We were incorrectly passing NULL for a DBusList when the usage expected
is a pointer to a NULL DBusList pointer. Also during dbus_shutdown
we need to actually close the inotify fd, and remove our watch.
Move the shutdown handler out of bus.c and into inotify where we
can do all of this cleanly.
(cherry picked from commit 90fe96b187)
_dbus_change_to_daemon_user moved into selinux.c for the --with-selinux
(and audit) case because that's where all of the relevant libcap headers
were being used. However in the --disable-selinux case this didn't
compile and wasn't very clean.
If we don't have libaudit, use the legacy direct setgid/setuid bits
we had before in dbus-sysdeps-util-unix.c.
Substantially based on a patch by Matthias Clasen <mclasen@redhat.com>
kqueue implementation by Joe Marcus Clarke <marcus@freebsd.org>
Previously, when we detected a configuration change (which included
the set of config directories to monitor for changes), we would
simply drop all watches, then readd them.
The problem with this is that it introduced a race condition where
we might not be watching one of the config directories for changes.
Rather than dropping and readding, change the OS-dependent monitoring
API to simply take a new set of directories to monitor. Implicit
in this is that the OS-specific layer needs to keep track of the
previously monitored set.
The reload handling for activation simply dropped all knowledge
of pending activations, which was clearly wrong. Refactor things
so that reload only reloads directories, server address etc.
Based on a patch originally from Matthias Clasen <mclasen@redhat.com>
(Commit message written by Colin Walters <walters@verbum.org>)
A current Fedora goal is to convert projects to libcap-ng which
more easily allows dropping Linux capabilities. For software
which also links to libdbus, it's problematic to link against
libcap as well.
Though really, libdbus should have never linked against libcap
in the first place, which is another thing this patch changes
by moving the libcap-using bits out of dbus/ and into bus/.
https://bugzilla.redhat.com/show_bug.cgi?id=518541
A variety of system components have migrated from legacy init into DBus
service activation. Many of these system components "daemonize", which
involves forking. The DBus activation system treated an exit as an
activation failure, assuming that the child process which grabbed the
DBus name didn't run first.
While we're in here, also differentiate in this code path between the
servicehelper (system) versus direct activation (session) paths. In
the session activation path our error message mentioned a helper
process which was confusing, since none was involved.
Based on a patch and debugging research from Ray Strode <rstrode@redhat.com>
In my informal studies of "normal" sets of match rules, only checking
match rules with the appropriate interface for the message reduces the
number that need to be checked by almost 100x on average (ranging from
halving for messages from the bus daemon, to a >200x reduction in many
cases). This reduces the overhead added to dispatching each message by
having lots of irrelevant match rules.
This is currently not a big deal, but will make more of a difference
once the set of match rules is partitioned by more features than just
the message type.
A variety of system components have migrated from legacy init into DBus
service activation. Many of these system components "daemonize", which
involves forking. The DBus activation system treated an exit as an
activation failure, assuming that the child process which grabbed the
DBus name didn't run first.
While we're in here, also differentiate in this code path between the
servicehelper (system) versus direct activation (session) paths. In
the session activation path our error message mentioned a helper
process which was confusing, since none was involved.
Based on a patch and debugging research from Ray Strode <rstrode@redhat.com>
Replace dbus_daemon_init() by dbus_publish_session_bus_address(),
publishing the full address. Omit username from mutexes (not necessary
as mutex names are local to session). Don't exit if publishing the
address failed (allow multiple session bus instances per
session). Based on 00ee92ae314 by Tor Lillqvist.
Cherry-picked from commit 23945513e9a4da61d286ebfbce3897aa061ddbfe in
the dbus4win repository by tml@iki.fi. Remove claim of that commit not
being merged from README.dbus4win.
On Linux, dbus-daemon and dbus-daemon-launch-helper are treated specially
because they need permission adjustment.
On Windows, all executables are stubs, created by libtool. The real
executables are in .libs. We need to use libtool to install them
properly. So let's make them bin_PROGRAMS on Windows.
