From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from atuin.qyliss.net (localhost [IPv6:::1])
	by atuin.qyliss.net (Postfix) with ESMTP id B5AD913814;
	Thu, 04 Dec 2025 02:22:07 +0000 (UTC)
Received: by atuin.qyliss.net (Postfix, from userid 993)
	id 78EA6136CC; Thu, 04 Dec 2025 02:21:56 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,
	SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1
Received: from mail-yx1-xb132.google.com (mail-yx1-xb132.google.com
 [IPv6:2607:f8b0:4864:20::b132])
	by atuin.qyliss.net (Postfix) with ESMTPS id 329A6136B5
	for <devel@spectrum-os.org>; Thu, 04 Dec 2025 02:21:54 +0000 (UTC)
Received: by mail-yx1-xb132.google.com with SMTP id
 956f58d0204a3-640d790d444so346711d50.0
        for <devel@spectrum-os.org>; Wed, 03 Dec 2025 18:21:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1764814911; x=1765419711;
 darn=spectrum-os.org;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=t4KOEvs9c1iBlGjzdseb3SH2yTirHDfx4fl7MDTB9O4=;
        b=VjY/qSo4TgXZUW5RRl3X3CrmvZJ2CCfXA5CHDkI1JV2CWg868ObSKc5NCLpAp1cCFx
         lhpwX+fpfIWviouRJoXneaM/ElLmp1PRJ35Xop70AXHG1cXEds22g+kZPkVd5WRirD5c
         ekMiE2lSTobsORrAiuZg26SYn9yuGJp71N8ANS7tpqp/WFsLFwFi13Bj/SmTRkHBlV2z
         NXiMxXfhwYwoCMLAVqcJgy9T7GHYLPvIuUneb4M/YjM2kf/EsVeWkhppSGRp3/KmtJtS
         ZVdPE3AtD8ynLzFH60VmBiCyzbZCxvZ5rl7ZU3q80kWhGHKZEmw4BhOGY6zRQ+74Jz5l
         e91g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1764814911; x=1765419711;
        h=cc:to:in-reply-to:references:message-id:content-transfer-encoding
         :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=t4KOEvs9c1iBlGjzdseb3SH2yTirHDfx4fl7MDTB9O4=;
        b=bdNcHJ3kOlo+4vkDarZjC2GR9y1xJgRoWRn0AE+/IpEQ11gFZzq2VJxz1lIMJ4C/jp
         jJ48J96JVvNWHRdqEtd29FteqPcREtjTKaIJhCryqDWepSJ5fjPu5Rs2TPJ1zAIwonW+
         8lg2wEzFzVIXogbXrfYevbKIN6JHERKVHCPUPcLz3wTc1Q1GTKdBWkEvKkMTvPpiClaw
         Jcnn1FpITFvFlN4dJJ5pAOJ/HPJEZnY6cM43+Yc1j/kE7GElADpPw/69Uu1HhDjrIW59
         msihzJj2k4DeO+YGxItJczQ+jNGEzXJ622DVX6PAuNHtKMhBKbr+RprkLJWnsaQRQZHp
         ewAQ==
X-Gm-Message-State: AOJu0YyDaJ8nua56wE77nbty+vsrNDpPJXSax2/wp9a5j/FtU3h3ZeG3
	rzRIW67ccw8QWzU9rma4Q2uKbU8VmtkBo9u2hjecCsxwCTtz4pQdexE5ASbKag==
X-Gm-Gg: ASbGncsZwW3JxmhxWD5edskCD7tbAqo7uI5xl8kqv1vX988SvTPcsp83KIw0bZNh2ah
	8+f1IMSOoCLVzgiWN4w2roDYn/F6U6ndX4zOCZE+hJuDk2OqLWjZoHu9bUfS80+mUK7T8yMxgHj
	IgMNii9ol2nDhCbvSe6an8sUmck2eByXUYJtDghQoYVtzFKPX8V1Srj6bnOsRD0wix5VFpK/Ypo
	k/MOJxVleEpSXqvSfLEuqGT9Nuc78zlB557KdPnzVUIj3W4UC2fKhjw8hqEGmihn5Cn4cVpAnnU
	sQiMqoc3H1N7dxVzrW+gWB0VvcZ3o/P8Z1qOlxwurJjnVP560+FV5Qq2s6OxuYFk4Syz802C7Z/
	kkWMlV9g3MJ0LYuFNkwf1dPnnNcppLj6Fj2Ql/QY2V0GN0WEaoP4npZpZOr7EYuZeZOLJu0zURw
	vhdE4tNAhJFjZbaPJFUiW0XvD79Sy9Eat5fsiuQXBKw4CKt54SwivS/dbm4atXWXQAeykuYC/S4
	6UHqmljspm1C3Wq7v0WuC5X/PYfrVhGPXE=
X-Google-Smtp-Source: 
 AGHT+IEjZsi3mbe/J/HPeJJDYUDQYAQ0WZ0s6bAO96rmCpPYA5mX69VAaadnjHszLnGeuDJNuqfiTA==
X-Received: by 2002:a05:690e:1187:b0:63f:25cc:112a with SMTP id
 956f58d0204a3-64437021c97mr3664682d50.54.1764814911457;
        Wed, 03 Dec 2025 18:21:51 -0800 (PST)
Received: from localhost.localdomain
 (h96-60-249-169.cncrtn.broadband.dynamic.tds.net. [96.60.249.169])
