path: root/bus/bus.c
Commit message (Author, Age, Files, Lines)
* Mediation of processes sending and receiving messages (John Johansen, 2015-02-18, 1 file, -1/+18)
|   When an AppArmor confined process wants to send or receive a message, a check is performed to see if the action should be allowed.
|
|   When a message is going through dbus-daemon, there are two checks performed at once. One for the sending process and one for the receiving process.
|
|   The checks are based on the process's label, the bus type, destination, path, interface, and member, as well as the peer's label and/or destination name.
|
|   This allows for the traditional connection-based enforcement, as well as any fine-grained filtering desired by the system administrator.
|
|   It is important to note that error and method_return messages are allowed to cut down on the amount of rules needed. If a process was allowed to send a message, it can receive error and method_return messages.
|
|   An example AppArmor rule that would be needed to allow a process to call the UpdateActivationEnvironment method of the session bus itself would be:
|
|     dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=UpdateActivationEnvironment peer=(name=org.freedesktop.DBus),
|
|   To receive any message on the system bus from a process confined by the "confined-client" AppArmor profile:
|
|     dbus receive bus=system peer=(label=confined-client),
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
|   Signed-off-by: John Johansen <john.johansen@canonical.com>
|   [tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg]
|   [tyhicks: Pass the message type to the AppArmor hook]
|   [tyhicks: Don't audit unrequested reply message denials]
|   Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
|   [smcv: when AA denies sending, don't label requested_reply as "matched rules"]
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|   Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
* Do LSM checks after determining if the message is a requested reply (Tyler Hicks, 2015-02-18, 1 file, -24/+29)
|   Move the call to bus_selinux_allows_send() after the call to bus_connections_check_reply(). This allows LSMs to know if the message is a reply and whether or not it was requested.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
|   Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* Initialize AppArmor mediation (John Johansen, 2015-02-18, 1 file, -0/+18)
|   When starting dbus-daemon, autodetect AppArmor kernel support and use the results from parsing the busconfig to determine if mediation should be enabled.
|
|   In the busconfig, "enabled" means that kernel support is autodetected and, if available, AppArmor mediation occurs in dbus-daemon. In "enabled" mode, if kernel support is not detected, mediation is disabled. "disabled" means that mediation does not occur. "required" means that kernel support must be detected for dbus-daemon to start.
|
|   Additionally, when libaudit support is built into dbus-daemon, the AppArmor initialization routines set up the audit connection.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
|   Signed-off-by: John Johansen <john.johansen@canonical.com>
|   [tyhicks: Honor enforcement modes and detect AppArmor dbus rule support]
|   [tyhicks: fix unreachable return when AppArmor support is built]
|   [tyhicks: make bus_apparmor_full_init() able to raise a DBusError]
|   Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
|   [smcv: _bus_apparmor_aa_supports_dbus: document necessary kernel API guarantee]
|   [smcv: bus_apparmor_pre_init: distinguish between OOM and AppArmor not enabled]
|   [smcv: document why we open() and not just stat()]
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|   Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
* bus_context_log_and_set_error: add and use (Simon McVittie, 2015-02-03, 1 file, -0/+23)
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
|   Reviewed-by: Philip Withnall
* bus_context_log_literal: add simplified version of bus_context_log (Simon McVittie, 2015-02-03, 1 file, -1/+21)
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
|   Reviewed-by: Philip Withnall
* bus: put the printf attribute in the header where it will do more good (Simon McVittie, 2015-02-03, 1 file, -3/+0)
|   Now we can actually notice incorrect format strings in other translation units.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
|   Reviewed-by: Philip Withnall
* bus: exit on fatal errors even if not syslogging (Simon McVittie, 2015-02-02, 1 file, -0/+4)
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
|   Reviewed-by: Philip Withnall
* Use DBUS_SYSTEM_LOG_WARNING for failure to alter fd-limits (Simon McVittie, 2014-11-18, 1 file, -2/+2)
|   Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
* Set error when message delivery is denied due to receive rule (Jacek Bukarewicz, 2014-11-14, 1 file, -1/+1)
|   This makes bus_context_check_security_policy follow convention of setting errors if function indicates failure and has error parameter.
|
|   Notable implication is that AccessDenied error will be sent if sending message to addressed recipient is denied due to receive rule. Previously, message was silently dropped.
|
|   This also fixes assertion failure when message is denied at addressed recipient while sending pending auto activation messages.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=86194
* CVE-2014-7824: set fd rlimit to 64k for the system dbus-daemon (Simon McVittie, 2014-11-06, 1 file, -10/+40)
|   This ensures that our rlimit is actually high enough to avoid the denial of service described in CVE-2014-3636 part A. CVE-2014-7824 has been allocated for this incomplete fix.
|
|   Restore the original rlimit for activated services, to avoid them getting undesired higher limits.
|
|   (Thanks to Alban Crequy for various adjustments which have been included in this commit.)
