Diffstat (limited to 'src/man')
-rw-r--r-- | src/man/firejail-profile.txt | 54 | ||||
-rw-r--r-- | src/man/firejail.txt | 112 |
2 files changed, 155 insertions, 11 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 203d4543d..7ef512bbf 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt | |||
@@ -447,7 +447,55 @@ xephyr-screen 640x480 | |||
447 | .br | 447 | .br |
448 | x11 xephyr | 448 | x11 xephyr |
449 | 449 | ||
450 | .SH DBus filtering | ||
450 | 451 | ||
452 | Access to the session and system DBus UNIX sockets can be allowed, filtered or | ||
453 | disabled. To disable the abstract sockets (and force applications to use the | ||
454 | filtered UNIX socket) you would need to request a new network namespace using | ||
455 | \-\-net command. Another option is to remove unix from the \-\-protocol set. | ||
456 | .br | ||
457 | |||
458 | .br | ||
459 | Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be | ||
460 | specified for well-known DBus names, but they are also propagated to the owning | ||
461 | unique name, too. The permissions are "sticky" and are kept even if the | ||
462 | corresponding well-know name is released (however, applications rarely release | ||
463 | well-known names in practice). Names may have a .* suffix to match all names | ||
464 | underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar", | ||
465 | "foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information, | ||
466 | see xdg-dbus-proxy(1). | ||
467 | .br | ||
468 | |||
469 | .br | ||
470 | Examples: | ||
471 | |||
472 | .TP | ||
473 | \fBdbus-system filter | ||
474 | Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands. | ||
475 | .TP | ||
476 | \fBdbus-system none | ||
477 | Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering. | ||
478 | .TP | ||
479 | \fBdbus-system.own org.gnome.ghex.* | ||
480 | Allow the application to own the name org.gnome.ghex and all names underneath in on the system DBus. | ||
481 | .TP | ||
482 | \fBdbus-system.talk org.freedesktop.Notifications | ||
483 | Allow the application to talk to the name org.freedesktop.Notifications on the system DBus. | ||
484 | .TP | ||
485 | \fBdbus-user filter | ||
486 | Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands. | ||
487 | .TP | ||
488 | \fBdbus-user none | ||
489 | Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering. | ||
490 | .TP | ||
491 | \fBdbus-user.own org.gnome.ghex.* | ||
492 | Allow the application to own the name org.gnome.ghex and all names underneath in on the session DBus. | ||
493 | .TP | ||
494 | \fBdbus-user.talk org.freedesktop.Notifications | ||
495 | Allow the application to talk to the name org.freedesktop.Notifications on the session DBus. | ||
496 | .TP | ||
497 | \fBnodbus | ||
498 | Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none. | ||
451 | 499 | ||
452 | .SH Resource limits, CPU affinity, Control Groups | 500 | .SH Resource limits, CPU affinity, Control Groups |
453 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. | 501 | These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox. |
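Review bot: The intro paragraph at new lines 454-455 uses the command-line spellings \-\-net and \-\-protocol, but this is the profile man page, and the nodbus text it replaces referred to "the net command" and "protocol set"; suggest keeping the profile spellings here. Wording fixes in the same hunk: "well-know name" at line 462 should be "well-known name", "all names underneath in on the system DBus" at lines 480 and 492 should read "underneath it on", and "they are also propagated to the owning unique name, too" at lines 460-461 says "also" and "too" for the same thing. The entries under "Examples:" are the reference definitions of the dbus-* commands rather than examples, so that label could be dropped or reworded.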
@@ -522,12 +570,6 @@ Disable 3D hardware acceleration. | |||
522 | Disable automatic ~/.config/pulse init, for complex setups such as remote | 570 | Disable automatic ~/.config/pulse init, for complex setups such as remote |
523 | pulse servers or non-standard socket paths. | 571 | pulse servers or non-standard socket paths. |
524 | .TP | 572 | .TP |
525 | \fBnodbus | ||
526 | Disable D-Bus access. Only the regular UNIX socket is handled by | ||
527 | this command. To disable the abstract socket, you would need to | ||
528 | request a new network namespace using the net command. Another | ||
529 | option is to remove unix from protocol set. | ||
530 | .TP | ||
531 | \fBnodvd | 573 | \fBnodvd |
532 | Disable DVD and audio CD devices. | 574 | Disable DVD and audio CD devices. |
533 | .TP | 575 | .TP |
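Review bot: Removing the nodbus entry at old lines 525-530 drops the only explicit statement in this file that "Only the regular UNIX socket is handled by this command"; the new DBus filtering intro explains how to disable the abstract sockets but never says that the dbus-user, dbus-system and nodbus commands leave them reachable. Suggest carrying that sentence into the new section, as the firejail.txt entries do ("Only the regular system DBus UNIX socket is handled by this option"), so a reader who sets nodbus does not assume the bus is fully cut off.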
diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 02c1d27b2..b0c4eeb15 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt | |||
@@ -326,6 +326,112 @@ $ firejail \-\-list | |||
326 | $ firejail \-\-cpu.print=3272 | 326 | $ firejail \-\-cpu.print=3272 |
327 | 327 | ||
328 | .TP | 328 | .TP |
329 | \fB\-\-dbus-system=filter|none | ||
330 | Set system DBus sandboxing policy. | ||
331 | .br | ||
332 | |||
333 | .br | ||
334 | The \fBfilter\fR policy enables the system DBus filter. This option requires | ||
335 | installing the xdg-dbus-proxy utility. Permissions for well-known can be | ||
336 | specified with the --dbus-system.talk and --dbus-system.own options. | ||
337 | .br | ||
338 | |||
339 | .br | ||
340 | The \fBnone\fR policy disables access to the system DBus. | ||
341 | .br | ||
342 | |||
343 | .br | ||
344 | Only the regular system DBus UNIX socket is handled by this option. To disable | ||
345 | the abstract sockets (and force applications to use the filtered UNIX socket) | ||
346 | you would need to request a new network namespace using \-\-net command. Another | ||
347 | option is to remove unix from the \-\-protocol set. | ||
348 | .br | ||
349 | |||
350 | .br | ||
351 | Example: | ||
352 | .br | ||
353 | $ firejail \-\-dbus-system=none | ||
354 | |||
355 | .TP | ||
356 | \fB\-\-dbus-system.own=name | ||
357 | Allows the application to own the specified well-known name on the system DBus. | ||
358 | The name may have a .* suffix to match all names underneath it, including itself | ||
359 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
360 | not "foobar"). | ||
361 | .br | ||
362 | |||
363 | .br | ||
364 | Example: | ||
365 | .br | ||
366 | $ firejail --dbus-system=filter --dbus-system.own=org.gnome.ghex.* | ||
367 | |||
368 | .TP | ||
369 | \fB\-\-dbus-system.talk=name | ||
370 | Allows the application to talk to the specified well-known name on the system DBus. | ||
371 | The name may have a .* suffix to match all names underneath it, including itself | ||
372 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
373 | not "foobar"). | ||
374 | .br | ||
375 | |||
376 | .br | ||
377 | Example: | ||
378 | .br | ||
379 | $ firejail --dbus-system=filter --dbus-system.talk=org.freedesktop.Notifications | ||
380 | |||
381 | .TP | ||
382 | \fB\-\-dbus-user=filter|none | ||
383 | Set session DBus sandboxing policy. | ||
384 | .br | ||
385 | |||
386 | .br | ||
387 | The \fBfilter\fR policy enables the session DBus filter. This option requires | ||
388 | installing the xdg-dbus-proxy utility. Permissions for well-known names can be | ||
389 | added with the --dbus-user.talk and --dbus-user.own options. | ||
390 | .br | ||
391 | |||
392 | .br | ||
393 | The \fBnone\fR policy disables access to the session DBus. | ||
394 | .br | ||
395 | |||
396 | .br | ||
397 | Only the regular session DBus UNIX socket is handled by this option. To disable | ||
398 | the abstract sockets (and force applications to use the filtered UNIX socket) | ||
399 | you would need to request a new network namespace using \-\-net command. Another | ||
400 | option is to remove unix from the \-\-protocol set. | ||
401 | .br | ||
402 | |||
403 | .br | ||
404 | Example: | ||
405 | .br | ||
406 | $ firejail \-\-dbus-user=none | ||
407 | |||
408 | .TP | ||
409 | \fB\-\-dbus-user.own=name | ||
410 | Allows the application to own the specified well-known name on the session DBus. | ||
411 | The name may have a .* suffix to match all names underneath it, including itself | ||
412 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
413 | not "foobar"). | ||
414 | .br | ||
415 | |||
416 | .br | ||
417 | Example: | ||
418 | .br | ||
419 | $ firejail --dbus-user=filter --dbus-user.own=org.gnome.ghex.* | ||
420 | |||
421 | .TP | ||
422 | \fB\-\-dbus-user.talk=name | ||
423 | Allows the application to talk to the specified well-known name on the session DBus. | ||
424 | The name may have a .* suffix to match all names underneath it, including itself | ||
425 | (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but | ||
426 | not "foobar"). | ||
427 | .br | ||
428 | |||
429 | .br | ||
430 | Example: | ||
431 | .br | ||
432 | $ firejail --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications | ||
433 | |||
434 | .TP | ||
329 | \fB\-\-debug\fR | 435 | \fB\-\-debug\fR |
330 | Print debug messages. | 436 | Print debug messages. |
331 | .br | 437 | .br |
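Review bot: At new line 335 the sentence "Permissions for well-known can be specified" is missing its noun; the \-\-dbus-user entry at line 388 has "well-known names", so use the same wording here. The option names in running text and in the examples at lines 336, 366, 379, 389, 419 and 432 are written with a plain -- while the entry headers and the =none examples use \-\-; escape them consistently. In the .own examples, consider quoting the argument (for instance '--dbus-user.own=org.gnome.ghex.*') so the shell never treats the trailing * as a glob.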
@@ -1171,11 +1277,7 @@ $ nc dict.org 2628 | |||
1171 | .br | 1277 | .br |
1172 | .TP | 1278 | .TP |
1173 | \fB\-\-nodbus | 1279 | \fB\-\-nodbus |
1174 | Disable D-Bus access (both system and session buses). Only the regular | 1280 | Disable D-Bus access (both system and session buses). Equivalent to --dbus-system=none --dbus-user=none. |
1175 | UNIX sockets are handled by this command. To disable the abstract | ||
1176 | sockets you would need to request a new network namespace using | ||
1177 | \-\-net command. Another option is to remove unix from \-\-protocol | ||
1178 | set. | ||
1179 | .br | 1281 | .br |
1180 | 1282 | ||
1181 | .br | 1283 | .br |
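Review bot: The new \-\-nodbus text at line 1280 drops the abstract-socket caveat without pointing to where it now lives; since the option is described as equivalent to the two =none policies, either keep one sentence saying only the regular UNIX sockets are handled or add a reference to the \-\-dbus-system and \-\-dbus-user entries that carry the caveat. The added "--dbus-system=none --dbus-user=none" also uses unescaped dashes where the rest of the page uses \-\-.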