Simon McVittie [Tue, 22 Nov 2016 11:39:07 +0000 (11:39 +0000)]
Spec: document AppArmor mediation of auto-starting
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Simon McVittie [Mon, 21 Nov 2016 21:18:15 +0000 (21:18 +0000)]
Activation test: exercise what happens with nonexistent AppArmor labels
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Simon McVittie [Mon, 21 Nov 2016 20:46:17 +0000 (20:46 +0000)]
Add an integration test for AppArmor mediating activation
This requires libapparmor 2.10, for aa_features_new_from_kernel()
and related functions.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Simon McVittie [Mon, 21 Nov 2016 20:45:45 +0000 (20:45 +0000)]
Mediate auto-activation attempts through AppArmor
Because the recipient process is not yet available, we have to make some
assumption about its AppArmor profile. Parsing the first word of
the Exec value and then chasing symlinks seems like too much magic,
so I've gone for something more explicit. If the .service file contains
AssumedAppArmorLabel=/foo/bar
then we will do the AppArmor query on the assumption that the recipient
AppArmor label will be as stated. Otherwise, we will do a query
with an unspecified label, which means that AppArmor rules that do
specify a peer label will never match it.
Regardless of the result of this query, we will do an independent
AppArmor query when the activation has actually happened, this time
with the correct peer label; that second query will still be used
to decide whether to deliver the message. As a result, if this change
has any effect, it is to make the bus more restrictive; it does not
allow anything that would previously have been denied.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Simon McVittie [Mon, 21 Nov 2016 20:56:55 +0000 (20:56 +0000)]
Do not auto-activate services if we could not send a message
We specifically do not check recipient policies, because
the recipient policy is based on properties of the
recipient process (in particular, its uid), which we do
not necessarily know until we have already started it.
In this initial implementation we do not check LSMs either,
because we cannot know what LSM context the recipient process
is going to have. However, LSM support will need to be added
to make this feature useful, because StartServiceByName is
normally allowed in non-LSM environments, and is more
powerful than auto-activation anyway.
The StartServiceByName method does not go through this check,
because if access to that method has been granted, then
it's somewhat obvious that you can start arbitrary services.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Simon McVittie [Fri, 16 Oct 2015 16:33:36 +0000 (17:33 +0100)]
Add tests for activation when message send/receive is denied
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
Simon McVittie [Tue, 22 Nov 2016 21:10:44 +0000 (21:10 +0000)]
Install mingw build-dependencies in a different order
This avoids installing the build-dependencies for dbus and its tests,
then uninstalling them all because they rely on libraries whose versions
are older than the ones needed by wine:i386 (and apparently apt prefers
to remove those libraries rather than upgrade them). Doing it this way
round seems to convince apt to do the right thing.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Wed, 9 Nov 2016 18:44:21 +0000 (18:44 +0000)]
Don't test X11 autolaunching if it was disabled at compile time
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98665
Simon McVittie [Tue, 22 Nov 2016 11:46:17 +0000 (11:46 +0000)]
Spec: be clearer about "starting" and "activation" being synonyms
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
Philip Withnall [Tue, 1 Nov 2016 04:17:54 +0000 (21:17 -0700)]
spec: Clarify behaviour of o.f.D.P.GetAll
Clarify its intended behaviour in two situations:
• For interfaces which have no properties.
• Where some properties are not visible to the caller (due to access
control, for example).
The intention here is for this behaviour to be mandatory, but given that
this is quite late on in the specification’s life, and various D-Bus
libraries like dbus-glib and telepathy-glib cannot support access
control at a per-property level, for example. GDBus can, although it’s
questionable whether this is a good idea. Deliberately leave the
specification open to allow access control at a higher level as well
(such as per-(object, interface)).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=36190 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Mon, 21 Nov 2016 20:19:22 +0000 (20:19 +0000)]
Spec: mostly use versioned interface and bus names
Using versioned names here reinforces the advice given in
<https://dbus.freedesktop.org/doc/dbus-api-design.html#api-versioning>.