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
|   Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
* config: add new limit: pending_fd_timeout (Alban Crequy, 2014-09-15, 1 file, -0/+6)
|   This is one of four commits needed to address CVE-2014-3637.
|
|   When a file descriptor is passed to dbus-daemon, the associated D-Bus message might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file descriptor in the DBusMessageLoader of the connection, waiting for the rest of the message. If the client stops sending the remaining bytes, dbus-daemon will wait forever and keep that file descriptor.
|
|   This patch adds pending_fd_timeout (milliseconds) in the configuration to disconnect a connection after a timeout when a file descriptor was sent but not the remaining message.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* Stop listening on DBusServer sockets when reaching max_incomplete_connections (Alban Crequy, 2014-09-15, 1 file, -0/+37)
|   This addresses the parts of CVE-2014-3639 not already addressed by reducing the default authentication timeout.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80851
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* Reload policy rules for completed connections (Chengwei Yang, 2014-01-06, 1 file, -0/+12)
|   The message bus which can monitor its conf dirs for changes and reload confs immediately if dir monitor enabled, for example, inotify in Linux, kqueue in *BSD. However, it doesn't apply policy rules change for completed connections, so to apply policy rules change, the client connection has to disconnect first and then re-connect to message bus.
|
|   For incomplete connections, it always has the latest review of policy rules.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39463
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* selinux: Use selinux_set_mapping() to avoid hardcoded constants for policy (osmond sun, 2013-11-07, 1 file, -1/+1)
|   Previous to the introduction of selinux_set_mapping(), DBus pulled constants generated from the system's policy at build time. But this means it's impossible to replace the system policy without rebuilding userspace components.
|
|   This patch maps from arbitrary class/perm indices used by D-Bus and the policy values and handles all the translation at runtime on avc_has_perm() calls.
|
|   Bug: https://bugs.freedesktop.org/attachment.cgi?id=88719
|   Reviewed-By: Colin Walters <walters@verbum.org>
|   Tested-By: Colin Walters <walters@verbum.org>
* Do not suppress syslog test's stderr just because init is systemd (Simon McVittie, 2013-04-08, 1 file, -1/+1)
|   This causes the test to fail. The assumption implicitly being made was "if pid 1 is systemd, then every caller of _dbus_init_system_log() is a systemd service" which is not valid for the regression test.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=63163
|   Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|   Reviewed-by: Colin Walters <walters@verbum.org>
* Replace a series of booleans, all (apparently) alike, with flags (Simon McVittie, 2012-02-13, 1 file, -9/+13)
|   This makes it a bit clearer what's going on.
|
|   Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|   Reviewed-by: Lennart Poettering <lennart@poettering.net>
* bus: introduce --nopidfile switch to disable writing of PID files (Lennart Poettering, 2012-02-10, 1 file, -2/+8)
|   When used with init systems such as systemd (where PID files are redundant) this allows us to disable PID files even if a path is configured for them in the normal bus configuration files.
|
|   Make use of this new switch in the systemd unit file.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=45520
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* Merge branch 'socket-set-33337' (Simon McVittie, 2012-02-07, 1 file, -1/+13)
|\
| |   Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
| |   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33337
| * Add a stub _dbus_loop_toggle_watch and call it where needed (Simon McVittie, 2011-06-13, 1 file, -1/+13)
| |   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33337
| |   Bug-NB: NB#197191
* | Merge branch 'dbus-1.4', rejecting commit 08dd53c14b53b88c (Simon McVittie, 2012-01-23, 1 file, -0/+1)
|\ \
| * | dbus-daemon: fix forgotten counter increase while copying configured auth mechanisms (Simon McVittie, 2012-01-23, 1 file, -0/+1)
| | |   Previously, only one auth mechanism was used.
| | |
| | |   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=45106
| | |   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| * | Revert all changes since a36d4918a6f646e085 (Simon McVittie, 2012-01-04, 1 file, -4/+39)
|/ /
| |   Someone seems to have merged part of master into 1.4. Again. Let's go back to the "last known good" point (the branch-point of some 1.4 branches I had locally), then we can cherry-pick the changes that should have gone in.
