Simon McVittie [Tue, 4 Dec 2018 11:41:11 +0000 (11:41 +0000)]
doc: Remove obsolete message about man2html
We no longer run man2html.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
f134e2d2c7ae53965dfba0c85bf76ad38fb7fa4c)
Simon McVittie [Tue, 16 Oct 2018 14:44:59 +0000 (15:44 +0100)]
CONTRIBUTING.md: Update and rewrite
This file hadn't kept up with reality, and needs updating for Gitlab.
Take the opportunity to rewrite it.
Much of the text, particularly about commit messages, was taken from
Wayland's contributing guide (thanks to Ander Conselvan de Oliveira,
Bryce Harrington, Eric Engestrom, Pekka Paalanen and Daniel Stone).
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 16 Oct 2018 14:02:29 +0000 (15:02 +0100)]
CONTRIBUTING: Reformat as Markdown
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 16 Oct 2018 14:01:04 +0000 (15:01 +0100)]
CONTRIBUTING: Remove all trailing whitespace
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 22 Aug 2018 16:48:34 +0000 (17:48 +0100)]
Rename HACKING to CONTRIBUTING
Signed-off-by: Simon McVittie <smcv@collabora.com>
Hyotaek Shim [Tue, 4 Dec 2018 04:14:22 +0000 (04:14 +0000)]
Merge "Revert "Add RequiresMountsFor=/opt to dbus.service"" into tizen
Simon McVittie [Mon, 3 Dec 2018 16:34:55 +0000 (16:34 +0000)]
NEWS: Refer to Gitlab
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 3 Dec 2018 16:31:07 +0000 (16:31 +0000)]
Update NEWS
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 17 Aug 2018 14:42:17 +0000 (15:42 +0100)]
activation: Don't leak if delivering activation message is forbidden
This is technically a denial of service because the dbus-daemon will
run out of memory eventually, but it's a very slow and noisy one,
because all the rejected messages are also very likely to have
been logged to the system log.
Detected by AddressSanitizer.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/234
Reviewed-by: pwithnall
Adrian Szyndela [Thu, 29 Nov 2018 09:23:44 +0000 (10:23 +0100)]
spec: fixed compilation options to reduce warnings
If -mimplicit-it option is set to thumb while compiling to ARM,
then it shows lots of:
Warning: conditional outside an IT block for Thumb.
This commit removes -mimplicit-it from the compilation options on ARM32 arch.
Change-Id: I6eea9ef65e61b8ec7afa16035d4a14d6d7f870e4
Hyotaek Shim [Wed, 28 Nov 2018 04:54:15 +0000 (04:54 +0000)]
Revert "Add RequiresMountsFor=/opt to dbus.service"
This reverts commit
1c9ed8666fcbae5076022fdf6d0f177d7e464ce4.
Change-Id: Ic15fcd3ace518c180910f43cc18b40c6de478d92
Simon McVittie [Fri, 16 Nov 2018 15:09:39 +0000 (15:09 +0000)]
Update NEWS
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 23 Oct 2018 10:43:23 +0000 (11:43 +0100)]
dbus-daemon test: Allow much longer for pending fd timeout
The timeout we're using here is 0.5s (500ms), but the actual time taken
is unbounded, because the OS scheduler might not schedule our process
for an arbitrary length of time after we become runnable.
We previously allowed up to 1 second, but in the CI jobs for dbus!9
and dbus!18 we've seen this take up to 3.4 seconds (presumably
because other tests, or other jobs running on the same shared
infrastructure, starved this process). Allow up to 10 seconds to guard
against spurious failures.
The timeout used in the production system.conf is 150 seconds (2½
minutes), and we're only using the shorter 500ms timeout here to make
the test complete more quickly, so ±10 seconds is relatively
insignificant: the main thing is that it's finite.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
20e6eb7cd1f9c2ad941bd62c8f1f71712377a96e)
Simon McVittie [Mon, 22 Oct 2018 10:45:45 +0000 (11:45 +0100)]
build: Never use poll() on Darwin family (macOS, etc.) or Interix
Doing a runtime check in configure.ac (AC_RUN_IFELSE) has several
disadvantages:
* It doesn't work when cross-compiling. For example, if we build macOS
binaries on a Linux system, we'd assume that poll() works, but in
fact it won't.
* It checks the build system capabilities, but that is not necessarily
appropriate if (for example) a macOS 10.10 user builds binaries that
could be used by macOS 10.12 or macOS 10.9 users.
* It checks for one specific failure mode, but macOS seems to have a
history of various implementation issues in poll().
* If we want it to work in CMake, we have to duplicate it in the CMake
build system.
