author | Kristóf Marussy <kristof@marussy.com> | 2020-05-06 21:36:59 +0200 |
---|---|---|
committer | Kristóf Marussy <kristof@marussy.com> | 2020-05-07 02:15:42 +0200 |
commit | 28a3d386a1aeff935ce85644db7734bbc14c054f (patch) | |
tree | aa3752662366ec62cdb19b9bc208aa0a699ee059 /src/man | |
parent | Update D-Bus audit (diff) | |
Documentation for new DBus options
Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 18 | ||||
-rw-r--r-- | src/man/firejail.txt | 136 |
2 files changed, 154 insertions, 0 deletions
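--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -491,6 +491,15 @@ Allow the application to own the name org.gnome.ghex and all names underneath in
 \fBdbus-system.talk org.freedesktop.Notifications
 Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.
 .TP
+\fBdbus-system.see org.freedesktop.Notifications
+Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
+\fBdbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.
+.TP
 \fBdbus-user filter
 Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.
 .TP
@@ -503,6 +512,15 @@ Allow the application to own the name org.gnome.ghex and all names underneath in
 \fBdbus-user.talk org.freedesktop.Notifications
 Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.
 .TP
+\fBdbus-user.see org.freedesktop.Notifications
+Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
+\fBdbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+Allow the application to recieve broadcast signals from the the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.
+.TP
 \fBnodbus \fR(deprecated)
 Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.
 .TP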
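--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -326,6 +326,22 @@ $ firejail \-\-list
 $ firejail \-\-cpu.print=3272
 
 .TP
+\fB\-\-dbus-log=file
+Specify the location for the DBus log file.
+.br
+
+.br
+The log file contains events for both the system and session buses if both of
+the --dbus-sysem.log and --dbus-user.log options are specified. If no log file
+path is given, logs are written to the standard output instead.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.log --dbus-log=dbus.txt
+
+.TP
 \fB\-\-dbus-system=filter|none
 Set system DBus sandboxing policy.
 .br
@@ -353,6 +369,52 @@ Example:
 $ firejail \-\-dbus-system=none
 
 .TP
+\fB\-\-dbus-system.broadcast=name=[member][@path]
+Allows the application to receive broadcast signals from theindicated interface
+member at the indicated object path exposed by the indicated bus name on the
+system DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-system.call=name=[member][@path]
+Allows the application to call the indicated interface member at the indicated
+object path exposed by the indicated bus name on the system DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-system.log
+Turn on DBus logging for the system DBus. This option requires --dbus-system=log.
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.log
+
+.TP
 \fB\-\-dbus-system.own=name
 Allows the application to own the specified well-known name on the system DBus.
 The name may have a .* suffix to match all names underneath it, including itself
@@ -366,6 +428,20 @@ Example:
 $ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.*
 
 .TP
+\fB\-\-dbus-system.see=name
+Allows the application to see, but not talk to the specified well-known name on
+the system DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-system=filter --dbus-system.see=org.freedesktop.Notifications
+
+.TP
 \fB\-\-dbus-system.talk=name
 Allows the application to talk to the specified well-known name on the system DBus.
 The name may have a .* suffix to match all names underneath it, including itself
@@ -406,6 +482,52 @@ Example:
 $ firejail \-\-dbus-user=none
 
 .TP
+\fB\-\-dbus-user.broadcast=name=[member][@path]
+Allows the application to receive broadcast signals from theindicated interface
+member at the indicated object path exposed by the indicated bus name on the
+session DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.broadcast=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-user.call=name=[member][@path]
+Allows the application to call the indicated interface member at the indicated
+object path exposed by the indicated bus name on the session DBus.
+The name may have a .* suffix to match all names underneath it, including
+itself.
+The interface member may have a .* to match all members of an interface, or be * to match all interfaces.
+The path may have a /* suffix to indicate all objects underneath it, including
+itself.
+Omitting the interface member or the object path will match all members and
+object paths, respectively.
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.call=org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
+
+.TP
+\fB\-\-dbus-user.log
+Turn on DBus logging for the session DBus. This option requires --dbus-user=log.
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.log
+
+.TP
 \fB\-\-dbus-user.own=name
 Allows the application to own the specified well-known name on the session DBus.
 The name may have a .* suffix to match all names underneath it, including itself
@@ -432,6 +554,20 @@ Example:
 $ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications
 
 .TP
+\fB\-\-dbus-user.see=name
+Allows the application to see, but not talk to the specified well-known name on
+the session DBus.
+The name may have a .* suffix to match all names underneath it, including itself
+(e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but
+not "foobar").
+.br
+
+.br
+Example:
+.br
+$ firejail --dbus-user=filter --dbus-user.see=org.freedesktop.Notifications
+
+.TP
 \fB\-\-debug\fR
 Print debug messages.
 .br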