delta/NetworkManager.git/src/settings/nm-secret-agent.c, branch th/fix-python-test gitlab.freedesktop.org: NetworkManager/NetworkManager.git core: extend nm_shutdown_wait_obj_*() to support notification via a GCancellable 2019-09-22T14:05:50+00:00 Thomas Haller thaller@redhat.com 2019-08-23T05:45:41+00:00 eae69e33dd1865f24544c135b366eb343c5a46e6 Now nm_shutdown_wait_obj_*() supports two styles: - NM_SHUTDOWN_WAIT_TYPE_OBJECT: this just registers a weak pointer on a source GObject. As long as the object is not destroyed (and the object is not unregistered), the shutdown gets blocked. - now new is NM_SHUTDOWN_WAIT_TYPE_CANCELLABLE: this source object is a GCancellable, and during shutdown, the system will cancel the instances to notify about the shutdown. That aside, the GCancellable is tracked exactly like a regular NM_SHUTDOWN_WAIT_TYPE_OBJECT (meaning: a weak pointer is registered and shutdown gets delayed as long as the instance lives). As the rest of the shutdown, it's not yet implemented on the shutdown-side. What is now possible is to register such cancellables, so that users can make use of this API before we fix shutdown. We cannot fix it all at the same time, so first users must be ready for this approach. 
Now nm_shutdown_wait_obj_*() supports two styles:

 - NM_SHUTDOWN_WAIT_TYPE_OBJECT: this just registers a weak pointer
   on a source GObject. As long as the object is not destroyed
   (and the object is not unregistered), the shutdown gets blocked.

 - now new is NM_SHUTDOWN_WAIT_TYPE_CANCELLABLE: this source object
   is a GCancellable, and during shutdown, the system will cancel
   the instances to notify about the shutdown. That aside, the GCancellable
   is tracked exactly like a regular NM_SHUTDOWN_WAIT_TYPE_OBJECT (meaning:
   a weak pointer is registered and shutdown gets delayed as long as the instance
   lives).

As the rest of the shutdown, it's not yet implemented on the shutdown-side.
What is now possible is to register such cancellables, so that users can make
use of this API before we fix shutdown. We cannot fix it all at the same time,
so first users must be ready for this approach.
all: SPDX header conversion 2019-09-10T09:19:56+00:00 Lubomir Rintel lkundrak@v3.sk 2019-09-10T09:19:01+00:00 24028a22467275671df71cc6a8054036b37d8f03 $ find * -type f |xargs perl contrib/scripts/spdx.pl $ git rm contrib/scripts/spdx.pl 
  $ find * -type f |xargs perl contrib/scripts/spdx.pl
  $ git rm contrib/scripts/spdx.pl
secret-agent: rework secret-agent to better handle service shutdown 2019-08-08T08:10:34+00:00 Thomas Haller thaller@redhat.com 2019-08-03T17:54:30+00:00 f6624659482bd6cfecd3985f23f220f5206e51e4 The secret-agent D-Bus API knows 4 methods: GetSecrets, SaveSecrets, DeleteSecrets and CancelGetSecrets. When we cancel a GetSecrets request, we must issue another CancelGetSecrets to tell the agent that the request was aborted. This is also true during shutdown. Well, technically, during shutdown we anyway drop off the bus and it woudn't matter. In practice, I think we should get this right and always cancel properly. To better handle shutdown change the following: - each request now takes a reference on NMSecretAgent. That means, as long as there are pending requests, the instance stays alive. The way to get this right during shutdown, is that NMSecretAgent registers itself via nm_shutdown_wait_obj_register() and NetworkManager is supposed to keep running as long as requests are keeping the instance alive. - now, the 3 regular methods are cancellable (which means: we are no longer interested in the result). CancelGetSecrets is not cancellable, but it has a short timeout NM_SHUTDOWN_TIMEOUT_MS to handle this. We anyway don't really care about the result, aside logging and to be sure that the request fully completed. - this means, a request (NMSecretAgentCallId) can now immediately be cancelled and destroyed, both when the request returns and when the caller cancels it. The exception is GetSecrets which keeps the request alive while waiting for CancelGetSecrets. But this is easily handled by unlinking the call-id and pass it on to the CancelGetSecrets callback. Previously, the NMSecretAgentCallId was only destroyed when the D-Bus call returns, even if it was cancelled earlier. That's unnecessary complicated. - previously, D-Bus requests SaveSecrets and DeleteSecrets were not cancellable. That is a problem. We need to be able to cancel them in order to shutdown in time. - use GDBusConnection instead of GDBusProxy. As most of the time, GDBusProxy provides features we don't use. - again, don't log direct pointer values, but obfuscate the indentifiers. 
The secret-agent D-Bus API knows 4 methods: GetSecrets, SaveSecrets,
DeleteSecrets and CancelGetSecrets. When we cancel a GetSecrets
request, we must issue another CancelGetSecrets to tell the agent
that the request was aborted. This is also true during shutdown.
Well, technically, during shutdown we anyway drop off the bus and
it woudn't matter. In practice, I think we should get this right and
always cancel properly.

To better handle shutdown change the following:

- each request now takes a reference on NMSecretAgent. That means,
  as long as there are pending requests, the instance stays alive.
  The way to get this right during shutdown, is that NMSecretAgent
  registers itself via nm_shutdown_wait_obj_register() and
  NetworkManager is supposed to keep running as long as requests
  are keeping the instance alive.

- now, the 3 regular methods are cancellable (which means: we are
  no longer interested in the result). CancelGetSecrets is not
  cancellable, but it has a short timeout NM_SHUTDOWN_TIMEOUT_MS
  to handle this. We anyway don't really care about the result,
  aside logging and to be sure that the request fully completed.

