platform/upstream/dbus.git
7 years ago tools: Improve argument validation in dbus-spam
Philip Withnall [Mon, 6 Feb 2017 13:02:22 +0000 (13:02 +0000)]
tools: Improve argument validation in dbus-spam

Check that at most one argument which sets the payload is provided, so
the allocated payload is not overwritten and leaked.

Coverity ID: 54759

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99693
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago signals: Add some missing assertions to inline unit tests
Philip Withnall [Thu, 2 Feb 2017 10:28:22 +0000 (10:28 +0000)]
signals: Add some missing assertions to inline unit tests

check_parse() can return NULL on OOM, which we might as well handle
gracefully in the tests with an assertion, rather than an explosion. At
least it will shut Coverity up.

Coverity ID: 54724

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99643
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago driver: Remove unnecessary NULL check
Philip Withnall [Thu, 2 Feb 2017 10:22:22 +0000 (10:22 +0000)]
driver: Remove unnecessary NULL check

context is definitely non-NULL at this point, and has been dereferenced
already on all paths leading to it.

Coverity ID: 141062

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99642
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago systemd: add sysusers.d snippet for booting up with unpopulated /etc
Lennart Poettering [Tue, 20 Dec 2016 17:14:11 +0000 (18:14 +0100)]
systemd: add sysusers.d snippet for booting up with unpopulated /etc

This adds a "sysusers.d" snippet for creating the system user "dbus" at
boot, if it is missing, in order to support stateless systems that boot
up with an empty /etc and need static information for determining which
system users to create.

This is only installed on systemd-based systems.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99162

7 years ago cmake: Use relative install locations on Unix too
Ralf Habacker [Fri, 10 Feb 2017 17:43:51 +0000 (18:43 +0100)]
cmake: Use relative install locations on Unix too

Using expanded paths makes no sense in install commands because they
may be patched by cmake for example by specifying DESTDIR on install.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99752
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago cmake: Install executables in bin/ on Unix, not lib/
Ralf Habacker [Fri, 10 Feb 2017 17:41:44 +0000 (18:41 +0100)]
cmake: Install executables in bin/ on Unix, not lib/

Previously, executables like dbus-daemon were installed to
the lib subdirectory, but this was unintended. RUNTIME DESTINATION
is the equivalent of Autotools ${bindir}.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99752
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Let cmake install arch depending headers on Unix in the same location as autotools.
Ralf Habacker [Fri, 10 Feb 2017 13:16:04 +0000 (14:16 +0100)]
Let cmake install arch depending headers on Unix in the same location as autotools.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99752
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Add pkgconfig file generating support on unix os to cmake build system.
Ralf Habacker [Fri, 10 Feb 2017 13:13:25 +0000 (14:13 +0100)]
Add pkgconfig file generating support on unix os to cmake build system.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99752
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Only print timestamps on stderr if verbose messages will go there
Ralf Habacker [Fri, 10 Feb 2017 12:10:49 +0000 (13:10 +0100)]
Only print timestamps on stderr if verbose messages will go there

On Windows, dbus can be configured to send DBUS_VERBOSE messages
to the Windows debug port instead of stderr. If we're in that
configuration, we already avoided printing thread information to
stderr before each verbose message; do the same for timestamps.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99749

7 years ago Autotools compile fix.
Ralf Habacker [Sat, 4 Feb 2017 13:10:09 +0000 (14:10 +0100)]
Autotools compile fix.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99622

7 years ago Do not mention disallowed auth mechanisms in REJECTED message
Ralf Habacker [Wed, 1 Feb 2017 21:11:40 +0000 (22:11 +0100)]
Do not mention disallowed auth mechanisms in REJECTED message

Previously, all implemented mechanisms were included, even if the
sysadmin had configured them not to be allowed.

Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99621

7 years ago On bus startup check given auth in config file against supported mechanisms.
Ralf Habacker [Thu, 2 Feb 2017 10:28:35 +0000 (11:28 +0100)]
On bus startup check given auth in config file against supported mechanisms.

With recent code, starting dbus-daemon with an unsupported auth mechanism
lets dbus-daemon silently ignore this issue. Clients connecting to this
server fail to connect without any descriptive explanation of the
root cause, only the message 'Rejected client connection due to lack
of memory' error is reported in dbus-daemon verbose log, which is disabled
in production environments.

With this patch dbus-daemon checks the supported auth mechanisms on startup
and shuts down with a descriptive error message, which gives admins
immediate feedback on service startup/restart.

Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99622

7 years ago connection: Fix an LSM label memory leak on an error handling path
Philip Withnall [Tue, 31 Jan 2017 10:04:49 +0000 (10:04 +0000)]
connection: Fix an LSM label memory leak on an error handling path

This is almost certainly not going to make a difference, as it’s on the
OOM handling path; but the fewer leaks the better.

Coverity ID: 141058

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99612
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Add more bug references
Simon McVittie [Wed, 1 Feb 2017 11:07:41 +0000 (11:07 +0000)]
Add more bug references

7 years ago Update NEWS for 1.11.x
Simon McVittie [Wed, 1 Feb 2017 11:04:44 +0000 (11:04 +0000)]
Update NEWS for 1.11.x

7 years ago Revert "Make uid 0 immune to pending_fd_timeout limit"
Simon McVittie [Wed, 1 Feb 2017 10:55:48 +0000 (10:55 +0000)]
Revert "Make uid 0 immune to pending_fd_timeout limit"

This reverts commit 3f407671ecf821eb38ea7af5b160bfb93a9f4584.

This special case is no longer needed: we believe we have now fixed the
root cause.

7 years ago Only read one message at a time if there are fds pending
Simon McVittie [Tue, 17 Jan 2017 15:13:36 +0000 (15:13 +0000)]
Only read one message at a time if there are fds pending

systemd-logind's OpenSession() API call returns a fd. If there is a
flood of new sessions, it is possible that by the time we finish reading
message 1, message 2 will already be in our incoming buffer and so on.
This results in systemd-logind consistently having one or more fds enqueued
for an extended period, which we interpret as a denial of service
attack, and handle by kicking it off the bus (at least until we worked
around the resulting logind failure by making uid 0 immune to that
particular anti-DoS mechanism, but that workaround doesn't work for
other uids).

To avoid this without the complexity of tracking multiple countdowns
per connection (one for each message with fds), we can avoid reading
any additional messages while we already have a message with a fd
attached pending processing. To avoid stalling, we have to read the rest
of any partial message we might have, but we stop after that.
Assuming we are able to get rid of the pending fds within a reasonable
time, we'll eventually drain the incoming queue to a level of 0 bytes
and 0 fds, at which point the countdown stops.

To make this actually work, we need fd.o #95619 to be fixed first, so
that when we receive more fds and restart the countdown, it restarts
with its correct time remaining.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95263
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Tested-by: Kai-Heng Feng
7 years ago bus: Fix timeout restarts
Michal Koutný [Tue, 24 May 2016 09:14:11 +0000 (11:14 +0200)]
bus: Fix timeout restarts

The code counting pending fds relied on restart of timeouts when they are
enabled. This patch adds a function that ensures that such enabled timeouts
have their timekeeping data reset (and not only when timeout is
registered into event loop processing).

When timeouts weren't reset, they'd fire at rather random and mainly
incorrect moments leading to interruption of connections of dbus-daemon.

Every time we reset the interval, we also need to re-enable the timeout
and mark its end time to be recalculated by the event loop, so combine
the old set_enabled(TRUE) with set_interval() as a new restart() method.
This leaves all the set_enabled() calls having a FALSE parameter, so
remove the parameter and rename the method to disable().

[smcv: fix minor coding style issues]
[smcv: replace set_reenabled()/set_interval() pair with restart()]
[smcv: replace set_enabled(FALSE) with disable()]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95619
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Do not dump unused DBUS_SYSTEM_BUS_DEFAULT_ADDRESS variable on windows.
Ralf Habacker [Mon, 30 Jan 2017 18:34:38 +0000 (19:34 +0100)]
Do not dump unused DBUS_SYSTEM_BUS_DEFAULT_ADDRESS variable on windows.

Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99586

7 years ago Do not define unused variable DBUS_SESSION_SOCKET_DIR setting with cmake on Windows.
Ralf Habacker [Sat, 14 May 2016 23:46:25 +0000 (01:46 +0200)]
Do not define unused variable DBUS_SESSION_SOCKET_DIR setting with cmake on Windows.

This fixes also an undefined temp dir cmake error on cross compiling for windows.

Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99586

7 years ago Add test-uid-permissions test case to cmake build system.
Ralf Habacker [Sun, 29 Jan 2017 09:51:25 +0000 (10:51 +0100)]
Add test-uid-permissions test case to cmake build system.

Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99586

7 years ago Replace deprecated cmake install_ functions with related install(...) calls.
Ralf Habacker [Sun, 29 Jan 2017 09:46:43 +0000 (10:46 +0100)]
Replace deprecated cmake install_ functions with related install(...) calls.

Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99586

7 years ago Fix broken install of dbus-arch-deps.h.
Ralf Habacker [Sun, 15 May 2016 00:10:41 +0000 (02:10 +0200)]
Fix broken install of dbus-arch-deps.h.

Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99586

7 years ago Bus driver: add default BusDriverFound switch cases
Simon McVittie [Thu, 13 Oct 2016 22:03:08 +0000 (23:03 +0100)]
Bus driver: add default BusDriverFound switch cases

If we get an impossible result, treat it as BUS_DRIVER_FOUND_ERROR.

Signed-off-by: Simon McVittie <smcv@debian.org>
7 years ago Marshalling tests: make integer generation more concise
Thomas Zimmermann [Thu, 13 Oct 2016 22:19:58 +0000 (23:19 +0100)]
Marshalling tests: make integer generation more concise

This also avoids -Wswitch-default warnings.

[smcv: split out from a larger commit]
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98191

7 years ago Stringify DBUS_AUTH_STATE_INVALID
Thomas Zimmermann [Thu, 13 Oct 2016 22:18:23 +0000 (23:18 +0100)]
Stringify DBUS_AUTH_STATE_INVALID

[smcv: split out from a larger commit]
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98191

7 years ago Trivial config parser: enumerate the elements we don't care about
Thomas Zimmermann [Thu, 13 Oct 2016 22:16:33 +0000 (23:16 +0100)]
Trivial config parser: enumerate the elements we don't care about

This quiets -Wswitch-enum warnings. The trivial config parser
is used by the setuid activation helper, and only handles the
elements whose contents influence the operation of that helper:
system service directories, the setuid activation helper itself,
the bus uid, and the bus type.

[smcv: split out from a larger commit; add justification; move
ELEMENT_SERVICEDIR start handler to a functionally equivalent list
of elements whose content we are going to process later]
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98191

7 years ago Move defaults for some switches into a default case
Simon McVittie [Thu, 13 Oct 2016 22:09:34 +0000 (23:09 +0100)]
Move defaults for some switches into a default case

This is clearly equivalent, and quiets -Wswitch-default.

Based on part of a patch by Thomas Zimmermann.

Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98191

7 years ago _dbus_validity_to_error_message: add missing cases
Thomas Zimmermann [Tue, 23 Aug 2016 18:43:37 +0000 (20:43 +0200)]
_dbus_validity_to_error_message: add missing cases

[smcv: split out from a larger commit]
Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98191

7 years ago dbus-connection: Remove a duplicate _dbus_list_clear() call
Philip Withnall [Tue, 17 Jan 2017 08:35:07 +0000 (08:35 +0000)]
dbus-connection: Remove a duplicate _dbus_list_clear() call

This was doing no harm (clearing an already-cleared list is a no-op),
but it was also pointless.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99435

7 years ago Merge branch '1.10-docker'
Simon McVittie [Tue, 29 Nov 2016 13:13:15 +0000 (13:13 +0000)]
Merge branch '1.10-docker'

7 years ago ci-install, ci-build: add brief documentation for parameter variables
Simon McVittie [Tue, 29 Nov 2016 13:05:14 +0000 (13:05 +0000)]
ci-install, ci-build: add brief documentation for parameter variables

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago ci-install.sh: make ci_in_docker follow the yes/no convention too
Simon McVittie [Tue, 29 Nov 2016 12:47:01 +0000 (12:47 +0000)]
ci-install.sh: make ci_in_docker follow the yes/no convention too

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago travis-ci: Add and use infrastructure to build and test in Docker
Simon McVittie [Mon, 28 Nov 2016 16:38:37 +0000 (16:38 +0000)]
travis-ci: Add and use infrastructure to build and test in Docker

Debian stable, Debian testing and Ubuntu LTS provide a reasonable
spectrum of old and new distributions. I'm only doing one build on
each to avoid a combinatorial explosion of options.

The Docker images don't have any deb-src apt sources set up, so don't
use `apt-get build-dep`; just include dependencies manually.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago travis-ci: add an install script instead of open-coding it in .travis.yml
Simon McVittie [Mon, 28 Nov 2016 13:11:48 +0000 (13:11 +0000)]
travis-ci: add an install script instead of open-coding it in .travis.yml

Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
[smcv: move comment to install script as suggested]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago travis-ci: introduce maybe_fail_tests() to make test failure more obvious
Simon McVittie [Mon, 28 Nov 2016 13:04:13 +0000 (13:04 +0000)]
travis-ci: introduce maybe_fail_tests() to make test failure more obvious

Taken from the version I added to OSTree.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago travis-ci: run in bash, with the "unofficial strict mode"
Simon McVittie [Mon, 28 Nov 2016 13:03:46 +0000 (13:03 +0000)]
travis-ci: run in bash, with the "unofficial strict mode"

set -u forces us to set all variables that we use (for example with the
${foo:=bar} syntax to take an existing value or set a default), or use the
${foo:-bar} syntax to make it explicit that the variable might be unset.

set -o pipefail (which is a bash feature) detects failure in non-last
elements of a pipeline.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago travis-ci: consistently use yes/no instead of yes/empty
Simon McVittie [Mon, 28 Nov 2016 12:58:53 +0000 (12:58 +0000)]
travis-ci: consistently use yes/no instead of yes/empty

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago travis-ci: consistently use ci_* for parameter variables
Simon McVittie [Mon, 28 Nov 2016 12:56:53 +0000 (12:56 +0000)]
travis-ci: consistently use ci_* for parameter variables

This aligns it with the more generic script based on this one that
I sent to OSTree.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago ci-build: retab with 4-space indentation
Simon McVittie [Mon, 28 Nov 2016 12:54:21 +0000 (12:54 +0000)]
ci-build: retab with 4-space indentation

This realigns it with the script loosely based on this one that I
sent to OSTree.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago travis-ci: add an explicit copyright/license statement
Simon McVittie [Mon, 28 Nov 2016 12:27:03 +0000 (12:27 +0000)]
travis-ci: add an explicit copyright/license statement

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98889

7 years ago Rename distro-style CI build from "release" to "production"
Simon McVittie [Sat, 1 Oct 2016 14:20:11 +0000 (15:20 +0100)]
Rename distro-style CI build from "release" to "production"

This avoids confusion with the meaning of "release" used by
AX_IS_RELEASE. AX_IS_RELEASE is about facts about the source tree,
namely the distinction between releases (tags) and random snapshots.
The build variants in .travis.yml are about facts about the build
being done, namely the distinction between production and
debug/developer builds.

Production builds are sometimes referred to as "release builds",
for example in typical CMake and MSVC build environments, but a
different term seems better here.

Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
[smcv: cherry-picked from master to dbus-1.10 to get the Travis-CI setup
consistent between the two branches]

7 years ago Update autoconf-archive, and use snapshot.debian.org
Simon McVittie [Fri, 30 Sep 2016 18:35:59 +0000 (19:35 +0100)]
Update autoconf-archive, and use snapshot.debian.org

This way the link won't expire in future.

Signed-off-by: Simon McVittie <smcv@debian.org>
[smcv: cherry-picked from master to dbus-1.10 to get the Travis-CI setup
consistent between the two branches; it is not strictly needed on dbus-1.10]

7 years ago Travis-CI: fetch a newer autoconf-archive from Debian
Simon McVittie [Mon, 15 Aug 2016 19:41:28 +0000 (20:41 +0100)]
Travis-CI: fetch a newer autoconf-archive from Debian

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[smcv: cherry-picked from master to dbus-1.10 to get the Travis-CI setup
consistent between the two branches; it is not strictly needed on dbus-1.10]

7 years ago Travis-CI: install new autoconf-archive build-dependency
Simon McVittie [Mon, 15 Aug 2016 19:12:19 +0000 (20:12 +0100)]
Travis-CI: install new autoconf-archive build-dependency

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[smcv: cherry-picked from master to dbus-1.10 to get the Travis-CI setup
consistent between the two branches; it is not strictly needed on dbus-1.10]

7 years ago activation test: don't crash if AppArmor is built but unavailable
Simon McVittie [Tue, 29 Nov 2016 00:48:14 +0000 (00:48 +0000)]
activation test: don't crash if AppArmor is built but unavailable

Also don't try to clean up a process we didn't start.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
7 years ago Don't test AppArmor mediation of activation if libapparmor < 2.10
Simon McVittie [Mon, 28 Nov 2016 12:20:47 +0000 (12:20 +0000)]
Don't test AppArmor mediation of activation if libapparmor < 2.10

We need libapparmor 2.10 for the test, but not for the actual
functionality, for which 2.8.95 is enough. In particular this lets
us compile with AppArmor enabled on Ubuntu 14.04, which is still
the newest host platform available on travis-ci.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
7 years ago Start towards 1.11.10
Simon McVittie [Tue, 29 Nov 2016 12:31:23 +0000 (12:31 +0000)]
Start towards 1.11.10

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago dbus 1.11.8 and D-Bus Specification 0.30
Simon McVittie [Mon, 28 Nov 2016 20:25:35 +0000 (20:25 +0000)]
dbus 1.11.8 and D-Bus Specification 0.30

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Merge branch 'dbus-1.10'
Simon McVittie [Mon, 28 Nov 2016 20:24:32 +0000 (20:24 +0000)]
Merge branch 'dbus-1.10'

Reject the change that ignored -Wmisleading-indentation.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Start developing 1.10.16
Simon McVittie [Mon, 28 Nov 2016 20:23:14 +0000 (20:23 +0000)]
Start developing 1.10.16

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago dbus 1.10.14
Simon McVittie [Mon, 28 Nov 2016 18:26:07 +0000 (18:26 +0000)]
dbus 1.10.14

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Suppress -Wmisleading-indentation for this stable branch
Simon McVittie [Mon, 28 Nov 2016 18:48:28 +0000 (18:48 +0000)]
Suppress -Wmisleading-indentation for this stable branch

We are not going to fix the inconsistent tab/space indentation in a
stable branch just to keep gcc happy.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Make uid 0 immune to pending_fd_timeout limit
Simon McVittie [Fri, 11 Nov 2016 16:40:44 +0000 (16:40 +0000)]
Make uid 0 immune to pending_fd_timeout limit

This is a workaround for
<https://bugs.freedesktop.org/show_bug.cgi?id=95263>. If a service
sends a file descriptor sufficiently frequently that its queue of
messages never goes down to 0 fds pending, then it will eventually be
disconnected. logind is one such service.

We do not currently have a good solution for this: the proposed
patches either don't work, or reintroduce a denial of service
security vulnerability (CVE-2014-3637). Neither seems desirable.
However, we can avoid the worst symptoms by trusting uid 0 not to be
malicious.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95263
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1591411
Reviewed-by: Łukasz Zemczak
Tested-by: Ivan Kozik
Tested-by: Finn Herpich
Tested-by: autostatic
Tested-by: Ben Parafina
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
(cherry picked from commit d5fae1db789d741295ca4746b84915d4bec591fd)
[smcv: omit the test/dbus-daemon.c part, which does not apply unless
a363822f5f58e5513e30dc2f84a30ae03cd91e07 is also applied]

7 years ago Log to syslog when pending_fd_timeout is exceeded
Simon McVittie [Tue, 16 Aug 2016 15:12:35 +0000 (16:12 +0100)]
Log to syslog when pending_fd_timeout is exceeded

This is either a denial-of-service attempt, a pathological performance
problem or a dbus-daemon bug. Sysadmins should be told about any of
these.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86442
[smcv: add units to timeout: it is in milliseconds]
Signed-off-by: Simon McVittie <smcv@debian.org>
(cherry picked from commit 05cb619f0a6a4c9997832cb4acbb26f7a0be66c3)

7 years ago Spec: document AppArmor mediation of auto-starting
Simon McVittie [Tue, 22 Nov 2016 11:39:07 +0000 (11:39 +0000)]
Spec: document AppArmor mediation of auto-starting

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

7 years ago Activation test: exercise what happens with nonexistent AppArmor labels
Simon McVittie [Mon, 21 Nov 2016 21:18:15 +0000 (21:18 +0000)]
Activation test: exercise what happens with nonexistent AppArmor labels

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

7 years ago Add an integration test for AppArmor mediating activation
Simon McVittie [Mon, 21 Nov 2016 20:46:17 +0000 (20:46 +0000)]
Add an integration test for AppArmor mediating activation

This requires libapparmor 2.10, for aa_features_new_from_kernel()
and related functions.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

7 years ago Mediate auto-activation attempts through AppArmor
Simon McVittie [Mon, 21 Nov 2016 20:45:45 +0000 (20:45 +0000)]
Mediate auto-activation attempts through AppArmor

Because the recipient process is not yet available, we have to make some
assumption about its AppArmor profile. Parsing the first word of
the Exec value and then chasing symlinks seems like too much magic,
so I've gone for something more explicit. If the .service file contains

AssumedAppArmorLabel=/foo/bar

then we will do the AppArmor query on the assumption that the recipient
AppArmor label will be as stated. Otherwise, we will do a query
with an unspecified label, which means that AppArmor rules that do
specify a peer label will never match it.

Regardless of the result of this query, we will do an independent
AppArmor query when the activation has actually happened, this time
with the correct peer label; that second query will still be used
to decide whether to deliver the message. As a result, if this change
has any effect, it is to make the bus more restrictive; it does not
allow anything that would previously have been denied.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

7 years ago Do not auto-activate services if we could not send a message
Simon McVittie [Mon, 21 Nov 2016 20:56:55 +0000 (20:56 +0000)]
Do not auto-activate services if we could not send a message

We specifically do not check recipient policies, because
the recipient policy is based on properties of the
recipient process (in particular, its uid), which we do
not necessarily know until we have already started it.

In this initial implementation we do not check LSMs either,
because we cannot know what LSM context the recipient process
is going to have. However, LSM support will need to be added
to make this feature useful, because StartServiceByName is
normally allowed in non-LSM environments, and is more
powerful than auto-activation anyway.

The StartServiceByName method does not go through this check,
because if access to that method has been granted, then
it's somewhat obvious that you can start arbitrary services.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

7 years ago Add tests for activation when message send/receive is denied
Simon McVittie [Fri, 16 Oct 2015 16:33:36 +0000 (17:33 +0100)]
Add tests for activation when message send/receive is denied

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

7 years ago Merge branch 'dbus-1.10'
Simon McVittie [Tue, 22 Nov 2016 21:39:40 +0000 (21:39 +0000)]
Merge branch 'dbus-1.10'

7 years ago Install mingw build-dependencies in a different order
Simon McVittie [Tue, 22 Nov 2016 21:10:44 +0000 (21:10 +0000)]
Install mingw build-dependencies in a different order

This avoids installing the build-dependencies for dbus and its tests,
then uninstalling them all because they rely on libraries whose versions
are older than the ones needed by wine:i386 (and apparently apt prefers
to remove those libraries rather than upgrade them). Doing it this way
round seems to convince apt to do the right thing.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago ci-build: run our copy of config.guess
Simon McVittie [Tue, 22 Nov 2016 21:07:48 +0000 (21:07 +0000)]
ci-build: run our copy of config.guess

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Merge branch 'dbus-1.10'
Simon McVittie [Tue, 22 Nov 2016 20:08:22 +0000 (20:08 +0000)]
Merge branch 'dbus-1.10'

7 years ago NEWS
Simon McVittie [Tue, 22 Nov 2016 20:06:36 +0000 (20:06 +0000)]
NEWS

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Don't test X11 autolaunching if it was disabled at compile time
Simon McVittie [Wed, 9 Nov 2016 18:44:21 +0000 (18:44 +0000)]
Don't test X11 autolaunching if it was disabled at compile time

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98665

7 years ago Spec: be clearer about "starting" and "activation" being synonyms
Simon McVittie [Tue, 22 Nov 2016 11:46:17 +0000 (11:46 +0000)]
Spec: be clearer about "starting" and "activation" being synonyms

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671

7 years ago Update NEWS
Simon McVittie [Tue, 22 Nov 2016 11:28:03 +0000 (11:28 +0000)]
Update NEWS

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago spec: Clarify behaviour of o.f.D.P.GetAll
Philip Withnall [Tue, 1 Nov 2016 04:17:54 +0000 (21:17 -0700)]
spec: Clarify behaviour of o.f.D.P.GetAll

Clarify its intended behaviour in two situations:
 • For interfaces which have no properties.
 • Where some properties are not visible to the caller (due to access
   control, for example).

The intention here is for this behaviour to be mandatory, but given that
this is quite late on in the specification’s life, and various D-Bus
libraries like dbus-glib and telepathy-glib cannot support access
control at a per-property level, for example. GDBus can, although it’s
questionable whether this is a good idea. Deliberately leave the
specification open to allow access control at a higher level as well
(such as per-(object, interface)).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=36190
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago NEWS for spec changes
Simon McVittie [Tue, 22 Nov 2016 11:26:26 +0000 (11:26 +0000)]
NEWS for spec changes

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Spec: mostly use versioned interface and bus names
Simon McVittie [Mon, 21 Nov 2016 20:19:22 +0000 (20:19 +0000)]
Spec: mostly use versioned interface and bus names

Using versioned names here reinforces the advice given in
<https://dbus.freedesktop.org/doc/dbus-api-design.html#api-versioning>.

I haven't added versions to the sample parameters "com.example.tea" and
"com.example.cappuccino" for methods that query information about
names, on the basis that I assume they are more likely to be intended
to represent an implementation than an API.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671

7 years ago Spec: document systemd activation
Simon McVittie [Wed, 9 Nov 2016 17:52:48 +0000 (17:52 +0000)]
Spec: document systemd activation

We didn't say that SystemdService existed. Now we do, together with
enough context to make it make sense.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671

7 years ago Spec: document what auto-starting is, and recommend it
Simon McVittie [Mon, 21 Nov 2016 20:12:57 +0000 (20:12 +0000)]
Spec: document what auto-starting is, and recommend it

For something we recommend, that is important enough to have its own
header flag, it doesn't have very good documentation. Redo the text
to suggest that auto-starting is the normal thing and
StartServiceByName is the oddity. That's usually a good principle
to follow, since it dodges time-of-check/time-of-use issues, and the
method call that you presumably wanted to do needs to handle errors
anyway.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671

7 years ago Spec: be clearer about what activation means
Simon McVittie [Mon, 21 Nov 2016 20:12:17 +0000 (20:12 +0000)]
Spec: be clearer about what activation means

The spec previously mentioned that CORBA calls this activation, but
did not explicitly say that D-Bus has copied this jargon term.
It's 2016, and developers are probably more likely to be familiar
with D-Bus than with CORBA at this point: explicitly say that *our*
jargon term for this action is activation.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671

7 years ago Update NEWS
Simon McVittie [Fri, 11 Nov 2016 19:47:40 +0000 (19:47 +0000)]
Update NEWS

7 years ago Make uid 0 immune to pending_fd_timeout limit
Simon McVittie [Fri, 11 Nov 2016 16:40:44 +0000 (16:40 +0000)]
Make uid 0 immune to pending_fd_timeout limit

This is a workaround for
<https://bugs.freedesktop.org/show_bug.cgi?id=95263>. If a service
sends a file descriptor sufficiently frequently that its queue of
messages never goes down to 0 fds pending, then it will eventually be
disconnected. logind is one such service.

We do not currently have a good solution for this: the proposed
patches either don't work, or reintroduce a denial of service
security vulnerability (CVE-2014-3637). Neither seems desirable.
However, we can avoid the worst symptoms by trusting uid 0 not to be
malicious.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95263
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1591411
Reviewed-by: Łukasz Zemczak
Tested-by: Ivan Kozik
Tested-by: Finn Herpich
Tested-by: autostatic
Tested-by: Ben Parafina
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Add more _DBUS_GNUC_PRINTF annotations
Simon McVittie [Wed, 9 Nov 2016 12:59:18 +0000 (12:59 +0000)]
Add more _DBUS_GNUC_PRINTF annotations

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98658

7 years ago Note #98195 (the printf attributes) in NEWS
Simon McVittie [Wed, 9 Nov 2016 14:12:49 +0000 (14:12 +0000)]
Note #98195 (the printf attributes) in NEWS

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Configure the compiler to suggest useful function attributes
Simon McVittie [Fri, 7 Oct 2016 18:13:52 +0000 (19:13 +0100)]
Configure the compiler to suggest useful function attributes

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Add missing function attributes suggested by clang (but not by gcc)
Simon McVittie [Fri, 7 Oct 2016 18:45:48 +0000 (19:45 +0100)]
Add missing function attributes suggested by clang (but not by gcc)

clang is a little more enthusiastic about suggesting these.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Add missing format attributes suggested by -Wsuggest-attribute=format
Simon McVittie [Fri, 7 Oct 2016 18:13:33 +0000 (19:13 +0100)]
Add missing format attributes suggested by -Wsuggest-attribute=format

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Enable format, noreturn, unused attributes for clang
Simon McVittie [Fri, 7 Oct 2016 18:28:47 +0000 (19:28 +0100)]
Enable format, noreturn, unused attributes for clang

I'm assuming here that any version of clang will be new enough to
understand gcc 2.4 features, which seems rather safe.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago test-segfault: mark exception_handler as NORETURN
Simon McVittie [Mon, 10 Oct 2016 15:13:58 +0000 (16:13 +0100)]
test-segfault: mark exception_handler as NORETURN

It calls ExitProcess(), which is correctly detected as not returning.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago test-privserver: avoid -Wformat-security
Simon McVittie [Fri, 7 Oct 2016 18:44:47 +0000 (19:44 +0100)]
test-privserver: avoid -Wformat-security

This is not a security vulnerability because it's test code that
should never be compiled in production.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago dbus-launch-x11: print a window ID portably
Simon McVittie [Fri, 7 Oct 2016 18:44:11 +0000 (19:44 +0100)]
dbus-launch-x11: print a window ID portably

On LP64 platforms, a Window is unsigned long.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago dbus-file-win: print a HANDLE correctly
Simon McVittie [Fri, 7 Oct 2016 18:27:50 +0000 (19:27 +0100)]
dbus-file-win: print a HANDLE correctly

HANDLEs are pointers, not integers.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Print XML parse errors correctly
Simon McVittie [Fri, 7 Oct 2016 18:19:35 +0000 (19:19 +0100)]
Print XML parse errors correctly

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago Print errors parsing match rules correctly
Simon McVittie [Fri, 7 Oct 2016 18:16:16 +0000 (19:16 +0100)]
Print errors parsing match rules correctly

Not an exploitable vulnerability, just incorrect output.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago dbus-nonce: print sockets correctly
Simon McVittie [Fri, 7 Oct 2016 18:05:40 +0000 (19:05 +0100)]
dbus-nonce: print sockets correctly

Since early 2015, a DBusSocket has been a struct containing either
an int or a pointer-sized Windows SOCKET. Print them with
"%" DBUS_SOCKET_FORMAT and _dbus_socket_printable().

Bug found by adding more _DBUS_GNUC_PRINTF attributes.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago dbus_signature_validate: be sure to use a literal format string
Simon McVittie [Fri, 7 Oct 2016 18:01:01 +0000 (19:01 +0100)]
dbus_signature_validate: be sure to use a literal format string

This was not a security vulnerability because
_dbus_validity_to_error_message() doesn't return anything containing
"%", but the compiler can't know that.

Found by adding more _DBUS_GNUC_PRINTF attributes.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
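
The literal-format-string pattern this commit describes, as an added C example (not code from the dbus tree): `DemoError`, `DEMO_PRINTF`, `demo_error_set()` and `demo_report()` are hypothetical names, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an error object; not libdbus's DBusError. */
typedef struct { char message[128]; } DemoError;

/* The format attribute tells gcc/clang that argument 2 is a printf format
 * and the variadic arguments start at 3, so every call site is checked. */
#if defined(__GNUC__)
#define DEMO_PRINTF(fmt_idx, args_idx) \
  __attribute__ ((format (printf, fmt_idx, args_idx)))
#else
#define DEMO_PRINTF(fmt_idx, args_idx)
#endif

static void demo_error_set (DemoError *e, const char *fmt, ...) DEMO_PRINTF (2, 3);

static void
demo_error_set (DemoError *e, const char *fmt, ...)
{
  va_list ap;

  va_start (ap, fmt);
  /* vsnprintf always NUL-terminates and truncates to the buffer size. */
  vsnprintf (e->message, sizeof e->message, fmt, ap);
  va_end (ap);
}

/* Hazardous pattern (kept out of the build): the text becomes the format.
 *   demo_error_set (e, reason);
 * With the attribute in place, -Wformat-security flags this call. */

/* Hardened pattern: literal format, opaque text passed as data. */
static const char *
demo_report (DemoError *e, const char *reason)
{
  demo_error_set (e, "%s", reason);
  return e->message;
}

int
main (void)
{
  DemoError e;

  /* Constructed sample containing printf metacharacters. */
  puts (demo_report (&e, "bad signature: 100%s %n"));
  return 0;
}
```
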
7 years ago _dbus_listen_tcp_socket: correct format string
Simon McVittie [Fri, 7 Oct 2016 18:00:43 +0000 (19:00 +0100)]
_dbus_listen_tcp_socket: correct format string

res is an integer, not a string.

Bug found by adding more _DBUS_GNUC_PRINTF attributes.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
7 years ago NEWS
Simon McVittie [Thu, 13 Oct 2016 16:46:43 +0000 (17:46 +0100)]
NEWS

7 years ago Test compiler and linker flags with AX_COMPILER_FLAGS_* macros
Thomas Zimmermann [Mon, 15 Aug 2016 17:46:03 +0000 (19:46 +0200)]
Test compiler and linker flags with AX_COMPILER_FLAGS_* macros

The autoconf macros AX_COMPILER_FLAGS_{CFLAGS|CXXFLAGS|LDFLAGS} test
for compiler and linker support of various flags, and add the flags to
the generated output.

If the command-line option '--enable-compile-warnings' is specified to
'configure', a number of additional warning options is also added to the
output. This is the default.

The AX_COMPILER_FLAGS_* macros add stricter warnings than before. The
patch disables some of them to make dbus build without errors. A later
patch set should fix the warnings and remove the compiler flags.

This patch integrates all tests for compiler flags into the call to
AX_COMPILER_FLAGS_CFLAGS. All tests for compiler flags are now done
in a single place. The old macros have been removed.

Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: add missing $ to DISABLE_WARNINGS]
[smcv: drop -Wno-discarded-qualifiers]
[smcv: drop non-C++ option -Wpointer-sign in C++ mode]
[smcv: work around an AX_COMPILER_FLAGS_CFLAGS bug]
[smcv: this source tree is called dbus, not DBus]
Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357

7 years ago Revert "Keep cmake gcc builds in sync with autotools warnings."
Simon McVittie [Sat, 1 Oct 2016 14:06:27 +0000 (15:06 +0100)]
Revert "Keep cmake gcc builds in sync with autotools warnings."

When reviewing this commit, I said

    Looks OK, although this is going to become impossible if we start
    using the externally-curated list of warnings from
    <https://www.gnu.org/software/autoconf-archive/ax_compiler_flags.html>,
    which I've been quite tempted to do.

That time has now come. I think it's more valuable to have comprehensive
warnings under our primary build system, Autotools, than to have
some fairly elaborate CMake scripting to pick up the same compiler
warnings in both build systems; the CMake build system is primarily
there to give us the ability to compile with MSVC, which has orthogonal
compiler warning options anyway.

This reverts commit 41427560af2c9923a48e50ddbf72e53aad5b2983.

Signed-off-by: Simon McVittie <smcv@debian.org>
Acked-by: Ralf Habacker <ralf.habacker@freenet.de>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357

7 years ago Fix remaining -Wundef warnings
Simon McVittie [Mon, 10 Oct 2016 14:07:34 +0000 (15:07 +0100)]
Fix remaining -Wundef warnings

Vaguely based on a patch from Thomas Zimmermann, but with a different
solution to RECURSIVE_MARSHAL_WRITE_TRACE, and additionally fixing
a build failure that only occurs when targeting Unix without libsystemd,
and another that occurs when targeting Windows.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357

7 years ago Remove leftover declarations for assuming int manipulation is atomic
Simon McVittie [Mon, 15 Aug 2016 14:24:16 +0000 (15:24 +0100)]
Remove leftover declarations for assuming int manipulation is atomic

We never assume this since
<https://bugs.freedesktop.org/show_bug.cgi?id=38005> was fixed, because
it isn't true in modern compilers.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357

7 years ago Clean up how we arrange for environ to be declared
Simon McVittie [Fri, 7 Oct 2016 16:24:31 +0000 (17:24 +0100)]
Clean up how we arrange for environ to be declared

Annoyingly, the POSIX way to declare environ (as
"extern char **environ") is a redundant declaration in glibc with
_GNU_SOURCE; work around that.

We also have a workaround for _NSGetEnviron() needing to be used
instead of direct access to environ in at least some circumstances on
Mac OS. Attempt to sync that up between all the files that use environ,
consistently sorting the most special special-cases first (Windows
for files that are compiled there, then Mac, then GNU, with
lowest-common-denominator POSIX last).

The affected files are already OS-specific, so I'm not bothering to
introduce a nicer or higher-level API for this.

Based on the best bits of an earlier patch from me, and an earlier
patch from Thomas Zimmermann.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357

7 years ago Reimplement _dbus_warn_return_if_fail without -Wformat-nonliteral
Simon McVittie [Mon, 15 Aug 2016 14:32:01 +0000 (15:32 +0100)]
Reimplement _dbus_warn_return_if_fail without -Wformat-nonliteral

We can avoid duplicating the format string between translation units,
without the compiler warning us that it can't check non-literal
format strings for format-string security vulnerabilities based on %p,
by breaking out the "assertion failed" case into a slow-path.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357

7 years ago Linux: use readdir(), not deprecated readdir_r()
Simon McVittie [Sat, 1 Oct 2016 11:38:50 +0000 (12:38 +0100)]
Linux: use readdir(), not deprecated readdir_r()

glibc >= 2.24 marks readdir_r() as deprecated. It is meant to be a
thread-safe version of readdir(), but modern implementations of readdir()
are thread-safe anyway (when called with a distinct DIR * argument),
and readdir_r() has some design issues involving PATH_MAX.

This code path is in Linux-specific code, so we can safely assume a
high-quality implementation of readdir().

Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
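
A directory walk written with readdir() as the commit above recommends, as an added C example (not the code changed by this commit): `demo_count_entries()` is a hypothetical helper, and it assumes the `DIR *` is used by one thread only.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Count the entries of a directory other than "." and "..".
 * Returns the count, or -1 with errno set on failure. */
static long
demo_count_entries (const char *path)
{
  DIR *d = opendir (path);
  struct dirent *ent;
  long n = 0;
  int saved;

  if (d == NULL)
    return -1;

  for (;;)
    {
      /* readdir() returns NULL both at end-of-directory and on error;
       * only errno tells them apart, so clear it before each call. */
      errno = 0;
      ent = readdir (d);
      if (ent == NULL)
        break;
      /* ent points at storage owned by the DIR stream, so there is no
       * caller-sized struct dirent buffer as readdir_r() requires. */
      if (strcmp (ent->d_name, ".") == 0 || strcmp (ent->d_name, "..") == 0)
        continue;
      n++;
    }

  saved = errno;        /* closedir() may overwrite errno */
  closedir (d);
  if (saved != 0)
    {
      errno = saved;
      return -1;
    }
  return n;
}

int
main (void)
{
  printf ("entries in /: %ld\n", demo_count_entries ("/"));
  return 0;
}
```
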