run: Ignore system bus failures in parental controls check

Currently if the parental controls check can't connect to the system bus, apps are not allowed to run. However, apps are also allowed to run if the malcontent (or accounts-service) D-Bus services aren't available. Since it's trivial to meet that requirement by starting a temporary dbus-daemon and setting `DBUS_SYSTEM_BUS_ADDRESS` to use it, not being able to access the system bus at all is no less secure. This primarily affects flatpak running in a container where D-Bus is generally not available. Fixes: flatpak#5076
smcv · Dec 8, 2023 · 3afdfd2 · 3afdfd2
1 parent 9e58442
commit 3afdfd2
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
@@ -2710,9 +2710,21 @@ check_parental_controls (FlatpakDecomposed *app_ref,
  g_autoptr(GDesktopAppInfo) app_info = NULL;
  gboolean allowed = FALSE;
 
- system_bus = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, error);
+ system_bus = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &local_error);
  if (system_bus == NULL)
- return FALSE;
+ {
+ /* Since the checks below allow access when malcontent or
+ * accounts-service aren't available on the bus, this whole routine can
+ * be trivially bypassed by setting DBUS_SYSTEM_BUS_ADDRESS to a
+ * temporary dbus-daemon. Not being able to connect to the system bus is
+ * basically equivalent.
+ */
+ g_debug ("Skipping parental controls check for %s since D-Bus system "
+ "bus connection failed: %s",
+ flatpak_decomposed_get_ref (app_ref),
+ local_error ? local_error->message : "unknown reason");
+ return TRUE;
+ }
 
  manager = mct_manager_new (system_bus);
  app_filter = mct_manager_get_app_filter (manager, getuid (),