| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Unlike eavesdropping, the point of capture is when the message is
received, except for messages originating inside the dbus-daemon.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
|
| |
|
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall
|
| |
|
|
|
| |
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
|
| |\
| |
| |
| |
| |
| | |
Conflicts:
NEWS
configure.ac
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This ensures that our rlimit is actually high enough to avoid the
denial of service described in CVE-2014-3636 part A.
CVE-2014-7824 has been allocated for this incomplete fix.
Restore the original rlimit for activated services, to avoid
them getting undesired higher limits.
(Thanks to Alban Crequy for various adjustments which have been
included in this commit.)
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This patch doesn't do any function change, but only the function name,
to align its name with the struct RestorePendingData.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=72254
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| |/
|
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=57272
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
How it should work:
When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
whether the message can be delivered after the service has been activated. The
service is considered activated when its well-known name is requested with
org.freedesktop.DBus.RequestName. When the message delivery is denied, the
service stays activated but should not receive the activating message (the
message which triggered the activation). dbus-daemon is supposed to drop the
activating message and reply to the sender with a D-Bus error message.
However, it does not work as expected:
1. The error message is delivered to the service instead of being delivered to
the sender. As an example, the error message could be something like:
An SELinux policy prevents this sender from sending this
message to this recipient, [...] member="MaliciousMethod"
If the sender and the service are malicious confederates and agree on a
protocol to insert information in the member name, the sender can leak
information to the service, even though the LSM attempted to block the
communication between the sender and the service.
2. The error message is delivered as a reply to the RequestName call from
service. It means the activated service will believe it cannot request the
name and might exit. The sender could activate the service frequently and
systemd will give up activating it. Thus the denial of service.
The following changes fix the bug:
- bus_activation_send_pending_auto_activation_messages() only returns an error
in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
(and its only caller sets the OOM error).
- When a client is not allowed to talk to the service, a D-Bus error message
is pre-allocated to be delivered to the client as part of the transaction.
The error is not propagated to the caller so RequestName will not fail
(except on OOM).
[fixed a misleading comment -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
|
| |\ |
|
| | |
| |
| |
| |
| |
| | |
Signed-off-by: Radoslaw Pajak <r.pajak@samsung.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=71526
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When dbus-daemon receives a request to activate a systemd service before
systemd has connected to it, it enqueues a fake request to "activate"
systemd itself (as a way to get a BusPendingActivationEntry to track the
process of waiting for systemd). When systemd later joins the bus,
dbus-daemon sends the actual activation message; any future activation
messages are sent directly to systemd.
In the "pending" code path, the activation messages are currently
dispatched as though they had been sent by the same process that sent
the original activation request, which is wrong: the bus security
policy probably doesn't allow that process to talk to systemd directly.
They should be dispatched as though they had been sent by the
dbus-daemon itself (connection == NULL), the same as in the non-pending
code path.
In the worst case, if the attempt to activate systemd timed out, the
dbus-daemon would crash with a (fatal) warning, because in this special
case, activation_message is a signal with no serial number, whereas the
code to send an error reply is expecting a method call with a serial
number.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=50199
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Tested-by: Ma Yu <yu.ma@intel.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
DBusBabysitter->executable is defined as executable name to use in error
messages. However, if servicehelper used, then the executable name is
servicehelper. It's not much help because we couldn't figure out which
service we're trying to activated if error happens.
In the following patch, we'll use service name to be activated as the
child log identifier and add a parameter to
_dbus_spawn_async_with_babysitter() to pass the log identifier. Since
this is not the case in test, so executable changed to log_name.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| | |
| |
| |
| |
| | |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=66728
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Sharing a static variable between threads is not safe in general,
and this function is used in the shared libdbus (for nonce files),
so it can't rely on being single-threaded.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68610
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
|
| | |
| |
| |
| |
| |
| | |
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=66291
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When dbus-daemon receives a request to activate a systemd service before
systemd has connected to it, it enqueues a fake request to "activate"
systemd itself (as a way to get a BusPendingActivationEntry to track the
process of waiting for systemd). When systemd later joins the bus,
dbus-daemon sends the actual activation message; any future activation
messages are sent directly to systemd.
