diff options
| author | Alban Crequy <alban.crequy@collabora.co.uk> | 2012-03-04 15:18:38 +0000 |
|---|---|---|
| committer | Alban Crequy <alban.crequy@collabora.co.uk> | 2012-03-22 11:28:58 +0000 |
| commit | 97c11fe28633e5da65a2b5a0353204ce68d6140b (patch) | |
| tree | 109175b3f7c069258b831644306413e677013575 | |
| parent | 3c7c255ee7d5e478fa204a0f0848c98cc0e54a4f (diff) | |
| download | dbus-97c11fe28633e5da65a2b5a0353204ce68d6140b.tar.gz | |
doc: update documentation with own_prefix policy rules
https://bugs.freedesktop.org/show_bug.cgi?id=46886
| -rw-r--r-- | cmake/bus/dbus-daemon.xml | 8 | ||||
| -rw-r--r-- | doc/dbus-daemon.1.in | 10 |
2 files changed, 18 insertions, 0 deletions
diff --git a/cmake/bus/dbus-daemon.xml b/cmake/bus/dbus-daemon.xml index c6f4db07..f331699c 100644 --- a/cmake/bus/dbus-daemon.xml +++ b/cmake/bus/dbus-daemon.xml @@ -512,6 +512,7 @@ statements, and works just like <deny> but with the inverse meaning.</para eavesdrop="true" | "false" own="name" + own_prefix="name" user="username" group="groupname" </literallayout> <!-- .fi --> @@ -590,6 +591,13 @@ the character "*" can be substituted, meaning "any." Complex globs like "foo.bar.*" aren't allowed for now because they'd be work to implement and maybe encourage sloppy security anyway.</para> +<para><allow own_prefix="a.b"/> allows you to own the name "a.b" or any +name whose first dot-separated elements are "a.b": in particular, +you can own "a.b.c" or "a.b.c.d", but not "a.bc" or "a.c". +This is useful when services like Telepathy and ReserveDevice +define a meaning for subtrees of well-known names, such as +org.freedesktop.Telepathy.ConnectionManager.(anything) +and org.freedesktop.ReserveDevice1.(anything).</para> <para>It does not make sense to deny a user or group inside a <policy> for a user or group; user/group denials can only be inside diff --git a/doc/dbus-daemon.1.in b/doc/dbus-daemon.1.in index b063e643..53856e91 100644 --- a/doc/dbus-daemon.1.in +++ b/doc/dbus-daemon.1.in @@ -501,6 +501,7 @@ The possible attributes of these elements are: eavesdrop="true" | "false" own="name" + own_prefix="name" user="username" group="groupname" .fi @@ -573,6 +574,15 @@ like "foo.bar.*" aren't allowed for now because they'd be work to implement and maybe encourage sloppy security anyway. .PP +<allow own_prefix="a.b"/> allows you to own the name "a.b" or any +name whose first dot-separated elements are "a.b": in particular, +you can own "a.b.c" or "a.b.c.d", but not "a.bc" or "a.c". +This is useful when services like Telepathy and ReserveDevice +define a meaning for subtrees of well-known names, such as +org.freedesktop.Telepathy.ConnectionManager.(anything) +and org.freedesktop.ReserveDevice1.(anything). + +.PP It does not make sense to deny a user or group inside a <policy> for a user or group; user/group denials can only be inside context="default" or context="mandatory" policies. |