Sandboxing D-Bus-activated Applications

[glitsj16]

Quite some time ago I noticed this comment in the gjs.profile:

firejail/etc/profile-a-l/gjs.profile

Lines 8 to 10 in 65c92b4

	# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them

At first I took it to suggest that sandboxing D-Bus activated applications is impossible to achieve with Firejail by design. That scratched an itch and I started to research this topic. Pretty soon it turned out there's actually nothing technical or code-wise in Firejail that keeps you from doing so.

With a bit of manual work you can in fact firejail those D-Bus activated applications. Most distributions use the /usr/share/dbus-1/services directory to store D-Bus units. Copy the unit file for the app you want to sandbox to either

• /etc/dbus-1/services (system-wide) or
• ${HOME}/.local/share/dbus-1/services (per-user).

You will need to edit this file, regardless where you placed it. Point the Exec=foo to a custom shell script and boom, firejail activated. Oh no, create yet another shell script? Well okay, let's do that.

Here's an example for dconf-editor to get you going. The example uses system-wide files, but these can just as easily be per-user ones. The logic stays the same.

$ cat /usr/share/dbus-1/services/ca.desrt.dconf-editor.service

[D-BUS Service]
Name=ca.desrt.dconf-editor
Exec=/usr/bin/dconf-editor --gapplication-service

$ cat /etc/dbus-1/services/ca.desrt.dconf.service

[D-BUS Service]
Name=ca.desrt.dconf-editor
Exec=/usr/bin/dconf-editor-fj --gapplication-service

$ cat /usr/bin/dconf-editor-fj

#!/bin/sh
#
# D-Bus activation hook
if [ "$1" = "--gapplication-service" ]; then
    # do whatever you like here, logging for example
    _parent="$(ps -o args= "$PPID")"
    _report_file="${HOME}/Downloads/dbus-activation.report"
    _timestamp="$(date +%H:%M:%S)"
    {
	echo
	echo "- - - - - - - - - - - - - - - -"
	echo "[${_timestamp}] D-Bus service [ca.desrt.dconf-editor] activated"
	echo "    parameters: ${@}"
	echo "    parent: ${_parent}"
    } >> "$_report_file"
fi
# display server
if [ "$WAYLAND_DISPLAY" ]; then
    _ds="wayland"
    export GDK_BACKEND=${_ds}
fi
# sandboxing
_sbox_wayland=""
[ "$_ds" = "wayland" ] && _sbox_wayland="--env=GDK_BACKEND=${_ds} --include=/etc/firejail/disable-X11.inc"
exec firejail --quiet ${_sbox_wayland} /usr/bin/dconf-editor "$@"
exit 0

Now for the discussion. If there's an interest, I can add this to the wiki. All input is welcome and I'm very much open to clarify or answer any questions that might come up.

[rusty-snake]

firecfg.py supports this for over two years.

And it supports autostart and experimental shell aliases for programs like ffmpeg or tar that frequently cause breakage of other programs like makepkg but can be firejailed when they are used directly by the user in a shell.

[glitsj16]

I knew firecfg.py can do all this. It's just not very advertised and IMO it should have a dedicated page on the wiki. Also, is it packaged by any distributions (yet)?