review.tizen.org Git - platform/upstream/dbus.git/log

dbus-send: Avoid duplicated-branches warning

Switch the order of the argument checks to avoid the
-Wduplicated-branches warning.

Signed-off-by: David King <dking@redhat.com>
Reviewed-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit c0bf0d185d72e20e70da9a98e13f69e19f2a87d5)

desktop-file: Justify implementation of is_valid_section_name()

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 99580298f305e1e2426f0c016d797a1ff9ea0b79)

is_valid_section_name: Fix logical expression

Group names in desktop files may contain all ASCII characters, except
control characters and '[' and ']'. Rather than accepting all values,
thanks to a logical operator confusion found by GCC warning
-Wlogical-op, instead explicitly reject the invalid values.

Signed-off-by: David King <dking@redhat.com>
Fixes: https://gitlab.freedesktop.org/dbus/dbus/issues/208
(cherry picked from commit 3ef9e789c1b99f420078f4debabd4f5c4fa0a748)

Adapt to API change in AX_CODE_COVERAGE version 28

AX_CODE_COVERAGE recently changed the way it embedded its Makefile rules
in the output file: instead of using @CODE_COVERAGE_RULES@, users
are now meant to include aminclude_static.am.

The new AX_CODE_COVERAGE is only in the latest autoconf-archive release,
version 2019.01.06, which is inconveniently new, so bundle everything
we need for the moment.

This requires us to stop using the deprecated CODE_COVERAGE_LDFLAGS
(which we still used to support older versions of autoconf-archive)
and replace them with CODE_COVERAGE_LIBS.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2938c2125ebcd001e470aeac1ffac45b6b1ebe89)
Closes: dbus#265

kdbus: share fd and pool with libdbuspolicy

This uses new functionality of libdbuspolicy: using client's pool and fd.
This way libdbuspolicy doesn't have to create its own connection,
and what is more important it doesn't have to create its own 1MB pool.
This is at the cost of using client's pool for receiving responses
to ioctl(KDBUS_CMD_GET_CONN_INFO), which are small.

Change-Id: I183a91196fead179a9fba22fa6418680305d3558

kdbus: add assert for non-NULL member

Trying to call an unnammed method on org.freedesktop.DBus is considered
a programming error.
This detects such errors.

Change-Id: Ic341df0eef0e7ef5ab8234aacc2c256c295327c3

kdbus: move dbuspolicy init to bus_register_kdbus

This changes the moment of checking if user is allowed to connect to
the bus. Now, it reflects standard process a bit more.

The standard process is:
- open fd (e.g. socket);
- check authentication, if needed and possible;
- connect to the bus (say hello).

In kdbus, we have only:
- open kdbus fd;
- connect to the bus (ioctl KDBUS_CMD_HELLO).
Calling libdbuspolicy for authentication fits between the two.

Additionally, and most importantly, this is required to share
the connection between libdbus and libdbuspolicy in the future.

Change-Id: Id6fe1dbc1cdc6ec774316e13fe5d60d862949476

kdbus: Fix memory leakage in capture_org_freedesktop_DBus_StartServiceByName()

Change-Id: If4b04d0f287e199e809cdf183ce4ce779c0f4dd4
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

DBusMessage: bugfix for wrong type specifier

Change-Id: I0743a3d67e3d6d58acc605ded013eedb6b0af9c5
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

dbus_message_iter_open_container: Don't leak signature on failure

If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().

One might reasonably worry that this change can break callers that use
this (incorrect) pattern:

    if (!dbus_message_iter_open_container (outer, ..., inner))
      {
        dbus_message_iter_abandon_container (outer, inner);
        goto fail;
      }
    /* now we know inner is open, and we must close it later */

However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.

This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.

Change-Id: I2ccd4b516c7714f64c4543dd8d2e5c99633733a5
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

dbus_message_append_args_valist: Don't leak memory on inappropriate type

Found by source code inspection while trying to debug an unrelated
leak.

Change-Id: I0726c57bb4b0ccdadee2263b14f9fe3fe4ebc99a
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

DBusMessage: Fix UB (misaligned access) in call to _dbus_header_set_field_basic()

The const void* 'value' pointer that is passed the address of a
uint32_t here eventually ends up in _dbus_marshal_write_basic(), which
casts it to a DBusBasicValue, a union type that has an alignment of
eight on 64-bit platforms and is therefore more-aligned than the
uint32.

