The AppArmor and SELinux modes both default to "enabled" (i.e.
enable it if and only if it is supported), so there is no need to
add their element to system.conf unless a system integrator wants
to set them to either required or disabled.
However, if we add <apparmor/> on upgrade from 1.9.10 to 1.9.12,
any subsequent attempts to reload bus configuration before the
next reboot will fail, because the dbus-daemon that is already
running does not support that element.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89231
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
The <apparmor> element can contain a single mode attribute that has one
of three values:
"enabled"
"disabled"
"required"
"enabled" means that kernel support is autodetected and, if available,
AppArmor mediation occurs in dbus-daemon. If kernel support is not
detected, mediation is disabled. "disabled" means that mediation does
not occur. "required" means that kernel support must be detected for
dbus-daemon to start.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This is one of four commits needed to address CVE-2014-3637.
When a file descriptor is passed to dbus-daemon, the associated D-Bus message
might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file
descriptor in the DBusMessageLoader of the connection, waiting for the rest of
the message. If the client stops sending the remaining bytes, dbus-daemon will
wait forever and keep that file descriptor.
This patch adds pending_fd_timeout (milliseconds) in the configuration to
disconnect a connection after a timeout when a file descriptor was sent but not
the remaining message.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This addresses CVE-2014-3636.
Based on a patch by Alban Crequy. Now that it's the same on all
platforms, there's little point in it being set by configure/cmake.
This change fixes two distinct denials of service:
fd.o#82820, part A
------------------
Before this patch, the system bus had the following default configuration:
- max_connections_per_user: 256
- DBUS_DEFAULT_MESSAGE_UNIX_FDS: usually 1024 (or 256 on QNX, see fd.o#61176)
as defined by configure.ac
- max_incoming_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
- max_outgoing_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
- max_message_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS = usually 1024
This means that a single user could create 256 connections and transmit
256*4096 = 1048576 file descriptors.
The file descriptors stay attached to the dbus-daemon process while they are
in the message loader, in the outgoing queue or waiting to be dispatched before
D-Bus activation.
dbus-daemon is usually limited to 65536 file descriptors (ulimit -n). If the
limit is reached and dbus-daemon needs to receive a message with a file
descriptor attached, this is signalled by recvfrom with the flag MSG_CTRUNC.
Dbus-daemon cannot recover from that error because the kernel does not have any
API to retrieve a file descriptor which has been discarded with MSG_CTRUNC.
Therefore, it closes the connection of the sender. This is not necessarily the
connection which generated the most file descriptors so it can lead to
denial-of-service attacks.
In order to prevent DoS issues, this patch reduces DEFAULT_MESSAGE_UNIX_FDS to
16:
max_connections_per_user * max_incoming_unix_fds = 256 * 64 = 16384
This is less than the usual "ulimit -n" (65536) with a good margin to
accommodate the other sources of file descriptors (stdin/stdout/stderr,
listening sockets, message loader, etc.).
Distributors on non-Linux may need to configure a smaller limit in
system.conf, if their limit on the number of fds is smaller than
Linux's.
fd.o#82820, part B
------------------
On Linux, it's not possible to send more than 253 fds in a single sendmsg()
call: sendmsg() would return -EINVAL.
#define SCM_MAX_FD 253
SCM_MAX_FD changed value during Linux history:
- it used to be (OPEN_MAX-1)
- commit c09edd6eb (Jul 2007) changed it to 255
- commit bba14de98 (Nov 2010) changed it to 253
Libdbus always sends all of a message's fds, and the beginning
of the message itself, in a single sendmsg() call. Combining these
two, a malicious sender could split a message across two or more
sendmsg() calls to construct a composite message with 254 or more
fds. When dbus-daemon attempted to relay that message to its
recipient in a single sendmsg() call, it would receive EINVAL,
interpret that as a fatal socket error and disconnect the recipient,
resulting in denial of service.
This is fixed by keeping max_message_unix_fds <= SCM_MAX_FD.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=82820
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
As Ralf pointed out, we usually use upper-case when substituting
variables (apart from "somethingdir", which Autoconf conventionally
makes lower-case for some reason).
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=63682
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
QNX has an arbitrary limit to the number of file descriptors
which may be passed in a message, which is smaller than the
current default. This patch therefore changes the default from
a hardcoded constant to a macro, which is determined at configure
time by looking at the host operating system.
[This reduces the limit from 4096 (session)/1024 (system) to 128 fds
per message on QNX, and 1024 fds per message on other operating systems.
I think the reduced session bus limit on other OSs is a reasonable change
too, given that the default hard/soft ulimits in Linux are only 4096/1024
fds per process. -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=61176
Reviewed-by: Simon McVittie <simon.mcvittie.collabora.co.uk>
set better defaults
On Unix, the connect address should basically always be "autolaunch:"
but the listen address has to be something you can listen on.
