-
Notifications
You must be signed in to change notification settings - Fork 556
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Jail escape through DBus #796
Comments
So apparently using |
Also, is fine-grained control of DBus even possible without a complete rewrite of DBus itself? I guess one way is to blacklist DBus service files. That would entail letting blacklist and whitelist operate on /usr...is that an option @netblue30? |
DBus runs an abstract socket, very similar to x11. So far there are two ways to stop it: --net= and --apparmor. I will document it on the Known Problems page on project website. |
@chiraag-nataraj it's also possible to prevent access to DBus using @netblue30 the issue isn't to prevent access to DBus, but to allow access to DBus without entirely compromising the sandbox. One hypothetical possibility would probably be to have a proxy between the jailed process and the real DBus daemon that controls access. Of course this would likely be a lot of effort to implement, but as of now the isolation for any process that requires DBus is sufficient only to prevent casual attacks. |
@lheckemann, I think the easier option is to blacklist service files in |
/usr/share/dbus-1/ - let me check out! @lheckemann, the biggest problem DBus has is browsers and other networking programs don't use it. Usually programs that have also been ported to Windows behave well in the absence of DBus. |
@chiraag-nataraj as far as I understand, that will only prevent automatic starting of the server and the jail can still be escaped if the user has a GNOME Terminal open. @netblue30 How is that a problem that DBus has? |
There are only a few applications relying on DBus, for example multilingual keyboard support. But if you don't need them you can just shut it down inside the sandbox. I don't know how a proxy would work, you still have to hide the abstract socket, otherwise the bad guy will go directly to the abstract socket bypassing the proxy. The only valid method I know for filtering the traffic over DBus is using AppArmor, but this is deep inside the kernel. We don't have anything equivalent in user space. |
Should the proxy and hiding the abstract socket not be possible through IPC namespacing? |
As far as I can tell, multilingual keyboard (fctix) is literally the only thing that legitimately uses DBus on my laptop. Everything else seems to rely on other mechanisms. Is there any way to get dbus to rely on unix sockets so that it's easy to blacklist/block? |
The commands I included as an example also work in a jail with
As for legitimate use cases for DBus, a variety of applications such as mail clients (which as we know are a good idea to sandbox) may wish to use libnotify to send notifications, which uses DBus, for example. |
Here's the profile I use for my terminal emulator:
With this profile, your example fails to work and DBus returns a |
Yes, this is a legitimate use of dbus.
No, unix sockets are in the network subsystem not in IPC subsystem.
Probably they have something similar to x11, where they say what type of sockets to use. |
Indeed, I found it. Look for the |
(thanks thiago on #dbus on irc.freenode.net!)
Key part being "the session bus assumes that all connecting processes have the same privileges", so sandboxed applications really shouldn't have unfiltered access to the session bus. This is also relevant to #801 |
Quirky as hell all this issue. I had noticed that in Fedora 22 I couldn't launch a free lxterminal for vimperator cause firejail. Now in Fedora 23 and 24 if you have any lxterminal already opened and execute on vimperator: It will be a escaped "trough" DBus ... It's 2016 and they don't care about sessions/security yet? I'm kind of amaze. |
Who are "they"? The issue is that the design of the interfaces to services that many applications will need to use (notifications, accessibility functions like advanced input methods, and others, even more basic stuff like integration with GNOME/Unity for the application menu) is based on the assumption that all applications having access to them have the same privileges. This is entirely opposite to the principle that firejail aims to implement: giving applications only the privileges that they need and none more. It's a design flaw in how applications interact with their environment, a design flaw that is still pervasive across most desktop environments (including on OSX and Windows). Newer platforms like Android were designed with privilege minimisation in mind (to some degree... Some of the more advanced functionality like lazy privilege granting was shoehorned in a bit... but regardless it's far better than what we've got on desktops) and allow applications to declare exactly which permissions they need. This means not only that they're isolated well, but that the user can be informed of what the application wants to do and in more recent versions can choose to deny it some of the requested permissions. This also avoids the hacky "profiles" solution we have in firejail. Basically, firejail is a hack to improve a broken system and hacks will never be better than a system that isn't broken in the first place.
|
I suppose I just can wait for someone to fix it. :) We need a Lennart for a dbus-like project. |
It seems just started... https://lwn.net/Articles/706025/ He's going to leave out desktop stuff for now but he's coming up against the D-Bus issues. |
Since we have |
It's 2020 and more and more applications use So, is there a way to filter dbus messages instead of having full or no access to dbus? Or, can we start a new instance? I have written a script for that but it would be nice as part of firejail. |
Thanks for the fast response. :) Following your link. |
Blacklisting client/server-based terminal emulators is not sufficient to avoid jailbreaks. For example, if GNOME Terminal is installed, one can escape using a wide variety of tools, such as
gdbus
or DBus bindings for the language of the attacker's choice.Example:
Of course there are diverse other attack options through DBus, such as shutting down the system through UPower, unmounting things mounted through GVFS, etc.
As a lot of applications will not work without access to DBus, there needs to be some more fine-grained access control to only allow applications access to the interfaces they really need...
The text was updated successfully, but these errors were encountered: