We're treating transient services as higher-priority than those in
the XDG_DATA_HOME or XDG_DATA_DIRS, which is consistent with systemd.
The specific list used by the standard session dbus-daemon will be
added to dbus-daemon(1) in the next commit.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=99825
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Clarify its intended behaviour in two situations:
• For interfaces which have no properties.
• Where some properties are not visible to the caller (due to access
control, for example).
The intention here is for this behaviour to be mandatory, but given that
this is quite late on in the specification’s life, and various D-Bus
libraries like dbus-glib and telepathy-glib cannot support access
control at a per-property level, for example. GDBus can, although it’s
questionable whether this is a good idea. Deliberately leave the
specification open to allow access control at a higher level as well
(such as per-(object, interface)).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=36190
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Using versioned names here reinforces the advice given in
<https://dbus.freedesktop.org/doc/dbus-api-design.html#api-versioning>.
I haven't added versions to the sample parameters "com.example.tea" and
"com.example.cappuccino" for methods that query information about
names, on the basis that I assume they are more likely to be intended
to represent an implementation than an API.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
We didn't say that SystemdService existed. Now we do, together with
enough context to make it make sense.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
For something we recommend, that is important enough to have its own
header flag, it doesn't have very good documentation. Redo the text
to suggest that auto-starting is the normal thing and
StartServiceByName is the oddity. That's usually a good principle
to follow, since it dodges time-of-check/time-of-use issues, and the
method call that you presumably wanted to do needs to handle errors
anyway.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
The spec previously mentioned that CORBA calls this activation, but
did not explicitly say that D-Bus has copied this jargon term.
It's 2016, and developers are probably more likely to be familiar
with D-Bus than with CORBA at this point: explicitly say that *our*
jargon term for this action is activation.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98671
This is widely used in practice (especially by GLib — just look at files
in /usr/share/dbus-1/interfaces/), and there is no reason not to allow
it. Update the specification, introspection DTD and XSL file to allow
and represent it.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86162
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is an attempt to make that section a little clearer. I don’t think
any factual inaccuracies have been fixed (because I couldn’t find any).
Including some wording and an example by Simon McVittie.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=93382
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
It's generally a good idea to avoid trailing whitespace in order to keep
patchs minimal. While it's common to enforce such restrictions for C code,
it's important for docbok XML files too. Hence, let's clean this up and
remove all trailing whitespace currently in place.
[By policy we do not clean up historical trailing whitespace and
tab-indentation in the C source code unless we are modifying those lines
anyway, to retain the ability to merge stable-branch bugfixes into the
development branch. However, the copy of the spec in the development
branch is the only one that receives any updates, so that concern
doesn't apply here. -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=91755
Allowing to send replies when NO_REPLY_EXPECTED is set is useless in
practice: Clients need to be careful not to send these replies, because
bus policy could deny these messages. The spec even mentions that this
issue exists.
To make this more clear and misbehaving clients less likely, disallow
sending unexpected replies entirely.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75749
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is not used by default, but can be configured by OS builders (or
regression-test environments) if desired.
If used, this listens on $XDG_RUNTIME_DIR/bus, or fails if $XDG_RUNTIME_DIR
is not set. Fallback behaviour is unnecessary, because it is already
possible to use a string of semicolon-separated addresses like
<listen>unix:runtime=yes;unix:tmpdir=/tmp</listen>, resulting in
listening on either $XDG_RUNTIME_DIR/bus or /tmp/something.
We use a non-abstract socket here, because that is desirable for
use with Linux containers: abstract sockets are attached to the
network namespace, whereas non-abstract sockets are part of the
filesystem and can be bind-mounted between domains if necessary.
The major advantage of abstract sockets is that they do not need
cleanup, but the specification of XDG_RUNTIME_DIR guarantees to
provide cleanup anyway.
Based on prior work by Simon McVittie, Colin Walters and Alexander
Larsson.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=61303
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Unlike eavesdropping, the point of capture is when the message is
received, except for messages originating inside the dbus-daemon.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Heavily based on a patch from Lennart Poettering.
This is useful for authentication frameworks such as polkit, but this
flag is supposed to be generic, and not be bound to any implementation
of such a framework.
The dbus specification already clarifies that unknown flags must be
ignored, the reference implementation and the other implementations we
checked indeed ignore any new flags, hence we should be fine with
compatibility here.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83449
The message type is more important than whether NO_REPLY_EXPECTED is
set, when deciding whether a reply is expected. This documents
existing practice in at least libdbus, GDBus and dbus-daemon.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75749
Reviewed-by: Thiago Macieira
tcp/nonce-tcp transport has a "bind" key, which can be specified a
hostname and will override hostname specified in "host" key.
"bind" has a special value "*" which means ip address 0.0.0.0 and will
cause dbus-daemon listen on all interfaces.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=72301
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
The --with-dbus-session-bus-connect-address configure option and the
DBUS_SESSION_BUS_CONNECT_ADDRESS CMake variable expect a connectable
address, while the --with-dbus-session-bus-listen-address option and
the DBUS_SESSION_BUS_LISTEN_ADDRESS variable expect a listenable address.
DBUS_SYSTEM_BUS_DEFAULT_ADDRESS currently has to be an address that
is simultaneously listenable and connectable.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=61303
Reviewed-by: Chengwei Yang <chengwei.yang@intel.com>
[fixed name of DBUS_SESSION_BUS_CONNECT_ADDRESS as per review -smcv]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is an important security measure. Without it, the system bus
would not deliver its intended security properties. The actual
implementation has always behaved like this, I think.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68597
Reviewed-by: Chengwei Yang <chengwei.yang@intel.com>
Previously, if we have interfaces:
interface com.example.foo:
method Ambiguous()
interface com.example.bar:
method Ambiguous()
method Unambiguous()
implementations were required to deliver a message with no INTERFACE
and METHOD=Unambiguous to "bar". A message with no INTERFACE and
METHOD=Ambiguous could either be delivered to "foo", delivered to "bar"
or treated as an error.
Relax this to allow an error for the unambiguous case, too, and
strongly recommend specifying the interface (which is best-practice).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68597
Reviewed-by: Chengwei Yang <chengwei.yang@intel.com>
Vaguely-acked-by: Thiago Macieira, David Zeuthen
[and desrt objected that it didn't go far enough]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
