| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The full license texts are not added because they were already
added in a previous commit.
Signed-off-by: Ralf Habacker <ralf.habacker@freenet.de>
see #394
| |
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
| |
Split _dbus_transport_open_unix_socket() to leave the "unixexec:"
handling to the unix-specific unit.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
| |
Split out the Unix socket handling from open_platform_specific(),
enabling "unix:" connectable addresses on Windows in next patch.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
| |
We don't usually mass-remove trailing whitespace from the actual source
code because it would complicate cherry-picking bug fixes to older
branches, but that reasoning doesn't really apply to the comments
containing copyright and licensing notices.
Removing trailing whitespace makes it much easier to move code around:
we have a commit hook that rejects commits containing trailing
whitespace, but that commit hook counts moving a file as a delete + add
pair, so it objects to moving code that contains trailing whitespace.
Signed-off-by: Simon McVittie <smcv@collabora.com>
| |
As suggested by Philip Withnall in dbus!43.
Signed-off-by: Simon McVittie <smcv@collabora.com>
| |
We have a lot of dbus_connection_get_foo() and
_dbus_transport_get_foo() that are actually rather redundant.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103737
| |
If we somehow get an autolaunch address with multiple
semicolon-separated components, and one of them fails, then we will
hit an assertion failure when we try the next one.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101257
| |
Explicitly enumerate the states where we reset the maybe_authenticated
flag, and assert that _dbus_auth_do_work() doesn't return an impossible
or invalid state (by source code inspection, it doesn't).
This silences -Wswitch-enum. Based on part of a patch from
Thomas Zimmermann.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98191
| |
This silences -Wswitch-default.
Based on part of a patch from Thomas Zimmermann.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98191
| |
systemd-logind's OpenSession() API call returns a fd. If there is a
flood of new sessions, it is possible that by the time we finish reading
message 1, message 2 will already be in our incoming buffer and so on.
This results in systemd-logind consistently having one or more fds enqueued
for an extended period, which we interpret as a denial of service
attack, and handle by kicking it off the bus (at least until we worked
around the resulting logind failure by making uid 0 immune to that
particular anti-DoS mechanism, but that workaround doesn't work for
other uids).
To avoid this without the complexity of tracking multiple countdowns
per connection (one for each message with fds), we can avoid reading
any additional messages while we already have a message with a fd
attached pending processing. To avoid stalling, we have to read the rest
of any partial message we might have, but we stop after that.
Assuming we are able to get rid of the pending fds within a reasonable
time, we'll eventually drain the incoming queue to a level of 0 bytes
and 0 fds, at which point the countdown stops.
To make this actually work, we need fd.o #95619 to be fixed first, so
that when we receive more fds and restart the countdown, it restarts
with its correct time remaining.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=95263
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Tested-by: Kai-Heng Feng
| |
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98089
| |
They used to be needed, but are not needed any more, and we were
never completely consistent about including them in any case.
Signed-off-by: Simon McVittie <smcv@debian.org>
| |
Signed-off-by: Thomas Zimmermann <tdz@users.sourceforge.net>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=97282
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89444
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
| | |
The other code paths that ref or unref a transport are protected by
the DBusConnection's lock. This function already used that lock,
but for a narrower scope than the refcount manipulation.
live_messages_notify() could be triggered by unreffing messages
that originated from the same connection in a different thread.
[smcv: added commit message]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90312
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov> (for SELinux)
Acked-by: John Johansen <john.johansen@canonical.com> (for AppArmor)
Acked-by: Casey Schaufler <casey@schaufler-ca.com> (for Smack)
Tested-by: Tyler Hicks <tyhicks@canonical.com>
| |
This is one of four commits needed to address CVE-2014-3637.
This will allow the bus to be notified whenever a file descriptor is added or
removed from a DBusConnection's DBusMessageLoader.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
This is one of four commits needed to address CVE-2014-3637.
This will allow the bus to know whether there are pending file descriptors in a
DBusConnection's DBusMessageLoader.
https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
[fix compilation on platforms that do not HAVE_UNIX_FD_PASSING -smcv]
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=70218
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
This reverts commit 600621dbc8073527a958091316eddfbb490c1032.
| |
This reverts commit d5d25b5efd35d8d9bbb9d58cae441debf8f7ded6.
| |
This reverts commit 7f6d7229d8812d985d544cf5dd3636865c5abc81.
| |
This reverts commit 64e50dd167993fb2344d2d3be18bb0d5820b5b26.
| |
All mechs do authorization before answering OK/REJECT.
There is no reason to run a second round of authorization which will
return the same answer of the first time (when OK) or will never be
reached (if REJECTed).
Bug: http://bugs.freedesktop.org/show_bug.cgi?id=39720
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Those structs are for DBusTransport internal use, they should not be
referenced outside it.
The transport needs only to allocate memory on initialization and free
it on finalization.
The lifecycle for the two allocated structs is DBusTransport lifecycle
and at DBusTransport's finalization its connection is already
disconnected.
