gdbus autolaunching conflicts with sandboxing
Context from https://bugzilla.mozilla.org/show_bug.cgi?id=1466593
I'm implementing sandboxing on OpenBSD for firefox, and when there's no session dbus instance running (which can happen when users run minimalistic WMs, or don't like dbus for $reasons) and a password field is focused, glib/gdbus tries to autospawn a bus (in get_session_address_dbus_launch(), cf https://gitlab.gnome.org/GNOME/glib/blob/master/gio/gdbusaddress.c#L1131), which is prevented by the sandbox policy (the content process can't spawn processes) and the process is killed by the kernel.
dbus has a --disable-x11-autolaunch configure flag that makes dbus-launch return immediately when autolaunch is disabled in this case, but that still spawns a process which violates the sandboxing policy.
Right now, the 'less ugly' workaround is in the firefox sandboxing code to set DBUS_SESSION_BUS_ADDRESS to an empty string if it isn't set; this way a bus is 'faked' and glib doesn't try to spawn one.
In https://bugzilla.gnome.org/show_bug.cgi?id=723506 a special case was added to avoid spawning a bus when DISPLAY was unset. I think this issue is a slightly different one, but related, so how can we gracefully handle the case in glib itself?
I was thinking of adding a configure flag to glib too to avoid this behaviour, because I don't think there's a way to introspect dbus 'from outside' without a bus running to figure out if it was built with or without --disable-x11-autolaunch.
Another option might be via an environment variable, which would be set by applications knowing that they don't want gdbus to autolaunch a bus?
I'm not really comfortable with those solutions, and I'd rather disable autolaunching at all, since if there's no session bus running, each app would autostart its own, and it would be useless to communicate between different apps. I suppose it only makes sense for multi-process applications, but they'd have to find another IPC mechanism to communicate the autolaunched bus, which feels complicated. Unless some badly coded apps would crash hard if they don't find a bus at all, which explains the sloppy behaviour of running a per-app bus..
cc @ajacoutot
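The following C snippet is an added example, not code from GLib or from Firefox's sandbox setup. It models the autolaunch decision the report describes (no DBUS_SESSION_BUS_ADDRESS in the environment, DISPLAY set) as an assumption rather than a copy of GLib's actual logic, and shows the 'empty address' workaround applied before a sandbox policy is installed, so that gdbus never reaches the fork/exec of dbus-launch that the policy would kill. The function names gdbus_would_autolaunch, dbus_suppress_autolaunch and dbus_autolaunch_risk_in_env are hypothetical.

```c
/* Added example (not from the GLib issue or Firefox's sandbox code):
 * models the autolaunch decision described in the report and applies the
 * "empty DBUS_SESSION_BUS_ADDRESS" workaround before a sandbox is entered. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DBUS_ADDR_VAR "DBUS_SESSION_BUS_ADDRESS"

/* Approximation (an assumption, not GLib's actual code) of when gdbus would
 * fall back to spawning dbus-launch for the session bus:
 *   - no DBUS_SESSION_BUS_ADDRESS in the environment, and
 *   - DISPLAY is set (the special case from GNOME bug 723506 skips
 *     autolaunch when DISPLAY is unset).
 * An empty string counts as "set", which is exactly why the workaround works. */
int gdbus_would_autolaunch(const char *bus_address, const char *display)
{
    if (bus_address != NULL)   /* set, even to "" -> no dbus-launch */
        return 0;
    if (display == NULL)       /* no X display -> autolaunch skipped */
        return 0;
    return 1;
}

/* Workaround applied by the embedding application (the report describes
 * Firefox doing this in its sandbox setup code): if no session bus address
 * is known, define the variable as empty so that gdbus sees a "bus" and
 * never tries to fork/exec dbus-launch, which the sandbox would kill.
 * Returns 1 if the variable was injected, 0 if it was already present,
 * -1 on setenv failure. Must run before the sandbox policy is installed. */
int dbus_suppress_autolaunch(void)
{
    if (getenv(DBUS_ADDR_VAR) != NULL)
        return 0;
    if (setenv(DBUS_ADDR_VAR, "", 0) != 0)
        return -1;
    return 1;
}

/* Convenience check for the caller: with the current environment, would
 * gdbus (per the model above) still try to autolaunch a bus? */
int dbus_autolaunch_risk_in_env(void)
{
    return gdbus_would_autolaunch(getenv(DBUS_ADDR_VAR), getenv("DISPLAY"));
}

int main(void)
{
    printf("before: autolaunch risk = %d\n", dbus_autolaunch_risk_in_env());
    int rc = dbus_suppress_autolaunch();
    printf("workaround rc = %d (1 = injected, 0 = address already set)\n", rc);
    printf("after:  autolaunch risk = %d\n", dbus_autolaunch_risk_in_env());
    /* Install the sandbox policy (which forbids spawning) only after this point. */
    return 0;
}
```

The point of the ordering is that the environment change is a property of the process that the sandbox then inherits; doing it after the policy is applied is too late, because the first gdbus call would already have attempted the spawn. Note that the workaround only suppresses the spawn; it does not give the process a working bus, so any code path that needs one must cope with a connection failure.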