man(8)

malcontent-client man page

man(8)

NAME

malcontent-client - Parental Controls Access Utility

SYNOPSIS

malcontent-client get-app-filter [-q] [-n] [USER]

malcontent-client check-app-filter [-q] [-n] [USER] ARG

malcontent-client set-app-filter [-q] [-n] [USER] ARG

malcontent-client oars-section [-q] [-n] [USER] SECTION

malcontent-client get-session-limits [-q] [-n] [USER]

malcontent-client set-session-limits [-q] [-n] [USER] LIMIT-TYPE

malcontent-client monitor [-q] [USER]

malcontent-client record-usage [-q] USAGE-ENTRIES

malcontent-client query-usage [-q] USER RECORD-TYPE IDENTIFIER

malcontent-client get-estimated-times [-q] RECORD-TYPE

malcontent-client request-extension [-q] RECORD-TYPE IDENTIFIER [DURATION]

malcontent-client get-web-filter [-q] [-n] [USER]

malcontent-client set-web-filter [-q] [-n] [USER] ARG

malcontent-client update-web-filters [-q] [-n] [USER]

malcontent-client dump-web-filters [-q] [-n] [USER]

DESCRIPTION

malcontent-client is a utility for querying and updating the parental controls settings for users on the system. It will typically require administrator access to do anything more than query the current user’s parental controls.

It communicates with accounts-service, which stores parental controls data.

Its first argument is a command to run. The supported commands are documented below.

The command line API and output format are unstable and likely to change in future versions of malcontent-client.

get-app-filter OPTIONS

Get the app filter for a user. For example:

# malcontent-client get-app-filter timmy

USER: Username or ID of the user to get the app filter for. If not specified, the current user will be used by default.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

check-app-filter OPTIONS

Check if a given program, content type or flatpak ref is permitted to be used by a user, according to their current app filter. For example:

# malcontent-client check-app-filter timmy $(which gnome-calculator)

# malcontent-client check-app-filter timmy x-scheme-handler/http

# malcontent-client check-app-filter timmy app/com.realm667.WolfenDoom_Blade_of_Agony/x86_64/stable

USER: Username or ID of the user to get the app filter for. If not specified, the current user will be used by default.
ARG: Path to a program, content type or flatpak ref to check against the app filter, to see if it is allowed for the specified user.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

set-app-filter OPTIONS

Set the app filter for a user, replacing all previous values in it. For example:

# malcontent-client set-app-filter timmy \
--disallow-user-installation \
$(which gnome-calculator) \
x-scheme-handler/http \
app/com.realm667.WolfenDoom_Blade_of_Agony/x86_64/stable

USER: Username or ID of the user to set the app filter for. If not specified, the current user will be used by default.
ARG: Item to filter in the user’s app filter. This could either be an absolute path or flatpak ref of a program to block; a content type to block all programs handling that type; or an OARS section=value pair to block installation of apps with a more extreme rating for that OARS section. Multiple items may be specified, and they will replace the user’s current app filter in entirety. If zero items are specified, the app filter is cleared.
--allow-user-installation: Allow the user to install flatpaks to their user repository.
--disallow-user-installation: Disallow the user from installing flatpaks to their user repository.
--allow-system-installation: Allow the user to install flatpaks to the system repository.
--disallow-system-installation: Disallow the user from installing flatpaks to the system repository.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

oars-section OPTIONS

Get the value set for a specific OARS section from the app filter of the given user. For example:

# malcontent-client oars-section timmy language-profanity

USER: Username or ID of the user to get the OARS filter for. If not specified, the current user will be used by default.
SECTION: OARS section to get the restriction level of the given user for. For example, language-profanity.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

get-session-limits OPTIONS

Get the session limits set for a user. For example:

# malcontent-client get-session-limits timmy

USER: Username or ID of the user to get the session limits for. If not specified, the current user will be used by default.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)
--now yyyy-mm-ddThh:mm:ssZ: Check session limits (in particular, session expiry time) against the given date/time, provided in ISO 8601 format. (Default: Current date/time.)

set-session-limits OPTIONS

Set the session limits for a user, replacing its previous value completely. For example:

# malcontent-client set-session-limits timmy \
daily-schedule \
--start-time 16:00 --end-time 18:00

USER: Username or ID of the user to set the app filter for. If not specified, the current user will be used by default.
LIMIT-TYPE: The type of session limit to use for this user. Possible values are:

none: - No session limits.
daily-schedule --start-time HH[:MM[:SS]] --end-time HH[:MM[:SS]]: - Daily schedule with fixed start and end times. These must be provided as two arguments giving the time of day when the schedule starts and ends.
daily-limit --daily-limit SECONDS: - Daily limit on the overall active time using the computer for the day. This must be provided as a limit length in seconds.

