Connect with D-Bus in a network namespace

Connecting to a DBus daemon listening on an abstract Unix socket in a different network namespace is not possible. Such addresses can be identified in ss -x via an address that contains a @:

u_str  ESTAB      0      0      @/tmp/dbus-t00hzZWBDm 11204746              * 11210618           

As a workaround, you can create a non-abstract Unix or IP socket which proxies to the abstract Unix socket. This is to be done outside the network namespace. From within the network namespace, you can then connect to that address. E.g. assuming the above abstract socket address, run this outside the namespace:

socat UNIX-LISTEN:/tmp/whatever,fork ABSTRACT-CONNECT:/tmp/dbus-t00hzZWBDm

Then from within the namespace you can connect by setting this environment variable:

DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/whatever
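A hardened variant of the socat workaround above, as an added example that is not part of the original answers. The bus daemon authenticates the socket peer it sees, which is socat, so anyone who can connect to the proxy socket reaches the bus as the user running socat; the script therefore keeps the socket in a directory only that user can enter. The function names, the dbus-proxy.XXXXXX directory and the bus file name are assumptions, and stat -c and mktemp -d are used in their GNU coreutils form.

```sh
#!/bin/sh
# Added example. Function names and the proxy directory layout are constructed.

# Read `ss -x` output on stdin; print abstract socket names without the '@'.
abstract_sockets() {
    awk '$5 ~ /^@./ { print substr($5, 2) }' | sort -u
}

# Print NAME from "unix:abstract=NAME[,guid=...]"; return 1 for any other
# transport. Assumption: abstract= is the first key of the address.
abstract_name() {
    case $1 in
        unix:abstract=?*) ;;
        *) return 1 ;;
    esac
    set -- "${1#unix:abstract=}"
    printf '%s\n' "${1%%[,;]*}"
}

# Succeed only if DIR/bus is a socket and DIR is owned by the caller, mode 700.
proxy_is_private() {
    [ -S "$1/bus" ] || return 1
    [ "$(stat -c '%u %a' "$1")" = "$(id -u) 700" ]
}

# Run outside the namespace. Starts socat in the background and prints the
# address to export as DBUS_SESSION_BUS_ADDRESS inside the namespace.
start_proxy() {
    name=$(abstract_name "$1") || {
        echo "not a unix:abstract address: $1" >&2
        return 1
    }
    # mktemp -d creates the directory with mode 700.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/dbus-proxy.XXXXXX") || return 1
    socat "UNIX-LISTEN:$dir/bus,fork,mode=600" "ABSTRACT-CONNECT:$name" &
    # Wait up to 5 seconds for socat to bind, then verify before handing it out.
    i=0
    until [ -S "$dir/bus" ] || [ "$i" -ge 50 ]; do
        sleep 0.1
        i=$((i + 1))
    done
    proxy_is_private "$dir" || return 1
    echo "unix:path=$dir/bus"
}
```

Outside the namespace, start_proxy "$DBUS_SESSION_BUS_ADDRESS" prints the value to export inside it.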

The Linux network namespace (ip-netns) does separate the Unix socket, and as dbus uses it, it is then not accessible from the new namespace. We could imagine a feature that would leave access to the Unix socket, but this is not implemented as of 05/2019. Unix sockets can be watched with netstat -a -p --unix

Alternative solution: use socat to proxy the dbus socket; this is detailed in this answer and here.

Alternative solution: depending on the needed communication with dbus, a new session bus instance can be created from inside the namespace with dbus-launch my-command-or-app. Note that other ways can be used, like dbus-run-session.

Alternative solution: netns-exec can run an application/command in a namespace without root access (similar to what firejail can do), but it can also proxy the dbus with socat, like the first solution, in an automated way and without root access.

Alternative solution: xdg-dbus-proxy can also do the job without root and with many additional options like filtering. This could be the best option regarding security if you want to allow access to a single dbus location. This application is starting to be distributed on major distros as it's part of firejail, so building from source may not be required. The man page can be found here, or just run man xdg-dbus-proxy if the app is installed. Here is how to use it:

On the host: xdg-dbus-proxy $DBUS_SESSION_BUS_ADDRESS /tmp/proxybus or xdg-dbus-proxy $DBUS_SESSION_BUS_ADDRESS /tmp/proxybus --filter --talk=org.foo.bar --see=org.gtk.* --own=org.my.name

And in the namespace: DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/proxybus app-using-dbus