Abstract unix sockets and session socket address
Thiago Macieira
thiago at kde.org
Tue Dec 16 08:41:48 PST 2014
On Tuesday 16 December 2014 10:39:32 Alexander Larsson wrote:
> I'm currently working on a desktop "app" system using container
> technologies, and I'm running into an issue with dbus use of abstract
> sockets. In the long run I want to do fully sandboxed apps, which
> implies kdbus. However, at the moment I want to just use the container
> aspect to ease deployment of apps (use a separate runtime for the app
> and the host), and as such I want the apps to be able to talk to dbus.
>
> In general, abstract sockets are a bad idea whenever namespaces are
> involved. Abstract sockets exist in a global namespace for each network
> namespace in use. This means that you can't have an app in its own
> network namespace and still talk to the session bus. It also means that
> if you're sharing the network namespace with the host there is no way to
> disallow the app access to the session bus (or any other service on the
> host using abstract sockets).
I'm not sure I understand you here. If you're in the same network namespace,
shouldn't you be allowed to access all the networking resources of that
namespace? Conversely, if you have a different network namespace, resources may
or may not be available depending on how the namespacing is done.
That said, the session bus socket is a network resource. If an app is in a
different namespace, it stands to reason it may not be allowed to access other
namespaces' resources.
> Regular non-abstract sockets are a much better fit for this. Since they
> exist in the regular filesystem tree they are naturally namespaced via
> the filesystem namespace, and you can easily "transplant" any particular
> socket from one namespace to the other using things like bind mounts. It
> also allows filesystem permission checks on the sockets.
Unless you have a different filesystem namespace, in which case it will break. I
don't see how one is different from the other here.
> In a modern desktop Linux the natural place to put the session socket is
> in XDG_RUNTIME_DIR, as this is an ephemeral location tied to the user
> login. In fact, the cleanup semantics of this directory solve the
> cleanup problems that caused dbus to use abstract sockets to begin with.
>
> I'm attaching a patch that lets you specify runtime=yes, or
> noabstract=yes in the listen address. With this you can have in your
> session.conf:
> <listen>unix:tmpdir=/tmp,runtime=yes</listen>
>
> In fact, I would propose that we make this the new default, as it's a
> no-op if XDG_RUNTIME_DIR is not set.
That looks good to me.
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel Open Source Technology Center
PGP/GPG: 0x6EF45358; fingerprint:
E067 918B B660 DBD1 105C 966C 33F5 F005 6EF4 5358
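The listen-address choice discussed above, as an added example (not code from the attached patch or from dbus-daemon): it parses a D-Bus server address such as unix:tmpdir=/tmp,runtime=yes, applies the runtime=yes / noabstract=yes rules as Alexander describes them, and binds both socket kinds to show that only the filesystem one leaves an entry that permission checks and bind mounts can act on. The file names bus and dbus-session and the exact semantics of the two keys are assumptions.

```python
import os
import socket
import stat
import tempfile

def parse_dbus_address(address):
    """Split one D-Bus server address ('unix:tmpdir=/tmp,runtime=yes') into
    (transport, {key: value}). Address lists joined by ';' are not handled."""
    transport, _, rest = address.partition(":")
    params = {}
    for item in filter(None, rest.split(",")):
        key, _, value = item.partition("=")
        params[key] = value
    return transport, params

def choose_socket_path(params, environ):
    """Pick where the session socket lands (assumed semantics): runtime=yes
    uses a filesystem socket under XDG_RUNTIME_DIR when that variable is set
    and is a no-op otherwise; noabstract=yes forces a filesystem socket under
    tmpdir. 'bus' and 'dbus-session' are placeholder names, not dbus-daemon's."""
    runtime_dir = environ.get("XDG_RUNTIME_DIR")
    if params.get("runtime") == "yes" and runtime_dir:
        return os.path.join(runtime_dir, "bus"), False
    tmpdir = params.get("tmpdir", "/tmp")
    abstract = params.get("noabstract") != "yes"
    return os.path.join(tmpdir, "dbus-session"), abstract

def bind_session_socket(path, abstract):
    """Bind an AF_UNIX socket. An abstract name (leading NUL byte) never shows
    up in the filesystem, so there is nothing to chmod or bind-mount and its
    only boundary is the network namespace. Returns (socket, mode or None)."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    if abstract:
        sock.bind(b"\0" + path.encode())   # Linux-only abstract namespace
        return sock, None
    sock.bind(path)
    os.chmod(path, 0o600)                  # owner only, enforced by the kernel
    return sock, stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Bind both kinds in a scratch directory and report what the filesystem
    sees: the abstract socket leaves no entry, the filesystem one does."""
    scratch = tempfile.mkdtemp()
    fs_sock, mode = bind_session_socket(os.path.join(scratch, "bus"), False)
    ab_sock, _ = bind_session_socket(os.path.join(scratch, "bus-abstract"), True)
    fs_visible = stat.S_ISSOCK(os.stat(os.path.join(scratch, "bus")).st_mode)
    ab_visible = os.path.exists(os.path.join(scratch, "bus-abstract"))
    fs_sock.close(); ab_sock.close()
    return {"fs_mode": mode, "fs_visible": fs_visible, "abstract_visible": ab_visible}
```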