None of these is a showstopper on its own, but the combination of all
of them makes the current approach to avoiding the broken poll() on
macOS look unreliable. libcurl, a widely-portable library making
extensive use of sockets, specifically doesn't use poll() on Darwin
(macOS, iOS, etc.) or on Interix; let's follow their example here.
See also https://bugzilla.gnome.org/show_bug.cgi?id=302672 and
https://daniel.haxx.se/blog/2016/10/11/poll-on-mac-10-12-is-broken/
for some relevant history.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/232
(cherry picked from commit
0414ea65ca8196e328da09c3a2324d7765fba8c4)
Simon McVittie [Mon, 21 Nov 2016 20:56:55 +0000 (20:56 +0000)]
Do not auto-activate services if we could not send a message
We specifically do not check recipient policies, because
the recipient policy is based on properties of the
recipient process (in particular, its uid), which we do
not necessarily know until we have already started it.
In this initial implementation we do not check LSMs either,
because we cannot know what LSM context the recipient process
is going to have. However, LSM support will need to be added
to make this feature useful, because StartServiceByName is
normally allowed in non-LSM environments, and is more
powerful than auto-activation anyway.
The StartServiceByName method does not go through this check,
because if access to that method has been granted, then
it's somewhat obvious that you can start arbitrary services.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Change-Id: I53ff4f6d02e631fcd09bf1c5c306b8828f075963
Simon McVittie [Fri, 16 Oct 2015 16:33:36 +0000 (17:33 +0100)]
Add tests for activation when message send/receive is denied
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Change-Id: I7339c1a6de69a751cbe0b9047c980c4aea53750b
Adrian Szyndela [Wed, 7 Nov 2018 10:26:11 +0000 (11:26 +0100)]
dbus-daemon: prepare activation for async security checks
This commit prepares activation function (bus_activation_acivate_service())
for returning BUS_RESULT_LATER from security check introduced
in next commits.
Change-Id: I5b37d06fc5f7e563d52ed7207b5e416bedd666e6
Michal Bloch [Mon, 5 Nov 2018 15:18:55 +0000 (16:18 +0100)]
Remove kdbus interface header
kdbus.h is now provided with other linux kernel headers.
Change-Id: Ida7d06aa1f27d88040f949fffd73f0d6cfd5f244
Signed-off-by: Michal Bloch <m.bloch@samsung.com>
Simon McVittie [Fri, 5 Oct 2018 11:29:56 +0000 (12:29 +0100)]
Update NEWS
Simon McVittie [Thu, 4 Oct 2018 17:41:29 +0000 (18:41 +0100)]
ci: Use a separate ccache for each CI job
This should avoid them overwriting each other.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
e3fb085886d26aa84a0ce1bfe441244206c87e6f)
Simon McVittie [Thu, 4 Oct 2018 16:26:42 +0000 (17:26 +0100)]
ci: Mark many Gitlab jobs to be run manually
freedesktop.org Gitlab doesn't currently have enough test runners
available to run all of this every time. For higher-risk changes
(for example those that change the build system) we can run the
complete set through the web UI.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
a2f416c2896062755c285f2d1fe4a2dc03455aa1)
Simon McVittie [Thu, 4 Oct 2018 16:04:41 +0000 (17:04 +0100)]
ci: Reshuffle mingw jobs so we test different combinations
We test the combinations that we don't test on Travis-CI.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
a6d926b805a1a38567a70490b3e8d7d6c932d1f5)
Simon McVittie [Thu, 4 Oct 2018 09:50:37 +0000 (10:50 +0100)]
ci: Use ccache to speed up repeated builds
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
d0728fd06e5a2302e7596e3df56b68b0a0834fd7)
Simon McVittie [Wed, 3 Oct 2018 16:25:43 +0000 (17:25 +0100)]
ci: Add Gitlab-CI configuration
This uses the same shell scripts as Travis-CI, with slightly different
settings. We use Docker containers for all our Gitlab-CI runs, so take
the opportunity to use Debian 9 'stretch' as our baseline, and
relegate Ubuntu 14.04 'trusty' to to a secondary build.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
60933c09e9e891f74f0102fabe22d29a1a7ae5c5)
Simon McVittie [Wed, 3 Oct 2018 16:51:35 +0000 (17:51 +0100)]
ci: Explicitly install cmake
Travis-CI workers have cmake preinstalled, but Gitlab-CI Docker images
typically don't.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
907832e00849ca454322052981dbb122ea537506)
Simon McVittie [Wed, 3 Oct 2018 16:51:49 +0000 (17:51 +0100)]
ci: Teach ci-install.sh to install wine on Debian 9 'stretch'
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
408b222a9fc61327cd7be385b6705f30f0c38802)
Ralf Habacker [Wed, 21 Mar 2018 10:48:52 +0000 (11:48 +0100)]
travis-ci: Add cross building support for mingw 64 bit compiler
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit
d22e7901b555a0bfb5e06fb2463d839a276c7482)
Ralf Habacker [Thu, 22 Mar 2018 14:05:48 +0000 (15:05 +0100)]
sysdeps-win: Print word-size-dependent offset correctly
AddrPC.Offset is the same size as a pointer, but previously
we printed it as though it was the same size as a long,
which is 32 bits on 64-bit Windows.
