profiles: add dbus filters

[rusty-snake]

Opening as PR so we can disscuss about them. The most are just extracted from flathub, see #3265 (comment).

EDIT: everyone fell free to push more profiles here.

[rusty-snake]

BTW: firejail --noprofile --dbus-user=filter --audit | grep D-Bus MAYBE: D-Bus socket /run/firejail/mnt/dbus/user is available.

[kris7t]

First of all, thanks for creating the DBus profiles!

In the previous weeks, I was running the DBus filter with much tighter rules. As I use sway, not Gnome, desktop integration wasn't a problem, so I may be overly vigilant. Nevertheless, below I made some comments regarding the filter rules from flathub.

[kris7t]

Is allowing Gvfs access safe? Could for example a malicious application access any Gvfs mount (and potentially e.g., spread ransomware to an unsecured samba mount, using the credentials already provided to Gvfs by the user)?

Also, I don't think you need org.gtk.vfs here, org.gtk.vfs.* covers it as well.

[rusty-snake]

Resolved other org.gtk.vfs commend in order to have one thread.

Your right, the most programs don't need it.

TODO: can it be used to bypass disable-mnt/blacklist/whitelist.

[kris7t]

Allowing any firejailed application to own the name com.github.netblue30.firejail (and potentially impersonate firejail, if we ever add any custom DBus interfaces) sounds a bit risky.

[rusty-snake]

Thats just an example, it would not pass any review. However we can change it to com.example.appname.

[kris7t]

I am not sure whether unrestricted DConf access is always a good idea. A malicious application could, for example, change stuff under org.gnome.system.proxy to MITM traffic.

Luckily, users could just ignore dbus-user.talk ca.desrt.dconf in globals.local, and selectively enable it for applications that absolutely need it.

I wonder what's the flatpak solution for this vulnerability.

[rusty-snake]

I wonder what's the flatpak solution for this vulnerability.

https://docs.flatpak.org/en/latest/sandbox-permissions.html#dconf-access, a lot of flatpaks still use direct access. gnome-builder suggests it.

[rusty-snake]

A malicious application could, for example, change stuff under org.gnome.system.proxy to MITM traffic.

Or even worser: /org/gnome/terminal/legacy/profiles:/<UUID>/custom-command

[rusty-snake]

I only added it there as an example since it is common used.

[abranson]

A sandboxed dconf similar to flatpak's would be a logical next step after DBus

[kris7t]

What is the access policy of the secret service? I think at least Gnome keyring only asks for the user password once (at most, never if PAM unlocks it), and provides secrets to application without any confirmation required. Although arguably, that's a vulnerability in the secret service implementation (I'm pretty sure keepassxc can be set to ask for confirmation before releasing credentials), not in the sandbox.

[kris7t]

BTW: firejail --noprofile --dbus-user=filter --audit | grep D-Bus MAYBE: D-Bus socket /run/firejail/mnt/dbus/user is available.

Well, that socket is the proxy socket, so it should be present. But yeah, I should fix the audit so it does not emit a warning, it makes no sense to warn for a properly running filter.

[kris7t]

Starting with Firefox 75, there should probably also be a dbus-user.own org.mpris.MediaPlayer2.firefox.* for hardware media key support.

[rusty-snake]

I wanted to start minimal, there a lot more path for firefox + extensions. The policy used by the inoffical firefox-flatpak:

dbus-user filter
dbus-user.own org.mozilla.Firefox
dbus-user.own org.mozilla.firefox.*
dbus-user.talk org.freedesktop.FileManager1
dbus-user.talk org.freedesktop.Notifications
dbus-user.talk org.freedesktop.ScreenSaver
dbus-user.talk org.gnome.SessionManager
dbus-system filter
dbus-system.talk org.freedesktop.NetworkManager

[kris7t]

Whoah, org.freedesktop.NetworkManager sounds quite evil in this context (MITM via adding a VPN, or leaking IP and MAC addresses of interfaces otherwise isolated with --net=).

[Fred-Barclay]

@rusty-snake I was going to replace all nodbus in profiles with

dbus-system none
dbus-user none

as a general starting point

Ok to push here or should I open a new PR? It's probably lots of files so didn't want to clutter up this PR.

[rusty-snake]

@Fred-Barclay if you push upstream, I can rebase.

Nitpick: I used dbus-user before dbus-system.

[Fred-Barclay]

@rusty-snake I'm usually bad at alphabetising... in this case though for consistency's sake I'd guess dbus-system before dbus-user. What do you think?

[rusty-snake]

The must profiles will disable dbus or look like the example below. For my eyes it was nicer to have a dbus-system none at the bottom instead of the top.

dbus-user filter
dbus-user.own com.foo.bar
dbus-user.talk ca.desrt.dconf
dbus-user.talk org.freedesktop.smile
dbus-system none

The addresses (grouped by own and talk) should be alphabetical sure.

[Fred-Barclay]

@rusty-snake done, see 3848b98

There are a few small changes left, like how to handle ?HAS_NODBUS, but that should affect >5 files.

[glitsj16]

I get why we need to have ignore nodbus here. Does that mean we can remove it from firefox-common-addons.inc?

[rusty-snake]

Now needs to be ignore dbus-user none.

firefox-common.profile is used by firefox, thunderbird, waterfox, ... and disables D-Bus access. Of course we can't add the own rule to firefox-common. Because some program throw errors messages if D-Bus isn't available, but hardfail on D-Bus error due to work policy, I added this for now only to firefox.

