We should prevent containers from trying to put a container in our
container so we can sandbox while we sandbox. The implementation doesn't
actually have any concept of nesting or layering, so that would potentially
be privilege escalation.
At the moment, this is just prevented by METHOD_FLAG_PRIVILEGED. When we
remove that flag (after we've introduced better resource limits), we can
specifically restrict this method to not be called by containers
instead. This test will make sure we do.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
So far it only exercises SupportedArguments.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
Tests that brute-force OOM code paths can be rather slow.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100317
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
test_object_try_whatever() now has libdbus-like OOM handling,
while test_object_whatever() has GLib-like OOM handling. This is
because an overwhelming majority of the callers of these functions
either didn't check for OOM anyway, or checked for it but then
aborted. In the uncommon case where we do care, we can use the _try_
version.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100317
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
If _dbus_loop_queue_dispatch fails with OOM, we'd try to free cd,
while cd is already owned by the connection's timeout functions.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=100317
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Also use test_oom() where the relevant lines are changing anyway.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103600
It seemed like a nice idea at the time, but I now think it's more
confusing than it's worth.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103600
Previously, we allocated m both during initialization, and after
deciding not to skip this test.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103600
This also covers _dbus_server_new_for_socket(), which is one of the
worse places in terms of complexity of the error-unwinding path
(3 labels).
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89104
These tests were disabled by commit 9c3d566, which rewrote the D-Bus
type system to be fully recursive, back in 2005. The message builder
was subsequently removed by commit 9d21554, also in early 2005.
It will probably take significant work to turn these files into
test-cases that use the current D-Bus type system and so can be run
this decade. Until that work is done, let's not ship them: we can
always fetch them from git history if we want them.
The single .message-raw file can still be read and has been retained,
although it hasn't actually tested the intended failure mode since
2005 due to changes to the D-Bus specification (it is a wire-protocol
version 0 message, and the recursive type system introduced in commit
9c3d566 changed the wire-protocol version to 1).
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103758
In parts of the OOM testing, our logging produces multiple megabytes
of output. Let's not do that.
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103601
stdout and stderr are close-on-exec and buffered, so we can't rely on
their buffers being empty. If we continue to execute application code
after forking (as opposed to immediately exec()ing), then the child
process might later flush the libc stdio buffers, resulting in
output that is printed by the parent also being printed by the child.
In particular, test-bus.log sometimes grows extremely large for
this reason, because this test repeatedly attempts to carry out
legacy activation.
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103601
This will be used in a test for connecting to container servers
as the wrong uid.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
Instead of calling g_test_skip() internally, raise a distinctive error
and let the caller handle it.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
This will be used in tests later in the branch.
Sadly we can't use GLIB_VERSION_2_44 unless we are willing to have a
hard dependency on GLib 2.44, which would force us to do all our
Travis-CI builds in Docker containers rather than in ye olde base
system, and that adds 50% to the time taken to do builds.
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Rebase onto 1.13.x branch, fix minor conflicts]
Signed-off-by: Simon McVittie <smcv@collabora.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
This fixes the build when a GNU-compatible `mkdir -p` is not available.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103521
[smcv: Add commit message]
Reviewed-by: Simon McVittie <smcv@collabora.com>
These were in git but not distributed in source tarballs, and in fact
not hooked up to the Autotools build system at all.
test/data/valid-introspection-files was mentioned in the CMake build
system (copied from the source directory to the build directory), but
according to `git grep` is not used for anything.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103420
test-bus exercises the parser by trying to parse every file in these
directories. A couple of files were accidentally left out, meaning
those parsing code paths are tested when we build from git, but not
when we build from a tarball release.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103420
Some test-cases in the dbus-daemon and relay tests spam the bus with
thousands of messages, which can take 25 seconds on slower CPUs like
MIPS. Similarly, the refs test spams millions of refcount operations,
which it appears might take more than a minute on PA-RISC (HPPA).
To get an idea of how close we are to having a problem on other
architectures, log a message and start a timer when we reset the
timeout in setup(), and log the elapsed time when we reach teardown().
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103009
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
We can't use normal I/O in a signal handler, so resort to write().
"Bail out!" is a special syntactic token in TAP. If I artifically force
the tests to time out by reducing timeouts and increasing the number of
operations, I get results like this:
ERROR: test-sd-activation - Bail out! Test timed out (GLib main loop timeout callback reached)
ERROR: test-refs - Bail out! Test timed out (SIGALRM received)
which is a lot easier to understand than "Not enough tests run" or
"nonzero exit status". The differing output is because test-sd-activation
iterates the main loop, whereas test-refs just blocks (it is joining a
series of worker threads, each of which is spamming refcount operations).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103009
Reviewed-by: Philip Withnall <withnall@endlessm.com>
[smcv: Use STDOUT_FILENO as per Philip's review]
Signed-off-by: Simon McVittie <smcv@collabora.com>
This is just enough to demonstrate that they work - I'm deliberately
not doing a mass change throughout all tests, and we should definitely
not rush to introduce these into production code, because it would
hinder cherry-picking and merging fixes between branches. However,
new code on master can use them freely.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101895
This lets cooperating processes with the same value of $HOME
interoperate for DBUS_COOKIE_SHA1 by reading and writing $HOME, even
if their $HOME differs from the uid's "official" home directory
according to getpwuid(). Out of paranoia, we only do this if the uid
and the euid are equal, since if they were unequal the correct thing
to do would be ambiguous.
In particular, Debian autobuilders run as a user whose "official"
home directory in /etc/passwd is "/nonexistent", as a mechanism to
detect non-deterministic build processes that rely on the contents of
the home directory. Until now, this meant we couldn't run dbus'
build-time tests, because every test that used DBUS_COOKIE_SHA1 would
fail in this environment.
In the tests, set HOME as well as DBUS_TEST_HOMEDIR. We keep
DBUS_TEST_HOMEDIR too, because Windows doesn't use HOME, only HOMEDRIVE
and HOMEPATH.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101960
Bug-Debian: https://bugs.debian.org/630152
Signed-off-by: Simon McVittie <smcv@debian.org>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
This test-case is actually in the test for monitoring the bus,
because it's easier to see what's going on there - the error reply
to a rejected broadcast is not visible unless you are monitoring.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853
Until the previous commit, this would have worked. Now it correctly fails
with "send and receive attributes cannot be combined".
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Thiago Macieira <thiago@kde.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92853
configure.ac will detect PYTHON=python3 if there is no python
executable in the PATH.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101716
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
It is too easy for a developer working in an environment that has a
session bus to write tests that pass locally, but fail in minimal
environments. This is also risky because the tests might do
destructive things on the developer's real session bus. We can avoid
connecting to the session bus by consistently removing its address
from the environment, and replacing it with something that will
always fail.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
When we intend to exercise the default behaviour in the absence of
DBUS_SESSION_BUS_ADDRESS (but with an XDG_RUNTIME_DIR present), it would
help if we unset DBUS_SESSION_BUS_ADDRESS. Otherwise we'll just connect
to the real session bus, if there is one.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
test-pending-call-disconnected relies on being run under a session bus.
On master, the TESTS in this directory all get that treatment, but
in dbus-1.10 they do not. This caused test-pending-call-disconnected
to fail in minimal environments like travis-ci where there is no
developer-initiated session bus.
Backport part of commit ec6b220 "name-test: run most C tests directly,
not via run-test.sh" to wrap it in dbus-run-session. This is better
than putting it in run-test.sh because this way, its TAP output is
parsed directly by Automake.
It also has the side benefit of exercising dbus-run-session in the
automated tests.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101698
