author: Simon McVittie <smcv@collabora.com> 2022-10-02 11:43:11 +0100
committer: Simon McVittie <smcv@collabora.com> 2022-10-02 11:43:11 +0100
commit: d1951de9b8fc90db7d3fb72764e13bc05304c1ec
tree: e86b8aa7ae021d0af6c17e1e02f790ce85fa5a30 /doc
parent: 4033dc57869b9e517e9fc01b338d26e0faed61c1
spec: Mention the consequences of abstract sockets when using namespaces
Signed-off-by: Simon McVittie <smcv@collabora.com>
Diffstat (limited to 'doc')
-rw-r--r-- doc/dbus-specification.xml | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
index 62c8e89d..88cb0557 100644
--- a/doc/dbus-specification.xml
+++ b/doc/dbus-specification.xml
@@ -3733,6 +3733,8 @@
on platforms that support it: treating "tmpdir" as being
equivalent to "dir" is a valid implementation, and recent
versions of the reference implementation of D-Bus do this.
+ See "abstract", below, for more details of the consequences
+ of using abstract sockets.
Like "dir", this key can only be used in server
addresses, not in client addresses; the resulting client address
will have the "abstract" or "path" key instead.
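Review bot: the cross-reference added to the "tmpdir" entry points by position only ("See "abstract", below") and does not say what kind of consequence is meant. Someone configuring a server with "tmpdir" gets no hint from this entry that the concern is sandbox isolation. Consider naming it in a few words here (for example, that abstract sockets are not confined by filesystem-based sandboxing) and replacing "below" with a proper cross-reference to the "abstract" row, so the pointer survives if the table rows are reordered.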
@@ -3746,6 +3748,21 @@
resembling a path but unconnected to the filesystem namespace.
This key is only supported on platforms with abstract Unix
sockets, of which Linux is the only known example.
+ Implementors should note that on Linux, abstract sockets are
+ namespaced according to
+ <ulink url="https://man7.org/linux/man-pages/man7/network_namespaces.7.html"
+ >network namespaces</ulink>
+ rather than being part of the filesystem.
+ This means that abstract sockets are unaffected by mechanisms
+ like
+ <ulink url="https://man7.org/linux/man-pages/man2/chroot.2.html"
+ >chroot(2)</ulink>
+ and
+ <ulink url="https://man7.org/linux/man-pages/man7/mount_namespaces.7.html"
+ >mount namespaces</ulink>,
+ which can lead to a sandbox escape if a sandboxing
+ implementation alters the sandboxed process's view of the
+ filesystem but shares the network namespace with the host.
</entry>
</row>
<row>
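Review bot: the paragraph added to the "abstract" entry states the risk but gives no guidance on avoiding it, and "Implementors should note" leaves open whether it addresses D-Bus server implementors or sandbox authors. Consider a closing sentence for each audience: a server that may be reachable from a sandbox sharing the host's network namespace should listen on a "path" or "dir" address instead, and a sandbox that relies on chroot(2) or a mount namespace to hide host sockets must also unshare the network namespace. This would also line up with the "tmpdir" entry, which already says that treating "tmpdir" as equivalent to "dir" is a valid implementation.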