Simon McVittie [Fri, 23 Jan 2015 19:32:31 +0000 (19:32 +0000)]
dbus-monitor: add options to log binary data with or without pcap framing
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 2 Feb 2015 20:08:07 +0000 (20:08 +0000)]
dbus-monitor: add support for using BecomeMonitor to be a read-only monitor
Move the dbus_connection_add_filter() call further up as a precaution,
because it isn't safe for a monitor to not have a filter that
swallows all messages.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 26 Jan 2015 19:15:16 +0000 (19:15 +0000)]
Allow root to monitor the system bus by default
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 2 Feb 2015 20:02:56 +0000 (20:02 +0000)]
Add a regression test for being a new-style monitor
This includes most of the situations I could think of:
* method call on dbus-daemon and response
* NameOwnerChanged
* NameAcquired, NameLost (although I'm not 100% sure these should
get captured, since they're redundant with NameOwnerChanged)
* unicast message is allowed through
* unicast message is rejected by no-sending or no-receiving policy
* broadcast is allowed through
* broadcast is rejected by no-sending policy (the error reply
is also captured)
* broadcast is rejected by no-receiving policy (there is no error
reply)
* message causing service activation, and the message telling systemd
to do the actual activation
* systemd reporting that activation failed
It does not cover:
* sending a message to dbus-daemon, then provoking a reply, then
dbus-daemon does not allow itself to send the reply due to its
own security policy
This is such an obscure corner case that I'm not even convinced it's
testable without dropping down into lower-level socket manipulation:
dbus-daemon's replies are always assumed to be requested replies,
and replies contain so little other metadata that I think we can
only forbid them by forbidding all method replies. If we do that,
the reply to Hello() won't arrive and the client-side connection will
not become active.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Tue, 3 Feb 2015 14:45:37 +0000 (14:45 +0000)]
Capture a fake reply if a broadcast cannot be delivered
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 2 Feb 2015 19:45:17 +0000 (19:45 +0000)]
Capture all messages received or sent, and send them to monitors
Unlike eavesdropping, the point of capture is when the message is
received, except for messages originating inside the dbus-daemon.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Fri, 23 Jan 2015 19:11:31 +0000 (19:11 +0000)]
Add support for morphing a D-Bus connection into a "monitor"
This is a special connection that is not allowed to send anything,
and loses all its well-known names.
In future commits, it will get a new set of match rules and the
ability to eavesdrop on messages before the rest of the bus daemon
has had a chance to process them.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Wed, 4 Feb 2015 17:06:54 +0000 (17:06 +0000)]
Merge branch 'dbus-1.8'
Simon McVittie [Wed, 4 Feb 2015 16:44:31 +0000 (16:44 +0000)]
NEWS for 1.8 branch
Simon McVittie [Wed, 4 Feb 2015 13:16:18 +0000 (13:16 +0000)]
_dbus_listen_tcp_socket: comment on another reason to ignore EADDRINUSE
Not being aware of the second reason described here caused bug #87999
in the equivalent code on Windows.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Simon McVittie [Wed, 4 Feb 2015 13:15:20 +0000 (13:15 +0000)]
_dbus_listen_tcp_socket: use NI_NUMERICSERV to determine port number
If we happen to have been given (say) port 30865, we want to
represent that as host=localhost,port=30865 and not
host=localhost,port=csync2.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Ralf Habacker [Wed, 4 Feb 2015 12:50:03 +0000 (13:50 +0100)]
Provide appropriate DBUS_USER and DBUS_TEST_USER under CMake
[separated out from a larger commit -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88964
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Wed, 4 Feb 2015 12:23:34 +0000 (13:23 +0100)]
Link tests to test-utils-glib.c under CMake too
[Separated out from a larger commit -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88964
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Wed, 4 Feb 2015 14:18:39 +0000 (14:18 +0000)]
dbus-monitor: use common code from dbus-test-tool
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall
[also sync up the cmake build system -smcv]
Simon McVittie [Tue, 3 Feb 2015 23:13:51 +0000 (23:13 +0000)]
1.9.9
Simon McVittie [Tue, 3 Feb 2015 17:26:47 +0000 (17:26 +0000)]
1.9.8 development release
Simon McVittie [Tue, 3 Feb 2015 19:35:39 +0000 (19:35 +0000)]
Treat root as a valid candidate for TEST_USER_ME
If spawn_dbus_daemon() can fail for TEST_USER_ME, then we'd have to
go through all the tests adding the ability to skip tests after
it fails, which is a fairly extensive change.
The tests have historically all run as whatever uid is supplied, and
if the tests are being run as root for some reason - perhaps in a CI
framework for an embedded platform that doesn't have non-root users,
or in an environment where you can be root or non-root but not both -
there is no particular reason to skip them.
Simon McVittie [Tue, 3 Feb 2015 16:25:56 +0000 (16:25 +0000)]
NEWS
Simon McVittie [Mon, 26 Jan 2015 20:10:39 +0000 (20:10 +0000)]
Add a regression test for systemd activation
4.5 years after it was implemented, here is the regression test.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=57952
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 18:15:27 +0000 (18:15 +0000)]
bus_context_log_and_set_error: add and use
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 18:15:02 +0000 (18:15 +0000)]
_dbus_set_error_valist: add
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 17:57:30 +0000 (17:57 +0000)]
bus_context_log_literal: add simplified version of bus_context_log
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 17:29:43 +0000 (17:29 +0000)]
bus: put the printf attribute in the header where it will do more good
Now we can actually notice incorrect format strings in other
translation units.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 19:12:01 +0000 (19:12 +0000)]
bus driver: factor out bus_driver_check_caller_is_privileged, and allow root
Unlike the initial mitigation for CVE-2014-8148, we now allow
uid 0 to call UpdateActivationEnvironment. There's no point in root
doing that, but there's also no reason why it's particularly bad -
if an attacker is uid 0 we've already lost - and it simplifies
use of this function for future things that do want to be callable
by root, like BecomeMonitor for #46787.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 19:10:11 +0000 (19:10 +0000)]
Add a test for uid-controlled permissions
This is technical debt from mitigating CVE-2014-8148, which should
really have had a regression test at the time.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 15:47:59 +0000 (15:47 +0000)]
Add infrastructure to run bits of tests under an alternative uid
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 15:47:22 +0000 (15:47 +0000)]
test: implement GLib-style "installed tests"
We run each test twice:
* once with the system's session.conf, as an integration test
(test-cases that need a special configuration are automatically
skipped)
* once with our special test configuration files, which provide better
coverage
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 18:55:08 +0000 (18:55 +0000)]
Generate test configuration files via build-time sed, not configure
This means we can generate a version that works when installed,
from the same source files.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 19:02:59 +0000 (19:02 +0000)]
Factor out some utility functions from test/dbus-daemon*
In the process, make test_kill_pid() safer: do not try to terminate
more than one pid, or the NULL handle.
Also stop leaking the address_fd in spawn_dbus_daemon, a pre-existing
bug that was spotted by Philip Withnall during review.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 16:04:52 +0000 (16:04 +0000)]
Bump required GLib version to 2.36
This is for g_close(), which the next commit will use. It also lets us
rely on g_type_init() being a no-op (since 2.32 the type system is
always initialized by a global constructor).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Lukasz Skalski [Tue, 3 Feb 2015 12:59:00 +0000 (13:59 +0100)]
Update .gitignore files
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88943
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 2 Feb 2015 18:52:08 +0000 (18:52 +0000)]
NEWS
Simon McVittie [Fri, 23 Jan 2015 19:08:32 +0000 (19:08 +0000)]
lcov: use builddir, not srcdir
It seems lcov (or gcc?) has changed its paths since last time this
worked.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 13:49:12 +0000 (13:49 +0000)]
Enable subdir-objects Automake option
It has been supported since at least 1.10, and its absence is
deprecated since 1.14.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall
Simon McVittie [Thu, 22 Jan 2015 15:46:27 +0000 (15:46 +0000)]
bus: exit on fatal errors even if not syslogging
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall
Ralf Habacker [Fri, 30 Jan 2015 19:19:01 +0000 (20:19 +0100)]
Fix 'dbus-daemon on Windows: Failed to bind socket "localhost:xxxx": Address already in use'.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Tue, 27 Jan 2015 22:42:25 +0000 (23:42 +0100)]
In _dbus_listen_tcp_socket() set socket family to ipv4 in unspecified case for now.
