2007-11-08 Havoc Pennington <hp@redhat.com>
* bus/connection.c, bus/expirelist.c: Make the BusExpireList
struct opaque, adding accessors for manipulating the list. In this
commit there should be no change in functionality or behavior. The
purpose of this change is to improve encapsulation prior to fixing
some bugs Kimmo Hämäläinen found where the timeout is not properly
updated, since we need to e.g. take some action whenever adding
and removing stuff from the expire list.
* CVE-2008-0595 - security policy of the type <allow send_interface=
"some.interface.WithMethods"/> work as an implicit allow for
messages sent without an interface bypassing the default deny rules
and potentially allowing restricted methods exported on the bus to be
executed by unauthorized users. This patch fixes the issue.
* bus/policy.c (bus_client_policy_check_can_send,
bus_client_policy_check_can_receive): skip messages without an
interface when evaluating an allow rule, and thus pass it to the
default deny rules
2008-01-17 Timo Hoenig <thoenig@suse.de>
* fix inotify support
* bus/dir-watch-inotify.c (_handle_inotify_watch): fix reading of the
inotify events. Also, use ssize_t not size_t for 'ret'.
* bus/dir-watch-inotify.c (bus_watch_directory): watch not only for
IN_MODIFY but also for IN_CREATE and IN_DELETE
* bus/dir-watch-inotify.c (bus_drop_all_directory_watches): drop the
inotify watches more elegantly by closing inotify:_fd, set inotify_fd to
-1 after dropping the watches
2008-01-15 John (J5) Palmieri <johnp@redhat.com>
* bus/bus.c (bus_context_check_security_policy): rewrite selinux error
handling to not abort due to a NULL read and to set the error only if
it is not already set (Based off of FDO Bug #12430)
2008-01-15 John (J5) Palmieri <johnp@redhat.com>
* patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
* bus/config-parser.c (locate_attributes): remove dead code which
always evaluated to TRUE
* dbus/dbus-shell.c (_dbus_shell_quote): remove unused code
2008-01-14 John (J5) Palmieri <johnp@redhat.com>
* patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
* bus/connection.c (bus_connection_complete): plug a possible
BusClientPolicy leak (FDO Bug #13242)
2008-01-14 John (J5) Palmieri <johnp@redhat.com>
* patch by Frederic Crozat <fcrozat at mandriva dot com> (FDO Bz#
13268)
* add inotify support
* bus/Makefile.am: add inotify module to the build
* bus/dir-watch-inotify.c: inotify module based off the dnotify and
kqueue modules
* configure.in: add checks and switch for inotify
also add a printout at the end of configure if inotify and kqueue
support is being built in (dnotify already had this)
2008-01-14 John (J5) Palmieri <johnp@redhat.com>
* patch by Frederic Crozat <fcrozat at mandriva dot com>
* bus/dir-watch-dnotify.c (bus_watch_directory): watch for file
creates also
2007-10-31 Havoc Pennington <hp@redhat.com>
* bus/selinux.c (log_audit_callback): rewrite to use
_dbus_string_copy_to_buffer_with_nul()
* dbus/dbus-string.c (_dbus_string_copy_to_buffer): change to NOT
nul-terminate the buffer; fail an assertion if there is not enough
space in the target buffer. This fixes two bugs where
copy_to_buffer was used to copy the binary bytes in a UUID, where
nul termination did not make sense. Bug reported by David Castelow.
(_dbus_string_copy_to_buffer_with_nul): new function that always
nul-terminates the buffer, and fails an assertion if there is not
enough space in the buffer.
2007-10-23 Havoc Pennington <hp@redhat.com>
* bus/bus.c (bus_context_new): use the new name here
* bus/selinux.c (bus_selinux_audit_init): rename from audit_init()
to avoid possible libc conflict, and declare it in .h file to
avoid a warning
2007-10-19 Havoc Pennington <hp@redhat.com>
* bus/bus.c (bus_context_new): put the audit_init() in here
instead, which I believe ends up being the same as where it was
before, though I'm not sure I understand why it goes here.
* dbus/dbus-sysdeps-util-unix.c (_dbus_change_to_daemon_user):
remove audit_init() from here, this file can't depend on code in
bus/ directory
* patch by Dan Walsh <dwalsh@redhat.com>
* https://bugs.freedesktop.org/show_bug.cgi?id=12429
* Reverse we_were_root check to setpcap if we were root. Also only init
audit if we were root. So error dbus message will not show up when policy
reload happens. dbus -session will no longer try to send audit message,
only system will.
* For security reasons we want possition independent code for libraries
and possition independent executable for executables
* before we were just enabling -fPIC
* now we correctly enable -fPIC and -PIE for libdbus and the bus respectively
* propper LD_FLAGS are set for each also
2007-09-20 Ryan Lortie <desrt@desrt.ca>
* dbus/signals.c (struct DBusMatchRule, bus_match_rule_new,
bus_match_rule_set_arg, bus_match_rule_parse_arg_match,
match_rule_matches): Add support for parsing and matching on
arg0path='/some/path' type rules.
