Fine-grained DBus sandboxing #3265
Merged
Commits on Apr 6, 2020
- Add --dbus-user and --dbus-system options

  Allow setting a separate policy for the user and system buses. For now, the filter policy is equivalent to the none (block) policy. Future commits will add more configuration options and filters.

  Commit 6fc8a55
- Add sbox_exec_v and SBOX_KEEP_FDS

  To contain processes forked for a long time, such as the xdg-dbus-proxy, sbox_exec_v can be used, which is the non-forking version of sbox_run_v. Additionally, the SBOX_KEEP_FDS flag avoids closing any open fds, so fds needed by the subordinate process can be left open before calling sbox_exec_v. This flag does not make sense for sbox_run_v, and causes an assertion failure.

  Commit 2345cc4
- * The proxy is forked off outside the sandbox namespace to protect the fds of the original buses from the sandboxed process.
  * The /run/firejail/dbus directory (with the sticky bit set) holds the proxy sockets. The sockets are <parent pid>-user and <parent pid>-system for the user and system buses, respectively. Each socket is owned by the sandbox user.
  * The sockets are bind-mounted over their expected locations and the /run/firejail/dbus directory is subsequently hidden from the sandbox.
  * Upon sandbox exit, the xdg-dbus-proxy instance is terminated and the sockets are cleaned up.
  * Filter rules will be added in a future commit.

  Commit 0afb43a
- The options --dbus-user.talk, --dbus-user.own, --dbus-system.talk, and --dbus-system.own control which names can be accessed and owned on the user and system buses.

  Commit 31df60f
- Commit 5fa90d0
- Commit db4c5b0
- xdg-dbus-proxy socket finding and mount hardening

  To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root. Instead of relying on the default locations of the DBus sockets, the environment variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set accordingly.

  User sockets are tried in the following order when starting the proxy:
  * DBUS_SESSION_BUS_ADDRESS
  * /run/user/<pid>/bus
  * /run/user/<pid>/dbus/user_bus_socket

  These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active.

  System sockets are tried in the following order:
  * DBUS_SYSTEM_BUS_ADDRESS
  * /run/dbus/system_bus_socket

  These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a socket in the filesystem) when the filtering or blocking policy is active.

  Commit 90facc1
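The socket lookup order from the commit above and the talk/own name lists from commit 31df60f, as an added example that is not firejail's own code: it resolves the user and system bus sockets in the stated order (skipping abstract or tcp addresses, which have no filesystem node to bind-mount over) and builds an xdg-dbus-proxy command line. The --filter, --talk= and --own= flags are xdg-dbus-proxy's own; the mapping of --dbus-user.talk/--dbus-user.own onto them, the proxy socket path under /run/firejail/mnt/dbus/, and the use of a temporary directory as a stand-in for the /run/user/... runtime directory are assumptions made here for illustration, not something this page confirms about firejail.

```python
"""Added example, not firejail's code: locate the user and system bus sockets in
the order the commit message gives, and build an xdg-dbus-proxy command line
from talk/own name lists.  Assumed for illustration: the mapping of
--dbus-user.talk/--dbus-user.own onto the proxy's --talk=/--own= flags, and
the proxy socket path under /run/firejail/mnt/dbus/."""
import os
import shutil
import socket
import stat
import sys
from typing import Optional, Sequence


def address_to_path(address: str) -> Optional[str]:
    """Filesystem path of a 'unix:path=...' D-Bus address, else None.

    Abstract sockets (unix:abstract=...) and tcp: transports have no node in
    the filesystem, so there is nothing to bind-mount over or block.  Trailing
    ',guid=...' style pairs are ignored.
    """
    if not address.startswith("unix:"):
        return None
    for pair in address[len("unix:"):].split(","):
        key, sep, value = pair.partition("=")
        if sep and key == "path" and value:
            return value
    return None


def is_socket(path: str) -> bool:
    """True only for an existing filesystem node of socket type."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def find_session_bus(env: dict, runtime_dir: str) -> Optional[str]:
    """User bus: DBUS_SESSION_BUS_ADDRESS first, then <runtime_dir>/bus, then
    <runtime_dir>/dbus/user_bus_socket.  runtime_dir stands for the
    /run/user/... directory named in the commit message."""
    candidates = []
    from_env = address_to_path(env.get("DBUS_SESSION_BUS_ADDRESS", ""))
    if from_env:
        candidates.append(from_env)
    candidates += [os.path.join(runtime_dir, "bus"),
                   os.path.join(runtime_dir, "dbus", "user_bus_socket")]
    return next((p for p in candidates if is_socket(p)), None)


def find_system_bus(env: dict, run_dir: str = "/run") -> Optional[str]:
    """System bus: DBUS_SYSTEM_BUS_ADDRESS first, then <run_dir>/dbus/system_bus_socket."""
    candidates = []
    from_env = address_to_path(env.get("DBUS_SYSTEM_BUS_ADDRESS", ""))
    if from_env:
        candidates.append(from_env)
    candidates.append(os.path.join(run_dir, "dbus", "system_bus_socket"))
    return next((p for p in candidates if is_socket(p)), None)


def proxy_argv(bus_socket: str, proxy_socket: str, talk: Sequence[str] = (),
               own: Sequence[str] = (), proxy_bin: str = "xdg-dbus-proxy") -> list:
    """xdg-dbus-proxy command line for one bus.

    --filter denies every well-known name not listed, so empty talk/own lists
    leave the sandbox with a connection that can reach nothing but the bus
    itself.  --talk=NAME allows calls to NAME and messages from it;
    --own=NAME lets the sandbox claim NAME on the bus.
    """
    argv = [proxy_bin, "unix:path=" + bus_socket, proxy_socket, "--filter"]
    argv += ["--talk=" + n for n in talk]
    argv += ["--own=" + n for n in own]
    return argv


def bind_unix_socket(path: str) -> socket.socket:
    """Bind a listening AF_UNIX socket at path; used only to construct a fake
    bus layout for the demonstration below."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.listen(1)
    return s


if __name__ == "__main__":
    import tempfile
    runtime_dir = tempfile.mkdtemp()   # constructed stand-in for /run/user/<uid>
    keep = bind_unix_socket(os.path.join(runtime_dir, "bus"))
    # An abstract address in the environment is skipped; the lookup falls
    # through to <runtime_dir>/bus.
    env = {"DBUS_SESSION_BUS_ADDRESS": "unix:abstract=/tmp/dbus-demo,guid=0"}
    bus = find_session_bus(env, runtime_dir)
    print("user bus socket:", bus)
    if shutil.which("xdg-dbus-proxy") is None:
        # As in commit 870c8c8: a missing proxy is a warning, not a hard error.
        print("warning: xdg-dbus-proxy not installed; bus access would be "
              "unrestricted", file=sys.stderr)
    print(" ".join(proxy_argv(bus, "/run/firejail/mnt/dbus/user",
                              talk=["org.freedesktop.Notifications"],
                              own=["org.example.App"])))
    keep.close()
```

The proxy has to be running, with its socket in place, before the sandboxed process starts and the proxy socket is bind-mounted over the real bus path; the commits above do that step outside the sandbox namespace so the sandboxed process never sees the fds of the real buses.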
- Turn DBus profile errors into warnings

  This patch also allows setting the DBus policies to filter even if xdg-dbus-proxy is not installed. In that case, unrestricted access to the bus is allowed, but a warning is emitted.

  Commit 870c8c8
Commits on Apr 7, 2020
- Commit e91b9ff