Bertrand SIMONNET [Wed, 20 Aug 2014 22:43:23 +0000 (15:43 -0700)]
Link dbus-daemon and dbus-daemon-lauch-helper against libdbus
The shared can be used by dbus-daemon and dbus-daemon-launch-helper by exporting
the private symbols needed, reducing the size of dbus by about 500k.
The private symbols are exposed under the version
LIBDBUS_PRIVATE_@VERSION_NUMBER@.
[Altered by Simon McVittie and Ralf Habacker to clear up some
problematic linking.]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83115
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Fri, 20 Feb 2015 14:46:46 +0000 (14:46 +0000)]
On Unix platforms with gcc (or compatible), hide non-exported symbols
This changes the Linux behaviour to match the default situation
on Windows: symbols without DBUS_EXPORT or DBUS_PRIVATE_EXPORT
decoration are internal to libdbus-1, and cannot be used by
other programs, even within the dbus source tree.
This means the compiler/linker can optimize calls to those functions
by avoiding indirection through the PLT, which should improve
performance a little. However, the primary purpose of doing this is
that it means developers building libdbus on Linux are considerably
less likely to break it on Windows by mistake.
I'm deliberately not adding -fvisbility=hidden in CMake because the
complexity of doing so is unnecessary: Autotools is the recommended
way to build dbus for Unix, and the one Unix developers are going
to use in practice, unless they are specifically checking that they
haven't broken the CMake build.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83115
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Fri, 20 Feb 2015 14:42:13 +0000 (14:42 +0000)]
Add DBUS_PRIVATE_EXPORT decoration to symbols used by dbus-daemon or tests
The rules are:
* symbols in libdbus-1 with neither decoration are private to libdbus-1
* symbols in libdbus-1 with DBUS_EXPORT are public API
* symbols in libdbus-1 with DBUS_PRIVATE_EXPORT are private to the
dbus source package, but may be used by other programs in the dbus
source tree, including tests
* symbols in libdbus-internal must not have DBUS_EXPORT or
DBUS_PRIVATE_EXPORT, and should be used by as few things as possible
Thanks to Ralf Habacker for his contributions to this rather
large commit.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83115
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Fri, 20 Feb 2015 15:07:23 +0000 (15:07 +0000)]
tests: always use libdbus-internal for main loop, never dbus-glib
This gets rid of a potential circular dependency, which is annoying
when bootstrapping. It is nice to have the regression tests use
the shared libdbus, but we're about to make it possible to
do that anyway, even though some of them use internal symbols.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83115
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Wed, 17 Sep 2014 17:51:53 +0000 (18:51 +0100)]
sysdeps: try to avoid re-including config.h
Re-including config.h after we have already included glib.h breaks
the GLIB_VERSION_MAX_ALLOWED macro, and every .c file should be
including config.h anyway.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83115
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Wed, 17 Sep 2014 17:49:34 +0000 (18:49 +0100)]
Remove some redundant inclusions
Both these files included dbus-test.h already.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83115
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Thu, 19 Feb 2015 15:52:17 +0000 (15:52 +0000)]
Remove <apparmor/> from default system.conf, session.conf
The AppArmor and SELinux modes both default to "enabled" (i.e.
enable it if and only if it is supported), so there is no need to
add their element to system.conf unless a system integrator wants
to set them to either required or disabled.
However, if we add <apparmor/> on upgrade from 1.9.10 to 1.9.12,
any subsequent attempts to reload bus configuration before the
next reboot will fail, because the dbus-daemon that is already
running does not support that element.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89231
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Simon McVittie [Thu, 19 Feb 2015 14:47:30 +0000 (14:47 +0000)]
clarify NEWS
Simon McVittie [Thu, 19 Feb 2015 14:46:35 +0000 (14:46 +0000)]
1.9.13
Simon McVittie [Thu, 19 Feb 2015 13:29:31 +0000 (13:29 +0000)]
1.9.12
Tyler Hicks [Wed, 18 Feb 2015 21:44:59 +0000 (15:44 -0600)]
apparmor: Fix build failure with --disable-apparmor
The bus_apparmor_confinement_unref() function definition must exist even
when building with --disable-apparmor.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Wed, 18 Feb 2015 20:57:08 +0000 (20:57 +0000)]
Revert "Add DBus method to return the AA context of a connection"
This reverts commit
24f1502e42b58a7c238779c023c6bfe870dc78cc,
which wasn't meant to go upstream (it's backwards compatibility
with older versions of this patchset).