- this means, a request (NMSecretAgentCallId) can now immediately
  be cancelled and destroyed, both when the request returns and
  when the caller cancels it. The exception is GetSecrets which
  keeps the request alive while waiting for CancelGetSecrets. But
  this is easily handled by unlinking the call-id and pass it on
  to the CancelGetSecrets callback.
  Previously, the NMSecretAgentCallId was only destroyed when
  the D-Bus call returns, even if it was cancelled earlier. That's
  unnecessary complicated.

- previously, D-Bus requests SaveSecrets and DeleteSecrets were not cancellable.
  That is a problem. We need to be able to cancel them in order to shutdown in
  time.

- use GDBusConnection instead of GDBusProxy. As most of the time, GDBusProxy
  provides features we don't use.

- again, don't log direct pointer values, but obfuscate the indentifiers.
secret-agent: use NMCListElem to track permissions in NMSecretAgent 2019-08-08T08:07:55+00:00 Thomas Haller thaller@redhat.com 2019-08-03T17:24:17+00:00 52f9c8ecf3cd5808c98ad8c402333dff51055bda I don't like GSList. 
I don't like GSList.
secret-agent/trivial: rename dbus_connection field of NMSecretAgentPrivate 2019-08-08T08:07:55+00:00 Thomas Haller thaller@redhat.com 2019-08-03T17:08:22+00:00 91364f4c0a3a3f37a4adf7d54db0e0851b677933 






secret-agent: avoid log plain pointer values
2019-08-08T08:07:55+00:00

Thomas Haller
thaller@redhat.com

2019-08-03T17:05:41+00:00

a010484c40dc42dee88a0a1d4c2a75054d1ce336

This defeats ASLR. Obfuscate the pointers.





This defeats ASLR. Obfuscate the pointers.







secret-agent: drop unused private-socket code from secret-agent
2019-08-08T08:07:55+00:00

Thomas Haller
thaller@redhat.com

2019-08-03T16:52:48+00:00

8a347dbd555bf20a8c49f79ec6b702e900bde203

In the past, we had a private unix socket. That is long gone.
Drop the remains in "nm-secret-agent.c". The request here really
always comes from the main D-Bus connection.

Maybe the private unix socket makes sense and we might resurrect it one
day. But at that point it would be an entire rewrite and the existing
code is probably not useful either way. Drop it.





In the past, we had a private unix socket. That is long gone.
Drop the remains in "nm-secret-agent.c". The request here really
always comes from the main D-Bus connection.

Maybe the private unix socket makes sense and we might resurrect it one
day. But at that point it would be an entire rewrite and the existing
code is probably not useful either way. Drop it.







secret-agent: enable trace log messages
2019-08-08T08:07:55+00:00

Thomas Haller
thaller@redhat.com

2019-08-03T16:52:01+00:00

58e5e55f1774b8a57ffac503bde4d974f57bebaa

They seem useful for debugging. Don't only enable them --with-more-logging.





They seem useful for debugging. Don't only enable them --with-more-logging.







all: drop emacs file variables from source files
2019-06-11T08:04:00+00:00

Thomas Haller
thaller@redhat.com

2019-06-02T12:32:30+00:00

c0e075c90263150bd00ea033dbbd2d8e6b05300e

We no longer add these. If you use Emacs, configure it yourself.

Also, due to our "smart-tab" usage the editor anyway does a subpar
job handling our tabs. However, on the upside every user can choose
whatever tab-width he/she prefers. If "smart-tabs" are used properly
(like we do), every tab-width will work.

No manual changes, just ran commands:

    F=($(git grep -l -e '-\*-'))
    sed '1 { /\/\* *-\*-  *[mM]ode.*\*\/$/d }'     -i "${F[@]}"
    sed '1,4 { /^\(#\|--\|dnl\) *-\*- [mM]ode/d }' -i "${F[@]}"

Check remaining lines with:

    git grep -e '-\*-'

The ultimate purpose of this is to cleanup our files and eventually use
SPDX license identifiers. For that, first get rid of the boilerplate lines.





We no longer add these. If you use Emacs, configure it yourself.

Also, due to our "smart-tab" usage the editor anyway does a subpar
job handling our tabs. However, on the upside every user can choose
whatever tab-width he/she prefers. If "smart-tabs" are used properly
(like we do), every tab-width will work.

No manual changes, just ran commands:

    F=($(git grep -l -e '-\*-'))
    sed '1 { /\/\* *-\*-  *[mM]ode.*\*\/$/d }'     -i "${F[@]}"
    sed '1,4 { /^\(#\|--\|dnl\) *-\*- [mM]ode/d }' -i "${F[@]}"

Check remaining lines with:

    git grep -e '-\*-'

The ultimate purpose of this is to cleanup our files and eventually use
SPDX license identifiers. For that, first get rid of the boilerplate lines.







all: use nm_clear_g_dbus_connection_signal() helper
2019-05-12T07:56:36+00:00

Thomas Haller
thaller@redhat.com

2019-05-04T09:53:55+00:00

309271ac176bda188ac739e7d38ea595e52b19a4

I also like this because it's non-obvious that subscription IDs from
GDBusConnection are "guint" (contrary to signal handler IDs which are
"gulong"). So, by using this API you get a compiler error when using the
wrong type.
In the past, when switching to nm_clear_g_signal_handler() this uncovered
multiple bugs where the wrong type was used to hold the ID.





I also like this because it's non-obvious that subscription IDs from
GDBusConnection are "guint" (contrary to signal handler IDs which are
"gulong"). So, by using this API you get a compiler error when using the
wrong type.
In the past, when switching to nm_clear_g_signal_handler() this uncovered
multiple bugs where the wrong type was used to hold the ID.