1 /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
2 /* bus.c message bus context object
4 * Copyright (C) 2003, 2004 Red Hat, Inc.
6 * Licensed under the Academic Free License version 2.1
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
29 #include "activation.h"
30 #include "connection.h"
34 #include "config-parser.h"
38 #include "dir-watch.h"
39 #include <dbus/dbus-list.h>
40 #include <dbus/dbus-hash.h>
41 #include <dbus/dbus-credentials.h>
42 #include <dbus/dbus-internals.h>
43 #include <dbus/dbus-server-protected.h>
62 BusConnections *connections;
63 BusActivation *activation;
64 BusRegistry *registry;
66 BusMatchmaker *matchmaker;
68 DBusRLimit *initial_fd_limit;
69 unsigned int fork : 1;
70 unsigned int syslog : 1;
71 unsigned int keep_umask : 1;
72 unsigned int allow_anonymous : 1;
73 unsigned int systemd_activation : 1;
74 dbus_bool_t watches_enabled;
77 static dbus_int32_t server_data_slot = -1;
84 #define BUS_SERVER_DATA(server) (dbus_server_get_data ((server), server_data_slot))
87 server_get_context (DBusServer *server)
92 if (!dbus_server_allocate_data_slot (&server_data_slot))
95 bd = BUS_SERVER_DATA (server);
98 dbus_server_free_data_slot (&server_data_slot);
102 context = bd->context;
104 dbus_server_free_data_slot (&server_data_slot);
110 add_server_watch (DBusWatch *watch,
113 DBusServer *server = data;
116 context = server_get_context (server);
118 return _dbus_loop_add_watch (context->loop, watch);
122 remove_server_watch (DBusWatch *watch,
125 DBusServer *server = data;
128 context = server_get_context (server);
130 _dbus_loop_remove_watch (context->loop, watch);
134 toggle_server_watch (DBusWatch *watch,
137 DBusServer *server = data;
140 context = server_get_context (server);
142 _dbus_loop_toggle_watch (context->loop, watch);
146 add_server_timeout (DBusTimeout *timeout,
149 DBusServer *server = data;
152 context = server_get_context (server);
154 return _dbus_loop_add_timeout (context->loop, timeout);
158 remove_server_timeout (DBusTimeout *timeout,
161 DBusServer *server = data;
164 context = server_get_context (server);
166 _dbus_loop_remove_timeout (context->loop, timeout);
170 new_connection_callback (DBusServer *server,
171 DBusConnection *new_connection,
174 BusContext *context = data;
176 if (!bus_connections_setup_connection (context->connections, new_connection))
178 _dbus_verbose ("No memory to setup new connection\n");
180 /* if we don't do this, it will get unref'd without
181 * being disconnected... kind of strange really
182 * that we have to do this, people won't get it right
185 dbus_connection_close (new_connection);
188 dbus_connection_set_max_received_size (new_connection,
189 context->limits.max_incoming_bytes);
191 dbus_connection_set_max_message_size (new_connection,
192 context->limits.max_message_size);
194 dbus_connection_set_max_received_unix_fds (new_connection,
195 context->limits.max_incoming_unix_fds);
197 dbus_connection_set_max_message_unix_fds (new_connection,
198 context->limits.max_message_unix_fds);
200 dbus_connection_set_allow_anonymous (new_connection,
201 context->allow_anonymous);
203 /* on OOM, we won't have ref'd the connection so it will die. */
207 free_server_data (void *data)
209 BusServerData *bd = data;
215 setup_server (BusContext *context,
217 char **auth_mechanisms,
222 bd = dbus_new0 (BusServerData, 1);
223 if (bd == NULL || !dbus_server_set_data (server,
225 bd, free_server_data))
232 bd->context = context;
234 if (!dbus_server_set_auth_mechanisms (server, (const char**) auth_mechanisms))
240 dbus_server_set_new_connection_function (server,
241 new_connection_callback,
244 if (!dbus_server_set_watch_functions (server,
255 if (!dbus_server_set_timeout_functions (server,
257 remove_server_timeout,
268 /* This code only gets executed the first time the
269 * config files are parsed. It is not executed
270 * when config files are reloaded.
273 process_config_first_time_only (BusContext *context,
274 BusConfigParser *parser,
275 const DBusString *address,
276 BusContextFlags flags,
279 DBusString log_prefix;
281 DBusList **addresses;
282 const char *user, *pidfile;
283 char **auth_mechanisms;
284 DBusList **auth_mechanisms_list;
288 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
291 auth_mechanisms = NULL;
294 _dbus_init_system_log (TRUE);
296 if (flags & BUS_CONTEXT_FLAG_SYSTEMD_ACTIVATION)
297 context->systemd_activation = TRUE;
299 context->systemd_activation = FALSE;
301 /* Check for an existing pid file. Of course this is a race;
302 * we'd have to use fcntl() locks on the pid file to
303 * avoid that. But we want to check for the pid file
304 * before overwriting any existing sockets, etc.
