Firejail: Block access to dbus

Created on 11 Oct 2016  路  4Comments  路  Source: netblue30/firejail

A very serious vulnerability was discovered where dbus-daemon used ipc message as format string. Subgraph's Oz sandbox say they are not affected since they block dbus access to isolated processes. I recommend you do the same if not already.

https://bugs.freedesktop.org/show_bug.cgi?id=98157

/cc @adrelanos

information
Source
picture HulaHoopWhonix

Most helpful comment

@intika there is a dedicated nodbus option available in Firejail 0.9.54 and higher. It is more effective when combined with net none and if available apparmor.

picture SkewedZeppelin on 29 Jul 2018
👍3

All 4 comments

Easiest ways to do so:
1) Force DBus to use a standard UNIX socket (makes it easier to block) - see #801 for how to do so.
2) Only whitelist /tmp/_dbus-socket_ when necessary.

chiraag-nataraj picture chiraag-nataraj on 11 Oct 2016

In our case dbus can be disabled using a network namespace (--net) or AppAromr (--apparmor). It can also be disabled by configuring dbus to use a regular Unix socket instead of the abstract Unix socket, and blacklisting the socket inside the sandbox.

netblue30 picture netblue30 on 11 Oct 2016
👍1

i am blocking dbus access to chrome just by giving it a fake dbus address
env DBUS_SESSION_BUS_ADDRESS=none firejail chrome

intika picture intika on 29 Jul 2018

@intika there is a dedicated nodbus option available in Firejail 0.9.54 and higher. It is more effective when combined with net none and if available apparmor.

SkewedZeppelin picture SkewedZeppelin on 29 Jul 2018
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

kruthe01 picture kruthe01  路  4Comments
fl-chris picture fl-chris  路  4Comments
ericschdt picture ericschdt  路  3Comments
semente picture semente  路  4Comments
ghost picture ghost  路  3Comments