* | Remove various never-used variables (Simon McVittie, 2011-08-05, 1 file, -8/+0)
|/
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39231
|   Reviewed-by: Will Thompson <will.thompson@collabora.co.uk>
* DBusLoop: remove second layer of watch callbacks where possible (Simon McVittie, 2011-06-13, 1 file, -18/+2)
|   Similar to the previous commit, almost every use of DBusWatch can just have the main loop call dbus_watch_handle.
|
|   The one exception is the bus activation code; it's had a comment explaining why it's wrong since 2003. We should fix that one day, but for now, just migrate it to a new _dbus_loop_add_watch_full which preserves the second-layer callback.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33342
|   Reviewed-by: Thiago Macieira <thiago@kde.org>
* DBusLoop: remove a layer of pointless abstraction around timeouts (Simon McVittie, 2011-06-13, 1 file, -13/+2)
|   Instead of supplying 8 tiny wrapper functions around dbus_timeout_handle, each with a user_data parameter that's a potentially unsafe borrowed pointer but isn't actually used, we can call dbus_timeout_handle directly and save a lot of trouble.
|
|   One of the wrappers previously called dbus_timeout_handle repeatedly if it returned FALSE to indicate OOM, but that timeout's handler never actually returned FALSE, so there was no practical effect. The rest just ignore the return, which is documented as OK to do.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33342
|   Reviewed-by: Thiago Macieira <thiago@kde.org>
* bus_context_log: divert messages to stderr if we're not using syslog (Simon McVittie, 2011-05-25, 1 file, -2/+13)
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=35358
|   Reviewed-by: Colin Walters <walters@verbum.org>
* process_config_first_time_only: initialize syslog as intended. (Simon McVittie, 2011-05-25, 1 file, -0/+2)
|   On Linux, we previously called openlog() (with different options!) while initializing SELinux; leave SELinux messages as LOG_USER|LOG_INFO in case anyone was relying on that, but let the rest of our log messages come out as LOG_DAEMON.
|
|   Also enable LOG_PERROR (copy syslog messages to stderr) unconditionally; we can make this an autoconf check if anyone's pet Unix doesn't have LOG_PERROR.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=35358
|   Reviewed-by: Colin Walters <walters@verbum.org>
* bus_context_check_security_policy: syslog if we hit the outgoing quota (Simon McVittie, 2011-05-25, 1 file, -10/+13)
|   In practice, nothing copes with missing broadcast signals, so the least we can do is make the failure mode visible.
|
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=35358
|   Reviewed-by: Colin Walters <walters@verbum.org>
* bus_context_check_security_policy: for SELinux denials, share code to set errors (Simon McVittie, 2011-05-25, 1 file, -15/+6)
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=35358
|   Reviewed-by: Colin Walters <walters@verbum.org>
* bus_context_check_security_policy: factor out complain_about_message (Simon McVittie, 2011-05-25, 1 file, -98/+85)
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=35358
|   Reviewed-by: Colin Walters <walters@verbum.org>
* bus: Raise file descriptor limit to match configuration (Colin Walters, 2011-02-03, 1 file, -0/+20)
|   The default configuration has hardcoded 2048 complete connections, and 64 incomplete. We need at least that number of file descriptors, plus some for internal use.
|
|   In the bus, attempt to call setrlimit() before we drop privileges. Practically speaking, this means the system bus gets it, the session bus doesn't.