Tyler Hicks [Wed, 4 Feb 2015 17:53:31 +0000 (17:53 +0000)]
Add DBus method to return the AA context of a connection
This is not intended for upstream inclusion. It implements a bus method
(GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
security context but upstream D-Bus has recently added a generic way of
getting a connection's security credentials (GetConnectionCredentials).
Ubuntu should carry this patch until packages in the archive are moved
over to the new, generic method of getting a connection's credentials.
[Altered by Simon McVittie: survive non-UTF-8 contexts which
would otherwise be a local denial of service, except that Ubuntu
inherits a non-fatal warnings patch from Debian; new commit message
taken from the Ubuntu changelog; do not emit unreachable code if
AppArmor is disabled.]
Simon McVittie [Wed, 18 Feb 2015 17:58:33 +0000 (17:58 +0000)]
apparmor: tighten up terminology for context vs. label vs. profile
The thing returned by SO_PEERSEC (which we're calling LinuxSecurityLabel
within D-Bus) can have a different meaning for each LSM. In AppArmor
it's the AppArmor context, which is made up of an AppArmor label and an
optional confinement mode; the label further subdivides into one
or more profiles. See
https://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/2862
and subsequent commits for recent clarification of this terminology.
In practice, the part that dbus-daemon deals with is the label,
and occasionally also the mode.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Tyler Hicks [Mon, 9 Feb 2015 06:41:37 +0000 (00:41 -0600)]
Mediation of processes becoming a monitor
When an AppArmor confined process wants to become a monitor, a check is
performed to see if eavesdropping should be allowed.
The check is based on the connection's label and the bus type.
This patch reuses the bus_apparmor_allows_eavesdropping() hook.
An example AppArmor rule that would allow a process to become a monitor
on the system bus would be:
dbus eavesdrop bus=system,
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Tyler Hicks [Thu, 13 Feb 2014 19:17:23 +0000 (13:17 -0600)]
Mediation of processes eavesdropping
When an AppArmor confined process wants to eavesdrop on a bus, a check
is performed to see if the action should be allowed.
The check is based on the connection's label and the bus type.
This patch adds a new hook, which was not previously included in the
SELinux mediation, to mediate eavesdropping from
bus_driver_handle_add_match().
A new function is added to bus/signals.c to see if a match rule is an
eavesdropping rule since the rule flags field is private to signals.c.
An example AppArmor rule that would allow a process to eavesdrop on the
session bus would be:
dbus eavesdrop bus=session,
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
John Johansen [Thu, 13 Feb 2014 19:07:32 +0000 (13:07 -0600)]
Mediation of processes sending and receiving messages
When an AppArmor confined process wants to send or receive a message, a
check is performed to see if the action should be allowed.
When a message is going through dbus-daemon, there are two checks
performed at once. One for the sending process and one for the receiving
process.
The checks are based on the process's label, the bus type, destination,
path, interface, and member, as well as the peer's label and/or
destination name.
This allows for the traditional connection-based enforcement, as well as
any fine-grained filtering desired by the system administrator.
It is important to note that error and method_return messages are
allowed to cut down on the amount of rules needed. If a process was
allowed to send a message, it can receive error and method_return
messages.
An example AppArmor rule that would be needed to allow a process to call
the UpdateActivationEnvironment method of the session bus itself would be:
dbus send bus=session path=/org/freedesktop/DBus
interface=org.freedesktop.DBus member=UpdateActivationEnvironment
peer=(name=org.freedesktop.DBus),
To receive any message on the system bus from a process confined by
the "confined-client" AppArmor profile:
dbus receive bus=system peer=(label=confined-client),
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg]
[tyhicks: Pass the message type to the AppArmor hook]
[tyhicks: Don't audit unrequested reply message denials]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: when AA denies sending, don't label requested_reply as "matched rules"]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Tyler Hicks [Fri, 14 Mar 2014 17:12:46 +0000 (12:12 -0500)]
Do LSM checks after determining if the message is a requested reply
Move the call to bus_selinux_allows_send() after the call to
bus_connections_check_reply().