On Windows, you can listen on "autolaunch:" or
"autolaunch:scope=*install-path", for instance, and the dbus-daemon is
involved in the auto-launching process.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=38201
Reviewed-by: David Zeuthen <davidz@redhat.com>
[default address changed to autolaunch: for interop with GDBus -smcv]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This reverts commit 89e453216c02bb85c5e53d459997f8bc3b2c73d4.
It makes the tests fail under autotools.
Conflicts:
dbus/dbus-connection.c
dbus/dbus-message-util.c
dbus/dbus-sysdeps-unix.c
Create configuration settings and enforce message unix fd limits the
same way we do for allocated message memory.
* bus/session.conf.in: Remove the reply_timeout stanza, previously
intended to increase the reply timeout, this now reduces it.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
Signed-off-by: Colin Walters <walters@verbum.org>
* bus/Makefile.am (install-data-hook): create session.d
* bus/session.conf.in: add session.d for the session bus, so
security policy can be extended
bus/dbus-daemon.1.in,bus/session.conf.in: added eavesdrop support for replies - patch by olli.salli at collabora.co.uk approved by Havoc Pennington.
* bus/session.conf.in: override all the default limits with much
higher limits on the session bus, there is no reason the session
bus should have low limits
* bus/config-parser.c (bus_config_parser_new): increase default
limits so they are less likely to be hit; in particular the max
replies per connection was way too low
* bus/config-parser.c: add the standard_session_servicedirs element
to the parser
(bus_config_parser_content): process the standard_session_servicedirs
element by getting the standard directories from sysdeps and merging
them into the service directory list
(test_default_session_servicedirs): make sure we get what we expect
* bus/session.conf.in: replace the servicedir tag with the
standard_session_servicedirs tag
* dbus/dbus-list.h: remove the typedef of DBusList and place it in
dbus-sysdeps.h to avoid circular header dependencies
* dbus/dbus-sysdeps.h: add the typedef of DBusList
* dbus/dbus-sysdeps-unix.c (split_paths_and_append): utility function
which takes a string of directories delimited by colons, parses them
out, appends a suffix and puts them in a list ignoring empty elements
(_dbus_get_standard_session_servicedirs): returns the standard
directories for a session bus to look for service activation files
on Unix which includes the XDG_DATA_HOME, XDG_DATA_DIRS and
DBUS_DATADIR directories
* test/data/valid-config-files/many-rules.conf: add the
standard_session_servicedirs tag to the valid config file tests
* Add Havoc's patch that never got applied to HEAD (Bug #2436):
* bus/policy.c (bus_policy_allow_user): change default "user is
allowed" to be "user has same uid as the bus itself"; any
allow/deny rules will override.
* bus/session.conf.in: don't allow all users, since now by default
the user that ran the bus can connect.
* dbus/dbus-sysdeps.c (fill_user_info): On errors do not free
the DBusUserInfo structure since this is passed into the function.
This would cause a double free when the function that allocated
the structure would try to free it when an error occurred.
* (bus/session.conf.in, bus/Makefile.am, dbus/configure.in):
use /usr/share/dbus-1/services instead of /usr/lib/dbus-1.0/services
for service activation to avoid 32bit/64bit parallel install issues
* bus/selinux.h: Add bus_selinux_enabled.
* bus/selinux.c (bus_selinux_enabled): Implement it.
* bus/config-parser.c (struct include): Add
if_selinux_enabled member.
(start_busconfig_child): Parse if_selinux_enabled
attribute for include.
(bus_config_parser_content): Handle it.
* bus/session.conf.in, bus/system.conf.in: Add
inclusion of context mapping to default config files;
conditional on SELinux being enabled.
* doc/busconfig.dtd: Add to if_selinux_enabled to default DTD.
* test/data/invalid-config-files/badselinux-1.conf,
test/data/invalid-config-files/badselinux-2.conf:
Test files for bad syntax.
* bus/session.conf.in: fix my mess
* bus/session.conf.in: fix security policy, reported by Seth Nickell
Get matching rules mostly working in the bus; only actually
parsing the rule text remains. However, the client side of
"signal connections" hasn't been started, this patch is only the
bus side.
* dbus/dispatch.c: fix for the matching rules changes
* bus/driver.c (bus_driver_handle_remove_match)
(bus_driver_handle_add_match): send an ack reply from these
method calls
* glib/dbus-gproxy.c (dbus_gproxy_begin_call): fix order of
arguments, reported by Seth Nickell
* bus/config-parser.c (append_rule_from_element): support
eavesdrop=true|false attribute on policies so match rules
can be prevented from snooping on the system bus.
