Connect with D-Bus in a network namespace
Connecting to a DBus daemon listening on an abstract Unix socket in a different network namespace is not possible. Such addresses can be identified in ss -x via an address that contains a @:
u_str ESTAB 0 0 @/tmp/dbus-t00hzZWBDm 11204746 * 11210618
As a workaround, you can create a non-abstract Unix or IP socket which proxies to the abstract Unix socket. This is to be done outside the network namespace. From within the network namespace, you can then connect to that address. E.g. assuming the above abstract socket address, run this outside the namespace:
socat UNIX-LISTEN:/tmp/whatever,fork ABSTRACT-CONNECT:/tmp/dbus-t00hzZWBDm
Then from within the namespace you can connect by setting this environment variable:
DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/whatever
The Linux network namespace (ip-netns) does separate the unix socket, and as dbus uses it, it is then not accessible from the new namespace. We could imagine a feature that would leave access to the unix socket, but this is not implemented as of 05/2019. Unix sockets can be watched with netstat -a -p --unix
Alternative solution: using socat to proxy the dbus socket; this is detailed in this answer and here.
Alternative solution: depending on the needed communication with dbus, a new session bus instance can be created from inside the namespace with dbus-launch my-command-or-app. Note that other ways can be used, like dbus-run-session.
Alternative solution: netns-exec can run an application/command in a namespace without root access (similar to what firejail can do), but it can also proxy the dbus with socat like the first solution, in an automated way and without root access.
Alternative solution: xdg-dbus-proxy can also do the job without root and with many additional options like filtering. This could be the best option regarding security if you want to allow access to a single dbus location. This application is starting to be distributed on major distros as it's part of firejail, so building from source may not be required. The man page can be found here, or just run man xdg-dbus-proxy if the app is installed. Here is how to use it:
On the host: xdg-dbus-proxy $DBUS_SESSION_BUS_ADDRESS /tmp/proxybus
or xdg-dbus-proxy $DBUS_SESSION_BUS_ADDRESS /tmp/proxybus --filter --talk=org.foo.bar --see=org.gtk.* --own=org.my.name
And on the namespace: DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/proxybus app-using-dbus
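The socat workaround from the answers above, as an added example that is not part of either answer: it parses a D-Bus address, decides whether the socket is abstract, and prints the proxy command to run outside the namespace plus the address to export inside it. The function names, the guid and the mode=600 option are assumptions added here, and address values are assumed not to be percent-escaped.

```shell
#!/bin/sh
# Added example: classify a D-Bus address and plan a socat proxy for it.

# Print "abstract <name>" or "path <file>" for the first entry of a D-Bus
# address list; return 1 for anything else (tcp:, escaped values, ...).
dbus_addr_kind() {
    entry=${1%%;*}                      # entries are ';'-separated
    case $entry in
        unix:*) rest=${entry#unix:} ;;
        *) return 1 ;;
    esac
    while [ -n "$rest" ]; do            # key=value pairs are ','-separated
        kv=${rest%%,*}
        case $kv in
            *%*) return 1 ;;            # percent-escaped values: not handled here
            abstract=?*) echo "abstract ${kv#abstract=}"; return 0 ;;
            path=?*)     echo "path ${kv#path=}"; return 0 ;;
        esac
        case $rest in
            *,*) rest=${rest#*,} ;;
            *)   rest= ;;
        esac
    done
    return 1
}

# $1 = bus address seen outside the namespace, $2 = proxy socket path (hypothetical).
# Prints the command to run outside the namespace (abstract case only) and
# the address to export inside it.
proxy_plan() {
    kind=$(dbus_addr_kind "$1") || { echo "unsupported address: $1" >&2; return 1; }
    case $kind in
        abstract\ *)
            # mode=600 is an addition to the page's command: through the proxy
            # the bus daemon's peer is socat, so file permissions gate access.
            echo "socat UNIX-LISTEN:$2,fork,mode=600 ABSTRACT-CONNECT:${kind#abstract }"
            echo "DBUS_SESSION_BUS_ADDRESS=unix:path=$2" ;;
        path\ *)
            # Pathname sockets follow the filesystem, not the network namespace.
            echo "DBUS_SESSION_BUS_ADDRESS=unix:path=${kind#path }" ;;
    esac
}

# Constructed sample: the page's socket name plus a made-up guid.
proxy_plan "unix:abstract=/tmp/dbus-t00hzZWBDm,guid=00000000000000000000000000000000" /tmp/whatever
```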