Block access to dbus #343
Comments
|
We don't block dbus access, instead we run a filtering dbus proxy that all dbus calls go through. However, it looks like this may affect us still. We do allow apps to send messages and signals directly to the "org.freedesktop.DBus" name on the bus, which seems to be the issue here. /cc @smcv you know this best, do we have a problem here? |
|
There are two things you could mean by "D-Bus access": the session bus and the system bus. The session bus is per-uid; the worst-case vulnerability there is escalating from sandboxed uid 1000 (or whatever your uid is) to un-sandboxed uid 1000. The system bus is per-system (whatever "system" means, originally per-kernel, but now more likely per-OS-container), so the worst-case vulnerability there is escalating from sandboxed uid 1000 to a different un-sandboxed uid. Either way, the correct solution to this is to fix the host's dbus-daemon. dbus-daemon is meant to be safe to use as a privilege boundary; that's why we handled the format string issue (fd.o bug 98157) as a security vulnerability, and not just a bug. (I must admit I was mainly thinking of the system bus and not the session bus when I treated that as a vulnerability, though.) 98157 is not exploitable unless you own the name On the system bus (where the worst-case impact of 98157 is privilege escalation between uids, not just a sandbox bypass for the unprivileged uid),
It would be fine for Flatpak to optionally block D-Bus access via a flag in the app's metadata, but unconditionally blocking the session bus altogether would break the majority of the apps that are packaged this way, so, no. The situation on the system bus is less clear-cut. @alexlarsson, is the system bus treated the same at the moment, with filtering? (Note that anything on the system bus that is not safe for random users to call is already meant to be access-controlled, with missing access-controls being a security vulnerability whether you have Flatpak or not.)
I would recommend allowing exactly those messages that you know to be OK, and forbidding the others. That's:
and depending on your security model (the extent to which it is considered to be acceptable that apps in the sandbox can learn about apps outside), perhaps:
You certainly don't want to allow:
|
|
So, currently both system and session bus are accessible, but via a proxy. In this proxy you have per-name rules (that actually also affects unique names that own the corresponding names). On these you can have permissions NONE, SEE, TALK & OWN. Additionally we do special filtering on METHOD CALLS (but not at at signals atm) to the name org.freedesktop.DBus, iface org.freedesktop.DBus. Looking at your list I see a few issues we need to fix:
|
Make sure we can only send message calls (not e.g. unicast signals) to the bus. Also, whitelist the list of allowed interfaces to org.freedesktop.DBus and org.freedesktop.DBus.Introspectable See #343 for the origin discussion of this.
|
With that i belive we're secure in general and in particular the unicast filtering fixes the specific worry above. |
|
b337c95 looks good to me. |
A very serious vulnerability was discovered where dbus-daemon used ipc message as format string. Subgraph's Oz sandbox say they are not affected since they block dbus access to isolated processes. I recommend you do the same if not already.
https://bugs.freedesktop.org/show_bug.cgi?id=98157
/cc @adrelanos
The text was updated successfully, but these errors were encountered: