Commit a3e524a

sandbox-permissions: Clarify security of sockets
1 parent 17e5e80 commit a3e524a

1 file changed

+17
-7
lines changed

docs/sandbox-permissions.rst

Lines changed: 17 additions & 7 deletions
@@ -77,18 +77,28 @@ which can be used on an as-needed basis, and which should be avoided.
7777
Standard permissions
7878
````````````````````
7979

80-
The following permissions provide access to basic resources that applications
81-
commonly require, and can therefore be freely used.
80+
The following permissions are commonly used by applications.
8281

8382
- ``--allow=bluetooth`` - Allow access to Bluetooth (``AF_BLUETOOTH``) sockets
8483
- ``--device=dri`` - OpenGL rendering
8584
- ``--share=ipc`` - Share IPC namespace with the host [#f1]_
8685
- ``--share=network`` - Access the network [#f2]_
87-
- ``--socket=cups`` - Talk to the CUPS printing system (``$CUPS_SERVER`` or server defined in CUPS's ``client.conf``. Falls back to ``/var/run/cups/cups.sock``)
88-
- ``--socket=gpg-agent`` - Talk to the GPG agent (The socket in ``gpgconf --list-dir agent-socket``)
89-
- ``--socket=pcsc`` - Smart card access ``$PCSCLITE_CSOCK_NAME``
90-
- ``--socket=pulseaudio`` - Access to PulseAudio, includes sound input (mic), sound output/playback, MIDI and ALSA sound devices in ``/dev/snd``
91-
- ``--socket=ssh-auth``- Allow access to ``$SSH_AUTH_SOCK``
86+
- ``--socket=pulseaudio`` - Access to PulseAudio. It includes sound input
87+
(mic), sound output/playback, MIDI and ALSA sound devices in
88+
``/dev/snd``. This permission can be sensitive in certain situations.
89+
- ``--socket=cups`` - Talk to the CUPS printing system. ``$CUPS_SERVER``
90+
or server defined in CUPS's ``client.conf``. Falls back to
91+
``/var/run/cups/cups.sock``.
92+
- ``--socket=pcsc`` - Smart card access ``$PCSCLITE_CSOCK_NAME``.
93+
- ``--socket=gpg-agent`` - Talk to the GPG agent running on host. This
94+
may allow acquiring additional permissions that can be used to perform
95+
priviledged GPG operations. The gives access to the socket in
96+
``gpgconf --list-dir agent-socket``. This is not commonly needed
97+
unless the application interacts with GPG such as e-mail clients or
98+
GPG frontends.
99+
- ``--socket=ssh-auth``- Allow access to ``$SSH_AUTH_SOCK``. This is not
100+
commonly needed unless the application interacts with SSH such as
101+
Git clients or SSH frontends.
92102

93103
.. note::
94104

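Review bot: the new ``--socket=gpg-agent`` bullet has two wording defects that should be fixed before merging: "priviledged GPG operations" should be "privileged GPG operations", and "The gives access to the socket in" should read "This gives access to the socket in". In the same spirit as that bullet, the ``--socket=ssh-auth`` bullet only says the permission is "not commonly needed" and never states why it is sensitive; since access to ``$SSH_AUTH_SOCK`` lets the sandboxed application ask the host's agent to sign with any key loaded into it, consider adding a sentence such as "This gives the application access to the host's SSH agent and any keys loaded into it." Minor: ``--socket=ssh-auth``- is still missing the space before the hyphen, unlike the other entries.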