* bus/dbus-daemon-1.1.in: consistently use terminology "sender"
and "destination" in attribute names; fix some docs bugs;
add eavesdrop=true|false attribute
* bus/driver.c (bus_driver_handle_add_match)
(bus_driver_handle_remove_match): handle AddMatch, RemoveMatch
messages
* dbus/dbus-protocol.h (DBUS_SERVICE_ORG_FREEDESKTOP_BROADCAST): get
rid of broadcast service concept, signals are just always broadcast
* bus/signals.c, bus/dispatch.c, bus/connection.c, bus/bus.c:
mostly implement matching rules stuff (currently only exposed as signal
connections)
* dbus/dbus-message.c (decode_string_field): support FIELD_SENDER
(dbus_message_is_error): fix this function
* bus/dbus-daemon-1.1: clarify logic on when <deny>/<allow> rules
match
* bus/policy.c (bus_client_policy_check_can_receive): fix code to
reflect clarified man page
(bus_client_policy_check_can_send): ditto
* bus/session.conf.in: fixup
* bus/system.conf.in: fixup
* configure.in:
* bus/activation.c: (bus_activation_service_created),
(bus_activation_activate_service):
* bus/driver.c: (bus_driver_send_service_deleted),
(bus_driver_send_service_created), (bus_driver_send_service_lost),
(bus_driver_send_service_acquired),
(bus_driver_send_welcome_message),
(bus_driver_handle_list_services):
* bus/session.conf.in:
* dbus/dbus-bus.c: (dbus_bus_acquire_service),
(dbus_bus_service_exists), (dbus_bus_activate_service):
* dbus/dbus-bus.h:
Add some convenience API which lets you activate a service, and did a
bunch of s/0/DBUS_TYPE_INVALID/ in calls to dbus_message_append_args()
and dbus_message_get_args()
* dbus/dbus-mainloop.c: fix some reentrancy issues by refcounting
callbacks
* test/data/valid-config-files/debug-allow-all.conf.in: allow all
users
* dbus/dbus-transport.c (_dbus_transport_get_dispatch_status):
fix to only recover unused bytes if we're already authenticated
(_dbus_transport_get_is_authenticated): fix to still mark us
authenticated if there are unused bytes.
* bus/dispatch.c: implement security policy checking
* bus/connection.c (bus_transaction_send_from_driver): new
* bus/bus.c (bus_context_check_security_policy): new
* bus/dispatch.c (send_service_nonexistent_error): delete this,
now we just set the DBusError and it gets converted to an error
reply.
* bus/connection.c (allow_user_function): enable code using actual
data from the config file
* bus/policy.c (list_allows_user): handle wildcard rules for
user/group connection perms
* bus/bus.c (bus_context_new): fix wrong handling of
server_data_slot_unref() in the error case.
* dbus/dbus-internals.h (_dbus_assert): change so it passes
"(condition) != 0" to _dbus_real_assert so that
"_dbus_assert (pointer)" doesn't cause a warning
* bus/main.c (main): accept --print-address option to print out
the message bus address
* dbus/dbus-sysdeps.c (_dbus_generate_random_ascii): export this
* dbus/dbus-transport.c (_dbus_transport_open): special error for
"tmpdir" option to unix: address on client side
* dbus/dbus-server.c (dbus_server_listen): handle "tmpdir" option
to unix: address
* configure.in (TEST_SOCKET_DIR): locate a temporary directory
we can use to create sockets in the test suite.
* bus/main.c (signal_handler): on SIGTERM, exit the daemon
cleanly. To be used for testing.
* dbus/dbus-spawn.c (babysit): use _dbus_set_signal_handler()
* dbus/dbus-sysdeps.c (_dbus_set_signal_handler): new
* dbus/dbus-server-debug-pipe.c (_dbus_transport_debug_pipe_new):
handle trying to call this when there's no servers active
* bus/config-parser.c (bus_config_parser_unref): free
list of mechanisms, bug discovered by test suite enhancements
(putting system.conf and session.conf into suite)
* test/Makefile.am, test/test-service.c: add placeholder for a
test service that we'll activate as part of test suite. Doesn't
do anything yet.
* dbus/dbus-sysdeps.c (_dbus_setenv): support unsetenv by
setting NULL value, and use system malloc not dbus_malloc()
when we have unavoidable memleakage.
* dbus/dbus-bus.c (dbus_bus_get): fix bug where bus type of 0
didn't work, and support DBUS_BUS_ACTIVATION.
* bus/activation.c (child_setup): pass our well-known bus type to
the child
* bus/config-parser.c: support <type> to specify well-known type
* doc/dbus-specification.sgml: document the env variables to
locate well-known buses and find service activator
* dbus/dbus-transport-unix.c (_dbus_transport_new_for_domain_socket)
(_dbus_transport_new_for_tcp_socket): these didn't need the "server"
argument since they are always client side
* dbus/dbus-server.c (dbus_server_get_address): new function
* bus/main.c (main): take the configuration file as an argument.
* test/data/valid-config-files/debug-allow-all.conf: new file to
use with dispatch.c tests for example
* bus/test-main.c (main): require test data dir
* bus/bus.c (bus_context_new): change this to take a
configuration file name as argument
* doc/config-file.txt (Elements): add <servicedir>
* bus/system.conf, bus/session.conf: new files
* dbus/dbus-bus.c (dbus_bus_get): look for system bus on
well-known socket if none set
* configure.in: create system.conf and session.conf