Colin Walters [Mon, 13 Jul 2009 17:02:21 +0000 (13:02 -0400)]
Bug 14259 - Refactor _dbus_get_autolaunch_address
Split out the process-launching code, which can be reused for
other applications; in particular, a forthcoming patch to parse
output from launchd for MacOS X.
(cherry picked from commit 6b163e95e7a2318a98c16c0d0944337e38e62efa)
Colin Walters [Mon, 13 Jul 2009 16:47:19 +0000 (12:47 -0400)]
Bug 14259 - Make session address lookup system-dependent
On some platforms such as MacOS X and Windows, we can't depend
on an environment variable to determine the address of the
session bus. Create a sysdep function dbus_lookup_session_address
which can be filled in with platform-specific code.
(cherry picked from commit 6478ec6949c6bb794237b43d03b68f80eba1288c)
Colin Walters [Sat, 11 Jul 2009 02:27:55 +0000 (22:27 -0400)]
Bug 18121 - Use a monotonic clock for pthread timeouts
Patch based on one from Keith Mok <ek9852@gmail.com>, some
followup work from Janne Karhunen <Janne.Karhunen@gmail.com>.
We don't want condition variable timeouts to be affected by the system clock.
Use the POSIX CLOCK_MONOTONIC if available.
(cherry picked from commit ae24bb35e2ee3ecde990f55852982b573754ec43)
Will Thompson [Sun, 7 Jun 2009 16:44:26 +0000 (17:44 +0100)]
Ensure messages are locked while marshalling.
Locking a message has the side-effect of updating the message's length
header. Previously, if dbus_message_marshal() was called on an unlocked
message, it could yield an invalid message (as discovered by Ben
Schwartz in <http://bugs.freedesktop.org/show_bug.cgi?id=19723>).
(cherry picked from commit 9f825271f9106c23fe51ab54abdb5156b7751014)
Add test case for assert when unwinding a container.
* dbus/dbus-message-util.c: when constructing an array of structures,
it's not possible to unwind in case of an error part-way through.
This test will therefore assert.
* test/test-service.c (handle_delay_echo, path_message_func): Add a
variant of the Echo method which sleeps for a short time.
* test/name-test/test-pending-call-timeout.c: Run tests with default,
specified and infinite timeout to make sure we get the reply.
* test/name-test/run-test.sh: Run the new test
* test/name-test/Makefile.am: Build the new test
Expire list timeout may be negative for no expiry.
* bus/expirelist.c (do_expiration_with_current_time): Don't check for
expiry if expire_after is negative, will just disable the expiry timer
after the call.
* dbus/dbus-connection.c (_dbus_connection_block_pending_call): Rework
the timeout math so instead of calculating an end time, which may
overflow, we instead calculate the elapsed time which is always
smaller than the boundaries.
Update documentation now that INT_MAX means no timeout.
* dbus/dbus-connection.c (dbus_connection_send_with_reply): Fix
documentation now that INT_MAX will not be clamped.
(dbus_connection_send_with_reply_and_block): Update documentation too.
Don't allocate DBusTimeout for pending call when passed INT_MAX
* dbus/dbus-pending-call.c (_dbus_pending_call_new_unlocked): When passed
INT_MAX, do not clamp the value and do not allocate a timeout for the call
(_dbus_pending_call_get_timeout_unlocked): Document that this may return
NULL.
* dbus/dbus-connection.c (_dbus_connection_block_pending_call): Allow the
pending call to have no timeout, in which case we simply block until we
complete, have data or get disconnected.
* dbus/dbus-connection.c (_dbus_connection_attach_pending_call_unlocked):
Don't assume that the pending call has a timeout.
(connection_timeout_and_complete_all_pending_call_unlocked): check that
the timeout was actually added before removing it; this safeguards us
if the pending call doesn't have a timeout.
Marc Mutz [Wed, 7 Jan 2009 11:46:53 +0000 (12:46 +0100)]
configure.in: fail abstract socket test gracefully when cross-compiling
* configure.in: only run AC_CACHE_CHECK if enable_abstract_sockets=auto
* configure.in: warn that, when cross-compiling, we're unable to detect
abstract sockets availability automatically
libselinux behavior in permissive mode wrt invalid domains
Stephen Smalley wrote:
> On Tue, 2009-04-21 at 16:32 -0400, Joshua Brindle wrote:
>
>> Stephen Smalley wrote:
>>
>>> On Thu, 2009-04-16 at 20:47 -0400, Eamon Walsh wrote:
>>>
>>>> Stephen Smalley wrote:
>>>>
>> <snip>
>>
>>
>>> No, I don't want to change the behavior upon context_to_sid calls in
>>> general, as we otherwise lose all context validity checking in
>>> permissive mode.
