Use case: under KDE for an app add an icon to the systray requires that the app be able to own org.kde.StatusNotifierItem-PID-#. To make this work for an app sandboxed by Firejail requires using the .* suffix like so: dbus-user.own org.kde.*. This is giving way too much permission for just the sake of a systray icon.
Proposal: add a * suffix. foo.bar-* would match foo.bar-, foo.bar-baz and foo.bar-baz-quux but not foo.bar, foo.bar.baz or foo.bar.baz.quux. Then Firejail would be able to let a sandboxed app place a systray icon with dbus-user.own org.kde.StatusNotifierItem-*. While not perfect, it would be much less bad than dbus-user.own org.kde.*
Use case: under KDE for an app add an icon to the systray requires that the app be able to own
org.kde.StatusNotifierItem-PID-#
. To make this work for an app sandboxed by Firejail requires using the.*
suffix like so:dbus-user.own org.kde.*
. This is giving way too much permission for just the sake of a systray icon.Proposal: add a
*
suffix.foo.bar-*
would matchfoo.bar-
,foo.bar-baz
andfoo.bar-baz-quux
but notfoo.bar
,foo.bar.baz
orfoo.bar.baz.quux
. Then Firejail would be able to let a sandboxed app place a systray icon withdbus-user.own org.kde.StatusNotifierItem-*
. While not perfect, it would be much less bad thandbus-user.own org.kde.*