Colin Walters [Thu, 18 Dec 2008 00:29:39 +0000 (19:29 -0500)]
Add requested_reply to send denials, and connection loginfo to "would deny"
The requested_reply field is necessary in send denials too because
it's used in the policy language. The connection loginfo lack in
"would deny" was just an oversight.
Colin Walters [Wed, 21 Jan 2009 21:23:18 +0000 (16:23 -0500)]
Add uid, pid, and command to security logs
Extend the current security logs with even more relevant
information than just the message content. This requires
some utility code to look up and cache (as a string)
the data such as the uid/pid/command when a connection is
authenticated.
Colin Walters [Tue, 9 Dec 2008 14:15:06 +0000 (09:15 -0500)]
Bug 18229: Allow signals
Our previous fix went too far towards lockdown; many things rely
on signals to work, and there's no really good reason to restrict
which signals can be emitted on the bus because we can't tie
them to a particular sender.
Colin Walters [Wed, 21 Jan 2009 19:58:49 +0000 (14:58 -0500)]
Bug 18229 - Change system.conf to correctly deny non-reply sends by default
The previous rule <allow send_requested_reply="true"/> was actually
applied to all messages, even if they weren't a reply. This meant
that in fact the default DBus policy was effectively allow, rather
than deny as claimed.
This fix ensures that the above rule only applies to actual reply
messages.
Signed-off-by: Colin Walters <walters@verbum.org>
Conflicts:
* CVE-2008-0595 - security policy of the type <allow send_interface=
"some.interface.WithMethods"/> works as an implicit allow for
messages sent without an interface, bypassing the default deny rules
and potentially allowing restricted methods exported on the bus to be
executed by unauthorized users. This patch fixes the issue.
* bus/policy.c (bus_client_policy_check_can_send,
bus_client_policy_check_can_receive): skip messages without an
interface when evaluating an allow rule
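The two policy fixes above (the CVE-2008-0595 interface check in bus/policy.c and the bug 18229 system.conf change) share one mechanism: a send rule that matches more messages than its author intended. The following is an added example, not the project's bus/policy.c: a deliberately simplified model of send-rule matching that reproduces both behaviours. The `DENY_ALL` rule, the message and policy values, and the `fixed_interface_check` switch are this example's own constructions; the model omits destination, path, member and eavesdrop matching entirely.

```python
"""Simplified model of D-Bus send-policy matching (added example; not bus/policy.c).
Models only the send_interface, send_type and send_requested_reply attributes."""
from dataclasses import dataclass
from typing import List, Optional

METHOD_CALL, METHOD_RETURN, ERROR, SIGNAL = "method_call", "method_return", "error", "signal"


@dataclass
class Message:
    type: str
    interface: Optional[str] = None   # the interface header is optional in D-Bus
    member: Optional[str] = None
    reply_serial: int = 0             # non-zero only for method_return / error
    requested_reply: bool = False     # set by the bus when a reply answers a pending call


@dataclass
class SendRule:
    allow: bool
    interface: Optional[str] = None         # send_interface="..."
    send_type: Optional[str] = None         # send_type="..."
    requested_reply: Optional[bool] = None  # send_requested_reply="true"/"false"


def rule_matches(rule: SendRule, msg: Message, fixed_interface_check: bool) -> bool:
    if rule.send_type is not None and rule.send_type != msg.type:
        return False
    if rule.interface is not None:
        if msg.interface is None:
            # CVE-2008-0595: a message with no interface header matched every
            # interface-specific rule, so <allow send_interface="X"/> let
            # interface-less calls through. The fix skips *allow* rules for
            # such messages; deny rules still match, so policy fails closed.
            if fixed_interface_check and rule.allow:
                return False
        elif msg.interface != rule.interface:
            return False
    if rule.requested_reply is not None and msg.reply_serial != 0:
        # requested_reply only constrains reply messages. For a non-reply the
        # attribute is ignored and the rule still applies, which is why a bare
        # <allow send_requested_reply="true"/> allowed everything (bug 18229).
        if rule.allow and rule.requested_reply and not msg.requested_reply:
            return False
    return True


def can_send(rules: List[SendRule], msg: Message, fixed_interface_check: bool = True) -> bool:
    """Last matching rule wins; with no matching rule the send is denied."""
    allowed = False
    for rule in rules:
        if rule_matches(rule, msg, fixed_interface_check):
            allowed = rule.allow
    return allowed


# Constructed policies. DENY_ALL stands in for the default-deny rules.
DENY_ALL = SendRule(allow=False)
INTERFACE_POLICY = [DENY_ALL, SendRule(allow=True, interface="some.interface.WithMethods")]
OLD_SYSTEM_POLICY = [DENY_ALL, SendRule(allow=True, requested_reply=True)]
NEW_SYSTEM_POLICY = [
    DENY_ALL,
    SendRule(allow=True, send_type=SIGNAL),
    SendRule(allow=True, send_type=METHOD_RETURN, requested_reply=True),
    SendRule(allow=True, send_type=ERROR, requested_reply=True),
]

# Constructed messages.
NO_IFACE_CALL = Message(METHOD_CALL, interface=None, member="RestrictedMethod")
PLAIN_CALL = Message(METHOD_CALL, interface="other.Interface", member="Foo")
REQUESTED_RETURN = Message(METHOD_RETURN, reply_serial=7, requested_reply=True)
UNREQUESTED_RETURN = Message(METHOD_RETURN, reply_serial=7, requested_reply=False)
SIGNAL_MSG = Message(SIGNAL, interface="org.example.Iface", member="Changed")


if __name__ == "__main__":
    print("CVE-2008-0595, before fix:", can_send(INTERFACE_POLICY, NO_IFACE_CALL, False))  # True
    print("CVE-2008-0595, after fix: ", can_send(INTERFACE_POLICY, NO_IFACE_CALL, True))   # False
    print("bug 18229, old system.conf:", can_send(OLD_SYSTEM_POLICY, PLAIN_CALL))           # True
    print("bug 18229, new system.conf:", can_send(NEW_SYSTEM_POLICY, PLAIN_CALL))           # False
    print("new system.conf, requested reply:", can_send(NEW_SYSTEM_POLICY, REQUESTED_RETURN))  # True
```

The practical check this suggests for any bus policy: for every `<allow>` rule, ask which messages match it when an optional header (interface, member, destination) is absent, and whether an attribute such as `send_requested_reply` constrains the message types you assumed it did. Pairing `send_requested_reply="true"` with an explicit `send_type` is what closes the hole in the model above.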
correctly unref connections without guids during shutdown
* dbus/dbus-connection.c (close_connection_on_shutdown): new method
split out from shared_connections_shutdown
(shared_connections_shutdown): shutdown all shared connections
without guids
(_dbus_connection_ref_unlocked): handle OOM when prepending no guid
connections to the shared_connections_no_guid list
* Patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
* dbus/dbus-message.c (dbus_message_get_cached)
(dbus_message_cache_or_finalize): don't mess with message from
message cache outside of the cache lock. Bug #9164 from Jonathan
Matthew.
* dbus/dbus-connection.c (struct DBusConnection): Fix from Olivier
Hochreutiner to avoid trying to protect individual bits in a word
with different locks (make dispatch_acquired and io_path_acquired
dbus_bool_t rather than bitfields)
Havoc Pennington [Fri, 26 Jan 2007 16:10:26 +0000 (16:10 +0000)]
2007-01-26 Havoc Pennington <hp@redhat.com>
* bus/session.conf.in: override all the default limits with much
higher limits on the session bus, there is no reason the session
bus should have low limits
* bus/config-parser.c (bus_config_parser_new): increase default
limits so they are less likely to be hit; in particular the max
replies per connection was way too low
Thiago Macieira [Wed, 22 Nov 2006 17:49:57 +0000 (17:49 +0000)]
Backporting from HEAD:
* dbus/dbus-sysdeps-pthread.c (_dbus_pthread_mutex_lock,
_dbus_pthread_condvar_wait,
_dbus_pthread_condvar_wait_timeout): set pmutex->holder to
pthread_self() after coming back from a conditional variable
wait as well as in one codepath where it was forgotten.
Approved by: Havoc Pennington.
Havoc Pennington [Sat, 18 Nov 2006 03:30:47 +0000 (03:30 +0000)]
2006-11-17 Havoc Pennington <hp@redhat.com>
* update-dbus-docs.sh: allow setting fd.org username via env
variable. Make it run autogen with --enable-xml-docs=yes
--enable-doxygen-docs=yes so configure will fail if the required
tools are missing.
Havoc Pennington [Wed, 15 Nov 2006 03:07:59 +0000 (03:07 +0000)]
2006-11-14 Havoc Pennington <hp@redhat.com>
* dbus/dbus-misc.c, dbus/dbus-misc.h: Move
dbus_get_local_machine_id() to its own file, no substantive
changes. There are a couple other things we might want to add that
are "misc" so moving out of dbus-connection.[hc] which is big
enough already.
Havoc Pennington [Wed, 15 Nov 2006 01:52:01 +0000 (01:52 +0000)]
2006-11-14 Havoc Pennington <hp@redhat.com>
* dbus/dbus-internals.c (_dbus_generate_uuid): The spec said the
UUID had the timestamp last, but the implementation had it first;
move it to last since I think it's a tiny bit nicer (easier to
compare at a glance, faster to sort, less code), and will not
cause any practical compatibility problems. Also, always convert
the timestamp to big endian.
* doc/dbus-specification.xml: Clean up the docs on the UUID.
* tools/dbus-uuidgen.1: more prominently say it is not suitable
as a replacement for regular uuidgen/RFC4122.
* HACKING: Update release instructions to include stuff about
stable releases, branching, etc. May not be totally correct,
please fix if needed, but keep instructions up-to-date so we do
each stable release consistently in the future.
* doc/dbus-specification.xml, doc/dbus-faq.xml, README: various
documentation updates. Bump faq/spec versions (not to 1.0; I don't
think the spec will be "finished"/1.0 when we ship the 1.0 library).
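The UUID layout the entry above settles on (random bytes first, 4-byte big-endian Unix timestamp last, 16 bytes in total, hex-encoded as 32 characters) is simple enough to build and parse in a few lines. The following is an added example, not the project's _dbus_generate_uuid(): the 12+4 byte split, the helper names and the input validation are this example's own assumptions.

```python
"""Build and parse a D-Bus style machine UUID (added example; not dbus-internals.c).
Layout assumed here: 12 random bytes, then a 4-byte big-endian Unix timestamp."""
import os
import struct
import time
from typing import Optional, Tuple

UUID_BYTES = 16
TIMESTAMP_BYTES = 4
RANDOM_BYTES = UUID_BYTES - TIMESTAMP_BYTES


def generate_dbus_uuid(now: Optional[int] = None) -> str:
    """Return a 32-character lowercase hex id; 'now' may be fixed for testing."""
    if now is None:
        now = int(time.time())
    # Timestamp last and always big-endian, as the commit above requires.
    raw = os.urandom(RANDOM_BYTES) + struct.pack(">I", now & 0xFFFFFFFF)
    return raw.hex()


def parse_dbus_uuid(text: str) -> Tuple[bytes, int]:
    """Split a hex machine id into (random part, timestamp); reject malformed input."""
    text = text.strip()
    if len(text) != 2 * UUID_BYTES:
        raise ValueError(f"expected {2 * UUID_BYTES} hex characters, got {len(text)}")
    try:
        raw = bytes.fromhex(text)
    except ValueError as exc:
        raise ValueError("machine id is not hex") from exc
    (timestamp,) = struct.unpack(">I", raw[RANDOM_BYTES:])
    return raw[:RANDOM_BYTES], timestamp


if __name__ == "__main__":
    uuid = generate_dbus_uuid()
    rand, stamp = parse_dbus_uuid(uuid)
    print(uuid, "random=", rand.hex(), "generated at", time.strftime("%Y-%m-%d", time.gmtime(stamp)))
```

Note what the parser makes visible: the last eight hex digits of every id are a plain timestamp, and nothing in the layout carries the RFC 4122 version and variant bits, which is the substance of the dbus-uuidgen.1 warning in the same entry. Treat the value as an opaque per-machine identifier, not as a random token.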
* bus/config-parser.c (service_dirs_find_dir): use
_dbus_list_get_next_link so we don't get stuck in an infinite loop
(start_busconfig_child): move processing of standard_session_servicedirs
tags here because they have no content
(bus_config_parser_content): check we don't have content in
standard_session_servicedirs tag
* tools/Makefile.am: Make sure the /var/lib/dbus directory is created
Packagers need to own this directory
* tools/run-with-tmp-session-bus.sh: fixed script to replace the
<standard_session_servicedirs> tag with a <servicedir> tag that
points to the test service directory
* bus/config-parser.c: add the standard_session_servicedirs element
to the parser
(bus_config_parser_content): process the standard_session_servicedirs
element by getting the standard directories from sysdeps and merging
them into the service directory list
(test_default_session_servicedirs): make sure we get what we expect
* bus/session.conf.in: replace the servicedir tag with the
standard_session_servicedirs tag
* dbus/dbus-list.h: remove the typedef of DBusList and place it in
dbus-sysdeps.h to avoid circular header dependencies
* dbus/dbus-sysdeps.h: add the typedef of DBusList
* dbus/dbus-sysdeps-unix.c (split_paths_and_append): utility function
which takes a string of directories delimited by colons, parses them
out, appends a suffix and puts them in a list ignoring empty elements
(_dbus_get_standard_session_servicedirs): returns the standard
directories for a session bus to look for service activation files
on Unix which includes the XDG_DATA_HOME, XDG_DATA_DIRS and
DBUS_DATADIR directories
* test/data/valid-config-files/many-rules.conf: add the
standard_session_servicedirs tag to the valid config file tests
Havoc Pennington [Sat, 28 Oct 2006 01:41:37 +0000 (01:41 +0000)]
2006-10-27 Havoc Pennington <hp@redhat.com>
* dbus/dbus-test.c: enclose more of the file in the
DBUS_BUILD_TESTS check.
* dbus/dbus-sysdeps-pthread.c (PTHREAD_CHECK): fix for
DBUS_DISABLE_ASSERT case.
* dbus/dbus-connection.c (dbus_connection_get_unix_user): document
that it only works on the server side
* dbus/dbus-bus.c: add a global lock covering the BusData we
attach to each connection
(internal_bus_get): lock our access to the BusData
(dbus_bus_register): lock the entire registration process
with _DBUS_LOCK(bus_datas). If we get the lock and
registration is already complete, silently return (vs. previous
behavior of aborting).
(dbus_bus_set_unique_name): lock the BusData
(dbus_bus_get_unique_name): lock the BusData
* bus/config-parser.c (service_dirs_find_dir,
service_dirs_append_unique_or_free,
service_dirs_append_link_unique_or_free): New static methods
for only appending unique service directory names into
the service directory list
(merge_included, bus_config_parser_content): Only add unique
service directory names into the list
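Two entries above describe the session bus's service-directory list: split_paths_and_append() (colon-delimited input, empty elements ignored, a suffix appended, XDG_DATA_HOME and XDG_DATA_DIRS plus DBUS_DATADIR merged in) and the unique-append helpers that keep duplicates out of the list. The following is an added example, not the project's dbus-sysdeps-unix.c or config-parser.c: the "dbus-1/services" suffix, the XDG Base Directory defaults used when the variables are unset, and the function names are this example's assumptions.

```python
"""Build the session bus service-directory search list (added example; not dbus code).
Assumes the XDG basedir defaults ($HOME/.local/share and /usr/local/share:/usr/share)
and the dbus-1/services suffix."""
import os
from typing import Dict, List, Optional

SERVICE_SUFFIX = "dbus-1/services"
DEFAULT_XDG_DATA_DIRS = "/usr/local/share:/usr/share"


def split_paths_and_append(paths: Optional[str], suffix: str, out: List[str]) -> None:
    """Split a colon-delimited path list, drop empty elements, append suffix to each.
    Dropping empty elements matters: an empty entry would otherwise name the
    current directory, a place an unprivileged user can plant activation files."""
    if not paths:
        return
    for element in paths.split(":"):
        if element == "":
            continue
        out.append(os.path.join(element, suffix))


def append_unique(dirs: List[str], path: str) -> bool:
    """Append path only if it is not already present; return whether it was added."""
    if path in dirs:
        return False
    dirs.append(path)
    return True


def standard_session_servicedirs(env: Dict[str, str], home: str, dbus_datadir: str) -> List[str]:
    """Order: XDG_DATA_HOME, then XDG_DATA_DIRS, then DBUS_DATADIR, without duplicates."""
    candidates: List[str] = []
    data_home = env.get("XDG_DATA_HOME") or os.path.join(home, ".local", "share")
    data_dirs = env.get("XDG_DATA_DIRS") or DEFAULT_XDG_DATA_DIRS
    split_paths_and_append(data_home, SERVICE_SUFFIX, candidates)
    split_paths_and_append(data_dirs, SERVICE_SUFFIX, candidates)
    candidates.append(os.path.join(dbus_datadir, SERVICE_SUFFIX))
    result: List[str] = []
    for path in candidates:
        append_unique(result, path)
    return result


if __name__ == "__main__":
    # Constructed environment with stray empty elements in XDG_DATA_DIRS.
    sample_env = {"XDG_DATA_DIRS": "/usr/local/share::/usr/share:"}
    for d in standard_session_servicedirs(sample_env, home="/home/alice", dbus_datadir="/usr/share"):
        print(d)
```

Because the list is searched in order and the first writable entry is the user's own XDG_DATA_HOME, anything a user can write there is activatable on that user's session bus; the function deliberately does not apply to the system bus, whose directories are fixed in its configuration.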
Havoc Pennington [Fri, 27 Oct 2006 14:00:20 +0000 (14:00 +0000)]
2006-10-27 Havoc Pennington <hp@redhat.com>
* dbus/dbus-sysdeps-pthread.c: make the "count" and "holder"
variables volatile, suggested by Thiago. Document struct fields.
(PTHREAD_CHECK): remove pthread error checking if assertions are
disabled, should reduce the no-assertions case to the bare
minimum code.
Havoc Pennington [Fri, 27 Oct 2006 03:29:09 +0000 (03:29 +0000)]
2006-10-26 Havoc Pennington <hp@redhat.com>
* dbus/dbus-sysdeps-pthread.c (_dbus_pthread_mutex_lock): change
to be recursive
(_dbus_pthread_mutex_unlock): make it recursive
(_dbus_pthread_condvar_wait): save/restore the recursion count
(_dbus_pthread_condvar_wait_timeout): save/restore the recursion count
Havoc Pennington [Fri, 27 Oct 2006 02:17:42 +0000 (02:17 +0000)]
2006-10-26 Havoc Pennington <hp@redhat.com>
* doc/dbus-specification.xml: clarify the UUID text slightly
* dbus/dbus-sysdeps-pthread.c: check for and mostly abort on
pthread errors. Add DBusMutexPThread and DBusCondVarPThread
in preparation for being able to extend them for e.g. recursive
mutexes.
Havoc Pennington [Fri, 27 Oct 2006 01:09:24 +0000 (01:09 +0000)]
2006-10-26 Havoc Pennington <hp@redhat.com>
* dbus/dbus-threads.[hc]: Documentation improvements. Clarify how
condition variables relate to recursive mutexes.
* dbus/dbus-sysdeps-pthread.c, dbus/dbus-sysdeps-win-thread.c,
dbus/dbus-threads.c: Split the platforms-specific thread
implementations into their own files.
* dbus/dbus-sysdeps-pthread.c
(_dbus_pthread_condvar_wait_timeout): invert the return value, it
was backward. Not that anything uses it.
Thiago Macieira [Thu, 26 Oct 2006 18:03:24 +0000 (18:03 +0000)]
* dbus/dbus-connection.c (_dbus_connection_open_internal): Fix
bug 8780: the connection lock is only required while recording
the shared connection, so protect only that code
section. Don't require connection_lookup_shared to return a
locked connection.
Thiago Macieira [Thu, 26 Oct 2006 17:34:49 +0000 (17:34 +0000)]
* tools/dbus-launch-x11.c (get_session_file, init_x_atoms):
check if get_machine_uuid() returns NULL before proceeding any
further: we can't init the X atoms or create a session file
name if there is no machine ID.
This solves a crash reported by some users if
--exit-with-session was used without --autolaunch=<machine-id>
Havoc Pennington [Sun, 22 Oct 2006 15:03:10 +0000 (15:03 +0000)]
2006-10-22 Havoc Pennington <hp@redhat.com>
* dbus/dbus-connection-internal.h: move prototype of
_dbus_bus_notify_shared_connection_disconnected_unlocked() here so
it isn't in a public header and doesn't end up in the DBusBus
group in Doxygen
Havoc Pennington [Sun, 22 Oct 2006 00:31:08 +0000 (00:31 +0000)]
2006-10-21 Havoc Pennington <hp@redhat.com>
* Makefile.am (EXTRA_DIST): dist cleanup-man-pages.sh so it's in
the tarball if packagers want to run it
* cleanup-man-pages.sh: Add a script which munges all the internal
API man pages out of the Doxygen output. This reduces the size of
the installed man pages from 7 to 2 megs, and avoids
namespace-polluting pages. Right now (like Doxygen) this script
isn't in the build, it's something packagers can do manually.
Havoc Pennington [Sat, 21 Oct 2006 18:17:02 +0000 (18:17 +0000)]
2006-10-21 Havoc Pennington <hp@redhat.com>
* Clean up Doxygen group markers for public API so Doxygen finds
everything (not comprehensively fixed for private API).
Means all remaining Doxygen warnings are just about missing docs
and thus pretty simple to resolve.
Havoc Pennington [Fri, 20 Oct 2006 05:16:58 +0000 (05:16 +0000)]
2006-10-20 Havoc Pennington <hp@redhat.com>
* doc/TODO: remove the int64 thing from 1.0 since it doesn't
matter, and the message-loader-breaker thing since nobody is going
to do it. Add an item to 1.0 about supporting recursive locks
in dbus_threads_init_default() though, since it should be easy.
* dbus/dbus-connection.c (_dbus_connection_read_write_dispatch):
Fix this in the !dispatch case to avoid busy-looping after
disconnection
* bus/dir-watch-default.c, bus/dir-watch-dnotify.c,
bus/dir-watch-kqueue.c (bus_watch_directory): Pass in a BusContext
instead of a void *. kqueue uses this to get the context's loop
while the other modules ignore the parameter. This allows us to
avoid platform conditionals
* bus/bus.c (process_config_postinit): Pass in the context to the
watch
* dbus-transport-socket.c (exchange_credentials):
Print out more detailed errors if reading or sending
credentials fail (Patch from Julio M. Merino Vidal
<jmmv at NetBSD dot org>)