This allows LSMs to know if the message is a reply and whether or not it
was requested.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
John Johansen [Thu, 13 Feb 2014 18:55:52 +0000 (12:55 -0600)]
Mediation of processes that acquire well-known names
When an AppArmor confined process wants to acquire a well-known name, a
check is performed to see if the action should be allowed.
The check is based on the connection's label, the bus type, and the name
being requested.
An example AppArmor rule that would allow the name
"com.example.ExampleName" to be acquired on the system bus would be:
dbus bind bus=system name=com.example.ExampleName,
To let a process acquire any name on any bus, the rule would be:
dbus bind,
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg]
[tyhicks: initialize reserved area at the start of the query string]
[tyhicks: Use empty string for NULL bustypes when building queries]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Tyler Hicks [Thu, 13 Feb 2014 15:59:53 +0000 (09:59 -0600)]
Store AppArmor label of connecting processes
When processes connect the bus, the AppArmor confinement context should
be stored for later use when checks are to be done during message
sending/receiving, acquire a name, and eavesdropping.
Code outside of apparmor.c will need to initialize and unreference the
confinement context, so bus_apparmor_confinement_unref() can no longer
be a static function.
[Move bus_apparmor_confinement_unref back to its old location for
a more reasonable diff -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Tyler Hicks [Wed, 12 Feb 2014 23:28:13 +0000 (17:28 -0600)]
Store AppArmor label of bus during initialization
During dbus-daemon initialization, the AppArmor confinement context
should be stored for later use when checks are to be done on messages
to/from the bus itself.
AppArmor confinement contexts are documented in aa_getcon(2). They
contain a confinement string and a mode string. The confinement string
is typically the name of the AppArmor profile confining a given process.
The mode string gives the current enforcement mode of the process
confinement. For example, it may indicate that the confinement should be
enforced or it may indicate that the confinement should allow all
actions with the caveat that actions which would be denied should be
audited.
It is important to note that libapparmor mallocs a single buffer to
store the con and mode strings and separates them with a NUL terminator.
Because of this, only con should be freed.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: use BUS_SET_OOM]
[smcv: dbus_set_error doesn't need extra newlines]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
John Johansen [Wed, 12 Feb 2014 18:37:41 +0000 (12:37 -0600)]
Initialize AppArmor mediation
When starting dbus-daemon, autodetect AppArmor kernel support and use
the results from parsing the busconfig to determine if mediation should
be enabled.
In the busconfig, "enabled" means that kernel support is autodetected
and, if available, AppArmor mediation occurs in dbus-daemon. In
"enabled" mode, if kernel support is not detected, mediation is
disabled. "disabled" means that mediation does not occur. "required"
means that kernel support must be detected for dbus-daemon to start.
Additionally, when libaudit support is built into dbus-daemon, the
AppArmor initialization routines set up the audit connection.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Honor enforcement modes and detect AppArmor dbus rule support]
[tyhicks: fix unreachable return when AppArmor support is built]
[tyhicks: make bus_apparmor_full_init() able to raise a DBusError]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: _bus_apparmor_aa_supports_dbus: document necessary kernel API guarantee]
[smcv: bus_apparmor_pre_init: distinguish between OOM and AppArmor not enabled]
[smcv: document why we open() and not just stat()]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Tyler Hicks [Tue, 11 Feb 2014 01:02:04 +0000 (19:02 -0600)]
Add apparmor element support to bus config parsing
The <apparmor> element can contain a single mode attribute that has one
of three values:
"enabled"
"disabled"
"required"
"enabled" means that kernel support is autodetected and, if available,
AppArmor mediation occurs in dbus-daemon. If kernel support is not
detected, mediation is disabled. "disabled" means that mediation does
not occur. "required" means that kernel support must be detected for
dbus-daemon to start.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Tyler Hicks [Mon, 10 Feb 2014 23:40:03 +0000 (17:40 -0600)]
Update autoconf file to build against libapparmor
AppArmor support can be configured at build time with --enable-apparmor
and --disable-apparmor. By default, the build time decision is
automatically decided by checking if a sufficient libapparmor is
available.