I haven't added versions to the sample parameters "com.example.tea" and
"com.example.cappuccino" for methods that query information about
names, on the basis that I assume they are more likely to be intended
to represent an implementation than an API.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
Simon McVittie [Wed, 9 Nov 2016 17:52:48 +0000 (17:52 +0000)]
Spec: document systemd activation
We didn't say that SystemdService existed. Now we do, together with
enough context to make it make sense.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
Simon McVittie [Mon, 21 Nov 2016 20:12:57 +0000 (20:12 +0000)]
Spec: document what auto-starting is, and recommend it
For something we recommend, that is important enough to have its own
header flag, it doesn't have very good documentation. Redo the text
to suggest that auto-starting is the normal thing and
StartServiceByName is the oddity. That's usually a good principle
to follow, since it dodges time-of-check/time-of-use issues, and the
method call that you presumably wanted to do needs to handle errors
anyway.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
Simon McVittie [Mon, 21 Nov 2016 20:12:17 +0000 (20:12 +0000)]
Spec: be clearer about what activation means
The spec previously mentioned that CORBA calls this activation, but
did not explicitly say that D-Bus has copied this jargon term.
It's 2016, and developers are probably more likely to be familiar
with D-Bus than with CORBA at this point: explicitly say that *our*
jargon term for this action is activation.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
Simon McVittie [Fri, 11 Nov 2016 16:40:44 +0000 (16:40 +0000)]
Make uid 0 immune to pending_fd_timeout limit
This is a workaround for
<https://bugs.freedesktop.org/show_bug.cgi?id=95263>. If a service
sends a file descriptor sufficiently frequently that its queue of
messages never goes down to 0 fds pending, then it will eventually be
disconnected. logind is one such service.
We do not currently have a good solution for this: the proposed
patches either don't work, or reintroduce a denial of service
security vulnerability (CVE-2014-3637). Neither seems desirable.
However, we can avoid the worst symptoms by trusting uid 0 not to be
malicious.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95263
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1591411 Reviewed-by: Łukasz Zemczak Tested-by: Ivan Kozik Tested-by: Finn Herpich Tested-by: autostatic Tested-by: Ben Parafina Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Wed, 9 Nov 2016 12:59:18 +0000 (12:59 +0000)]
Add more _DBUS_GNUC_PRINTF annotations
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98658
Simon McVittie [Fri, 7 Oct 2016 18:05:40 +0000 (19:05 +0100)]
dbus-nonce: print sockets correctly
Since early 2015, a DBusSocket has been a struct containing either
an int or a pointer-sized Windows SOCKET. Print them with
"%" DBUS_SOCKET_FORMAT and _dbus_socket_printable().
Bug found by adding more _DBUS_GNUC_PRINTF attributes.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Simon McVittie [Fri, 7 Oct 2016 18:01:01 +0000 (19:01 +0100)]
dbus_signature_validate: be sure to use a literal format string
This was not a security vulnerability because
_dbus_validity_to_error_message() doesn't return anything containing
"%", but the compiler can't know that.
Found by adding more _DBUS_GNUC_PRINTF attributes.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Test compiler and linker flags with AX_COMPILER_FLAGS_* macros
The autoconf macros AX_COMPILER_FLAGS_{CFLAGS|CXXFLAGS|LDFLAGS} test
for compiler and linker support of various flags, and add the flags to
the generated output.
If the command-line option '--enable-compile-warnings' is specified to
'configure', a number of additional warning options is also added to the
output. This is the default.
The AX_COMPILER_FLAGS_* macros add stricter warnings then before. The
patch disables some of them to make dbus build without errors. A later
patch set should fix the warnings and remove the compiler flags.
This patch integrates all tests for compiler flags into the call to
AX_COMPILER_FLAGS_CFLAGS. All tests for compiler flags are now done
in a single place. The old macros have been removed.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: add missing $ to DISABLE_WARNINGS]
[smcv: drop -Wno-discarded-qualifiers]
[smcv: drop non-C++ option -Wpointer-sign in C++ mode]
[smcv: work around an AX_COMPILER_FLAGS_CFLAGS bug]
[smcv: this source tree is called dbus, not DBus] Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Simon McVittie [Sat, 1 Oct 2016 14:06:27 +0000 (15:06 +0100)]
Revert "Keep cmake gcc builds in sync with autotools warnings."
When reviewing this commit, I said
Looks OK, although this is going to become impossible if we start
using the externally-curated list of warnings from
<https://www.gnu.org/software/autoconf-archive/ax_compiler_flags.html>,
which I've been quite tempted to do.