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit
577813cf3a89df804efa6d85a1c5415ba12806ec)
Ralf Habacker [Wed, 21 Mar 2018 18:29:44 +0000 (19:29 +0100)]
dbus-transport-socket: Correctly print DBusSocket with DBUS_SOCKET_FORMAT
Previously, on 64-bit Windows we were passing a 32-bit int where the
format string expects a 64-bit SOCKET.
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit
18d4ff664491c17664b9f88c06d9338cd3750120)
pr.jung [Mon, 17 Sep 2018 07:09:50 +0000 (16:09 +0900)]
Remove build warnings
Change-Id: Ia1676731696d446a3511efb700dd89c1a1100b08
Signed-off-by: pr.jung <pr.jung@samsung.com>
Hyotaek Shim [Wed, 5 Sep 2018 09:20:00 +0000 (18:20 +0900)]
Set the smack label of executable binary tools
Apps (3rd party and even in-house Apps) are not permitted to run dbus tools directly.
User System::Tools rx
User::Shell System::Tools rx
System::TEF System::Tools rx
System::Privileged System::Tools rx
System System::Tools rx
Change-Id: Ica6d587d2516da8241590f3cf090a91ed8d3ff75
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
Simon McVittie [Thu, 30 Aug 2018 16:35:36 +0000 (17:35 +0100)]
Update NEWS
Simon McVittie [Wed, 22 Aug 2018 16:50:18 +0000 (17:50 +0100)]
Reference the freedesktop.org Code of Conduct
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Thu, 30 Aug 2018 16:34:45 +0000 (17:34 +0100)]
Update NEWS
Simon McVittie [Thu, 23 Aug 2018 08:01:03 +0000 (09:01 +0100)]
Do not apply __attribute__((__malloc__)) to dbus_realloc()
As noted in GLib commit
c879f50f, gcc's interpretation of the malloc
attribute has become more strict over time, which could result in
miscompilation. The new definition is that in addition to assuming
that the returned memory block is newly-allocated, gcc now assumes
that it does not contain any valid pointers. This is OK for
uninitialized or zero-initialized memory returned by dbus_malloc()
or dbus_malloc0(), but not valid for dbus_realloc(), which might be
used for a dynamically-sized array of (structures containing)
valid pointers.
See https://gitlab.gnome.org/GNOME/glib/issues/1465
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107741
Simon McVittie [Thu, 30 Aug 2018 15:27:46 +0000 (16:27 +0100)]
Update NEWS
Simon McVittie [Tue, 24 Jul 2018 12:21:37 +0000 (13:21 +0100)]
server-unix: Don't leak address of systemd server on success
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107320
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
d98c43c697fbeb104463dcf2da36d0d855bfb367)
Simon McVittie [Tue, 24 Jul 2018 12:18:48 +0000 (13:18 +0100)]
bus: Free address (from --address) when we have finished using it
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107320
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
7ae750c4e887b2d63f87caaf2162125ec3217fcc)
INSUN PYO [Thu, 9 Aug 2018 04:21:10 +0000 (13:21 +0900)]
Add RequiresMountsFor=/opt to dbus.service
In order to apply User/Group to .service, we need /opt/etc/{passwd,group}.
Signed-off-by: INSUN PYO <insun.pyo@samsung.com>
Change-Id: I585503d0dc180f21bd9594327b87b80204876005
Simon McVittie [Fri, 3 Aug 2018 00:05:33 +0000 (01:05 +0100)]
1.12.11
Simon McVittie [Thu, 2 Aug 2018 18:27:15 +0000 (19:27 +0100)]
1.12.10
Simon McVittie [Thu, 2 Aug 2018 18:24:00 +0000 (19:24 +0100)]
Update NEWS
Simon McVittie [Thu, 12 Jul 2018 18:11:05 +0000 (19:11 +0100)]
validate_body_helper: Bounds-check before validating booleans
Running the "embedded tests" through valgrind revealed that before this
commit, we would have been willing to read up to 3 bytes off the end of
a message if the message is truncated part way through a boolean. Any
practical allocator will round up allocations to the next 32-bit (or
larger) boundary, so in practice this will not leave the memory buffer
(and in particular did not crash during unit testing), but it could read
uninitialized contents.
