From 8744e0854acaee7de267ab946c991fe5d82ec696 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Sat, 2 May 2020 18:05:48 +0000
Subject: [PATCH] dbus filter profiles (1) (#3326)
* dbus filter (1)
* dbus-filter: firefox
* drop org.gtk.vfs and com.canonical.AppMenu.Registrar
---
etc/profile-a-l/celluloid.profile | 7 +++---
.../com.github.dahenson.agenda.profile | 5 +++++
etc/profile-a-l/dconf-editor.profile | 5 +++++
etc/profile-a-l/eog.profile | 5 +++++
etc/profile-a-l/feedreader.profile | 8 +++++++
etc/profile-a-l/firefox.profile | 7 ++++++
etc/profile-a-l/gfeeds.profile | 6 +++--
etc/profile-a-l/ghostwriter.profile | 3 +++
etc/profile-a-l/gitg.profile | 7 ++++++
etc/profile-a-l/gnome-maps.profile | 8 +++++++
etc/profile-a-l/gnome-pomodoro.profile | 6 +++++
etc/profile-a-l/gnome-screenshot.profile | 5 +++++
etc/profile-a-l/gnome-todo.profile | 12 ++++++++++
etc/profile-a-l/keepassxc.profile | 22 +++++++++++--------
etc/profile-a-l/libreoffice.profile | 3 +++
etc/profile-m-z/rhythmbox.profile | 12 +++++++---
etc/profile-m-z/seahorse.profile | 5 +++++
etc/profile-m-z/wireshark.profile | 1 -
etc/templates/profile.template | 17 +++++++++++++-
19 files changed, 125 insertions(+), 19 deletions(-)
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile
index 9be6b16310f..567bd912adc 100644
--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -46,9 +46,10 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3
 private-dev
 private-tmp
 
-# uses dconf, MPRIS
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own io.github.celluloid_player.Celluloid
+dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
+dbus-system none
 
 read-only ${HOME}
 read-write ${HOME}/.config/celluloid
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile
index ea5370649cb..6df9627b328 100644
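Review bot: The comment this hunk removes said celluloid uses dconf and MPRIS, yet the new filter allows neither: there is no `dbus-user.talk ca.desrt.dconf` (which the sibling GNOME profiles in this patch add, and which the template notes is required whenever dconf is used) and no `dbus-user.own org.mpris.MediaPlayer2.*` name as rhythmbox gets. Behind the proxy, settings writes and MPRIS media controls will presumably fail silently rather than loudly. Add `dbus-user.talk ca.desrt.dconf` plus the MPRIS name celluloid actually registers (likely `org.mpris.MediaPlayer2.io.github.celluloid_player.Celluloid`; confirm with `busctl --user list` while it is playing), or keep a comment stating that these are deliberately dropped and what breaks.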
--- a/etc/profile-a-l/com.github.dahenson.agenda.profile
+++ b/etc/profile-a-l/com.github.dahenson.agenda.profile
@@ -54,6 +54,11 @@ private-dev
 private-etc dconf,fonts,gtk-3.0
 private-tmp
 
+dbus-user filter
+dbus.own com.github.dahenson.agenda
+dbus.talk ca.desrt.dconf
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.cache/agenda
 read-write ${HOME}/.config/agenda
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile
index e7cc66e32bd..62379d3efce 100644
--- a/etc/profile-a-l/dconf-editor.profile
+++ b/etc/profile-a-l/dconf-editor.profile
@@ -44,3 +44,8 @@ private-dev
 private-etc alternatives,dconf,fonts,gtk-3.0,machine-id
 private-lib
 private-tmp
+
+dbus-user filter
+dbus-user.own ca.desrt.dconf-editor
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 6690b33ca26..3266f7d28fb 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,5 +15,10 @@ whitelist /usr/share/eog
 # or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
 private-bin eog
 
+dbus-user filter
+dbus-user.own org.gnome.Eog
+dbus-user.talk ca.desrt.dconf
+dbus-system none
+
 # Redirect
 include eo-common.profile
diff --git a/etc/profile-a-l/feedreader.profile b/etc/profile-a-l/feedreader.profile
index 7d3c7a8f468..60c6c85488a 100644
--- a/etc/profile-a-l/feedreader.profile
+++ b/etc/profile-a-l/feedreader.profile
@@ -48,3 +48,11 @@ private-cache
 private-dev
 private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.FeedReader
+dbus-user.own org.gnome.FeedReader.ArticleView
+# Enable as you need.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 4a2cb260f50..337311ed8e8 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
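Review bot: The agenda hunk uses `dbus.own` and `dbus.talk`, while every other profile in this patch and the template use `dbus-user.own`/`dbus-user.talk`; I do not believe `dbus.own`/`dbus.talk` are recognised firejail directives, so this either makes the whole profile fail to load as an invalid line or, if silently ignored, leaves `dbus-user filter` with no allowed names, blocking agenda's own name and dconf. Change the two lines to `dbus-user.own com.github.dahenson.agenda` and `dbus-user.talk ca.desrt.dconf`.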
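Review bot: In eog.profile the filter block is placed before `include eo-common.profile`, so whatever dbus policy eo-common.profile carries is applied after it; if that file contains `dbus-user none` (as firefox-common.profile evidently does, given the `ignore dbus-user none` firefox.profile needs in this same patch), the later line overrides the filter and the own/talk entries become dead. Either add `ignore dbus-user none` here as firefox.profile does, or move the dbus policy into eo-common.profile. I cannot see eo-common.profile from this hunk, so this needs checking against that file.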
@@ -28,5 +28,12 @@ include whitelist-usr-share-common.inc
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 
+dbus-user filter
+dbus-user.own org.mozilla.firefox.*
+dbus-user.own org.mpris.MediaPlayer2.firefox.*
+# Uncomment or put in your firefox.local to enable native notifications.
+#dbus-user.talk org.freedesktop.Notifications
+ignore dbus-user none
+
 # Redirect
 include firefox-common.profile
diff --git a/etc/profile-a-l/gfeeds.profile b/etc/profile-a-l/gfeeds.profile
index e7913f5e4a5..587a12a934f 100644
--- a/etc/profile-a-l/gfeeds.profile
+++ b/etc/profile-a-l/gfeeds.profile
@@ -58,5 +58,7 @@ private-dev
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,fonts,gconf,group,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
 
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.gabmus.gfeeds
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index c18a6b72ec8..1d5398403cb 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -48,3 +48,6 @@ private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,texlive,Trolltech.conf,X11,xdg
 private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 68f38c3ceb4..71b8e9b115e 100644
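Review bot: `ignore dbus-user none` in the firefox hunk silently neutralises a line that lives in the included firefox-common.profile, and nothing in firefox.profile says so; a reader of this file alone cannot tell why the line exists or what it cancels. A one-line comment above it would fix that, e.g. `# firefox-common.profile sets 'dbus-user none'; ignore it so the filter above stays in effect`. The hunk also sets no `dbus-system` policy, so that is presumably inherited from firefox-common.profile and is worth stating in the same comment.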
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -52,3 +52,10 @@ private-bin git,gitg,ssh
 private-cache
 private-dev
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.gitg
+dbus-user.talk ca.desrt.dconf
+# Uncomment (or put in your gitg.local) if you need keyring access.
+#dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-a-l/gnome-maps.profile b/etc/profile-a-l/gnome-maps.profile
index bf263efa99d..1366d1e1e10 100644
--- a/etc/profile-a-l/gnome-maps.profile
+++ b/etc/profile-a-l/gnome-maps.profile
@@ -62,3 +62,11 @@ private-bin gjs,gnome-maps
 private-dev
 private-etc alternatives,ca-certificates,clutter-1.0,crypto-policies,dconf,drirc,fonts,gconf,gcrypt,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pango,pkcs11,pki,protocols,resolv.conf,rpc,services,ssl,X11,xdg
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Maps
+#dbus-user.talk org.freedesktop.secrets
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system filter
+#dbus-system.talk org.freedesktop.NetworkManager
+dbus-system.talk org.freedesktop.GeoClue2
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile
index f8be23f074e..2a5d2a23119 100644
--- a/etc/profile-a-l/gnome-pomodoro.profile
+++ b/etc/profile-a-l/gnome-pomodoro.profile
@@ -47,5 +47,11 @@ private-dev
 private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
 private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.Pomodoro
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gnome.Shell
+dbus-system none
+
 read-only ${HOME}
 read-write ${HOME}/.local/share/gnome-pomodoro
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile
index cc5efb1613e..fe6bc025d12 100644
--- a/etc/profile-a-l/gnome-screenshot.profile
+++ b/etc/profile-a-l/gnome-screenshot.profile
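Review bot: Unlike the other GNOME profiles in this patch, the gnome-maps hunk adds no `dbus-user.talk ca.desrt.dconf`, although `dconf` sits in its private-etc list and the template's own note says dconf needs that name even when flatpak does not list it. Without it, settings changes will presumably fail to persist once the proxy is in place. Add `dbus-user.talk ca.desrt.dconf`, and consider a comment on the GeoClue2 line making clear that `org.freedesktop.GeoClue2` is what hands the sandbox your location, so users who only browse maps can drop it in gnome-maps.local.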
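Review bot: `dbus-user.talk org.gnome.Shell` in the gnome-pomodoro hunk hands the sandboxed process the Shell's entire interface, which on shell versions where `org.gnome.Shell.Eval` is still enabled means arbitrary JavaScript executed inside the compositor, i.e. a full sandbox escape, and in any case includes the extensions and screenshot interfaces. If the pomodoro shell-extension integration genuinely needs this name, say so next to the line, e.g. `# needed for the gnome-shell extension; org.gnome.Shell is a wide target (Eval where enabled)`; if only a narrower name is actually used, prefer that one.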
@@ -42,3 +42,8 @@ private-bin gnome-screenshot
 private-dev
 private-etc dconf,fonts,gtk-3.0,localtime,machine-id
 private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Screenshot
+dbus-user.talk org.gnome.Shell.Screenshot
+dbus-system none
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile
index 6240cce65e0..4539250224e 100644
--- a/etc/profile-a-l/gnome-todo.profile
+++ b/etc/profile-a-l/gnome-todo.profile
@@ -48,4 +48,16 @@ private-dev
 private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
 private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.Todo
+dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.gnome.evolution.dataserver.AddressBook9
+#dbus-user.talk org.gnome.evolution.dataserver.Calendar8
+#dbus-user.talk org.gnome.evolution.dataserver.Sources5
+#dbus-user.talk org.gnome.evolution.dataserver.Subprocess.Backend.*
+#dbus-user.talk org.gnome.OnlineAccounts
+dbus-system none
+#dbus-system filter
+#dbus-system.talk org.freedesktop.login1
+
 read-only ${HOME}
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 43dbad5f9cf..9458edf33c2 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -31,10 +31,6 @@ machine-id
 net none
 no3d
 nodvd
-# Breaks 'Lock database when session is locked or lid is closed' (#2899).
-# Also breaks (Plasma) tray icon,
-# you can safely uncomment it or add to keepassxc.local if you don't need these features.
-# nogroups
 nonewprivs
 noroot
 
@@ -52,11 +48,19 @@ private-dev
 private-etc alternatives,fonts,ld.so.cache,machine-id
 private-tmp
 
-# Breaks 'Lock database when session is locked or lid is closed' (#2899).
-# Also breaks (Plasma) tray icon,
-# you can safely uncomment it or add to keepassxc.local if you don't need these features.
-# dbus-user none
-# dbus-system none
+dbus-user filter
+#dbus-user.own org.keepassxc.KeePassXC
+dbus-user.talk com.canonical.Unity.Session
+dbus-user.talk org.freedesktop.ScreenSaver
+dbus-user.talk org.freedesktop.login1.Manager
+dbus-user.talk org.freedesktop.login1.Session
+dbus-user.talk org.gnome.ScreenSaver
+dbus-user.talk org.gnome.SessionManager
+dbus-user.talk org.gnome.SessionManager.Presence
+# Uncomment or add to your keepassxc.local to allow Notifications.
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile
index aa113883eaa..948e2927c9c 100644
--- a/etc/profile-a-l/libreoffice.profile
+++ b/etc/profile-a-l/libreoffice.profile
@@ -46,4 +46,7 @@ tracelog
 private-dev
 private-tmp
 
+dbus-user none
+dbus-system none
+
 join-or-start libreoffice
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index e8f964383e9..f3939685a24 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -47,6 +47,12 @@ private-bin rhythmbox,rhythmbox-client
 private-dev
 private-tmp
 
-# makes settings immutable
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.gnome.Rhythmbox3
+dbus-user.own org.mpris.MediaPlayer2.rhythmbox
+dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+dbus-system filter
+dbus-system.talk org.freedesktop.Avahi
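Review bot: The two lines `dbus-user.talk org.freedesktop.login1.Manager` and `dbus-user.talk org.freedesktop.login1.Session` cannot deliver what the removed comment (#2899, lock on session lock / lid close) implies: those are interface names, the well-known name is `org.freedesktop.login1`, and logind lives on the system bus, which this same hunk closes with `dbus-system none`. As written the lid-close/session-lock trigger presumably stays broken and the two user-bus entries are dead. If that feature is meant to work, replace them with `dbus-system filter` and `dbus-system.talk org.freedesktop.login1` (logind's privileged methods remain gated by polkit); otherwise drop the two lines and keep a comment saying what is lost. The commented-out `#dbus-user.own org.keepassxc.KeePassXC` also deserves a word on why owning is disabled, since every other profile in this patch owns its app name.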
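Review bot: In the rhythmbox hunk `dbus-system none` and `dbus-system filter` are both active on consecutive lines, so the effective system-bus policy depends on which one firejail applies last; the `dbus-system.talk org.freedesktop.Avahi` line shows that filter is the intent. Drop the `dbus-system none` line (or comment it out). A comment stating what Avahi is for here (presumably DAAP/UPnP discovery, matching the `org.gnome.UPnP.MediaServer2.Rhythmbox` own line) would let users who do not share media switch back to `dbus-system none` in rhythmbox.local.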
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 3a69086b54f..85d86d64664 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -61,3 +61,8 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11
 writable-run-user
+
+dbus-user filter
+dbus-user.own org.gnome.seahorse.Application
+dbus-user.talk org.freedesktop.secrets
+dbus-system none
diff --git a/etc/profile-m-z/wireshark.profile b/etc/profile-m-z/wireshark.profile
index d73e2e27937..a30cb43d5e6 100644
--- a/etc/profile-m-z/wireshark.profile
+++ b/etc/profile-m-z/wireshark.profile
@@ -47,4 +47,3 @@ tracelog
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,ssl
 private-tmp
-
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index d339ce476a1..be1175ce3fc 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -33,6 +33,7 @@
 # WHITELIST INCLUDES
 # OPTIONS (caps*, net*, no*, protocol, seccomp*, shell none, tracelog)
 # PRIVATE OPTIONS (disable-mnt, private-*, writable-*)
+# DBUS FILTER
 # SPECIAL OPTIONS (mdwx, noexec, read-only, join-or-start)
 # REDIRECT INCLUDES
 #
@@ -136,6 +137,7 @@ include globals.local
 #net none
 #netfilter
 #no3d
+##nodbus (deprecated, use 'dbus-user none' and 'dbus-system none', see below)
 #nodvd
 #nogroups
 #nonewprivs
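Review bot: The seahorse hunk allows only `org.freedesktop.secrets`, but seahorse's keyring management (create, delete, lock, change password) talks to gnome-keyring-daemon, which as far as I know also owns `org.gnome.keyring` for exactly those operations; if they fail under this filter, that is the likely missing name. Worth a test of those paths before merge, and if it is needed, `dbus-user.talk org.gnome.keyring` with a comment saying which features depend on it, in the style of the other hunks in this patch. Unlike gitg and feedreader, this hunk carries no comment at all on what the allowed names are for.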
@@ -185,7 +187,20 @@ include globals.local
 ##writable-var
 ##writable-var-log
 
-#dbus-user none
+# Since 0.9.63 also a more granular regulation of dbus is supported.
+# To get the dbus-addresses to which an application needs access to.
+# You can look at flatpak if the application is also distriputed via flatpak:
+# flatpak remote-info --show-metadata flathub
+# Notes:
+# - flatpak implicitly allows an app to own on the session bus
+# - In order to make dconf work (if it is used by the app) you need to allow
+# 'ca.desrt.dconf' even if it is not allowed by flatpak.
+# Notes and Policiy about addresses can be found at
+#
+#dbus-user filter
+#dbus-user.own com.github.netblue30.firejail
+#dbus-user.talk ca.desrt.dconf
+#dbus-user.talk org.freedesktop.Notifications
 #dbus-system none
 
 ##env VAR=VALUE
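Review bot: The new template commentary has wording defects that will be copied into every future profile: `distriputed` should be `distributed`, `Policiy` should be `Policy`, and `To get the dbus-addresses to which an application needs access to.` is a sentence fragment that should join the next line, e.g. `# To find the dbus names an application needs, look at flatpak if it is also distributed via flatpak:`. Three lines also look incomplete: `flatpak remote-info --show-metadata flathub` lacks the app-id argument, `allows an app to own on the session bus` lacks its object, and `can be found at` is followed by an empty `#` line with no link. That may be an `<app-id>`/`<URL>` placeholder lost in rendering, but if the committed text really reads this way it should become `# flatpak remote-info --show-metadata flathub <app-id>`, `# - flatpak implicitly allows an app to own <app-id> on the session bus`, and a real URL on the line after "can be found at".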