That time has now come. I think it's more valuable to have comprehensive
warnings under our primary build system, Autotools, than to have
some fairly elaborate CMake scripting to pick up the same compiler
warnings in both build systems; the CMake build system is primarily
there to give us the ability to compile with MSVC, which has orthogonal
compiler warning options anyway.
Simon McVittie [Mon, 10 Oct 2016 14:07:34 +0000 (15:07 +0100)]
Fix remaining -Wundef warnings
Vaguely based on a patch from Thomas Zimmermann, but with a different
solution to RECURSIVE_MARSHAL_WRITE_TRACE, and additionally fixing
a build failure that only occurs when targeting Unix without libsystemd,
and another that occurs when targeting Windows.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Simon McVittie [Mon, 15 Aug 2016 14:24:16 +0000 (15:24 +0100)]
Remove leftover declarations for assuming int manipulation is atomic
We never assume this since
<https://bugs.freedesktop.org/show_bug.cgi?id=38005> was fixed, because
it isn't true in modern compilers.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Simon McVittie [Fri, 7 Oct 2016 16:24:31 +0000 (17:24 +0100)]
Clean up how we arrange for environ to be declared
Annoyingly, the POSIX way to declare environ (as
"extern char **environ") is a redundant declaration in glibc with
_GNU_SOURCE; work around that.
We also have a workaround for _NSGetEnviron() needing to be used
instead of direct access to environ in at least some circumstances on
Mac OS. Attempt to sync that up between all the files that use environ,
consistently sorting the most special special-cases first (Windows
for files that are compiled there, then Mac, then GNU, with
lowest-common-denominator POSIX last).
The affected files are already OS-specific, so I'm not bothering to
introduce a nicer or higher-level API for this.
Based on the best bits of an earlier patch from me, and an earlier
patch from Thomas Zimmermann.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Simon McVittie [Mon, 15 Aug 2016 14:32:01 +0000 (15:32 +0100)]
Reimplement _dbus_warn_return_if_fail without -Wformat-nonliteral
We can avoid duplicating the format string between translation units,
without the compiler warning us that it can't check non-literal
format strings for format-string security vulnerabilities based on %p,
by breaking out the "assertion failed" case into a slow-path.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Simon McVittie [Sat, 1 Oct 2016 11:38:50 +0000 (12:38 +0100)]
Linux: use readdir(), not deprecated readdir_r()
glibc >= 2.24 marks readdir_r() as deprecated. It is meant to be a
thread-safe version of readdir(), but modern implementations of readdir()
are thread-safe anyway (when called with a distinct DIR * argument),
and readdir_r() has some design issues involving PATH_MAX.
This code path is in Linux-specific code, so we can safely assume a
high-quality implementation of readdir().
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Simon McVittie [Fri, 7 Oct 2016 16:41:01 +0000 (17:41 +0100)]
Be more const-correct
As a general design principle, strings that we aren't going to modify
should usually be const. When compiling with -Wwrite-strings, quoted
string constants are of type "const char *", causing compiler warnings
when they are assigned to char * variables.
Unfortunately, we need to add casts in a few places:
* _dbus_list_append(), _dbus_test_oom_handling() and similar generic
"user-data" APIs take a void *, not a const void *, so we have
to cast
* For historical reasons the execve() family of functions take a
(char * const *), i.e. a constant pointer to an array of mutable
strings, so again we have to cast
* _dbus_spawn_async_with_babysitter similarly takes a char **,
although we can make it a little more const-correct by making it
take (char * const *) like execve() does
This also incorporates a subsequent patch by Thomas Zimmermann to
put various string constants in static storage, which is a little
more efficient.
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98192
Simon McVittie [Sat, 1 Oct 2016 14:20:11 +0000 (15:20 +0100)]
Rename distro-style CI build from "release" to "production"
This avoids confusion with the meaning of "release" used by
AX_IS_RELEASE. AX_IS_RELEASE is about facts about the source tree,
namely the distinction between releases (tags) and random snapshots.
The build variants in .travis.yml are about facts about the build
being done, namely the distinction between production and
debug/developer builds.
Production builds are sometimes referred to as "release builds",
for example in typical CMake and MSVC build environments, but a
different term seems better here.