        by smtp.gmail.com with UTF8SMTPSA id
 956f58d0204a3-6443f2abfd4sm172649d50.5.2025.12.03.18.21.50
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 03 Dec 2025 18:21:51 -0800 (PST)
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Wed, 03 Dec 2025 21:20:42 -0500
Subject: [PATCH v4 5/6] host/rootfs: Try to protect the portal and dbus
 daemon
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <20251203-sandbox-v4-5-71542a7dcf5c@gmail.com>
References: <20251203-sandbox-v4-0-71542a7dcf5c@gmail.com>
In-Reply-To: <20251203-sandbox-v4-0-71542a7dcf5c@gmail.com>
To: Spectrum OS Development <devel@spectrum-os.org>
X-Mailer: b4 0.14.3
X-Developer-Signature: v=1; a=ed25519-sha256; t=1764814837; l=1402;
 i=demiobenour@gmail.com; s=20250729; h=from:subject:message-id;
 bh=pLaTTxP7r30JUIXBCSqvtViIk+dut/kufqS5p/p0vqo=;
 b=bAM3BuWZtGqzb5zmDTMOzcai5evtPVy5ugQkUtvMS24MfwqerUhUkTp2hmrn22k/I8E8rXn1/
 sVF08l+aLN9DSAlpYIO0O46k14VFHqUn5p8V4KGagHjDWo2GDJQPduB
X-Developer-Key: i=demiobenour@gmail.com; a=ed25519;
 pk=X57Q4/YQDj9t4SBeKaDwvXYKB6quZJVx/DE2Ly2out0=
Message-ID-Hash: XMVVPMJNBJK4AVXDATJ6UZFPKEUQKZ4I
X-Message-ID-Hash: XMVVPMJNBJK4AVXDATJ6UZFPKEUQKZ4I
X-MailFrom: demiobenour@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation;
 header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1;
 header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3;
 header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Demi Marie Obenour <demiobenour@gmail.com>, Alyssa Ross <hi@alyssa.is>
X-Mailman-Version: 3.3.9
Precedence: list
List-Id: Patches and low-level development discussion <devel.spectrum-os.org>
Archived-At: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/message/XMVVPMJNBJK4AVXDATJ6UZFPKEUQKZ4I/>
List-Archive: 
 <https://spectrum-os.org/lists/hyperkitty/list/devel@spectrum-os.org/>
List-Help: <mailto:devel-request@spectrum-os.org?subject=help>
List-Owner: <mailto:devel-owner@spectrum-os.org>
List-Post: <mailto:devel@spectrum-os.org>
List-Subscribe: <mailto:devel-join@spectrum-os.org>
List-Unsubscribe: <mailto:devel-leave@spectrum-os.org>

This tries to protect the portal and D-Bus daemon from other processes.
Unfortunately, this protection is extremely limited: it currently only
unshares cgroup, IPC, network, and UTS namespaces.

The single biggest improvement that could be made, by far, is to make
all mounts that the portal and bus daemon have access to 'nosymfollow',
except for the root filesystem.  Unfortunately, I am not aware of how to
enforce this on mounts that appear after the service starts.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
 .../run-image/service/vm-services/template/data/service/dbus/run     | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
index 9b2319265024ab51934157834b280be869afa9b9..3a7dd49415538f1872b984bcc791ef754b6922aa 100755
--- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
+++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/dbus/run
@@ -6,6 +6,11 @@ importas -i VM VM
 
 nsenter --mount=${VM}/mount
 
+unshare
+  --cgroup
+  --ipc
+  --net
+  --uts
 dbus-daemon
   --config-file /usr/share/dbus-1/session.conf
   --print-address 3

-- 
2.52.0