A minimum required libapparmor is version 2.8.95.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
[smcv: avoid potential non-portability from "test EXPR -a EXPR"]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Tyler Hicks [Tue, 11 Feb 2014 00:29:06 +0000 (18:29 -0600)]
Add apparmor element and attributes to the bus config dtd
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Tyler Hicks [Tue, 11 Feb 2014 00:24:59 +0000 (18:24 -0600)]
Document AppArmor enforcement in the dbus-daemon man page
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Wed, 11 Feb 2015 13:40:23 +0000 (13:40 +0000)]
Add LinuxSecurityLabel to specification
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Wed, 11 Feb 2015 13:19:43 +0000 (13:19 +0000)]
Add regression test for LinuxSecurityLabel credential
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Wed, 11 Feb 2015 13:19:15 +0000 (13:19 +0000)]
Add LSM-agnostic support for LinuxSecurityLabel credential
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov> (for SELinux)
Acked-by: John Johansen <john.johansen@canonical.com> (for AppArmor)
Acked-by: Casey Schaufler <casey@schaufler-ca.com> (for Smack)
Tested-by: Tyler Hicks <tyhicks@canonical.com>
Tyler Hicks [Thu, 13 Mar 2014 22:37:38 +0000 (17:37 -0500)]
New a{sv} helper for using byte arrays as the variant
Create a new helper for using a byte array as the value in the mapping
from string to variant.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Ralf Habacker [Mon, 16 Feb 2015 14:08:22 +0000 (15:08 +0100)]
dbus-monitor: Remove empty column in --profile mode.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Mon, 16 Feb 2015 12:54:39 +0000 (13:54 +0100)]
dbus-monitor: Combine sec and usec columns into one timestamp column and unify platform related format string.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Mon, 16 Feb 2015 13:35:37 +0000 (14:35 +0100)]
dbus-send: Keep cmake build system in sync with autotools.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89109
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Philip Withnall [Thu, 5 Feb 2015 12:08:03 +0000 (12:08 +0000)]
doc: Add a guide to designing D-Bus APIs
This guide gives some pointers on how to write D-Bus APIs which are nice
to use.
It adds an optional dependency on Ducktype and yelp-build from
yelp-tools. These are used when available, but are not required unless
--enable-ducktype-docs is passed to configure. They are required for
uploading the docs, however.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88994
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 16 Feb 2015 12:53:57 +0000 (12:53 +0000)]
dbus-monitor: whitespace
Simon McVittie [Mon, 16 Feb 2015 12:03:32 +0000 (12:03 +0000)]
dbus-monitor: clarify column headers
- change "ref serial" to "in_reply_to" (avoiding whitespace for easy
visual parsing)
- prefix with # to clarify that these are not part of the data
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Ralf Habacker [Mon, 16 Feb 2015 10:23:00 +0000 (11:23 +0100)]
dbus-monitor.c: unify columns format in --profile mode and display column header.
[rebase onto correctly indented version -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Mon, 16 Feb 2015 11:52:01 +0000 (11:52 +0000)]
dbus-monitor: convert remaining hard tabs to 8 spaces
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89165
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Fri, 13 Feb 2015 18:55:31 +0000 (18:55 +0000)]
dbus-send: pretty-print GVariant-style bytestrings
dbus-send could already pretty-print bytestrings that do not have
\0 termination, but those are awkward to work with (they need copying),
so they are now discouraged. Teach it to print bytestrings that
do have \0 termination as well.
In the process, rewrite this part of the message parser
to use dbus_message_iter_get_fixed_array(), which is the Right way
to get arrays of numbers out of a message.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89109
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 16 Feb 2015 11:43:57 +0000 (11:43 +0000)]
Add manual-paths test to the Autotools (mingw) build too
As in CMake, it is restricted to Windows builds, since the
functionality that it tests is not present in Unix builds.
Ralf Habacker [Sun, 1 Feb 2015 13:52:27 +0000 (14:52 +0100)]
Add org.freedesktop.DBus.Verbose interface to dbus-daemon when compiled with DBUS_ENABLE_VERBOSE_MODE.
This interface contains methods 'EnableVerbose' and 'DisableVerbose'
to control verbose mode on daemon runtime.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88896
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Wed, 11 Feb 2015 17:09:14 +0000 (18:09 +0100)]
Add manual-paths test executable with cmake build support.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83539
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Thu, 12 Feb 2015 13:04:15 +0000 (13:04 +0000)]
Add dbus-test-tool and its man page to the CMake build system
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89086
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Wed, 11 Feb 2015 16:59:42 +0000 (16:59 +0000)]
Document dbus-test-tool
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89086
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Wed, 11 Feb 2015 13:14:24 +0000 (13:14 +0000)]
bus_driver_handle_get_connection_credentials: do not assert on OOM
dbus_connection_get_windows_user is documented to return TRUE but
put NULL in its argument if OOM is reached.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Wed, 11 Feb 2015 11:47:15 +0000 (11:47 +0000)]
Reduce the number of fds the fdpass test uses
It was relying on a higher-than-default fd limit; cut it down to
more than 256 but rather less than 1024, since the default Linux
limit is 1024 fds per user.
