From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id 67E4B10B39;
	Wed, 03 Dec 2025 15:56:03 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id 5B19A109F7; Wed, 03 Dec 2025 15:55:55 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,
	SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1
Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com
 [IPv6:2607:f8b0:4864:20::1136])
	by atuin.qyliss.net (Postfix) with ESMTPS id 009C310A67
	for <devel@spectrum-os.org>; Wed, 03 Dec 2025 15:55:53 +0000 (UTC)
Received: by mail-yw1-x1136.google.com with SMTP id
 00721157ae682-78a6c7ac38fso74897457b3.0
        for <devel@spectrum-os.org>; Wed, 03 Dec 2025 07:55:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1764777351; x=1765382151;
 darn=spectrum-os.org;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=0rarWrmm78ETjEXrX4/u9F14msXT5kIJtfB0DQjH3sc=;
        b=F3wuQujhYvrqefUqek6iBKB3eovNlXq6IeLuSS68IF5VKdj36IGwOnYpb0lMaMInxg
         qc8LAkXChEkA/wb+VrlHUdDRvzBh4e3mgVV60CEPQPpjiuPekjiNMureuDW2l55A+vTV
         tBGlSv71X5JXJJmzcMZSr2pyHkj2A7IJRTv3JWFTyK0E32vV+RHmQPYdD02IIplkP4p+
         JIjiJ7vXVYxURRpKRQ4Fh3oKO72J42ea3dQIyL8BvVSvw3b+uc1wxzESHaksgRmrRYng
         J1kuYBk9B0GyqlYVevky4p+7uBzn8xxVVFyLjEpTPKcwbVGS6MnPdJU4ENlqZY7qFCjX
         Qilg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764777351; x=1765382151;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=0rarWrmm78ETjEXrX4/u9F14msXT5kIJtfB0DQjH3sc=;
        b=e25dUrXp+V0uv8iHVuk0sYFYudqI7ePc96UKcbFVOgWuScv9atd168rtK9sMHT8JCC
         WWRqsN7lv74SKuiqgU9XAI8a5jYL1O7BCVFnWze5vBw1+Hh4ZHIPlnjYTjU82LbJQUw8
         QXsh6hWWGEDrxE6rscpzrDAUt5jrsEmAUhsEoyHYDJCqhIquQFsOy+g5BdFyjGUyTYYY
         NwKD7m94MbmCyJtoiHlVWEkDOIYijRhQqushbzJxWRVWVFZeH56bFGZJ/hKZqVO3Pa+3
         3eWB1eObjlspzf+qrg4uG+EA1FgSqj87srbf39GZE2SLU0+Dz6/A+MzjXEqw6aZhhHex
         SaBw==
X-Gm-Message-State: AOJu0YzCBI7I8fKky7L7naE5TnqZS+B1GSyaxEVcPjuWeNcSLJAPkomL
	n6NsRszIPbvt3Y4leL+T825oxDWGHTSBJod1EjQzf1l9YFTWQo9ddJJEaQDz7A==
X-Gm-Gg: ASbGncvD4uMEJrseXJG6aC57Y4hgaMfgjCJljZ5ZVlbfvu5OuuEiJVh6GyaFPb1aARC
	bKXfptMmfoCImS20F1kugUfQ4X9UbUp3QkDNbcb/kw29A7YQCPBQ/3SzJjteumcFQg6yzd8hsBd
	hh9ndpITFi6TyIUWWYN4ZUvtacWWYEOBlwYGebQhLexzBfbYKqV6je7erVlKblA09yHy+nI9w/Y
	VDBosGa/VTakT/J09SEQ/914c5Gy0vbLozcPQuX5fl1a8ZsNHdViO3rYj2udZLHJtxUVmwF9G7x
	FAlKV95sgL/vtcFD+U6mW9/8EnsMRGRNbZQnCZEelum+q4/hfUFQgrMqq9tjful5zNAkRULI5e7
	d3qxoIK6h1FTX/xZqIw0FXKCgFVfSpS52RZqjd4PLRIBn0chFw4SAAcCOKcji+Lz9Lr26Is12JH
	znpT6skmncRV553FB1PbrJX8+y4Eu0Q/DloaB6tYB7zVoBic2AThAZkreKyGymXvwLjHWL0XYLI
	uiG+w0T/HQgad774tJaI4+AGhC/TtwVwu0EQXbJ0f41Fg==
X-Google-Smtp-Source: 
 AGHT+IEICCZhLIX255ITLLRFxdnxs7akPfbdEpnpzAiYNE2nQ31+mBKNgRxrj3Cv1deveu1PuW7rRg==
X-Received: by 2002:a05:690c:708b:b0:787:f755:5b06 with SMTP id
