dbus-sysdeps-unix: Handle empty supplementary group list
It is valid for getsockopt(SO_PEERGROUPS) to return len=0; that
indicates the process has no supplementary groups. Rather than failing,
simply use the returned empty list (and add the primary GID to it).
Without this change, calling GetConnectionCredentials on a bus name
owned by a process with no supplementary groups does not return the
UnixGroupIDs field, even though it is easy to determine that the process
only has one GID (the primary GID).
Barnabás Pőcze [Tue, 13 Jun 2023 16:12:26 +0000 (18:12 +0200)]
meson: Override "dbus-1" dependency name
Since meson 0.54.0, it is possible to override a dependency name,
so do that to make it easy to use dbus as a subproject. After this
change, simply
dependency('dbus-1')
will fall back to the subproject automatically and there is no need
for using `fallback` keyword argument. Of course this assumes that
the dbus source tree is at subprojects/dbus-1 and not subprojects/dbus
but it is easy to achieve that.
If the dbus source tree for some reason needs to be at subprojects/dbus,
dependency('dbus-1', fallback: 'dbus')
may be used, which still has the advantage of not needing to
depend on the variable names in the dbus build definitions.
Simon McVittie [Tue, 13 Jun 2023 12:59:21 +0000 (13:59 +0100)]
CI: Enable "debian mingw64 meson debug" by default
This gives us coverage for Meson mingw-w64 by default, but
cross-compiling from Debian with MSVCRT rather than a native compilation
on Windows with UCRT. When combined with "windows msys64 ucrt64 cmake",
this fills in most of the missing coverage caused by disabling
windows-meson-mingw-ucrt64 to work around dbus#462.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ralf Habacker [Mon, 12 Jun 2023 17:55:05 +0000 (19:55 +0200)]
CI: Fix problem with configuration when cross building with cmake
Due to an adaptation of an rpm macro for cross-compiling with cmake, there
was a problem with the previous method of using the current directory as
the build directory. Instead, the command line options provided by cmake
are now used to define the source and build directories, which provide more
stable behavior.
Simon McVittie [Tue, 6 Jun 2023 12:07:04 +0000 (13:07 +0100)]
meson: Disable some warnings when asserts/checks are disabled
Some labels are only used when checks are enabled, and some variables
are only used when assertions and/or checks are enabled. Instead of
cluttering the code with extra #ifdefs, we silence those warnings:
they're harmless in this case. We already do this in Autotools.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 6 Jun 2023 12:05:41 +0000 (13:05 +0100)]
sysdeps: Correct fallback signature of Linux close_range()
Linux generally declares syscalls with flags as type int. It's the same
ABI, but a slightly different API, and it seems better for our fallback
definition to match it exactly.
Related to dbus/dbus#453.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 5 Jun 2023 17:51:22 +0000 (18:51 +0100)]
monitor test: Reproduce dbus/dbus#457
The exact failure mode reported in dbus/dbus#457 is quite difficult
to achieve in a reliable way in a unit test, because we'd have to send
enough messages to a client to fill up its queue, then stop that client
from draining its queue, while still triggering a message that gets a
reply from the bus driver. However, we can trigger the same crash in a
slightly different way by not allowing the client to receive a
particular message. I chose NameAcquired.
Signed-off-by: Simon McVittie <smcv@collabora.com>
hongjinghao [Mon, 5 Jun 2023 17:17:06 +0000 (18:17 +0100)]
bus: Assign a serial number for messages from the driver
Normally, it's enough to rely on a message being given a serial number
by the DBusConnection just before it is actually sent. However, in the
rare case where the policy blocks the driver from sending a message
(due to a deny rule or the outgoing message quota being full), we need
to get a valid serial number sooner, so that we can copy it into the
DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
message sent to monitors. Otherwise, the dbus-daemon will crash with
an assertion failure if at least one Monitoring client is attached,
because zero is not a valid serial number to copy.
This fixes a denial-of-service vulnerability: if a privileged user is
monitoring the well-known system bus using a Monitoring client like
dbus-monitor or `busctl monitor`, then an unprivileged user can cause
denial-of-service by triggering this crash. A mitigation for this
vulnerability is to avoid attaching Monitoring clients to the system
bus when they are not needed. If there are no Monitoring clients, then
the vulnerable code is not reached.
Co-authored-by: Simon McVittie <smcv@collabora.com>
Resolves: dbus/dbus#457
Simon McVittie [Tue, 6 Jun 2023 09:41:35 +0000 (10:41 +0100)]
README: Mention not opening merge requests for security issues
The dbus maintainers can open confidential merge requests by using a
private git repository, but other contributors (including most security
researchers) cannot, so the safest simple recommendation is no merge
requests.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Luca Boccassi [Mon, 20 Mar 2023 01:40:20 +0000 (01:40 +0000)]
Support /proc in _dbus_file_get_content
procfs has special semantics: most files are 0 size,
only one read can be done on a file, and they are
not larger than 4MB. Enhance _dbus_file_get_content()
so that we can read files from /proc with it.
Barnabás Pőcze [Thu, 4 May 2023 14:37:57 +0000 (16:37 +0200)]
dbus-spawn-win: use `_DBUS_FUNCTION_NAME` instead of `__FUNCTION__`
dbus-internals.h already defines a macro which expands to the name
of the current function based on C standard version, etc. So use
that instead of hard-coding `__FUNCTION__`.
Barnabás Pőcze [Thu, 4 May 2023 14:26:31 +0000 (16:26 +0200)]
dbus-internals: use `_DBUS_FUNCTION_NAME` in `_dbus_verbose()`
dbus-internals.h already defines a macro which expands to the name
of the current function based on C standard version, etc. So use
that instead of hard-coding `__FUNCTION__`.