|
|   http://bugs.freedesktop.org/show_bug.cgi?id=33474
|
|   Reviewed-By: Simon McVittie <simon.mcvittie@collabora.co.uk>
* clean up credentials on OOM in process_config_first_time_only (Christian Dywan, 2011-01-17, 1 file, -3/+12)
|   Origin: vendor, Maemo
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33128
|   Bug-NB: NB#180486
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* remove obviously-redundant code from list_concat_new (Simon McVittie, 2011-01-17, 1 file, -1/+0)
|   Origin: vendor, Maemo
|   Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33128
|   Bug-NB: NB#180486
|   Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
* Fixed wince build problem reported by aheinecke at intevation dot de. (Ralf Habacker, 2010-08-10, 1 file, -0/+2)
|
* Delete stale pid file on cygwin. (Yaakov Selkowitz, 2010-08-10, 1 file, -0/+20)
|
* activation: optionally, use systemd for system bus activation (Lennart Poettering, 2010-07-09, 1 file, -1/+12)
|
* bus: add --address switch (Lennart Poettering, 2010-07-09, 1 file, -87/+111)
|   This allows overriding of the listening address on the command line, which is particularly useful for systemd socket-based activation.
* Merge branch 'dbus-1.2' (Colin Walters, 2010-03-22, 1 file, -1/+4)
|\
| |   Conflicts:
| |     bus/dispatch.c
| |     configure.in
| |     test/name-test/test-names.c
| * Add DBUS_GNUC_PRINTF checks to new formatting functions (Colin Walters, 2010-03-22, 1 file, -0/+3)
| |   Otherwise we don't get GCC warnings.
| * [bus] While creating a syslog, correctly get pointer data from DBusString (Colin Walters, 2010-03-21, 1 file, -1/+1)
| |
* | Consistently include <config.h> in all C source files and never in header files. (Marcus Brinkmann, 2010-03-19, 1 file, -0/+1)
| |
* | Merge branch 'dbus-1.2' (Colin Walters, 2010-03-16, 1 file, -70/+98)
|\ \
| |/
| |   Conflicts:
| |     bus/bus.c
| |     configure.in
| * Make SELinux initialization failure fatal (Colin Walters, 2010-03-16, 1 file, -2/+2)
| |   https://bugzilla.redhat.com/show_bug.cgi?id=572769
| |
| |   Previously we'd just continue if AVC initialization failed, but that didn't really work because then we'd later crash in avc_has_perm.
| |
| |   Simply treat initialization failures as fatal, and hopefully we can get data from the system log.
| * Add a prefix to our syslog messages (Colin Walters, 2010-03-16, 1 file, -46/+87)
| |   Previously we were simply logging as "dbus", and it was unclear whether it was the system bus, or a session bus. And if the latter, which user?
| |
| |   This patch adds a prefix to the log message with the bus type and the userid.
| * Refactor _dbus_log_info, _dbus_log_security into _dbus_log_system (Colin Walters, 2010-03-16, 1 file, -23/+10)
| |   In preparation for a future patch which introduces a fatal logging level, don't duplicate the API here.
* | Merge branch 'dbus-1.2' (Colin Walters, 2010-02-22, 1 file, -2/+42)
|\ \
| |/
| |   Conflicts:
| |     bus/bus.c
| |     bus/selinux.c
| |     configure.in
| * Monitor service directories for changes (Colin Walters, 2010-02-18, 1 file, -2/+42)
| |   It's not expected to have to manually SIGHUP the bus after installing a new .service file.
| |
| |   Since our directory monitoring is already set up to queue a full reload which includes service activation, simply monitor the servicedirs too.
| |
| |   https://bugs.freedesktop.org/show_bug.cgi?id=23846
| * Fix inotify shutdown (Colin Walters, 2010-02-02, 1 file, -8/+0)
| |   We were incorrectly passing NULL for a DBusList when the usage expected is a pointer to a NULL DBusList pointer.
| |
| |   Also during dbus_shutdown we need to actually close the inotify fd, and remove our watch. Move the shutdown handler out of bus.c and into inotify where we can do all of this cleanly.
* | Fix inotify shutdown (Colin Walters, 2010-02-03, 1 file, -8/+0)
| |   We were incorrectly passing NULL for a DBusList when the usage expected is a pointer to a NULL DBusList pointer.
| |
| |   Also during dbus_shutdown we need to actually close the inotify fd, and remove our watch. Move the shutdown handler out of bus.c and into inotify where we can do all of this cleanly.
| |
| |   (cherry picked from commit 90fe96b1875350f86a4a773d4a0a22009950dd4d)
* | Merge branch 'my-dbus-1.2' (Colin Walters, 2010-02-01, 1 file, -9/+10)
|\ \
| |/