* CVE-2008-0595 - security policy of the type <allow send_interface=
"some.interface.WithMethods"/> work as an implicit allow for
messages sent without an interface bypassing the default deny rules
and potentially allowing restricted methods exported on the bus to be
executed by unauthorized users. This patch fixes the issue.
* bus/policy.c (bus_client_policy_check_can_send,
bus_client_policy_check_can_receive): skip messages without an
interface when evaluating an allow rule, and thus pass it to the
default deny rules
* bus/policy.c (bus_policy_create_client_policy): gracefully
continue if the connection has no unix user - just don't apply
any unix user dependent rules.
* bus/config-parser.c: remove dbus-userdb.h usage
* bus/bus.c: remove dbus-userdb.h usage
* dbus/dbus-transport.c (_dbus_transport_get_is_authenticated):
support Windows user function; also, fix the logic for checking
auth as root in the default auth code (broken in the previous
commit)
* dbus/dbus-connection.c
(dbus_connection_set_windows_user_function): new function
(dbus_connection_get_windows_user): new function
* bus/dispatch.c (check_get_connection_unix_process_id): adapt
since sysdeps-unix.h stuff isn't included anymore
* bus/bus.c (bus_context_new): use more abstract functions to
change user, so they can be no-ops on Windows
* dbus/dbus-credentials.c, dbus/dbus-credentials.h,
dbus/dbus-credentials-util.c: new files containing a fully opaque
DBusCredentials data type to replace the old not opaque one.
* configure.in (DBUS_UNIX): define DBUS_UNIX to match DBUS_WIN on
windows
* dbus/dbus-userdb.h: prohibit on Windows, next step is to clean
up the uses of it in bus/*.c and factor out the parts of
cookie auth that depend on it
* Add Havoc's patch that never got applied to HEAD (Bug #2436):
* bus/policy.c (bus_policy_allow_user): change default "user is
allowed" to be "user has same uid as the bus itself"; any
allow/deny rules will override.
* bus/session.conf.in: don't allow all users, since now by default
the user that ran the bus can connect.
* bus/config-parser.c:
(struct PolicyType): Add POLICY_CONSOLE
(struct Element.d.policy): s/gid_or_uid/gid_uid_or_at_console
(start_busconfig_child): Sets up console element when
<policy at_console=""> is encountered in a policy file
(append_rule_from_element): Convert console elements to console
rules.
* bus/policy.c:
(bus_policy_create_client_policy): Add console rules to the client
policy based on if the client is at the console
(bus_policy_append_console_rule): New function for adding a
console rule to a policy
(bus_policy_merge): Handle console rule merging
* dbus/dbus-sysdeps.h: Added the DBUS_CONSOLE_DIR constant
where we check for console user files
* dbus/dbus-sysdeps.c:
(_dbus_file_exists): New function which checks if the given
file exists
(_dbus_user_at_console): New function which does the system
specific process of checking if the user is at the console
* dbus/dbus-userdb.c:
(_dbus_is_console_user): New function converts a UID to user name
and then calls the system specific _dbus_user_at_console to
see if the user is at the console and therefor a console user
SELinux support from Matthew Rickard <mjricka@epoch.ncsc.mil>
* bus/selinux.c, bus/selinux.h: new file encapsulating selinux
functionality
* configure.in: add --enable-selinux
* bus/policy.c (bus_policy_merge): add FIXME to a comment
* bus/main.c (main): initialize and shut down selinux
* bus/connection.c: store SELinux ID on each connection, to avoid
repeated getting of the string context and converting it into
an ID
* bus/bus.c (bus_context_get_policy): new accessor, though it
isn't used
(bus_context_check_security_policy): check whether the security
context of sender connection can send to the security context of
recipient connection
* bus/config-parser.c: add parsing for <selinux> and <associate>
* dbus/dbus-transport.c (_dbus_transport_get_unix_fd): to
implement dbus_connection_get_unix_fd()
* dbus/dbus-connection.c (dbus_connection_get_unix_fd): new
function, used by the selinux stuff
* bus/config-parser.c (process_test_valid_subdir): temporarily
stop testing config parser OOM handling, since expat has issues
http://freedesktop.org/pipermail/dbus/2004-May/001153.html
* bus/dbus-daemon-1.1.in: change requested_reply to
send_requested_reply/receive_requested_reply so we can send the
replies, not just receive them.