The read of a value of a more-aligned type through a pointer to a less
-aligned type is undefined behaviour.

Fix by storing the uint32 in a DBusBasicValue and passing that instead.

Found by UBSan:

  dbus/dbus/dbus-marshal-basic.c:832:14: runtime error: member access within misaligned address 0x7fdb8dac3a04 for type 'const union DBusBasicValue', which requires 8 byte alignment
  0x7fdb8dac3a04: note: pointer points here
    4a 87 b5 71 01 00 00 00  40 7d 01 00 00 61 00 00  10 3b ac 8d db 7f 00 00  2c 2a 3e 94 db 7f 00 00
                ^
    #0 0x7fdb9444a2c3 in _dbus_marshal_write_basic dbus/dbus/dbus-marshal-basic.c:832
    #1 0x7fdb943d22fb in _dbus_type_writer_write_basic_no_typecode dbus/dbus/dbus-marshal-recursive.c:1605
    #2 0x7fdb943d64e9 in _dbus_type_writer_write_basic dbus/dbus/dbus-marshal-recursive.c:2327
    #3 0x7fdb943c52a6 in write_basic_field dbus/dbus/dbus-marshal-header.c:318
    #4 0x7fdb943c919e in _dbus_header_set_field_basic dbus/dbus/dbus-marshal-header.c:1321
    #5 0x7fdb943e1349 in dbus_message_set_reply_serial dbus/dbus/dbus-message.c:1173

Change-Id: I0149da4ebbead9b4b38c8c62af1ea892e24ec95e
Signed-off-by: Marc Mutz <marc@kdab.net>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98035

dbus_message_iter_append_basic: Don't leak signature if appending fd fails

Change-Id: I37ac4d243832476772ffbd822bbf4598e6f8f9a5
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568

dbus-hash: Fix a potential shift by a negative integer

As a hash table becomes unbelievably large and full, the down_shift
tends towards 0. The overflow detection code in rebuild_table() does not
prevent down_shift becoming negative, which then causes undefined
behaviour in RANDOM_INDEX for int-keyed tables.

Note that this can only happen with approaching INT_MAX entries in the
hash table, at which point we’ve almost certainly hit OOM somewhere, so
this is vanishingly unlikely to happen. This is why I can’t add a test
for the bug.

As always, thanks to Coverity.

Coverity ID: 54682
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99641
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Change-Id: Iac3047fc0bff11b3d08c2938c0fda292bddb1466

Display thread id in _dbus_verbose to be able to see threading issues.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95191
Change-Id: I16b39c8c3123436d54655a67f9d00aa090933aba
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

tools: modify execute label of dbus-monitor

Unable to read 'fd passing messages' due to permission.
Set execute label as "System"

Change-Id: I765081a58cc285951216fdb63f8cf9a5c68e39de
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

configure.ac: Forbid AX_-prefixed patterns more selectively

We want to make autoconf fail early and with a user-comprehensible
message if autoconf-archive isn't installed, rather than generating
a configure script with syntax errors, or a configure script that runs
successfully but doesn't do what we intended.

However, autoconf-archive doesn't actually guarantee not to use
AX_-prefixed shell variable names without m4_pattern_allow'ing them
(unlike Autoconf, Automake, Libtool and pkg-config, which explicitly use
m4_pattern_allow for variables with AC_, AM_, LT_ and PKG_ prefixes), so
it isn't safe to assume that they won't be used. In particular, recent
versions of AX_CHECK_GNU_MAKE appear to be using
$AX_CHECK_GNU_MAKE_HEADLINE as a shell variable.

Instead, specifically forbid the names of the finite list of macros
that we actually use.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: dbus#249
(cherry picked from commit ee09cc0acdc1c34e8ae999adf9922f3d0d66f407)

dbus-connection: Add _dbus_string_free to deallocate memory

The string must eventually be freed with _dbus_string_free().

Change-Id: I4041940684dd1dc7099bf823b22fabc357f17901
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

Fix missing dbus_message_unref() in error reply path

The error message was leaked when blocking on a pending call after
the connection was disconnected.