* dbus/signals.h (bus_match_rule_set_arg): change to take const
DBusString instead of const char * for the string to match against.
* dbus/dbus-bus.c: add a quick note to dbus_bus_add_match
documentation about the path matching.
* doc/dbus-specification.xml: add a more detailed description of the
changes here.
2007-09-13 Ryan Lortie <desrt@desrt.ca>
migrate from cvs to git (cvs2svn -> git-svnimport).
* HACKING: update release/branch/tag instructions
* */.cvsignore: rename to .gitignore
also, clean up tags and branch names to conform to HACKING
* tools/dbus-launch-x11.c (set_address_in_x11): fix from Michael
Lorenz to use long not int with XChangeProperty format 32
* dbus/dbus-sysdeps-util-unix.c
(_dbus_write_pid_to_file_and_pipe): factor this out, and use the
same code in _dbus_become_daemon (where the parent writes the pid
file and to the pid pipe) and in bus_context_new (where the daemon
writes its own pid file and to its own pid pipe)
* bus/bus.c (bus_context_new): close the pid pipe after we print
to it. Also, don't write the pid to the pipe twice when we fork,
someone reported this bug a long time ago.
* bus/activation-helper.c (check_bus_name): don't use
_dbus_check_valid_bus_name() which is only around with
--enable-checks, instead use _dbus_validate_bus_name().
Bug #11766 from Diego <diego@pemas.net>
* bus/config-parser-trivial.c (check_return_values): disable a
test that hardcoded the bus user's name
* bus/dispatch.c (bus_dispatch_test_conf): remove the "if
(!use_launcher)" around the tests, they were only failing because
we didn't pass through all the expected errors from the helper.
* bus/activation-exit-codes.h
(BUS_SPAWN_EXIT_CODE_CHILD_SIGNALED): add a code for child segfaulting
(BUS_SPAWN_EXIT_CODE_GENERIC_FAILURE): make "1" be a generic
failure code, so if a third party launch helper were written it
could just always return 1 on failure.
* configure.in: add AM_PROG_CC_C_O to allow per-target CPPFLAGS
* bus/dispatch.c (bus_dispatch_test_conf): Fix up setting
TEST_LAUNCH_HELPER_CONFIG to include the full path, and enable
test shell_fail_service_auto_start when use_launcher==TRUE
* bus/activation-helper-bin.c (convert_error_to_exit_code): pass
through the INVALID_ARGS error so the test suite works
* bus/activation.c (handle_activation_exit_error): return
DBUS_ERROR_NO_MEMORY if we get BUS_SPAWN_EXIT_CODE_NO_MEMORY
* dbus/dbus-spawn.c (_dbus_babysitter_get_child_exit_status):
return only the exit code of the child, not the entire thingy from
waitpid(), and make the return value indicate whether the child
exited normally (with a status code)
* bus/bus.c (process_config_first_time_only): _dbus_strdup works
on NULL so no need to check
(process_config_every_time): move servicehelper init here, so we
reload it on HUP or config file change
* bus/Makefile.am (install-data-hook): remove comment because
Emacs make mode seems to be grumpy about it
* bus/Makefile.am:
* bus/test-system.c: (die), (check_memleaks), (test_pre_hook),
(test_post_hook), (main):
Add back the test-system.c file - not sure now this got ignored in the
diff. I blame git.
* bus/dispatch.c: (check_segfault_service_no_auto_start),
(check_launch_service_file_missing),
(check_launch_service_user_missing),
(check_launch_service_exec_missing),
(check_launch_service_service_missing), (bus_dispatch_test_conf),
(bus_dispatch_test_conf_fail), (bus_dispatch_test):
Add unit tests for system activation. Most are copied from the
session activation tests, but some didn't apply when using a laucher.
* bus/bus.c: (process_config_first_time_only),
(process_config_every_time), (bus_context_unref),
(bus_context_get_servicehelper):
* bus/bus.h:
Add the concept of a service-helper and allow it's value to be read.
* bus/activation.c: (bus_activation_entry_unref),
(update_desktop_file_entry):
Add the concept of, and read the value of user from the desktop file.
The user string is not required unless we are using system activation.
* bus/activation.c:
* bus/desktop-file.h:
Move the defines into the header file, as we use these in the lauch
helper as well as the desktop file parsing.
* bus/Makefile.am:
* bus/test.h:
Add the build glue for the lauch helper, and also add the launch-helper
OOM checks into make check. I've probably broken the build, give me 2.
* bus/test-launch-helper.c: (die), (check_memleaks),
(test_post_hook), (bus_activation_helper_oom_test), (main):
Add a test wrapper to allow OOM checks on the launch helper.
