spec: Add an introduction to the Containers1 interface

Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie 2024-10-01 17:51:49 +01:00
parent 5e6580ca19
commit bc4a8d8985


@ -7470,6 +7470,38 @@
</sect2>
<sect2 id="message-bus-containers-interface">
<title>Containers Interface v1: <literal>org.freedesktop.DBus.Containers1</literal></title>
<para>
The special message bus name <literal>org.freedesktop.DBus</literal>
may optionally implement the
<literal>org.freedesktop.DBus.Containers1</literal> interface on
the object path <literal>/org/freedesktop/DBus</literal>.
</para>
<para>
This interface allows container managers and similar sandboxing
mechanisms to ask the message bus to create a special socket
for each sandboxed application,
which uniquely identifies the application to other message bus
clients without introducing race conditions.
For this mechanism to be useful, the sandboxed application must be
prevented from connecting to the message bus's usual socket.
This interface is a D-Bus equivalent of the
<ulink url="https://gitlab.freedesktop.org/wayland/wayland-protocols/-/tree/main/staging/security-context">Wayland security-context extension</ulink>.
</para>
<para>
As currently implemented, this interface does not apply any
special filtering to the D-Bus messages sent and received by a
sandboxed application.
To limit what a sandboxed application can do on D-Bus, it is
likely to be necessary to impose restrictions,
perhaps by using a Linux security module such as AppArmor or a
filtering proxy such as
<ulink url="https://github.com/flatpak/xdg-dbus-proxy/">xdg-dbus-proxy</ulink>.
A future version of this specification might add a mechanism for
the creator of a confined socket to specify filtering rules.
</para>
<sect3 id="bus-messages-containers1-add-server">
<title><literal>org.freedesktop.DBus.Containers1.AddServer</literal></title>