* bus/config-parser.c: parse the new
send_requested_reply/receive_requested_reply
* bus/policy.c (bus_client_policy_check_can_send): add
requested_reply argument and use it
* bus/bus.c (bus_context_check_security_policy): pass through
requested_reply status to message send check
* bus/system.conf.in: adapt to requested_reply change
* bus/bus.c (bus_context_check_security_policy): revamp this to
work more sanely with new policy-based requested reply setup
* bus/connection.c (bus_transaction_send_from_driver): set bus
driver messages as no reply
* bus/policy.c (bus_client_policy_check_can_receive): handle a
requested_reply attribute on allow/deny rules
* bus/system.conf: add <allow requested_reply="true"/>
* bus/driver.c (bus_driver_handle_message): fix check for replies
sent to the bus driver, which was backward. How did this ever work
at all though? I think I'm missing something.
* dbus/dbus-message.c (decode_header_data): require error and
method return messages to have a reply serial field to be valid
(_dbus_message_loader_queue_messages): break up this function;
validate that reply serial and plain serial are nonzero;
clean up the OOM/error handling.
(get_uint_field): don't return -1 from this
(dbus_message_create_header): fix signed/unsigned bug
* bus/connection.c (bus_connections_expect_reply): save serial of
the incoming message, not reply serial
Make matching rules theoretically work (add parser).
* bus/bus.c (bus_context_check_security_policy): fix up to handle
the case where destination is explicitly specified as bus driver
and someone else is eavesdropping.
* bus/policy.c (bus_client_policy_check_can_receive): fix up
definition of eavesdropping and assertion
* tools/dbus-send.c (main): use dbus_message_type_from_string
* bus/signals.c (bus_match_rule_parse): implement
* dbus/dbus-message.c (dbus_message_type_from_string): new
* dbus/dbus-errors.h (DBUS_ERROR_MATCH_RULE_INVALID): add
Get matching rules mostly working in the bus; only actually
parsing the rule text remains. However, the client side of
"signal connections" hasn't been started, this patch is only the
bus side.
* dbus/dispatch.c: fix for the matching rules changes
* bus/driver.c (bus_driver_handle_remove_match)
(bus_driver_handle_add_match): send an ack reply from these
method calls
* glib/dbus-gproxy.c (dbus_gproxy_begin_call): fix order of
arguments, reported by Seth Nickell
* bus/config-parser.c (append_rule_from_element): support
eavesdrop=true|false attribute on policies so match rules
can be prevented from snooping on the system bus.
* bus/dbus-daemon-1.1.in: consistently use terminology "sender"
and "destination" in attribute names; fix some docs bugs;
add eavesdrop=true|false attribute
* bus/driver.c (bus_driver_handle_add_match)
(bus_driver_handle_remove_match): handle AddMatch, RemoveMatch
messages
* dbus/dbus-protocol.h (DBUS_SERVICE_ORG_FREEDESKTOP_BROADCAST): get
rid of broadcast service concept, signals are just always broadcast
* bus/signals.c, bus/dispatch.c, bus/connection.c, bus/bus.c:
mostly implement matching rules stuff (currently only exposed as signal
connections)
* doc/dbus-specification.sgml: partial updates
* bus/dbus-daemon-1.1.in: fix the config file docs for the
zillionth time; hopefully I edited the right file this time.
* bus/config-parser.c (append_rule_from_element): support
send_type, send_path, receive_type, receive_path
* bus/policy.c: add message type and path to the list of things
that can be "firewalled"
* dbus/dbus-message.c (decode_string_field): support FIELD_SENDER
(dbus_message_is_error): fix this function
* bus/dbus-daemon-1.1: clarify logic on when <deny>/<allow> rules
match
* bus/policy.c (bus_client_policy_check_can_receive): fix code to
reflect clarified man page
(bus_client_policy_check_can_send): ditto
* bus/session.conf.in: fixup
* bus/system.conf.in: fixup
* dbus/dbus-hash.c (_dbus_hash_table_insert_two_strings): fix
* dbus/dbus-message.c (_dbus_message_loader_queue_messages): fix
dumb bug created earlier (wrong order of args to
decode_header_data())
* tools/dbus-send.c: port
* tools/dbus-print-message.c (print_message): port
* test/data/*messages: port all messages over
* dbus/dbus-message-builder.c: support including
message type
* bus/driver.c: port over
* bus/dispatch.c: port over to new stuff
* dbus/dbus-connection.c (_dbus_connection_new_for_transport):
rename disconnect signal to "Disconnected"
This doesn't compile yet, but syncing up so I can hack on it from
work. What are branches for if not broken code? ;-)
* dbus/dbus-protocol.h: remove DBUS_HEADER_FIELD_NAME, add
DBUS_HEADER_FIELD_INTERFACE, DBUS_HEADER_FIELD_MEMBER,
DBUS_HEADER_FIELD_ERROR_NAME
* dbus/dbus-hash.c: Introduce DBUS_HASH_TWO_STRINGS as hack to use
for the interface+member pairs
(string_hash): change to use g_str_hash algorithm
(find_direct_function, find_string_function): refactor these to
share most code.