307 if (flags & BUS_CONTEXT_FLAG_WRITE_PID_FILE)
308 pidfile = bus_config_parser_get_pidfile (parser);
315 _dbus_string_init_const (&u, pidfile);
317 if (_dbus_stat (&u, &stbuf, NULL))
323 _dbus_string_init (&p);
324 _dbus_file_get_contents(&p, &u, NULL);
325 _dbus_string_parse_int(&p, 0, &pid, NULL);
326 _dbus_string_free(&p);
328 if ((kill((int)pid, 0))) {
329 dbus_set_error(NULL, DBUS_ERROR_FILE_EXISTS,
330 "pid %ld not running, removing stale pid file\n",
332 _dbus_delete_file(&u, NULL);
335 dbus_set_error (error, DBUS_ERROR_FAILED,
336 "The pid file \"%s\" exists, if the message bus is not running, remove this file",
345 /* keep around the pid filename so we can delete it later */
346 context->pidfile = _dbus_strdup (pidfile);
348 /* note that type may be NULL */
349 context->type = _dbus_strdup (bus_config_parser_get_type (parser));
350 if (bus_config_parser_get_type (parser) != NULL && context->type == NULL)
353 user = bus_config_parser_get_user (parser);
356 context->user = _dbus_strdup (user);
357 if (context->user == NULL)
361 /* Set up the prefix for syslog messages */
362 if (!_dbus_string_init (&log_prefix))
364 if (context->type && !strcmp (context->type, "system"))
366 if (!_dbus_string_append (&log_prefix, "[system] "))
369 else if (context->type && !strcmp (context->type, "session"))
371 DBusCredentials *credentials;
373 credentials = _dbus_credentials_new_from_current_process ();
376 if (!_dbus_string_append (&log_prefix, "[session "))
378 _dbus_credentials_unref (credentials);
381 if (!_dbus_credentials_to_string_append (credentials, &log_prefix))
383 _dbus_credentials_unref (credentials);
386 if (!_dbus_string_append (&log_prefix, "] "))
388 _dbus_credentials_unref (credentials);
391 _dbus_credentials_unref (credentials);
393 if (!_dbus_string_steal_data (&log_prefix, &context->log_prefix))
395 _dbus_string_free (&log_prefix);
397 /* Build an array of auth mechanisms */
399 auth_mechanisms_list = bus_config_parser_get_mechanisms (parser);
400 len = _dbus_list_get_length (auth_mechanisms_list);
406 auth_mechanisms = dbus_new0 (char*, len + 1);
407 if (auth_mechanisms == NULL)
411 link = _dbus_list_get_first_link (auth_mechanisms_list);
414 auth_mechanisms[i] = _dbus_strdup (link->data);
415 if (auth_mechanisms[i] == NULL)
417 link = _dbus_list_get_next_link (auth_mechanisms_list, link);
423 auth_mechanisms = NULL;
426 /* Listen on our addresses */
432 server = dbus_server_listen (_dbus_string_get_const_data(address), error);
435 _DBUS_ASSERT_ERROR_IS_SET (error);
438 else if (!setup_server (context, server, auth_mechanisms, error))
440 _DBUS_ASSERT_ERROR_IS_SET (error);
444 if (!_dbus_list_append (&context->servers, server))
449 addresses = bus_config_parser_get_addresses (parser);
451 link = _dbus_list_get_first_link (addresses);
456 server = dbus_server_listen (link->data, error);
459 _DBUS_ASSERT_ERROR_IS_SET (error);
462 else if (!setup_server (context, server, auth_mechanisms, error))
464 _DBUS_ASSERT_ERROR_IS_SET (error);
468 if (!_dbus_list_append (&context->servers, server))
471 link = _dbus_list_get_next_link (addresses, link);
475 context->fork = bus_config_parser_get_fork (parser);
476 context->syslog = bus_config_parser_get_syslog (parser);
477 context->keep_umask = bus_config_parser_get_keep_umask (parser);
478 context->allow_anonymous = bus_config_parser_get_allow_anonymous (parser);
480 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
484 dbus_free_string_array (auth_mechanisms);
489 dbus_free_string_array (auth_mechanisms);
493 /* This code gets executed every time the config files
494 * are parsed: both during BusContext construction
495 * and on reloads. This function is slightly screwy
496 * since it can do a "half reload" in out-of-memory
497 * situations. Realistically, unlikely to ever matter.
