Simon McVittie [Sat, 7 Nov 2015 12:06:52 +0000 (13:06 +0100)]
Stop statically enabling dbus.socket in dbus.target
dbus.target was relevant in early versions of systemd, but is not
used or installed any more. We also enable the socket in sockets.target,
which is the right place to do this sort of thing.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78412
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757913 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Lennart Poettering
Simon McVittie [Sat, 7 Nov 2015 12:03:47 +0000 (13:03 +0100)]
Drop [Install] sections from user services
We install the symlink to enable dbus.socket statically, so it doesn't
make much sense to invoke `systemctl enable` on it; and
dbus.service should normally be started by socket activation
(or possibly an explicit dependency) rather than manually.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92402 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Lennart Poettering
It's generally a good idea to avoid trailing whitespace in order to keep
patchs minimal. While it's common to enforce such restrictions for C code,
it's important for docbok XML files too. Hence, let's clean this up and
remove all trailing whitespace currently in place.
[By policy we do not clean up historical trailing whitespace and
tab-indentation in the C source code unless we are modifying those lines
anyway, to retain the ability to merge stable-branch bugfixes into the
development branch. However, the copy of the spec in the development
branch is the only one that receives any updates, so that concern
doesn't apply here. -smcv]
Allowing to send replies when NO_REPLY_EXPECTED is set is useless in
practice: Clients need to be careful not to send these replies, because
bus policy could deny these messages. The spec even mentions that this
issue exists.
To make this more clear and misbehaving clients less likely, disallow
sending unexpected replies entirely.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75749 Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Fri, 6 Nov 2015 13:03:23 +0000 (14:03 +0100)]
Fix test cases running client and server dispatch design issue.
DBus test cases running the server *and* client loop in the same
process assumed that all messages send from the server has to be
received in one client dispatch, which is not the case in all
environments.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92721 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Ralf Habacker [Mon, 2 Nov 2015 23:23:56 +0000 (00:23 +0100)]
Test system bus config files on Unix only
Previously, we didn't consistently test parsing of every file in
valid-config-files-system/ everywhere that we tested valid-config-files/.
We now test it on Unix.
The system bus is not supported on Windows, so we do not test
valid-config-files-system/ there.
valid-config-files/many-rules.conf contains <user> and <group> rules
which are not applicable to Windows. Copy the original many-rules.conf
to valid-config-files-system/ so that it will be tested on Unix, and
remove the non-portable rules from valid-config-files/many-rules.conf.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92721 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[rh:base patch came from Simon]
Simon McVittie [Thu, 29 Oct 2015 05:31:38 +0000 (06:31 +0100)]
refs test: reduce number of repeats under Wine
Under Wine, the API calls we use to do this are implemented via IPC
to wineserver, which makes it unreasonably slow to try to brute-force
bugs by having many threads stress-test refcounting. Do a few
repetitions just to verify that refcounting basically works, but
don't do the full stress-test.
As discussed in <https://github.com/systemd/systemd/issues/1600>.
See also <https://bugs.archlinux.org/task/46721>,
<https://bugzilla.gnome.org/show_bug.cgi?id=756420>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92612
[smcv: use AC_PATH_PROG to find systemctl; ignore systemctl failure] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
[smcv: add links to earlier bug reports elsewhere]
Simon McVittie [Mon, 19 Oct 2015 14:19:27 +0000 (15:19 +0100)]
When running dbus-daemon --session in tests, override listen address
Otherwise, we can't reliably run tests for Windows, because the default
listening address on Windows is "autolaunch:" which is global to
a machine, resulting in testing an installed dbus-daemon instead of
the one we intended to test.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92538 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Simon McVittie [Tue, 6 Oct 2015 11:43:22 +0000 (12:43 +0100)]
BecomeMonitor: do not overwrite error with another error
If the user gave us a syntactically invalid error name, we'd
overwrite the MatchRuleInvalid error with NoMemory, causing an
assertion failure (crash) in the dbus-daemon.