This fix is required to support at least ipv4 tcp support calling
_dbus_listen_tcp_socket() without family.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Wed, 28 Jan 2015 21:44:16 +0000 (22:44 +0100)]
Add manual tcp test case.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Tue, 6 Jan 2015 22:12:16 +0000 (22:12 +0000)]
_dbus_string_append_printf_valist: avoid leaking copy of varargs
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88087
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Thu, 6 Nov 2014 14:24:14 +0000 (14:24 +0000)]
Use pygi instead of pygobject 2
pygobject 2 is obsolete and unmaintained, and anyway this is for
optional functionality (full regression test coverage) rather than
anything that will be needed in production builds.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85969
Thiago Macieira [Mon, 29 Dec 2014 18:51:28 +0000 (16:51 -0200)]
Fix build with --enable-maintainer-mode --disable-embedded-tests
Otherwise, we get:
dbus/dbus-object-tree.c:323:1: error: 'find_subtree' defined but not used [-Werror=unused-function]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87837
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Tue, 6 Jan 2015 22:15:16 +0000 (22:15 +0000)]
When generating random messages, exercise empty signature as intended
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88089
Simon McVittie [Tue, 6 Jan 2015 22:14:08 +0000 (22:14 +0000)]
_dbus_marshal_validate_test: test both /foo/ and foo/
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88089
Simon McVittie [Tue, 6 Jan 2015 22:11:48 +0000 (22:11 +0000)]
selinux: avoid leaking on systems where va_start allocates memory
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88087
Simon McVittie [Tue, 6 Jan 2015 22:08:47 +0000 (22:08 +0000)]
Fix assertion in regression test to be equality test, not assignment
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88088
Simon McVittie [Mon, 5 Jan 2015 15:00:45 +0000 (15:00 +0000)]
Merge branch 'dbus-1.8'
Conflicts:
NEWS
configure.ac
Simon McVittie [Mon, 5 Jan 2015 14:58:48 +0000 (14:58 +0000)]
Merge tag 'dbus-1.9.6'
dbus-1.9.6
Conflicts:
NEWS
configure.ac
Simon McVittie [Mon, 5 Jan 2015 14:57:26 +0000 (14:57 +0000)]
1.8.15
Simon McVittie [Mon, 5 Jan 2015 14:56:44 +0000 (14:56 +0000)]
Merge tag 'dbus-1.8.14' into dbus-1.8
dbus-1.8.14
Ralf Habacker [Sun, 4 Jan 2015 07:12:06 +0000 (08:12 +0100)]
Fix usage of undefined variable DBUS_WIN32 on cmake build system
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88010
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Mon, 5 Jan 2015 10:49:13 +0000 (11:49 +0100)]
Merge branch 'dbus-1.8'
Conflicts:
NEWS
configure.ac
Ralf Habacker [Sat, 3 Jan 2015 19:36:31 +0000 (20:36 +0100)]
Windows cmake cross compile fix
We need to include 'test' subdir in any case not only when using glib.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88009
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Mon, 27 Jan 2014 10:58:37 +0000 (11:58 +0100)]
Fix of 'dbus-daemon can only handle 64 simultaneous connections on Windows'.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=71297
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Thu, 1 Jan 2015 23:48:13 +0000 (23:48 +0000)]
Merge branch 'dbus-1.8' and prepare 1.9.6
Conflicts:
NEWS
configure.ac
test/dbus-daemon.c
Simon McVittie [Thu, 1 Jan 2015 23:42:41 +0000 (23:42 +0000)]
Prepare release for Monday
Simon McVittie [Fri, 19 Dec 2014 18:51:04 +0000 (18:51 +0000)]
Hardening: only accept Stats function calls at the canonical object path
These function calls are not a privilege escalation risk like
UpdateActivationEnvironment, but they might provide sensitive
information or be enhanced to provide sensitive information
in future, so the default system.conf locks them down to root-only.
Apply the same canonical-object-path hardening as for
UpdateActivationEnvironment.
We do not apply the uid check here because they are less dangerous
than UpdateActivationEnvironment, and because the ability to unlock
these function calls for specific uids is a documented configuration
for developers.
Reviewed-by: Thiago Macieira <thiago@kde.org>
[added missing #include; extended commit message -smcv]
Simon McVittie [Fri, 19 Dec 2014 19:17:14 +0000 (19:17 +0000)]
Add a regression test for path-based UpdateActivationEnvironment hardening
Reviewed-by: Thiago Macieira <thiago@kde.org>
Simon McVittie [Fri, 19 Dec 2014 19:19:00 +0000 (19:19 +0000)]
Hardening: only allow the uid of the dbus-daemon to call UpdateActivationEnvironment
As with the previous commit, this is probably not actually privilege
escalation due to the use of an activation helper that cleans up its
environment, but let's be extra-careful here.
