Separate the event based implementation for _dbus_poll() from the fd based one
The function _dbus_poll() has been split into two functions,
_dbus_poll_events() and _dbus_poll_select(), each containing the
corresponding implementation.
_dbus_poll() now calls the corresponding function.
Some of the command-lines that we print as diagnostics contain newlines,
which will cause warnings or errors under a strict TAP parser (and one of
them wasn't correctly prefixed with '#' anyway). TAP parsers only parse
stdout, not stderr, so we can use stderr for these diagnostic messages.
[smcv: Expand commit message]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Otherwise, Coverity will diagnose this as a resource leak,
because it doesn't understand that our assertions end up guaranteeing
that the result is freed if and only if it's non-`NULL`.
Simon McVittie [Thu, 16 Apr 2020 13:18:49 +0000 (14:18 +0100)]
test: Enable more tests when embedded tests are disabled
These previously relied on embedding test-specific code in libdbus,
but they actually only need public APIs, private interfaces that get
exported anyway for the benefit of dbus-daemon, and the TAP helpers;
so we can run them even in production builds.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 6 Apr 2020 13:48:11 +0000 (14:48 +0100)]
CI: Build on Debian 10 'buster' by default
Previously, we built on Debian 9 'stretch' by default, and on
Debian 10 'buster' only on request. Let's reverse that so that we get
more modern toolchains, before Debian 9 'stretch' reaches EOL.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 11 Mar 2020 13:14:45 +0000 (13:14 +0000)]
sysdeps-win: Refactor cleanup of struct addrinfo during connect()
As suggested on !143. Instead of remembering to free it in every error
condition, let's move its cleanup to the "out" phase so that it's done
every time.
Change the iterator variable tmp to be const so that it's obvious we
aren't meant to free that too.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 11 Mar 2020 13:12:22 +0000 (13:12 +0000)]
sysdeps-unix: Don't leak struct addrinfo on OOM during connect()
If we ran out of memory while handling connect() errors, we didn't
free the linked list of struct addrinfo. Move their cleanup to the
"out" phase of the function so that we always do it.
While I'm there, change the iterator variable tmp to be const, to make
it more obvious that we aren't meant to free it.
This is similar to commit 00badeba (!143) in the corresponding Windows
code path, but with some refactoring.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ralf Habacker [Tue, 10 Mar 2020 21:59:19 +0000 (22:59 +0100)]
Fix missing release of the memory allocated in _dbus_connect_tcp_socket_with_nonce() in OOM case
If there is no more memory available within the mentiond function, e.g.,
when checking memory management, the release of memory allocated by
getaddrinfo() is missing.
Each connection that is an active monitor holds a pointer to its own
link in this list, via BusConnectionData.link_in_monitors. We can't
validly free the list while these pointers exist: that would be a
use-after-free, when each connection gets disconnected and tries to
remove itself from the list.
Instead, let each connection remove itself from the list, then assert
that the list has become empty.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/291
Ralf Habacker [Thu, 20 Feb 2020 08:50:00 +0000 (08:50 +0000)]
In _dbus_verbose_real() avoid possible stack overflows on output to the Windows debug port
Instead of creating a fixed memory area on the stack that can lead to
a stack overflow if exceeded, this configuration now uses a DBusString
instance that dynamically manages memory.
Ralf Habacker [Thu, 12 Dec 2019 08:34:58 +0000 (09:34 +0100)]
Add a trivial sanity-check for the atomic primitives
This doesn't verify that they're atomic, but does verify that they
return the right things.
This commit adds a new test function _dbus_test_check (a) to make
writing tests easier. It checks the given boolean expression and
generates a "not ok" test result if the expression is false.
Due to the current design of the test api, the test is only compiled
if embedded tests were enabled at the time of configuration.
It was also necessary to move the test_atomic target definitions in
test/Makefile.am to the --enable-embedded-tests section to avoid a
make distcheck build error.
The test case itself has been authored by smcv.
Co-authored-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 6 Dec 2019 01:54:18 +0000 (02:54 +0100)]
_dbus_modify_sigpipe: be thread-safe
This needs new atomic primitives: we don't have "set to a value",
and in fact that's a bit annoying to implement in terms of gcc
intrinsics. "Set to 0" and "set to nonzero" are easy, though.
Currently, if the "dbus" security class or the associated AV doesn't
exist, dbus-daemon fails to initialize and exits immediately. Also the
security classes or access vector cannot be reordered in the policy.
This can be a problem for people developing their own policy or trying
to access a machine where, for some reasons, there is not policy defined
at all.
