Ralf Habacker [Thu, 11 Nov 2021 09:01:29 +0000 (10:01 +0100)]
tools/dbus-run-session: fix race between manual and automatically started dbus-daemon on Windows
dbus-run-session starts a dbus-daemon before the client application.
We must avoid letting the application try to connect before the
dbus-daemon's DBusServer is listening for connections.
In the Unix implementation, we already achieved this via the
--print-address option. If the client tried to connect too soon,
the server would not yet be listening and the client would fail.
In the Windows implementation, we communicate the bus address to
the client application as an autolaunch: address, so if the client
tried to connect too soon, it would autolaunch a new dbus-daemon
instead of using the one that it was intended to use.
We can avoid this by using a new option to pass in a Windows event
object, which will be set when the server has started and is ready
to process connections.
Setting this property allows to fix linking to the imported target with MinGW.
This only happens when dbus is built using autotools, when cmake is used the DBus1Config.variant.in
is configured and the automatically exported target by cmake is fine.
David Redondo [Wed, 17 Nov 2021 12:24:19 +0000 (12:24 +0000)]
Put dbus-daemon into session slice
The session slice and the app and background slices are special slices defined by
https://systemd.io/DESKTOP_ENVIRONMENTS/, where:
session.slice: Contains only processes essential to run the user’s graphical session
app.slice: Contains all normal applications that the user is running
This allows users or sysadmins to control resource allocation depending on the type
of the service.
Since v249 (https://github.com/systemd/systemd/commit/23dce98e89616092007005692a4574ab908db5a6)
systemd puts user services into the app slice by default so dbus needs to manually state
that it belongs in the session slice.
Ralf Habacker [Tue, 9 Nov 2021 23:49:21 +0000 (00:49 +0100)]
cmake: fix find_package related naming mismatch for GLIB2
The package name passed to `find_package_handle_standard_args` (GLIB2) did not match the name of the calling package (GLib2).
This could lead to problems when calling code that expects `find_package`.
result variables (e.g. `_FOUND`) expect to follow a certain pattern.
Simon McVittie [Mon, 21 Jun 2021 11:04:05 +0000 (12:04 +0100)]
dbus-send: Validate interface, member names before use
Instead of a failed check or assertion failure and a core dump, let's
produce an error message on stderr and a graceful nonzero exit status.
It's still not going to *work*, but at least we can avoid crashing.
$ dbus-send / com.example.Nope..Nope
Interface name was not valid: 'com.example.Nope.'
$ dbus-send / com.example.Nope.0
Invalid signal name: Member name was not valid: '0'
Resolves: dbus#338 Signed-off-by: Simon McVittie <smcv@collabora.com>
Ralf Habacker [Mon, 9 Nov 2020 09:58:22 +0000 (10:58 +0100)]
On CI use common install prefix named 'dep_prefix' for installing local packages
With this commit a new variable 'ci_local_packages' has been introduced
to have a choice for using development packages from a local installation
or from the distribution.
Ralf Habacker [Fri, 6 Nov 2020 11:08:12 +0000 (12:08 +0100)]
tools/ci-install.sh: merge multiple calls to apt-get
This required a reorganization of the steps that had been carried out.
The new order is:
1. install packages with apt-get
2. create user for build if required
3. fetch and unpack tar balls
4. create messagebus user
Chris PeBenito [Mon, 14 Sep 2020 15:34:04 +0000 (11:34 -0400)]
bus/selinux: Fix audit message types.
The SELinux log callback includes a message type. Not all messages are
auditable and those that are have varying audit types. An audit message is
a security-relevant event: security state changes, MAC permission denied,
etc. A message that is auditable is not necessarily sensitive. Messages
that are not auditable are not security-relevant, like messages about
socket polling errors. Update the auditing accordingly.
If the message is not auditable, fall through and write it to syslog.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
William Earley [Sun, 27 Sep 2020 11:39:04 +0000 (12:39 +0100)]
dbus-launch: Replace slashes in DISPLAY if present
dbus-daemon fails to autolaunch with X11 on macOS 10.8+ because XQuartz
(the X11 package for macOS) provides a value for `$DISPLAY` that is
not expected by dbus, in that it contains `/` characters. This is
addressed by replacing the invalid path character `/` with `_`.
William Earley [Sun, 27 Sep 2020 11:24:30 +0000 (12:24 +0100)]
sysdeps: Don't raise RLIMIT_NOFILE beyond OPEN_MAX on macOS
dbus-daemon fails to launch on macOS 10.5 and above because of a breaking
change in setrlimit, in which RLIM_INFINITY is no longer supported
for RLIMIT_NOFILE. Instead we must use OPEN_MAX.
