Revert "Disable the Containers interface"

This reverts commit 9d60676ae0.
Simon McVittie 2023-10-20 15:26:42 +01:00
parent 83476b7a93
commit 3690de9398
13 changed files with 41 additions and 8 deletions


@ -124,6 +124,7 @@ endif()
option(DBUS_DISABLE_ASSERT "Disable assertion checking" OFF)
option(DBUS_ENABLE_STATS "enable bus daemon usage statistics" OFF)
option(DBUS_ENABLE_CONTAINERS "enable restricted servers for app-containers" OFF)
option(ENABLE_TRADITIONAL_ACTIVATION "Enable traditional activation (without using systemd)" ON)
find_package(PkgConfig)
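Review bot: The help text for `DBUS_ENABLE_CONTAINERS` gives a builder no hint that this feature was previously gated. Another section of this commit appears to drop `#error This feature is not ready for production use` (the +/- markers are lost on this page, but the hunk counts fit), so after it this option is the only thing between a build and that code. If the feature is still considered experimental, say so where the switch is flipped, e.g. `option(DBUS_ENABLE_CONTAINERS "enable restricted servers for app-containers (experimental)" OFF)`. The same wording would fit the `DBUS_ENABLE_CONTAINERS:BOOL=OFF` description in the build notes.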


@ -149,6 +149,9 @@ ENABLE_QT_HELP:STRING=AUTO
// enable bus daemon usage statistics
DBUS_ENABLE_STATS:BOOL=OFF
// enable restricted servers for app containers
DBUS_ENABLE_CONTAINERS:BOOL=OFF
// build with systemd at_console support
ENABLE_SYSTEMD:STRING=AUTO


@ -29,8 +29,6 @@
#ifdef DBUS_ENABLE_CONTAINERS
#error This feature is not ready for production use
#ifndef DBUS_UNIX
# error DBUS_ENABLE_CONTAINERS requires DBUS_UNIX
#endif


@ -1970,9 +1970,7 @@ bus_driver_fill_connection_credentials (DBusCredentials *credentials,
dbus_pid_t pid = DBUS_PID_UNSET;
const char *windows_sid = NULL;
const char *linux_security_label = NULL;
#ifdef DBUS_ENABLE_CONTAINERS
const char *path;
#endif
#ifdef HAVE_UNIX_FD_PASSING
int pid_fd = -1; /* owned by credentials */
#endif
@ -2033,7 +2031,6 @@ bus_driver_fill_connection_credentials (DBusCredentials *credentials,
return FALSE;
}
#ifdef DBUS_ENABLE_CONTAINERS
/* This has to come from the connection, not the credentials */
if (peer_conn != NULL &&
bus_containers_connection_is_contained (peer_conn, &path, NULL, NULL))
@ -2043,7 +2040,6 @@ bus_driver_fill_connection_credentials (DBusCredentials *credentials,
path))
return FALSE;
}
#endif
#ifdef HAVE_UNIX_FD_PASSING
if (caller_conn != NULL && pid_fd >= 0 &&
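Review bot: With the `#ifdef DBUS_ENABLE_CONTAINERS` guards apparently dropped in these three hunks (the +/- markers are lost on this page, but the hunk counts fit), `path` is declared without an initializer and is only written if `bus_containers_connection_is_contained ()` returns true. Builds without the feature therefore rely on that function being present and returning false, which is not visible here. Initialising the variable, `const char *path = NULL;`, keeps a later change to that function from handing an indeterminate pointer to the call that consumes `path`. The function body starts and ends outside these hunks, so that consuming call is only partly visible.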


@ -76,5 +76,11 @@
<limit name="max_names_per_connection">50000</limit>
<limit name="max_match_rules_per_connection">50000</limit>
<limit name="max_replies_per_connection">50000</limit>
<limit name="max_containers">10000</limit>
<limit name="max_containers_per_user">10000</limit>
<limit name="max_container_metadata_bytes">1000000000</limit>
<!-- This is relatively low so that app-containers (which we do not fully
trust) do not cause DoS. -->
<limit name="max_connections_per_container">16</limit>
</busconfig>
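Review bot: The three limits added above the comment carry no stated rationale, and `max_container_metadata_bytes` at 1000000000 combined with `max_containers` at 10000 places no practical bound on the metadata the daemon can be asked to hold. The existing comment explains only `max_connections_per_container`, on the grounds that app-containers are not fully trusted. If the large values are deliberate for this bus, a one-line comment saying who supplies the metadata and why the bound can be this loose would make that reviewable. Otherwise a value nearer the commented-out `4096` shown in the other configuration would be safer. The same four values are added in the later section at `@ -57,4 +57,11 @`.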


@ -126,6 +126,10 @@
<!-- <limit name="max_names_per_connection">512</limit> -->
<!-- <limit name="max_match_rules_per_connection">512</limit> -->
<!-- <limit name="max_replies_per_connection">128</limit> -->
<!-- <limit name="max_containers">512</limit> -->
<!-- <limit name="max_containers_per_user">16</limit> -->
<!-- <limit name="max_container_metadata_bytes">4096</limit> -->
<!-- <limit name="max_connections_per_container">8</limit> -->
<!-- Config files are placed here that among other things, punch
holes in the above policy for specific services. -->


@ -41,6 +41,7 @@
#cmakedefine DBUS_RUNSTATEDIR "@DBUS_RUNSTATEDIR@"
#cmakedefine DBUS_ENABLE_STATS
#cmakedefine DBUS_ENABLE_CONTAINERS
#cmakedefine ENABLE_TRADITIONAL_ACTIVATION
#define TEST_LISTEN "@TEST_LISTEN@"


@ -88,6 +88,8 @@ typedef enum
*/
/** The interface exported by the object with #DBUS_SERVICE_DBUS and #DBUS_PATH_DBUS */
#define DBUS_INTERFACE_DBUS "org.freedesktop.DBus"
/** The restricted container interface exported by the dbus-daemon */
#define DBUS_INTERFACE_CONTAINERS1 "org.freedesktop.DBus.Containers1"
/** The monitoring interface exported by the dbus-daemon */
#define DBUS_INTERFACE_MONITORING "org.freedesktop.DBus.Monitoring"


@ -840,6 +840,14 @@ Available limit names are:</para>
(number of calls-in-progress)
"reply_timeout" : milliseconds (thousandths)
until a method call times out
"max_containers" : max number of restricted servers for use
in app-containers, in total
"max_containers_per_user" : max number of app-containers per Unix uid
"max_container_metadata_bytes": max number of bytes of metadata to store
for each app-container
"max_connections_per_container": max number of (authenticated or
unauthenticated) connections to each
app-container
</literallayout> <!-- .fi -->


@ -47,8 +47,6 @@
#include "test-utils-glib.h"
#define DBUS_INTERFACE_CONTAINERS1 "org.freedesktop.DBus.Containers1"
typedef struct {
TestMainContext *ctx;
gboolean skip;


@ -13,4 +13,9 @@
<!-- Allow anyone to own anything -->
<allow own="*"/>
</policy>
<limit name="max_containers">5</limit>
<limit name="max_containers_per_user">3</limit>
<limit name="max_container_metadata_bytes">4096</limit>
<limit name="max_connections_per_container">3</limit>
</busconfig>


@ -57,4 +57,11 @@
<limit name="max_names_per_connection">50000</limit>
<limit name="max_match_rules_per_connection">50000</limit>
<limit name="max_replies_per_connection">50000</limit>
<limit name="max_containers">10000</limit>
<limit name="max_containers_per_user">10000</limit>
<limit name="max_container_metadata_bytes">1000000000</limit>
<!-- This is relatively low so that app-containers (which we do not fully
trust) do not cause DoS. -->
<limit name="max_connections_per_container">16</limit>
</busconfig>


@ -637,6 +637,10 @@ test_creds (Fixture *f,
g_assert_not_reached ();
#endif
}
else if (g_str_has_prefix (name, DBUS_INTERFACE_CONTAINERS1 "."))
{
g_assert_not_reached ();
}
dbus_message_iter_next (&arr_iter);
}
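Review bot: The new `else if` branch fails with a bare `g_assert_not_reached ()`, so a regression that leaks a `DBUS_INTERFACE_CONTAINERS1`-prefixed key into this connection's credentials would not report which key was seen. A short comment such as `/* no Containers1 keys expected here */`, with `g_error ("unexpected credential %s", name);` in place of the assertion, would make the failure self-explaining. test_creds starts before and continues past this hunk, so it is inferred rather than visible that the connection under test is meant to be uncontained.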