Change-Id: Icc95bcef32b2fd1d2b4d4a7db3bdf2936579c52c
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: re-word commit message]
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101481

dbus-connection: Remove a duplicate _dbus_list_clear() call

This was doing no harm (clearing an already-cleared list is a no-op),
but it was also pointless.

Change-Id: I21b580f01439ef2113183a116f208bf91e09ac76
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99435

dbus-daemon: add send_destination_prefix support

Change-Id: Iaa1eff400c045ec46465f248e8460c97bb183e5b

kdbus: fixed memory leak in process_connection_info_cmd()

Change-Id: I67e577761e7596eac400bc8c35386f4c0cbf840a
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>

Start working on dbus 1.12.14

Signed-off-by: Simon McVittie <smcv@collabora.com>

1.12.12

Signed-off-by: Simon McVittie <smcv@collabora.com>

CI: Start supporting Debian 10 'buster', currently under development

This gives us a way to build on a more recent host OS if we want to.
For Gitlab-CI it's disabled by default.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 28c27349e252e33215e21b570d41853badd770ef)

CI: Exercise maintainer-only documentation build

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit bcc34caa43d8e5dba8266cf163d8a24e4fb55dce)

CI: Stop building on Ubuntu 14.04 'trusty'

The version of gcc in trusty is too old for AddressSanitizer, which we
want to be able to start using, and Travis-CI finally supports Ubuntu
16.04 'xenial' now. This lets us remove some workarounds, but we need
to update others.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 0c553afcd9c79bc19ffdad67980f421def5d0613)

ci-build.sh: Show file size in list of files to be able to compare generated file size

(cherry picked from commit bac2fd3aa458c7dfd002f7ec96a245d630c5830f)

CI: Remove unimplemented --with-glib option

dbus has never actually had this option.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit e0a1bfb26a9f72e8fe59af770d394a90810a7cea)

CI: List attributes, sizes etc. of installed files, not just names

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d71049799a3f87de95151e00c667c05dd0b5386c)

doc: Remove obsolete message about man2html

We no longer run man2html.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit f134e2d2c7ae53965dfba0c85bf76ad38fb7fa4c)

CONTRIBUTING.md: Update and rewrite

This file hadn't kept up with reality, and needs updating for Gitlab.
Take the opportunity to rewrite it.

Much of the text, particularly about commit messages, was taken from
Wayland's contributing guide (thanks to Ander Conselvan de Oliveira,
Bryce Harrington, Eric Engestrom, Pekka Paalanen and Daniel Stone).

Signed-off-by: Simon McVittie <smcv@collabora.com>

CONTRIBUTING: Reformat as Markdown

Signed-off-by: Simon McVittie <smcv@collabora.com>

CONTRIBUTING: Remove all trailing whitespace

Signed-off-by: Simon McVittie <smcv@collabora.com>

Rename HACKING to CONTRIBUTING

Signed-off-by: Simon McVittie <smcv@collabora.com>

Merge "Revert "Add RequiresMountsFor=/opt to dbus.service"" into tizen

NEWS: Refer to Gitlab

Signed-off-by: Simon McVittie <smcv@collabora.com>

Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>

activation: Don't leak if delivering activation message is forbidden

This is technically a denial of service because the dbus-daemon will
run out of memory eventually, but it's a very slow and noisy one,
because all the rejected messages are also very likely to have
been logged to the system log.

Detected by AddressSanitizer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/234
Reviewed-by: pwithnall

spec: fixed compilation options to reduce warnings

If -mimplicit-it option is set to thumb while compiling to ARM,
then it shows lots of:
Warning: conditional outside an IT block for Thumb.

This commit removes -mimplicit-it from the compilation options on ARM32 arch.

Change-Id: I6eea9ef65e61b8ec7afa16035d4a14d6d7f870e4

Revert "Add RequiresMountsFor=/opt to dbus.service"

This reverts commit 1c9ed8666fcbae5076022fdf6d0f177d7e464ce4.

Change-Id: Ic15fcd3ace518c180910f43cc18b40c6de478d92

Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>

dbus-daemon test: Allow much longer for pending fd timeout

The timeout we're using here is 0.5s (500ms), but the actual time taken
is unbounded, because the OS scheduler might not schedule our process
for an arbitrary length of time after we become runnable.