The code here copy the behaviour of the selinux_check_access() function.
We cannot use this function here as it doesn't allow us to define the
AVC entry reference.
See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
Clients listening for a signal can match against the 'sender', expecting
it to come from a connection with a specific name. With this change,
dbus-send can send signals to them.
Simon McVittie [Wed, 3 Jul 2019 08:58:04 +0000 (09:58 +0100)]
tests: Move _dbus_sha_test outside libdbus
Instead of exposing _dbus_sha_test() as a private exported symbol,
we can expose _dbus_sha_compute(), which is the only thing called by
the test that isn't already exported.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Sat, 29 Jun 2019 15:45:25 +0000 (16:45 +0100)]
bus tests: Shut down audit socket
Some CI environments run build-time tests as root with CAP_AUDIT_WRITE.
In this case we need to close the audit socket so that it will not be
reported as leaked.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Sat, 29 Jun 2019 16:36:36 +0000 (17:36 +0100)]
bus: Make audit initialization idempotent
The audit module is initialized every time a new BusContext is created,
which is only once in the real dbus-daemon, but can happen several times
in some unit tests.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Sat, 29 Jun 2019 14:16:03 +0000 (15:16 +0100)]
tests: Skip if unable to launch uninstalled dbus-daemon as other uid
Some CI systems do the entire build as uid 0 in a throwaway container.
If this is done in a build directory for which the messagebus user
does not have search (+x) permission, then they will be unable to
execute the just-built dbus-daemon binary.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 2 Jul 2019 19:42:54 +0000 (20:42 +0100)]
tests: Skip system bus test if we are root but messagebus does not exist
Some CI systems do the build as root in a disposable container, and
run tests without ever having installed dbus. This means we can't
expect to be able to drop privileges from root to the DBUS_USER (usually
named messagebus or dbus) unless we have checked that the
DBUS_USER exists.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Thu, 30 May 2019 11:58:28 +0000 (12:58 +0100)]
test: Add basic test coverage for DBUS_COOKIE_SHA1
We don't actually complete successful authentication, because that
would require us to generate a cookie and compute the correct SHA1,
which is difficult to do in a deterministic authentication script.
However, we do assert that dbus#269 (CVE-2019-12749) has been fixed.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Thu, 30 May 2019 11:53:03 +0000 (12:53 +0100)]
auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
of a shared home directory by having the server write a secret "cookie"
into a .dbus-keyrings subdirectory of the desired identity's home
directory with 0700 permissions, and having the client prove that it can
read the cookie. This never actually worked for non-malicious clients in
the case where server uid != client uid (unless the server and client
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
Unix uid 0) because an unprivileged server would fail to write out the
cookie, and an unprivileged client would be unable to read the resulting
file owned by the server.
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
is owned by the uid of the server (a side-effect of a check added to
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
by a non-malicious client with a uid differing from the server's.
Joe Vennix of Apple Information Security discovered that the
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
attack: a malicious client with write access to its own home directory
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
read and write in unintended locations. In the worst case this could
result in the DBusServer reusing a cookie that is known to the
malicious client, and treating that cookie as evidence that a subsequent
client connection came from an attacker-chosen uid, allowing
authentication bypass.
This is mitigated by the fact that by default, the well-known system
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
at an early stage, before manipulating cookies. As a result, this
vulnerability only applies to:
* system or session dbus-daemons with non-standard configuration
* third-party dbus-daemon invocations such as at-spi2-core (although
in practice at-spi2-core also only accepts EXTERNAL by default)
* third-party uses of DBusServer such as the one in Upstart
Avoiding symlink attacks in a portable way is difficult, because APIs
like openat() and Linux /proc/self/fd are not universally available.
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
a non-matching uid, we can solve this vulnerability in an easier way
without regressions, by rejecting it early (before looking at
~/.dbus-keyrings) whenever the requested identity doesn't match the
identity of the process hosting the DBusServer.
Signed-off-by: Simon McVittie <smcv@collabora.com> Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269 Closes: CVE-2019-12749
Simon McVittie [Thu, 30 May 2019 14:38:49 +0000 (15:38 +0100)]
bus: Clarify names of methods that query owned names
It wasn't immediately clear from the names of these method whether they
should return TRUE or FALSE for queued owners other than the primary
owner. Renaming them makes it obvious that the answer should be TRUE.
While I'm there, make the corresponding _dbus_verbose() messages more
precise.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/270
projects / thirdparty / dbus.git / log