On little-endian CPUs, an attacker might be able to use this to learn
whether up to 3 bytes of uninitialized memory in the dbus-daemon
were all-zero (their crafted message would be relayed) or not (their
connection would be disconnected for sending an invalid message). On
big-endian CPUs, an attacker might be able to use this to learn whether
up to 3 bytes were all-zeroes (relayed to a cooperating peer), 0-2
bytes of all-zeroes followed by 0x01 (relayed to a cooperating peer),
or something else (disconnected). This is not believed to be exploitable
to leak interesting information.
Fixes:
62e46533 "hardcode dbus_bool_t to 32 bits"
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107332
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
e93a775e68daeda5c95984452aee6327e31c17dd)
Simon McVittie [Thu, 2 Aug 2018 16:19:26 +0000 (17:19 +0100)]
Update NEWS
Simon McVittie [Thu, 12 Jul 2018 12:32:10 +0000 (13:32 +0100)]
nonce: Don't try to rmdir(NULL) on OOM
If re-initializing the string fails, it will be left in a state
where it has a length of 0 and a NULL buffer. That's valid to
"free", but not valid to pass to rmdir().
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107194
(cherry picked from commit
294e8b0b672c8ffdcb8d9227f114846433659864)
Simon McVittie [Wed, 11 Jul 2018 15:16:38 +0000 (16:16 +0100)]
dbus_server_listen: Don't leak first_connect_error
If an implementation fails to listen, and a subsequent implementation
succeeds, then we would have leaked this. Detected by running
tests/loopback.c under valgrind.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107194
(cherry picked from commit
b14a4517a82f7e7e4c0b59cb663ebf77563decda)
Simon McVittie [Mon, 23 Jul 2018 17:52:01 +0000 (18:52 +0100)]
sysdeps: Reassure gcc 8 that we are not overflowing struct sockaddr_un
Using strncpy (buffer, str, strlen (str)) is a "code smell" that
might indicate a serious bug (it effectively turns strncpy into
strcpy), and gcc 8 now warns about it. In fact we avoided the bug
here, but it wasn't at all obvious.
We already checked that path_len is less than or equal to
_DBUS_MAX_SUN_PATH_LENGTH, which is 99, chosen to be strictly less
than the POSIX minimum sizeof(sun_path) >= 100, so we couldn't
actually be overflowing the available buffer.
The new static assertion in this commit matches a comment above the
definition of _DBUS_MAX_SUN_PATH_LENGTH: we define
_DBUS_MAX_SUN_PATH_LENGTH to 99, because POSIX says struct
sockaddr_un's sun_path member is at least 100 bytes (including space
for a \0 terminator). dbus will now fail to compile on
platforms that are non-POSIX-compliant in this way, except for Windows.
We zeroed the struct sockaddr_un before writing into it, so stopping
one byte short of the end of sun_path ensures that we get \0
termination.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107350
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
f429631365ba59a1749438af2184cab138a31772)
Simon McVittie [Mon, 23 Jul 2018 17:20:54 +0000 (18:20 +0100)]
build: Disable new gcc 8 warning -Wcast-function-type
The foreach(list, (DBusForeachFunction) free, NULL) idiom seems too
entrenched to remove it from stable branches.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107349
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
INSUN PYO [Fri, 27 Jul 2018 02:09:01 +0000 (11:09 +0900)]
service: add dependecy to tmp.mount
Until tmp.mount is run, dbus-daemon fails because /tmp is RO.
Signed-off-by: INSUN PYO <insun.pyo@samsung.com>
Change-Id: I6bfb47f2d14d95c440efc56e3ca2fd8b1b75c6ad
Hyotaek Shim [Mon, 25 Jun 2018 07:29:21 +0000 (16:29 +0900)]
Boost dbus.service and dbus.socket for boot optimization
Change-Id: Ie47ca8ea5fbf3b1deee98ebcdcd644b021531713
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
sanghyeok.oh [Tue, 8 May 2018 10:18:16 +0000 (19:18 +0900)]
Dbus policy: apply default deny rules in the global conf file (system.conf - system bus)
This is requirement from SR, MCD, and VD Security.
Change-Id: I5ec22cd70d15fdd07c4fd3d7ad7e9289bb4ef770
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
Aleksy Barcz [Tue, 8 May 2018 09:21:10 +0000 (11:21 +0200)]
kdbus: check policy first, only then open kdbus
A process shouldn't hold an open kdbus descriptor, if according to
security policy this process has no rights to open the bus at all.
Corrected error message and code to be consistent with dbus-daemon.
Change-Id: I8c138438a21736f9241addc9ed5a616f6be19442
Adrian Szyndela [Tue, 5 Jun 2018 07:33:47 +0000 (09:33 +0200)]
dbus: a couple of corrections after static analysis
dbus-transport-kdbus.c:900
SVACE 19383: Assignment of a signed value which has type 'int'
to a variable of a bigger integer type 'dbus_uint64_t'
dbus-transport-kdbus.c:2464
SVACE 2044: Checking return value of dbus_message_get_interface().
