From 3afdfd298b2a119eacae6d008b13f716967f69ca Mon Sep 17 00:00:00 2001
From: Dan Nicholson
Date: Wed, 29 Nov 2023 13:16:53 -0700
Subject: [PATCH] run: Ignore system bus failures in parental controls check
Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available.
Fixes: #5076
---
 common/flatpak-run.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index b0d87525..fc1ed263 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2710,9 +2710,21 @@ check_parental_controls (FlatpakDecomposed *app_ref,
 g_autoptr(GDesktopAppInfo) app_info = NULL;
 gboolean allowed = FALSE;
- system_bus = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, error);
+ system_bus = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &local_error);
 if (system_bus == NULL)
- return FALSE;
+ {
+ /* Since the checks below allow access when malcontent or
+ * accounts-service aren't available on the bus, this whole routine can
+ * be trivially bypassed by setting DBUS_SYSTEM_BUS_ADDRESS to a
+ * temporary dbus-daemon. Not being able to connect to the system bus is
+ * basically equivalent.
+ */
+ g_debug ("Skipping parental controls check for %s since D-Bus system "
+ "bus connection failed: %s",
+ flatpak_decomposed_get_ref (app_ref),
+ local_error ? local_error->message : "unknown reason");
+ return TRUE;
+ }
 manager = mct_manager_new (system_bus);
 app_filter = mct_manager_get_app_filter (manager, getuid (),
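Review bot: The new failure branch returns `TRUE` for every kind of `g_bus_get_sync ()` error and reports it only through `g_debug ()`, so on a desktop host where the system bus is expected to exist, a skipped parental-controls check leaves no trace unless debug output is enabled. Because the commit's own reasoning is that this routine is not an enforcement boundary against a user who controls the process environment, the comment should say so outright, for example `/* NOTE: this check is advisory; it does not constrain a user who controls the environment. */`. I would also log the skip at a level that is visible by default, such as `g_message ()`, so that an unexpected bus failure on a managed machine can be audited. `local_error` is declared outside the hunk, presumably as `g_autoptr(GError)`; it is worth confirming that it is released on this early return. The body of check_parental_controls continues past the end of the hunk.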