dbus: Restrict callers of private D-Bus APIs

Merged Florian Müllner requested to merge fmuellner/gnome-shell:d-bus-hardening into main

Many of our D-Bus APIs are intended for other core components, not as public application APIs. So far that was little more than an expressed intent on the GNOME side that app developers are either unaware of, or can ignore at will.

This MR changes that to enforce the private nature of the APIs in question, by limiting them to their expected callers.

I originally pursuited a more radical approach to limit all D-Bus interfaces implemented in gnome-shell. That involves moving all interface implementations that don't have a fixed number of callers into separate services that proxy the real implementation in the shell. The shell implmenentations then become private, and can be restricted to their proxy.

It's quite a rabbit hole, and will require a good amount of testing if we decide it's a good idea after all. But there's not really much benefit in doing that after restricting the really sensitive services (i.e. apps can no longer call org.gnome.Shell.Eval via org.gtk.Notifications). In any case it doesn't make sense to hold back the restrictions in this MR.

Fixes #3943 (closed)

Merge request reports