-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

monitor OPTIONS

Monitor changes to any of the parental controls settings for a specific user. For example:

# malcontent-client monitor timmy

USER: Username or ID of the user to monitor the parental controls for. If not specified, the current user will be used by default.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)

record-usage OPTIONS

Record session or app usage times for the current user. For example:

# malcontent-client record-usage 2025-04-22T08:00:00Z 2025-04-22T16:00:00Z login-session

# malcontent-client record-usage 2025-04-22T08:00:00Z 2025-04-22T16:00:00Z app "org.gnome.gedit"

USAGE-ENTRIES: One or more usage entries to add. Each entry is a set of four arguments:

the start date and time of the usage period (in ISO 8601 format),
the end date and time of the usage period (also in ISO 8601 format),
the record type (login-session or app) and
the record identifier (this must be the empty string for login-session records, and the app ID for app records).

The final record identifier in the arguments list can be omitted if it’s empty.

-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)

query-usage OPTIONS

Query session or app usage times for a given user. For example:

# malcontent-client query-usage bob login-session ""

# malcontent-client query-usage bob app "org.gnome.gedit"

USER: Username or ID of the user to get the usage information for.
RECORD-TYPE IDENTIFIER: The record type and identifier to query for records of. See the documentation for the record-usage command for valid values.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

get-estimated-times OPTIONS

Query the usage and session limits for the current user, to work out how much time is remaining in their session or for using apps. For example:

# malcontent-client get-estimated-times login-session

RECORD-TYPE: Type of usage record to query for. This can be login-session or app.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)

request-extension OPTIONS

Request an extension to the screen time limit for the current user, for their session or the specified app. For example:

# malcontent-client request-extension login-session ""

RECORD-TYPE IDENTIFIER: The record type and identifier to request an extension for. See the documentation for the record-usage command for valid values.
DURATION: The duration of the extension to request (in seconds), or zero to allow the parent to choose the duration (typically this means until the end of today). (Default: Zero.)
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)

get-web-filter OPTIONS

Get the web filter for a user. For example:

# malcontent-client get-web-filter timmy

USER: Username or ID of the user to get the web filter for. If not specified, the current user will be used by default.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

set-web-filter OPTIONS

Set the web filter for a user, replacing all previous values in it. For example:

# malcontent-client set-web-filter timmy \
--force-safe-search \
--filter-type block-list \
adult=https://v.firebog.net/hosts/Prigent-Adult.txt \
advertising=https://v.firebog.net/hosts/Prigent-Ads.txt \
reddit.com \
~mastodon.social

USER: Username or ID of the user to set the web filter for. If not specified, the current user will be used by default.
ARG: Item to filter in the user’s web filter. This could either be an id=filter-URI pair, or an individual hostname to block. Either type of item may be prefixed with ~ (a tilde) to allow it rather than blocking it. A filter URI must point to a text file in the same format as /etc/hosts listing websites to filter. The associated ID is an arbitrary alphanumeric string used to track the filter over time, even if its canonical URI changes. Multiple items may be specified, and they will replace the user’s current web filter in entirety. If zero items are specified, the web filter is cleared.
--force-safe-search: Force ‘safe search’ mode to be enabled for known search engines and popular websites.
--filter-type: The type of web filter to use for this user. Possible values are:

none: - No web filtering.
block-list: - Websites are allowed by default unless listed in one of the block lists. The websites in the allow lists are always allowed.
allow-list: - Websites are blocked by default unless listed in one of the allow lists. The block lists are ignored.

-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

update-web-filters OPTIONS

Download and update the compiled web filters for a specific user, or for all users. This will read the current web filter configuration for the user and update the compiled filter database using that configuration. For example:

# malcontent-client update-web-filters timmy

To update the web filter configuration for a user, use malcontent-client set-web-filter.

USER: Username or ID of the user to update the web filters for. If not specified, the web filters will be updated for all users who have them set.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

dump-web-filters OPTIONS

Dump the compiled web filters for a specific user, or for all users. These are the filter rules which are currently being used. For example:

# malcontent-client dump-web-filters timmy

USER: Username or ID of the user to dump the web filters for. If not specified, the web filters will be dumped for all users who have them set.
-q, --quiet: Only output error messages, and no informational messages, as the operation progresses. (Default: Output informational messages.)
-n, --no-interactive: Do not allow interactive authorization with polkit. If this is needed to complete the operation, the operation will fail. (Default: Allow interactive authorization.)

ENVIRONMENT

malcontent-client supports the standard GLib environment variables for debugging. These variables are not intended to be used in production:

$G_MESSAGES_DEBUG: This variable can contain one or more debug domain names to display debug output for. The value all will enable all debug output. The default is for no debug output to be enabled.

EXIT STATUS

malcontent-client may return one of several error codes if it encounters problems.

0: No problems occurred. The utility ran and successfully queried the app filter. If running the check-app-filter command, the given path, content type or flatpak ref was allowed for the given user.
1: An invalid option was passed to malcontent-client on startup.
2: The current user was not authorized to query the app filter for the given user.
3: If running the check-app-filter command, the given path, content type or flatpak ref was not allowed for the given user.
4: Malcontent is disabled at the system level, and hence parental controls are not enabled or enforced.
5: An operation failed and no more specific error information is available.
6: The service was busy; try again shortly.

BUGS

Any bugs which are found should be reported on the project website:
https://gitlab.freedesktop.org/pwithnall/malcontent/-/issues

AUTHOR

Endless Mobile, Inc. Philip Withnall

COPYRIGHT

20 Mar 2025

1.2