Signed-off-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Partially fix warnings from compiler option '-Wredundant-decls'
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: omit the part involving environ, which was more involved] Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Partially fix warnings from compiler option '-Wformat-nonliteral'
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: split out from a larger commit] Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
This path removes the obsolete configure option
'--disable-compiler-optimisations'. Users can control compiler flags
by setting CFLAGS, CXXFLAGS, etc in the build environment.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Several internal functions are not used on Windows. This patch
hides them behind DBUS_WIN.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net> Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: add space after cast, that is our coding style] Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
This patch adds 'void' to function declarations without parameters.
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: fix coding style while we're touching these lines anyway] Reviewed-by: Simon McVittie <smcv@debian.org>
Add configure option '--enable-debug' to control debugging and profiling
The command-line option '--enable-debug' controls the debugging and
profiling flags of the build. Debugging is disabled by default and only
enabled on developer builds. Profiling is always disabled. Both options
can be overridden from the command line (e.g., for profiling of release
builds).
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
[smcv: remove trailing whitespace from new lines] Reviewed-by: Simon McVittie <smcv@debian.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97357
Simon McVittie [Fri, 7 Oct 2016 20:38:05 +0000 (21:38 +0100)]
Disable deprecation warnings for stable branch
We're not going to replace deprecated functions here.
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 20:26:36 +0000 (21:26 +0100)]
Ignore ActivationFailure if not using systemd activation
This isn't security-related, just defensive programming: if
dbus-daemon wasn't run with --systemd-activation, then there is no
reason why systemd would legitimately send us this signal, and if it
does we should just ignore it.
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 20:25:08 +0000 (21:25 +0100)]
bus_driver_handle_message: reject ActivationFailure if unprivileged
Specifically, this will allow ActivationFailure messages from our
own uid or from root, but reject them otherwise, even if the bus
configuration for who can own org.freedesktop.systemd1 is entirely
wrong due to something like CVE-2014-8148.
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 18:13:01 +0000 (19:13 +0100)]
dbus_activation_systemd_failure: do not use non-literal format string
In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.
This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.
However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.
Bug found using -Wsuggest-attribute=format and -Wformat-security.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 20:26:36 +0000 (21:26 +0100)]
Ignore ActivationFailure if not using systemd activation
This isn't security-related, just defensive programming: if
dbus-daemon wasn't run with --systemd-activation, then there is no
reason why systemd would legitimately send us this signal, and if it
does we should just ignore it.
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 20:25:08 +0000 (21:25 +0100)]
bus_driver_handle_message: reject ActivationFailure if unprivileged
Specifically, this will allow ActivationFailure messages from our
own uid or from root, but reject them otherwise, even if the bus
configuration for who can own org.freedesktop.systemd1 is entirely
wrong due to something like CVE-2014-8148.
Signed-off-by: Simon McVittie <smcv@debian.org> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Simon McVittie [Fri, 7 Oct 2016 18:13:01 +0000 (19:13 +0100)]
dbus_activation_systemd_failure: do not use non-literal format string
In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.
This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.
However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.
Bug found using -Wsuggest-attribute=format and -Wformat-security.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk> Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Philip Withnall [Sat, 1 Oct 2016 13:59:47 +0000 (15:59 +0200)]
bus: Add sender name to bus activation log messages
This clarifies
Activating via systemd: service name='com.example.Example'
unit='example.service'
to
Activating via systemd: service name='com.example.Example'
unit='example.service' requested by ':1.23' (uid 1000 pid 123
comm "whatever-activat")
Similarly for the non-systemd code paths.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68212 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Philip Withnall [Sat, 1 Oct 2016 19:23:16 +0000 (21:23 +0200)]
doc: Install introspection and busconfig DTDs
Install them to $(datadir)/xml/dbus-1, which seems to be the standard
location for installed DTDs. This means that developers can use them to
validate their introspection XML, and sysadmins can use them to validate
their bus configuration files.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89011 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Marc Mutz [Mon, 3 Oct 2016 20:19:45 +0000 (22:19 +0200)]
DBusMessage: Fix UB (misaligned access) in call to _dbus_header_set_field_basic()
The const void* 'value' pointer that is passed the address of a
uint32_t here eventually ends up in _dbus_marshal_write_basic(), which
casts it to a DBusBasicValue, a union type that has an alignment of
eight on 64-bit platforms and is therefore more-aligned than the
uint32.
The read of a value of a more-aligned type through a pointer to a less
-aligned type is undefined behaviour.
Fix by storing the uint32 in a DBusBasicValue and passing that instead.
