author | Topi Miettinen <toiwoton@gmail.com> | 2019-03-23 22:18:11 +0200 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2019-03-25 21:51:33 +0200 |
commit | 94b5b236aa0743bacb2139c62d5a6e0143845634 (patch) | |
tree | e831a75a07afd47bc9fcfb140595de56c193e431 /bus | |
parent | df9cb47c3aa28a385bd6254b80f1e55c66321071 (diff) | |
download | dbus-94b5b236aa0743bacb2139c62d5a6e0143845634.tar.gz |
Configure option to disable traditional activation
Traditional activation can now be disabled at configure time when all services
use SystemdService activation instead. Provide an example of a hardened
DBus systemd service drop-in file for such a setup.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'bus')
-rw-r--r-- | bus/Makefile.am | 10 | ||||
-rw-r--r-- | bus/activation.c | 41 | ||||
-rw-r--r-- | bus/dispatch.c | 22 | ||||
-rw-r--r-- | bus/example-system-hardening-without-traditional-activation.conf | 31 |
4 files changed, 93 insertions, 11 deletions
diff --git a/bus/Makefile.am b/bus/Makefile.am index 0adc0c89..1595432c 100644 --- a/bus/Makefile.am +++ b/bus/Makefile.am @@ -67,6 +67,10 @@ examples_DATA = \ example-session-disable-stats.conf \ $(NULL) +dist_examples_DATA = \ + example-system-hardening-without-traditional-activation.conf \ + $(NULL) + if DBUS_ENABLE_LAUNCHD agentdir=$(LAUNCHD_AGENT_DIR) agent_DATA=org.freedesktop.dbus-session.plist @@ -171,8 +175,10 @@ liblaunch_helper_internal_la_LIBADD = \ noinst_PROGRAMS = dbus_daemon_exec_PROGRAMS = dbus-daemon if DBUS_UNIX +if ENABLE_TRADITIONAL_ACTIVATION noinst_LTLIBRARIES += liblaunch-helper-internal.la libexec_PROGRAMS = dbus-daemon-launch-helper +endif ENABLE_TRADITIONAL_ACTIVATION endif DBUS_UNIX install-data-hook: @@ -199,6 +205,7 @@ if DBUS_ENABLE_USER_SESSION endif if DBUS_UNIX +if ENABLE_TRADITIONAL_ACTIVATION install-exec-hook: if test `id -u` -eq 0; then \ chown root:$(DBUS_USER) $(DESTDIR)$(libexecdir)/dbus-daemon-launch-helper$(EXEEXT); \ @@ -207,7 +214,8 @@ install-exec-hook: echo "Not installing $(DESTDIR)$(libexecdir)/dbus-daemon-launch-helper binary setuid!"; \ echo "You'll need to manually set permissions to root:$(DBUS_USER) and permissions 4750"; \ fi -endif +endif ENABLE_TRADITIONAL_ACTIVATION +endif DBUS_UNIX EXTRA_DIST += \ dbus.service.in \ diff --git a/bus/activation.c b/bus/activation.c index 30950636..19ac869a 100644 --- a/bus/activation.c +++ b/bus/activation.c @@ -36,7 +36,9 @@ #include <dbus/dbus-hash.h> #include <dbus/dbus-list.h> #include <dbus/dbus-shell.h> +#ifdef ENABLE_TRADITIONAL_ACTIVATION #include <dbus/dbus-spawn.h> +#endif #include <dbus/dbus-timeout.h> #include <dbus/dbus-sysdeps.h> #include <dbus/dbus-test-tap.h> @@ -106,7 +108,9 @@ typedef struct char *systemd_service; DBusList *entries; int n_entries; +#ifdef ENABLE_TRADITIONAL_ACTIVATION DBusBabysitter *babysitter; +#endif DBusTimeout *timeout; unsigned int timeout_added : 1; } BusPendingActivation; 
@@ -187,6 +191,7 @@ bus_pending_activation_unref (BusPendingActivation *pending_activation) if (pending_activation->timeout) _dbus_timeout_unref (pending_activation->timeout); +#ifdef ENABLE_TRADITIONAL_ACTIVATION if (pending_activation->babysitter) { if (!_dbus_babysitter_set_watch_functions (pending_activation->babysitter, @@ -197,6 +202,7 @@ bus_pending_activation_unref (BusPendingActivation *pending_activation) _dbus_babysitter_unref (pending_activation->babysitter); } +#endif dbus_free (pending_activation->service_name); dbus_free (pending_activation->exec); @@ -1068,6 +1074,7 @@ bus_activation_unref (BusActivation *activation) dbus_free (activation); } +#ifdef ENABLE_TRADITIONAL_ACTIVATION static dbus_bool_t add_bus_environment (BusActivation *activation, DBusError *error) @@ -1108,6 +1115,7 @@ add_bus_environment (BusActivation *activation, return TRUE; } +#endif typedef struct { @@ -1387,6 +1395,7 @@ pending_activation_failed (BusPendingActivation *pending_activation, pending_activation->service_name); } +#ifdef ENABLE_TRADITIONAL_ACTIVATION /** * Depending on the exit code of the helper, set the error accordingly */ @@ -1557,6 +1566,7 @@ toggle_babysitter_watch (DBusWatch *watch, _dbus_loop_toggle_watch (bus_context_get_loop (pending_activation->activation->context), watch); } +#endif static dbus_bool_t pending_activation_timed_out (void *data) @@ -1569,12 +1579,14 @@ pending_activation_timed_out (void *data) context = pending_activation->activation->context; timeout = bus_context_get_activation_timeout (context); +#ifdef ENABLE_TRADITIONAL_ACTIVATION /* Kill the spawned process, since it sucks * (not sure this is what we want to do, but * may as well try it for now) */ if (pending_activation->babysitter) _dbus_babysitter_kill_child (pending_activation->babysitter); +#endif dbus_error_init (&error); 
@@ -1599,8 +1611,10 @@ cancel_pending (void *data) _dbus_verbose ("Canceling pending activation of %s\n", pending_activation->service_name); +#ifdef ENABLE_TRADITIONAL_ACTIVATION if (pending_activation->babysitter) _dbus_babysitter_kill_child (pending_activation->babysitter); +#endif _dbus_hash_table_remove_string (pending_activation->activation->pending_activations, pending_activation->service_name); @@ -1696,11 +1710,13 @@ activation_find_entry (BusActivation *activation, return entry; } +#ifdef ENABLE_TRADITIONAL_ACTIVATION static char ** bus_activation_get_environment (BusActivation *activation) { return _dbus_hash_table_to_array (activation->environment, '='); } +#endif dbus_bool_t bus_activation_set_environment_variable (BusActivation *activation, @@ -1741,6 +1757,7 @@ out: return retval; } +#ifdef ENABLE_TRADITIONAL_ACTIVATION static void child_setup (void *user_data) { @@ -1764,6 +1781,7 @@ child_setup (void *user_data) } #endif } +#endif /* @@ -1790,21 +1808,23 @@ bus_activation_activate_service (BusActivation *activation, const char *service_name, DBusError *error) { - DBusError tmp_error; BusActivationEntry *entry; BusPendingActivation *pending_activation; BusPendingActivationEntry *pending_activation_entry; DBusMessage *message; DBusString service_str; - const char *servicehelper; - char **argv; - char **envp = NULL; - int argc; dbus_bool_t retval; dbus_bool_t was_pending_activation; - DBusString command; int limit; +#ifdef ENABLE_TRADITIONAL_ACTIVATION + DBusError tmp_error; + DBusString command; + char **argv; + char **envp = NULL; + int argc; + const char *servicehelper; DBusSpawnFlags flags = DBUS_SPAWN_NONE; +#endif _dbus_assert (activation != NULL); _dbus_assert (transaction != NULL); 
@@ -2174,6 +2194,7 @@ bus_activation_activate_service (BusActivation *activation, proceed with traditional activation. */ } +#ifdef ENABLE_TRADITIONAL_ACTIVATION /* If entry was NULL, it would be because we were doing systemd activation * and activating systemd itself; but we already handled that case with * an early-return */ @@ -2323,7 +2344,13 @@ bus_activation_activate_service (BusActivation *activation, } return TRUE; - +#else /* !TRADITIONAL_ACTIVATION */ + bus_context_log (activation->context, + DBUS_SYSTEM_LOG_INFO, "Cannot activate service name='%s' requested by '%s' (%s): SystemdService not configured and dbus was compiled with --disable-traditional-activation", + service_name, + bus_connection_get_name (connection), + bus_connection_get_loginfo (connection)); +#endif cancel_pending_activation: _DBUS_ASSERT_ERROR_IS_SET (error); _dbus_hash_table_remove_string (activation->pending_activations, diff --git a/bus/dispatch.c b/bus/dispatch.c index e91a8255..c3019b1e 100644 --- a/bus/dispatch.c +++ b/bus/dispatch.c @@ -639,6 +639,7 @@ pop_message_waiting_for_memory (DBusConnection *connection) return dbus_connection_pop_message (connection); } +#ifdef ENABLE_TRADITIONAL_ACTIVATION static DBusMessage* borrow_message_waiting_for_memory (DBusConnection *connection) { @@ -648,6 +649,7 @@ borrow_message_waiting_for_memory (DBusConnection *connection) return dbus_connection_borrow_message (connection); } +#endif static void warn_unexpected_real (DBusConnection *connection, @@ -1156,6 +1158,7 @@ check_hello_message (BusContext *context, return retval; } +#ifdef ENABLE_TRADITIONAL_ACTIVATION /* returns TRUE if the correct thing happens, * but the correct thing may include OOM errors. */ @@ -1552,6 +1555,7 @@ check_get_connection_unix_process_id (BusContext *context, return retval; } +#endif /* returns TRUE if the correct thing happens, * but the correct thing may include OOM errors. 
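Review bot: The new `#else` branch at the end of bus_activation_activate_service only logs and then falls into `cancel_pending_activation:`, whose first statement is `_DBUS_ASSERT_ERROR_IS_SET (error)`, so a `--disable-traditional-activation` build trips that assertion in checked builds and in release builds returns FALSE with an unset DBusError, which the caller will then try to reply with. Set the error before falling through, e.g. `dbus_set_error (error, DBUS_ERROR_SPAWN_FAILED, "Cannot activate %s: no SystemdService and traditional activation is disabled", service_name);` (using whichever DBUS_ERROR_* the existing activation failure paths in this function already use so clients see a consistent error name). The `#else /* !TRADITIONAL_ACTIVATION */` comment should also name the real macro, `ENABLE_TRADITIONAL_ACTIVATION`. bus_activation_activate_service starts outside this hunk.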
@@ -1685,7 +1689,7 @@ check_add_match (BusContext *context, return retval; } -#ifdef DBUS_ENABLE_STATS +#if defined(ENABLE_TRADITIONAL_ACTIVATION) && defined(DBUS_ENABLE_STATS) /* returns TRUE if the correct thing happens, * but the correct thing may include OOM errors. */ @@ -1863,6 +1867,7 @@ check_hello_connection (BusContext *context, #define NONEXISTENT_SERVICE_NAME "test.this.service.does.not.exist.ewuoiurjdfxcvn" +#ifdef ENABLE_TRADITIONAL_ACTIVATION /* returns TRUE if the correct thing happens, * but the correct thing may include OOM errors. */ @@ -3190,10 +3195,12 @@ check_segfault_service_auto_start (BusContext *context, return retval; } +#endif #define TEST_ECHO_MESSAGE "Test echo message" #define TEST_RUN_HELLO_FROM_SELF_MESSAGE "Test sending message to self" +#ifdef ENABLE_TRADITIONAL_ACTIVATION /* returns TRUE if the correct thing happens, * but the correct thing may include OOM errors. */ @@ -3708,8 +3715,9 @@ check_launch_service_file_missing (BusContext *context, return retval; } +#endif -#ifndef DBUS_WIN +#if defined(ENABLE_TRADITIONAL_ACTIVATION) && !defined(DBUS_WIN) #define SERVICE_USER_MISSING_NAME "org.freedesktop.DBus.TestSuiteNoUser" @@ -4018,6 +4026,7 @@ check_launch_service_service_missing (BusContext *context, #define SHELL_FAIL_SERVICE_NAME "org.freedesktop.DBus.TestSuiteShellEchoServiceFail" +#ifdef ENABLE_TRADITIONAL_ACTIVATION /* returns TRUE if the correct thing happens, * but the correct thing may include OOM errors. */ @@ -4701,6 +4710,7 @@ check_list_services (BusContext *context, return retval; } +#endif typedef struct { @@ -4751,6 +4761,7 @@ check2_try_iterations (BusContext *context, _dbus_test_fatal ("%s failed during oom", description); } +#ifdef ENABLE_TRADITIONAL_ACTIVATION static dbus_bool_t setenv_TEST_LAUNCH_HELPER_CONFIG(const DBusString *test_data_dir, const char *filename) 
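Review bot: `#if defined(ENABLE_TRADITIONAL_ACTIVATION) && defined(DBUS_ENABLE_STATS)` mixes a new unprefixed config macro with the `DBUS_ENABLE_*`/`DBUS_WIN` convention used by every other guard visible in this file, and an unprefixed autoconf define is more likely to collide with another package's config.h when headers are mixed. Suggest naming it `DBUS_ENABLE_TRADITIONAL_ACTIVATION` in configure.ac (not part of this diff) and in all of the guards added here, keeping the automake conditional name in bus/Makefile.am in step with it. Where this hunk and the others change a `#if` line, the matching `#endif` is outside the hunk; if those carry a trailing `/* DBUS_ENABLE_STATS */` comment they should be updated to the combined condition too.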
@@ -4912,6 +4923,7 @@ bus_dispatch_test_conf (const DBusString *test_data_dir, check_shell_fail_service_auto_start); _dbus_test_ok ("%s:%s - check_shell_fail_service_auto_start", _DBUS_FUNCTION_NAME, filename); +#ifdef ENABLE_TRADITIONAL_ACTIVATION /* specific to launcher */ if (use_launcher) { @@ -4920,6 +4932,7 @@ bus_dispatch_test_conf (const DBusString *test_data_dir, _dbus_test_ok ("%s:%s - check_launch_service_file_missing", _DBUS_FUNCTION_NAME, filename); } +#endif #if 0 /* Note: need to resolve some issues with the testing code in order to run @@ -4955,8 +4968,9 @@ bus_dispatch_test_conf (const DBusString *test_data_dir, _dbus_test_ok ("%s:%s", _DBUS_FUNCTION_NAME, filename); return TRUE; } +#endif -#ifndef DBUS_WIN +#if defined(ENABLE_TRADITIONAL_ACTIVATION) && !defined(DBUS_WIN) static dbus_bool_t bus_dispatch_test_conf_fail (const DBusString *test_data_dir, const char *filename) @@ -5029,6 +5043,7 @@ bus_dispatch_test (const char *test_data_dir_cstr) _dbus_string_init_const (&test_data_dir, test_data_dir_cstr); +#ifdef ENABLE_TRADITIONAL_ACTIVATION /* run normal activation tests */ _dbus_verbose ("Normal activation tests\n"); if (!bus_dispatch_test_conf (&test_data_dir, @@ -5047,6 +5062,7 @@ bus_dispatch_test (const char *test_data_dir_cstr) "valid-config-files-system/debug-allow-all-fail.conf")) return FALSE; #endif +#endif return TRUE; } diff --git a/bus/example-system-hardening-without-traditional-activation.conf b/bus/example-system-hardening-without-traditional-activation.conf new file mode 100644 index 00000000..2665c9a8 --- /dev/null +++ b/bus/example-system-hardening-without-traditional-activation.conf 
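Review bot: The `#ifdef ENABLE_TRADITIONAL_ACTIVATION` wrapped around the body of bus_dispatch_test, together with the guard added before setenv_TEST_LAUNCH_HELPER_CONFIG that encloses all of bus_dispatch_test_conf, means a `--disable-traditional-activation` build runs none of the dispatch tests and still returns TRUE, even though only the launch-helper checks (check_segfault_service_auto_start, check_launch_service_*, check_shell_fail_service_auto_start) depend on traditional activation while check_hello_message and check_add_match remain compiled. Prefer keeping bus_dispatch_test_conf compiled and guarding only the activation checks inside it, or at minimum report the skip so an empty run is not counted as a pass, e.g. `_dbus_test_diag ("traditional activation disabled, dispatch tests skipped");` if the TAP helpers in dbus-test-tap.h (already included by activation.c) provide that. bus_dispatch_test starts outside this hunk.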
@@ -0,0 +1,31 @@
+# Example drop-in file (dbus.service.d/override.conf) for systemd
+# service. This version has many hardening options enabled and thus
+# it is only suitable for cases where only systemd activation is used
+# or traditional activation disabled by compiling dbus with
+# --disable-traditional-activation.
+
+[Service]
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_RESOURCE CAP_AUDIT_WRITE
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/urandom r
+DevicePolicy=strict
+IPAddressDeny=any
+LimitMEMLOCK=0
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadOnlyPaths=-/
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap memfd_create mincore mlock mlockall personality
+UMask=0077 |
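Review bot: `CapabilityBoundingSet` keeps CAP_SYS_RESOURCE while the second `SystemCallFilter` line denies `@resources`, the group that contains setrlimit and prlimit64, so the capability cannot be exercised through those calls; if dbus-daemon raises RLIMIT_NOFILE at startup the filter will terminate it with SIGSYS (systemd's default when no SystemCallErrorNumber= is set), and if it does not, CAP_SYS_RESOURCE should be dropped from the set — please verify on a real boot and record the outcome in the header comment. The header should also state the assumptions that make `ProtectSystem=strict` and `ReadOnlyPaths=-/` workable, presumably that dbus.service is socket-activated and runs with --nopidfile so nothing under /run is written by the daemon itself — confirm against dbus.service.in, which this diff lists in EXTRA_DIST but does not show. Finally, the comment says the drop-in is only for systemd-activation setups but not why; adding `# NoNewPrivileges=yes makes the setuid dbus-daemon-launch-helper run unprivileged, so traditional system-bus activation would fail at runtime` turns the caveat into something an operator can check (the Makefile.am hunk above is where the helper is installed setuid root).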