platform/upstream/dbus.git
6 years ago Add version info to dbus-1 target for non msvc builds on Windows too
Ralf Habacker [Tue, 17 Oct 2017 18:56:12 +0000 (20:56 +0200)]
Add version info to dbus-1 target for non msvc builds on Windows too

Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Reviewed-by: Simon McVittie <smcv@collabora.com>
6 years ago Use cmake build in timestamp function to generate the build time stamp
Ralf Habacker [Tue, 17 Oct 2017 18:57:50 +0000 (20:57 +0200)]
Use cmake build in timestamp function to generate the build time stamp

The recent implementation generates a timestamp containing eol on
linux hosts, which generates unparseable versioninfo.rc.

This commit raises the minimal required cmake version to 3.0.2.

Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Reviewed-by: Simon McVittie <smcv@collabora.com>
6 years ago Windows: Check for $RC, not $WINDRES
Simon McVittie [Thu, 28 Sep 2017 16:07:20 +0000 (17:07 +0100)]
Windows: Check for $RC, not $WINDRES

That's what is checked for by LT_LANG([Windows Resource]) further
up, and is what we now use during the build. Its value is typically
i686-w64-mingw32-windres.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
6 years ago Windows: Use libtool-detected RC to compile resources in tools/
Simon McVittie [Thu, 28 Sep 2017 16:00:29 +0000 (17:00 +0100)]
Windows: Use libtool-detected RC to compile resources in tools/

We have two variables that both expand to i686-w64-mingw32-windres,
namely WINDRES and RC, and we might as well use the same one as
in dbus/ here. However, it seems we can't wrap windres in libtool
when producing an executable: if we use .rc.lo, my Automake 1.15.1
doesn't realise that it needs to include disable-uac.lo in the
list of objects, whereas if we use .rc.o, Ralf's libtool 2.4.2 and
Automake 1.13.4 disagree on where the output should go
(.libs/disable-uac.o vs. disable-uac.o) and the link fails.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015

6 years ago Windows: Stop manipulating line numbering in versioninfo.rc
Simon McVittie [Fri, 6 Oct 2017 12:00:39 +0000 (13:00 +0100)]
Windows: Stop manipulating line numbering in versioninfo.rc

If __LINE__ doesn't work in MSVC's resource compiler, then removing
the #line directive altogether seems a simpler fix than redefining
__LINE__ to the wrong value.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
6 years ago cmake: Stop creating an empty afxres.h
Simon McVittie [Fri, 6 Oct 2017 11:54:30 +0000 (12:54 +0100)]
cmake: Stop creating an empty afxres.h

The resource file used to #include this, but it was unnecessary,
and Ralf removed it in commit e3a14eb.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
6 years ago Windows: Simplify compiling versioninfo.rc by using libtool facilities
Simon McVittie [Thu, 28 Sep 2017 15:58:34 +0000 (16:58 +0100)]
Windows: Simplify compiling versioninfo.rc by using libtool facilities

libtool has built-in support for Windows resources, and we even
enable it in configure.ac. What it doesn't have is a built-in rule
for generating Libtool objects using that built-in support, but
we can add one.

We have to generate Libtool pseudo-objects (.lo) rather than native
object files (.o) so that we get both a PIC object for the shared
library and a non-PIC object for the static library.

This mimics the libtool invocations used for compiling C and C++.
Note that $(RC) is typically i686-w64-mingw32-windres, the same as
our project-specific variable $(WINDRES) which was previously used here.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
6 years ago doc: Fix dbus-send.1 uint16 typo
David King [Tue, 3 Oct 2017 12:34:03 +0000 (13:34 +0100)]
doc: Fix dbus-send.1 uint16 typo

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103075
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1467415
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
6 years ago Post-release version bump (and add release name)
Simon McVittie [Tue, 3 Oct 2017 09:46:19 +0000 (10:46 +0100)]
Post-release version bump (and add release name)

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago Prepare 1.11.20
Simon McVittie [Tue, 3 Oct 2017 06:46:29 +0000 (07:46 +0100)]
Prepare 1.11.20

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago Clarify NEWS
Simon McVittie [Tue, 3 Oct 2017 06:45:39 +0000 (07:45 +0100)]
Clarify NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago Update NEWS
Simon McVittie [Fri, 29 Sep 2017 13:12:41 +0000 (14:12 +0100)]
Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago unix: Condition Linux-specific abstract sockets on __linux__
Simon McVittie [Fri, 29 Sep 2017 11:27:11 +0000 (12:27 +0100)]
unix: Condition Linux-specific abstract sockets on __linux__

This is nicer for cross-compiling, because AC_RUN_IFELSE can't work
there. In practice abstract sockets are supported on Linux since
2.2 (so, all relevant versions), and on no other platform; so it
seems futile to keep this complexity.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=34905
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago build: Remove unused substitution DBUS_PATH_OR_ABSTRACT
Simon McVittie [Fri, 29 Sep 2017 11:18:25 +0000 (12:18 +0100)]
build: Remove unused substitution DBUS_PATH_OR_ABSTRACT

This was presumably once used in constructs like
"unix:" DBUS_PATH_OR_ABSTRACT "=/var/run/dbus/foo", but git grep says
there are no remaining uses, so it can go.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=34905
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago build: Remove unused variables
Simon McVittie [Thu, 28 Sep 2017 12:27:08 +0000 (13:27 +0100)]
build: Remove unused variables

libdbus isn't localized, so we have no use for libintl. We always
link libdbus-1 with -no-undefined, so we have no use for
putting that flag in no_undefined on Windows only. export_symbols
seems to be left over from before fd.o#83115 was fixed.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago dbus: Actually link versioninfo.o into libdbus
Simon McVittie [Thu, 28 Sep 2017 12:19:43 +0000 (13:19 +0100)]
dbus: Actually link versioninfo.o into libdbus

It appears this has been wrong ever since the versioninfo machinery
was first added in 2009, and nobody noticed until now.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago dbus: Clarify why we are not just adding the resource file to SOURCES
Simon McVittie [Thu, 28 Sep 2017 12:18:11 +0000 (13:18 +0100)]
dbus: Clarify why we are not just adding the resource file to SOURCES

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago dbus: Make SUFFIXES more specific
Simon McVittie [Thu, 28 Sep 2017 12:17:36 +0000 (13:17 +0100)]
dbus: Make SUFFIXES more specific

We want this to apply to files ending with ".rc", but not to files
ending with just "rc", like .arc or something.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103015
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago ci-build: Use a mirror of mingw binaries, not msys2 binaries
Simon McVittie [Wed, 27 Sep 2017 17:39:23 +0000 (18:39 +0100)]
ci-build: Use a mirror of mingw binaries, not msys2 binaries

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago Add Windows manifest to dbus-update-activation-environment.exe
Ralf Habacker [Tue, 26 Sep 2017 10:06:10 +0000 (12:06 +0200)]
Add Windows manifest to dbus-update-activation-environment.exe

This explicitly sets the execution level to 'asInvoker', preventing
Windows' UAC heuristics from deciding that because its name mentions
"update", it probably needs to escalate privileges.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102558
Reviewed-by: Simon McVittie <smcv@collabora.com>
6 years ago ci-build: Use a mirror that hopefully works better than Sourceforge
Simon McVittie [Wed, 27 Sep 2017 14:38:20 +0000 (15:38 +0100)]
ci-build: Use a mirror that hopefully works better than Sourceforge

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago sysdeps: Stop pretending _dbus_set_signal_handler is portable to Windows
Simon McVittie [Wed, 27 Sep 2017 12:59:43 +0000 (13:59 +0100)]
sysdeps: Stop pretending _dbus_set_signal_handler is portable to Windows

None of the things we rely on in POSIX async signal handlers, such
as the existence of async-signal-safe write(), are portable to Windows,
so the async signal handlers that use this function are #ifdef
DBUS_UNIX anyway. Remove the unused stub function from the
Windows side, and move the declaration to the Unix-specific header.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103010
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago Make sure non-aborting signal handlers save and restore errno
Simon McVittie [Wed, 27 Sep 2017 12:56:34 +0000 (13:56 +0100)]
Make sure non-aborting signal handlers save and restore errno

If an async signal interrupts some function, we can have this
anti-pattern:

    /* in normal code */
    result = some_syscall (); /* fails, e.g. errno = EINVAL */

        /* interrupted by async signal handler */
        write (...); /* fails, e.g. errno = ENOBUFS */

    /* back to normal code */
    if (errno == EINVAL) /* problem! it should be but it isn't */

The solution is for signal handlers to save and restore errno.

This is unnecessary for signal handlers that can't touch errno (like
the one in dbus-launch that just sets a flag), and for signal handlers
that never return (like the one in test-utils-glib for timeouts).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103010
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago tests: In slower tests, make the timeout per-test-case
Simon McVittie [Wed, 27 Sep 2017 12:14:39 +0000 (13:14 +0100)]
tests: In slower tests, make the timeout per-test-case

Some test-cases in the dbus-daemon and relay tests spam the bus with
thousands of messages, which can take 25 seconds on slower CPUs like
MIPS. Similarly, the refs test spams millions of refcount operations,
which it appears might take more than a minute on PA-RISC (HPPA).

To get an idea of how close we are to having a problem on other
architectures, log a message and start a timer when we reset the
timeout in setup(), and log the elapsed time when we reach teardown().

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103009
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago test-utils-glib: Try to emit TAP diagnostics before aborting
Simon McVittie [Wed, 27 Sep 2017 12:14:36 +0000 (13:14 +0100)]
test-utils-glib: Try to emit TAP diagnostics before aborting

We can't use normal I/O in a signal handler, so resort to write().

"Bail out!" is a special syntactic token in TAP. If I artificially force
the tests to time out by reducing timeouts and increasing the number of
operations, I get results like this:

ERROR: test-sd-activation - Bail out! Test timed out (GLib main loop timeout callback reached)
ERROR: test-refs - Bail out! Test timed out (SIGALRM received)

which is a lot easier to understand than "Not enough tests run" or
"nonzero exit status". The differing output is because test-sd-activation
iterates the main loop, whereas test-refs just blocks (it is joining a
series of worker threads, each of which is spamming refcount operations).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103009
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Use STDOUT_FILENO as per Philip's review]
Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago Post-release version bump
Simon McVittie [Mon, 25 Sep 2017 23:34:39 +0000 (00:34 +0100)]
Post-release version bump

6 years ago Prepare 1.11.18 release
Simon McVittie [Mon, 25 Sep 2017 19:58:54 +0000 (20:58 +0100)]
Prepare 1.11.18 release

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago Remove distribution-specific init-scripts
Simon McVittie [Mon, 25 Sep 2017 13:50:16 +0000 (14:50 +0100)]
Remove distribution-specific init-scripts

LSB-style (SysV-style) init scripts have not historically been
portable between distributions, as evidenced by the presence of both
"Red Hat" and "Slackware" init scripts in dbus. Many distributors
prefer to maintain them downstream, as is done in Debian (and its
derivatives) and in Slackware, so that the init script can follow
OS conventions (for example regarding boot messages) and make use
of OS-provided facilities (for example, the Debian init script uses
dpkg's start-stop-daemon utility).

The Slackware and Red Hat init scripts removed by this commit are not
tested or maintained in practice, and so are likely to have bugs. The
Slackware init-script provided here is not used on actual Slackware
systems, which provide a different implementation of rc.messagebus in
their packaging, while the Red Hat init script has been superseded by
the systemd unit in current Fedora, CentOS and RHEL versions.

The Cygwin messagebus-config provided here does appear to be used in
production in cygwin-ports, but it's full of Cygwin-specifics with which
the dbus maintainers are not familiar, so it is probably more appropriate
for it to be tracked downstream as part of the Cygwin packaging.

The systemd unit is not removed, since it is used on multiple Linux
distributions with little or no modification, and receives regular
testing and maintenance; this makes it appropriate to maintain upstream.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/101706
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago Deprecate the pam_console/pam_foreground flag-file directory
Simon McVittie [Mon, 25 Sep 2017 13:09:35 +0000 (14:09 +0100)]
Deprecate the pam_console/pam_foreground flag-file directory

This feature is now compile-time conditional, and off by default.

pam_console appears to have been in Fedora and Gentoo until 2007.
pam_foreground seems to be specific to Debian and Ubuntu, where it was
unmaintained since 2008 and removed in 2010. The replacement for both
was ConsoleKit, which has itself been superseded by systemd-logind and
ConsoleKit2.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/101629
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago Merge branch 'dbus-1.10'
Simon McVittie [Mon, 25 Sep 2017 16:02:50 +0000 (17:02 +0100)]
Merge branch 'dbus-1.10'

6 years ago dbus-send: Reassure the compiler that secondary_type is initialized
Simon McVittie [Mon, 25 Sep 2017 15:19:39 +0000 (16:19 +0100)]
dbus-send: Reassure the compiler that secondary_type is initialized

It's initialized to a non-trivial value whenever container_type
is DBUS_TYPE_DICT_ENTRY, and subsequently only used if
container_type is DBUS_TYPE_DICT_ENTRY, but Debian's gcc 7.2.0-7
doesn't seem to be able to infer that any more, causing build failure
under -Werror=maybe-uninitialized.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102979
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago NEWS for fd.o #92074; also note an earlier backport
Simon McVittie [Mon, 25 Sep 2017 13:57:41 +0000 (14:57 +0100)]
NEWS for fd.o #92074; also note an earlier backport

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago monitor: use the addressed_recipient to select matches
Simon McVittie [Mon, 25 Sep 2017 13:57:38 +0000 (14:57 +0100)]
monitor: use the addressed_recipient to select matches

This means we respect the destination keyword in arguments to
BecomeMonitor.

In bus_dispatch(), this means that we need to defer capturing until
we have decided whether there is an addressed recipient; so instead
of capturing once, we capture at each leaf of the decision tree.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92074
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Reviewed-by: Lars Uebernickel <lars@uebernic.de>
(cherry picked from commit f3be583b40dadfd78ddefbc9fb3fa182bafde949)
Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago test/data: Test impossible send_broadcast/send_destination pair
Simon McVittie [Mon, 25 Sep 2017 12:37:57 +0000 (13:37 +0100)]
test/data: Test impossible send_broadcast/send_destination pair

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/92853
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago config-parser: Fail on impossible send_broadcast/send_destination pair
Simon McVittie [Mon, 25 Sep 2017 12:37:56 +0000 (13:37 +0100)]
config-parser: Fail on impossible send_broadcast/send_destination pair

If we add a rule like

    <allow send_destination="com.example" send_broadcast="true"/>

then it cannot possibly match anything, because to be a broadcast, the
message would have to have no destination. The only value of
send_destination that can be combined with send_broadcast="true" is
the wildcard "*", but by this point in the function we already
replaced "*" with NULL.

Adapted from an earlier implementation of send_broadcast by
Alban Crequy.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/92853
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago NEWS for fd.o #102686
Simon McVittie [Mon, 25 Sep 2017 12:31:40 +0000 (13:31 +0100)]
NEWS for fd.o #102686

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago unix: Reduce log level for DBUS_SYSTEM_LOG_INFO to LOG_INFO
Simon McVittie [Fri, 22 Sep 2017 20:09:51 +0000 (21:09 +0100)]
unix: Reduce log level for DBUS_SYSTEM_LOG_INFO to LOG_INFO

This is a better match for the way we use it in practice.

Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102686
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago Merge branch 'dbus-1.10'
Simon McVittie [Tue, 15 Aug 2017 16:23:15 +0000 (12:23 -0400)]
Merge branch 'dbus-1.10'

6 years ago NEWS for #102145
Simon McVittie [Tue, 15 Aug 2017 16:22:27 +0000 (12:22 -0400)]
NEWS for #102145

6 years ago Fix -Werror=declaration-after-statement build failure on Solaris
Alan Coopersmith [Fri, 11 Aug 2017 01:50:36 +0000 (18:50 -0700)]
Fix -Werror=declaration-after-statement build failure on Solaris

dbus-sysdeps-unix.c: In function ‘_dbus_read_credentials_socket’:
dbus-sysdeps-unix.c:2061:9: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
         adt_session_data_t *adth = NULL;
         ^

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102145
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
6 years ago Update NEWS for fd.o #95264
Simon McVittie [Tue, 15 Aug 2017 15:55:38 +0000 (11:55 -0400)]
Update NEWS for fd.o #95264

Signed-off-by: Simon McVittie <smcv@debian.org>
6 years ago sysdeps: increase listen() backlog of AF_UNIX sockets to SOMAXCONN
Lennart Poettering [Wed, 4 May 2016 16:06:17 +0000 (18:06 +0200)]
sysdeps: increase listen() backlog of AF_UNIX sockets to SOMAXCONN

Previously, the listen() backlog was set to an arbitrary 30. This means
that if dbus-daemon is overloaded only 30 more connections may be queued
by the kernel, before connect() fails with EAGAIN. (Note that EAGAIN !=
EINPROGRESS -- the latter is what is returned if a connection is queued
and being processed for asynchronous sockets; EAGAIN in this case is
really an error, that cannot be recovered from).

Most software simply sets SOMAXCONN as backlog for AF_UNIX sockets, to
allow queuing of as many connections as the kernel allows. SOMAXCONN is
128 on Linux, which is not particularly high, but at least higher than
30.

This patch changes dbus-daemon to do the same.

I noticed this when flooding dbus-daemon with a lot of connections,
where it pretty quickly ceased to respond, much earlier than it really
should.

Note that the backlog has nothing to do with the number of concurrent
connections allowed, it simply controls how many queued, but not
accept()ed connections there may be on the listening socket.

(cherry picked from commit 12bd6e893c91430fdbdf8a27087d4a792b04eef9)
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95264
Bug-Debian: https://bugs.debian.org/872144
Reviewed-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
6 years ago tests: Use dbus_clear_connection etc. in a couple of tests
Simon McVittie [Fri, 21 Jul 2017 18:15:05 +0000 (19:15 +0100)]
tests: Use dbus_clear_connection etc. in a couple of tests

This is just enough to demonstrate that they work - I'm deliberately
not doing a mass change throughout all tests, and we should definitely
not rush to introduce these into production code, because it would
hinder cherry-picking and merging fixes between branches. However,
new code on master can use them freely.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101895

6 years ago Implement dbus_clear_connection(), etc.
Simon McVittie [Fri, 21 Jul 2017 18:12:30 +0000 (19:12 +0100)]
Implement dbus_clear_connection(), etc.

These are inspired by GLib's g_clear_pointer() and g_clear_object(),
which in turn is descended from CPython's Py_CLEAR_OBJECT. They should
make our code a lot less repetitive.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101895

6 years ago build: Clean up DBUS_COOKIE_SHA1 keyrings
Simon McVittie [Fri, 28 Jul 2017 18:37:12 +0000 (19:37 +0100)]
build: Clean up DBUS_COOKIE_SHA1 keyrings

We use this directory as the temporary home directory.

Fixes: 3f377c511301cfb36bfa93fddf1f59ace8580749
Signed-off-by: Simon McVittie <smcv@debian.org>
6 years ago NEWS for #101960
Simon McVittie [Fri, 28 Jul 2017 17:50:08 +0000 (18:50 +0100)]
NEWS for #101960

6 years ago userdb: Respect $HOME for the home directory of our own uid
Simon McVittie [Fri, 28 Jul 2017 07:38:20 +0000 (08:38 +0100)]
userdb: Respect $HOME for the home directory of our own uid

This lets cooperating processes with the same value of $HOME
interoperate for DBUS_COOKIE_SHA1 by reading and writing $HOME, even
if their $HOME differs from the uid's "official" home directory
according to getpwuid(). Out of paranoia, we only do this if the uid
and the euid are equal, since if they were unequal the correct thing
to do would be ambiguous.

In particular, Debian autobuilders run as a user whose "official"
home directory in /etc/passwd is "/nonexistent", as a mechanism to
detect non-deterministic build processes that rely on the contents of
the home directory. Until now, this meant we couldn't run dbus'
build-time tests, because every test that used DBUS_COOKIE_SHA1 would
fail in this environment.

In the tests, set HOME as well as DBUS_TEST_HOMEDIR. We keep
DBUS_TEST_HOMEDIR too, because Windows doesn't use HOME, only HOMEDRIVE
and HOMEPATH.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101960
Bug-Debian: https://bugs.debian.org/630152
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago NEWS for #101848
Simon McVittie [Fri, 28 Jul 2017 10:46:02 +0000 (11:46 +0100)]
NEWS for #101848

6 years ago test: Exercise min_fds, max_fds
Simon McVittie [Wed, 19 Jul 2017 18:43:09 +0000 (19:43 +0100)]
test: Exercise min_fds, max_fds

Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago policy: Add max_fds, min_fds qualifiers for send, receive rules
Simon McVittie [Wed, 19 Jul 2017 16:56:38 +0000 (17:56 +0100)]
policy: Add max_fds, min_fds qualifiers for send, receive rules

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101848
Reviewed-by: Thiago Macieira <thiago@kde.org>
[smcv: Revert an incorrect comment change]
Signed-off-by: Simon McVittie <smcv@collabora.com>
6 years ago NEWS for #92853
Simon McVittie [Fri, 28 Jul 2017 10:27:24 +0000 (11:27 +0100)]
NEWS for #92853

6 years ago Add a regression test for applying bus policy to broadcasts/unicasts
Simon McVittie [Wed, 21 Oct 2015 18:54:38 +0000 (19:54 +0100)]
Add a regression test for applying bus policy to broadcasts/unicasts

This test-case is actually in the test for monitoring the bus,
because it's easier to see what's going on there - the error reply
to a rejected broadcast is not visible unless you are monitoring.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853

6 years ago Add send_broadcast as an attribute of <allow> and <deny> elements
Simon McVittie [Wed, 19 Jul 2017 14:53:17 +0000 (15:53 +0100)]
Add send_broadcast as an attribute of <allow> and <deny> elements

<allow send_broadcast="true" ...> only matches broadcasts,
which are signals with a NULL destination. There was previously
no way for the policy language to express "NULL destination",
only "any destination".

<allow send_broadcast="false" ...> only matches non-broadcasts,
which are non-signals or signals with a non-NULL destination.
There was previously no way for the policy language to express
"any non-NULL destination", only "any destination".

Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: improved documentation as per Philip's review]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853

6 years ago dbus-daemon(1): Document how send_* and receive_* work in general
Simon McVittie [Wed, 19 Jul 2017 14:26:48 +0000 (15:26 +0100)]
dbus-daemon(1): Document how send_* and receive_* work in general

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853

6 years ago dbus-daemon(1): Be more truthful about the default policy
Simon McVittie [Wed, 19 Jul 2017 14:52:12 +0000 (15:52 +0100)]
dbus-daemon(1): Be more truthful about the default policy

We don't allow sending unrequested replies, but the documentation
implied that we did.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853

6 years ago dbus-daemon(1): Clarify how user, group rules work
Simon McVittie [Wed, 19 Jul 2017 14:46:13 +0000 (15:46 +0100)]
dbus-daemon(1): Clarify how user, group rules work

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853

6 years ago dbus-daemon(1): Actually document "own" rules
Simon McVittie [Wed, 19 Jul 2017 14:46:00 +0000 (15:46 +0100)]
dbus-daemon(1): Actually document "own" rules

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853

6 years ago dbus-daemon(1): Document the wildcard attribute value "*" more clearly
Simon McVittie [Wed, 19 Jul 2017 14:43:35 +0000 (15:43 +0100)]
dbus-daemon(1): Document the wildcard attribute value "*" more clearly

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853

6 years ago Add a test-case for combining receive_type and send_destination
Simon McVittie [Wed, 19 Jul 2017 13:41:35 +0000 (14:41 +0100)]
Add a test-case for combining receive_type and send_destination

Until the previous commit, this would have worked. Now it correctly fails
with "send and receive attributes cannot be combined".

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853

6 years ago config-parser: Clarify how <allow>, <deny> attributes work
Simon McVittie [Wed, 31 May 2017 13:51:31 +0000 (14:51 +0100)]
config-parser: Clarify how <allow>, <deny> attributes work

The giant conditionals used to check policy attributes are increasingly
unwieldy, so let's try something else. Bundle together the send_
attributes, the receive_ attributes, the eavesdrop attribute
(which can go on either send or receive rules) and the other attributes
into equivalence classes, and write the conditionals in terms of those
equivalence classes.

In particular, this correctly forbids
    <allow receive_type="..." send_destination="..."/>
which was previously allowed but nonsensical (the send part took
precedence and the receive part was ignored).

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853
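
The rule checks described in the policy commits above (the impossible send_broadcast/send_destination pair, the send_broadcast matching semantics, and the ban on mixing send_ and receive_ attributes) can be sketched as follows; this is an added example, not dbus's config-parser code. The type and function names are hypothetical, destination matching is simplified to string equality, and rejecting send_broadcast values other than "true" and "false" is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const char *value; } Attr;   /* hypothetical */

typedef enum {
    RULE_OK,
    RULE_ERR_SEND_AND_RECEIVE,      /* send_* mixed with receive_* */
    RULE_ERR_IMPOSSIBLE_BROADCAST,  /* broadcast rule with a concrete destination */
    RULE_ERR_BAD_BOOLEAN            /* assumption: only "true"/"false" accepted */
} RuleStatus;

typedef enum { BROADCAST_ANY, BROADCAST_FALSE, BROADCAST_TRUE } Broadcast;

typedef struct {
    const char *destination;  /* NULL means any destination (wildcard "*") */
    Broadcast broadcast;
} SendRule;

static bool has_prefix(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Classify attributes into the send_ and receive_ equivalence classes
 * (eavesdrop and everything else belong to neither), then reject
 * combinations that can never match a message. */
static RuleStatus parse_send_rule(const Attr *attrs, size_t n, SendRule *out)
{
    bool any_send = false, any_receive = false;
    size_t i;

    out->destination = NULL;
    out->broadcast = BROADCAST_ANY;

    for (i = 0; i < n; i++) {
        const char *name = attrs[i].name, *value = attrs[i].value;

        if (has_prefix(name, "send_"))
            any_send = true;
        else if (has_prefix(name, "receive_"))
            any_receive = true;

        if (strcmp(name, "send_destination") == 0) {
            /* The wildcard "*" is replaced with NULL, as in the commit message. */
            out->destination = strcmp(value, "*") == 0 ? NULL : value;
        } else if (strcmp(name, "send_broadcast") == 0) {
            if (strcmp(value, "true") == 0)
                out->broadcast = BROADCAST_TRUE;
            else if (strcmp(value, "false") == 0)
                out->broadcast = BROADCAST_FALSE;
            else
                return RULE_ERR_BAD_BOOLEAN;
        }
    }

    if (any_send && any_receive)
        return RULE_ERR_SEND_AND_RECEIVE;
    /* A broadcast has no destination, so a concrete one can never match. */
    if (out->broadcast == BROADCAST_TRUE && out->destination != NULL)
        return RULE_ERR_IMPOSSIBLE_BROADCAST;
    return RULE_OK;
}

/* A broadcast is a signal with a NULL destination; everything else
 * (non-signals, or signals with a destination) is a non-broadcast. */
static bool send_rule_matches(const SendRule *rule, bool is_signal,
                              const char *msg_destination)
{
    bool is_broadcast = is_signal && msg_destination == NULL;

    if (rule->broadcast == BROADCAST_TRUE && !is_broadcast)
        return false;
    if (rule->broadcast == BROADCAST_FALSE && is_broadcast)
        return false;
    if (rule->destination != NULL &&
        (msg_destination == NULL ||
         strcmp(rule->destination, msg_destination) != 0))
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample: the rule quoted in the commit message. */
    const Attr impossible[] = {
        { "send_destination", "com.example" }, { "send_broadcast", "true" }
    };
    SendRule rule;

    printf("impossible pair rejected: %s\n",
           parse_send_rule(impossible, 2, &rule) == RULE_ERR_IMPOSSIBLE_BROADCAST
               ? "yes" : "no");
    return 0;
}
```
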

6 years ago Merge branch 'dbus-1.10'
Simon McVittie [Fri, 28 Jul 2017 10:22:50 +0000 (11:22 +0100)]
Merge branch 'dbus-1.10'

6 years ago NEWS for #101858
Simon McVittie [Fri, 28 Jul 2017 10:21:07 +0000 (11:21 +0100)]
NEWS for #101858

6 years ago config-loader-expat: Tell Expat not to defend against hash collisions
Simon McVittie [Fri, 21 Jul 2017 09:46:39 +0000 (10:46 +0100)]
config-loader-expat: Tell Expat not to defend against hash collisions

By default, Expat uses cryptographic-quality random numbers as a salt for
its hash algorithm, and since 2.2.1 it gets them from the getrandom
syscall on Linux. That syscall refuses to return any entropy until the
kernel's CSPRNG (random pool) has been initialized. Unfortunately, this
can take as long as 40 seconds on embedded devices with few entropy
sources, which is too long: if the system dbus-daemon blocks for that
length of time, important D-Bus clients like systemd and systemd-logind
time out and fail to connect to it.

We're parsing small configuration files here, and we trust them
completely, so we don't need to defend against hash collisions: nobody
is going to be crafting them to cause pathological performance.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101858
Tested-by: Christopher Hewitt <hewitt@ieee.org>
[smcv: Adjust build-system changes for 1.11.x]
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
6 years ago config-loader-expat: Tell Expat not to defend against hash collisions
Simon McVittie [Fri, 21 Jul 2017 09:46:39 +0000 (10:46 +0100)]
config-loader-expat: Tell Expat not to defend against hash collisions

By default, Expat uses cryptographic-quality random numbers as a salt for
its hash algorithm, and since 2.2.1 it gets them from the getrandom
syscall on Linux. That syscall refuses to return any entropy until the
kernel's CSPRNG (random pool) has been initialized. Unfortunately, this
can take as long as 40 seconds on embedded devices with few entropy
sources, which is too long: if the system dbus-daemon blocks for that
length of time, important D-Bus clients like systemd and systemd-logind
time out and fail to connect to it.

We're parsing small configuration files here, and we trust them
completely, so we don't need to defend against hash collisions: nobody
is going to be crafting them to cause pathological performance.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101858
Signed-off-by: Simon McVittie <smcv@debian.org>
Tested-by: Christopher Hewitt <hewitt@ieee.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>

6 years ago Start 1.10.24
Simon McVittie [Thu, 27 Jul 2017 20:55:32 +0000 (21:55 +0100)]
Start 1.10.24

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago Belatedly bump the libtool versioning
Simon McVittie [Thu, 27 Jul 2017 20:23:54 +0000 (21:23 +0100)]
Belatedly bump the libtool versioning

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago Start towards 1.11.18
Simon McVittie [Thu, 27 Jul 2017 20:23:30 +0000 (21:23 +0100)]
Start towards 1.11.18

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago 1.11.16
Simon McVittie [Thu, 27 Jul 2017 12:57:27 +0000 (13:57 +0100)]
1.11.16

6 years ago 1.10.22
Simon McVittie [Thu, 27 Jul 2017 12:57:19 +0000 (13:57 +0100)]
1.10.22

6 years ago NEWS
Simon McVittie [Thu, 20 Jul 2017 19:36:10 +0000 (20:36 +0100)]
NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago DBusMainLoop: ensure all required timeouts are restarted
Michal Koutný [Thu, 29 Jun 2017 09:24:49 +0000 (11:24 +0200)]
DBusMainLoop: ensure all required timeouts are restarted

This is a followup of 529600397bcab47b9bed5da9208c2df05c8b86b4. We can't
shortcut the timeouts iteration in order not to miss any timeouts that
might require timestamp restart.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95619
Reviewed-by: Simon McVittie <smcv@collabora.com>

6 years ago Merge branch 'dbus-1.10'
Simon McVittie [Fri, 7 Jul 2017 12:16:49 +0000 (13:16 +0100)]
Merge branch 'dbus-1.10'

6 years ago NEWS for fd.o#101716
Simon McVittie [Fri, 7 Jul 2017 12:16:09 +0000 (13:16 +0100)]
NEWS for fd.o#101716

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago test/name-test: Be compatible with Python 3
Simon McVittie [Fri, 7 Jul 2017 11:12:24 +0000 (12:12 +0100)]
test/name-test: Be compatible with Python 3

configure.ac will detect PYTHON=python3 if there is no python
executable in the PATH.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101716
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago Merge branch 'dbus-1.10'
Simon McVittie [Fri, 7 Jul 2017 09:59:35 +0000 (10:59 +0100)]
Merge branch 'dbus-1.10'

6 years ago NEWS for #101698
Simon McVittie [Fri, 7 Jul 2017 09:55:39 +0000 (10:55 +0100)]
NEWS for #101698

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago tests: Make tests fail if they try to connect to the real session bus
Simon McVittie [Wed, 5 Jul 2017 14:32:40 +0000 (15:32 +0100)]
tests: Make tests fail if they try to connect to the real session bus

It is too easy for a developer working in an environment that has a
session bus to write tests that pass locally, but fail in minimal
environments. This is also risky because the tests might do
destructive things on the developer's real session bus. We can avoid
connecting to the session bus by consistently removing its address
from the environment, and replacing it with something that will
always fail.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698

6 years ago test/dbus-daemon: Unset DBUS_SESSION_BUS_ADDRESS
Simon McVittie [Wed, 5 Jul 2017 14:30:05 +0000 (15:30 +0100)]
test/dbus-daemon: Unset DBUS_SESSION_BUS_ADDRESS

When we intend to exercise the default behaviour in the absence of
DBUS_SESSION_BUS_ADDRESS (but with an XDG_RUNTIME_DIR present), it would
help if we unset DBUS_SESSION_BUS_ADDRESS. Otherwise we'll just connect
to the real session bus, if there is one.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698

6 years ago Update NEWS for fd.o#101700
Simon McVittie [Thu, 6 Jul 2017 17:45:34 +0000 (18:45 +0100)]
Update NEWS for fd.o#101700

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago Update NEWS for 1.10 branch
Simon McVittie [Thu, 6 Jul 2017 17:43:23 +0000 (18:43 +0100)]
Update NEWS for 1.10 branch

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago name-test: Backport dbus-run-session wrapper from git master
Simon McVittie [Wed, 5 Jul 2017 14:28:08 +0000 (15:28 +0100)]
name-test: Backport dbus-run-session wrapper from git master

test-pending-call-disconnected relies on being run under a session bus.
On master, the TESTS in this directory all get that treatment, but
in dbus-1.10 they do not. This caused test-pending-call-disconnected
to fail in minimal environments like travis-ci where there is no
developer-initiated session bus.

Backport part of commit ec6b220 "name-test: run most C tests directly,
not via run-test.sh" to wrap it in dbus-run-session. This is better
than putting it in run-test.sh because this way, its TAP output is
parsed directly by Automake.

It also has the side benefit of exercising dbus-run-session in the
automated tests.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698

6 years ago system.conf: Allow unprivileged users to get dbus-daemon properties
Simon McVittie [Fri, 30 Jun 2017 14:47:49 +0000 (15:47 +0100)]
system.conf: Allow unprivileged users to get dbus-daemon properties

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101700

6 years ago Update NEWS for the various things that ended up in #101568
Simon McVittie [Wed, 5 Jul 2017 16:30:27 +0000 (17:30 +0100)]
Update NEWS for the various things that ended up in #101568

Signed-off-by: Simon McVittie <smcv@collabora.com>

6 years ago test-variant: Add a regression test for DBusVariant
Simon McVittie [Tue, 20 Jun 2017 10:56:07 +0000 (11:56 +0100)]
test-variant: Add a regression test for DBusVariant

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago message: Add DBusVariant, a way to copy a single message item
Simon McVittie [Fri, 2 Jun 2017 19:19:56 +0000 (20:19 +0100)]
message: Add DBusVariant, a way to copy a single message item

For #100344, we will need a way to store the metadata from the
original method call, and copy them back into arbitrarily many
messages later. This would be easy in GDBus, which has GVariant
as a first-class object. However, libdbus doesn't have an object for
message items, only messages.

We could copy the message's content, but it will carry file descriptors,
which we don't want to copy. Instead, introduce an internal object
representing a message item in a small buffer. It is stored as a variant
(D-Bus type 'v') so that it naturally carries its own type.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago Test dbus_message_iter_abandon_container_if_open under OOM conditions
Simon McVittie [Tue, 4 Jul 2017 15:43:48 +0000 (16:43 +0100)]
Test dbus_message_iter_abandon_container_if_open under OOM conditions

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago DBusMessageIter: Add a function to abandon possibly-zero-filled iterators
Simon McVittie [Tue, 4 Jul 2017 15:31:51 +0000 (16:31 +0100)]
DBusMessageIter: Add a function to abandon possibly-zero-filled iterators

See the doc-comment of the new
dbus_message_iter_abandon_container_if_open() function for details.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago dbus_message_iter_open_container: Don't leak signature on failure
Simon McVittie [Tue, 4 Jul 2017 14:38:57 +0000 (15:38 +0100)]
dbus_message_iter_open_container: Don't leak signature on failure

If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().

One might reasonably worry that this change can break callers that use
this (incorrect) pattern:

    if (!dbus_message_iter_open_container (outer, ..., inner))
      {
        dbus_message_iter_abandon_container (outer, inner);
        goto fail;
      }
    /* now we know inner is open, and we must close it later */

However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.

This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 031aa2ceb3dfff373e7b398dfc5d020d77262512)

6 years ago dbus_message_iter_append_basic: Don't leak signature if appending fd fails
Simon McVittie [Tue, 4 Jul 2017 13:13:15 +0000 (14:13 +0100)]
dbus_message_iter_append_basic: Don't leak signature if appending fd fails

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 8384e795516066960bb9fcfbfe138f569420edb9)

6 years ago dbus_message_append_args_valist: Don't leak memory on inappropriate type
Simon McVittie [Tue, 4 Jul 2017 12:31:38 +0000 (13:31 +0100)]
dbus_message_append_args_valist: Don't leak memory on inappropriate type

Found by source code inspection while trying to debug an unrelated
leak.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 6b7bdb105b120b3db312de93af94af1bb6a2a474)

6 years ago DBusMessageIter: Zero out the iterator on failure
Simon McVittie [Tue, 4 Jul 2017 15:04:07 +0000 (16:04 +0100)]
DBusMessageIter: Zero out the iterator on failure

This ensures that callers won't accidentally use it for something
in a way that is considered to be programmer error.

In _dbus_message_iter_check(), insert a specific check for this before
dereferencing iter->message, so that we get a nice assertion failure
(potentially non-fatal) instead of a segfault.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
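The two commits above (freeing the signature when dbus_message_iter_open_container() fails, and zeroing the iterator on failure) can be modelled in a few lines. This is an added illustration, not code from the dbus repository: ToyIter and every toy_* function are hypothetical stand-ins, and the out-of-memory condition is simulated with a flag.

```c
#include <stdlib.h>
#include <string.h>
/* Toy stand-in for DBusMessageIter; every name here is hypothetical. */
typedef struct {
  void *owner;      /* non-NULL only while the iterator is valid */
  char *signature;  /* buffer allocated when a container is opened */
} ToyIter;
/* Leak counter, and a flag that simulates OOM in the second step of open. */
static int live_allocs, fail_recurse;

/* Step 1 allocates the signature; step 2 (the "recurse") may fail. On
 * failure the signature is freed and the inner iterator is zero-filled. */
static int toy_open_container (ToyIter *outer, ToyIter *inner)
{
  memset (inner, 0, sizeof *inner);
  if (outer->owner == NULL || (inner->signature = malloc (16)) == NULL)
    return 0;
  live_allocs++;
  if (fail_recurse)
    {
      free (inner->signature);
      live_allocs--;
      memset (inner, 0, sizeof *inner);
      return 0;
    }
  inner->owner = outer->owner;
  return 1;
}

/* Strict abandon: an invalidated (zeroed) iterator is programmer error and
 * is reported by returning 0 instead of being freed a second time. */
static int toy_abandon_container (ToyIter *inner)
{
  if (inner->owner == NULL)
    return 0;
  free (inner->signature);
  live_allocs--;
  memset (inner, 0, sizeof *inner);
  return 1;
}

/* Tolerant variant: a no-op on a zero-filled iterator. */
static void toy_abandon_container_if_open (ToyIter *inner)
{
  if (inner->owner != NULL)
    toy_abandon_container (inner);
}

/* Failed open: nothing leaks, and the incorrect "abandon after a failed
 * open" pattern is detected rather than executed. Returns 1 on success. */
static int toy_failed_open_is_safe (void)
{
  int token = 0;
  ToyIter outer = { &token, NULL }, inner;
  fail_recurse = 1;
  if (toy_open_container (&outer, &inner) || toy_abandon_container (&inner))
    return 0;
  toy_abandon_container_if_open (&inner);
  return live_allocs == 0 && inner.owner == NULL && inner.signature == NULL;
}
```

Because a zeroed iterator fails the `owner` check, a second abandon after a successful open is also rejected, which is the "closed exactly once" rule in model form.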

6 years ago DBusMessageIter: Clarify the API
Simon McVittie [Tue, 4 Jul 2017 14:58:50 +0000 (15:58 +0100)]
DBusMessageIter: Clarify the API

Having opened a container for appending, the container must be closed
exactly once.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago test/message: Add a targeted test for recently-fixed leaks
Simon McVittie [Tue, 4 Jul 2017 13:23:42 +0000 (14:23 +0100)]
test/message: Add a targeted test for recently-fixed leaks

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago internals: Make a minimal _dbus_test_oom_handling() universally available
Simon McVittie [Tue, 4 Jul 2017 17:05:53 +0000 (18:05 +0100)]
internals: Make a minimal _dbus_test_oom_handling() universally available

Previously, it was only available under DBUS_ENABLE_EMBEDDED_TESTS,
because the infrastructure to pretend malloc had failed is only
compiled then. However, I'd like to use it in more modular tests, to
avoid test-dbus continuing to grow. To facilitate that, inline a
trivial version of it when DBUS_ENABLE_EMBEDDED_TESTS is disabled:
it just calls the function, once, without doing any strange things to
the malloc interface.

Similarly, amend the stub implementation of
_dbus_get_malloc_blocks_outstanding() so that references to it are
syntactically valid, and move the DBusTestMemoryFunction typedef so
that it can be used with or without DBUS_ENABLE_EMBEDDED_TESTS.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago dbus_message_iter_open_container: Don't leak signature on failure
Simon McVittie [Tue, 4 Jul 2017 14:38:57 +0000 (15:38 +0100)]
dbus_message_iter_open_container: Don't leak signature on failure

If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().

One might reasonably worry that this change can break callers that use
this (incorrect) pattern:

    if (!dbus_message_iter_open_container (outer, ..., inner))
      {
        dbus_message_iter_abandon_container (outer, inner);
        goto fail;
      }
    /* now we know inner is open, and we must close it later */

However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.

This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago dbus_message_iter_append_basic: Don't leak signature if appending fd fails
Simon McVittie [Tue, 4 Jul 2017 13:13:15 +0000 (14:13 +0100)]
dbus_message_iter_append_basic: Don't leak signature if appending fd fails

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago _dbus_message_iter_open_signature: Clarify why this is not leaky
Simon McVittie [Tue, 4 Jul 2017 12:33:30 +0000 (13:33 +0100)]
_dbus_message_iter_open_signature: Clarify why this is not leaky

The same assertion appears closer to the top of the function, and there
is no opportunity for it to have become false here.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago dbus_message_append_args_valist: Don't leak memory on inappropriate type
Simon McVittie [Tue, 4 Jul 2017 12:31:38 +0000 (13:31 +0100)]
dbus_message_append_args_valist: Don't leak memory on inappropriate type

Found by source code inspection while trying to debug an unrelated
leak.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago _dbus_marshal_validate_test: Uncomment commented-out test coverage
Simon McVittie [Tue, 4 Jul 2017 16:04:16 +0000 (17:04 +0100)]
_dbus_marshal_validate_test: Uncomment commented-out test coverage

This was added around 12½ years ago, in a commented-out state, and has
remained commented out ever since. It turns out these test vectors
do pass, although perhaps they didn't at the time.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

6 years ago _dbus_marshal_validate_test: Merge two sets of signature validity checks
Simon McVittie [Tue, 4 Jul 2017 16:00:59 +0000 (17:00 +0100)]
_dbus_marshal_validate_test: Merge two sets of signature validity checks

The deleted lines used to be a test for _dbus_validate_signature(),
until I deleted that function. We also had a completely separate
test for _dbus_validate_signature_with_reason() which remains present.
Some of the test vectors were tested in both places.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568