dbus filter profiles (1) (#3326)

* dbus filter (1)

* dbus-filter: firefox

* drop org.gtk.vfs and com.canonical.AppMenu.Registrar

etc/profile-a-l/celluloid.profile

@@ -46,9 +46,10 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3
 private-dev
 private-tmp
 
-# uses dconf, MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own io.github.celluloid_player.Celluloid
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
+dbus-system none
 
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid

etc/profile-a-l/com.github.dahenson.agenda.profile

@@ -54,6 +54,11 @@ private-dev
 private-etc dconf,fonts,gtk-3.0
 private-tmp
 
+dbus-user filter
+dbus.own com.github.dahenson.agenda
+dbus.talk ca.desrt.dconf
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.cache/agenda
 read-write ${HOME}/.config/agenda

etc/profile-a-l/dconf-editor.profile

@@ -44,3 +44,8 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
+
+dbus-user filter
+dbus-user.own ca.desrt.dconf-editor
+dbus-user.talk ca.desrt.dconf
+dbus-system none

etc/profile-a-l/eog.profile

@@ -15,5 +15,10 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
 
+dbus-user filter
+dbus-user.own org.gnome.Eog
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
 # Redirect
 include eo-common.profile

etc/profile-a-l/feedreader.profile

@@ -48,3 +48,11 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.FeedReader
+dbus-user.own org.gnome.FeedReader.ArticleView
+# Enable as you need.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none

etc/profile-a-l/firefox.profile

@@ -28,5 +28,12 @@ include whitelist-usr-share-common.inc
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 
+dbus-user filter
+dbus-user.own org.mozilla.firefox.*
+dbus-user.own org.mpris.MediaPlayer2.firefox.*
+# Uncomment or put in your firefox.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+ignore dbus-user none
+
 # Redirect
 include firefox-common.profile

etc/profile-a-l/gfeeds.profile

@@ -58,5 +58,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.gabmus.gfeeds
+dbus-user.talk ca.desrt.dconf
+dbus-system none

etc/profile-a-l/ghostwriter.profile

@@ -48,3 +48,6 @@ private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
 private-tmp
+
+dbus-user none
+dbus-system none

etc/profile-a-l/gitg.profile

@@ -52,3 +52,10 @@ private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.gitg
+dbus-user.talk ca.desrt.dconf
+# Uncomment (or put in your gitg.local) if you need keyring access.
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none

etc/profile-a-l/gnome-maps.profile

@@ -62,3 +62,11 @@ private-bin gjs,gnome-maps
 private-dev
 private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Maps
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system filter
+#dbus-system.talk org.freedesktop.NetworkManager
+dbus-system.talk org.freedesktop.GeoClue2

etc/profile-a-l/gnome-pomodoro.profile

@@ -47,5 +47,11 @@ private-dev
 private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
 private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.Pomodoro
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Shell
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.local/share/gnome-pomodoro

etc/profile-a-l/gnome-screenshot.profile

@@ -42,3 +42,8 @@ private-bin gnome-screenshot
 private-dev
 private-etc dconf,fonts,gtk-3.0,localtime,machine-id
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system none

etc/profile-a-l/gnome-todo.profile

@@ -48,4 +48,16 @@ private-dev
 private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
 private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.Todo
+dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
+#dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+#dbus-user.talk org.gnome.evolution.dataserver.Sources5
+#dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
+#dbus-system filter
+#dbus-system.talk org.freedesktop.login1
+
 read-only ${HOME}

etc/profile-a-l/keepassxc.profile

@@ -31,10 +31,6 @@ machine-id
 net none
 no3d
 nodvd
-# Breaks 'Lock database when session is locked or lid is closed' (#2899).
-# Also breaks (Plasma) tray icon,
-# you can safely uncomment it or add to keepassxc.local if you don't need these features.
-#
 nogroups
 nonewprivs
 noroot
@@ -52,11 +48,19 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
 
-# Breaks 'Lock database when session is locked or lid is closed' (#2899).
-# Also breaks (Plasma) tray icon,
-# you can safely uncomment it or add to keepassxc.local if you don't need these features.
-# dbus-user none
-# dbus-system none
+dbus-user filter
+#dbus-user.own org.keepassxc.KeePassXC
+dbus-user.talk com.canonical.Unity.Session
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-user.talk org.freedesktop.login1.Manager
+dbus-user.talk org.freedesktop.login1.Session
+dbus-user.talk org.gnome.ScreenSaver
+dbus-user.talk org.gnome.SessionManager
+dbus-user.talk org.gnome.SessionManager.Presence
+# Uncomment or add to your keepassxc.local to allow Notifications.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc

etc/profile-a-l/libreoffice.profile

@@ -46,4 +46,7 @@ tracelog
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 join-or-start libreoffice

etc/profile-m-z/rhythmbox.profile

@@ -47,6 +47,12 @@ private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.gnome.Rhythmbox3
+dbus-user.own org.mpris.MediaPlayer2.rhythmbox
+dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+dbus-system filter
+dbus-system.talk org.freedesktop.Avahi

etc/profile-m-z/seahorse.profile

@@ -61,3 +61,8 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
+
+dbus-user filter
+dbus-user.own org.gnome.seahorse.Application
+dbus-user.talk org.freedesktop.secrets
+dbus-system none

etc/profile-m-z/wireshark.profile

@@ -47,4 +47,3 @@ tracelog
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
-

etc/templates/profile.template

@@ -33,6 +33,7 @@
 #   WHITELIST INCLUDES
 #   OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 #   PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+#   DBUS FILTER
 #   SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 #   REDIRECT INCLUDES
 #
@@ -136,6 +137,7 @@ include globals.local
 #net none
 #netfilter
 #no3d
+##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
 #nodvd
 #nogroups
 #nonewprivs
@@ -185,7 +187,20 @@ include globals.local
 ##writable-var
 ##writable-var-log
 
-#dbus-user none
+# Since 0.9.63 also a more granular regulation of dbus is supported.
+# To get the dbus-addresses to which an application needs access to.
+# You can look at flatpak if the application is also distriputed via flatpak:
+#    flatpak remote-info --show-metadata flathub <APP-ID>
+# Notes:
+#  - flatpak implicitly allows an app to own <APP-ID> on the session bus
+#  - In order to make dconf work (if it is used by the app) you need to allow
+#    'ca.desrt.dconf' even if it is not allowed by flatpak.
+# Notes and Policiy about addresses can be found at
+# <https://github.com/netblue30/firejail/wiki/Restrict-D-Bus>
+#dbus-user filter
+#dbus-user.own com.github.netblue30.firejail
+#dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
 ##env VAR=VALUE