Found by UBSan:
dbus/dbus/dbus-marshal-basic.c:832:14: runtime error: member access within misaligned address 0x7fdb8dac3a04 for type 'const union DBusBasicValue', which requires 8 byte alignment
0x7fdb8dac3a04: note: pointer points here
4a 87 b5 71 01 00 00 00 40 7d 01 00 00 61 00 00 10 3b ac 8d db 7f 00 00 2c 2a 3e 94 db 7f 00 00
^
#0 0x7fdb9444a2c3 in _dbus_marshal_write_basic dbus/dbus/dbus-marshal-basic.c:832
#1 0x7fdb943d22fb in _dbus_type_writer_write_basic_no_typecode dbus/dbus/dbus-marshal-recursive.c:1605
#2 0x7fdb943d64e9 in _dbus_type_writer_write_basic dbus/dbus/dbus-marshal-recursive.c:2327
#3 0x7fdb943c52a6 in write_basic_field dbus/dbus/dbus-marshal-header.c:318
#4 0x7fdb943c919e in _dbus_header_set_field_basic dbus/dbus/dbus-marshal-header.c:1321
#5 0x7fdb943e1349 in dbus_message_set_reply_serial dbus/dbus/dbus-message.c:1173
Signed-off-by: Marc Mutz <marc@kdab.net> Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98035
Philip Withnall [Sat, 1 Oct 2016 11:47:27 +0000 (13:47 +0200)]
spec: Allow <annotation> in <arg> elements in introspection XML
This is widely used in practice (especially by GLib — just look at files
in /usr/share/dbus-1/interfaces/), and there is no reason not to allow
it. Update the specification, introspection DTD and XSL file to allow
and represent it.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86162 Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Philip Withnall [Sat, 1 Oct 2016 11:22:30 +0000 (13:22 +0200)]
spec: Recommend against using ‘/’ for object paths
As discussed in http://0pointer.de/blog/projects/versioning-dbus.html
and in https://dbus.freedesktop.org/doc/dbus-api-design.html,
un-versioned object paths make it hard to work out which interface a
signal was emitted from.
Clarify this in the specification to try and avoid people making this
mistake.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=37095 Reviewed-by: Simon McVittie <smcv@debian.org>
Like --fork and --nofork, these override what the configuration says.
Use --syslog-only to force the systemd services to log to the Journal
(via syslog, which means we see the severity metadata) instead of
testing sd_booted() in the configuration implementation.
Simon McVittie [Wed, 20 Jul 2016 08:25:57 +0000 (09:25 +0100)]
_dbus_warn, _dbus_warn_check_failed: unify with _dbus_logv
This means that dbus-daemon will log something like
dbus-daemon[123]: Unable to add reload watch to main loop
to syslog and/or stderr according to its configuration, while other
libdbus users will print something like this to stderr:
dbus[4567]: arguments to dbus_foo() were incorrect, assertion
"connection != NULL" failed at file dbus-foo.c line 123.
This is normally a bug in some application using the D-Bus library.
This slightly changes the meaning of the argument to _dbus_warn()
and _dbus_warn_check_failed. Previously, a trailing newline was
expected, and a missing newline would have resulted in incorrect
output. Now, a newline is supplied automatically by the
library (like g_warning()), and messages that end with a newline will
result in an unnecessary extra newline in output.
This extra newline is harmless, so I'm not going to change all the
callers immediately.
Simon McVittie [Fri, 12 Aug 2016 16:59:45 +0000 (17:59 +0100)]
_dbus_logv: configurably log to syslog and/or stderr
This changes the behaviour of _dbus_logv() if _dbus_init_system_log() was
not called. Previously, _dbus_logv() would always log to syslog;
additionally, it would log to stderr, unless the process is dbus-daemon
and it was started by systemd. Now, it will log to stderr only,
unless _dbus_init_system_log() was called first.
This is the desired behaviour because when we hook up
_dbus_warn_check_failed() to _dbus_logv() in the next commit, we don't
want typical users of libdbus to start logging their check failures to
syslog - we only want the dbus-daemon to do that.
In practice this is not usually a behaviour change, because there was
only one situation in which we called _dbus_logv() without first calling
_dbus_init_system_log(), namely an error while parsing configuration
files. Initialize the system log "just in time" in that situation
to preserve existing behaviour.
projects / thirdparty / dbus.git / log