Reviewed-by: Thiago Macieira <thiago@kde.org>
[adjusted commit message -smcv]
Simon McVittie [Fri, 19 Dec 2014 18:49:33 +0000 (18:49 +0000)]
Hardening: reject UpdateActivationEnvironment on non-canonical path
UpdateActivationEnvironment is the one dbus-daemon API call that is
obviously dangerous (it is intended for the session bus),
so the default system.conf does not allow anyone to call it.
It has recently come to the D-Bus maintainers' attention that some
system services incorrectly install D-Bus policy rules that allow
arbitrary method calls to any destination as long as they have a
"safe" object path. This is not actually safe: some system services
that use low-level D-Bus bindings like libdbus, including dbus-daemon
itself, provide the same API on all object paths.
Unauthorized calls to UpdateActivationEnvironment are probably just
resource consumption rather than privilege escalation, because on
the system bus, the modified environment is only used to execute
a setuid wrapper that avoids LD_PRELOAD etc. via normal setuid
handling, and sanitizes its own environment before executing
the real service. However, it's safest to assume the worst and
treat it as a potential privilege escalation.
Accordingly, as a hardening measure to avoid privilege escalation on
systems with these faulty services, stop allowing calls to
("/com/example/Whatever",
"org.freedesktop.DBus.UpdateActivationEnvironment")
and only allow ("/org/freedesktop/DBus",
"org.freedesktop.DBus.UpdateActivationEnvironment").
We deliberately continue to provide read-only APIs like
GetConnectionUnixUser at all object paths, for backwards compatibility.
Reviewed-by: Thiago Macieira <thiago@kde.org>
[adjusted commit message to note that this is probably only DoS -smcv]
Илья А. Ткаченко [Tue, 23 Dec 2014 08:45:24 +0000 (11:45 +0300)]
Fix GetExtendedTcpTable crash on vista sp0.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=77008
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Mon, 24 Nov 2014 22:52:22 +0000 (22:52 +0000)]
1.8.13
Simon McVittie [Mon, 24 Nov 2014 22:51:44 +0000 (22:51 +0000)]
1.9.5
Simon McVittie [Mon, 10 Nov 2014 17:08:56 +0000 (17:08 +0000)]
Start spec 0.26
Simon McVittie [Mon, 24 Nov 2014 13:08:06 +0000 (13:08 +0000)]
1.9.4
Simon McVittie [Mon, 24 Nov 2014 13:05:37 +0000 (13:05 +0000)]
Revert "Start spec 0.26"
This reverts commit
cdd9e9a65c40ac4c21dcd36e9bd0fd6c746ad753.
Simon McVittie [Tue, 18 Nov 2014 18:58:57 +0000 (18:58 +0000)]
Upgrade auth_timeout violation to a warning, since this branch has those
Simon McVittie [Mon, 24 Nov 2014 13:05:09 +0000 (13:05 +0000)]
Merge branch 'dbus-1.8'
Conflicts:
NEWS
configure.ac
Simon McVittie [Mon, 24 Nov 2014 13:01:40 +0000 (13:01 +0000)]
1.8.12
Simon McVittie [Tue, 18 Nov 2014 17:34:11 +0000 (17:34 +0000)]
Revert "config: change default auth_timeout to 5 seconds"
This reverts commit
54d26df52b6a394bea175651d1d7ad2ab3f87dea.
It appears this change may cause intermittent slow or failed boot,
more commonly on slower/older machines, in at least Mageia and
possibly also Debian. This would indicate that while the system
is under load, system services are not completing authentication
within 5 seconds.
This change was not the main part of fixing CVE-2014-3639, but does
help to mitigate that attack. As such, increasing this timeout makes
the denial of service attack described by CVE-2014-3639 somewhat
more effective: a local user connecting to the system bus repeatedly
from many parallel processes can cause other users' attempts to
connect to take longer.
