[PR #3406] [MERGED] DBus filtering enhancements #4751

Closed
opened 2026-05-05 10:25:53 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3406
Author: @kris7t
Created: 5/7/2020
Status: Merged
Merged: 6/1/2020
Merged by: @kris7t

Base: master ← Head: dbus-proxy


📝 Commits (6)

  • 8b5cb76 Add --dbus-*.see options
  • 8e719e0 Add dbus-*.call and dbus-*.broadcast commands
  • 416d385 Add options for D-Bus logging
  • d50d1a9 Update D-Bus audit
  • 28a3d38 Documentation for new DBus options
  • 9a430b9 Turn attempted DBus policy downgrade into warning (fixes #3408)

📊 Changes

8 files changed (+444 additions, -23 deletions)

View changed files

📝 src/faudit/dbus.c (+48 -9)
📝 src/firejail/dbus.c (+89 -4)
📝 src/firejail/firejail.h (+4 -0)
📝 src/firejail/main.c (+86 -6)
📝 src/firejail/profile.c (+54 -4)
📝 src/firejail/usage.c (+9 -0)
📝 src/man/firejail-profile.txt (+18 -0)
📝 src/man/firejail.txt (+136 -0)

📄 Description

This PR exposes additional functionalities from xdg-dbus-proxy:

  • --dbus-user.see and --dbus-system.see allow setting the SEE policy for DBus names.

  • --dbus-{user,system}.{call,broadcast} allow setting per-interface and per-object-path policies. For example, we can set

    dbus-user.call org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    dbus-user.broadcast org.freedesktop.Notifications=org.freedesktop.Notifications.*@/org/freedesktop/Notifications
    

    to safely allow notifications without exposing additional objects (e.g. /org/gnome/Shell).

  • --dbus-{user,system}.log to turn on DBus proxy logging (#3402). Unfortunately, this is not as useful as it may seem, because without --filter, xdg-dbus-proxy --log will not actually log anything. So we can use the options for debugging applications that fail due to DBus filters, but not for building DBus profiles from scratch.

In addition, this PR updates faudit so it won't report MAYBE when DBus filters are in effect (https://github.com/netblue30/firejail/pull/3326#issuecomment-610338629).

A next step would be to either find a better DBus logging option (maybe with dbus-monitor), or stay with this one, and create some contrib scripts to generate filter rules from (rejected) DBus communications.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
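
Added example, not code from this PR, firejail or xdg-dbus-proxy: a simplified C model of how a `NAME=METHOD@PATH` rule like the one in the description narrows access to a single interface on a single object path. It assumes METHOD is `*`, `IFACE.*` or `IFACE.MEMBER` and PATH is exact or ends in `/*`; `rule_allows` and the sample calls are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption) of one proxy rule "NAME=METHOD@PATH".
 * METHOD is "*", "IFACE.*" or "IFACE.MEMBER"; PATH is an exact object path
 * or a subtree pattern ending in slash-star.
 * Returns 1 if the call is covered by the rule, 0 otherwise (fails closed). */
int rule_allows(const char *rule, const char *name, const char *iface,
                const char *member, const char *path)
{
    char buf[512];
    if (strlen(rule) >= sizeof(buf)) return 0;
    strcpy(buf, rule);

    char *method = strchr(buf, '=');
    if (!method) return 0;
    *method++ = '\0';
    if (strcmp(buf, name) != 0) return 0;        /* exact bus name only */

    char *rpath = strchr(method, '@');
    if (rpath) {
        *rpath++ = '\0';
        size_t n = strlen(rpath);
        if (n >= 2 && strcmp(rpath + n - 2, "/*") == 0) {
            n -= 2;                              /* subtree: prefix, then '/' or end */
            if (strncmp(path, rpath, n) != 0 || (path[n] != '\0' && path[n] != '/'))
                return 0;
        } else if (strcmp(path, rpath) != 0) {
            return 0;                            /* exact object path required */
        }
    }
    if (*method == '\0' || strcmp(method, "*") == 0) return 1;
    char *dot = strrchr(method, '.');            /* split IFACE from MEMBER */
    if (!dot) return 0;
    *dot++ = '\0';
    if (strcmp(method, iface) != 0) return 0;
    return strcmp(dot, "*") == 0 || strcmp(dot, member) == 0;
}

int main(void)
{
    const char *n = "org.freedesktop.Notifications";  /* rule from the PR text */
    const char *rule = "org.freedesktop.Notifications="
        "org.freedesktop.Notifications.*@/org/freedesktop/Notifications";
    /* Constructed sample calls, all addressed to the same bus name. */
    printf("%d\n", rule_allows(rule, n, n, "Notify", "/org/freedesktop/Notifications"));
    printf("%d\n", rule_allows(rule, n, "org.gnome.Shell", "SomeMethod", "/org/gnome/Shell"));
    printf("%d\n", rule_allows(rule, n, "org.freedesktop.DBus.Properties", "GetAll",
                               "/org/freedesktop/Notifications"));
    return 0;
}
```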
