[MIR] xdg-dbus-proxy

Bug #1811824 reported by Jeremy Bicha on 2019-01-15

Bug Description

Built for all supported architectures.

In sync with Debian.

webkit2gtk 2.26 will release in September. It adds per-process sandboxing using bubblewrap and xdg-dbus-proxy.

xdg-dbus-proxy was previously part of Flatpak but was split out for easier use by other projects.

By the time this is needed, xdg-dbus-proxy in main will need to be backported to 18.04 LTS and 19.04. (New major webkit2gtk releases happen every March and September. Once a new major release is out, the old major release is no longer supported. New releases include security updates.)

This will need a Security review.


There was one security issue (CVE-2018-6560) that has been fixed in all supported Ubuntu releases.

Quality assurance
Bug subscriber: Desktop Packages


tests are run as build tests (with dh_auto_test) and installed autopkgtests on Debian and Ubuntu.

All binary dependencies are in main

Standards compliance

- Actively developed upstream

- Maintained in Debian by the pkg-utopia team but more specifically, it is maintained by Simon McVittie (smcv) who also maintains Flatpak and ostree in Debian.

short dh7 style rules, dh compat 11/12

Jeremy Bicha (jbicha) on 2019-02-19
description: updated
Jeremy Bicha (jbicha) wrote :

The new feature has been delayed until webkit2gtk 2.26 to be released in September 2019.

description: updated
tags: removed: cosmic
Didier Roche (didrocks) wrote :

Please set it back to New once the MIR team can have a look at it.

Changed in xdg-dbus-proxy (Ubuntu):
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

It seems the security team was no longer assigned, but we knew this was
coming so I performed the security team MIR.

I reviewed xdg-dbus-proxy 0.1.1-1 as checked into eoan. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

xdg-dbus-proxy is a "filtering proxy for D-Bus connections". It is invoked via
the command line with arguments that specify the address to proxy and the
path for client connections. It will listen on a unix domain socket for
clients to connect. For each client connection, it opens a new connection to
the proxied address, forwarding data between the two. xdg-dbus-proxy operates
in two modes, filtered and unfiltered (ie, forward all messages). With
filtering mode, policy is applied to determine which messages to allow and
drop. Filtering is applied to signals and method calls from the client and
broadcast signals from the proxied address. Replies (errors and method returns)
are allowed for the outstanding call, but not otherwise (this is analogous to
how dbus-daemon works with LSM policy like AppArmor).

Policy is simple, yet flexible and aggregates various common DBus APIs into
SEE, TALK and OWN policy levels (listed from lowest to highest, with each
higher level implying lower levels) that are specified in rules for use with
well-known DBus names (ie, *not* private/unique names). The default policy
allows TALKing to the bus itself (org.freedesktop.DBus) and to its own unique
ID. Other clients are invisible (this is not unlike the dbus-strict and
dbus-session-strict AppArmor abstractions). Policy rules allow a glob syntax
for suffixes such that org.foo.* matches org.foo, org.foo.bar, org.foo.bar.baz
but not org.norf. While the rule is specified for the well-known name, the rule
will also apply such that the policy for the private/unique DBus name of the
client is the union of all rules for well-known names that the client owns,
where the highest level wins. In addition to these policy levels, it is
possible to also specify interface and object paths with method calls/signals
on well-known names (similar to fine-grained AppArmor rules).

xdg-dbus-proxy is a low-level application intended to be driven by a higher
level application (eg, bubblewrap, flatpak (which drives bubblewrap), etc). It
does not support policy files and typical usage is to proxy, for example, the
session bus for an application, with all rules specified on the command line
(bwrap typically uses the --args option, which allows passing nul-separated
arguments via a file descriptor).
Eg (showing full args instead of the normal --args usage):

  $ xdg-dbus-proxy --fd=26 unix:path=/run/usr/1000/bus
  /run/usr/1000/.dbus-proxy/session-bus-proxy --filter --own=org.gnome.ghex.*
  --talk=ca.desrt.dconf --call=org.freedesktop.portal.*=*

such that different applications will each have their own proxy.

bwrap usage shows sockets in /run/user/<uid>/.dbus-proxy/session-bus-proxy-*
where there is a named socket allocated for each application that corresponds
to the (now deleted) --args fd. xdg-dbus-proxy does support proxying the
system bus (eg, xdg-dbus-proxy unix:path=/run/dbus/system_bus_socket /tmp/foo).
Additionally, wi...
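The policy model described in the review above (SEE < TALK < OWN levels on well-known names, the `org.foo.*` suffix glob that matches `org.foo` and `org.foo.bar` but not `org.norf`, the default TALK to `org.freedesktop.DBus` and the client's own unique name, and a unique name inheriting the highest level of any well-known name it owns) is small enough to model directly. The following is an added example written for this page, not code from xdg-dbus-proxy; it parses the `--see=`/`--talk=`/`--own=` rules from the command line quoted in the review and resolves the effective level for a destination. The mapping of message kinds to required levels (`see`, `call`, `own`) and the `:1.42` client unique name are assumptions for illustration, and the fine-grained `--call=` rules are deliberately left out of this model.

```python
"""Toy model of xdg-dbus-proxy-style name policy resolution.

Added illustration only; it is not the project's own implementation.
"""
from enum import IntEnum


class Level(IntEnum):
    # Ordered so that a higher level implies every lower one.
    NONE = 0
    SEE = 1
    TALK = 2
    OWN = 3


# Command-line flags that carry a well-known-name rule.
FLAG_TO_LEVEL = {"--see": Level.SEE, "--talk": Level.TALK, "--own": Level.OWN}

# Names every client may TALK to regardless of rules (per the review above).
BUS_NAME = "org.freedesktop.DBus"


def parse_policy(args):
    """Return {pattern: Level} from proxy command-line arguments.

    Flags without a rule (--filter) and rule kinds this model does not
    cover (--call=..., --broadcast=...) are skipped. If a pattern is
    given twice, the higher level wins.
    """
    rules = {}
    for arg in args:
        flag, sep, pattern = arg.partition("=")
        level = FLAG_TO_LEVEL.get(flag)
        if not sep or level is None:
            continue
        rules[pattern] = max(rules.get(pattern, Level.NONE), level)
    return rules


def name_matches(pattern, name):
    """Suffix glob: 'org.foo.*' matches 'org.foo' and 'org.foo.bar',
    but not 'org.norf' and not 'org.foobar'. Anything else is exact."""
    if pattern.endswith(".*"):
        prefix = pattern[:-2]
        return name == prefix or name.startswith(prefix + ".")
    return name == pattern


def level_for_well_known(rules, name):
    """Highest level of any rule whose pattern matches the well-known name."""
    level = Level.NONE
    for pattern, rule_level in rules.items():
        if name_matches(pattern, name):
            level = max(level, rule_level)
    return level


def level_for_unique(rules, owned_well_known_names):
    """A unique name (':1.7') gets the union of the rules for every
    well-known name it owns; the highest level wins."""
    return max(
        (level_for_well_known(rules, n) for n in owned_well_known_names),
        default=Level.NONE,
    )


def allowed(rules, msg_kind, dest, own_unique=":1.42", owned_by_dest=()):
    """Decide whether a client message of msg_kind to dest passes the filter.

    msg_kind -> required level is an assumption of this model:
      'see'  -> SEE, 'call' (method call/signal) -> TALK, 'own' -> OWN.
    own_unique is the assumed unique name of the sandboxed client;
    owned_by_dest lists the well-known names a unique-name dest owns.
    """
    required = {"see": Level.SEE, "call": Level.TALK, "own": Level.OWN}[msg_kind]
    if dest in (BUS_NAME, own_unique):
        # Default policy: TALK to the bus and to ourselves, nothing more.
        return required <= Level.TALK
    if dest.startswith(":"):
        level = level_for_unique(rules, owned_by_dest)
    else:
        level = level_for_well_known(rules, dest)
    return level >= required


if __name__ == "__main__":
    # Rules taken from the command line quoted in the review above.
    policy = parse_policy(["--filter", "--own=org.gnome.ghex.*",
                           "--talk=ca.desrt.dconf",
                           "--call=org.freedesktop.portal.*=*"])
    for dest in ("org.gnome.ghex", "org.gnome.ghex.Editor", "ca.desrt.dconf",
                 "org.gnome.Shell", BUS_NAME):
        print(f"{dest:25} call={allowed(policy, 'call', dest)} "
              f"own={allowed(policy, 'own', dest)}")
```

Running the block prints one line per destination; the unsandboxed-looking `org.gnome.Shell` is dropped because no rule covers it, while `org.gnome.ghex.Editor` may be both called and owned through the `org.gnome.ghex.*` glob.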

Changed in xdg-dbus-proxy (Ubuntu):
status: Incomplete → New
Changed in xdg-dbus-proxy (Ubuntu):
assignee: nobody → Ken VanDine (ken-vandine)
Changed in xdg-dbus-proxy (Ubuntu):
assignee: Ken VanDine (ken-vandine) → nobody

starting a MIR review after discussing with seb and cleaning up what made it disappear from the lists that we check.

Changed in xdg-dbus-proxy (Ubuntu):
assignee: nobody → Christian Ehrhardt  (paelzer)

No other comparable filtering dbus proxy in the archive (and none in main obviously)

[Embedded sources and static linking]
- no embedded sources
- no golang
- no static linking

- no CVEs on top of the reported and fixed CVE-2018-6560
- does not run a daemon as root
- does not use webkit1,2 (in fact only becomes important with webkit2gtk 2.26)
- does not use lib*v8 directly
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

It does
- parses data formats
- opens a port (not a classic one but on dbus)
- does not process arbitrary web content, but semi arbitrary dbus messages
- does not deal with system authentication (eg, pam, etc), but dbus is involved there and due to that it is as well.

This needs a security review, which fortunately already was done.
So we can feel safe on that side.

[Common blockers]
- builds on all arches without FTBFS
- has a (minimal) build time test
- has a autopkgtest
- code/msg isn't really user visible (no translations needed)
- not a python package
- Desktop Packages is subscribed

[Packaging red flags]
- no Ubuntu delta
- no library that is exposed for symbols tracking
- watch file present
- update history seems ok
- current release packaged
- no MOTU conflict
- no massive Lintian warnings
- debian/rules is small and clean
- no Built-Using
- no golang checks needed

[Upstream red flags]
- no warning/errors on build
- no incautious use of malloc/sprintf that came up in checkers
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no known Important bugs (crashers, etc) in Debian or Ubuntu
- no Dependency on webkit, qtwebkit, seed or libgoa-* (but vice versa)
- no Embedded source copies

This package seems fine - ACK for the MIR Team

Changed in xdg-dbus-proxy (Ubuntu):
status: New → Fix Committed
assignee: Christian Ehrhardt  (paelzer) → nobody
Sebastien Bacher (seb128) wrote :

Override component to main
xdg-dbus-proxy 0.1.1-1 in eoan: universe/misc -> main
xdg-dbus-proxy 0.1.1-1 in eoan amd64: universe/admin/optional/100% -> main
xdg-dbus-proxy 0.1.1-1 in eoan arm64: universe/admin/optional/100% -> main
xdg-dbus-proxy 0.1.1-1 in eoan armhf: universe/admin/optional/100% -> main
xdg-dbus-proxy 0.1.1-1 in eoan i386: universe/admin/optional/100% -> main
xdg-dbus-proxy 0.1.1-1 in eoan ppc64el: universe/admin/optional/100% -> main
xdg-dbus-proxy 0.1.1-1 in eoan s390x: universe/admin/optional/100% -> main
Override [y|N]? y

Changed in xdg-dbus-proxy (Ubuntu):
status: Fix Committed → Fix Released