>>>
>>> I think I'd rather change compute_sid behavior to preclude the situation
>>> from arising in the first place, possibly altering the behavior in
>>> permissive mode upon an invalid context to fall back on the ssid
>>> (process) or the tsid (object). But I'm not entirely convinced any
>>> change is required here.
>>>
>>>
>> I just want to follow up to make sure we are all on the same page here. Was the
>> suggestion to change avc_has_perm in libselinux or context_to_sid in the kernel
>> or leave the code as is and fix the callers of avc_has_perm to correctly handle
>> error codes?
>>
>> I prefer the last approach because of Eamon's explanation, EINVAL is already
>> passed in errno to specify the context was invalid (and if object managers
>> aren't handling that correctly now there is a good chance they aren't handling
>> the ENOMEM case either).
>>
>
> I'd be inclined to change compute_sid (not context_to_sid) in the kernel
> to prevent invalid contexts from being formed even in permissive mode
> (scenario is a type transition where role is not authorized for the new
> type). That was originally to allow the system to boot in permissive
> mode. But an alternative would be to just stay in the caller's context
> (ssid) in that situation.
>
> Changing the callers of avc_has_perm() to handle EINVAL and/or ENOMEM
> may make sense, but that logic should not depend on enforcing vs.
> permissive mode.
>
>
FWIW, the following patch to D-Bus should help:
bfo21072 - Log SELinux denials better by checking errno for the cause
Note that this does not fully address the bug report since
EINVAL can still be returned in permissive mode. However the log
messages will now reflect the proper cause of the denial.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov> Signed-off-by: Colin Walters <walters@verbum.org>
William Lachance [Tue, 21 Apr 2009 17:51:46 +0000 (13:51 -0400)]
Bug 19567 - Make marshaling code usable without DBusConnection
Some projects want to reuse the DBus message format, without
actually going through a DBusConnection. This set of changes
makes a few functions from DBusMessage public, and adds a new
function to determine the number of bytes needed to demarshal
a message.
Colin Walters [Wed, 25 Feb 2009 16:10:15 +0000 (11:10 -0500)]
Bug 20137 - Fix alignment usage when demarshaling basics
We can't safely type-pun from e.g. char * to DBusBasicValue *, because
the latter has higher alignment requirements. Instead, create an
explicit pointer for each case.
Also, we mark each one volatile to sidestep strict aliasing issues, for
the future when we turn on strict aliasing support.
Original patch and review from Jay Estabrook <jay.estabrook@hp.com>.
Colin Walters [Wed, 1 Apr 2009 16:02:00 +0000 (12:02 -0400)]
Bug 17803 - Fix both test case and validation logic
The previous commit had errors in both the test case and
the validation logic. The test case was missing a trailing
comma before the previous one, so we weren't testing the
signature we thought we were.
The validation logic was wrong because if the type was not valid,
we'd drop through the entire if clause, and thus skip returning
an error code, and accept the signature.
The AC_CANONICAL_TARGET macro and the $target_os variables are used for the
target of compilers and other code-generation tools, and should not be used
during cross-compile of generic software. Replace them with
AC_CANONICAL_HOST and $host_os instead, as they should have been from the
start.
For a breakdown of what host, build and target machines are, please see
http://blog.flameeyes.eu/s/canonical-target .
Colin Walters [Sat, 20 Dec 2008 01:02:14 +0000 (20:02 -0500)]
Enable -Werror by default with --enable-maintainer-mode, and change warnings
Important compiler warnings were being lost in the noise from warnings
we know about but aren't problems, and moreover made using -Werror
difficult. Now we expect *all* developers and testers to be using
-Werror.
Colin Walters [Thu, 18 Dec 2008 00:29:39 +0000 (19:29 -0500)]
Add requested_reply to send denials, and connection loginfo to "would deny"
The requested_reply field is necessary in send denials too because
it's used in the policy language. The connection loginfo lack in
"would deny" was just an oversight.
Colin Walters [Wed, 17 Dec 2008 21:01:28 +0000 (16:01 -0500)]
Add uid, pid, and command to security logs
Extend the current security logs with even more relevant
information than just the message content. This requires
some utility code to look up and cache (as a string)
the data such as the uid/pid/command when a connection is
authenticated.
