<allow send_broadcast="true" ...> only matches broadcasts,
which are signals with a NULL destination. There was previously
no way for the policy language to express "NULL destination",
only "any destination".
<allow send_broadcast="false" ...> only matches non-broadcasts,
which are non-signals or signals with a non-NULL destination.
There was previously no way for the policy language to express
"any non-NULL destination", only "any destination".
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: improved documentation as per Philip's review]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853
We don't allow sending unrequested replies, but the documentation
implied that we did.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853
Until the previous commit, this would have worked. Now it correctly fails
with "send and receive attributes cannot be combined".
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853
The giant conditionals used to check policy attributes are increasingly
unwieldy, so let's try something else. Bundle together the send_
attributes, the receive_ attributes, the eavesdrop attribute
(which can go on either send or receive rules) and the other attributes
into equivalence classes, and write the conditionals in terms of those
equivalence classes.
In particular, this correctly forbids
<allow receive_type="..." send_destination="..."/>
which was previously allowed but nonsensical (the send part took
precedence and the receive part was ignored).
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853
By default, Expat uses cryptographic-quality random numbers as a salt for
its hash algorithm, and since 2.2.1 it gets them from the getrandom
syscall on Linux. That syscall refuses to return any entropy until the
kernel's CSPRNG (random pool) has been initialized. Unfortunately, this
can take as long as 40 seconds on embedded devices with few entropy
sources, which is too long: if the system dbus-daemon blocks for that
length of time, important D-Bus clients like systemd and systemd-logind
time out and fail to connect to it.
We're parsing small configuration files here, and we trust them
completely, so we don't need to defend against hash collisions: nobody
is going to be crafting them to cause pathological performance.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101858
Tested-by: Christopher Hewitt <hewitt@ieee.org>
[smcv: Adjust build-system changes for 1.11.x]
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
By default, Expat uses cryptographic-quality random numbers as a salt for
its hash algorithm, and since 2.2.1 it gets them from the getrandom
syscall on Linux. That syscall refuses to return any entropy until the
kernel's CSPRNG (random pool) has been initialized. Unfortunately, this
can take as long as 40 seconds on embedded devices with few entropy
sources, which is too long: if the system dbus-daemon blocks for that
length of time, important D-Bus clients like systemd and systemd-logind
time out and fail to connect to it.
We're parsing small configuration files here, and we trust them
completely, so we don't need to defend against hash collisions: nobody
is going to be crafting them to cause pathological performance.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101858
Signed-off-by: Simon McVittie <smcv@debian.org>
Tested-by: Christopher Hewitt <hewitt@ieee.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
This is a followup of 529600397b. We can't
shortcut the timeouts iteration in order not to miss any timeouts that
might require timestamp restart.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95619
Reviewed-by: Simon McVittie <smcv@collabora.com>
configure.ac will detect PYTHON=python3 if there is no python
executable in the PATH.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101716
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
It is too easy for a developer working in an environment that has a
session bus to write tests that pass locally, but fail in minimal
environments. This is also risky because the tests might do
destructive things on the developer's real session bus. We can avoid
connecting to the session bus by consistently removing its address
from the environment, and replacing it with something that will
always fail.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
When we intend to exercise the default behaviour in the absence of
DBUS_SESSION_BUS_ADDRESS (but with an XDG_RUNTIME_DIR present), it would
help if we unset DBUS_SESSION_BUS_ADDRESS. Otherwise we'll just connect
to the real session bus, if there is one.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
test-pending-call-disconnected relies on being run under a session bus.
On master, the TESTS in this directory all get that treatment, but
in dbus-1.10 they do not. This caused test-pending-call-disconnected
to fail in minimal environments like travis-ci where there is no
developer-initiated session bus.
Backport part of commit ec6b220 "name-test: run most C tests directly,
not via run-test.sh" to wrap it in dbus-run-session. This is better
than putting it in run-test.sh because this way, its TAP output is
parsed directly by Automake.
It also has the side benefit of exercising dbus-run-session in the
automated tests.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
For #100344, we will need a way to store the metadata from the
original method call, and copy them back into arbitrarily many
messages later. This would be easy in GDBus, which has GVariant
as a first-class object. However, libdbus doesn't have an object for
message items, only messages.
We could copy the message's content, but it will carry file descriptors,
which we don't want to copy. Instead, introduce an internal object
representing a message item in a small buffer. It is stored as a variant
(D-Bus type 'v') so that it naturally carries its own type.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
See the doc-comment of the new
dbus_message_iter_abandon_container_if_open() function for details.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().
One might reasonably worry that this change can break callers that use
this (incorrect) pattern:
if (!dbus_message_iter_open_container (outer, ..., inner))
{
dbus_message_iter_abandon_container (outer, inner);
goto fail;
}
/* now we know inner is open, and we must close it later */
However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.
This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 031aa2ceb3)
Found by source code inspection while trying to debug an unrelated
leak.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 6b7bdb105b)
This ensures that callers won't accidentally use it for something
in a way that is considered to be programmer error.
In _dbus_message_iter_check(), insert a specific check for this before
dereferencing iter->message, so that we get a nice assertion failure
(potentially non-fatal) instead of a segfault.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
Having opened a container for appending, the container must be closed
exactly once.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
Previously, it was only available under DBUS_ENABLE_EMBEDDED_TESTS,
because the infrastructure to pretend malloc had failed is only
compiled then. However, I'd like to use it in more modular tests, to
avoid test-dbus continuing to grow. To facilitate that, inline a
trivial version of it when DBUS_ENABLE_EMBEDDED_TESTS is disabled:
it just calls the function, once, without doing any strange things to
the malloc interface.
Similarly, amend the stub implementation of
_dbus_get_malloc_blocks_outstanding() so that references to it are
syntactically valid, and move the DBusTestMemoryFunction typedef so
that it can be used with or without DBUS_ENABLE_EMBEDDED_TESTS.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().
One might reasonably worry that this change can break callers that use
this (incorrect) pattern:
if (!dbus_message_iter_open_container (outer, ..., inner))
{
dbus_message_iter_abandon_container (outer, inner);
goto fail;
}
/* now we know inner is open, and we must close it later */
However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.
This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
The same assertion appears closer to the top of the function, and there
is no opportunity for it to have become false here.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
Found by source code inspection while trying to debug an unrelated
leak.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
This was added around 12½ years ago, in a commented-out state, and has
remained commented out ever since. It turns out these test vectors
do pass, although perhaps they didn't at the time.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
The deleted lines used to be a test for _dbus_validate_signature(),
until I deleted that function. We also had a completely separate
test for _dbus_validate_signature_with_reason() which remains present.
Some of the test vectors were tested in both places.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
This lets _dbus_warn() and _dbus_warn_check_failed() fall through
to flushing stderr and calling _dbus_abort(), meaning that failed
checks and warnings can result in a core dump as intended.
By renaming the FATAL severity to ERROR, we ensure that any code
contributions that assumed the old semantics will fail to compile.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
All callers should use _dbus_validate_signature_with_reason() directly.
The only remaining callers were this function's own tests.
As a side benefit, this commit removes a TODO pointing out that this
function did not follow normal DBusString conventions, by considering
a length outside the bounds of the DBusString to be an ordinary
lack of validity rather than a fatal programming error.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