 00721157ae682-78c0c28679cmr20859407b3.50.1764777351292;
        Wed, 03 Dec 2025 07:55:51 -0800 (PST)
Received: from localhost.localdomain
 (h96-60-249-169.cncrtn.broadband.dynamic.tds.net. [96.60.249.169])
        by smtp.gmail.com with UTF8SMTPSA id
 00721157ae682-78ad0d5fe10sm74901807b3.14.2025.12.03.07.55.50
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 03 Dec 2025 07:55:50 -0800 (PST)
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Wed, 03 Dec 2025 10:54:59 -0500
Subject: [PATCH v3 5/5] host/rootfs: Try to protect the portal and dbus
 daemon
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20251203-sandbox-v3-5-f16ae06a251e@gmail.com>
References: <20251203-sandbox-v3-0-f16ae06a251e@gmail.com>
In-Reply-To: <20251203-sandbox-v3-0-f16ae06a251e@gmail.com>
To: Spectrum OS Development <devel@spectrum-os.org>
X-Mailer: b4 0.14.3
X-Developer-Signature: v=1; a=ed25519-sha256; t=1764777294; l=1358;
 i=demiobenour@gmail.com; s=20250729; h=from:subject:message-id;
 bh=ymAl4KIBl8jBBQsqXV9ijwKRVtSy1Y0QVsgtT8RICVo=;
 b=xt/eJiVg2RmngDCD6YP0//tSg9EaTxxZVqCqjyliG+5Z4U0nJQzEvCUahX5Us3uFytPAywRSH
 TfLuPTkVSeJB1VeShyih9lxFuCAzhJKD5/JW8rHALT/kixB7y5w3nli
X-Developer-Key: i=demiobenour@gmail.com; a=ed25519;
 pk=X57Q4/YQDj9t4SBeKaDwvXYKB6quZJVx/DE2Ly2out0=
Message-ID-Hash: 5CNC2U6ISOSEEI5XYDHFJ4MWAMHTNM2G
X-Message-ID-Hash: 5CNC2U6ISOSEEI5XYDHFJ4MWAMHTNM2G
X-MailFrom: demiobenour@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3;
 header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Demi Marie Obenour <demiobenour@gmail.com>, Alyssa Ross <hi@alyssa.is>
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/5CNC2U6ISOSEEI5XYDHFJ4MWAMHTNM2G/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

This tries to protect the portal and D-Bus daemon from other processes.
Unfortunately, this protection is extremely limited: it currently only
switches network and cgroup namespaces.

The single biggest improvement that could be made, by far, is to make
all mounts that the portal and bus daemon have access to 'nosymfollow',
except for the root filesystem.  Unfortunately, I am not aware of how to
enforce this on mounts that appear after the service starts.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 .../run-image/service/vm-services/template/data/service/dbus/run         | 1 +
 1 file changed, 1 insertion(+)

diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
index 9b2319265024ab51934157834b280be869afa9b9..4e100ad39e11c802f875ac318c2d908b5e6dd9b8 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
@@ -6,6 +6,7 @@ importas -i VM VM
 
 nsenter --mount=${VM}/mount
 
+unshare --net --ipc
 dbus-daemon
   --config-file /usr/share/dbus-1/session.conf
   --print-address 3

-- 
2.52.0