This is not a denial-of-service vulnerability on the system bus,
because monitoring is a privileged action, and root privilege
is checked before this code is reached. However, it's an annoying
bug on the session bus.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92298 Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk> Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de> Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Fri, 2 Oct 2015 15:51:59 +0000 (16:51 +0100)]
Assume that DBUS_DATADIR is absolute on Windows
Both build systems arrange for this to be the case,
and we already assume that it's absolute on Unix.
On Windows, it's probably going to be /mingw/share or
something; it gets relocated via _dbus_replace_install_prefix()
at runtime.
Simon McVittie [Wed, 30 Sep 2015 15:35:49 +0000 (16:35 +0100)]
Use DBusString for all relocation and install-root code
This means we handle OOM correctly, and makes it obvious
that we are not overflowing buffers. This change does not
affect the actual content of the strings.
Instead of redefining DBUS_DATADIR to be a function call
(which hides the fact that DBUS_DATADIR is used),
this patch makes each use explicit: DBUS_DATADIR
is always the #define from configure or cmake, before
replacing the prefix.
Simon McVittie [Wed, 30 Sep 2015 16:15:53 +0000 (17:15 +0100)]
Cancel pending activation on any activation error
This fixes the error reporting if you make two attempts
to activate a service that cannot be activated due to an
error that is reported synchronously, such as a system
service with no User= line in its .service file.
This is easy to reproduce with the gdbus(1) tool, which
sends an Introspect call in addition to the one you asked
it to. If you try to activate a service using
then gdbus will actually send two method calls: one
Introspect, and one Ping. The Introspect gets the correct
error reply, but when dbus-daemon enters
bus_activation_activate_service() for the Ping call, it
sees that there is a pending activation and does an
early-return. The pending activation does not finish
until the timeout is reached.
A couple of error cases handled this correctly, but the
majority did not; make them all go into the same code path.
Natanael Copa [Fri, 18 Sep 2015 13:27:50 +0000 (15:27 +0200)]
Use C99 standard PRI*64 for printing 64 bit integers
Use the standard C99 PRI*64 macros instead of checking for specific GNU
libc version. We also specifically check for windows which does not have
proper C99 support.
This fixes printing of int64 on non-GNU 32 bit systems (like musl libc).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92043 Reviewed-by: Thiago Macieira <thiago@kde.org> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[smcv: fix extra % in the Windows fallbacks; include <inttypes.h> where needed]
Simon McVittie [Fri, 18 Sep 2015 16:52:07 +0000 (17:52 +0100)]
Rename getters for session, system config files
It turns out to be easier to implement the Windows version
of these in a relocatable way if it can assume that the
argument starts empty, which is in fact true in practice.
Milan Crha [Fri, 18 Sep 2015 15:22:29 +0000 (16:22 +0100)]
Fix creation of Exec path for files not in prefix
Doing strcat() into a static buffer produces incorrect results for
the second and subsequent services if they are not in the ${prefix};
for example, if the first call should have returned
"C:\bar\bin\service1" and the second should have returned
"C:\bar\bin\service2", the second result would actually be
"C:\bar\bin\service1C:\bar\bin\service2".
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83539 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[smcv: added commit message; used strncpy/strncat to avoid overflow] Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
Make Windows dbus-daemon look for the config file we install
The canonical location for bus setup changed from
${sysconfdir}/dbus-1 to ${datadir}/dbus-1 (or their CMake
equivalents) in version 1.9.18.
Also stop trying to use bus/session.conf from the build tree,
which will not work if our ${prefix} contains an older
${sysconfdir}/dbus-1/session.conf.
Simon McVittie [Wed, 19 Aug 2015 22:47:40 +0000 (23:47 +0100)]
audit: make the first few fds close-on-exec
libcap-ng < 0.7.7 leaks one non-close-on-exec fd during initialization.
test-bus asserts that all fds beyond 2 passed to an executed subprocess
have the close-on-exec flag set, which will fail at that leaked fd.