We previously allowed up to 1 second, but in the CI jobs for dbus!9
and dbus!18 we've seen this take up to 3.4 seconds (presumably
because other tests, or other jobs running on the same shared
infrastructure, starved this process). Allow up to 10 seconds to guard
against spurious failures.

The timeout used in the production system.conf is 150 seconds (2½
minutes), and we're only using the shorter 500ms timeout here to make
the test complete more quickly, so ±10 seconds is relatively
insignificant: the main thing is that it's finite.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 20e6eb7cd1f9c2ad941bd62c8f1f71712377a96e)

build: Never use poll() on Darwin family (macOS, etc.) or Interix

Doing a runtime check in configure.ac (AC_RUN_IFELSE) has several
disadvantages:

* It doesn't work when cross-compiling. For example, if we build macOS
  binaries on a Linux system, we'd assume that poll() works, but in
  fact it won't.

* It checks the build system capabilities, but that is not necessarily
  appropriate if (for example) a macOS 10.10 user builds binaries that
  could be used by macOS 10.12 or macOS 10.9 users.

* It checks for one specific failure mode, but macOS seems to have a
  history of various implementation issues in poll().

* If we want it to work in CMake, we have to duplicate it in the CMake
  build system.

None of these is a showstopper on its own, but the combination of all
of them makes the current approach to avoiding the broken poll() on
macOS look unreliable. libcurl, a widely-portable library making
extensive use of sockets, specifically doesn't use poll() on Darwin
(macOS, iOS, etc.) or on Interix; let's follow their example here.

See also https://bugzilla.gnome.org/show_bug.cgi?id=302672 and
https://daniel.haxx.se/blog/2016/10/11/poll-on-mac-10-12-is-broken/
for some relevant history.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/232
(cherry picked from commit 0414ea65ca8196e328da09c3a2324d7765fba8c4)

Do not auto-activate services if we could not send a message

We specifically do not check recipient policies, because
the recipient policy is based on properties of the
recipient process (in particular, its uid), which we do
not necessarily know until we have already started it.

In this initial implementation we do not check LSMs either,
because we cannot know what LSM context the recipient process
is going to have. However, LSM support will need to be added
to make this feature useful, because StartServiceByName is
normally allowed in non-LSM environments, and is more
powerful than auto-activation anyway.

The StartServiceByName method does not go through this check,
because if access to that method has been granted, then
it's somewhat obvious that you can start arbitrary services.

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

Change-Id: I53ff4f6d02e631fcd09bf1c5c306b8828f075963

Add tests for activation when message send/receive is denied

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

Change-Id: I7339c1a6de69a751cbe0b9047c980c4aea53750b

dbus-daemon: prepare activation for async security checks

This commit prepares activation function (bus_activation_acivate_service())
for returning BUS_RESULT_LATER from security check introduced
in next commits.

Change-Id: I5b37d06fc5f7e563d52ed7207b5e416bedd666e6

Remove kdbus interface header

kdbus.h is now provided with other linux kernel headers.

Change-Id: Ida7d06aa1f27d88040f949fffd73f0d6cfd5f244
Signed-off-by: Michal Bloch <m.bloch@samsung.com>

Update NEWS

ci: Use a separate ccache for each CI job

This should avoid them overwriting each other.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit e3fb085886d26aa84a0ce1bfe441244206c87e6f)

ci: Mark many Gitlab jobs to be run manually

freedesktop.org Gitlab doesn't currently have enough test runners
available to run all of this every time. For higher-risk changes
(for example those that change the build system) we can run the
complete set through the web UI.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a2f416c2896062755c285f2d1fe4a2dc03455aa1)

ci: Reshuffle mingw jobs so we test different combinations

We test the combinations that we don't test on Travis-CI.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a6d926b805a1a38567a70490b3e8d7d6c932d1f5)

ci: Use ccache to speed up repeated builds

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d0728fd06e5a2302e7596e3df56b68b0a0834fd7)

ci: Add Gitlab-CI configuration

This uses the same shell scripts as Travis-CI, with slightly different
settings. We use Docker containers for all our Gitlab-CI runs, so take
the opportunity to use Debian 9 'stretch' as our baseline, and
relegate Ubuntu 14.04 'trusty' to to a secondary build.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 60933c09e9e891f74f0102fabe22d29a1a7ae5c5)

ci: Explicitly install cmake

Travis-CI workers have cmake preinstalled, but Gitlab-CI Docker images
typically don't.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 907832e00849ca454322052981dbb122ea537506)

ci: Teach ci-install.sh to install wine on Debian 9 'stretch'