Change-Id: Ic793c2d414aa77273b9ff3eff83a72b4f3e4d815
Simon McVittie [Mon, 4 Jun 2018 16:55:05 +0000 (17:55 +0100)]
Update NEWS
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 4 Jun 2018 15:27:50 +0000 (16:27 +0100)]
test: Skip TCP tests if getaddrinfo doesn't work
For example, this can be the case in bubblewrap or Debian pbuilder after
unsharing the network namespace:
bwrap \
--bind / / \
--dev-bind /dev /dev \
--bind /dev/shm /dev/shm \
--bind /dev/pts /dev/pts \
--unshare-net \
${builddir}/test/test-loopback --tap
...
ok 1 /connect/tcp # SKIP Name resolution does not work here:
getaddrinfo("127.0.0.1", "0", {flags=ADDRCONFIG, family=INET,
socktype=STREAM, protocol=TCP}): Name or service not known
On some systems this can be circumvented by using nss_wrapper from
<https://cwrap.org/nss_wrapper.html>:
cat > hosts <<EOF
127.0.0.1 localhost
EOF
bwrap \
... \
env \
LD_PRELOAD=libnss_wrapper.so \
NSS_WRAPPER_HOSTS=$(pwd)/hosts \
${builddir}/test/test-loopback --tap
...
# listening at tcp:host=127.0.0.1,port=39219,family=ipv4,guid=...
but for systems where that does't work, we should be prepared to skip
the affected tests.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106812
(cherry picked from commit
f1faafd59bec67d347edb10447c4b9b18193458c)
Simon McVittie [Mon, 4 Jun 2018 15:27:49 +0000 (16:27 +0100)]
server-oom test: Don't assume localhost is resolvable
Pathological autobuilder environments might not list localhost in
/etc/hosts.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106812
(cherry picked from commit
4cfc7de30de7111f589501e5b597063aeb96cf28)
Simon McVittie [Mon, 4 Jun 2018 15:27:49 +0000 (16:27 +0100)]
test: Test the same things with unix: that we do with tcp:
Minimal autobuilder environments don't always have working TCP,
so we may need to skip TCP tests. Make sure we test the equivalent
code paths via Unix sockets in those environments.
One notable exception is test/fdpass.c, which uses TCP as a transport
that is known not to be able to carry Unix fds; this needs to continue
to use TCP.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106812
(cherry picked from commit
cb7dd5bfccb2882d0e9951c41040ff6a97bb827d)
Simon McVittie [Mon, 4 Jun 2018 15:27:48 +0000 (16:27 +0100)]
server-oom test: Parse the address instead of going directly to TCP
This expands test coverage, and lets us reuse the test for other
address schemes.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106812
(cherry picked from commit
b19c9e2f265878801bc48866a7cc3152ca2ad45e)
Simon McVittie [Mon, 4 Jun 2018 15:27:46 +0000 (16:27 +0100)]
sysdeps-unix: Handle errors from getaddrinfo correctly
getaddrinfo and getnameinfo have their own error-handling convention
in which the library call returns either 0 or an EAI_* error code
unrelated to errno. If the error code is not EAI_SYSTEM, then
the value of errno is undefined (in particular it might be carried
over from a previous system call or library call). Introduce a
new helper function _dbus_error_from_gai() to handle this.
The equivalent code paths in Windows appear to be OK: the Windows
implementation of getaddrinfo() is documented to return a Winsock
error code, which we seem to be handling correctly.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106395
(cherry picked from commit
60cedd0cfd775c9fcf7260e12af9b2ffeefc2bbe)
Adrian Szyndela [Wed, 23 May 2018 10:49:48 +0000 (12:49 +0200)]
GVariant: fix alignment of elements in array
This patch fixes two related bugs:
1. off-by-one in checking size and alignment of the next element
in_dbus_reader_get_signature_fixed_size()
2. alignment requirements were not considered at all while iterating
over array of variable size elements in array_reader_next().
Change-Id: Ibd9e1f3d11fbcd3ef0e6dbaa024e66b2568709d5
Adrian Szyndela [Thu, 24 May 2018 08:34:59 +0000 (10:34 +0200)]
dbus-marshal-gvariant: a couple of additional checks
Change-Id: I8c5bd10512682ac2df53c9b9ab89f4d4d669cd3f
Simon McVittie [Mon, 30 Apr 2018 17:38:55 +0000 (18:38 +0100)]
Start 1.12.10 development
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 27 Apr 2018 17:03:50 +0000 (18:03 +0100)]
1.12.8
Simon McVittie [Fri, 27 Apr 2018 17:18:07 +0000 (18:18 +0100)]
build: Uninstall JavaScript and CSS from htmldir
Otherwise, distcheck fails when mallard-ducktype is available.