This was unnoticed until commit 517c4685, because libaudit was
previously only initialized if we were configured to switch uid,
which the regression tests do not do; the system bus is normally
the only place that happens, but the system bus is not normally
run with the "embedded tests" enabled (since they are bad
for performance and security).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=91684 Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Initialize audit subsystem even for the session bus
If SELinux is enabled on the system, dbus will check the permissions but
no audit trails will be generated in case of denial as the audit
subsystem is not initialized. Same should apply for apparmor.
[smcv: without audit, the equivalent of the audit trail goes to stderr
where it can be picked up by systemd-journald]
A unprivileged user should be able to open the audit socket
(audit_open()) but should not have the permissions to log an audit
trail. The CAP_AUDIT_WRITE file capability could be set on the
dbus-daemon executable in order to allow the session bus to log an AVC
denial.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83856
[smcv: s/should/could/ in commit message to reflect lack of consensus that
"setcap cap_audit_write+ep dbus-daemon" is desirable in general] Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Fri, 3 Jul 2015 15:57:28 +0000 (16:57 +0100)]
audit: only check for CAP_AUDIT_WRITE once, during initialization
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89225 Reviewed-by: Colin Walters <walters@verbum.org> Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Thu, 19 Feb 2015 12:04:26 +0000 (12:04 +0000)]
bus: move shared libaudit code to a new audit.[ch]
This fixes various duplicated libaudit interactions in both
SELinux and AppArmor code paths, including opening two audit sockets
if both SELinux and AppArmor were enabled at compile time.
In particular, audit.c is now the only user of libcap-ng.
This commit is not intended to introduce any functional changes,
except for the de-duplication.
The actual audit_log_user_avc_message() call is still duplicated,
because the SELinux and AppArmor code paths use different mechanisms
to compose the audit message: the SELinux path uses a statically-sized
buffer on the stack which might be subject to truncation, whereas
the AppArmor path uses malloc() (via DBusString) and falls back to
using syslog on a memory allocation failure.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89225 Reviewed-by: Colin Walters <walters@verbum.org>
[smcv: minor issues raised during review are subsequently fixed] Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Fri, 3 Jul 2015 12:50:04 +0000 (13:50 +0100)]
dbus-monitor: disable automatic handling of o.fd.Peer messages
A normal DBusConnection will automatically reply to o.fd.Peer
messages such as Ping. We don't want this: we'll
confuse everyone else by replying to messages that weren't
intended for us.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90952 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
(cherry picked from commit d9ee040d0bff2b421bca80c2339dcd9347d906db,
commit message adjusted to describe the impact in versions < 1.9)
Conflicts:
tools/dbus-monitor.c
Simon McVittie [Fri, 3 Jul 2015 12:59:44 +0000 (13:59 +0100)]
Add test-case for the same situation as fd.o #90952
This does not directly test the code in the previous commit, but it does
confirm that calling dbus_connection_set_route_peer_messages() is enough
to fix the observed bug.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90952 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
[smcv: re-worded commit message in response to review]
Simon McVittie [Fri, 3 Jul 2015 12:50:04 +0000 (13:50 +0100)]
dbus-monitor: disable automatic handling of o.fd.Peer messages
A normal DBusConnection will automatically reply to o.fd.Peer
messages such as Ping. We don't want this: if we are using
traditional eavesdropping with an older dbus-daemon, we'll
confuse everyone else by replying to messages that weren't
intended for us. If we are using the new Monitoring
interface (since 1.9.12), the same still applies, but in
addition, the dbus-daemon will disconnect us for not being
a well-behaved monitor.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90952 Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Jacek Bukarewicz [Wed, 17 Jun 2015 17:53:41 +0000 (18:53 +0100)]
Fix memleak in GetConnectionCredentials handler
Reply message was not unreferenced when GetConnectionCredentials
handler was successful.
Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
[smcv: changed bus_message_unref() to dbus_message_unref()] Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=91008
projects / thirdparty / dbus.git / log