In the "pending" code path, the activation messages are currently
dispatched as though they had been sent by the same process that sent
the original activation request, which is wrong: the bus security
policy probably doesn't allow that process to talk to systemd directly.
They should be dispatched as though they had been sent by the
dbus-daemon itself (connection == NULL), the same as in the non-pending
code path.
In the worst case, if the attempt to activate systemd timed out, the
dbus-daemon would crash with a (fatal) warning, because in this special
case, activation_message is a signal with no serial number, whereas the
code to send an error reply is expecting a method call with a serial
number.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=50199
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Tested-by: Ma Yu <yu.ma@intel.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
| |\
| |
| |
| |
| | |
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33337
|
| | |
| |
| |
| |
| | |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33337
Bug-NB: NB#197191
|
| |\ \
| | |
| | |
| | |
| | | |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39231
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
|
| | | |
| | |
| | |
| | |
| | |
| | | |
The uses in bus/activation.c are also probably wrong because they ignore
the result of the test, but that's orthogonal.
(<https://bugs.freedesktop.org/show_bug.cgi?id=39858>)
|
| |\ \ \
| |/ /
|/| |
| | |
| | | |
Conflicts:
NEWS
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
return it
Since 1.4.4 (commit 75cfd97f) this function always returned FALSE. As far
as I can see this was actually harmless, because both of its callers
ignore any error that is not NoMemory (and treat it the same as success).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39230
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
If we're going to return FALSE for this (which has apparently always
been the case), then we should set an error properly.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39230
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Revenge of #33126: most, but not all, temporary variables were freed on
this code path.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39230
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
|
| | |/
|/|
| |
| |
| | |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39231
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
|
| | |
| |
| |
| |
| |
| |
| | |
This has been marked as broken since 2003...
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33342
Reviewed-by: Thiago Macieira <thiago@kde.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Similar to the previous commit, almost every use of DBusWatch can just
have the main loop call dbus_watch_handle.
The one exception is the bus activation code; it's had a comment
explaining why it's wrong since 2003. We should fix that one day, but for
now, just migrate it to a new _dbus_loop_add_watch_full which preserves
the second-layer callback.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33342
Reviewed-by: Thiago Macieira <thiago@kde.org>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of supplying 8 tiny wrapper functions around dbus_timeout_handle,
each with a user_data parameter that's a potentially unsafe borrowed
pointer but isn't actually used, we can call dbus_timeout_handle directly
and save a lot of trouble.
One of the wrappers previously called dbus_timeout_handle repeatedly
if it returned FALSE to indicate OOM, but that timeout's handler never
actually returned FALSE, so there was no practical effect. The rest just
ignore the return, which is documented as OK to do.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33342
Reviewed-by: Thiago Macieira <thiago@kde.org>
|
| |
|
|
|
|
|
| |
Log when we are activating something (and whether it's via systemd)
as well as when we fail to activate, and when one succeeds.
https://bugs.freedesktop.org/show_bug.cgi?id=35705
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In commit:
075945f6 (John (J5) Palmieri 2005-07-14 20:44:15 +0000
some code was added to compare services by Exec key. The changelog is
not pariticularly informative as to why this was added. But while
debugging other code, we noticed this.
Comparing by Exec key is not in the specification, and triggered a
problem where while converting services to use systemd for activation,
a change was made to use Exec=/bin/false and simply rely on systemd
to activate.
While I think it was broken for the service files to be changed
to Exec=/bin/false, we shouldn't be doing something here that's
not in the spec either.
Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=35750
|
| | |
|
| |
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33126
|
| |
|
|
|
|
| |
before failure
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33126
|
| |
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33126
|
| |
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33126
|
| |
|
|
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33126
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, if a method call activated a service, it would only be
delivered to that service, and not to other services with match rules
which should match. This patch replaces the improperly-duplicated
dispatch code in activation.c with a call back into the normal dispatch
code, fixing this bug (fd.o#26427).
(Additionally, were one to service-activate a service that doesn't
understand file descriptors with a message containing a file descriptor,
the previous code would send it anyway, and the service's dbus library
would blow up. This is also fixed here, since the normal dispatch code
checks this correctly.)
|
| |
|
|
|
|
|
|
| |
The reload handling for activation simply dropped all knowledge
of pending activations, which was clearly wrong. Refactor things
so that reload only reloads directories, server address etc.
Based on a patch originally from Matthias Clasen <mclasen@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A variety of system components have migrated from legacy init into DBus
service activation. Many of these system components "daemonize", which
involves forking. The DBus activation system treated an exit as an
activation failure, assuming that the child process which grabbed the
DBus name didn't run first.
While we're in here, also differentiate in this code path between the
servicehelper (system) versus direct activation (session) paths. In
the session activation path our error message mentioned a helper
process which was confusing, since none was involved.
Based on a patch and debugging research from Ray Strode <rstrode@redhat.com>
|
| |
|
|
|
|
|
| |
No comment.
Signed-off-by: Colin Walters <walters@verbum.org>
(cherry picked from commit 5baf2f856a9c6625993234855b07680da1c8916f)
|
| |
|
|
| |
Signed-off-by: Colin Walters <walters@verbum.org>
|
| |
|
|
|
|
|
|
| |
Commit 91306ef938873fce8f2ae2d4a6b3282d0379c65a introduced
two memory leaks on OOM error paths. In one case the
environment string array wasn't getting freed, and in the
other case it was getting freed with dbus_free instead of
dbus_free_string_array.
|
| |
|
|
|
|
|
|
| |
We now keep the environment in a hash table member of the
activation object and provide a method
bus_activation_set_environment_variable to modify the
hash table. This hash table is seeded initially with the
environment of the bus daemon itself.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/config-parser-trivial.c (check_return_values): disable a
test that hardcoded the bus user's name
* bus/dispatch.c (bus_dispatch_test_conf): remove the "if
(!use_launcher)" around the tests, they were only failing because
we didn't pass through all the expected errors from the helper.
* bus/activation-exit-codes.h
(BUS_SPAWN_EXIT_CODE_CHILD_SIGNALED): add a code for child segfaulting
(BUS_SPAWN_EXIT_CODE_GENERIC_FAILURE): make "1" be a generic
failure code, so if a third party launch helper were written it
could just always return 1 on failure.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.in: add AM_PROG_CC_C_O to allow per-target CPPFLAGS
* bus/dispatch.c (bus_dispatch_test_conf): Fix up setting
TEST_LAUNCH_HELPER_CONFIG to include the full path, and enable
test shell_fail_service_auto_start when use_launcher==TRUE
* bus/activation-helper-bin.c (convert_error_to_exit_code): pass
through the INVALID_ARGS error so the test suite works
* bus/activation.c (handle_activation_exit_error): return
DBUS_ERROR_NO_MEMORY if we get BUS_SPAWN_EXIT_CODE_NO_MEMORY
* dbus/dbus-spawn.c (_dbus_babysitter_get_child_exit_status):
return only the exit code of the child, not the entire thingy from
waitpid(), and make the return value indicate whether the child
exited normally (with a status code)
* bus/bus.c (process_config_first_time_only): _dbus_strdup works
on NULL so no need to check
(process_config_every_time): move servicehelper init here, so we
reload it on HUP or config file change
* bus/Makefile.am (install-data-hook): remove comment because
Emacs make mode seems to be grumpy about it
|
| |
|
|
|
| |
* bus/activation.c: (bus_activation_activate_service):
If the bus uses a service-laucher, then use the setuid laucher.
|
| |
|
|
|
|
| |
* bus/activation.c: (handle_activation_exit_error),
(babysitter_watch_callback):
Map the child exit status integer to a proper dbus error.
|