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
9391d769ae335872e5b770f6741855fde45b8186)
Simon McVittie [Wed, 25 Apr 2018 15:58:53 +0000 (16:58 +0100)]
Preallocate release name
Simon McVittie [Wed, 25 Apr 2018 15:47:03 +0000 (16:47 +0100)]
NEWS: Mention non-local TCP too
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
2390a325a0f094a87065e6dcfdf99c188a5b360f)
Simon McVittie [Mon, 23 Apr 2018 17:33:42 +0000 (18:33 +0100)]
Update NEWS
(cherry picked from commit
ee0e42ae2d157a5d4c9d5f1a9114632897bc47ad)
Simon McVittie [Thu, 12 Apr 2018 13:07:17 +0000 (14:07 +0100)]
dbus-daemon(1): Mention and deprecate shared session buses
This might (?) have made sense behind a firewall in 2003; but now it's
2018, the typical threat model that we are defending against has
changed from "vandals want to feel proud of their l33t skills"
to "organised crime wants your money", and a "trusted" local LAN
probably contains an obsolete phone, tablet, games console or
Internet-of-Things-enabled toaster with remote root exploits.
This make network topologies that used to be acceptable look
increasingly irresponsible.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
d0a16b59a8572fbd1934e941e2e3004840306222)
Simon McVittie [Thu, 12 Apr 2018 13:09:19 +0000 (14:09 +0100)]
dbus-daemon(1): Recommend requiring EXTERNAL on non-Windows OSs
This is the default, and blocks TCP-based attacks by making the
attacker fail to authenticate (while also preventing inadvisable
TCP-based configurations from working).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
aef4475939a773e1a205a71d641ea2bb6793ab92)
Simon McVittie [Thu, 12 Apr 2018 13:08:08 +0000 (14:08 +0100)]
dbus-daemon(1): Put some scary warnings on <allow_anonymous/>
I'm far from convinced that this option should even *exist*, but it
should definitely be documented as a very bad thing.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
5d3680486712891c13b85c07fab629bb70f623cc)
Simon McVittie [Thu, 12 Apr 2018 12:57:26 +0000 (13:57 +0100)]
dbus-daemon(1): Recommend against remote TCP for debugging
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Add a TODO comment as suggested]
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
cf47380641aac0e5b40694b0ae09ffb85ec4b5fc)
Simon McVittie [Thu, 12 Apr 2018 12:57:00 +0000 (13:57 +0100)]
dbus-daemon(1): Say that non-local TCP is insecure
With some fairly reasonable threat models (active or passive local
attacker able to eavesdrop on the network link, confidential
information being transferred via D-Bus), secure authentication is
insufficient to make this transport secure: it does not protect
confidentiality or integrity either.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
2513f84db68a9edad8558806b777ed6c284016b9)
Simon McVittie [Mon, 23 Apr 2018 17:00:25 +0000 (18:00 +0100)]
Update NEWS for 1.12.x branch
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 23 Apr 2018 10:22:41 +0000 (11:22 +0100)]
doxygen_to_devhelp: Produce Devhelp index format v2
The old version-1 format is deprecated and now produces warnings.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106186
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Add the .devhelp2 file to .gitignore as suggested]
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
fa922639207de16d459983144ddad28b7abe60c2)
Simon McVittie [Mon, 23 Apr 2018 10:21:35 +0000 (11:21 +0100)]
doxygen_to_devhelp: Make the API reference the front page
The tutorial is not necessarily a great entry point for the libdbus
documentation: it's infrequently updated, and we should probably have
the "If you use this low-level API directly, you're signing up for some
pain" message from the API reference show up in devhelp more immediately.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106186
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Add longer commit message with rationale]
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
c84ac8b1ef3a9fa18127b2462ead369c4e8846bd)
Simon McVittie [Mon, 23 Apr 2018 16:38:56 +0000 (17:38 +0100)]
doc: Install highlight.pack.js if present
Newer versions of yelp-build use this instead of a jQuery syntax
highlighter.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106171
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Also add it to .gitignore as suggested]
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
49ad5b110fd5f5f4e41405d98007a11d8eb741f7)
Simon McVittie [Sat, 21 Apr 2018 18:35:41 +0000 (19:35 +0100)]
doc: Only install ancillary files from yelp-build if they exist
Newer versions of yelp-build don't install jquery.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106171
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
bab857fb6f75ffe0ac3771de4b8272ad97623a2c)
Adrian Szyndela [Fri, 13 Apr 2018 14:07:53 +0000 (16:07 +0200)]
gvariant: handle immediate iteration with empty body
With GVariant, we had to do a trade-off. libdbus API does not provide
any function that would state that a message is "finished".