Arnout Engelen [Thu, 5 Nov 2020 20:27:02 +0000 (21:27 +0100)]
docs: generate reproducible ids
With this parameter, docbook will generate the same id's when generating the
same docs. This is helpful to get bit-by-bit 'reproducible' output, which
makes auditing the package easier.
Tested both the cmake output and the automake output
Calling malloc() after fork is undefined behaviour if the process is
multi-threaded. locks held by a thread on fork() will never be released.
malloc() is usally protected by a lock and can therefore deadlock. glibc
is known not to deadlock in this case.
This commit does not rule out other problems on glibc-systems, but fixes an
issue on musl-libc-systems. Only restricting to async-signal safe functions
between fork() and exec() prevents undefined behaviour for sure. See
signal-safety(7).
Previously it was built on Unix platforms, but not installed. This
would prevent traditional activation on the system bus (on Linux
without systemd or non-Linux, or for services without SystemdService),
which requires the activation helper.
Because the executable is an internal implementation detail of how
traditional activation is implemented on Unix, it is not exported to
the generated cmake support files.
Simon McVittie [Mon, 7 Sep 2020 10:57:19 +0000 (11:57 +0100)]
spec: Update recommendations for DBUS_COOKIE_SHA1 timeouts
This had two issues that could damage interoperability.
First, the spec wording suggested that any cookie that had not been
deleted was suitable for use in authentication. However, this introduces
a race condition, which is called out in comments in both the reference
implementation and GDBus: the newest cookie might be less old than the
arbitrary lifetime when authentication *begins*, but older than the
lifetime at the time authentication *ends*. As a result, we need a grace
period during which an old cookie will still be accepted, but a newer
cookie exists and will be used for new authentication operations.
Second, the spec wording implied that the arbitrary timeouts were
completely up to the implementor. However, GLib bug
https://gitlab.gnome.org/GNOME/glib/-/issues/2164 indicates that they
need to be reasonably compatible: in particular, GDBus servers
historically didn't allocate new cookies until 10 minutes had passed,
but libdbus clients would decline to use a cookie older than 5 minutes,
causing authentication to fail if the gdbus-server test-case (in which
GDBus and libdbus clients connect to a GDBus server) happened to take
longer than 5 minutes to run.
While I'm here, also be consistent about calling the secrets "cookies"
(consistent with the name of the mechanism) rather than "keys" (which
is what they are called in libdbus' dbus-keyring.c).
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Wed, 1 Jul 2020 15:01:38 +0000 (16:01 +0100)]
tests: On Unix, include <netinet/in.h> for IPPROTO_TCP
Otherwise, dbus doesn't compile on FreeBSD if the GLib-based tests
are enabled (which suggests that no FreeBSD user has run those tests
successfully).
We already include <netinet/in.h> in other places with no conditions
or checks other than "is Unix", so apparently it's portable enough that
specifically testing for its presence is not necessary. POSIX requires it
to exist.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Previously, the hash table indexed by uid (or gid) took ownership of the
single reference to the heap-allocated struct, and the hash table
indexed by username (or group name) had a borrowed pointer to the same
struct that exists in the other hash table.
However, this can break down if you have two or more distinct usernames
that share a numeric identifier. This is generally a bad idea, because
the user-space model in such situations does not match the kernel-space
reality, and in particular there is no effective kernel-level security
boundary between such users, but it is sometimes done anyway.
In this case, when the second username is looked up in the userdb, it
overwrites (replaces) the entry in the hash table that is indexed by
uid, freeing the DBusUserInfo. This results in both the key and the
value in the hash table that is indexed by username becoming dangling
pointers (use-after-free), leading to undefined behaviour, which is
certainly not what we want to see when doing access control.
An equivalent situation can occur with groups, in the rare case where
a numeric group ID has two names (although I have not heard of this
being done in practice).
Solve this by reference-counting the data structure. There are up to
three references in practice: one held temporarily while the lookup
function is populating and storing it, one held by the hash table that
is indexed by uid, and one held by the hash table that is indexed by
name.
Closes: dbus#305 Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 30 Jun 2020 18:13:17 +0000 (19:13 +0100)]
userdb: Make lookups return a const pointer
This makes it more obvious that the returned pointer points to a
struct owned by the userdb, which must not be freed or have its
contents modified, and is only valid to dereference until the next
modification to the userdb's underlying hash tables (which in practice
means until the lock is released, because after that we have no
guarantees about what might be going on in another thread).
Signed-off-by: Simon McVittie <smcv@collabora.com>
projects / thirdparty / dbus.git / log
