From c0a1a3b384a27b4b18628174a5c4d9f3fb0a8c82 Mon Sep 17 00:00:00 2001
From: msizanoen1
Date: Fri, 21 Oct 2022 21:52:19 +0700
Subject: [PATCH 1/2] gio/gdbusserver: use non-abstract socket for unix:tmpdir=

This implements https://gitlab.freedesktop.org/dbus/dbus/-/merge_requests/350 for GDBus's server implementation. Abstract sockets belong to the network namespace instead of the mount namespace. As a result, mount namespace-based sandboxes (e.g. Flatpak) cannot restrict access to abstract sockets (and therefore GDBus's unix:tmpdir= server addresses), at least for applications with network access permission, which may result in sandbox escapes unless the application running the GDBus server explicitly check that the connecting process is not in a sandbox. As of the time of writing, no known applications using GDBusServer does this. Fix this by always using non-abstract sockets for unix:tmpdir=, which is allowed by the DBus specification.
---
 gio/gdbusserver.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/gio/gdbusserver.c b/gio/gdbusserver.c
index f144d129ae..db0c9ab50a 100644
--- a/gio/gdbusserver.c
+++ b/gio/gdbusserver.c
@@ -725,14 +725,7 @@ try_unix (GDBusServer *server,
 for (n = 0; n < 8; n++)
 g_string_append_c (s, random_ascii ());
 
- /* prefer abstract namespace if available for tmpdir: addresses
- * abstract namespace is disallowed for dir: addresses */
- if (tmpdir != NULL && g_unix_socket_address_abstract_names_supported ())
- address = g_unix_socket_address_new_with_type (s->str,
- -1,
- G_UNIX_SOCKET_ADDRESS_ABSTRACT);
- else
- address = g_unix_socket_address_new (s->str);
+ address = g_unix_socket_address_new (s->str);
 g_string_free (s, TRUE);
 
 local_error = NULL;
--
GitLab

From 9151fe94cb21ef78c00b0ce0b7dfebdbc423830c Mon Sep 17 00:00:00 2001
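Review bot: The new `address = g_unix_socket_address_new (s->str);` carries no comment, so the deliberate policy it encodes is invisible at the call site and a later contributor could reinstate the abstract-namespace branch as an "optimisation"; I would keep a short comment such as `/* Always use a filesystem socket, also for tmpdir: addresses: abstract sockets live in the network namespace, so mount-namespace sandboxes cannot restrict access to them (see the commit message). */`. Worth stating in that comment too is the consequence that reachability of the socket is now governed by the permissions of the directory it is created in, so a tmpdir: under a shared /tmp is reachable by every local user and the server's authentication flags (G_DBUS_SERVER_FLAGS_AUTHENTICATION_REQUIRE_SAME_USER, or a GDBusAuthObserver) carry the access control. Since tmpdir: sockets are now filesystem entries exactly like dir: ones, it is also worth confirming that whatever unlinks the dir: socket when the server stops covers this path as well — that code, and the rest of try_unix, lie outside the hunk.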
From: msizanoen1
Date: Fri, 21 Oct 2022 21:57:28 +0700
Subject: [PATCH 2/2] gio: remove pointless use of g_unix_socket_address_abstract_names_supported with unix:tmpdir=

There's no point in checking for g_unix_socket_address_abstract_names_supported now that unix:tmpdir= always use non-abstract sockets.
---
 gio/gdbusdaemon.c | 9 ++-------
 gio/tests/gdbus-auth.c | 15 ++++-----------
 gio/tests/gdbus-overflow.c | 9 ++-------
 gio/tests/gmenumodel.c | 9 ++-------
 4 files changed, 10 insertions(+), 32 deletions(-)

diff --git a/gio/gdbusdaemon.c b/gio/gdbusdaemon.c
index 8837b48192..5a8e523f05 100644
--- a/gio/gdbusdaemon.c
+++ b/gio/gdbusdaemon.c
@@ -1618,13 +1618,8 @@ initable_init (GInitable *initable,
 if (daemon->address == NULL)
 {
 #ifdef G_OS_UNIX
- if (g_unix_socket_address_abstract_names_supported ())
- daemon->address = g_strdup ("unix:tmpdir=/tmp/gdbus-daemon");
- else
- {
- daemon->tmpdir = g_dir_make_tmp ("gdbus-daemon-XXXXXX", NULL);
- daemon->address = g_strdup_printf ("unix:tmpdir=%s", daemon->tmpdir);
- }
+ daemon->tmpdir = g_dir_make_tmp ("gdbus-daemon-XXXXXX", NULL);
+ daemon->address = g_strdup_printf ("unix:tmpdir=%s", daemon->tmpdir);
 flags |= G_DBUS_SERVER_FLAGS_AUTHENTICATION_REQUIRE_SAME_USER;
 #else
 /* Don’t require authentication on Windows as that hasn’t been
diff --git a/gio/tests/gdbus-auth.c b/gio/tests/gdbus-auth.c
index b0d163d98d..e62f53f871 100644
--- a/gio/tests/gdbus-auth.c
+++ b/gio/tests/gdbus-auth.c
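Review bot: `g_dir_make_tmp ("gdbus-daemon-XXXXXX", NULL)` is now the only way the daemon obtains an address, yet its result is still unchecked: on failure `daemon->tmpdir` is NULL, the next line formats `unix:tmpdir=(null)`, and the error surfaces later in a less obvious place (a NULL `daemon->tmpdir` presumably also defeats any later removal of the directory). Before this change that branch was only a fallback; now it deserves proper handling — pass the function's GError out-parameter instead of NULL and return FALSE when the result is NULL. The test hunks in gio/tests/gdbus-auth.c, gio/tests/gdbus-overflow.c and gio/tests/gmenumodel.c make the same call with NULL; there a `g_assert_nonnull (tmpdir);` after the call would turn a tmpdir failure into a clear test failure rather than a confusing connection error. initable_init continues outside the hunk.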
@@ -63,17 +63,10 @@ server_new_for_mechanism (const gchar *allowed_mechanism)
 guid = g_dbus_generate_guid ();
 
 #ifdef G_OS_UNIX
- if (g_unix_socket_address_abstract_names_supported ())
- {
- addr = g_strdup ("unix:tmpdir=/tmp/gdbus-test-");
- }
- else
- {
- gchar *tmpdir;
- tmpdir = g_dir_make_tmp ("gdbus-test-XXXXXX", NULL);
- addr = g_strdup_printf ("unix:tmpdir=%s", tmpdir);
- g_free (tmpdir);
- }
+ gchar *tmpdir;
+ tmpdir = g_dir_make_tmp ("gdbus-test-XXXXXX", NULL);
+ addr = g_strdup_printf ("unix:tmpdir=%s", tmpdir);
+ g_free (tmpdir);
 #else
 addr = g_strdup ("nonce-tcp:");
 #endif
diff --git a/gio/tests/gdbus-overflow.c b/gio/tests/gdbus-overflow.c
index e3896e1b11..b0dc89f0f9 100644
--- a/gio/tests/gdbus-overflow.c
+++ b/gio/tests/gdbus-overflow.c
@@ -219,13 +219,8 @@ main (int argc,
 
 if (is_unix)
 {
- if (g_unix_socket_address_abstract_names_supported ())
- tmp_address = g_strdup ("unix:tmpdir=/tmp/gdbus-test-");
- else
- {
- tmpdir = g_dir_make_tmp ("gdbus-test-XXXXXX", NULL);
- tmp_address = g_strdup_printf ("unix:tmpdir=%s", tmpdir);
- }
+ tmpdir = g_dir_make_tmp ("gdbus-test-XXXXXX", NULL);
+ tmp_address = g_strdup_printf ("unix:tmpdir=%s", tmpdir);
 }
 else
 tmp_address = g_strdup ("nonce-tcp:");
diff --git a/gio/tests/gmenumodel.c b/gio/tests/gmenumodel.c
index 618a29eae6..04ae2840b8 100644
--- a/gio/tests/gmenumodel.c
+++ b/gio/tests/gmenumodel.c
@@ -831,13 +831,8 @@ service_thread_func (gpointer user_data)
 flags = G_DBUS_SERVER_FLAGS_NONE;
 
 #ifdef G_OS_UNIX
- if (g_unix_socket_address_abstract_names_supported ())
- address = g_strdup ("unix:tmpdir=/tmp/test-dbus-peer");
- else
- {
- tmpdir = g_dir_make_tmp ("test-dbus-peer-XXXXXX", NULL);
- address = g_strdup_printf ("unix:tmpdir=%s", tmpdir);
- }
+ tmpdir = g_dir_make_tmp ("test-dbus-peer-XXXXXX", NULL);
+ address = g_strdup_printf ("unix:tmpdir=%s", tmpdir);
 #else
 address = g_strdup ("nonce-tcp:");
 flags |= G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS;
--
GitLab
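Review bot: In the gio/tests/gdbus-auth.c hunk the freshly created directory is never removed: `g_free (tmpdir);` runs as soon as the address string is built, so nothing retains the path to `g_rmdir` it once the server is stopped, and every call of server_new_for_mechanism now leaves a gdbus-test-XXXXXX directory (with the socket inside it) behind in the temporary directory, where previously only the no-abstract-sockets fallback did. If no harness-level cleanup covers this, I would keep the path alive for the lifetime of the server (a static or a field next to the GDBusServer) and remove the directory after stop; the same question applies to the gdbus-overflow.c and gmenumodel.c hunks, whose `tmpdir` is declared and possibly released outside their hunks. A minor style point: `gchar *tmpdir;` followed by a separate assignment can be a single `gchar *tmpdir = g_dir_make_tmp ("gdbus-test-XXXXXX", NULL);`. server_new_for_mechanism continues outside the hunk.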