While creating dbus-1 messages, they are always complete.
On additions header fields can change, and all the data is simply
appended. With GVariant it is different. The format does not have
signature field anymore in the header, but it is at the end
of a message, as a part of body variant. After a body variant,
there is also a body offset appended. These values are added to a body
when a message is considered "finished". We have chosen function
dbus_message_lock() as a signal that a message is finished.
This function is always called when a message is added to output queue.
Now, what does actually happen in case of immediate iteration after
creating a message with empty body? The length of the body is zero.
This is not possible for valid GVariant as it has at least one NUL byte,
signature (minimal is '()') and a body offset. It breaks
_dbus_message_gvariant_get_body_length(). However, it can be done with
public interface, therefore this patch:
1. fixes _dbus_message_gvariant_get_body_length() to return 0 in case
of empty body, instead of computing "negative" value.
2. warns users when they try to iterate over a GVariant message
that is not locked.
Change-Id: Ie7dc331f5ea278502df02a976e555a2c7d249197
Adrian Szyndela [Tue, 10 Apr 2018 13:58:13 +0000 (15:58 +0200)]
gvariant: fix recursing into empty array
In GVariant, arrays of variable size values have offsets at the end.
We need to know how many offsets are in an array when we recurse
into it. To count the offsets we need to have offsets size and
the start and end of the offsets. The start of the offsets
is computed from the value of the last offset.
On the other hand, empty arrays have size equal to zero. In other words,
they have no offsets. Function _dbus_reader_count_array_elems missed it.
This commit fixes _dbus_reader_count_array_elems() by ensuring returning 0
when an array is empty.
Change-Id: I5f93ea89e490b321b2c2528e7bae838a1af0ec75
Hyotaek Shim [Tue, 3 Apr 2018 04:47:23 +0000 (13:47 +0900)]
Apply Full RELRO linker options ("-Wl,-z,relro,-z,now") to dbus-daemon
In addition to Partial RELRO, Full RELRO means "GOT Table becomes read-only."
Change-Id: Iaed328906e23d526f3e05209d949f3e39f76a738
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
Simon McVittie [Thu, 1 Mar 2018 18:05:09 +0000 (18:05 +0000)]
1.12.6
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 23 Feb 2018 10:32:43 +0000 (10:32 +0000)]
Clarify NEWS entry with implications of fd.o#105165
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 20 Feb 2018 18:40:36 +0000 (18:40 +0000)]
Update NEWS for #105165
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
c62a20624e4616e7fa84427c54f3653312a7edb5)
Simon McVittie [Tue, 20 Feb 2018 11:45:39 +0000 (11:45 +0000)]
Add a unit test for the dbus-daemon resetting its fd limit
Reviewed-by: David King <dking@redhat.com>
[smcv: Fix typo in cmake macro name]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105165
(cherry picked from commit
49ca421997d91d3e01626b2c92a826e6a5db0b2f)
Simon McVittie [Tue, 20 Feb 2018 12:20:35 +0000 (12:20 +0000)]
cmake: Check for getrlimit, setrlimit
This gives us feature parity with the Autotools build system for this
particular area, and in particular means a system dbus-daemon built
with cmake can expand its fd limit.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105165
(cherry picked from commit
a146724f2f7610bc0a968d03a3f20481c03a6a37)
David King [Wed, 7 Feb 2018 14:37:24 +0000 (14:37 +0000)]
bus: raise fd limits before dropping privs
Startup ordering was changed in #92832 to ensure that SELinux audit
messages could be sent. As a side effect, the raising of file descriptor
limits was moved to after the dropping of root privileges, resulting in
the limit change always failing.
Move the raise_file_descriptor_limit() call to ensure that it is called
before dropping root privileges.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105165
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1529044
[smcv: Call raise_file_descriptor_limit() even if !context->user]
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
6e42964f5f850f4108fd8f7f3cd385ab4d60f9f6)
Simon McVittie [Thu, 8 Feb 2018 23:37:33 +0000 (23:37 +0000)]
Start towards 1.12.6
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Thu, 8 Feb 2018 14:32:18 +0000 (14:32 +0000)]
1.12.4
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Thu, 8 Feb 2018 14:21:17 +0000 (14:21 +0000)]
Add NEWS for #104925
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
93433970e9c5a5d0b7f92a37174b40624c711475)
Philip Withnall [Sat, 3 Feb 2018 11:25:17 +0000 (12:25 +0100)]
doc: Fix bracket escaping in Ducktype API design file
There’s no need to escape closing brackets if the paired opening bracket
is escaped (or doesn’t need escaping).
