Draft: dbus-server-socket: Make unix:tmpdir equivalent to unix:dir

Simon McVittie requested to merge smcv/dbus:no-abstract-tmpdir into master

Security hardening, based on !348 (closed) (review that first, and only look at the last commit when considering this MR).

  • dbus-server-socket: Make unix:tmpdir equivalent to unix:dir

    unix:tmpdir and unix:dir were always equivalent on non-Linux platforms such as the BSDs, where only the POSIX path-based (unix:path) sockets are supported, and the OS-specific abstract (unix:abstract) sockets are not.

    On Linux, the difference between them is that since commit a70b042f (2003-06-04), unix:tmpdir would use abstract Unix sockets. This avoids needing to clean up the sockets from the filesystem when finished with them, but it turns out to be problematic when using namespace-based containers (see previous commits and #416 (closed)), so 14 years later, in commit b951c500 "Add unix:dir=/something addresses" I added unix:dir which had the original unix:tmpdir behaviour, namely always producing a unix:path socket.

    To avoid these sockets becoming an unintended sandbox escape, we can make unix:tmpdir equivalent to unix:dir on all platforms, partially reverting commit a70b042f. This is technically not even an incompatible spec change, because (as is necessary to make the spec implementable on *BSD) the spec only says that server implementations may yield a unix:abstract socket for unix:tmpdir, and not that they must do so.

    This is a behaviour change and does have a regression risk, similar to the earlier commit that changed the default session bus address. As with that earlier commit, the justification for introducing that regression risk is that it avoids D-Bus servers inadvertently becoming a sandbox escape route.

    Helps: #416 (closed)

/cc @thiago @mcatanzaro

I think this is too intrusive for %1.14.x but would be good to have in %1.16.0, although I'm willing to be persuaded in either direction.

Edited by Simon McVittie
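The distinction the commit message turns on, as an added example written for this page (it is not dbus code): a unix:dir style socket is a filesystem node, so it is created, found and hidden through the mount namespace, whereas the abstract socket that unix:tmpdir used to produce on Linux is reachable by name alone and leaves nothing on the filesystem, so a sandbox with a private mount namespace but a shared network namespace still reaches it. The code assumes Linux (the abstract namespace) and a writable /tmp; the directory and socket names are constructed for the example.

```c
/* Added example, not dbus code: path-based vs abstract Unix sockets.
 * Assumes Linux and a writable /tmp; all names below are constructed. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Fill a sockaddr_un for NAME. With ABSTRACT set, the name goes into the Linux
 * abstract namespace (leading NUL byte) and never touches the filesystem.
 * Returns the address length to pass to bind/connect, or 0 if NAME is too long. */
static socklen_t fill_addr(struct sockaddr_un *addr, const char *name, int abstract)
{
    size_t n = strlen(name);
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    if (n + 2 > sizeof addr->sun_path)
        return 0;
    if (abstract) {
        memcpy(addr->sun_path + 1, name, n);          /* sun_path[0] stays '\0' */
        return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
    }
    memcpy(addr->sun_path, name, n + 1);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
}

/* Bind and listen on NAME; returns the listening fd or -1. */
static int bind_unix(const char *name, int abstract)
{
    struct sockaddr_un addr;
    socklen_t len = fill_addr(&addr, name, abstract);
    int fd;
    if (len == 0) return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&addr, len) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Connect to NAME as a client would; returns 1 on success, 0 otherwise. */
static int connect_unix(const char *name, int abstract)
{
    struct sockaddr_un addr;
    socklen_t len = fill_addr(&addr, name, abstract);
    int fd, ok;
    if (len == 0) return 0;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    ok = connect(fd, (struct sockaddr *)&addr, len) == 0;
    close(fd);
    return ok;
}

static int fs_node_exists(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0;
}

/* unix:dir behaviour: a path socket inside a fresh private directory.
 * Returns 1 if the socket is a visible filesystem node that clients reach
 * through the path (so a mount namespace can hide it), -1 on error.
 * The unlink/rmdir at the end is the cleanup cost such sockets impose. */
int path_socket_is_fs_node(void)
{
    char dir[] = "/tmp/dbus-example-XXXXXX";   /* constructed name */
    char path[sizeof dir + 8];
    int fd, visible;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/socket", dir);
    fd = bind_unix(path, 0);
    if (fd < 0) { rmdir(dir); return -1; }
    visible = fs_node_exists(path) && connect_unix(path, 0);
    close(fd);
    unlink(path);   /* without this a stale socket node stays behind */
    rmdir(dir);
    return visible;
}

/* Old Linux unix:tmpdir behaviour: an abstract socket. Returns 1 if the socket
 * is reachable by name alone while no filesystem node exists for it; the name
 * is scoped by network namespace, not by the filesystem view. -1 on error. */
int abstract_socket_is_name_only(void)
{
    char name[64];
    int fd, result;
    snprintf(name, sizeof name, "/tmp/dbus-example-abstract-%ld", (long)getpid());
    fd = bind_unix(name, 1);
    if (fd < 0) return -1;
    result = !fs_node_exists(name) && connect_unix(name, 1);
    close(fd);      /* the abstract name disappears with the last open fd */
    return result;
}

int main(void)
{
    printf("path socket is a filesystem node: %d\n", path_socket_is_fs_node());
    printf("abstract socket is name-only:     %d\n", abstract_socket_is_name_only());
    return 0;
}
```

Running it on Linux prints 1 for both probes: the path socket exists as a node the sandbox's mount namespace governs, while the abstract one is found purely by name, which is why the merge request makes unix:tmpdir produce the path-based form.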