* bus/activation-helper-bin.c: (convert_error_to_exit_code),
(main):
* bus/activation-helper.c: (desktop_file_for_name),
(clear_environment), (check_permissions), (check_service_name),
(get_parameters_for_service), (switch_user),
(exec_for_correct_user), (check_bus_name), (get_correct_parser),
(launch_bus_name), (check_dbus_user), (run_launch_helper):
* bus/activation-helper.h:
Add the initial launch-helper. This is split into a main section and a
binary loader that allows us to lauch the main section in another test
harness to do stuff like OOM testing. No build glue yet.
* bus/Makefile.am:
* bus/config-parser.c: (bus_config_parser_unref),
(start_busconfig_child), (bus_config_parser_end_element),
(servicehelper_path), (bus_config_parser_content),
(bus_config_parser_finished),
(bus_config_parser_get_servicehelper),
(test_default_session_servicedirs),
(test_default_system_servicedirs), (bus_config_parser_test):
* bus/config-parser.h:
Make the config-parser code use the common config code.
Also add the session and systemdirs stuff, and make the config parser
aware of the servicehelper field.
* bus/config-parser-trivial.c: (service_dirs_find_dir),
(service_dirs_append_link_unique_or_free), (bus_config_parser_new),
(bus_config_parser_unref), (bus_config_parser_start_element),
(bus_config_parser_end_element), (bus_config_parser_content),
(bus_config_parser_finished), (bus_config_parser_get_user),
(bus_config_parser_get_type), (bus_config_parser_get_service_dirs),
(check_return_values), (do_load), (check_loader_oom_func),
(process_test_valid_subdir), (make_full_path), (check_file_valid),
(bus_config_parser_trivial_test):
* bus/config-parser-trivial.h:
Add a security sensitive stripped down config parser for the setuid
launcher. This file only reads what it needs, and doesn't try to do
anything remotely clever like including external files.
It is not intended to validate the config file; it is expected that
config-parser will do that before the setuid program tries to read it.
* bus/config-parser-common.c:
(bus_config_parser_element_name_to_type),
(bus_config_parser_element_type_to_name):
* bus/config-parser-common.h:
We don't want to run the whole config parser with all it's deps in the
setuid program. We need to implement a stripped down config parser just
for the launcher, and to do so I need some common functions and
defines; add them here.
* bus/activation-exit-codes.h:
Add defines which specify the output codes of the launch helper.
We have to use exit codes as this is the only way we can return failure
type without going grotty things like redirecting possibly-nonsecure
stderr into the error.
* doc/dbus-specification.xml: document org.freedesktop.DBus.GetId()
* bus/driver.c (bus_driver_handle_get_id): implement org.freedesktop.DBus.GetId()
* bus/bus.c (bus_context_new): generate a unique ID for each bus context
* dbus/dbus-connection.c (dbus_connection_get_server_id): new function
* dbus/dbus-bus.c (dbus_bus_get_id): new function
* dbus/dbus-server.c (dbus_server_get_id): new function
* dbus/dbus-sysdeps-unix.c (_dbus_append_session_config_file)
(_dbus_append_system_config_file): new functions
* bus/main.c (main): use _dbus_append_system_config_file() and
_dbus_append_session_config_file()
* dbus/Makefile.am (INCLUDES): move DBUS_SYSTEM_CONFIG_FILE and
DBUS_SESSION_CONFIG_FILE into this makefile
* dbus/dbus-sysdeps.c (_dbus_set_errno_to_zero)
(_dbus_get_is_errno_nonzero, _dbus_get_is_errno_eintr)
(_dbus_strerror_from_errno): family of functions to abstract
errno, though these are somewhat bogus (really we should make our
socket wrappers not use errno probably - the issue is that any
usage of errno that isn't socket-related probably is not
cross-platform, so should either be in a unix-only file that can
use errno directly, or is a bug - these general errno wrappers
hide issues of this nature in non-socket code, while
socket-specific API changes would not since sockets are allowed
cross-platform)
* bus/dispatch.c (check_get_connection_unix_process_id): mop up
getpid() (noticed by Peter KKümmel) and adapt the test to
expect a "pid unknown" error when running on Windows.
* dbus/dbus-server-socket.c (_dbus_server_listen_socket): support
all_interfaces=true|false for tcp servers
* dbus/dbus-sysdeps-unix.c (_dbus_listen_tcp_socket): support
inaddr_any flag
* bus/selinux.c: fix some missing includes
* dbus/dbus-server-socket.c (_dbus_server_listen_socket): allow
port to simply be omitted in addition to specifying 0
* configure.ac, bus/selinux.c, dbus/dbus-sysdeps-unix-util.c: add
libaudit support, no clue what this means really but now we have
it. Patches from Fedora package.
* bus/bus.c (bus_context_new): move selinux initialization after
changing to daemon user, patch from Fedora package
* dbus/dbus-transport.c (auth_via_unix_user_function): fix a typo
