Use unix sockets instead of abstract sockets
Quoting @mcatanzaro (from #28 (comment 992076)), because it's a much better summary than mine:
Secure host services must not use abstract sockets.
If your sandboxed application uses --share=net to access the host network namespace, which is required for internet access, then it gets access to all the host's abstract sockets as well. Loads of sandboxed applications necessarily have to use --share=net.
If your sandboxed application does not use --share=net, it cannot access any host abstract sockets.
Fixes #28 (closed)
As I noted in #28 (closed), I've tested this on my Debian Bullseye system and it does correctly switch the daemon from listening on an abstract socket to listening on a unix socket (in /tmp/dbus-XXXX), but I'm not actually sure how to test that it's working properly because I'm unfortunately not very familiar with the accessibility daemon (or actually dbus, for that matter).
I'm also happy to rebase, amend, discuss, adjust, close, defer, etc. as desired!
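An added audit example, not part of this merge request or the project's code: because abstract sockets are reachable from any sandbox that uses --share=net, this lists the listening abstract sockets in a /proc/net/unix dump so a host service still using one can be spotted. The sample table and the socket names in it are constructed for illustration.

```python
"""Audit helper: find listening abstract-namespace unix sockets."""
import sys

ACCEPTCON = 0x00010000  # __SO_ACCEPTCON flag: socket is in the listen() state

# Constructed sample in /proc/net/unix format (not captured from a real host).
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 23456 @/tmp/dbus-EXAMPLE
0000000000000000: 00000002 00000000 00010000 0001 01 23457 /run/user/1000/bus
0000000000000000: 00000003 00000000 00000000 0001 03 23458 @/tmp/dbus-EXAMPLE
0000000000000000: 00000003 00000000 00000000 0001 03 23459
"""


def listening_sockets(table):
    """Yield (kind, name) for every listening socket in a /proc/net/unix dump."""
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)     # the path is the 8th field and may hold spaces
        if len(fields) < 8:
            continue                     # unnamed socket: nothing to connect to by name
        flags, path = int(fields[3], 16), fields[7]
        if not flags & ACCEPTCON:
            continue                     # connected or unbound endpoint, not a listener
        # The kernel prints the leading NUL of an abstract name as '@'.
        kind = "abstract" if path.startswith("@") else "pathname"
        yield kind, path


def abstract_listeners(table):
    """Return the sorted, de-duplicated names of listening abstract sockets."""
    return sorted({name for kind, name in listening_sockets(table)
                   if kind == "abstract"})


if __name__ == "__main__":
    # Read the live table on Linux, otherwise fall back to the constructed sample.
    if sys.platform == "linux":
        with open("/proc/net/unix") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for name in abstract_listeners(text):
        print(name)
```

Pathname listeners are reported separately by `listening_sockets` because their exposure depends on filesystem permissions and on what the sandbox mounts, not on the network namespace.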