Simon McVittie [Fri, 12 May 2023 17:35:13 +0000 (18:35 +0100)]
CI: Disable native Windows builds for now
These are extremely slow (the image build is currently at 36 minutes
and still running) which is standing in the way of us having functional
CI at all. They can be re-enabled if someone will maintain them.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 12 May 2023 14:31:58 +0000 (15:31 +0100)]
CI: Disable OOM-testing code paths for Meson, matching Autotools and CMake
Repeatedly re-running each test with different malloc() calls failing
is really slow, and in particular this is making
dbus:dbus / marshal-recursive time out on freedesktop.org CI.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 12 May 2023 14:23:27 +0000 (15:23 +0100)]
CI: Only run for pushes to dbus
In practice the pipeline is going to fail for namespaces other than
dbus, so don't waste time on trying to run it there; only run the
detached pipeline for the MR.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 12 May 2023 14:00:34 +0000 (15:00 +0100)]
CI: Run a detached pipeline for merge requests
After abuses of fdo infrastructure were mitigated in
freedesktop/freedesktop#540, contributors cannot usually run pipelines
in their own forks of dbus.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ralf Habacker [Thu, 19 Jan 2023 15:17:43 +0000 (16:17 +0100)]
_dbus_string_skip_blank(): Let the final assert follow the previous search
This appears to have been a copy/paste mistake. If only blanks (defined as
spaces or tabs) were removed, then it cannot be right to check for white
space (defined as spaces, tabs, carriage return or linefeed) afterwards.
If libdbus was compiled with assertions enabled, then this is a
denial-of-service issue for dbus-daemon or other users of DBusServer:
an unauthenticated user with access to the server's socket can send
whitespace that triggers this assertion failure. We recommend that
production versions of dbus, for example in OS distributions, should be
compiled with checks but without assertions.
Simon McVittie [Mon, 6 Feb 2023 13:24:11 +0000 (13:24 +0000)]
CI: Re-run some tests as root or as non-root, as appropriate
On Gitlab-CI we're always running the overall script as root (and
therefore we'll only enter the code path to re-run as non-root),
but when using these scripts for manual testing they might be run as
non-root to begin with.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 6 Feb 2023 13:23:05 +0000 (13:23 +0000)]
CI: Remove vestigial support for re-running tests in a Docker container
Travis CI needed this, but Gitlab-CI always runs our tests in a Docker
container of our choice, so there's never any need to enter another
(and it's not allowed anyway).
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 6 Feb 2023 13:13:04 +0000 (13:13 +0000)]
CI: Don't change ownership of source directory
These CI scripts were originally used on Travis-CI, which starts all
builds as an ordinary user that has the ability to become root via `sudo`.
On Gitlab-CI, we don't need that: we start as uid 0, and can do the
whole CI run like that. This also means we get somewhat better test
coverage, because some of our unit tests benefit from being run as uid 0.
The only test coverage we lose by being uid 0 is that
test_pending_fd_timeout() in test/dbus-daemon.c is skipped, because
uid 0 bypasses the limit that's under test there.
Khem Raj [Sat, 14 Jan 2023 20:39:43 +0000 (12:39 -0800)]
Define _DBUS_ALIGNOF using _Alignof when using C11 or newer
WG14 N2350 made very clear that it is an UB having type definitions
within "offsetof" [1]. This patch changes the implementation of macro
_DBUS_ALIGNOF to builtin "_Alignof" to avoid undefined behavior.
clang 16+ has started to diagnose this [2]
Fixes build when using -std >= gnu11 and using clang16+
bus/selinux: Move vsnprintf call to avoid va_list reuse
In log_callback() the same va_list is reused for a call to vsnprintf and
vsyslog. A va_list can't be reused in this manner, such use is undefined
behavior that changes depending on glibc version.
In current glibc versions a segfault can be observed from the callsite at
bus/selinux.c:412. When trying to log a non-auditable event, the segfault
happens in strlen inside vsyslog.
Moving the call to vsnprintf closer to audit_log_user_avc_message (which is
followed by a 'goto out') avoids the reuse and segfault.
Simon McVittie [Fri, 6 Jan 2023 13:49:17 +0000 (13:49 +0000)]
meson: Use -fvisibility=hidden on Unix if supported
This avoids accidentally exporting all of our private symbols as part
of the LIBDBUS_PRIVATE_x.y.z verdef, including ones that don't need to
be visible outside the shared library even when testing internals
(_dbus_watch_set_handler is a good example).
Helps: https://gitlab.freedesktop.org/dbus/dbus/-/issues/437 Signed-off-by: Simon McVittie <smcv@collabora.com>
Ralf Habacker [Tue, 3 Jan 2023 13:29:14 +0000 (14:29 +0100)]
Fix data race in multithreaded application
This commit fixes a data race condition discovered by the
gcc thread sanitizer by also locking the associated mutex
when reading the corresponding counter.
Daniel Wagner [Thu, 24 Nov 2022 08:17:45 +0000 (09:17 +0100)]
meson: Introduce message_bus and tools command line option
To make the consume libdbus via Meson's subproject use case more useful,
introduce message_bus and tools command line options which control if
the D-Bus daemon and/or the tools are build. The idea here is that
depending projects are interested only in the library.
The strong recommendation is only to build libdbus as static library:
Dave Jones [Tue, 3 Jan 2023 18:42:51 +0000 (18:42 +0000)]
Permit access to /tmp dbus socket
After 6e48c317 the test-apparmor-activation test fails as it can no
longer access the dbus socket in /tmp. This commit updates the apparmor
profile used within the test
projects / thirdparty / dbus.git / log
