Simon McVittie [Tue, 10 Dec 2024 11:00:28 +0000 (11:00 +0000)]
bus: Update a build system cross-reference
We no longer have an Autotools build system, but Meson sets the same
environment variables that Autotools used to set. CMake does not, yet,
but ideally should.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/538
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 229e48f549dfb1af891545fd978974dd462777da)
Mohamed Akram [Tue, 10 Dec 2024 13:30:19 +0000 (17:30 +0400)]
sysdeps-unix: Report missing launchd session bus as non-fatal
init_connections_unlocked() is called when connecting to any of the
well-known buses, and it initializes all of the well-known addresses:
session, system and starter. This means that a failure here causes
failure to connect to any one of the well-known buses, even if the
failure is actually only relevant to a different well-known bus.
As such, it should only fail on genuinely fatal errors, for example
an out-of-memory condition. It calls init_session_address() and
indirectly _dbus_lookup_session_address(), which therefore need to
have similar behaviour.
Previously, _dbus_lookup_session_address() would fail with a
fatal error whenever the macOS session bus was not correctly set up,
but that breaks the ability to connect to the system bus on macOS,
even though the system bus is not directly related to the session bus.
Instead, we should report a missing session bus as "not supported",
reserving an unsuccessful result for fatal situations like
out-of-memory. This brings _dbus_lookup_session_address_launchd()
into line with the error behaviour of _dbus_lookup_user_bus().
Simon McVittie [Tue, 10 Dec 2024 11:00:28 +0000 (11:00 +0000)]
bus: Update a build system cross-reference
We no longer have an Autotools build system, but Meson sets the same
environment variables that Autotools used to set. CMake does not, yet,
but ideally should.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/538
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 10 Dec 2024 14:31:59 +0000 (14:31 +0000)]
tests: Exercise NSS group lookup before running tests
Similar to #256, NSS plugins might open file descriptors the first time
they look up a system group, and leave them open. To avoid detecting
this as a leak, do one group lookup (which we expect to fail) before
starting testing, so that the fd is already open the first time we
call _dbus_check_fdleaks_enter(), and therefore is not considered to
have been leaked in _dbus_check_fdleaks_leave().
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/540
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 7cbb7b75dd2803fcb0c6edb18d5c43e4eaeee704)
Simon McVittie [Mon, 9 Dec 2024 17:12:18 +0000 (17:12 +0000)]
internals: Use negative numbers to indicate no malloc failure simulation
If we set the countdown to simulating a failed allocation to
_DBUS_INT_MAX, then it will decrement every time we allocate memory,
eventually reaching 0 and triggering a simulated malloc failure.
In practice this does not happen during unit testing, because all of
our tests are (intentionally!) short enough that this can't happen,
but it can happen if a build of dbus with embedded tests enabled is
used for the "real" dbus-daemon or a "real" D-Bus service, either
during debugging or unintentionally, as noted on dbus/dbus!493.
We cannot simply special-case `_DBUS_INT_MAX` to never be decremented,
because _dbus_test_oom_handling() relies on the counter being
decremented even while we are not simulating malloc failure, as a way
to count the number of allocations as an upper bound for how long to
set the countdown during subsequent test runs.
Instead, reserve all negative numbers to represent the absence of
malloc failure simulation, while still being able to count allocations
by comparing two different negative numbers.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/535
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 0735c401a7b3c9e56096fcde8139e773067302bd)
Simon McVittie [Mon, 9 Dec 2024 18:16:46 +0000 (18:16 +0000)]
cmake: Make intrusive (formerly embedded) tests into a separate option
Previously, the CMake build enabled tests by default, and enabled both
modular and intrusive (embedded) tests with a single option. This is
a really bad idea if anyone is using CMake-built binaries in production.
DBUS_BUILD_TESTS now enables only the modular tests, which are safe to
enable in production builds.
A new DBUS_ENABLE_INTRUSIVE_TESTS option enables the intrusive test
instrumentation.
To preserve existing test coverage, explicitly enable the intrusive
tests in most CMake-based Gitlab-CI jobs (Debian native, openSUSE native,
Windows).
In jobs that have a mirrored pair of production/debug builds (openSUSE
and Debian mingw32/mingw64 cmake), instead we leave the production
build as-is and only build full test coverage in the debug build.
Co-authored-by: Philip Withnall <philip@tecnocode.co.uk>
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 41c7570e1ea803e9635d9bcabba5fc221c94e7e6)
Simon McVittie [Mon, 9 Dec 2024 17:45:32 +0000 (17:45 +0000)]
Rename "embedded tests" to "intrusive tests"
This hopefully helps to get across the point that enabling these tests
adds instrumentation to libdbus and dbus-daemon, with a potentially
significant impact on code size, performance and security.
To avoid a huge diffstat which would be difficult to review, the cpp
macro that is checked by most of the C code is still
DBUS_ENABLE_EMBEDDED_TESTS, which is defined or undefined under exactly
the same conditions as the new DBUS_ENABLE_INTRUSIVE_TESTS.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/537
Co-authored-by: Philip Withnall <philip@tecnocode.co.uk>
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 9c5b5838f5ff667225a913f97006816e3e401d55)
Simon McVittie [Tue, 10 Dec 2024 14:31:59 +0000 (14:31 +0000)]
tests: Exercise NSS group lookup before running tests
Similar to #256, NSS plugins might open file descriptors the first time
they look up a system group, and leave them open. To avoid detecting
this as a leak, do one group lookup (which we expect to fail) before
starting testing, so that the fd is already open the first time we
call _dbus_check_fdleaks_enter(), and therefore is not considered to
have been leaked in _dbus_check_fdleaks_leave().
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/540
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 6 Dec 2024 17:49:02 +0000 (17:49 +0000)]
build: Bump version number to 1.16.99-alpha
This is a placeholder for the first release in the 1.17.x branch, which
is not yet ready, but is intended to be labelled as 1.17.0-alpha when
it is released.
Helps: dbus#530
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Fri, 6 Dec 2024 17:48:04 +0000 (17:48 +0000)]
build: Allow version number to be followed by "-" and a suffix
Some distributions are known to have shipped dbus 1.15.x as though it
was a stable release, and it isn't clear whether they knew that we use
the odd/even versioning convention like GLib does.
If we add a -alpha, -beta, -rc suffix to development versions starting
from 1.17.0, then distros that know we use odd/even versioning will
know that our development versions are not a stable-branch, and so will
distros that mistakenly think we use the "semantic versioning"
versioning convention popularized by <https://semver.org/>.
(We intentionally do not use semver, because semver would require us to
ship a new minor version every time we add new API, and we do not have
the resources to provide security support for an unlimited number of
minor versions in parallel: we need to be able to nominate a subset of
our releases as having longer-term security support, in a way that signals
to distros that these are the releases they should prefer to ship.)
CMake's `project()` doesn't allow this version number format[1], but
we intend to use version numbers where the (major, minor, micro) tuple
is enough to uniquely identify a release, so we can just tell CMake our
version number without the suffix and there will be no ambiguity.
Similarly, the dash is not allowed in GNU ld version scripts, so use
the form of the version number without the suffix there.
Simon McVittie [Mon, 9 Dec 2024 17:12:18 +0000 (17:12 +0000)]
internals: Use negative numbers to indicate no malloc failure simulation
If we set the countdown to simulating a failed allocation to
_DBUS_INT_MAX, then it will decrement every time we allocate memory,
eventually reaching 0 and triggering a simulated malloc failure.
In practice this does not happen during unit testing, because all of
our tests are (intentionally!) short enough that this can't happen,
but it can happen if a build of dbus with embedded tests enabled is
used for the "real" dbus-daemon or a "real" D-Bus service, either
during debugging or unintentionally, as noted on dbus/dbus!493.
We cannot simply special-case `_DBUS_INT_MAX` to never be decremented,
because _dbus_test_oom_handling() relies on the counter being
decremented even while we are not simulating malloc failure, as a way
to count the number of allocations as an upper bound for how long to
set the countdown during subsequent test runs.
Instead, reserve all negative numbers to represent the absence of
malloc failure simulation, while still being able to count allocations
by comparing two different negative numbers.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/535
Signed-off-by: Simon McVittie <smcv@collabora.com>
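Added example (not part of the commit and not libdbus code): a minimal C sketch of the counter scheme described in the "malloc failure simulation" message above, where any negative value means simulation is off but the counter still moves so allocations can be counted. All names, the restart at -1 on reaching INT_MIN, and the "fail once, then switch off" behaviour are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical counter: >= 0 counts down to a simulated failure,
 * any negative value means "simulation off". */
static int fail_countdown = -1;

static void arm_failure(int n)   { fail_countdown = n; }
static void disarm_failure(void) { fail_countdown = -1; }

/* Called once per allocation; returns 1 if this allocation must fail. */
static int should_fail_now(void)
{
    if (fail_countdown < 0) {
        /* Off: keep moving so callers can count allocations, but stay
         * negative forever (restart at -1 instead of overflowing). */
        fail_countdown = (fail_countdown == INT_MIN) ? -1 : fail_countdown - 1;
        return 0;
    }
    if (fail_countdown == 0) {
        disarm_failure();   /* assumption: fail once, then switch off */
        return 1;
    }
    fail_countdown--;
    return 0;
}

static void *sim_malloc(size_t n)
{
    return should_fail_now() ? NULL : malloc(n);
}

/* Constructed workload: three allocations, cleaned up on any failure. */
static int workload(void)
{
    void *a = NULL, *b = NULL, *c = NULL;
    int ok = (a = sim_malloc(16)) && (b = sim_malloc(32)) && (c = sim_malloc(64));
    free(a); free(b); free(c);
    return ok;
}

/* Count allocations with simulation off by comparing two negative values. */
static int count_allocations(void)
{
    disarm_failure();
    int before = fail_countdown;
    workload();
    return before - fail_countdown;
}

/* Fail each allocation in turn; returns how many runs reported failure. */
static int oom_sweep(void)
{
    int total = count_allocations(), failed = 0;
    for (int n = 0; n < total; n++) {
        arm_failure(n);
        if (!workload())
            failed++;
    }
    disarm_failure();
    return failed;
}

int main(void)
{
    printf("allocations per run: %d\n", count_allocations());
    printf("runs that saw a simulated failure: %d\n", oom_sweep());
    return 0;
}
```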
Simon McVittie [Mon, 9 Dec 2024 18:16:46 +0000 (18:16 +0000)]
cmake: Make intrusive (formerly embedded) tests into a separate option
Previously, the CMake build enabled tests by default, and enabled both
modular and intrusive (embedded) tests with a single option. This is
a really bad idea if anyone is using CMake-built binaries in production.
DBUS_BUILD_TESTS now enables only the modular tests, which are safe to
enable in production builds.
A new DBUS_ENABLE_INTRUSIVE_TESTS option enables the intrusive test
instrumentation.
To preserve existing test coverage, explicitly enable the intrusive
tests in most CMake-based Gitlab-CI jobs (Debian native, openSUSE native,
Windows).
In jobs that have a mirrored pair of production/debug builds (openSUSE
and Debian mingw32/mingw64 cmake), instead we leave the production
build as-is and only build full test coverage in the debug build.
Co-authored-by: Philip Withnall <philip@tecnocode.co.uk>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 9 Dec 2024 17:45:32 +0000 (17:45 +0000)]
Rename "embedded tests" to "intrusive tests"
This hopefully helps to get across the point that enabling these tests
adds instrumentation to libdbus and dbus-daemon, with a potentially
significant impact on code size, performance and security.
To avoid a huge diffstat which would be difficult to review, the cpp
macro that is checked by most of the C code is still
DBUS_ENABLE_EMBEDDED_TESTS, which is defined or undefined under exactly
the same conditions as the new DBUS_ENABLE_INTRUSIVE_TESTS.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/537
Co-authored-by: Philip Withnall <philip@tecnocode.co.uk>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Ralf Habacker [Mon, 1 Nov 2021 12:01:59 +0000 (13:01 +0100)]
cmake: In client configuration file get DBus1_xxx variables from cmake target
The DBus1_xxx variables defined in DBusConfig.cmake for Windows builds
are currently hard-coded values and independent of those of the underlying
cmake target.
To avoid this, these values are retrieved from the corresponding cmake
target. In addition, the cmake allows the construction of the resulting
relocatable runtime paths.
Simon McVittie [Mon, 9 Dec 2024 17:06:06 +0000 (17:06 +0000)]
release-checklist: Give a better reference for deprecation warnings
Commit 4ebb275ab7 disabled deprecation warnings in the Autotools build
system, which we no longer have. Future stable-branches will want to
disable deprecation warnings in Meson instead.
Simon McVittie [Mon, 9 Dec 2024 17:04:39 +0000 (17:04 +0000)]
release-checklist: Fix sequencing
`meson dist` requires the version you intend to release to have been
committed already, and does not create any generated files in the
`${srcdir}` that are intended to be committed to git.
Simon McVittie [Mon, 9 Dec 2024 17:06:06 +0000 (17:06 +0000)]
release-checklist: Give a better reference for deprecation warnings
Commit 4ebb275ab7 disabled deprecation warnings in the Autotools build
system, which we no longer have. Future stable-branches will want to
disable deprecation warnings in Meson instead.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 9 Dec 2024 17:04:39 +0000 (17:04 +0000)]
release-checklist: Fix sequencing
`meson dist` requires the version you intend to release to have been
committed already, and does not create any generated files in the
`${srcdir}` that are intended to be committed to git.
Signed-off-by: Simon McVittie <smcv@collabora.com>
If there is a pending OOM watch and at the same time there is no
timeout, poll is entered with infinite timeout, because infinite
is expressed with a negative number, which is smaller than any
actual timeout.
Introduce min_poll_timeout(), which returns the smaller non-negative
number of the two, or the larger negative number if both numbers
are negative.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/536
Signed-off-by: Petr Malat <oss@malat.biz>
[smcv: adjust whitespace]
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit a6023f49acfda099a7ccac9ebd804d553ec9d666)
If there is a pending OOM watch and at the same time there is no
timeout, poll is entered with infinite timeout, because infinite
is expressed with a negative number, which is smaller than any
actual timeout.
Introduce min_poll_timeout(), which returns the smaller non-negative
number of the two, or the larger negative number if both numbers
are negative.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/536
Signed-off-by: Petr Malat <oss@malat.biz>
[smcv: adjust whitespace]
Signed-off-by: Simon McVittie <smcv@collabora.com>
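Added example (not part of the commit and not the dbus source): a C sketch of the timeout selection described in the message above, showing a plain minimum next to a helper with the semantics stated for min_poll_timeout(). The choose_poll_timeout() wrapper, naive_min() and the 500 ms retry interval are hypothetical.

```c
#include <stdio.h>

/* Plain minimum: a negative "wait forever" value always wins. */
static int naive_min(int a, int b)
{
    return a < b ? a : b;
}

/* Smaller non-negative value of the two; if both are negative
 * (both mean "wait forever"), the larger negative one. */
static int min_poll_timeout(int a, int b)
{
    if (a < b)
        return a < 0 ? b : a;
    else
        return b < 0 ? a : b;
}

/* Hypothetical main-loop step. timer_ms is the nearest timer deadline,
 * or -1 when no timer is armed. While an out-of-memory retry is
 * pending, the loop must wake up again after oom_retry_ms. */
static int choose_poll_timeout(int timer_ms, int oom_pending,
                               int oom_retry_ms, int (*combine)(int, int))
{
    int timeout = timer_ms;

    if (oom_pending)
        timeout = combine(timeout, oom_retry_ms);
    return timeout;   /* value that would be handed to poll() */
}

int main(void)
{
    /* Constructed inputs: no timer armed, OOM retry pending, 500 ms retry. */
    printf("naive: %d\n", choose_poll_timeout(-1, 1, 500, naive_min));
    printf("fixed: %d\n", choose_poll_timeout(-1, 1, 500, min_poll_timeout));
    printf("timer wins: %d\n", choose_poll_timeout(20, 1, 500, min_poll_timeout));
    return 0;
}
```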
Simon McVittie [Fri, 29 Nov 2024 11:46:32 +0000 (11:46 +0000)]
build: Check for socket(), socketpair() in -lsocket if necessary
On older Solaris, these functions exist in -lsocket rather than in the
standard C library. If we can't find them immediately, try again with
-lsocket added to the dependencies.
Later, use network_libs when checking for optional functions like
socketpair(), so that we will detect it correctly. If socketpair() is
not found, dbus compiles successfully without it, but dbus-daemon will
not start because it cannot set up reload signalling.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/531
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 19 Nov 2024 13:11:13 +0000 (13:11 +0000)]
Completely remove the Containers1 interface
This interface is still not ready for production use. To minimize
confusion, let's remove it from the 1.16.x stable branch. We can have
another try during the 1.17.x cycle, via dbus/dbus!449.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 18 Nov 2024 18:53:23 +0000 (18:53 +0000)]
bus: Don't create /run/dbus/containers if the feature is disabled
The `Containers1` interface is not stable or production-ready, and is
compile-time-optional behind a build option, which in fact currently
cannot be enabled (it intentionally provokes a compiler `#error` if
enabled). If it isn't enabled, this directory won't be useful, so
there's no reason to create it.
As discussed in <https://github.com/systemd/mkosi/issues/3189>, if we
use the `@DBUS_USER@` here, it makes `tmpfiles.d/dbus.conf` dependent
on having created the `@DBUS_USER@` via `sysusers.d` or some
appropriate distro-specific mechanism. This is problematic in distros
that split up the functionality of dbus into several layers, such as
Debian: the `@DBUS_USER@` conceptually belongs to the same layer as
the well-known system bus, but `/etc/machine-id` and
`/var/lib/dbus/machine-id` are also used by the well-known session bus,
which is orthogonal to the system bus; so we want `dbus.conf` to be in a
lower layer than the `@DBUS_USER@`.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Mon, 4 Nov 2024 15:49:39 +0000 (15:49 +0000)]
doc, maint: Publishing DTDs requires a MR to xdg-specs
We can no longer upload to specifications.freedesktop.org directly.
Instead, that area of the freedesktop.org web space is updated by
sending merge requests to the xdg/xdg-specs project.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Simon McVittie [Tue, 29 Oct 2024 15:47:21 +0000 (15:47 +0000)]
doc: Use api/html to link to Doxygen docs in Devhelp index
Now that we're installing the Doxygen documentation in a subdirectory,
the Devhelp index needs to reflect that.
Fixes: 522633b4 "cmake: install api docs in html subdir"
Fixes: f546ddd9 "meson: Install Doxygen docs as api/html/*.html"
Signed-off-by: Simon McVittie <smcv@debian.org>
Simon McVittie [Sun, 27 Oct 2024 18:19:08 +0000 (18:19 +0000)]
tests: Only check whether the first 1024 fds are close-on-exec
On recent Linux systems, systemd sets the hard limit on the number of
file descriptors extremely high (about 1e9, compared with about 1e6 in
previous systemd versions or 4096 in the kernel's historical defaults),
and dbus raises its soft limit to match the hard limit. The result of
sysconf(_SC_OPEN_MAX) is based on the fd limit, and iterating linearly
through that many fds takes long enough for activation to time out.
This particular piece of code is just test instrumentation, which aims to
log (possibly fatal) warnings if any file descriptor is not close-on-exec
as it should be. In practice the test suite doesn't use anywhere near
a thousand fds, so it's sufficient to run this check against a much
smaller number of fds.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/527
Bug-Debian: https://bugs.debian.org/1086148
Signed-off-by: Simon McVittie <smcv@collabora.com>
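Added example (not part of the commit and not the dbus test code): a C sketch of a bounded close-on-exec check of the kind the message above describes, scanning at most 1024 descriptors regardless of how high sysconf(_SC_OPEN_MAX) is. The function names and the choice to skip fds 0 to 2 (stdin, stdout, stderr are normally inherited on purpose) are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_FDS_TO_CHECK 1024   /* bound named in the commit message */

/* Upper bound for the scan: the fd limit, capped so that a limit of
 * about 1e9 does not turn into a billion fcntl() calls. */
static long fd_scan_limit(void)
{
    long limit = sysconf(_SC_OPEN_MAX);

    if (limit < 0 || limit > MAX_FDS_TO_CHECK)
        limit = MAX_FDS_TO_CHECK;
    return limit;
}

/* Count open descriptors in [3, limit) that would survive exec(). */
static int count_non_cloexec_fds(void)
{
    long limit = fd_scan_limit();
    int leaked = 0;

    for (int fd = 3; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);

        if (flags == -1)
            continue;               /* EBADF: this fd is not open */
        if (!(flags & FD_CLOEXEC)) {
            fprintf(stderr, "warning: fd %d is not close-on-exec\n", fd);
            leaked++;
        }
    }
    return leaked;
}

/* Mark one descriptor close-on-exec, preserving its other fd flags. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);

    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

int main(void)
{
    int p[2];

    if (pipe(p) != 0)               /* pipe() does not set FD_CLOEXEC */
        return 1;
    printf("after pipe(): %d fds not close-on-exec\n", count_non_cloexec_fds());
    set_cloexec(p[0]);
    set_cloexec(p[1]);
    printf("after set_cloexec(): %d\n", count_non_cloexec_fds());
    close(p[0]);
    close(p[1]);
    return 0;
}
```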
Alan Coopersmith [Sun, 13 Oct 2024 19:33:06 +0000 (12:33 -0700)]
test: Move fd limit check into test_flood
Other tests have different requirements for fds (and already check for
them), so move this check into the specific test (mirroring what those
other tests already do) instead of blocking the whole test program,
incorrectly using autoconf test return codes instead of TAP protocol,
as discussed in #176.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Alan Coopersmith [Sun, 13 Oct 2024 19:24:09 +0000 (12:24 -0700)]
test: raise fd limit to maximum before running fdpass tests
Many of these tests require more than the default fd limit on some systems,
so raise the limit, if we can, to give them a better chance of being able
to run.
Closes #176
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Needed when building with support for Solaris audit API, otherwise
linking fails with:
    Undefined                   first referenced
     symbol                         in file
    adt_export_session_data     dbus/libdbus-1.so.3.38.1.p/dbus-sysdeps-unix.c.o
    adt_start_session           dbus/libdbus-1.so.3.38.1.p/dbus-sysdeps-unix.c.o
    adt_end_session             dbus/libdbus-1.so.3.38.1.p/dbus-sysdeps-unix.c.o
    adt_set_from_ucred          dbus/libdbus-1.so.3.38.1.p/dbus-sysdeps-unix.c.o
Fixes: cd2e3826 ("Add Meson build system")
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
spec: recommend searching for system-services in /etc/ and /run/
This is useful when an asset manager wants to install a system
service while /usr/ is read-only (e.g.: portable services running
on a different namespaced image). Also recommend searching in /run/
following the now-standard pattern, for ephemeral services.
bus: search for system-services in /etc/ and /run/ by default
This is useful when an asset manager wants to install a system
service while /usr/ is read-only (e.g.: portable
services running on a different namespaced image). Unlike other
directories, enforce strict naming and do not set up an inotify,
as the directories might not even exist until much later. Also
search in /run/ for ephemeral services that will disappear after
a reboot.
Jordan Williams [Wed, 6 Mar 2024 14:32:34 +0000 (08:32 -0600)]
Handle missing user when installing setuid in meson_post_install.py
The logic that sets the dbus-daemon-launcher-helper setuid does not
handle the case where the group named the same as the dbus_user does not
exist.
This makes the assumption that the primary group of the dbus_user
has the same name as the dbus_user.
This may not be the case.
To remedy these issues, obtain the group id for dbus_user instead of
attempting to retrieve the group id by name.
To avoid a failure when the user does not exist, handle the KeyError
exception from the pwd.getpwnam function by printing a warning and
skipping the logic to set the binary setuid.
Perform an additional check to ensure that the dbus_user's primary group
has only a single member.
Fail similarly if it has more than one member.
Resolves: #492
Signed-off-by: Simon McVittie <smcv@collabora.com>