See
https://github.com/projectmallard/mallard-ducktype/issues/16#issuecomment-
362590519.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=104925
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
ad72d6bc5f45e78d21f64099f670a89dcf32507d)
Simon McVittie [Thu, 8 Feb 2018 14:11:26 +0000 (14:11 +0000)]
Add NEWS for #102839
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
705db4455d482edba52d0af3fe57521da9d33e86)
Simon McVittie [Thu, 1 Feb 2018 19:47:00 +0000 (19:47 +0000)]
Add new test for waiting on pending calls in threads
Based on code contributed by Manish Narang. This is not included in the
automated test suite, because it isn't reliable on heavily-loaded
automatic test infrastructure like Travis-CI.
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Add the test to the CMake build system too, as requested]
[smcv: Convert into a manual test]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102839
(cherry picked from commit
0b1e2928606e0cf138c38e75eb248d2ed19bff15)
Simon McVittie [Mon, 24 Jul 2017 11:30:57 +0000 (12:30 +0100)]
Add a simplified backport of g_steal_pointer()
This will be used in tests later in the branch.
Sadly we can't use GLIB_VERSION_2_44 unless we are willing to have a
hard dependency on GLib 2.44, which would force us to do all our
Travis-CI builds in Docker containers rather than in ye olde base
system, and that adds 50% to the time taken to do builds.
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Rebase onto 1.13.x branch, fix minor conflicts]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
(cherry picked from commit
d5742550ca566317eaddea0ff7db04098f9f044f)
Simon McVittie [Tue, 25 Jul 2017 12:37:52 +0000 (13:37 +0100)]
cmake: Match AC_DEFINE more precisely, respecting [] quoting
The regular expression previously used here to select the second
comma-delimited argument won't work when we introduce an argument
containing a comma, which I need to do now. We can address this by
recognising Autoconf's quoting mechanism (which uses square
brackets).
This is not 100% right (it doesn't understand nested square brackets),
but it's good enough in practice.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Acked-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
(cherry picked from commit
83b439f7b4c6a946e0fe9a0287910ba4f6318143)
Simon McVittie [Mon, 27 Nov 2017 19:14:23 +0000 (19:14 +0000)]
tests: Add the ability to multiply up test timeouts
Tests that brute-force OOM code paths can be rather slow.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100317
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
5c91d85f3ed462dac1e011aab216c9021e826773)
Simon McVittie [Thu, 1 Feb 2018 19:46:28 +0000 (19:46 +0000)]
test_connect_to_bus: Allow skipping the use of a DBusLoop
DBusLoop isn't thread-safe, so we can't use it to test multi-threaded
situations.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102839
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
f127c8e110faed76039f96dbc53a87f093fea312)
[smcv: Adjust for older codebase]
Simon McVittie [Thu, 25 Jan 2018 12:35:07 +0000 (12:35 +0000)]
DBusPendingCall: Improve doc-comments around completed flag
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102839
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit
57a0cf1d14c20765bfc7a36234955b14f3811f2a)
Manish Narang [Thu, 25 Jan 2018 11:39:44 +0000 (11:39 +0000)]
DBusPendingCall: Only update ->completed under the connection lock
If one thread is blocking on a pending call, and another thread is
dispatching the connection, then we need them to agree on the value
of the completed flag by protecting all accesses with a lock. Reads
for this member seem to have the connection lock already, so it's
sufficient to make sure that the only write also happens under the
connection lock.
We already set the completed flag before calling the callback, so it
seems OK to stretch it to meaning that some thread has merely *taken
responsibility for* calling the callback.
The completed flag shares a bitfield with timeout_added, but that
flag is protected by the connection lock already.
Based on suggestions from Simon McVittie on
<https://bugs.freedesktop.org/show_bug.cgi?id=102839>.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102839
[smcv: Revert indentation changes; add commit message]
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
d3e03eb50eefa5a38d87f274c7de73f36468459c)
Manish Narang [Thu, 25 Jan 2018 11:39:44 +0000 (11:39 +0000)]
DBusConnection: Pass a pending call around more often
If a pending call is provided, _dbus_connection_do_iteration_unlocked
checks whether it has completed or has a reply ready as soon as it
acquires the I/O path. If that's the case, then the iteration
terminates without trying to carry out I/O, so that the pending call
can be dispatched immediately, without blocking until a timeout is
reached. This change is believed to be necessary, but not sufficient,
to resolve #102839.
Based on part of a patch from Michael Searle on
<https://bugs.freedesktop.org/show_bug.cgi?id=102839>.
Commit message added by Simon McVittie.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=102839
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
30f8a38b3c8f8756744d6b65dd8207302a683acc)
Simon McVittie [Mon, 29 Jan 2018 12:01:09 +0000 (12:01 +0000)]
NEWS: Mention systemd < 237 here too
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit
38dea203a5514dc4b4e858fce0b6957d4cf116ab)