(cherry picked from commit 7fb35992d67433ac3ba82e9e2e786e123323456d)
libdbus-convenience may use system libraries, but not the other way
round. Most platforms don't care, but on some platforms this means that
system libraries need to be listed after libdbus-convenience.la on the
link line.
* bus/session.conf.in: Remove the reply_timeout stanza, previously
intended to increase the reply timeout, this now reduces it.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
(cherry picked from commit bd2063e17e)
* bus/config-parser.c (bus_config_parser_new): change the default reply
timeout to "never"
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
(cherry picked from commit 8f1d2a2fa8)
* bus/expirelist.c (do_expiration_with_current_time): Don't check for
expiry if expire_after is negative, will just disable the expiry timer
after the call.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
(cherry picked from commit d672d03206)
* bus/expirelist.c (do_expiration_with_current_time): If the item added
time fields are both zero, always expire.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
(cherry picked from commit d33cfec625)
* bus/session.conf.in: Remove the reply_timeout stanza, previously
intended to increase the reply timeout, this now reduces it.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
* bus/expirelist.c (do_expiration_with_current_time): Don't check for
expiry if expire_after is negative, will just disable the expiry timer
after the call.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
* bus/expirelist.c (do_expiration_with_current_time): If the item added
time fields are both zero, always expire.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
This simply verifies that we forward unix fds only on connection that
support it. We willr eturn an error if a client attempts to send a
message with unix fds to another client that cannot do it.
This adds two new directives to the auth protocol:
NEGOTIATE_UNIX_FD is sent by the client after the authentication was
sucessful, i.e. OK was received.
AGREE_UNIX_FD is then sent by the server if it can do unix fd passing as
well.
ERROR is returned when the server cannot or is unwilling to do unix fd
passing.
This should be compatible with existing D-Bus implementations which will
naturally return ERROR on NEGOTIATE_UNIX_FD.
All users of full duplex pipes enable FD_CLOEXEC later anyway so let's
just do it as part of _dbus_full_duplex_pipe. By side effect this allows
to make use of SOCK_CLOEXEC which fixes a race when forking/execing from
a different thread at the same time as we ar in this function.
Stephen Smalley wrote:
> On Tue, 2009-04-21 at 16:32 -0400, Joshua Brindle wrote:
>
>> Stephen Smalley wrote:
>>
>>> On Thu, 2009-04-16 at 20:47 -0400, Eamon Walsh wrote:
>>>
>>>> Stephen Smalley wrote:
>>>>
>> <snip>
>>
>>
>>> No, I don't want to change the behavior upon context_to_sid calls in
>>> general, as we otherwise lose all context validity checking in
>>> permissive mode.
>>>
>>> I think I'd rather change compute_sid behavior to preclude the situation
>>> from arising in the first place, possibly altering the behavior in
>>> permissive mode upon an invalid context to fall back on the ssid
>>> (process) or the tsid (object). But I'm not entirely convinced any
>>> change is required here.
>>>
>>>
>> I just want to follow up to make sure we are all on the same page here. Was the
>> suggestion to change avc_has_perm in libselinux or context_to_sid in the kernel
>> or leave the code as is and fix the callers of avc_has_perm to correctly handle
>> error codes?
>>
>> I prefer the last approach because of Eamon's explanation, EINVAL is already
>> passed in errno to specify the context was invalid (and if object managers
>> aren't handling that correctly now there is a good chance they aren't handling
>> the ENOMEM case either).
>>
>
> I'd be inclined to change compute_sid (not context_to_sid) in the kernel
> to prevent invalid contexts from being formed even in permissive mode
> (scenario is a type transition where role is not authorized for the new
> type). That was originally to allow the system to boot in permissive
> mode. But an alternative would be to just stay in the caller's context
> (ssid) in that situation.
>
> Changing the callers of avc_has_perm() to handle EINVAL and/or ENOMEM
> may make sense, but that logic should not depend on enforcing vs.
> permissive mode.
>
>
FWIW, the following patch to D-Bus should help:
bfo21072 - Log SELinux denials better by checking errno for the cause
Note that this does not fully address the bug report since
EINVAL can still be returned in permissive mode. However the log
messages will now reflect the proper cause of the denial.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Colin Walters <walters@verbum.org>
