dbus: place the bus in a subdirectory for better sandboxing

This commit is contained in:
2024-09-04 13:04:20 +00:00
parent 9f49084ccb
commit 6ff35b4366
2 changed files with 9 additions and 5 deletions


@@ -34,11 +34,11 @@ in
sandbox.method = "bunpen";
sandbox.extraRuntimePaths = [
"/" #< it needs to create a file in the root. TODO: move the bus handle into a sandboxable subdirectory
"dbus"
];
sandbox.isolatePids = false; #< not actually sure *why* this is necessary, but it is
env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus";
env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/dbus/bus";
# normally systemd would create a dbus session for us, but if you configure it not to do that
# then we can create our own. not sure if there's a dependency ordering issue here: lots
@@ -47,8 +47,12 @@ in
services.dbus = {
description = "dbus user session";
partOf = lib.mkIf cfg.config.autostart [ "default" ];
command = "dbus-daemon --session --nofork --address=$DBUS_SESSION_BUS_ADDRESS";
readiness.waitExists = [ "$XDG_RUNTIME_DIR/bus" ];
command = pkgs.writeShellScript "dbus-start" ''
# have to create the dbus directory before launching so that it's available in the sandbox
mkdir -p "$XDG_RUNTIME_DIR/dbus"
dbus-daemon --session --nofork --address="$DBUS_SESSION_BUS_ADDRESS"
'';
readiness.waitExists = [ "$XDG_RUNTIME_DIR/dbus/bus" ];
};
};
}
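Review bot: The wrapper introduced with `pkgs.writeShellScript "dbus-start"` leaves bash as the parent of dbus-daemon, so whatever supervises `services.dbus` signals the shell rather than the daemon and a stop request can leave the daemon running; the last line should be `exec dbus-daemon --session --nofork --address="$DBUS_SESSION_BUS_ADDRESS"`. The `mkdir -p` also relies on the ambient umask for a directory that will hold the listening socket and be bind-mounted into sandboxes; `mkdir -p -m 0700 "$XDG_RUNTIME_DIR/dbus"` makes the intent explicit (whether `$XDG_RUNTIME_DIR` itself is already 0700 is not visible in the hunk). A `set -eu` at the top of the script would keep the daemon from being launched when the directory could not be created. The path `$XDG_RUNTIME_DIR/dbus/bus` now appears in three places across the two hunks (the env var, the script via that var, and `readiness.waitExists`); a comment stating that they must agree, or a shared `let` binding, would prevent drift.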


@@ -510,7 +510,7 @@ let
;
sandbox.extraRuntimePaths =
lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
++ lib.optionals (builtins.elem "user" config.sandbox.whitelistDbus) [ "bus" ]
++ lib.optionals (builtins.elem "user" config.sandbox.whitelistDbus) [ "dbus" ]
++ lib.optionals config.sandbox.whitelistWayland [ "wl" ] # app can still communicate with wayland server w/o this, if it has net access
++ lib.optionals config.sandbox.whitelistS6 [ "s6" ] # TODO: this allows re-writing the services themselves: don't allow that!
;
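Review bot: The `whitelistDbus` entry changes from the single socket file `bus` to the whole `dbus` directory, which widens what a sandboxed app can reach: if bunpen mounts extraRuntimePaths read-write (not visible here), the app can unlink or replace the `bus` socket inside that directory and impersonate the session bus to later clients, whereas the old file-level grant only allowed connecting. If extraRuntimePaths accepts nested paths, the app-side grant should stay at the socket, `[ "dbus/bus" ]`, leaving the directory grant to the dbus-daemon service that actually has to create the socket. Either way the line deserves a comment like its neighbours, e.g. `# whole dbus/ dir: app could replace the socket; prefer dbus/bus if nested paths work`. The enclosing `let` binding starts before the hunk.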