Access to the session and system DBus UNIX sockets can be
allowed, filtered or disabled. To disable the abstract sockets
(and force applications to use the filtered UNIX socket) you
would need to request a new network namespace using the --net
command. Another option is to remove unix from the --protocol
set.
Filtering requires installing the xdg-dbus-proxy utility. Filter
rules can be specified for well-known DBus names, and they are
also propagated to the owning unique name. The permissions
are "sticky" and are kept even if the corresponding well-known
name is released (however, applications rarely release well-known
names in practice). Names may have a .* suffix to match all names
underneath them, including themselves (e.g. "foo.bar.*" matches
"foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not
"foobar"). For more information, see xdg-dbus-proxy(1).
Examples:
dbus-system filter
Enable filtered access to the system DBus. Filters can be
specified with the dbus-system.talk and dbus-system.own
commands.
dbus-system none
Disable access to the system DBus. Once access is
disabled, it cannot be relaxed to filtering.
dbus-system.own org.gnome.ghex.*
Allow the application to own the name org.gnome.ghex and
all names underneath it on the system DBus.
dbus-system.talk org.freedesktop.Notifications
Allow the application to talk to the name
org.freedesktop.Notifications on the system DBus.
dbus-system.see org.freedesktop.Notifications
Allow the application to see but not talk to the name
org.freedesktop.Notifications on the system DBus.
dbus-system.call
org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to call methods of the interface
org.freedesktop.Notifications of the object exposed at the
path /org/freedesktop/Notifications by the client owning
the bus name org.freedesktop.Notifications on the system
DBus.
dbus-system.broadcast
org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to receive broadcast signals from
the interface org.freedesktop.Notifications of the
object exposed at the path /org/freedesktop/Notifications
by the client owning the bus name
org.freedesktop.Notifications on the system DBus.
dbus-user filter
Enable filtered access to the session DBus. Filters can be
specified with the dbus-user.talk and dbus-user.own
commands.
dbus-user none
Disable access to the session DBus. Once access is
disabled, it cannot be relaxed to filtering.
dbus-user.own org.gnome.ghex.*
Allow the application to own the name org.gnome.ghex and
all names underneath it on the session DBus.
dbus-user.talk org.freedesktop.Notifications
Allow the application to talk to the name
org.freedesktop.Notifications on the session DBus.
dbus-user.see org.freedesktop.Notifications
Allow the application to see but not talk to the name
org.freedesktop.Notifications on the session DBus.
dbus-user.call
org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to call methods of the interface
org.freedesktop.Notifications of the object exposed at the
path /org/freedesktop/Notifications by the client owning
the bus name org.freedesktop.Notifications on the session
DBus.
dbus-user.broadcast
org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
Allow the application to receive broadcast signals from
the interface org.freedesktop.Notifications of the
object exposed at the path /org/freedesktop/Notifications
by the client owning the bus name
org.freedesktop.Notifications on the session DBus.
nodbus
(deprecated)
Disable D-Bus access (both system and session buses).
Equivalent to dbus-system none and dbus-user none.
Individual filters can be overridden via the --ignore command.
Supposing a profile has
[...]
dbus-user filter
dbus-user.own org.mozilla.firefox.*
dbus-user.talk org.freedesktop.Notifications
dbus-system none
[...]
and the user wants to disable notifications, this can be
achieved by putting the following in a local override file:
[...]
ignore dbus-user.talk org.freedesktop.Notifications
[...]
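As an added illustration (not firejail's own code), the following Python model evaluates profile lines the way the text describes: the .* suffix matching, the rule that a bus set to none cannot later be relaxed to filter, and the ignore override. It assumes that ignore drops later lines by prefix, that the .local override file is read before the rest of the profile, and that a bus with no dbus-* line is fully allowed; call and broadcast rules are not modelled.

```python
import re

def name_matches(rule, name):
    # "foo.bar.*" matches "foo.bar" and every name underneath it, but not "foobar".
    if rule.endswith(".*"):
        return name == rule[:-2] or name.startswith(rule[:-1])
    return name == rule

def parse_profile(lines):
    """Apply dbus-user/dbus-system lines in order. 'ignore X' drops later lines that
    start with X (assumed prefix match; the .local override is included first)."""
    policies = {bus: {"mode": "allow", "own": [], "talk": [], "see": []}
                for bus in ("dbus-user", "dbus-system")}  # "allow" default is assumed
    ignored = []
    for line in map(str.strip, lines):
        if line.startswith("ignore "):
            ignored.append(line[7:].strip())
            continue
        if any(line.startswith(prefix) for prefix in ignored):
            continue
        m = re.fullmatch(r"(dbus-user|dbus-system)(?:\.(own|talk|see))?\s+(\S+)", line)
        if not m:
            continue  # comments, call/broadcast rules, other commands: not modelled here
        bus, verb, arg = m.groups()
        if verb is None and policies[bus]["mode"] != "none":  # "none" is final
            policies[bus]["mode"] = arg
        elif verb:
            policies[bus][verb].append(arg)
    return policies

def access(policies, bus, name):
    """Strongest permission a well-known name gets on a bus: own > talk > see > none."""
    mode = policies[bus]["mode"]
    if mode == "none":
        return "none"
    if mode != "filter":
        return "own"  # unfiltered socket: nothing is restricted
    for verb in ("own", "talk", "see"):
        if any(name_matches(rule, name) for rule in policies[bus][verb]):
            return verb
    return "none"

SAMPLE_PROFILE = [  # constructed: the profile from the text, local override included first
    "ignore dbus-user.talk org.freedesktop.Notifications",
    "dbus-user filter",
    "dbus-user.own org.mozilla.firefox.*",
    "dbus-user.talk org.freedesktop.Notifications",
    "dbus-system none",
    "dbus-system filter",  # comes after 'none', so it must not re-enable the bus
]
```

With the override in place, access(parse_profile(SAMPLE_PROFILE), "dbus-user", "org.freedesktop.Notifications") returns "none" while the firefox names stay ownable.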