Also automatically skip this test if our rlimit is too small.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88998
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Ralf Habacker [Tue, 10 Feb 2015 15:21:34 +0000 (16:21 +0100)]
Minor optimization in _dbus_getsid().
MSDN recommands to use GetCurrentProcess() for current process.
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=54445
Ralf Habacker [Tue, 10 Feb 2015 14:41:52 +0000 (15:41 +0100)]
Add test for windows sid.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=54445
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Fri, 7 Sep 2012 03:00:59 +0000 (05:00 +0200)]
Windows implementation of GetConnectionCredentials.
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=54445
Simon McVittie [Mon, 9 Feb 2015 15:35:55 +0000 (15:35 +0000)]
1.9.11
Simon McVittie [Mon, 9 Feb 2015 11:09:51 +0000 (11:09 +0000)]
1.9.10
Simon McVittie [Mon, 26 Jan 2015 20:07:14 +0000 (20:07 +0000)]
Add a regression test for making systemd activation appear to fail
Simon McVittie [Mon, 9 Feb 2015 11:06:32 +0000 (11:06 +0000)]
Merge branch '1.8-cve-2015-0245' into cve-2015-0245
Conflicts:
NEWS
bus/system.conf.in
configure.ac
Simon McVittie [Wed, 4 Feb 2015 19:45:23 +0000 (19:45 +0000)]
Add test-fdpass to the build, and make it compile again
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88998
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 26 Jan 2015 20:06:48 +0000 (20:06 +0000)]
CVE-2015-0245: discard forged ActivationFailure messages
Without this code change, non-systemd processes can make dbus-daemon
think systemd failed to activate a system service, resulting in an
error reply back to the requester. In practice we can address this in
system.conf by only allowing root to forge these messages, but this
check is the real solution, particularly on systems where root is
not all-powerful.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811
Reviewed-by: Alban Crequy
Reviewed-by: David King
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 20:06:04 +0000 (20:06 +0000)]
bus_driver_get_owner_of_name: factor out from bus_driver_get_conn_helper
We need this, or something equivalent, to address CVE-2015-0245 via
code changes.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811
Reviewed-by: Alban Crequy
Reviewed-by: David King
Reviewed-by: Philip Withnall
Simon McVittie [Thu, 5 Feb 2015 14:54:10 +0000 (14:54 +0000)]
1.8.17
Simon McVittie [Thu, 5 Feb 2015 12:48:57 +0000 (12:48 +0000)]
tests: make installable metadata Windows-friendly by using EXEEXT
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88980
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Thu, 5 Feb 2015 12:47:32 +0000 (12:47 +0000)]
tests: make sure to specify CPPFLAGS where needed
test-marshal and test-syntax need the
$(testutils_shared_if_possible_cppflags), so that they will get the
$(static_cflags) when we are not linking to dbus-glib.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88980
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Wed, 4 Feb 2015 15:16:34 +0000 (15:16 +0000)]
bus_driver_check_caller_is_privileged: correct the DBUS_WIN case
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88964
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Ralf Habacker [Wed, 4 Feb 2015 13:56:17 +0000 (14:56 +0100)]
_dbus_listen_tcp_socket: Keep windows code to fetch port from tcp listening socket in sync with unix.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Wed, 4 Feb 2015 17:44:05 +0000 (17:44 +0000)]
NEWS for 1.9
Simon McVittie [Tue, 3 Feb 2015 14:45:35 +0000 (14:45 +0000)]
Add a common test_init() for GLib tests which prevents hanging forever
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Fri, 23 Jan 2015 19:32:31 +0000 (19:32 +0000)]
dbus-monitor: add options to log binary data with or without pcap framing
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 2 Feb 2015 20:08:07 +0000 (20:08 +0000)]
dbus-monitor: add support for using BecomeMonitor to be a read-only monitor
Move the dbus_connection_add_filter() call further up as a precaution,
because it isn't safe for a monitor to not have a filter that
swallows all messages.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 26 Jan 2015 19:15:16 +0000 (19:15 +0000)]
Allow root to monitor the system bus by default
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 2 Feb 2015 20:02:56 +0000 (20:02 +0000)]
Add a regression test for being a new-style monitor
This includes most of the situations I could think of:
* method call on dbus-daemon and response
* NameOwnerChanged
* NameAcquired, NameLost (although I'm not 100% sure these should