If your machine boots reliably with the shorter timeout, and
resilience against local denial of service attacks is important
to you, putting this in /etc/dbus-1/system-local.conf
or a file matching /etc/dbus-1/system.d/*.conf can restore
the lower limit:
<busconfig>
<limit name="auth_timeout">5000</limit>
</busconfig>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
Simon McVittie [Tue, 18 Nov 2014 12:01:44 +0000 (12:01 +0000)]
Log to syslog when auth_timeout drops an incomplete connection
This is a symptom of either a denial of service attack, or a
serious performance problem. Either way, sysadmins should know.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86431
Simon McVittie [Tue, 4 Nov 2014 14:51:22 +0000 (14:51 +0000)]
Use DBUS_SYSTEM_LOG_WARNING for failure to alter fd-limits
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
Alban Crequy [Mon, 3 Nov 2014 16:04:45 +0000 (16:04 +0000)]
DBusSystemLogSeverity: add DBUS_SYSTEM_LOG_WARNING
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
Simon McVittie [Fri, 14 Nov 2014 19:14:22 +0000 (19:14 +0000)]
Merge branch 'dbus-1.8'
Simon McVittie [Fri, 14 Nov 2014 19:14:13 +0000 (19:14 +0000)]
README, HACKING: add some brief notes on reporting security vulnerabilities
We now have a private mailing list that can be the security contact.
Simon McVittie [Fri, 14 Nov 2014 18:58:52 +0000 (18:58 +0000)]
Merge branch 'dbus-1.8'
Simon McVittie [Fri, 14 Nov 2014 18:58:44 +0000 (18:58 +0000)]
NEWS
Jacek Bukarewicz [Fri, 14 Nov 2014 18:39:38 +0000 (18:39 +0000)]
Set error when message delivery is denied due to receive rule
This makes bus_context_check_security_policy follow convention of
setting errors if function indicates failure and has error parameter.
Notable implication is that AccessDenied error will be sent if sending message
to addressed recipient is denied due to receive rule. Previously, message
was silently dropped.
This also fixes assertion failure when message is denied at addressed recipient
while sending pending auto activation messages.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86194
Simon McVittie [Mon, 10 Nov 2014 17:10:09 +0000 (17:10 +0000)]
Merge branch 'dbus-1.8'
Conflicts:
NEWS
Simon McVittie [Mon, 10 Nov 2014 17:09:52 +0000 (17:09 +0000)]
next version number will be 1.8.12
Simon McVittie [Mon, 10 Nov 2014 17:08:56 +0000 (17:08 +0000)]
Start spec 0.26
Simon McVittie [Mon, 10 Nov 2014 17:07:31 +0000 (17:07 +0000)]
1.9.3
Simon McVittie [Mon, 10 Nov 2014 17:06:44 +0000 (17:06 +0000)]
1.8.11
Simon McVittie [Thu, 6 Nov 2014 21:02:27 +0000 (21:02 +0000)]
1.9.2, spec 0.25
Simon McVittie [Thu, 6 Nov 2014 20:59:57 +0000 (20:59 +0000)]
Merge branch 'dbus-1.8'
Conflicts:
NEWS
configure.ac
Simon McVittie [Thu, 6 Nov 2014 15:39:51 +0000 (15:39 +0000)]
Embargoed security release for Monday
Simon McVittie [Tue, 4 Nov 2014 14:41:54 +0000 (14:41 +0000)]
CVE-2014-7824: set fd rlimit to 64k for the system dbus-daemon
This ensures that our rlimit is actually high enough to avoid the
denial of service described in CVE-2014-3636 part A.
CVE-2014-7824 has been allocated for this incomplete fix.
Restore the original rlimit for activated services, to avoid
them getting undesired higher limits.
(Thanks to Alban Crequy for various adjustments which have been
included in this commit.)
