Application Sandboxing with systemd Containers and wayland and kdbus, oh my!
kdbus

Domain - fs mount
Bus - named object inside a domain used to exchange messages
Endpoint - access point onto a bus - every bus gets a default endpoint
Skip - connection, pool, well-known name, message, item
Policy - set of rules defining which connections can see, talk to or own a well-known name; attached to an endpoint. Endpoint policy is set on creation, but can be updated.
Privileged - CAP_IPC_OWNER

Lifetimes
Domain - mount lifetime
Bus - control fd used for KDBUS_CMD_BUS_MAKE
Endpoint - fd used for KDBUS_CMD_ENDPOINT_MAKE
Endpoint policy

Authorisation
Anyone can make a bus - the only person you can harm is yourself!
Only the bus owner or a privileged user can create an endpoint.
Connecting to an endpoint - is that just whether you have file system access to it?
For example, a set of policy rules may look like this:
Endpoint policy

KDBUS_ITEM_NAME: str='org.foo.bar'
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, id=1000
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=TALK, id=1001
KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=SEE
KDBUS_ITEM_NAME: str='org.blah.baz'
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, id=0
KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=TALK
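As an added illustration (not from the talk and not kdbus code), here is a small Python evaluator for a listing like the one above. It assumes the semantics as I read them: access levels nest (OWN implies TALK implies SEE), any matching USER or WORLD rule that grants at least the requested level permits the operation, and a name with no rule at all is denied on the custom endpoint.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed semantics: access levels nest (OWN implies TALK implies SEE), any
# matching rule that grants at least the requested level permits the operation,
# and a name with no rule at all is denied on the custom endpoint.
LEVELS = {"SEE": 1, "TALK": 2, "OWN": 3}

@dataclass(frozen=True)
class Rule:
    type: str            # "USER" or "WORLD"
    access: str          # "SEE", "TALK" or "OWN"
    uid: Optional[int]   # euid for USER rules, None for WORLD rules

def parse_policy(listing: str) -> dict:
    """Parse a KDBUS_ITEM_NAME / KDBUS_ITEM_POLICY_ACCESS listing into {name: [Rule]}."""
    policy, current = {}, None
    for line in listing.strip().splitlines():
        item, _, args = line.strip().partition(":")
        fields = dict(kv.split("=", 1) for kv in args.replace(" ", "").split(","))
        if item == "KDBUS_ITEM_NAME":
            current = fields["str"].strip("'")
            policy[current] = []
        elif item == "KDBUS_ITEM_POLICY_ACCESS" and current is not None:
            uid = int(fields["id"]) if "id" in fields else None
            policy[current].append(Rule(fields["type"], fields["access"], uid))
        else:
            raise ValueError(f"unexpected item: {line!r}")
    return policy

def check_access(policy: dict, name: str, euid: int, wanted: str) -> bool:
    """True if a connection running as `euid` may SEE/TALK/OWN the well-known `name`."""
    for rule in policy.get(name, []):
        matches = rule.type == "WORLD" or (rule.type == "USER" and rule.uid == euid)
        if matches and LEVELS[rule.access] >= LEVELS[wanted]:
            return True
    return False  # no rule grants it: denied by default on this endpoint

# The policy from the slide, reproduced here as constructed test input.
SLIDE_POLICY = parse_policy("""
KDBUS_ITEM_NAME: str='org.foo.bar'
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, id=1000
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=TALK, id=1001
KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=SEE
KDBUS_ITEM_NAME: str='org.blah.baz'
KDBUS_ITEM_POLICY_ACCESS: type=USER, access=OWN, id=0
KDBUS_ITEM_POLICY_ACCESS: type=WORLD, access=TALK
""")
```

With this policy, check_access(SLIDE_POLICY, "org.foo.bar", 1001, "TALK") is True while the same uid asking for "OWN" is False, and any uid may SEE org.foo.bar but only uid 0 may OWN org.blah.baz.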
systemd

Remember that bus lifetime is tied to the fd you used to create the bus? So the root systemd is the owner of the system bus; when you do a user login you get a user systemd that creates and owns the user bus.

Custom endpoints
----------------
Currently the only way to make an endpoint is to use a unit to launch a system service; you can create a custom endpoint for that service to use and attach a policy to it.
BusPolicy

BusPolicy=org.freedesktop.systemd1 talk
BusPolicy=org.foo.bar see
BusPolicy=org.foo.baz own
The tricky bit

I've put together a patchset for systemd-nspawn, but Alex Larsson has gnome-sdk-helper in gnome-sdk, which is a really minimal container: it just limits namespaces, does some nosuid,nodev bind mounts and some fiddly bits for the home directory, pulseaudio, XDG, dbus and X11.

Maybe it should be a systemd template service? sandbox@$APP?

Lennart wants it eventually to be like the new approach for desktop file handling - using bus activation?

Needs more discussion, but I'll probably just submit the patchset for nspawn anyhow (once it's rebased and cleaned up) and see where the discussion goes.
Wayland

Currently wayland-drm pretty much requires that clients can open /dev/dri/card0. This is bad for a number of reasons:
1) Security issues with the card0 interface - flink is insecure: buffer names leak information and can allow clients to access each other's buffers (as I understand it!)
2) We need to bind-mount /dev/dri into the container - ideally we only want it to have access to dummy devices
3) It mixes up the display controller (mode setting) and renderers (GL), e.g. Tegra, multi-card systems

Render nodes - /dev/dri/renderD<num>
These are the cool ones: dma-buf, no flink, separates the display controller from rendering - no mode setting, no DRI auth, no legacy pre-KMS - ask David Herrmann...

Daniel Stone has suggested we extend the wayland-drm protocol to allow the compositor to open the fd to a render node and pass this fd to the client. This would be perfect.
Sound
-----
Pulseaudio?

So much to do; the ideal way forward here is for pulseaudio to use kdbus for everything.
Stream over kdbus? No reason why not.
Policy is tricky - record from the microphone? How to do the interaction well, and how to support doing the interaction well.
Limit background apps.
Lots to do yet!
Questions?
Links

http://www.freedesktop.org/wiki/Software/systemd/
https://github.com/alexlarsson/gnome-sdk
https://gitlab.com/rob.taylor/systemd
https://dvdhrm.wordpress.com/tag/render-nodes/
GimpNet - #gnome-os
Freenode - #systemd, #kdbus
Email: rob.taylor@codethink.co.uk
Copyright

Bright Eyes © originalpozer @flickr
Uh oh © Daniel Bogan @flickr
German police dog © Brian Snelson @flickr
Oh Ceiling Cat - I worship thee © Katrine Thielke @flickr
Sad dog eyes - Patches © Tiggamiru @flickr
Momma's Little Hipster © kizzzbeth @flickr
DJ Norman © Ana Belén Ramón @flickr
Topanga, hat model © Claire @flickr