Userspace filtering dbus proxy

Alexander Larsson alexl at redhat.com
Tue May 12 06:37:04 PDT 2015


I'm working on xdg-app, which is an app bundling and sandboxing model for
Linux desktop apps. The main way for the app to talk to the system (and
for the system to talk to the app) is dbus (and Wayland/PulseAudio as
well).

I was expecting to use the kdbus custom endpoints and policies to limit
the access to the bus, but the kdbus upstream discussions seem to be
going slowly, so I wrote a userspace dbus proxy that applies a policy
similar to kdbus. When needed xdg-app then spawns such a proxy in the
app cgroup (so you can get the remote peer cgroup and find the app
source) but outside the app sandbox.

This unfortunately means yet another level of indirection and another
context switch for dbus messages, but it lets us move forward on the
rest of the infrastructure while kdbus is worked on.

The code for the proxy is here:
https://github.com/alexlarsson/xdg-app/blob/master/xdg-app-proxy.c

It starts with a big comment explaining how it works.
You can also try it easily if you build xdg-app, just do something like:

./xdg-dbus-proxy $DBUS_SESSION_BUS_ADDRESS /run/user/1000/proxy --filter --talk=org.foo.bar --see=org.gtk.* --own=org.my.name

Then:
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/proxy dbus-using-app

Since this is security facing code it would be nice if some people took
a look at it to see if there are any obvious issues with the approach it
uses (or plain bugs).

There is one major deviation from the kdbus semantics though. In kdbus a
custom endpoint will *never* see NameOwnerChanged signals for unique
IDs. However, in the context of the session bus this is a pretty common
operation. Some desktop app is started, and it claims its own app id on
the session bus to handle requests, and then it uses NameOwnerChanged
signals to track the lifetime of its clients.

This kind of lifetime tracking is very important for the dbus model.
Lifetimes were something we struggled a lot with when we used Corba for
IPC and that dbus finally solved. To fix this in the proxy I give all
clients that send messages to the proxied client a "SEE" policy which
allows the client to track the lifetime of that client. I think kdbus
needs something like this too.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl at redhat.com            alexander.larsson at gmail.com 
He's a maverick native American romance novelist possessed of the uncanny 
powers of an insect. She's a beautiful motormouth advertising executive 
with someone else's memories. They fight crime! 
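The policy model described in the post above (SEE/TALK/OWN per name, plus the deviation from kdbus where a peer that messages the sandboxed client is granted SEE on its unique name so NameOwnerChanged can be tracked), written out as a small Python model. This is an added example, not code from xdg-app or the xdg-dbus-proxy; the class and function names, the assumed wildcard syntax ("org.gtk.*" matching "org.gtk" and everything under it), and the rule that replies to a peer which already called in are allowed are all assumptions made for the example, not behaviour confirmed by the post.

```python
from enum import IntEnum


class Policy(IntEnum):
    """Policy levels ordered so that the most permissive matching rule wins."""
    NONE = 0
    SEE = 1   # may learn the name exists and receive its NameOwnerChanged signals
    TALK = 2  # SEE plus sending method calls / unicast signals to the name
    OWN = 3   # TALK plus claiming the name via RequestName


def _matches(pattern: str, name: str) -> bool:
    """Assumed wildcard syntax: 'org.gtk.*' matches 'org.gtk' and any name below it."""
    if pattern.endswith(".*"):
        base = pattern[:-2]
        return name == base or name.startswith(base + ".")
    return name == pattern


class ProxyPolicy:
    """Model of the filter applied by a userspace dbus proxy (hypothetical API)."""

    def __init__(self, see=(), talk=(), own=()):
        self.rules = ([(p, Policy.SEE) for p in see]
                      + [(p, Policy.TALK) for p in talk]
                      + [(p, Policy.OWN) for p in own])
        # Unique names (':1.42') of peers that have sent a message to the
        # sandboxed client. They are granted SEE dynamically, as in the post.
        self.peers_seen = set()

    def level(self, name: str) -> Policy:
        """Effective policy for a name: static rules for well-known names,
        the dynamic SEE grant for unique names."""
        if name.startswith(":"):
            return Policy.SEE if name in self.peers_seen else Policy.NONE
        best = Policy.NONE
        for pattern, lvl in self.rules:
            if _matches(pattern, name):
                best = max(best, lvl)
        return best

    # --- traffic from the sandboxed client toward the bus ---
    def allow_send(self, destination: str, reply: bool = False) -> bool:
        """Calls need TALK on the destination. Assumed: replying to a peer that
        already called into the client is allowed even though its unique name
        only carries SEE."""
        if reply:
            return destination in self.peers_seen
        return self.level(destination) >= Policy.TALK

    def allow_request_name(self, name: str) -> bool:
        """org.freedesktop.DBus.RequestName is only passed through with OWN."""
        return self.level(name) >= Policy.OWN

    # --- traffic from the bus toward the sandboxed client ---
    def on_incoming(self, sender: str) -> None:
        """A peer that messages the client gets SEE on its unique name so the
        client can follow that peer's lifetime (the deviation from kdbus)."""
        if sender.startswith(":"):
            self.peers_seen.add(sender)

    def forward_name_owner_changed(self, name: str) -> bool:
        """NameOwnerChanged(name, old_owner, new_owner) is forwarded only if the
        client may SEE the name in its first argument."""
        return self.level(name) >= Policy.SEE


def lifetime_tracking_scenario() -> dict:
    """Walk through the case from the post with the policy from the example
    command line. Bus names and the peer ':1.42' are constructed for the example."""
    policy = ProxyPolicy(see=["org.gtk.*"], talk=["org.foo.bar"], own=["org.my.name"])
    r = {}
    r["own_ok"] = policy.allow_request_name("org.my.name")
    r["own_talk_only"] = policy.allow_request_name("org.foo.bar")
    r["talk_ok"] = policy.allow_send("org.foo.bar")
    r["talk_see_only"] = policy.allow_send("org.gtk.Notifications")
    # Nobody has talked to the app yet: the peer's lifetime is invisible.
    r["before_grant"] = policy.forward_name_owner_changed(":1.42")
    policy.on_incoming(":1.42")          # peer calls a method on org.my.name
    r["reply_ok"] = policy.allow_send(":1.42", reply=True)
    # Now the app sees NameOwnerChanged(':1.42', ':1.42', '') when the peer exits.
    r["after_grant"] = policy.forward_name_owner_changed(":1.42")
    r["unrelated_peer"] = policy.forward_name_owner_changed(":1.99")
    return r


if __name__ == "__main__":
    for key, value in lifetime_tracking_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the last three results: without the dynamic grant the NameOwnerChanged signal for the peer's unique name would be dropped, exactly as a kdbus custom endpoint would drop it, and the app could not notice its client going away; with the grant only peers that actually talked to the app become visible, so an unrelated unique name stays hidden.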



More information about the dbus mailing list