Closed HandsomeJaack closed 2 years ago
What I gather, the service should be on the session bus?
@pvuorela actually it is, but there is a patch in libsignond which enables p2p by default; it seems that firejail treats p2p like a system permission (but I haven't found clear evidence of this).
If the system here somehow makes the /run/... socket readable, it sounds more like an accident than a real fix. Also, the file here already includes
# Application must be able to create a socket here
whitelist ${RUNUSER}/signonui
which I would expect to take care of the p2p socket.
cc @Tomin1
Yes, indeed. This change should not have any effect on those peer-to-peer sockets since dbus-system and dbus-user rules affect only the proxies on these two well-known buses. There is no proxy on peer-to-peer sockets. Access to those is controlled by file system rules like whitelist and read-only.
# Application must be able to create a socket here
whitelist ${RUNUSER}/signonui
What creates that directory / sockets within it, and when?
IIRC for whitelisting to have any effect: the directory needs to already exist before sandbox is set up, or it needs to be created during sandbox setup.
Basically: should there be "mkdir ${RUNUSER}/signonui" rule before that whitelist rule?
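An illustrative firejail profile fragment, added here as an example and not taken from the PR or from the project's own profile, showing the two points raised in this thread: the dbus-user/dbus-system rules only configure the proxy on the two well-known buses, while a peer-to-peer socket directory under ${RUNUSER} is governed by file-system rules, and the directory has to exist before the whitelist rule can take effect. Which bus rule applies to com.google.code.AccountsSSO.SingleSignOn is assumed to follow the bus the name is registered on; everything else (the filter lines and the mkdir placement) is the example's own assumption.

```text
# Illustrative profile fragment (added example, not the project's file).
# Bus proxy rules: these only control what the sandboxed process may see on
# the two well-known buses through the D-Bus proxy. They do nothing for
# peer-to-peer D-Bus sockets, which are plain files under ${RUNUSER}.
dbus-user filter
dbus-system filter
# Assumption: the name lives on the system bus, so the talk rule goes under
# dbus-system; if it were on the session bus the rule would be dbus-user.talk.
dbus-system.talk com.google.code.AccountsSSO.SingleSignOn

# Peer-to-peer sockets are controlled by file-system rules instead.
# A whitelist for a path that does not exist at sandbox setup is silently
# dropped, so create the directory first; firejail's mkdir command creates
# it during setup if it is missing.
mkdir ${RUNUSER}/signonui
# Application must be able to create a socket here
whitelist ${RUNUSER}/signonui
```

The ordering matters: the mkdir rule is placed before the whitelist rule so that the whitelist has an existing directory to bind-mount, independent of whether something else created it earlier.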
Ok, I put together a picture. Thank you all. @spiiroin, I've checked out your suggestion and it works, thanks.
com.google.code.AccountsSSO.SingleSignOn is located on the system bus. Fixes the error:
SignOn::ConnectionManager::init:130 - Unable to activate p2p signond service!
when attempting to create an email account.