The assumption is that the transport owns a reference for any object the
two structs hold a reference for (particularly DBusConnection)
Bug: http://bugs.freedesktop.org/show_bug.cgi?id=39720
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Also update the authentication script so that DBusAuthorization default
rules are used during testing.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39720
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
In order to authorize/reject a connection in a polite way, instead of
cutting it off after authentication succeeds and Hello() is
sent, because authorization failed, we need to factor out some
authorization bits from DBusTransport and pass them to DBusAuth.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39720
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
Historically, _dbus_transport_get_is_authenticated() has had the
side-effect of trying to advance the authentication state machine (if
there's enough buffered input to do so). This seems an inappropriate
activity for what looks like a simple getter.
Split it into _dbus_transport_try_to_authenticate (which does what it
always used to do) and _dbus_transport_peek_is_authenticated (which
is the simple getter version).
To minimize the difference in behaviour for the stable branch of D-Bus,
I've only used _dbus_transport_peek_is_authenticated where it was used
in an assertion, which should clearly not have side effects (and I've
checked that the asserting function cannot be called until both
authentication and authorization have completed). Replacing most of the
calls to get_is_authenticated with try_to_authenticate is a possible
piece of future work.
Based on patches from Cosimo Alfarano, who noticed this
assertion-with-side-effects.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
https://bugs.freedesktop.org/show_bug.cgi?id=39720
Reviewed-by: Cosimo Alfarano <cosimo.alfarano@collabora.com>
| |
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=65755
| |
Signed-off-by: Chengwei Yang <chengwei.yang@intel.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=66291
| |
Windows also has numeric process IDs that fit in an unsigned long, so
there's no reason this has to be Unix-specific.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=61787
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
| |
dbus-launch can apparently return an empty address under certain
circumstances, and dbus_parse_address() in the next line will return
a nice DBusError for an empty address rather than aborting the process.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=51657
Bug-Debian: http://bugs.debian.org/680027
Reviewed-by: David Zeuthen <davidz@redhat.com>
| |
No longer needed.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46095
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Guillaume Desmottes <guillaume.desmottes@collabora.co.uk>
| |
It seems it's no longer needed here.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46095
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Guillaume Desmottes <guillaume.desmottes@collabora.co.uk>
| |
Finalizing a message can trigger callbacks; that's bad, if we have a
connection locked.
In particular, if a message is received by the "left side", passed to
the "right side" and sent (as in test/relay.c (see the diagram there)
or in dbus-daemon), then finalizing that message could result in the
live messages counter for the left side, and the outgoing messages counter
for the right side, both being decremented while under either side's
lock.
After a message is dispatched on the left side, finalizing it now drops
the lock temporarily, to avoid this problem.
After a message is sent on the right side, finalizing it is now deferred
until the right side unlocks, by moving it to a new queue of
"expired messages" which is automatically cleared every time we release
the lock.
The "live messages" counter for the "left" connection will now explicitly
take the left connection's lock before decrementing, to avoid
manipulating watches without a lock.
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=34393
| |
In all the places where counters are added, we're under a lock. The caller
knows what effect adding the counter might have, and can replicate it
in a lock-safe way if necessary.
Reviewed-by: Colin Walters <walters@verbum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=34393
| |
Reviewed-by: Cosimo Alfarano <cosimo.alfarano@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=34040
| |
Reviewed-by: Cosimo Alfarano <cosimo.alfarano@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=34040
| |
There was previously a leak in _dbus_transport_get_is_authenticated, if
we hit OOM when copying the server's actual GUID. This would fail the
"SHA1 connection test" if _dbus_iterate was modified to allocate and free
one extra pointer per iteration.
Rather than adding OOM handling everywhere, if we avoid strdup'ing the
GUID, and just re-fetch the const string from the DBusAuth object on demand
instead, we go back to a situation where _dbus_transport_get_is_authenticated
can't fail.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=33126
| |
printed by default.
| |
(cherry picked from commit 8d8d5fa1babc8f51f1d1bb95b8116850978c60d9)
| |
commit e15f1cde3b5893357f640e360f64c0a1ae37f93b)
| | |
Conflicts:
dbus/dbus-connection.c
dbus/dbus-message-util.c
dbus/dbus-sysdeps-unix.c
| | |
This makes all counters count both bytes of memory and unix fds.
| | |
This adds two new directives to the auth protocol:
NEGOTIATE_UNIX_FD is sent by the client after the authentication was
successful, i.e. OK was received.
AGREE_UNIX_FD is then sent by the server if it can do unix fd passing as
well.
ERROR is returned when the server cannot or is unwilling to do unix fd
passing.
This should be compatible with existing D-Bus implementations which will
naturally return ERROR on NEGOTIATE_UNIX_FD.
| | |
When appending unix fds to the message a new entry in the fd array will
be allocated and the index to it will be written to the message payload.
When parsing unix fds from the message the index will be read from the
payload and then looked up in the fd array.
When we read fds we put them in a queue first. Since each message knows
how many fds are attached to it we will then pop enough fds from this
queue each time we decode a message from the stream.
This should make sending and receiving more portable since we don't make
any strong requirements on the exact semantics of the SCM_RIGHTS
implementation: as long as fds are received in order, none are lost and
they arrive at the same time as at least one byte from the actual message
data we should be able to handle them correctly.