | .br | 447 | .br |
448 | x11 xephyr | 448 | x11 xephyr |
449 | 449 | ||
450 | .SH DBus filtering | ||
450 | 451 | ||
452 | Access to the session and system DBus UNIX sockets can be allowed, filtered or | ||
453 | disabled. To disable the abstract sockets (and force applications to use the | ||
454 | filtered UNIX socket) you would need to request a new network namespace using | ||
455 | \-\-net command. Another option is to remove unix from the \-\-protocol set. | ||
456 | .br | ||
457 | |||
458 | .br | ||
459 | Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be | ||
460 | specified for well-known DBus names, but they are also propagated to the owning | ||
461 | unique name, too. The permissions are "sticky" and are kept even if the | ||
462 | corresponding well-know name is released (however, applications rarely release | ||
463 | well-known names in practice). Names may have a .* suffix to match all names | ||
464 | underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar", | ||
465 | "foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information, | ||
466 | see xdg-dbus-proxy(1). | ||
467 | .br | ||
468 | |||
469 | .br | ||
470 | Examples: | ||
471 | |||
472 | .TP | ||
473 | \fBdbus-system filter | ||
474 | Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands. | ||
475 | .TP | ||
476 | \fBdbus-system none | ||
477 | Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering. | ||
478 | .TP | ||
479 | \fBdbus-system.own org.gnome.ghex.* | ||
480 | Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. | ||
481 | .TP | ||
482 | \fBdbus-system.talk org.freedesktop.Notifications | ||
483 | Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. | ||
484 | .TP | ||
485 | \fBdbus-user filter | ||
486 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | ||
487 | .TP | ||
488 | \fBdbus-user none | ||
489 | Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering. | ||
490 | .TP | ||
491 | \fBdbus-user.own org.gnome.ghex.* | ||
492 | Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. | ||
493 | .TP | ||
494 | \fBdbus-user.talk org.freedesktop.Notifications | ||
495 | Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. | ||
496 | .TP | ||
497 | \fBnodbus | ||
498 | Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. | ||
451 | 499 | ||
452 | .SH Resource limits, CPU affinity, Control Groups | 500 | .SH Resource limits, CPU affinity, Control Groups |
453 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | 501 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. |
@@ -522,12 +570,6 @@ Disable 3D hardware acceleration. | |||
522 | Disable automatic ~/.config/pulse init, for complex setups such as remote | 570 | Disable automatic ~/.config/pulse init, for complex setups such as remote |
523 | pulse servers or non-standard socket paths. | 571 | pulse servers or non-standard socket paths. |
524 | .TP | 572 | .TP |
525 | \fBnodbus | ||
526 | Disable D-Bus access. Only the regular UNIX socket is handled by | ||
527 | this command. To disable the abstract socket, you would need to | ||
528 | request a new network namespace using the net command. Another | ||
529 | option is to remove unix from protocol set. | ||
530 | .TP | ||
531 | \fBnodvd | 573 | \fBnodvd |
532 | Disable DVD and audio CD devices. | 574 | Disable DVD and audio CD devices. |
533 | .TP | 575 | .TP |