[PR #3265] [MERGED] Fine-grained DBus sandboxing #4701

Closed
opened 2026-05-05 10:25:00 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3265
Author: @kris7t (https://github.com/kris7t)
Created: 3/2/2020
Status: Merged
Merged: 4/7/2020
Merged by: @kris7t

Base: master ← Head: dbus-proxy


📝 Commits (9)

  • 6fc8a55 Add --dbus-user and --dbus-system options (https://github.com/netblue30/firejail/commit/6fc8a559ded2cc8cf263288ef111d8876673e2fb)
  • 2345cc4 Add sbox_exec_v and SBOX_KEEP_FDS (https://github.com/netblue30/firejail/commit/2345cc4c7d1ec1322c50d11e992be49ba3588db3)
  • 0afb43a Add xdg-dbus-proxy support (https://github.com/netblue30/firejail/commit/0afb43a5607574fa946fdfd65f3a4cfa25cfa018)
  • 31df60f Add dbus filter options (https://github.com/netblue30/firejail/commit/31df60f61d2c286674d7a062797fba494d1fd47c)
  • 5fa90d0 Add documentation for DBus filtering (https://github.com/netblue30/firejail/commit/5fa90d04ac4e8ea8df174a0921b45570d8147707)
  • db4c5b0 xdg-dbus-proxy hardening (https://github.com/netblue30/firejail/commit/db4c5b0f50e7d572116994fffe19af3967c8853e)
  • 90facc1 xdg-dbus-proxy socket finding and mount hardening (https://github.com/netblue30/firejail/commit/90facc19c2708b60eb81a2a29993a3f16596bab6)
  • 870c8c8 Turn DBus profile errors into warnings (https://github.com/netblue30/firejail/commit/870c8c816fb7f99ea0fe5cc1b7cf900a857cfed7)
  • e91b9ff Deprecate --nodbus option (https://github.com/netblue30/firejail/commit/e91b9ff0f2ca1715cffda6f4578aeb9dccef2fc4)

📊 Changes

12 files changed (+951 additions, -218 deletions)

📝 src/firejail/dbus.c (+417 -22)
📝 src/firejail/firejail.h (+16 -2)
📝 src/firejail/fs.c (+1 -0)
📝 src/firejail/main.c (+77 -3)
📝 src/firejail/preproc.c (+14 -0)
📝 src/firejail/profile.c (+64 -3)
📝 src/firejail/sandbox.c (+1 -2)
📝 src/firejail/sbox.c (+195 -174)
📝 src/firejail/usage.c (+6 -0)
📝 src/include/rundefs.h (+4 -0)
📝 src/man/firejail-profile.txt (+48 -6)
📝 src/man/firejail.txt (+108 -6)

📄 Description

This PR adds the `dbus-user` and `dbus-system` options to individually control access to the session and system DBus buses, as per #3184. Access policies to the buses can be `allow`, which completely allows the bus, `filter`, which runs `xdg-dbus-proxy` (https://github.com/flatpak/xdg-dbus-proxy), and `none`, which disables access. The `nodbus` option, which is equivalent to `dbus-user none` `dbus-system none`, is kept for compatibility.

Filter rules for `xdg-dbus-proxy` can be specified with the `dbus-user.talk`, `dbus-user.own`, `dbus-system.talk`, and `dbus-system.own` options. While `xdg-dbus-proxy` implements finer-grained rules, these four should hopefully be enough to convert filter rules from Flatpak manifests.

On the implementation side:

  • The new filter rules are added to the profile similarly to `blacklist` and `whitelist` commands.
  • `xdg-dbus-proxy` runs outside the sandbox namespace (to maintain access to the original DBus sockets), but contained by a modified version of `sbox_run`. It is linked to the parent firejail process by a pipe fd, closing which triggers its exit, so it (hopefully) quits when the parent firejail process exits for any reason.
  • Filtered DBus sockets are in `/run/firejail/dbus` and are bind-mounted to their usual locations inside the sandbox. Even the system DBus socket is owned by the user running the sandbox, not root, because if we `chown` it to root, xdg-dbus-proxy cannot clean them up when it exits (and the parent firejail process might not be around to clean them up instead). So inside the sandbox, the system DBus socket is owned by a normal user. This does not cause any problems when connecting to the bus, but might be used to detect the sandbox.

This PR does not contain any profile changes, so all profiles continue to constrain DBus access in a coarse-grained way. Hopefully, in the future, profiles can be updated to take advantage of DBus filtering, but that might require a hard dependency on xdg-dbus-proxy, or some auto-detection mechanism.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
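As an added example (not code from the PR, nor from firejail's dbus.c or sbox.c), the C program below reconstructs the two mechanisms the description relies on: translating one bus's talk/own rules into an xdg-dbus-proxy command line, and the pipe-based lifetime link, where the helper holds the pipe's read end and exits on EOF once the parent closes the write end (deliberately, or because the parent died and the kernel closed its descriptors). `--filter`, `--talk=NAME`, `--own=NAME` and `--fd=FD` are xdg-dbus-proxy's own options; the `dbus_filter_t` struct, the argv mapping and the helper function names are this example's assumptions, and the bus address, socket path and bus names are constructed sample values.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_RULES 16
#define MAX_ARGS  (5 + 2 * MAX_RULES)

/* One bus's rule set, roughly what a profile's dbus-user.talk / dbus-user.own
 * (or dbus-system.*) lines would accumulate. Layout is this example's own. */
typedef struct {
    const char *bus_address;      /* upstream bus, e.g. "unix:path=/run/user/1000/bus" */
    const char *proxy_socket;     /* filtered socket the sandbox later gets bind-mounted */
    const char *talk[MAX_RULES];  /* well-known names the sandbox may talk to */
    const char *own[MAX_RULES];   /* well-known names the sandbox may own */
    int ntalk, nown;
} dbus_filter_t;

/* malloc'ed concatenation of prefix and s (avoids relying on strdup/asprintf). */
static char *cat_dup(const char *prefix, const char *s) {
    size_t n = strlen(prefix) + strlen(s) + 1;
    char *out = malloc(n);
    if (out) snprintf(out, n, "%s%s", prefix, s);
    return out;
}

/* Builds a NULL-terminated xdg-dbus-proxy argv from the rule set. sync_fd is the
 * pipe end the proxy watches (--fd); it exits when that fd reaches EOF.
 * Returns argc, or -1 on failure (argv is still NULL-terminated). */
int build_proxy_argv(const dbus_filter_t *f, int sync_fd, char *argv[MAX_ARGS + 1]) {
    char fdbuf[32];
    int argc = 0;
    argv[0] = NULL;
    if (f->ntalk > MAX_RULES || f->nown > MAX_RULES) return -1;
    snprintf(fdbuf, sizeof fdbuf, "--fd=%d", sync_fd);
    argv[argc++] = cat_dup("xdg-dbus-proxy", "");
    argv[argc++] = cat_dup(fdbuf, "");
    argv[argc++] = cat_dup(f->bus_address, "");
    argv[argc++] = cat_dup(f->proxy_socket, "");
    argv[argc++] = cat_dup("--filter", "");  /* default-deny: only the rules below open access */
    for (int i = 0; i < f->ntalk; i++) argv[argc++] = cat_dup("--talk=", f->talk[i]);
    for (int i = 0; i < f->nown; i++)  argv[argc++] = cat_dup("--own=", f->own[i]);
    argv[argc] = NULL;
    for (int i = 0; i < argc; i++) if (!argv[i]) return -1;
    return argc;
}

void free_proxy_argv(char *argv[]) {
    for (int i = 0; argv[i]; i++) free(argv[i]);
}

/* Constructed sample rule set; returns argc (8) if every argv entry matches
 * what the rules should yield, -1 otherwise. */
int demo_build_argv(void) {
    dbus_filter_t f = {
        .bus_address = "unix:path=/run/user/1000/bus",          /* constructed */
        .proxy_socket = "/run/firejail/dbus/12345/user",        /* constructed */
        .talk = { "org.freedesktop.Notifications", "org.freedesktop.portal.Desktop" },
        .own = { "org.example.App" },
        .ntalk = 2, .nown = 1,
    };
    const char *want[] = {
        "xdg-dbus-proxy", "--fd=7", "unix:path=/run/user/1000/bus",
        "/run/firejail/dbus/12345/user", "--filter",
        "--talk=org.freedesktop.Notifications", "--talk=org.freedesktop.portal.Desktop",
        "--own=org.example.App",
    };
    char *argv[MAX_ARGS + 1];
    int argc = build_proxy_argv(&f, 7, argv);
    int ok = argc == 8;
    for (int i = 0; ok && i < argc; i++) ok = strcmp(argv[i], want[i]) == 0;
    free_proxy_argv(argv);
    return ok ? argc : -1;
}

/* The lifetime link: the helper inherits the pipe's read end and blocks on it;
 * when the parent closes the write end, read() returns 0 and the helper exits.
 * Returns the helper's exit status (0 expected), or -1 on error. */
int demo_pipe_lifetime(void) {
    int pfd[2], status;
    if (pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* helper side */
        char c;
        close(pfd[1]);              /* must not keep the write end alive itself */
        while (read(pfd[0], &c, 1) < 0 && errno == EINTR) {}
        _exit(0);                   /* EOF: parent is gone, leave */
    }
    close(pfd[0]);                  /* parent keeps only the write end */
    if (waitpid(pid, &status, WNOHANG) != 0) return -1;  /* helper must still be alive */
    close(pfd[1]);                  /* stands in for the parent exiting */
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("argv check: %s\n", demo_build_argv() == 8 ? "ok" : "mismatch");
    printf("helper exit status after parent closed the pipe: %d\n", demo_pipe_lifetime());
    return 0;
}
```

The argv is only built, never executed, so the program runs without xdg-dbus-proxy installed; in a real launcher the write end of the pipe must be marked close-on-exec everywhere except in the proxy's inherited read end, otherwise a leaked copy of the write end in some other child keeps the proxy alive after firejail is gone.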