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Simon McVittie [Thu, 6 Nov 2014 14:32:50 +0000 (14:32 +0000)]
NEWS
Simon McVittie [Mon, 15 Sep 2014 17:37:59 +0000 (18:37 +0100)]
Add NetBSD to the list of platforms where credentials-passing a pid should work
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69702
Reviewed-by: Patrick Welche <prlw1@cam.ac.uk>
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Tested-by: Patrick Welche <prlw1@cam.ac.uk>
Simon McVittie [Mon, 15 Sep 2014 17:38:49 +0000 (18:38 +0100)]
test_processid: only assert that it works if we expect it to work
Otherwise, this would fail on, for instance, QNX.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69702
Reviewed-by: Patrick Welche <prlw1@cam.ac.uk>
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Tested-by: Patrick Welche <prlw1@cam.ac.uk>
Patrick Welche [Thu, 30 Oct 2014 12:39:26 +0000 (12:39 +0000)]
whitespace/comment fixes
[originally part of the previous commit -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69702
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Patrick Welche [Tue, 29 Jul 2014 13:08:20 +0000 (14:08 +0100)]
Implement NetBSD credentials-passing with LOCAL_PEEREID
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69702
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Tested-by: Patrick Welche <prlw1@cam.ac.uk>
Simon McVittie [Mon, 15 Sep 2014 17:04:36 +0000 (18:04 +0100)]
dbus-daemon test: don't assert we pass uid/pid on unknown Unix platforms
We know that Linux, FreeBSD and OpenBSD are "first class citizens"
for credentials-passing, with NetBSD not far behind: people have
turned up on the bug tracking system and told us that tests passed.
On other Unixes, we can't really assert that it works, until someone
who runs them tells us that it worked for them.
Additions to these lists are welcome.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69702
Reviewed-by: Patrick Welche <prlw1@cam.ac.uk>
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Tested-by: Patrick Welche <prlw1@cam.ac.uk>
Simon McVittie [Wed, 29 Oct 2014 14:21:19 +0000 (14:21 +0000)]
NEWS
Simon McVittie [Thu, 11 Sep 2014 09:59:32 +0000 (10:59 +0100)]
dbus-spawn: do not forget the exec() errno when the grandchild exits
As is already noted in a comment in
_dbus_babysitter_set_child_exit_error(), if the grandchild fails
to exec() the desired process, we get both CHILD_EXEC_FAILED (with
an errno) and CHILD_EXITED (with a status), and we want to report
the former, since it is more informative. However, clearing
sitter->errnum meant we lose the errno value.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=24821
Reviewed-by: Ross Lagerwall
Simon McVittie [Wed, 10 Sep 2014 12:53:39 +0000 (13:53 +0100)]
dbus-tutorial: replace the entire GLib section with "use GDBus"
Also provide links to relevant GLib and Qt documentation.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=25140
Simon McVittie [Wed, 8 May 2013 15:58:08 +0000 (16:58 +0100)]
Stop asserting that we're not using the dummy lock implementation
That implementation no longer exists, so neither 0xABCDEF nor 0xABCDEF2
has any special meaning any more.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=54972
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Simon McVittie [Wed, 29 Oct 2014 14:10:48 +0000 (14:10 +0000)]
Use a better NoReply message for disconnection with reply pending
As an implementation detail, dbus-daemon handles this situation by
artificially triggering a timeout (even if its configured timeout for
method calls is in fact infinite). However, using the same debug message
for both is misleading, and can lead people who are debugging a service
crash to blame dbus-daemon instead, wasting their time.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=76112
Simon McVittie [Thu, 11 Sep 2014 12:08:21 +0000 (13:08 +0100)]
dbus-sysdeps-unix: document the assumption that makes our use of credentials secure
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83499
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Simon McVittie [Mon, 8 Sep 2014 19:18:22 +0000 (20:18 +0100)]
Consistently save and restore errno
Some functions in dbus-transport-socket.c make a (wrapped)
socket syscall, then call other APIs, then test the result and
errno of the socket syscall.
This would break horribly if those "other APIs" overwrote errno with
their own value (... and this is part of why errno is an awful API).
Notably, if running under DBUS_VERBOSE, _dbus_verbose() is basically
fprintf(), which sets errno; and our Unix fd-passing support
makes calls of the form _dbus_verbose ("Read/wrote %i unix fds\n", n)
between the syscall and the result processing.
Maybe one day we'll convert all of dbus' syscall wrappers to either
raise a DBusError, or use the "negative errno" convention that systemd
borrowed from the Linux kernel, and in particular, we would need to
do that if we ever ported it to a platform where socket error reporting
was not basically errno. However, in practice everyone uses something
derived from BSD sockets, so "this sets errno, you know what errno is"
is a good enough internal API if we make sure to use it correctly.
Nothing calls _dbus_get_is_errno_nonzero(), so I just removed it instead
of converting it to the new calling convention.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83625
Simon McVittie [Wed, 29 Oct 2014 13:59:24 +0000 (13:59 +0000)]
NEWS
projects / platform / upstream / dbus.git / log