| field | value | date |
|---|---|---|
| author | Kristóf Marussy <kris7topher@gmail.com> | 2020-03-03 00:22:45 +0100 |
| committer | Kristóf Marussy <kris7topher@gmail.com> | 2020-04-06 21:26:41 +0200 |
| commit | 5fa90d04ac4e8ea8df174a0921b45570d8147707 (patch) | |
| tree | 0a1b4a2013cd8a1d04d8254fed02b63480dfd579 /src/man/firejail.txt | |
| parent | Add dbus filter options (diff) | |
Add documentation for DBus filtering
Diffstat (limited to 'src/man/firejail.txt')
-rw-r--r-- | src/man/firejail.txt | 112 |
1 files changed, 107 insertions, 5 deletions
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 02c1d27b2..b0c4eeb15 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -326,6 +326,112 @@ $ firejail \-\-list | |||
326 | $ firejail \-\-cpu.print=3272 | 326 | $ firejail \-\-cpu.print=3272 |
327 | 327 | ||
328 | .TP | 328 | .TP |
329 | \fB\-\-dbus-system=filter|none | ||
330 | Set system DBus sandboxing policy. | ||
331 | .br | ||
332 | |||
333 | .br | ||
334 | The \fBfilter\fR policy enables the system DBus filter. This option requires | ||
335 | installing the xdg-dbus-proxy utility. Permissions for well-known can be | ||
336 | specified with the --dbus-system.talk and --dbus-system.own options. | ||
337 | .br | ||
338 | |||
339 | .br | ||
340 | The \fBnone\fR policy disables access to the system DBus. | ||
341 | .br | ||
342 | |||
343 | .br | ||
344 | Only the regular system DBus UNIX socket is handled by this option. To disable | ||
345 | the abstract sockets (and force applications to use the filtered UNIX socket) | ||
346 | you would need to request a new network namespace using \-\-net command. Another | ||
347 | option is to remove unix from the \-\-protocol set. | ||
348 | .br | ||
349 | |||
350 | .br | ||
351 | Example: | ||
352 | .br | ||
353 | $ firejail \-\-dbus-system=none | ||
354 | |||
355 | .TP | ||
356 | \fB\-\-dbus-system.own=name | ||
357 | Allows the application to own the specified well-known name on the system DBus. | ||
358 | The name may have a .* suffix to match all names underneath it, including itself | ||
359 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
360 | not "foobar"). | ||
361 | .br | ||
362 | |||
363 | .br | ||
364 | Example: | ||
365 | .br | ||
366 | $ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.* | ||
367 | |||
368 | .TP | ||
369 | \fB\-\-dbus-system.talk=name | ||
370 | Allows the application to talk to the specified well-known name on the system DBus. | ||
371 | The name may have a .* suffix to match all names underneath it, including itself | ||
372 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
373 | not "foobar"). | ||
374 | .br | ||
375 | |||
376 | .br | ||
377 | Example: | ||
378 | .br | ||
379 | $ firejail --dbus-system=filter --dbus-system.talk=org.freedesktop.Notifications | ||
380 | |||
381 | .TP | ||
382 | \fB\-\-dbus-user=filter|none | ||
383 | Set session DBus sandboxing policy. | ||
384 | .br | ||
385 | |||
386 | .br | ||
387 | The \fBfilter\fR policy enables the session DBus filter. This option requires | ||
388 | installing the xdg-dbus-proxy utility. Permissions for well-known names can be | ||
389 | added with the --dbus-user.talk and --dbus-user.own options. | ||
390 | .br | ||
391 | |||
392 | .br | ||
393 | The \fBnone\fR policy disables access to the session DBus. | ||
394 | .br | ||
395 | |||
396 | .br | ||
397 | Only the regular session DBus UNIX socket is handled by this option. To disable | ||
398 | the abstract sockets (and force applications to use the filtered UNIX socket) | ||
399 | you would need to request a new network namespace using \-\-net command. Another | ||
400 | option is to remove unix from the \-\-protocol set. | ||
401 | .br | ||
402 | |||
403 | .br | ||
404 | Example: | ||
405 | .br | ||
406 | $ firejail \-\-dbus-user=none | ||
407 | |||
408 | .TP | ||
409 | \fB\-\-dbus-user.own=name | ||
410 | Allows the application to own the specified well-known name on the session DBus. | ||
411 | The name may have a .* suffix to match all names underneath it, including itself | ||
412 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
413 | not "foobar"). | ||
414 | .br | ||
415 | |||
416 | .br | ||
417 | Example: | ||
418 | .br | ||
419 | $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* | ||
420 | |||
421 | .TP | ||
422 | \fB\-\-dbus-user.talk=name | ||
423 | Allows the application to talk to the specified well-known name on the session DBus. | ||
424 | The name may have a .* suffix to match all names underneath it, including itself | ||
425 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
426 | not "foobar"). | ||
427 | .br | ||
428 | |||
429 | .br | ||
430 | Example: | ||
431 | .br | ||
432 | $ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications | ||
433 | |||
434 | .TP | ||
329 | \fB\-\-debug\fR | 435 | \fB\-\-debug\fR |
330 | Print debug messages. | 436 | Print debug messages. |
331 | .br | 437 | .br |
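Review bot: the abstract-socket paragraph at 344-347 (and its copy at 397-400) is inconsistent for the filter policy: it says the aim is to force the application onto the filtered UNIX socket, yet offers removing unix from the \-\-protocol set as an alternative, which would cut the application off from the filtered socket as well, since that socket is itself a UNIX socket; under filter only \-\-net achieves the stated effect, so either drop that sentence from the filter sections or say it applies only to \-\-dbus-system=none and \-\-dbus-user=none. Two smaller points: line 335 reads "Permissions for well-known can be specified", missing "names" (line 388 has it right), and the examples at 366, 379, 419 and 432, plus the prose at 336 and 389, write the options as bare `--`, whereas 353, 406 and the rest of the file use `\-\-`; groff can typeset an unescaped `--` as a single dash or an en dash, so use `\-\-` throughout, e.g. `$ firejail \-\-dbus-system=filter \-\-dbus-system.own=org.gnome.ghex.*`.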
@@ -1171,11 +1277,7 @@ $ nc dict.org 2628 | |||
1171 | .br | 1277 | .br |
1172 | .TP | 1278 | .TP |
1173 | \fB\-\-nodbus | 1279 | \fB\-\-nodbus |
1174 | Disable D-Bus access (both system and session buses). Only the regular | 1280 | Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. |
1175 | UNIX sockets are handled by this command. To disable the abstract | ||
1176 | sockets you would need to request a new network namespace using | ||
1177 | \-\-net command. Another option is to remove unix from \-\-protocol | ||
1178 | set. | ||
1179 | .br | 1281 | .br |
1180 | 1282 | ||
1181 | .br | 1283 | .br |
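Review bot: the new text on line 1280 writes the equivalent options as bare `--dbus-system=none --dbus-user=none`, while the tag line 1279 directly above uses `\fB\-\-nodbus` and the rest of the page escapes dashes; groff may render an unescaped `--` as a single dash, so write `Equivalent to \-\-dbus-system=none \-\-dbus-user=none.` Since the removed lines 1174-1178 were where the abstract-socket caveat was documented for \-\-nodbus, and it now lives only under the new options, consider adding "see \-\-dbus-system and \-\-dbus-user" so readers of this entry still find it.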