Now that we are recommending Meson, let's de-emphasize Autotools.
Anyone who still needs Autotools will already know how it works, at
least generically.
Signed-off-by: Simon McVittie <smcv@collabora.com>
On older 32-bit architectures such as i386, this redefines time_t to be
64-bit, and correspondingly increases the size of all system data
structures that contain a time_t, such as struct timeval and struct stat.
This is necessary to allow timestamps beyond January 2038 to be
represented; as well as things that obviously deal with timestamps,
this affects functions like stat() (and therefore our wrapper
_dbus_stat()), which will fail with EOVERFLOW if asked to inspect a
file whose correct timestamp does not fit in time_t.
In particular, if the modification or access timestamp on
/etc/machine-id has somehow been set to a post-2038 time, libdbus will
consider the inability to stat() that file to be an installation error,
and when using the deprecated dbus_get_local_machine_id(), that can
cause third-party i386 software such as the Steam client to crash.
Using 64-bit timestamps avoids that failure mode.
Using 64-bit timestamps in glibc is an opt-in and not the default,
because if done carelessly it can change libraries' ABIs. However,
libdbus is careful not to include system headers and system data
types in its own headers, with the only exceptions being extremely
basic ISO C headers like <stddef.h> and <stdarg.h>; so we can safely
do this without it breaking our ABI. This is similar to the reasoning
for why commit 96ffc2a0 "configure.ac: support large-file for stat64"
was a safe change.
This change only affects glibc. Some non-GNU operating system libraries
(such as musl) are less concerned with binary backwards compatibility
than glibc, and therefore have incompatibly changed their ABI on 32-bit
platforms to switch to 64-bit timestamps throughout; no action is needed
on those platforms. If other non-GNU OS libraries have taken a route
similar to GNU's, then maintainers of those operating systems are
welcome to send tested merge requests similar to this one.
An extra subtlety here is that _TIME_BITS=64 requires
_FILE_OFFSET_BITS=64. In the Meson build, Meson unconditionally enables
_FILE_OFFSET_BITS=64 where appropriate, and in the Autotools build,
we already had that via AC_SYS_LARGEFILE, but in the CMake build we
did not necessarily have this; so we also define _FILE_OFFSET_BITS=64
there if necessary, as a continuation of commit 96ffc2a0
"configure.ac: support large-file for stat64".
On newer 32-bit architectures like x32, time_t is always 64-bit and so
this has no practical effect.
On 64-bit, setting these would have no practical effect, but to minimize
risk I'm only doing this for 32-bit architectures.
Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/465
Signed-off-by: Simon McVittie <smcv@collabora.com>
Allows tracking a process by pinning it to a file descriptor,
which, unlike a PID, cannot be reused.
root@image:~# busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus GetConnectionCredentials "s" org.freedesktop.systemd1
a{sv} 3 "ProcessID" u 1 "UnixUserID" u 0 "ProcessFD" h 4
Signed-off-by: Luca Boccassi <bluca@debian.org>
The new socket option SO_PEERPIDFD allows pinning the process on the
other side of the socket by file descriptor, which closes a race
condition where a PID can be reused before we can pin it manually.
Available since Linux v6.5.
When storing credentials, pin the process by FD from the PID.
When querying the PID, if the PID FD is available, resolve
it from there first if possible.
Ensure the DBusCredentials object only returns the PID FD if it was
obtained by this call, so that we know for sure we can rely on it
being safe against PID reuse attacks.
Signed-off-by: Luca Boccassi <bluca@debian.org>
The order and arrangement of the initialization of the build directories
has been improved: the deletion of special directories has been moved to
the associated part, the rest has been merged, and there is a default
value if not specified as an environment variable, making it easier to
execute on the command line.
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
This customization simplifies their use, e.g. when outputting the command
line used. Because of FreeBSD, 'awk' is used instead of 'gawk' to make
sure that the tool is available.
When starting as root, files in /proc/self/fdinfo/ will be owned by root
and set to 400, so we cannot read them. Nowadays it is not necessary to
start as root when running under systemd, so just add User/Group with
the configured user to the system unit.
If libaudit support is enabled, add AmbientCapabilities=CAP_AUDIT_WRITE
so that we can still write to the audit log.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Make D-Bus implementations return a file descriptor
pinning the process as part of the credentials on
platforms that implement such a concept, like Linux.
Pinning the process allows defending against PID
reuse attacks, making authentication by
service/cgroup possible.
Signed-off-by: Luca Boccassi <bluca@debian.org>
The man page and --help imply that
dbus-daemon --print-address --print-pid
is a valid/useful thing to do, but because --print-address takes an
optional argument, it is ambiguous whether --print-pid is meant to
be the argument for --print-address (same as --print-address=--print-pid)
or a new option (same as --print-address=1 --print-pid). In fact,
before this commit, the dbus-daemon would interpret --print-pid as
the optional argument to --print-address, and then fail to parse it
because it isn't an integer.
Because none of our options are syntactically valid as arguments for
any option that takes an optional argument, we can avoid the ambiguity
by delaying parsing of optional arguments until all known options
have been tried.
Resolves: dbus/dbus#467
Signed-off-by: Xin Shi <shixin21@huawei.com>
It is valid for getsockopt(SO_PEERGROUPS) to return len=0; that
indicates the process has no supplementary groups. Rather than failing,
simply use the returned empty list (and add the primary GID to it).
Without this change, calling GetConnectionCredentials on a bus name
owned by a process with no supplementary groups does not return the
UnixGroupIDs field, even though it is easy to determine that the process
only has one GID (the primary GID).
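As an added example (not dbus code), the following C program queries a Unix socket peer's credentials the way the SO_PEERPIDFD and SO_PEERGROUPS commits above describe: a zero-length SO_PEERGROUPS answer is treated as a valid empty list to which the primary GID from SO_PEERCRED is added, and SO_PEERPIDFD is requested with a fallback for kernels older than 6.5. The helper names peer_groups, peer_pidfd and run_demo are assumed, and the peer is constructed locally with socketpair(), so it is the calling process itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>

#ifndef SO_PEERPIDFD
#define SO_PEERPIDFD 77   /* asm-generic value; the option exists since Linux 6.5 */
#endif
/* Peer's supplementary GIDs plus its primary GID (from SO_PEERCRED), malloc'd.
 * A zero-length SO_PEERGROUPS answer is a valid "no supplementary groups" result,
 * so the caller still gets a one-element list. Returns 0 or -errno. */
static int peer_groups(int fd, gid_t **out, size_t *n)
{
    struct ucred cred; gid_t probe, *g; socklen_t len = sizeof cred; size_t i;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0) return -errno;
    len = 0;  /* size probe: ERANGE reports the needed size, success means empty */
    if (getsockopt(fd, SOL_SOCKET, SO_PEERGROUPS, &probe, &len) < 0 && errno != ERANGE)
        return -errno;
    if (!(g = malloc(len + sizeof(gid_t)))) return -ENOMEM;
    if (len > 0 && getsockopt(fd, SOL_SOCKET, SO_PEERGROUPS, g, &len) < 0) {
        free(g); return -errno;
    }
    *n = len / sizeof(gid_t);
    for (i = 0; i < *n && g[i] != cred.gid; i++) ;
    if (i == *n) g[(*n)++] = cred.gid;  /* primary GID not listed yet: append it */
    *out = g;
    return 0;
}

/* Pidfd pinning the peer process, or -errno (-ENOPROTOOPT on kernels before 6.5). */
static int peer_pidfd(int fd)
{
    int pidfd; socklen_t len = sizeof pidfd;
    return getsockopt(fd, SOL_SOCKET, SO_PEERPIDFD, &pidfd, &len) < 0 ? -errno : pidfd;
}

/* Self-check on a local socketpair, where the peer is this process: its primary
 * GID must appear in the list. Returns 0 on success, a negative code otherwise. */
int run_demo(void)
{
    int sv[2], r; gid_t *g; size_t n, i;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    if ((r = peer_groups(sv[0], &g, &n)) < 0) return r;
    for (i = 0; i < n && g[i] != getegid(); i++) ;
    free(g);
    r = (i < n) ? peer_pidfd(sv[1]) : -EINVAL;  /* EINVAL: our own GID was missing */
    if (r >= 0) close(r); close(sv[0]); close(sv[1]);
    return (r >= 0 || r == -ENOPROTOOPT) ? 0 : r;
}
```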
Since meson 0.54.0, it is possible to override a dependency name,
so do that to make it easy to use dbus as a subproject. After this
change, simply
dependency('dbus-1')
will fall back to the subproject automatically and there is no need
for using the `fallback` keyword argument. Of course this assumes that
the dbus source tree is at subprojects/dbus-1 and not subprojects/dbus,
but it is easy to achieve that.
If the dbus source tree for some reason needs to be at subprojects/dbus,
dependency('dbus-1', fallback: 'dbus')
may be used, which still has the advantage of not needing to
depend on the variable names in the dbus build definitions.
This gives us coverage for Meson mingw-w64 by default, but
cross-compiling from Debian with MSVCRT rather than a native compilation
on Windows with UCRT. When combined with "windows msys64 ucrt64 cmake",
this fills in most of the missing coverage caused by disabling
windows-meson-mingw-ucrt64 to work around dbus#462.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Workaround for dbus#462: if this doesn't run reliably as a result of
external factors, then we shouldn't be using it as a CI gate.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Due to an adaptation of an rpm macro for cross-compiling with cmake, there
was a problem with the previous method of using the current directory as
the build directory. Instead, the command line options provided by cmake
are now used to define the source and build directories, which provide more
stable behavior.
Fix #455
Some labels are only used when checks are enabled, and some variables
are only used when assertions and/or checks are enabled. Instead of
cluttering the code with extra #ifdefs, we silence those warnings:
they're harmless in this case. We already do this in Autotools.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Linux generally declares syscalls with flags as type int. It's the same
ABI, but a slightly different API, and it seems better for our fallback
definition to match it exactly.
Related to dbus/dbus#453.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Some of the symbols we check for, such as close_range(), are only
declared in their corresponding header files if _GNU_SOURCE was
defined.
Resolves: dbus/dbus#453
Signed-off-by: Simon McVittie <smcv@collabora.com>
The exact failure mode reported in dbus/dbus#457 is quite difficult
to achieve in a reliable way in a unit test, because we'd have to send
enough messages to a client to fill up its queue, then stop that client
from draining its queue, while still triggering a message that gets a
reply from the bus driver. However, we can trigger the same crash in a
slightly different way by not allowing the client to receive a
particular message. I chose NameAcquired.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Normally, it's enough to rely on a message being given a serial number
by the DBusConnection just before it is actually sent. However, in the
rare case where the policy blocks the driver from sending a message
(due to a deny rule or the outgoing message quota being full), we need
to get a valid serial number sooner, so that we can copy it into the
DBUS_HEADER_FIELD_REPLY_SERIAL field (which is mandatory) in the error
message sent to monitors. Otherwise, the dbus-daemon will crash with
an assertion failure if at least one Monitoring client is attached,
because zero is not a valid serial number to copy.
This fixes a denial-of-service vulnerability: if a privileged user is
monitoring the well-known system bus using a Monitoring client like
dbus-monitor or `busctl monitor`, then an unprivileged user can cause
denial-of-service by triggering this crash. A mitigation for this
vulnerability is to avoid attaching Monitoring clients to the system
bus when they are not needed. If there are no Monitoring clients, then
the vulnerable code is not reached.
Co-authored-by: Simon McVittie <smcv@collabora.com>
Resolves: dbus/dbus#457
It appears some freedesktop CI runners still have /builds/dbus/dbus
owned by a different user ID.
This reverts commit 3f6400b8b9.
Signed-off-by: Simon McVittie <smcv@collabora.com>
The dbus maintainers can open confidential merge requests by using a
private git repository, but other contributors (including most security
researchers) cannot, so the safest simple recommendation is no merge
requests.
Signed-off-by: Simon McVittie <smcv@collabora.com>