main: Stop owning the public org.freedesktop.Notifications name

For sandboxed apps, permission to talk to org.freedesktop.Notifications
looks innocent enough. However, as all exported services share the same
connection to the session bus, that permission actually grants an app
access to *any* shell D-Bus API.

While we want apps to use the notification portal, it is still common
for apps to use libnotify, raw D-Bus calls or even notify-send.

We don't want to give those apps a way to circumvent most of the sandbox
restrictions, so stop owning the org.freedesktop.Notifications name.

In a next step we will implement a separate notification-daemon that
exposes the API on the well-known address and proxies any requests to
the real implementation in gnome-shell.

https://gitlab.gnome.org/GNOME/gnome-shell/merge_requests/547
This commit is contained in:
Florian Müllner 2019-05-16 19:30:35 +02:00 committed by Florian Müllner
parent 574c560677
commit 1aff64a38b


@ -161,8 +161,6 @@ shell_dbus_init (gboolean replace)
"org.gnome.Panel", TRUE,
/* ...and the org.gnome.Magnifier service. */
MAGNIFIER_DBUS_SERVICE, FALSE,
/* ...and the org.freedesktop.Notifications service. */
"org.freedesktop.Notifications", FALSE,
NULL);
g_object_unref (bus);
g_object_unref (session);
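Review bot: removing the two `org.freedesktop.Notifications` lines from the name list in `shell_dbus_init` leaves nothing owning that well-known name until the proxy daemon mentioned in the commit message exists, so in the meantime libnotify, raw D-Bus callers and notify-send get an error from the bus (or the bus activates whatever other `.service` file claims the name). Suggest stating that ordering explicitly in the message or landing this together with the separate notification-daemon, and double-checking that the list still ends with `MAGNIFIER_DBUS_SERVICE, FALSE,` directly followed by the `NULL` terminator so the varargs call is not left with a dangling pair.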