Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Poor default value for DBus access in Flatpak container #2074

Closed
freakboy3742 opened this issue Dec 4, 2024 · 0 comments · Fixed by #2075
Closed

Poor default value for DBus access in Flatpak container #2074

freakboy3742 opened this issue Dec 4, 2024 · 0 comments · Fixed by #2075
Labels
bug A crash or error in behavior.

Comments

@freakboy3742
Copy link
Member

Describe the bug

Originally reported by @sarayourfriend via security@beeware.org; we've determined that it isn't a security issue, and will instead be treating it as a normal bug fix.

Flatpak build target defaults to including session bus permissions in the manifest

However, Flatpak's documentation says that including session bus access breaks sandboxing and presents a security risk.

Steps to reproduce

  1. Generate a hello world app for Flatpak
  2. Check the Flatpak manifest.yml for the list of permissions

Expected behavior

Briefcase-generated Flatpak apps shouldn't include the "socket=session-bus" permission by default.

Screenshots

No response

Environment

  • Operating System: Linux (all)
  • Python version: all
  • Software versions:
    • Briefcase: 0.3.20

Logs

Additional context

While the Flatpak documentation indicates that adding Dbus access poses a security risk, in order to exploit this fact, an app would need to either:

  1. Explicitly be trying to access DBus in application code - in which case the app author themselves are the party being malicious
  2. Include a dependency that tries to access DBus in an inappropriate way - this constitutes a supply chain attack, with Flatpak providing, at best, a layer of protection
  3. Include a code injection exploit in the app's code - in which case DBus access is the least of your problems.

In all three cases, the same app code published as a system package would have no protection; so Flatpak with the extra permission would have the same defect as an app packaged as a system package.

On that basis, we don't consider this a security issue, but a default value for Flatpak packaging that can be improved.

We’ve identified that the permission was added because a test app that was used to verify Flatpak packaging (Toga Tutorial 4) was slightly misconfigured - the Briefcase bundle ID and the ID in the Toga code didn’t match, and as a result, the Flatpak app wasn’t able to access it’s own DBus session. Giving access to the system bus resolved this issue - because it gave access to the whole of DBus.
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
bug A crash or error in behavior.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove D-Bus session access as a default Flatpak permission. freakboy3742/briefcase
1 participant
@freakboy3742