get captured, since they're redundant with NameOwnerChanged)
* unicast message is allowed through
* unicast message is rejected by no-sending or no-receiving policy
* broadcast is allowed through
* broadcast is rejected by no-sending policy (the error reply
is also captured)
* broadcast is rejected by no-receiving policy (there is no error
reply)
* message causing service activation, and the message telling systemd
to do the actual activation
* systemd reporting that activation failed
It does not cover:
* sending a message to dbus-daemon, then provoking a reply, then
dbus-daemon does not allow itself to send the reply due to its
own security policy
This is such an obscure corner case that I'm not even convinced it's
testable without dropping down into lower-level socket manipulation:
dbus-daemon's replies are always assumed to be requested replies,
and replies contain so little other metadata that I think we can
only forbid them by forbidding all method replies. If we do that,
the reply to Hello() won't arrive and the client-side connection will
not become active.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Tue, 3 Feb 2015 14:45:37 +0000 (14:45 +0000)]
Capture a fake reply if a broadcast cannot be delivered
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Mon, 2 Feb 2015 19:45:17 +0000 (19:45 +0000)]
Capture all messages received or sent, and send them to monitors
Unlike eavesdropping, the point of capture is when the message is
received, except for messages originating inside the dbus-daemon.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Fri, 23 Jan 2015 19:11:31 +0000 (19:11 +0000)]
Add support for morphing a D-Bus connection into a "monitor"
This is a special connection that is not allowed to send anything,
and loses all its well-known names.
In future commits, it will get a new set of match rules and the
ability to eavesdrop on messages before the rest of the bus daemon
has had a chance to process them.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Simon McVittie [Wed, 4 Feb 2015 17:06:54 +0000 (17:06 +0000)]
Merge branch 'dbus-1.8'
Simon McVittie [Wed, 4 Feb 2015 16:51:10 +0000 (16:51 +0000)]
Prepare embargoed 1.8.16 release
Simon McVittie [Mon, 26 Jan 2015 20:09:56 +0000 (20:09 +0000)]
CVE-2015-0245: prevent forged ActivationFailure from non-root processes
Without either this rule or better checking in dbus-daemon, non-systemd
processes can make dbus-daemon think systemd failed to activate a system
service, resulting in an error reply back to the requester.
This is redundant with the fix in the C code (which I consider to be
the real solution), but is likely to be easier to backport.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88811
Reviewed-by: Alban Crequy
Reviewed-by: David King
Reviewed-by: Philip Withnall
Simon McVittie [Wed, 4 Feb 2015 16:44:31 +0000 (16:44 +0000)]
NEWS for 1.8 branch
Simon McVittie [Wed, 4 Feb 2015 13:16:18 +0000 (13:16 +0000)]
_dbus_listen_tcp_socket: comment on another reason to ignore EADDRINUSE
Not being aware of the second reason described here caused bug #87999
in the equivalent code on Windows.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Simon McVittie [Wed, 4 Feb 2015 13:15:20 +0000 (13:15 +0000)]
_dbus_listen_tcp_socket: use NI_NUMERICSERV to determine port number
If we happen to have been given (say) port 30865, we want to
represent that as host=localhost,port=30865 and not
host=localhost,port=csync2.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999
Ralf Habacker [Wed, 4 Feb 2015 12:50:03 +0000 (13:50 +0100)]
Provide appropriate DBUS_USER and DBUS_TEST_USER under CMake
[separated out from a larger commit -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88964
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Wed, 4 Feb 2015 12:23:34 +0000 (13:23 +0100)]
Link tests to test-utils-glib.c under CMake too
[Separated out from a larger commit -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88964
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Wed, 4 Feb 2015 14:18:39 +0000 (14:18 +0000)]
dbus-monitor: use common code from dbus-test-tool
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall
[also sync up the cmake build system -smcv]
Simon McVittie [Tue, 3 Feb 2015 23:13:51 +0000 (23:13 +0000)]
1.9.9
Simon McVittie [Tue, 3 Feb 2015 17:26:47 +0000 (17:26 +0000)]
1.9.8 development release
Simon McVittie [Tue, 3 Feb 2015 19:35:39 +0000 (19:35 +0000)]
Treat root as a valid candidate for TEST_USER_ME
If spawn_dbus_daemon() can fail for TEST_USER_ME, then we'd have to
go through all the tests adding the ability to skip tests after
it fails, which is a fairly extensive change.