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=108177
Acked-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 408b222a9fc61327cd7be385b6705f30f0c38802)

travis-ci: Add cross building support for mingw 64 bit compiler

Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit d22e7901b555a0bfb5e06fb2463d839a276c7482)

sysdeps-win: Print word-size-dependent offset correctly

AddrPC.Offset is the same size as a pointer, but previously
we printed it as though it was the same size as a long,
which is 32 bits on 64-bit Windows.

Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit 577813cf3a89df804efa6d85a1c5415ba12806ec)

dbus-transport-socket: Correctly print DBusSocket with DBUS_SOCKET_FORMAT

Previously, on 64-bit Windows we were passing a 32-bit int where the
format string expects a 64-bit SOCKET.

Reviewed-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=105662
(cherry picked from commit 18d4ff664491c17664b9f88c06d9338cd3750120)

Remove build warnings

Change-Id: Ia1676731696d446a3511efb700dd89c1a1100b08
Signed-off-by: pr.jung <pr.jung@samsung.com>

Set the smack label of executable binary tools

Apps (3rd party and even in-house Apps) are not permitted to run dbus tools directly.
User System::Tools rx
User::Shell System::Tools rx
System::TEF System::Tools rx
System::Privileged System::Tools rx
System System::Tools rx

Change-Id: Ica6d587d2516da8241590f3cf090a91ed8d3ff75
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Update NEWS

Reference the freedesktop.org Code of Conduct

Signed-off-by: Simon McVittie <smcv@collabora.com>

Update NEWS

Do not apply __attribute__((__malloc__)) to dbus_realloc()

As noted in GLib commit c879f50f, gcc's interpretation of the malloc
attribute has become more strict over time, which could result in
miscompilation. The new definition is that in addition to assuming
that the returned memory block is newly-allocated, gcc now assumes
that it does not contain any valid pointers. This is OK for
uninitialized or zero-initialized memory returned by dbus_malloc()
or dbus_malloc0(), but not valid for dbus_realloc(), which might be
used for a dynamically-sized array of (structures containing)
valid pointers.

See https://gitlab.gnome.org/GNOME/glib/issues/1465

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107741

Update NEWS

server-unix: Don't leak address of systemd server on success

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107320
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit d98c43c697fbeb104463dcf2da36d0d855bfb367)

bus: Free address (from --address) when we have finished using it

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107320
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 7ae750c4e887b2d63f87caaf2162125ec3217fcc)

Add RequiresMountsFor=/opt to dbus.service

In order to apply User/Group to .service, we need /opt/etc/{passwd,group}.

Signed-off-by: INSUN PYO <insun.pyo@samsung.com>
Change-Id: I585503d0dc180f21bd9594327b87b80204876005

1.12.11

1.12.10

Update NEWS

validate_body_helper: Bounds-check before validating booleans

Running the "embedded tests" through valgrind revealed that before this
commit, we would have been willing to read up to 3 bytes off the end of
a message if the message is truncated part way through a boolean. Any
practical allocator will round up allocations to the next 32-bit (or
larger) boundary, so in practice this will not leave the memory buffer
(and in particular did not crash during unit testing), but it could read
uninitialized contents.

On little-endian CPUs, an attacker might be able to use this to learn
whether up to 3 bytes of uninitialized memory in the dbus-daemon
were all-zero (their crafted message would be relayed) or not (their
connection would be disconnected for sending an invalid message). On
big-endian CPUs, an attacker might be able to use this to learn whether
up to 3 bytes were all-zeroes (relayed to a cooperating peer), 0-2
bytes of all-zeroes followed by 0x01 (relayed to a cooperating peer),
or something else (disconnected). This is not believed to be exploitable
to leak interesting information.

Fixes: 62e46533 "hardcode dbus_bool_t to 32 bits"
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107332
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit e93a775e68daeda5c95984452aee6327e31c17dd)

Update NEWS

nonce: Don't try to rmdir(NULL) on OOM

If re-initializing the string fails, it will be left in a state
where it has a length of 0 and a NULL buffer. That's valid to
"free", but not valid to pass to rmdir().

