Security profile file syntax, and information about building new application profiles.
  
DBus filtering
Access to the session and system DBus UNIX sockets can be
       allowed, filtered or disabled. To disable the abstract sockets
       (and force applications to use the filtered UNIX socket) you
       would need to request a new network namespace using the --net
       command. Another option is to remove unix from the --protocol
       set.
       Filtering requires installing the xdg-dbus-proxy utility. Filter
       rules can be specified for well-known DBus names, but they are
       also propagated to the owning unique name. The permissions
       are "sticky" and are kept even if the corresponding well-known
       name is released (however, applications rarely release well-known
       names in practice). Names may have a .* suffix to match all names
       underneath them, including themselves (e.g. "foo.bar.*" matches
       "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not
       "foobar"). For more information, see xdg-dbus-proxy(1).
       Examples:
       dbus-system filter
              Enable filtered access to the system DBus. Filters can be
              specified with the dbus-system.talk and dbus-system.own
              commands.
       dbus-system none
              Disable access to the system DBus. Once access is
              disabled, it cannot be relaxed to filtering.
       dbus-system.own org.gnome.ghex.*
              Allow the application to own the name org.gnome.ghex and
              all names underneath it on the system DBus.
       dbus-system.talk org.freedesktop.Notifications
              Allow the application to talk to the name
              org.freedesktop.Notifications on the system DBus.
       dbus-system.see org.freedesktop.Notifications
              Allow the application to see but not talk to the name
              org.freedesktop.Notifications on the system DBus.
       dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to call methods of the interface
              org.freedesktop.Notifications of the object exposed at the
              path /org/freedesktop/Notifications by the client owning
              the bus name org.freedesktop.Notifications on the system
              DBus.
       dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to receive broadcast signals from
              the interface org.freedesktop.Notifications of the
              object exposed at the path /org/freedesktop/Notifications
              by the client owning the bus name
              org.freedesktop.Notifications on the system DBus.
       dbus-user filter
              Enable filtered access to the session DBus. Filters can be
              specified with the dbus-user.talk and dbus-user.own
              commands.
       dbus-user none
              Disable access to the session DBus. Once access is
              disabled, it cannot be relaxed to filtering.
       dbus-user.own org.gnome.ghex.*
              Allow the application to own the name org.gnome.ghex and
              all names underneath it on the session DBus.
       dbus-user.talk org.freedesktop.Notifications
              Allow the application to talk to the name
              org.freedesktop.Notifications on the session DBus.
       dbus-user.see org.freedesktop.Notifications
              Allow the application to see but not talk to the name
              org.freedesktop.Notifications on the session DBus.
       dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to call methods of the interface
              org.freedesktop.Notifications of the object exposed at the
              path /org/freedesktop/Notifications by the client owning
              the bus name org.freedesktop.Notifications on the session
              DBus.
       dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
              Allow the application to receive broadcast signals from
              the interface org.freedesktop.Notifications of the
              object exposed at the path /org/freedesktop/Notifications
              by the client owning the bus name
              org.freedesktop.Notifications on the session DBus.
       nodbus (deprecated)
              Disable D-Bus access (both system and session buses).
              Equivalent to dbus-system none and dbus-user none.
       Individual filters can be overridden via the --ignore command.
       Supposing a profile has
              [...]
              dbus-user filter
              dbus-user.own org.mozilla.firefox.*
              dbus-user.talk org.freedesktop.Notifications
              dbus-system none
              [...]
              and the user wants to disable notifications, this can be
              achieved by putting the below in a local override file:
              [...]
              ignore dbus-user.talk org.freedesktop.Notifications
              [...]
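
       The following is an added example, not part of the original manual
       page or of the sandbox's own code: a small Python audit helper that
       reports which own/talk/see rules a profile plus local override grant
       for a bus name, using the .* suffix rule and the ignore override
       described above. The function names are hypothetical, ignore is
       modelled as an exact match on the rule text, and name rules are
       assumed to matter only in filter mode.

```python
import re

# Mode lines ("dbus-user filter") and name rules ("dbus-user.talk NAME").
# call/broadcast rules are outside the scope of this sketch and are skipped.
RULE = re.compile(r"^dbus-(user|system)(?:\.(own|talk|see))? (\S+)$")

def name_matches(pattern, name):
    """'foo.bar.*' matches foo.bar and everything below it, never foobar."""
    if pattern.endswith(".*"):
        base = pattern[:-2]
        return name == base or name.startswith(base + ".")
    return name == pattern

def norm(line):
    return " ".join(line.split())

def effective_access(profile, override, bus, name):
    """Return (mode, verbs): mode is 'allowed', 'filter' or 'none'."""
    # Assumption: an ignore entry cancels a profile line with identical text.
    ignored = {norm(l)[len("ignore "):] for l in override
               if norm(l).startswith("ignore ")}
    mode, verbs = "allowed", set()
    for raw in profile:
        line = norm(raw)
        m = RULE.match(line)
        if not m or m.group(1) != bus or line in ignored:
            continue
        verb, arg = m.group(2), m.group(3)
        if verb is None:
            # 'none' is final: it cannot be relaxed to filtering afterwards.
            if mode != "none" and arg in ("filter", "none"):
                mode = arg
        elif name_matches(arg, name):
            verbs.add(verb)
    # Assumption: name rules only matter while the bus is in filter mode.
    return mode, (verbs if mode == "filter" else set())

# The profile and local override from the example above.
PROFILE = ["dbus-user filter",
           "dbus-user.own org.mozilla.firefox.*",
           "dbus-user.talk org.freedesktop.Notifications",
           "dbus-system none"]
OVERRIDE = ["ignore dbus-user.talk org.freedesktop.Notifications"]

if __name__ == "__main__":
    for ov in ([], OVERRIDE):
        print(effective_access(PROFILE, ov, "user", "org.freedesktop.Notifications"))
```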