* dbus/dbus-message.c: port all of this over to support
interface/member fields instead of name field
* dbus/dbus-object-registry.c: port over
* dbus/dbus-string.c (_dbus_string_validate_interface): rename
from _dbus_string_validate_name
* bus/dbus-daemon-1.1: change file format for the
<deny>/<allow> stuff to match new message naming scheme
* bus/policy.c: port over
* bus/config-parser.c: parse new format
* bus/config-parser.c (merge_included): merge in policies from
child configuration file.
* bus/policy.c (bus_policy_merge): function to merge two policies
together
Unbreak my code...
* dbus/dbus-transport.c (_dbus_transport_get_dispatch_status):
report correct status if we finish processing authentication
inside this function.
* bus/activation.c (try_send_activation_failure): use
bus_transaction_send_error_reply
* bus/connection.c (bus_connection_get_groups): return an error
explaining the problem
* bus/bus.c (bus_context_check_security_policy): implement
restriction here that inactive connections can only send the
hello message. Also, allow bus driver to send anything to
any recipient.
* bus/connection.c (bus_connection_complete): create the
BusClientPolicy here instead of on-demand.
(bus_connection_get_policy): don't return an error
* dbus/dbus-message.c (dbus_message_new_error_reply): allow NULL
sender field in message being replied to
* bus/bus.c (bus_context_check_security_policy): fix silly typo
causing it to return FALSE always
* bus/policy.c (bus_client_policy_check_can_send): fix bug where
we checked sender rather than destination
* bus/bus.c: create and keep around a shared DBusUserDatabase
object.
* bus/connection.c (bus_connection_get_groups): don't cache
groups for user in the connection object, since user database
object now does that.
* dbus/dbus-mainloop.c: fix some reentrancy issues by refcounting
callbacks
* test/data/valid-config-files/debug-allow-all.conf.in: allow all
users
* dbus/dbus-transport.c (_dbus_transport_get_dispatch_status):
fix to only recover unused bytes if we're already authenticated
(_dbus_transport_get_is_authenticated): fix to still mark us
authenticated if there are unused bytes.
* bus/dispatch.c: implement security policy checking
* bus/connection.c (bus_transaction_send_from_driver): new
* bus/bus.c (bus_context_check_security_policy): new
* bus/dispatch.c (send_service_nonexistent_error): delete this,
now we just set the DBusError and it gets converted to an error
reply.
* bus/connection.c (allow_user_function): enable code using actual
data from the config file
* bus/policy.c (list_allows_user): handle wildcard rules for
user/group connection perms
* bus/config-parser.c: Load up the BusPolicy and BusPolicyRules
* dbus/dbus-sysdeps.c (_dbus_get_user_id): new function
* bus/policy.c (bus_policy_append_mandatory_rule)
(bus_policy_append_default_rule, bus_policy_append_user_rule)
(bus_policy_append_group_rule): new functions
* bus/policy.h: change BusPolicy to be the thing from the config
file, and rename old BusPolicy to BusClientPolicy
* bus/bus.c, bus/connection.c, bus/config-parser.c: change to
match change in how policy works
* dbus/dbus-internals.h: mark assert_not_reached as
__attribute((noreturn))__
* dbus/dbus-sysdeps.c (_dbus_set_fd_nonblocking): move to this
file
* dbus/dbus-errors.c (dbus_set_error, dbus_set_error_const): allow
NULL argument for "message" if the error is a well-known one,
fill in a generic message in this case.
* dbus/dbus-errors.h (DBusResultCode): Kill DBusResultCode in
favor of DBusError
* bus/test.c (bus_test_flush_bus): add
* bus/policy.c (bus_policy_test): test code stub
* dbus/dbus-threads.c (dbus_mutex_new, dbus_condvar_new): with
DBUS_BUILD_TESTS, actually alloc/free a block of memory for
the mutex, so we can check for proper memory management
and OOM handling.
* dbus/dbus-dataslot.c: remove the mutex from
DBusDataSlotAllocator and lock it manually when using it,
to simplify fitting it into the global slots framework.
* dbus/dbus-threads.c (init_static_locks): rework how we're
handling global locks so they are easily shut down.
* bus/policy.c (bus_policy_append_rule): fix
* bus/test-main.c (main): check for memleaks
* dbus/dbus-test.c (dbus_internal_do_not_use_run_tests): make
test suite check for memleaks
* dbus/dbus-memory.c: add support in test mode for tracking
number of outstanding blocks
* bus/connection.c (bus_connection_send_oom_error): assert that
message has a sender
(connection_execute_transaction): ditto
(bus_connection_preallocate_oom_error): fix to set the sender, and
set recipient to the destination service, not the bus driver
* bus/policy.c: hacking
* dbus/dbus-message.c (dbus_message_service_is): new function
(dbus_message_sender_is): new