500 process_config_every_time (BusContext *context,
501 BusConfigParser *parser,
502 dbus_bool_t is_reload,
505 DBusString full_address;
509 const char *servicehelper;
514 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
519 if (!_dbus_string_init (&full_address))
525 /* get our limits and timeout lengths */
526 bus_config_parser_get_limits (parser, &context->limits);
529 bus_policy_unref (context->policy);
530 context->policy = bus_config_parser_steal_policy (parser);
531 _dbus_assert (context->policy != NULL);
533 /* context->connections is NULL when creating new BusContext */
534 if (context->connections)
536 _dbus_verbose ("Reload policy rules for completed connections\n");
537 retval = bus_connections_reload_policy (context->connections, error);
540 _DBUS_ASSERT_ERROR_IS_SET (error);
545 /* We have to build the address backward, so that
546 * <listen> later in the config file have priority
548 link = _dbus_list_get_last_link (&context->servers);
551 addr = dbus_server_get_address (link->data);
558 if (_dbus_string_get_length (&full_address) > 0)
560 if (!_dbus_string_append (&full_address, ";"))
567 if (!_dbus_string_append (&full_address, addr))
576 link = _dbus_list_get_prev_link (&context->servers, link);
580 dbus_free (context->address);
582 if (!_dbus_string_copy_data (&full_address, &context->address))
588 /* get the service directories */
589 dirs = bus_config_parser_get_service_dirs (parser);
591 /* and the service helper */
592 servicehelper = bus_config_parser_get_servicehelper (parser);
594 s = _dbus_strdup(servicehelper);
595 if (s == NULL && servicehelper != NULL)
602 dbus_free(context->servicehelper);
603 context->servicehelper = s;
606 /* Create activation subsystem */
607 if (context->activation)
609 if (!bus_activation_reload (context->activation, &full_address, dirs, error))
614 context->activation = bus_activation_new (context, &full_address, dirs, error);
617 if (context->activation == NULL)
619 _DBUS_ASSERT_ERROR_IS_SET (error);
623 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
627 _dbus_string_free (&full_address);
636 list_concat_new (DBusList **a,
644 for (link = _dbus_list_get_first_link (a); link; link = _dbus_list_get_next_link (a, link))
646 if (!_dbus_list_append (result, link->data))
649 for (link = _dbus_list_get_first_link (b); link; link = _dbus_list_get_next_link (b, link))
651 if (!_dbus_list_append (result, link->data))
657 _dbus_list_clear (result);
662 raise_file_descriptor_limit (BusContext *context)
665 DBusError error = DBUS_ERROR_INIT;
667 /* we only do this once */
668 if (context->initial_fd_limit != NULL)
671 context->initial_fd_limit = _dbus_rlimit_save_fd_limit (&error);
673 if (context->initial_fd_limit == NULL)
675 bus_context_log (context, DBUS_SYSTEM_LOG_WARNING,
676 "%s: %s", error.name, error.message);
677 dbus_error_free (&error);
681 /* We used to compute a suitable rlimit based on the configured number
682 * of connections, but that breaks down as soon as we allow fd-passing,
683 * because each connection is allowed to pass 64 fds to us, and if
684 * they all did, we'd hit kernel limits. We now hard-code 64k as a
685 * good limit, like systemd does: that's enough to avoid DoS from
686 * anything short of multiple uids conspiring against us.
688 if (!_dbus_rlimit_raise_fd_limit_if_privileged (65536, &error))
690 bus_context_log (context, DBUS_SYSTEM_LOG_WARNING,
691 "%s: %s", error.name, error.message);
692 dbus_error_free (&error);
699 process_config_postinit (BusContext *context,
700 BusConfigParser *parser,
703 DBusHashTable *service_context_table;
704 DBusList *watched_dirs = NULL;
706 raise_file_descriptor_limit (context);
708 service_context_table = bus_config_parser_steal_service_context_table (parser);
709 if (!bus_registry_set_service_context_table (context->registry,
710 service_context_table))
716 _dbus_hash_table_unref (service_context_table);
718 /* We need to monitor both the configuration directories and directories
719 * containing .service files.
