19 files changed, 125 insertions, 19 deletions
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 9be6b1631..567bd912a 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -46,9 +46,10 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3
 private-dev
 private-tmp
-# uses dconf, MPRIS
+dbus-user filter
-# dbus-user none
+dbus-user.own io.github.celluloid_player.Celluloid
-# dbus-system none
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
+dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index ea5370649..6df9627b3 100644
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -54,6 +54,11 @@ private-dev
 private-etc dconf,fonts,gtk-3.0
 private-tmp
+dbus-user filter
+dbus.own com.github.dahenson.agenda
+dbus.talk ca.desrt.dconf
+dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.cache/agenda
 read-write ${HOME}/.config/agenda
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index e7cc66e32..62379d3ef 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -44,3 +44,8 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
+dbus-user filter
+dbus-user.own ca.desrt.dconf-editor
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 6690b33ca..3266f7d28 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,5 +15,10 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
+dbus-user filter
+dbus-user.own org.gnome.Eog
+dbus-user.talk ca.desrt.dconf
+dbus-system none
 # Redirect
 include eo-common.profile
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 7d3c7a8f4..60c6c8548 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -48,3 +48,11 @@ private-cache
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.FeedReader
+dbus-user.own org.gnome.FeedReader.ArticleView
+# Enable as you need.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 4a2cb260f..337311ed8 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -28,5 +28,12 @@ include whitelist-usr-share-common.inc
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
+dbus-user filter
+dbus-user.own org.mozilla.firefox.*
+dbus-user.own org.mpris.MediaPlayer2.firefox.*
+# Uncomment or put in your firefox.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+ignore dbus-user none
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index e7913f5e4..587a12a93 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -58,5 +58,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
-# dbus-user none
+dbus-user filter
-# dbus-system none
+dbus-user.own org.gabmus.gfeeds
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index c18a6b72e..1d5398403 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -48,3 +48,6 @@ private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
 private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 68f38c3ce..71b8e9b11 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -52,3 +52,10 @@ private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.gitg
+dbus-user.talk ca.desrt.dconf
+# Uncomment (or put in your gitg.local) if you need keyring access.
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index bf263efa9..1366d1e1e 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -62,3 +62,11 @@ private-bin gjs,gnome-maps
 private-dev
 private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Maps
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system filter
+#dbus-system.talk org.freedesktop.NetworkManager
+dbus-system.talk org.freedesktop.GeoClue2
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index f8be23f07..2a5d2a231 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -47,5 +47,11 @@ private-dev
 private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Pomodoro
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Shell
+dbus-system none
 read-only ${HOME}
 read-write ${HOME}/.local/share/gnome-pomodoro
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index cc5efb161..fe6bc025d 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
@@ -42,3 +42,8 @@ private-bin gnome-screenshot
 private-dev
 private-etc dconf,fonts,gtk-3.0,localtime,machine-id
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system none
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 6240cce65..453925022 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -48,4 +48,16 @@ private-dev
 private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
 private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Todo
+dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
+#dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+#dbus-user.talk org.gnome.evolution.dataserver.Sources5
+#dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
+#dbus-system filter
+#dbus-system.talk org.freedesktop.login1
 read-only ${HOME}
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 43dbad5f9..9458edf33 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -31,10 +31,6 @@ machine-id
 net none
 no3d
 nodvd
-# Breaks 'Lock database when session is locked or lid is closed' (#2899).
-# Also breaks (Plasma) tray icon,
-# you can safely uncomment it or add to keepassxc.local if you don't need these features.
-#
 nogroups
 nonewprivs
 noroot
@@ -52,11 +48,19 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
-# Breaks 'Lock database when session is locked or lid is closed' (#2899).
+dbus-user filter
-# Also breaks (Plasma) tray icon,
+#dbus-user.own org.keepassxc.KeePassXC
-# you can safely uncomment it or add to keepassxc.local if you don't need these features.
+dbus-user.talk com.canonical.Unity.Session
-# dbus-user none
+dbus-user.talk org.freedesktop.ScreenSaver
-# dbus-system none
+dbus-user.talk org.freedesktop.login1.Manager
+dbus-user.talk org.freedesktop.login1.Session
+dbus-user.talk org.gnome.ScreenSaver
+dbus-user.talk org.gnome.SessionManager
+dbus-user.talk org.gnome.SessionManager.Presence
+# Uncomment or add to your keepassxc.local to allow Notifications.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index aa113883e..948e2927c 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -46,4 +46,7 @@ tracelog
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 join-or-start libreoffice
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index e8f964383..f3939685a 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -47,6 +47,12 @@ private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
-# makes settings immutable
+dbus-user filter
-# dbus-user none
+dbus-user.own org.gnome.Rhythmbox3
-# dbus-system none
+dbus-user.own org.mpris.MediaPlayer2.rhythmbox
+dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+dbus-system filter
+dbus-system.talk org.freedesktop.Avahi
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 3a69086b5..85d86d646 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -61,3 +61,8 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
+dbus-user filter
+dbus-user.own org.gnome.seahorse.Application
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index d73e2e279..a30cb43d5 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -47,4 +47,3 @@ tracelog
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index d339ce476..be1175ce3 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -33,6 +33,7 @@
 #   WHITELIST INCLUDES
 #   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 #   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+#   DBUS FILTER
 #   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 #   REDIRECT INCLUDES
 #
@@ -136,6 +137,7 @@ include globals.local
 #net none
 #netfilter
 #no3d
+##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
 #nodvd
 #nogroups
 #nonewprivs
@@ -185,7 +187,20 @@ include globals.local
 ##writable-var
 ##writable-var-log
-#dbus-user none
+# Since 0.9.63 also a more granular regulation of dbus is supported.
+# To get the dbus-addresses to which an application needs access to.
+# You can look at flatpak if the application is also distriputed via flatpak:
+#    flatpak remote-info --show-metadata flathub <APP-ID>
+# Notes:
+#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
+#  - In order to make dconf work (if it is used by the app) you need to allow
+#    'ca.desrt.dconf' even if it is not allowed by flatpak.
+# Notes and Policiy about addresses can be found at
+# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
+#dbus-user filter
+#dbus-user.own com.github.netblue30.firejail
+#dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 ##env VAR=VALUE