The tests have historically all run as whatever uid is supplied, and
if the tests are being run as root for some reason - perhaps in a CI
framework for an embedded platform that doesn't have non-root users,
or in an environment where you can be root or non-root but not both -
there is no particular reason to skip them.
Simon McVittie [Tue, 3 Feb 2015 16:25:56 +0000 (16:25 +0000)]
NEWS
Simon McVittie [Mon, 26 Jan 2015 20:10:39 +0000 (20:10 +0000)]
Add a regression test for systemd activation
4.5 years after it was implemented, here is the regression test.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=57952
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 18:15:27 +0000 (18:15 +0000)]
bus_context_log_and_set_error: add and use
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 18:15:02 +0000 (18:15 +0000)]
_dbus_set_error_valist: add
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 17:57:30 +0000 (17:57 +0000)]
bus_context_log_literal: add simplified version of bus_context_log
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 17:29:43 +0000 (17:29 +0000)]
bus: put the printf attribute in the header where it will do more good
Now we can actually notice incorrect format strings in other
translation units.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 19:12:01 +0000 (19:12 +0000)]
bus driver: factor out bus_driver_check_caller_is_privileged, and allow root
Unlike the initial mitigation for CVE-2014-8148, we now allow
uid 0 to call UpdateActivationEnvironment. There's no point in root
doing that, but there's also no reason why it's particularly bad -
if an attacker is uid 0 we've already lost - and it simplifies
use of this function for future things that do want to be callable
by root, like BecomeMonitor for #46787.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 19:10:11 +0000 (19:10 +0000)]
Add a test for uid-controlled permissions
This is technical debt from mitigating CVE-2014-8148, which should
really have had a regression test at the time.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 15:47:59 +0000 (15:47 +0000)]
Add infrastructure to run bits of tests under an alternative uid
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 15:47:22 +0000 (15:47 +0000)]
test: implement GLib-style "installed tests"
We run each test twice:
* once with the system's session.conf, as an integration test
(test-cases that need a special configuration are automatically
skipped)
* once with our special test configuration files, which provide better
coverage
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 18:55:08 +0000 (18:55 +0000)]
Generate test configuration files via build-time sed, not configure
This means we can generate a version that works when installed,
from the same source files.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 19:02:59 +0000 (19:02 +0000)]
Factor out some utility functions from test/dbus-daemon*
In the process, make test_kill_pid() safer: do not try to terminate
more than one pid, or the NULL handle.
Also stop leaking the address_fd in spawn_dbus_daemon, a pre-existing
bug that was spotted by Philip Withnall during review.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 2 Feb 2015 16:04:52 +0000 (16:04 +0000)]
Bump required GLib version to 2.36
This is for g_close(), which the next commit will use. It also lets us
rely on g_type_init() being a no-op (since 2.32 the type system is
always initialized by a global constructor).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
Lukasz Skalski [Tue, 3 Feb 2015 12:59:00 +0000 (13:59 +0100)]
Update .gitignore files
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88943
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 2 Feb 2015 18:52:08 +0000 (18:52 +0000)]
NEWS
Simon McVittie [Fri, 23 Jan 2015 19:08:32 +0000 (19:08 +0000)]
lcov: use builddir, not srcdir
It seems lcov (or gcc?) has changed its paths since last time this
worked.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall
Simon McVittie [Mon, 26 Jan 2015 13:49:12 +0000 (13:49 +0000)]
Enable subdir-objects Automake option
It has been supported since at least 1.10, and its absence is
deprecated since 1.14.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall
Simon McVittie [Thu, 22 Jan 2015 15:46:27 +0000 (15:46 +0000)]
bus: exit on fatal errors even if not syslogging
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall