profile(5)

Security profile file syntax, and information about building new application profiles.

DBus filtering

Access to the session and system DBus UNIX sockets can be allowed, filtered or disabled. To disable the abstract sockets (and force applications to use the filtered UNIX socket) you would need to request a new network namespace using the --net command. Another option is to remove unix from the --protocol set.

Filtering requires installing the xdg-dbus-proxy utility. Filter rules can be specified for well-known DBus names, but they are also propagated to the owning unique name. The permissions are "sticky" and are kept even if the corresponding well-known name is released (however, applications rarely release well-known names in practice). Names may have a .* suffix to match all names underneath them, including themselves (e.g. "foo.bar.*" matches "foo.bar", "foo.bar.baz" and "foo.bar.baz.quux", but not "foobar"). For more information, see xdg-dbus-proxy(1).

Examples:

dbus-system filter
    Enable filtered access to the system DBus. Filters can be specified with the dbus-system.talk and dbus-system.own commands.

dbus-system none
    Disable access to the system DBus. Once access is disabled, it cannot be relaxed to filtering.

dbus-system.own org.gnome.ghex.*
    Allow the application to own the name org.gnome.ghex and all names underneath it on the system DBus.

dbus-system.talk org.freedesktop.Notifications
    Allow the application to talk to the name org.freedesktop.Notifications on the system DBus.

dbus-system.see org.freedesktop.Notifications
    Allow the application to see but not talk to the name org.freedesktop.Notifications on the system DBus.

dbus-system.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.

dbus-system.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the system DBus.

dbus-user filter
    Enable filtered access to the session DBus. Filters can be specified with the dbus-user.talk and dbus-user.own commands.

dbus-user none
    Disable access to the session DBus. Once access is disabled, it cannot be relaxed to filtering.

dbus-user.own org.gnome.ghex.*
    Allow the application to own the name org.gnome.ghex and all names underneath it on the session DBus.

dbus-user.talk org.freedesktop.Notifications
    Allow the application to talk to the name org.freedesktop.Notifications on the session DBus.

dbus-user.see org.freedesktop.Notifications
    Allow the application to see but not talk to the name org.freedesktop.Notifications on the session DBus.

dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    Allow the application to call methods of the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.

dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    Allow the application to receive broadcast signals from the interface org.freedesktop.Notifications of the object exposed at the path /org/freedesktop/Notifications by the client owning the bus name org.freedesktop.Notifications on the session DBus.

nodbus (deprecated)
    Disable D-Bus access (both system and session buses). Equivalent to dbus-system none and dbus-user none.

Individual filters can be overridden via the --ignore command. Supposing a profile has

    [...]
    dbus-user filter
    dbus-user.own org.mozilla.firefox.*
    dbus-user.talk org.freedesktop.Notifications
    dbus-system none
    [...]

and the user wants to disable notifications, this can be achieved by putting the below in a local override file:

    [...]
    ignore dbus-user.talk org.freedesktop.Notifications
    [...]
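
The name-matching rule and the ignore override described above can be checked before a profile is deployed. The following is an added example, not part of the manual page and not firejail or xdg-dbus-proxy code. Its function names are hypothetical, and it assumes that an ignore line suppresses profile lines identical to it and that name rules only apply in filter mode.

```python
# Added example: simplified model of profile DBus rules, not firejail's code.
PROFILE = """\
dbus-user filter
dbus-user.own org.mozilla.firefox.*
dbus-user.talk org.freedesktop.Notifications
dbus-system none
"""  # constructed from the profile fragment on this page
OVERRIDE = "ignore dbus-user.talk org.freedesktop.Notifications\n"

def name_matches(pattern, name):
    """A '.*' suffix matches the base name itself and every name underneath it."""
    if pattern.endswith(".*"):
        base = pattern[:-2]
        return name == base or name.startswith(base + ".")
    return name == pattern

def _lines(text):
    """Whitespace-normalised, non-empty, non-comment lines."""
    out = (" ".join(l.split()) for l in text.splitlines())
    return [l for l in out if l and not l.startswith("#")]

def effective_policy(profile, override=""):
    """Per-bus mode and name rules left after the override's 'ignore' lines.
    Assumption: 'ignore X' drops profile lines equal to X after normalisation."""
    ignored = {l[len("ignore "):] for l in _lines(override) if l.startswith("ignore ")}
    policy = {bus: {"mode": None, "rules": []} for bus in ("dbus-user", "dbus-system")}
    for line in _lines(profile):
        if line in ignored:
            continue
        cmd, _, arg = line.partition(" ")
        bus, _, kind = cmd.partition(".")
        if bus not in policy:
            continue
        if kind:
            policy[bus]["rules"].append((kind, arg))
        elif policy[bus]["mode"] != "none":  # "none" cannot be relaxed later
            policy[bus]["mode"] = arg
    return policy

def granted(policy, bus, name):
    """Rule kinds (own/talk/see) whose pattern covers `name` on a filtered bus."""
    if policy[bus]["mode"] != "filter":
        return set()  # assumption: name rules only apply in filter mode
    return {k for k, pat in policy[bus]["rules"]
            if k in ("own", "talk", "see") and name_matches(pat, name)}
```

Comparing granted() on the policy with and without the override shows exactly which grants a local file removes.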