[glitsj16]

Suppose a profile has dbus-user.talk org.freedesktop.Notifications and a user wants to override that, and only that. Is ignore still the correct/preferred way to do this with regards to the DBus filters? If so, I'll add an example to man firejail-profile to avoid potential confusion.

[rusty-snake]

I created a short list about some of the D-Bus addresses.

Legend:
# |0| => harmless
# |!| => Danger sandbox escape possible
# |!!| => Very dangerous
# |$| => sensitive

# |0| MediaKeys
org.gnome.SettingsDaemon.MediaKeys
# |!| Dconf
ca.desrt.dconf
# |0| NightMode/Screen temperaur
org.gnome.SettingsDaemon.Color
# |!!| Native notifications
org.freedesktop.Notifications
# |$| Keyring
org.freedesktop.secrets
# |$|
org.gnome.OnlineAccounts
# |0|
org.mpris.MediaPlayer2.APP
# |!!| Filesystem access (blacklist/whitelist esacape)
org.freedesktop.FileManager1
# |$| Unlock screen
org.freedesktop.ScreenSaver
# |$| reboot(?)
org.gnome.SessionManager
# |!|
org.freedesktop.NetworkManager
# |$|
org.gnome.evolution.dataserver.*
# |$|
org.freedesktop.GeoClue2
# |!|
org.gnome.Shell
# |!!|
org.gnome.Shell.*
# |!|
org.freedesktop.login1
# |!|
org.gtk.vfs.*


Things that `org.freedesktop.Notifications` can do:

# Screenshots

firejail --noprofile --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications dbus-send --session --print-reply --dest=org.freedesktop.Notifications /org/gnome/Shell/Screenshot org.gnome.Shell.Screenshot.Screenshot boolean:false boolean:false string:screenshot.png

# Unlock your screen

firejail --noprofile --dbus-user=filter --dbus-user.talk=org.freedesktop.Notifications dbus-send --session --print-reply --dest=org.freedesktop.Notifications /org/gnome/ScreenSaver org.gnome.ScreenSaver.SetActive boolean:false

# Install gnome-shell-extensions

# /org/gnome/Shell org.gnome.Shell **Eval** any code (gjs)

# /org/gnome/Mutter/ScreenCast org.gnome.Mutter.ScreenCast

Record your screen

# /org/gnome/keyring/Prompter org.gnome.keyring.internal.Prompter

IDK what it can, but keyring sounds not good.

# /org/gnome/SessionManager/EndSessionDialog org.gnome.SessionManager.EndSessionDialog

Logout; Poweroff?; Reboot?

# /org/gnome/Mutter/RemoteDesktop org.gnome.Mutter.RemoteDesktop

forward desktop

# /org/gnome/Mutter/DisplayConfig

turnoff the monitor

# force you to hard-poweroff

[Fred-Barclay]

@rusty-snake Awesome, care to toss it in the wiki?

[rusty-snake]

👍 Definitely something for the wiki. with more comments/descriptions and better formating.

---

What policy should be apply for org.freedesktop.Notifications?

[glitsj16]

What policy should be apply for org.freedesktop.Notifications?

That's one of the reasons I wanted to add an example to the firejail-profile man page. I admit not spending a whole lot of time on it and decided to add an example on how to override a given setting. But for this I would have liked a dbus-system.talk org.freedesktop.Notifications none option (or something similar). Probably not easily - if at all - implementable, but I for one will be scanning future profiles that allow it and do whatever I can to disable. Just a personal opinion...

[rusty-snake]

flatpak like: dbus-user.no-talk

I would say making it opt-in for whitelisting profiles.

[kris7t]

something like dbus-user.no-talk is potentially tricky (originally, I considered it, but decided not to implement for now) due to the presence of .* patterns in talk rules. Basically, what should happen if we have (fictitious example, obvious not a good idea to apply these exact rules):

dbus-user.talk org.freedesktop.*
dbus-user.no-talk org.freedesktop.Notifications

The challenge here is that, as far as I could find, there is no way to pass negative rules to xdg-dbus-proxy. We could resort to an approach similar to filesystem whitelisting, i.e., allow all names below org.freedesktop current present on the bus except Notifications, but that is complicated (we have to connect to the bus and list all names) and wrong (new names may appear all the time).

Alternatively, we could just throw an error if a no-talk rule is superseded by a talk rule (i.e., a no-talk with no corresponding talk rule or a talk rule which would whitelist that exact pattern of bus name(s) is ok, but anything more general than that is an error). That's pretty much what an ignore command does, tho.

I should really look into how Flatpak handles this.

On the other hand, xdg-dbus-proxy can disable dbus interfaces and methods in a quite fine-grained manner, so the Notifications issue (with the rest of Gnome Shell being practically exposed) can be handled more easily.

[rusty-snake]

I would say dbus-user.no-talk can act like (no)blacklist, path/address of the no command must match the path/address of the blacklist/talk command.

[glitsj16]

@kris7t Very informative ^. I might have missed it, but have there been suggestions on how to deal with org.freedesktop.portal.* (see here) yet?

[rusty-snake]

https://github.com/netblue30/firejail/wiki/Restrict-D-Bus -- disscussion

[kris7t]

@glitsj16 Unfortunately, I don't know much about xdg-portals. I think Gnome has some kind of settings dialog for at least flatpak app permissions (filesystem access, webcam, microphone, etc.). I don't know whether that's just black/whitelisting the D-Bus names of portals, or something implemented inside the portals themselves.

[rusty-snake]

From my side we could merge.

[glitsj16]

From my side we could merge.

@rusty-snake LGTM. Great work and a big thank you to all involved!