Colin Walters [Tue, 9 Dec 2008 14:15:06 +0000 (09:15 -0500)]
Bug 18229: Allow signals
Our previous fix went too far towards lockdown; many things rely
on signals to work, and there's no really good reason to restrict
which signals can be emitted on the bus because we can't tie
them to a particular sender.
Tomas Hoger [Thu, 4 Dec 2008 20:19:13 +0000 (15:19 -0500)]
Bug 18229 - Change system.conf to correctly deny non-reply sends by default
The previous rule <allow send_requested_reply="true"/> was actually
applied to all messages, even if they weren't a reply. This meant
that in fact the default DBus policy was effectively allow, rather
than deny as claimed.
This fix ensures that the above rule only applies to actual reply
messages. Signed-off-by: Colin Walters <walters@verbum.org>
Artem Bityutskiy [Fri, 29 Aug 2008 14:13:15 +0000 (17:13 +0300)]
Bug 17352: synchronize the file before renaming
Dbus is doing atomic file updates by copying them, changing
the copy, and re-naming them. However, it does not synchronize
the file before re-naming, which results in corruption in
case of unclean reboots. The reason for this is that file-systems
have write-back cache and they postpone writing data to the media.
This patch adds the missed fsync() for the Unix part. I do
not have windows so cannot provide a windows port fix.
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: Colin Walters <walters@verbum.org>
Bug 16727: Handle ERANGE for getgr; fixes user in many groups
Patch originally from Noèl Köthe.
Modified by Colin Walters <walters@verbum.org>
* dbus/dbus-sysdeps-unix.c, dbus/dbus-sysdeps-unix-utils.c:
Use a while() loop to reallocate buffer if we get ERANGE
return. This fixes the case where a user is in a large
number of groups.
Bug 16839: Fix bus names in test case so it actually works.
* test/name-test/test-privserver.c (filter_session_message, main),
* test/name-test/test-privserver-client.c (open_shutdown_private_connection):
Replace TestServer with PrivServer to match the service definition files.
Ray Strode [Tue, 15 Jul 2008 08:01:49 +0000 (04:01 -0400)]
Fix leaks in bus_activation_get_environment error paths
Commit 91306ef938873fce8f2ae2d4a6b3282d0379c65a introduced
two memory leaks on OOM error paths. In one case the
environment string array wasn't getting freed, and in the
other case it was getting freed with dbus_free instead of
dbus_free_string_array.
Ray Strode [Fri, 11 Jul 2008 14:27:07 +0000 (10:27 -0400)]
Update man page to make the point of the <type> element more clear
There have been a number of patches in the past try to key system
versus session bus policy off of the message bus type, when the
policy should be distinguished from more fine-grained options in the
individulal policy files. Hopefully, this man page update will make
that more clear.
Ray Strode [Thu, 10 Jul 2008 17:19:44 +0000 (13:19 -0400)]
Add new UpdateActivationEnvironment bus message
It adjusts the environment of activated bus clients.
This is important for session managers that get started
after the session bus daemon and want to influence the
environment of desktop services that are started by the
bus.
Ray Strode [Thu, 10 Jul 2008 18:35:38 +0000 (14:35 -0400)]
Store what environment to activate with on activation object
We now keep the environment in a hash table member of the
activation object and provide a method
bus_activation_set_environment_variable to modify the
hash table. This hash table is seeded initially with the
environment of the bus daemon itself.
Ray Strode [Thu, 10 Jul 2008 17:12:01 +0000 (13:12 -0400)]
When spawning processes, don't ignore the passed in environment
Previously, we'd always call execv() and unconditionally use
the environment of the parent. Now we call execve() with the
passed in environment. For compatibility, we detect if
the passed in environment is NULL and for that case, use the
environment from the parent instead.
Ray Strode [Thu, 10 Jul 2008 16:45:36 +0000 (12:45 -0400)]
Add new _dbus_get_environment call
It's a wrapper around the environ external variable.
It will be important in the future when we allow
bus clients to modify the environment of future
activated clients. Presently, we just always use the
bus daemon environment wholesale.
Fix inverted return value from dbus_connection_read_write()
* dbus/dbus-connection.c (_dbus_connection_read_write_dispatch):
The double negation re no_progress_possible was obviously too
confusing: the path for dispatch = FALSE would return an inverted
status. So make it progress_possible and fix the logic.
projects / thirdparty / dbus.git / log