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107194
(cherry picked from commit 294e8b0b672c8ffdcb8d9227f114846433659864)

dbus_server_listen: Don't leak first_connect_error

If an implementation fails to listen, and a subsequent implementation
succeeds, then we would have leaked this. Detected by running
tests/loopback.c under valgrind.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107194
(cherry picked from commit b14a4517a82f7e7e4c0b59cb663ebf77563decda)

sysdeps: Reassure gcc 8 that we are not overflowing struct sockaddr_un

Using strncpy (buffer, str, strlen (str)) is a "code smell" that
might indicate a serious bug (it effectively turns strncpy into
strcpy), and gcc 8 now warns about it. In fact we avoided the bug
here, but it wasn't at all obvious.

We already checked that path_len is less than or equal to
_DBUS_MAX_SUN_PATH_LENGTH, which is 99, chosen to be strictly less
than the POSIX minimum sizeof(sun_path) >= 100, so we couldn't
actually be overflowing the available buffer.

The new static assertion in this commit matches a comment above the
definition of _DBUS_MAX_SUN_PATH_LENGTH: we define
_DBUS_MAX_SUN_PATH_LENGTH to 99, because POSIX says struct
sockaddr_un's sun_path member is at least 100 bytes (including space
for a \0 terminator). dbus will now fail to compile on
platforms that are non-POSIX-compliant in this way, except for Windows.

We zeroed the struct sockaddr_un before writing into it, so stopping
one byte short of the end of sun_path ensures that we get \0
termination.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107350
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit f429631365ba59a1749438af2184cab138a31772)

build: Disable new gcc 8 warning -Wcast-function-type

The foreach(list, (DBusForeachFunction) free, NULL) idiom seems too
entrenched to remove it from stable branches.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=107349
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>

service: add dependecy to tmp.mount

Until tmp.mount is run, dbus-daemon fails because /tmp is RO.

Signed-off-by: INSUN PYO <insun.pyo@samsung.com>
Change-Id: I6bfb47f2d14d95c440efc56e3ca2fd8b1b75c6ad

Boost dbus.service and dbus.socket for boot optimization

Change-Id: Ie47ca8ea5fbf3b1deee98ebcdcd644b021531713
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Dbus policy: apply default deny rules in the global conf file (system.conf - system bus)
This is requirement from SR, MCD, and VD Security.

Change-Id: I5ec22cd70d15fdd07c4fd3d7ad7e9289bb4ef770
Signed-off-by: sanghyeok.oh <sanghyeok.oh@samsung.com>
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

kdbus: check policy first, only then open kdbus

A process shouldn't hold an open kdbus descriptor, if according to
security policy this process has no rights to open the bus at all.
Corrected error message and code to be consistent with dbus-daemon.

Change-Id: I8c138438a21736f9241addc9ed5a616f6be19442

dbus: a couple of corrections after static analysis

dbus-transport-kdbus.c:900
SVACE 19383: Assignment of a signed value which has type 'int'
to a variable of a bigger integer type 'dbus_uint64_t'

dbus-transport-kdbus.c:2464
SVACE 2044: Checking return value of dbus_message_get_interface().

Change-Id: Ic793c2d414aa77273b9ff3eff83a72b4f3e4d815

Update NEWS

Signed-off-by: Simon McVittie <smcv@collabora.com>

test: Skip TCP tests if getaddrinfo doesn't work

For example, this can be the case in bubblewrap or Debian pbuilder after
unsharing the network namespace:

    bwrap \
    --bind / / \
    --dev-bind /dev /dev \
    --bind /dev/shm /dev/shm \
    --bind /dev/pts /dev/pts \
    --unshare-net \
    ${builddir}/test/test-loopback --tap
    ...
    ok 1 /connect/tcp # SKIP Name resolution does not work here:
    getaddrinfo("127.0.0.1", "0", {flags=ADDRCONFIG, family=INET,
    socktype=STREAM, protocol=TCP}): Name or service not known

