diff options
| author |  Kristóf Marussy <kris7topher@gmail.com> | 2020-03-26 01:28:57 +0100 |
|---|---|---|
| committer | Kristóf Marussy <kris7topher@gmail.com> | 2020-04-06 21:26:41 +0200 |
| commit | 90facc19c2708b60eb81a2a29993a3f16596bab6 (patch) | |
| tree | ef3da7dbfc720b266b1a2ce2b31ceae7cc72ab1a /src/man/firejail-profile.txt | |
| parent | xdg-dbus-proxy hardening (diff) | |
| download | firejail-90facc19c2708b60eb81a2a29993a3f16596bab6.tar.gz firejail-90facc19c2708b60eb81a2a29993a3f16596bab6.tar.zst firejail-90facc19c2708b60eb81a2a29993a3f16596bab6.zip | |
xdg-dbus-proxy socket finding and mount hardening
To avoid race conditions, the proxy sockets from /run/firejail/dbus/ are
bind-mounted to /run/firejail/mnt/dbus/, which is controlled by root.
Instead of relying on the default locations of the DBus sockets, the environment
variables DBUS_SESSION_BUS_ADDRESS and DBUS_SYSTEM_BUS_ADDRESS are set
accordingly.
User sockets are tried in the following order when starting the proxy:
* DBUS_SESSION_BUS_ADDRES
* /run/user/<pid>/bus
* /run/user/<pid>/dbus/user_bus_socket
These are all blocked (including DBUS_SESSION_BUS_ADDRESS if it points at a
socket in the filesystem) when the filtering or blocking policy is active.
System sockets are tried in the following order:
* DBUS_SYSTEM_BUS_ADDRESS
* /run/dbus/system_bus_socket
These are all blocked (including DBUS_SYSTEM_BUS_ADDRESS if it points at a
socket in the filesystem) when the filtering or blocking policy is active.
Diffstat (limited to 'src/man/firejail-profile.txt')
0 files changed, 0 insertions, 0 deletions