721 if (!list_concat_new (bus_config_parser_get_conf_dirs (parser),
722 bus_config_parser_get_service_dirs (parser),
729 bus_set_watched_dirs (context, &watched_dirs);
731 _dbus_list_clear (&watched_dirs);
737 bus_context_new (const DBusString *config_file,
738 BusContextFlags flags,
739 DBusPipe *print_addr_pipe,
740 DBusPipe *print_pid_pipe,
741 const DBusString *address,
745 BusConfigParser *parser;
747 _dbus_assert ((flags & BUS_CONTEXT_FLAG_FORK_NEVER) == 0 ||
748 (flags & BUS_CONTEXT_FLAG_FORK_ALWAYS) == 0);
750 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
755 if (!dbus_server_allocate_data_slot (&server_data_slot))
761 context = dbus_new0 (BusContext, 1);
767 context->refcount = 1;
769 if (!_dbus_generate_uuid (&context->uuid, error))
772 if (!_dbus_string_copy_data (config_file, &context->config_file))
778 context->loop = _dbus_loop_new ();
779 if (context->loop == NULL)
785 context->watches_enabled = TRUE;
787 context->registry = bus_registry_new (context);
788 if (context->registry == NULL)
794 parser = bus_config_load (config_file, TRUE, NULL, error);
797 _DBUS_ASSERT_ERROR_IS_SET (error);
801 if (!process_config_first_time_only (context, parser, address, flags, error))
803 _DBUS_ASSERT_ERROR_IS_SET (error);
806 if (!process_config_every_time (context, parser, FALSE, error))
808 _DBUS_ASSERT_ERROR_IS_SET (error);
812 /* we need another ref of the server data slot for the context
815 if (!dbus_server_allocate_data_slot (&server_data_slot))
816 _dbus_assert_not_reached ("second ref of server data slot failed");
818 /* Note that we don't know whether the print_addr_pipe is
819 * one of the sockets we're using to listen on, or some
820 * other random thing. But I think the answer is "don't do
823 if (print_addr_pipe != NULL && _dbus_pipe_is_valid (print_addr_pipe))
826 const char *a = bus_context_get_address (context);
829 _dbus_assert (a != NULL);
830 if (!_dbus_string_init (&addr))
836 if (!_dbus_string_append (&addr, a) ||
837 !_dbus_string_append (&addr, "\n"))
839 _dbus_string_free (&addr);
844 bytes = _dbus_string_get_length (&addr);
845 if (_dbus_pipe_write (print_addr_pipe, &addr, 0, bytes, error) != bytes)
847 /* pipe write returns an error on failure but not short write */
848 if (error != NULL && !dbus_error_is_set (error))
850 dbus_set_error (error, DBUS_ERROR_FAILED,
851 "Printing message bus address: did not write all bytes\n");
853 _dbus_string_free (&addr);
857 if (!_dbus_pipe_is_stdout_or_stderr (print_addr_pipe))
858 _dbus_pipe_close (print_addr_pipe, NULL);
860 _dbus_string_free (&addr);
863 context->connections = bus_connections_new (context);
864 if (context->connections == NULL)
870 context->matchmaker = bus_matchmaker_new ();
871 if (context->matchmaker == NULL)
877 /* check user before we fork */
878 if (context->user != NULL)
880 if (!_dbus_verify_daemon_user (context->user))
882 dbus_set_error (error, DBUS_ERROR_FAILED,
883 "Could not get UID and GID for username \"%s\"",
889 /* Now become a daemon if appropriate and write out pid file in any case */
893 if (context->pidfile)
894 _dbus_string_init_const (&u, context->pidfile);
896 if (((flags & BUS_CONTEXT_FLAG_FORK_NEVER) == 0 && context->fork) ||
897 (flags & BUS_CONTEXT_FLAG_FORK_ALWAYS))
899 _dbus_verbose ("Forking and becoming daemon\n");
901 if (!_dbus_become_daemon (context->pidfile ? &u : NULL,
904 context->keep_umask))
906 _DBUS_ASSERT_ERROR_IS_SET (error);
912 _dbus_verbose ("Fork not requested\n");
914 /* Need to write PID file and to PID pipe for ourselves,
915 * not for the child process. This is a no-op if the pidfile
916 * is NULL and print_pid_pipe is NULL.
918 if (!_dbus_write_pid_to_file_and_pipe (context->pidfile ? &u : NULL,
923 _DBUS_ASSERT_ERROR_IS_SET (error);
929 if (print_pid_pipe && _dbus_pipe_is_valid (print_pid_pipe) &&
930 !_dbus_pipe_is_stdout_or_stderr (print_pid_pipe))
931 _dbus_pipe_close (print_pid_pipe, NULL);
933 if (!bus_selinux_full_init ())
935 bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
938 if (!bus_apparmor_full_init (error))
940 _DBUS_ASSERT_ERROR_IS_SET (error);
944 if (bus_apparmor_enabled ())
946 /* Only print AppArmor mediation message when syslog support is enabled */
948 bus_context_log (context, DBUS_SYSTEM_LOG_INFO,
949 "AppArmor D-Bus mediation is enabled\n");
952 if (!process_config_postinit (context, parser, error))
954 _DBUS_ASSERT_ERROR_IS_SET (error);
960 bus_config_parser_unref (parser);
964 /* Here we change our credentials if required,
965 * as soon as we've set up our sockets and pidfile
967 if (context->user != NULL)
969 if (!_dbus_change_to_daemon_user (context->user, error))
971 _DBUS_ASSERT_ERROR_IS_SET (error);
976 /* FIXME - why not just put this in full_init() below? */
977 bus_selinux_audit_init ();
980 bus_apparmor_audit_init ();
984 dbus_server_free_data_slot (&server_data_slot);
990 bus_config_parser_unref (parser);
992 bus_context_unref (context);
994 if (server_data_slot >= 0)
995 dbus_server_free_data_slot (&server_data_slot);
1001 bus_context_get_id (BusContext *context,
1004 return _dbus_uuid_encode (&context->uuid, uuid);
1008 bus_context_reload_config (BusContext *context,
1011 BusConfigParser *parser;
1012 DBusString config_file;
1015 /* Flush the user database cache */
1016 _dbus_flush_caches ();
1019 _dbus_string_init_const (&config_file, context->config_file);
1020 parser = bus_config_load (&config_file, TRUE, NULL, error);
1023 _DBUS_ASSERT_ERROR_IS_SET (error);
1027 if (!process_config_every_time (context, parser, TRUE, error))
1029 _DBUS_ASSERT_ERROR_IS_SET (error);
1032 if (!process_config_postinit (context, parser, error))
1034 _DBUS_ASSERT_ERROR_IS_SET (error);
1039 bus_context_log (context, DBUS_SYSTEM_LOG_INFO, "Reloaded configuration");
1042 bus_context_log (context, DBUS_SYSTEM_LOG_INFO, "Unable to reload configuration: %s", error->message);
1044 bus_config_parser_unref (parser);
1049 shutdown_server (BusContext *context,
1052 if (server == NULL ||
1053 !dbus_server_get_is_connected (server))
1056 if (!dbus_server_set_watch_functions (server,
1060 _dbus_assert_not_reached ("setting watch functions to NULL failed");
1062 if (!dbus_server_set_timeout_functions (server,
1066 _dbus_assert_not_reached ("setting timeout functions to NULL failed");
1068 dbus_server_disconnect (server);
1072 bus_context_shutdown (BusContext *context)
1076 link = _dbus_list_get_first_link (&context->servers);
1077 while (link != NULL)
1079 shutdown_server (context, link->data);
1081 link = _dbus_list_get_next_link (&context->servers, link);
1086 bus_context_ref (BusContext *context)
1088 _dbus_assert (context->refcount > 0);
1089 context->refcount += 1;
1095 bus_context_unref (BusContext *context)
1097 _dbus_assert (context->refcount > 0);
1098 context->refcount -= 1;
1100 if (context->refcount == 0)
1104 _dbus_verbose ("Finalizing bus context %p\n", context);
1106 bus_context_shutdown (context);
1108 if (context->connections)
1110 bus_connections_unref (context->connections);
1111 context->connections = NULL;
1114 if (context->registry)
1116 bus_registry_unref (context->registry);
1117 context->registry = NULL;
1120 if (context->activation)
1122 bus_activation_unref (context->activation);
1123 context->activation = NULL;
1126 link = _dbus_list_get_first_link (&context->servers);
1127 while (link != NULL)
1129 dbus_server_unref (link->data);
1131 link = _dbus_list_get_next_link (&context->servers, link);
1133 _dbus_list_clear (&context->servers);
1135 if (context->policy)
1137 bus_policy_unref (context->policy);
1138 context->policy = NULL;
1143 _dbus_loop_unref (context->loop);
1144 context->loop = NULL;
1147 if (context->matchmaker)
1149 bus_matchmaker_unref (context->matchmaker);
1150 context->matchmaker = NULL;
1153 dbus_free (context->config_file);
1154 dbus_free (context->log_prefix);
1155 dbus_free (context->type);
1156 dbus_free (context->address);
1157 dbus_free (context->user);
1158 dbus_free (context->servicehelper);
1160 if (context->pidfile)
1163 _dbus_string_init_const (&u, context->pidfile);
1165 /* Deliberately ignore errors here, since there's not much
1166 * we can do about it, and we're exiting anyways.
1168 _dbus_delete_file (&u, NULL);
1170 dbus_free (context->pidfile);
1173 if (context->initial_fd_limit)
1174 _dbus_rlimit_free (context->initial_fd_limit);
1176 dbus_free (context);
1178 dbus_server_free_data_slot (&server_data_slot);
1182 /* type may be NULL */
1184 bus_context_get_type (BusContext *context)
1186 return context->type;
1190 bus_context_get_address (BusContext *context)
1192 return context->address;
1196 bus_context_get_servicehelper (BusContext *context)
1198 return context->servicehelper;
1202 bus_context_get_systemd_activation (BusContext *context)
1204 return context->systemd_activation;
1208 bus_context_get_registry (BusContext *context)
1210 return context->registry;
1214 bus_context_get_connections (BusContext *context)
1216 return context->connections;
1220 bus_context_get_activation (BusContext *context)
1222 return context->activation;
1226 bus_context_get_matchmaker (BusContext *context)
1228 return context->matchmaker;
1232 bus_context_get_loop (BusContext *context)
1234 return context->loop;
1238 bus_context_allow_unix_user (BusContext *context,
1241 return bus_policy_allow_unix_user (context->policy,
1245 /* For now this is never actually called because the default
1246 * DBusConnection behavior of 'same user that owns the bus can connect'
1247 * is all it would do.
1250 bus_context_allow_windows_user (BusContext *context,
1251 const char *windows_sid)
1253 return bus_policy_allow_windows_user (context->policy,
1258 bus_context_get_policy (BusContext *context)
1260 return context->policy;
1264 bus_context_create_client_policy (BusContext *context,
1265 DBusConnection *connection,
1268 _DBUS_ASSERT_ERROR_IS_CLEAR (error);
1269 return bus_policy_create_client_policy (context->policy, connection,
1274 bus_context_get_activation_timeout (BusContext *context)
1277 return context->limits.activation_timeout;
1281 bus_context_get_auth_timeout (BusContext *context)
1283 return context->limits.auth_timeout;
1287 bus_context_get_pending_fd_timeout (BusContext *context)
1289 return context->limits.pending_fd_timeout;
1293 bus_context_get_max_completed_connections (BusContext *context)
1295 return context->limits.max_completed_connections;
1299 bus_context_get_max_incomplete_connections (BusContext *context)
1301 return context->limits.max_incomplete_connections;
1305 bus_context_get_max_connections_per_user (BusContext *context)
1307 return context->limits.max_connections_per_user;
1311 bus_context_get_max_pending_activations (BusContext *context)
1313 return context->limits.max_pending_activations;
1317 bus_context_get_max_services_per_connection (BusContext *context)
1319 return context->limits.max_services_per_connection;
1323 bus_context_get_max_match_rules_per_connection (BusContext *context)
1325 return context->limits.max_match_rules_per_connection;
1329 bus_context_get_max_replies_per_connection (BusContext *context)
1331 return context->limits.max_replies_per_connection;
1335 bus_context_get_reply_timeout (BusContext *context)
1337 return context->limits.reply_timeout;
1341 bus_context_get_initial_fd_limit (BusContext *context)
1343 return context->initial_fd_limit;
1347 bus_context_log (BusContext *context, DBusSystemLogSeverity severity, const char *msg, ...)
1351 if (!context->syslog)
1353 /* we're not syslogging; just output to stderr */
1354 va_start (args, msg);
1355 vfprintf (stderr, msg, args);
1356 fprintf (stderr, "\n");
1359 if (severity == DBUS_SYSTEM_LOG_FATAL)
1365 va_start (args, msg);
1367 if (context->log_prefix)
1369 DBusString full_msg;
1371 if (!_dbus_string_init (&full_msg))
1373 if (!_dbus_string_append (&full_msg, context->log_prefix))
1375 if (!_dbus_string_append_printf_valist (&full_msg, msg, args))
1378 _dbus_system_log (severity, "%s", _dbus_string_get_const_data (&full_msg));
1380 _dbus_string_free (&full_msg);
1383 _dbus_system_logv (severity, msg, args);
1389 static inline const char *
1390 nonnull (const char *maybe_null,
1391 const char *if_null)
1393 return (maybe_null ? maybe_null : if_null);
1397 bus_context_log_literal (BusContext *context,
1398 DBusSystemLogSeverity severity,
1401 if (!context->syslog)
1403 fputs (msg, stderr);
1404 fputc ('\n', stderr);
1406 if (severity == DBUS_SYSTEM_LOG_FATAL)
1411 _dbus_system_log (severity, "%s%s", nonnull (context->log_prefix, ""),
1417 bus_context_log_and_set_error (BusContext *context,
1418 DBusSystemLogSeverity severity,
1424 DBusError stack_error = DBUS_ERROR_INIT;
1427 va_start (args, msg);
1428 _dbus_set_error_valist (&stack_error, name, msg, args);
1431 /* If we hit OOM while setting the error, this will syslog "out of memory"
1432 * which is itself an indication that something is seriously wrong */
1433 bus_context_log_literal (context, DBUS_SYSTEM_LOG_SECURITY,
1434 stack_error.message);
1436 dbus_move_error (&stack_error, error);
1440 * Log something about a message, usually that it was rejected.
1443 complain_about_message (BusContext *context,
1444 const char *error_name,
1445 const char *complaint,
1447 DBusMessage *message,
1448 DBusConnection *sender,
1449 DBusConnection *proposed_recipient,
1450 dbus_bool_t requested_reply,
1454 DBusError stack_error = DBUS_ERROR_INIT;
1455 const char *sender_name;
1456 const char *sender_loginfo;
1457 const char *proposed_recipient_loginfo;
1459 if (error == NULL && !log)
1464 sender_name = bus_connection_get_name (sender);
1465 sender_loginfo = bus_connection_get_loginfo (sender);
1469 sender_name = "(unset)";
1470 sender_loginfo = "(bus)";
1473 if (proposed_recipient != NULL)
1474 proposed_recipient_loginfo = bus_connection_get_loginfo (proposed_recipient);
1476 proposed_recipient_loginfo = "bus";
1478 dbus_set_error (&stack_error, error_name,
1479 "%s, %d matched rules; type=\"%s\", sender=\"%s\" (%s) "
1480 "interface=\"%s\" member=\"%s\" error name=\"%s\" "
1481 "requested_reply=\"%d\" destination=\"%s\" (%s)",
1484 dbus_message_type_to_string (dbus_message_get_type (message)),
1487 nonnull (dbus_message_get_interface (message), "(unset)"),
1488 nonnull (dbus_message_get_member (message), "(unset)"),
1489 nonnull (dbus_message_get_error_name (message), "(unset)"),
1491 nonnull (dbus_message_get_destination (message), DBUS_SERVICE_DBUS),
1492 proposed_recipient_loginfo);
1494 /* If we hit OOM while setting the error, this will syslog "out of memory"
1495 * which is itself an indication that something is seriously wrong */
1497 bus_context_log_literal (context, DBUS_SYSTEM_LOG_SECURITY,
1498 stack_error.message);
1500 dbus_move_error (&stack_error, error);
1504 * addressed_recipient is the recipient specified in the message.
1506 * proposed_recipient is the recipient we're considering sending
1507 * to right this second, and may be an eavesdropper.
1509 * sender is the sender of the message.
1511 * NULL for proposed_recipient or sender definitely means the bus driver.
1513 * NULL for addressed_recipient may mean the bus driver, or may mean
1514 * no destination was specified in the message (e.g. a signal).
1517 bus_context_check_security_policy (BusContext *context,
1518 BusTransaction *transaction,
1519 DBusConnection *sender,
1520 DBusConnection *addressed_recipient,
1521 DBusConnection *proposed_recipient,
1522 DBusMessage *message,
1525 const char *src, *dest;
1526 BusClientPolicy *sender_policy;
1527 BusClientPolicy *recipient_policy;
1528 dbus_int32_t toggles;
1531 dbus_bool_t requested_reply;
1533 type = dbus_message_get_type (message);
1534 src = dbus_message_get_sender (message);
1535 dest = dbus_message_get_destination (message);
1537 /* dispatch.c was supposed to ensure these invariants */
1538 _dbus_assert (dest != NULL ||
1539 type == DBUS_MESSAGE_TYPE_SIGNAL ||
1540 (sender == NULL && !bus_connection_is_active (proposed_recipient)));
1541 _dbus_assert (type == DBUS_MESSAGE_TYPE_SIGNAL ||
1542 addressed_recipient != NULL ||
1543 strcmp (dest, DBUS_SERVICE_DBUS) == 0);
1547 case DBUS_MESSAGE_TYPE_METHOD_CALL:
1548 case DBUS_MESSAGE_TYPE_SIGNAL:
1549 case DBUS_MESSAGE_TYPE_METHOD_RETURN:
1550 case DBUS_MESSAGE_TYPE_ERROR:
1554 _dbus_verbose ("security check disallowing message of unknown type %d\n",
1557 dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
1558 "Message bus will not accept messages of unknown type\n");
1563 requested_reply = FALSE;
1567 if (bus_connection_is_active (sender))
1569 sender_policy = bus_connection_get_policy (sender);
1570 _dbus_assert (sender_policy != NULL);
1572 /* Fill in requested_reply variable with TRUE if this is a
1573 * reply and the reply was pending.
1575 if (dbus_message_get_reply_serial (message) != 0)
1577 if (proposed_recipient != NULL /* not to the bus driver */ &&
1578 addressed_recipient == proposed_recipient /* not eavesdropping */)
1582 dbus_error_init (&error2);
1583 requested_reply = bus_connections_check_reply (bus_connection_get_connections (sender),
1585 sender, addressed_recipient, message,
1587 if (dbus_error_is_set (&error2))
1589 dbus_move_error (&error2, error);
1597 sender_policy = NULL;
1600 /* First verify the SELinux access controls. If allowed then
1601 * go on with the standard checks.
1603 if (!bus_selinux_allows_send (sender, proposed_recipient,
1604 dbus_message_type_to_string (dbus_message_get_type (message)),
1605 dbus_message_get_interface (message),
1606 dbus_message_get_member (message),
1607 dbus_message_get_error_name (message),
1608 dest ? dest : DBUS_SERVICE_DBUS, error))
1610 if (error != NULL && !dbus_error_is_set (error))
1612 /* don't syslog this, just set the error: avc_has_perm should
1613 * have already written to either the audit log or syslog */
1614 complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
1615 "An SELinux policy prevents this sender from sending this "
1616 "message to this recipient",
1617 0, message, sender, proposed_recipient, FALSE, FALSE, error);
1618 _dbus_verbose ("SELinux security check denying send to service\n");
1624 /* next verify AppArmor access controls. If allowed then
1625 * go on with the standard checks.
1627 if (!bus_apparmor_allows_send (sender, proposed_recipient,
1629 bus_context_get_type (context),
1630 dbus_message_get_type (message),
1631 dbus_message_get_path (message),
1632 dbus_message_get_interface (message),
1633 dbus_message_get_member (message),
1634 dbus_message_get_error_name (message),
1635 dest ? dest : DBUS_SERVICE_DBUS,
1636 src ? src : DBUS_SERVICE_DBUS,
1640 if (!bus_connection_is_active (sender))
1642 /* Policy for inactive connections is that they can only send
1643 * the hello message to the bus driver
1645 if (proposed_recipient == NULL &&
1646 dbus_message_is_method_call (message,
1647 DBUS_INTERFACE_DBUS,
1650 _dbus_verbose ("security check allowing %s message\n",
1656 _dbus_verbose ("security check disallowing non-%s message\n",
1659 dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
1660 "Client tried to send a message other than %s without being registered",
1669 sender_policy = NULL;
1671 /* If the sender is the bus driver, we assume any reply was a
1672 * requested reply as bus driver won't send bogus ones
1674 if (addressed_recipient == proposed_recipient /* not eavesdropping */ &&
1675 dbus_message_get_reply_serial (message) != 0)
1676 requested_reply = TRUE;
1679 _dbus_assert ((sender != NULL && sender_policy != NULL) ||
1680 (sender == NULL && sender_policy == NULL));
1682 if (proposed_recipient != NULL)
1684 /* only the bus driver can send to an inactive recipient (as it
1685 * owns no services, so other apps can't address it). Inactive
1686 * recipients can receive any message.
1688 if (bus_connection_is_active (proposed_recipient))
1690 recipient_policy = bus_connection_get_policy (proposed_recipient);
1691 _dbus_assert (recipient_policy != NULL);
1693 else if (sender == NULL)
1695 _dbus_verbose ("security check using NULL recipient policy for message from bus\n");
1696 recipient_policy = NULL;
1700 _dbus_assert_not_reached ("a message was somehow sent to an inactive recipient from a source other than the message bus\n");
1701 recipient_policy = NULL;
1705 recipient_policy = NULL;
1707 _dbus_assert ((proposed_recipient != NULL && recipient_policy != NULL) ||
1708 (proposed_recipient != NULL && sender == NULL && recipient_policy == NULL) ||
1709 (proposed_recipient == NULL && recipient_policy == NULL));
1712 if (sender_policy &&
1713 !bus_client_policy_check_can_send (sender_policy,
1717 message, &toggles, &log))
1719 complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
1720 "Rejected send message", toggles,
1721 message, sender, proposed_recipient, requested_reply,
1722 (addressed_recipient == proposed_recipient), error);
1723 _dbus_verbose ("security policy disallowing message due to sender policy\n");
1729 /* We want to drop this message, and are only not doing so for backwards
1731 complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
1732 "Would reject message", toggles,
1733 message, sender, proposed_recipient, requested_reply,
1737 if (recipient_policy &&
1738 !bus_client_policy_check_can_receive (recipient_policy,
1742 addressed_recipient, proposed_recipient,
1745 complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
1746 "Rejected receive message", toggles,
1747 message, sender, proposed_recipient, requested_reply,
1748 (addressed_recipient == proposed_recipient), error);
1749 _dbus_verbose ("security policy disallowing message due to recipient policy\n");
1753 /* See if limits on size have been exceeded */
1754 if (proposed_recipient &&
1755 ((dbus_connection_get_outgoing_size (proposed_recipient) > context->limits.max_outgoing_bytes) ||
1756 (dbus_connection_get_outgoing_unix_fds (proposed_recipient) > context->limits.max_outgoing_unix_fds)))
1758 complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED,
1759 "Rejected: destination has a full message queue",
1760 0, message, sender, proposed_recipient, requested_reply, TRUE,
1762 _dbus_verbose ("security policy disallowing message due to full message queue\n");
1766 /* Record that we will allow a reply here in the future (don't
1767 * bother if the recipient is the bus or this is an eavesdropping
1768 * connection). Only the addressed recipient may reply.
1770 if (type == DBUS_MESSAGE_TYPE_METHOD_CALL &&
1772 addressed_recipient &&
1773 addressed_recipient == proposed_recipient && /* not eavesdropping */
1774 !bus_connections_expect_reply (bus_connection_get_connections (sender),
1776 sender, addressed_recipient,
1779 _dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n");
1783 _dbus_verbose ("security policy allowing message\n");
1788 bus_context_check_all_watches (BusContext *context)
1791 dbus_bool_t enabled = TRUE;
1793 if (bus_connections_get_n_incomplete (context->connections) >=
1794 bus_context_get_max_incomplete_connections (context))
1799 if (context->watches_enabled == enabled)
1802 context->watches_enabled = enabled;
1804 for (link = _dbus_list_get_first_link (&context->servers);
1806 link = _dbus_list_get_next_link (&context->servers, link))
1808 /* A BusContext might contains several DBusServer (if there are
1809 * several <listen> configuration items) and a DBusServer might
1810 * contain several DBusWatch in its DBusWatchList (if getaddrinfo
1811 * returns several addresses on a dual IPv4-IPv6 stack or if
1812 * systemd passes several fds).
1813 * We want to enable/disable them all.
1815 DBusServer *server = link->data;
1816 _dbus_server_toggle_all_watches (server, enabled);