On some systems this can be circumvented by using nss_wrapper from
<https://cwrap.org/nss_wrapper.html>:

    cat > hosts <<EOF
    127.0.0.1 localhost
    EOF
    bwrap \
    ... \
    env \
    LD_PRELOAD=libnss_wrapper.so \
    NSS_WRAPPER_HOSTS=$(pwd)/hosts \
    ${builddir}/test/test-loopback --tap
    ...
    # listening at tcp:host=127.0.0.1,port=39219,family=ipv4,guid=...

but for systems where that does't work, we should be prepared to skip
the affected tests.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106812
(cherry picked from commit f1faafd59bec67d347edb10447c4b9b18193458c)

server-oom test: Don't assume localhost is resolvable

Pathological autobuilder environments might not list localhost in
/etc/hosts.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106812
(cherry picked from commit 4cfc7de30de7111f589501e5b597063aeb96cf28)

test: Test the same things with unix: that we do with tcp:

Minimal autobuilder environments don't always have working TCP,
so we may need to skip TCP tests. Make sure we test the equivalent
code paths via Unix sockets in those environments.

One notable exception is test/fdpass.c, which uses TCP as a transport
that is known not to be able to carry Unix fds; this needs to continue
to use TCP.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106812
(cherry picked from commit cb7dd5bfccb2882d0e9951c41040ff6a97bb827d)

server-oom test: Parse the address instead of going directly to TCP

This expands test coverage, and lets us reuse the test for other
address schemes.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106812
(cherry picked from commit b19c9e2f265878801bc48866a7cc3152ca2ad45e)

sysdeps-unix: Handle errors from getaddrinfo correctly

getaddrinfo and getnameinfo have their own error-handling convention
in which the library call returns either 0 or an EAI_* error code
unrelated to errno. If the error code is not EAI_SYSTEM, then
the value of errno is undefined (in particular it might be carried
over from a previous system call or library call). Introduce a
new helper function _dbus_error_from_gai() to handle this.

The equivalent code paths in Windows appear to be OK: the Windows
implementation of getaddrinfo() is documented to return a Winsock
error code, which we seem to be handling correctly.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106395
(cherry picked from commit 60cedd0cfd775c9fcf7260e12af9b2ffeefc2bbe)

GVariant: fix alignment of elements in array

This patch fixes two related bugs:
1. off-by-one in checking size and alignment of the next element
in_dbus_reader_get_signature_fixed_size()
2. alignment requirements were not considered at all while iterating
over array of variable size elements in array_reader_next().

Change-Id: Ibd9e1f3d11fbcd3ef0e6dbaa024e66b2568709d5

dbus-marshal-gvariant: a couple of additional checks

Change-Id: I8c5bd10512682ac2df53c9b9ab89f4d4d669cd3f

Start 1.12.10 development

Signed-off-by: Simon McVittie <smcv@collabora.com>

1.12.8

build: Uninstall JavaScript and CSS from htmldir

Otherwise, distcheck fails when mallard-ducktype is available.

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9391d769ae335872e5b770f6741855fde45b8186)

Preallocate release name

NEWS: Mention non-local TCP too

Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 2390a325a0f094a87065e6dcfdf99c188a5b360f)

Update NEWS

(cherry picked from commit ee0e42ae2d157a5d4c9d5f1a9114632897bc47ad)

dbus-daemon(1): Mention and deprecate shared session buses

This might (?) have made sense behind a firewall in 2003; but now it's
2018, the typical threat model that we are defending against has
changed from "vandals want to feel proud of their l33t skills"
to "organised crime wants your money", and a "trusted" local LAN
probably contains an obsolete phone, tablet, games console or
Internet-of-Things-enabled toaster with remote root exploits.
This make network topologies that used to be acceptable look
increasingly irresponsible.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit d0a16b59a8572fbd1934e941e2e3004840306222)

dbus-daemon(1): Recommend requiring EXTERNAL on non-Windows OSs

This is the default, and blocks TCP-based attacks by making the
attacker fail to authenticate (while also preventing inadvisable
TCP-based configurations from working).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit aef4475939a773e1a205a71d641ea2bb6793ab92)

dbus-daemon(1): Put some scary warnings on <allow_anonymous/>

I'm far from convinced that this option should even *exist*, but it
should definitely be documented as a very bad thing.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106004
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
(cherry picked from commit 5d3680486712891c13b85c07fab629bb70f623cc)