Harden fm-shim-backend D-Bus name acquisition, error replies, fd hygiene, systemd sandboxing, and cleanup

claude · claude · commit 58c85ee06cd6 · 2026-04-01T14:38:19.000Z
- Add DBUS_NAME_FLAG_DO_NOT_QUEUE and terminate on IN_QUEUE to prevent silent name takeover after another owner exits - Send proper D-Bus error replies for unrecognized methods, wrong object paths, and wrong interfaces instead of leaving callers hanging - Close inherited file descriptors in child process before execve to avoid leaking the D-Bus socket to the frontend - Add systemd sandboxing directives (NoNewPrivileges, ProtectSystem, ProtectHome, PrivateTmp, etc.) to the user service - Add explicit dbus_connection_unref/dbus_error_free on main loop exit https://claude.ai/code/session_01CgrrFhhVWtqtfhvJdEcBWm
diff --git a/usr/lib/systemd/user/fm-shim.service#security-misc-shared b/usr/lib/systemd/user/fm-shim.service#security-misc-shared
@@ -10,6 +10,14 @@ StartLimitBurst=3
 Type=notify
 ExecStart=/usr/bin/fm-shim-backend
 Restart=always
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=read-only
+PrivateTmp=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
 
 [Install]
 WantedBy=default.target
diff --git a/usr/src/security-misc/fm-shim-backend.c#security-misc-shared b/usr/src/security-misc/fm-shim-backend.c#security-misc-shared
@@ -32,6 +32,7 @@
 #include <unistd.h>
 #include <assert.h>
 #include <sys/wait.h>
+#include <dirent.h>
 #include <signal.h>
 #include <dbus/dbus.h>
 #include <systemd/sd-daemon.h>
@@ -192,7 +193,23 @@ void launch_frontend_process(const char *mode_opt, char **uri_list,
   if (fork_pid == -1) {
     err(1, "launch_frontend_process: fork failed");
   } else if (fork_pid == 0) {
-    /* child */
+    /* child - close inherited fds (except stdin/stdout/stderr) */
+    DIR *fd_dir = opendir("/proc/self/fd");
+    if (fd_dir != NULL) {
+      int dir_fd = dirfd(fd_dir);
+      struct dirent *fd_entry;
+      while ((fd_entry = readdir(fd_dir)) != NULL) {
+        char *endptr = NULL;
+        long fd_num = strtol(fd_entry->d_name, &endptr, 10);
+        if (endptr == fd_entry->d_name || *endptr != '\0') {
+          continue;
+        }
+        if (fd_num >= 3 && fd_num != (long)dir_fd) {
+          close((int)fd_num);
+        }
+      }
+      closedir(fd_dir);
+    }
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wcast-qual"
     if (execve(arg_arr[0], (char **)arg_arr, (char **)env_arr) == -1) {
@@ -332,7 +349,7 @@ int main(void) {
 
   dbus_name_request_rslt = dbus_bus_request_name(dbus_conn,
     "org.freedesktop.FileManager1",
-    DBUS_NAME_FLAG_REPLACE_EXISTING,
+    DBUS_NAME_FLAG_REPLACE_EXISTING | DBUS_NAME_FLAG_DO_NOT_QUEUE,
     &error_data);
   if (dbus_name_request_rslt == -1) {
     errx(1, "Failed to request 'org.freedesktop.FileManager1' name from D-Bus. Error name: '%s'. Error contents: '%s'.",
@@ -346,13 +363,7 @@ int main(void) {
     sd_notify(0, "STATUS=Running");
     break;
   case DBUS_REQUEST_NAME_REPLY_IN_QUEUE:
-    warnx("Requested 'org.freedesktop.FileManager1' name from D-Bus, but was placed in queue.");
-    warnx("This may be a security risk! Please report this bug!");
-    /*
-     * sd_notify(0, "READY=1") is intentionally omitted here, so that
-     * systemcheck will show a warning about the system not being ready
-     */
-    sd_notify(0, "STATUS=Running, security issue detected");
+    errx(1, "Requested 'org.freedesktop.FileManager1' name from D-Bus, but was placed in queue. This is a security risk! Please report this bug!");
     break;
   case DBUS_REQUEST_NAME_REPLY_ALREADY_OWNER:
     warnx("Possible bug, we already own 'org.freedesktop.FileManager1' name?");
@@ -393,6 +404,14 @@ int main(void) {
     if (strcmp(dbus_msg_obj_path, "/org/freedesktop/FileManager1") != 0) {
       warnx("Received a D-Bus method call for object path '%s', rather than '/org/freedesktop/FileManager1'!",
         dbus_msg_obj_path);
+      if (dbus_message_get_no_reply(dbus_msg) == FALSE) {
+        DBusMessage *err_reply = dbus_message_new_error(dbus_msg,
+          DBUS_ERROR_UNKNOWN_OBJECT, "Unknown object path");
+        if (err_reply != NULL) {
+          dbus_connection_send(dbus_conn, err_reply, NULL);
+          dbus_message_unref(err_reply);
+        }
+      }
       goto cleanup;
     }
 
@@ -404,6 +423,14 @@ int main(void) {
     if (strcmp(dbus_msg_iface, "org.freedesktop.FileManager1") != 0) {
       warnx("Received a D-Bus method call for interface '%s', rather than 'org.freedesktop.FileManager1'!",
         dbus_msg_iface);
+      if (dbus_message_get_no_reply(dbus_msg) == FALSE) {
+        DBusMessage *err_reply = dbus_message_new_error(dbus_msg,
+          DBUS_ERROR_UNKNOWN_INTERFACE, "Unknown interface");
+        if (err_reply != NULL) {
+          dbus_connection_send(dbus_conn, err_reply, NULL);
+          dbus_message_unref(err_reply);
+        }
+      }
       goto cleanup;
     }
 
@@ -422,6 +449,14 @@ int main(void) {
     } else {
       warnx("Received a D-Bus method call for unrecognized method '%s'!",
         dbus_msg_method);
+      if (dbus_message_get_no_reply(dbus_msg) == FALSE) {
+        DBusMessage *err_reply = dbus_message_new_error(dbus_msg,
+          DBUS_ERROR_UNKNOWN_METHOD, "Unknown method");
+        if (err_reply != NULL) {
+          dbus_connection_send(dbus_conn, err_reply, NULL);
+          dbus_message_unref(err_reply);
+        }
+      }
     }
 
 cleanup:
@@ -433,4 +468,7 @@ cleanup:
     dbus_msg_iface = NULL;
     dbus_msg_method = NULL;
   }
+
+  dbus_connection_unref(dbus_conn);
+  dbus_error_free(&error_data);
 }
