Change default session bus listen address from tmpdir (abstract) to dir (path-based) for better interop with sandboxes
On Linux, there are two categories of AF_UNIX socket: abstract and path-based.
Path-based sockets are the same as the AF_UNIX sockets on non-Linux platforms like *BSD. They behave a lot like files: sandboxing/container frameworks can choose to share them, or not, as they wish (just like any other file, including devices, fifos and other pseudo-files). The main downside of a path-based socket is that it isn't automatically cleaned up when there is no longer a process listening on it, but we already have code to clean up path-based sockets when the dbus-daemon or another DBusServer terminates gracefully (and we already rely on that code for non-Linux platforms like *BSD, which don't have abstract sockets at all).
Abstract sockets behave like TCP, but with an arbitrary string instead of an IP address and port. Confusingly, the way they're used in dbus, the arbitrary string looks like a path (but it isn't). If a sandboxed/containerized application shares the network namespace with the host system, then it can access any abstract socket, which is often a potential sandbox escape. Conversely, because the abstract socket doesn't exist at the filesystem level, if a sandboxed/containerized application doesn't share the network namespace with the host system, the sandboxing/container framework can't bind-mount it into the container if sharing it is desirable.
This is particularly problematic for the well-known D-Bus session bus: if a sandboxed application can connect to the well-known D-Bus session bus, then that's a sandbox escape. Unfortunately, for historical reasons, our default listening address for a session bus started by `dbus-launch` or `dbus-user-session` is `unix:tmpdir=/tmp`, which prefers to use an abstract socket.
On Linux systems with `systemd --user` that configure dbus with `--enable-user-session` (such as Arch, and Debian/Ubuntu with the default `dbus-user-session` package), the session bus listens on a path-based socket and there is usually no problem - unless you run `dbus-launch` or `dbus-run-session` manually.
Similarly, on non-Linux systems, there is no problem, because abstract sockets don't exist.
The systems where this is a problem are Linux systems where either a non-systemd init system is in use, or the distro or sysadmin has explicitly disabled the user bus and enabled the traditional per-X11-display session bus (for example removing `dbus-user-bus` and installing `dbus-x11` on Debian/Ubuntu), or the user has explicitly run `dbus-launch` or `dbus-run-session`.
I think we should seriously consider changing the default listening address for the session bus to `unix:dir=/tmp`, which was added in dbus 1.12.x (the oldest supported branch of dbus) and always uses path-based sockets.
If distributions want to do this "early" or in a branch where this change has not been made, they can configure with `--with-dbus-session-bus-listen-address=unix:dir=/tmp`.
/cc @thiago @mcatanzaro