GitLab

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>

Move the dbus_connection_add_filter() call further up as a precaution,
because it isn't safe for a monitor to not have a filter that
swallows all messages.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>

This includes most of the situations I could think of:

* method call on dbus-daemon and response
* NameOwnerChanged
* NameAcquired, NameLost (although I'm not 100% sure these should
  get captured, since they're redundant with NameOwnerChanged)
* unicast message is allowed through
* unicast message is rejected by no-sending or no-receiving policy
* broadcast is allowed through
* broadcast is rejected by no-sending policy (the error reply
  is also captured)
* broadcast is rejected by no-receiving policy (there is no error
  reply)
* message causing service activation, and the message telling systemd
  to do the actual activation
* systemd reporting that activation failed

It does not cover:

* sending a message to dbus-daemon, then provoking a reply, then
  dbus-daemon does not allow itself to send the reply due to its
  own security policy

This is such an obscure corner case that I'm not even convinced it's
testable without dropping down into lower-level socket manipulation:
dbus-daemon's replies are always assumed to be requested replies,
and replies contain so little other metadata that I think we can
only forbid them by forbidding all method replies. If we do that,
the reply to Hello() won't arrive and the client-side connection will
not become active.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>

Unlike eavesdropping, the point of capture is when the message is
received, except for messages originating inside the dbus-daemon.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>

This is a special connection that is not allowed to send anything,
and loses all its well-known names.

In future commits, it will get a new set of match rules and the
ability to eavesdrop on messages before the rest of the bus daemon
has had a chance to process them.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>

Not being aware of the second reason described here caused bug #87999
in the equivalent code on Windows.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999

If we happen to have been given (say) port 30865, we want to
represent that as host=localhost,port=30865 and not
host=localhost,port=csync2.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999

[separated out from a larger commit -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88964Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

[Separated out from a larger commit -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88964Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=46787
Reviewed-by: Philip Withnall
[also sync up the cmake build system -smcv]

If spawn_dbus_daemon() can fail for TEST_USER_ME, then we'd have to
go through all the tests adding the ability to skip tests after
it fails, which is a fairly extensive change.

The tests have historically all run as whatever uid is supplied, and
if the tests are being run as root for some reason - perhaps in a CI
framework for an embedded platform that doesn't have non-root users,
or in an environment where you can be root or non-root but not both -
there is no particular reason to skip them.

4.5 years after it was implemented, here is the regression test.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=57952
Reviewed-by: Philip Withnall

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

Now we can actually notice incorrect format strings in other
translation units.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

Unlike the initial mitigation for CVE-2014-8148, we now allow
uid 0 to call UpdateActivationEnvironment. There's no point in root
doing that, but there's also no reason why it's particularly bad -
if an attacker is uid 0 we've already lost - and it simplifies
use of this function for future things that do want to be callable
by root, like BecomeMonitor for #46787.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

This is technical debt from mitigating CVE-2014-8148, which should
really have had a regression test at the time.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

We run each test twice:

* once with the system's session.conf, as an integration test
  (test-cases that need a special configuration are automatically
  skipped)
* once with our special test configuration files, which provide better
  coverage

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

This means we can generate a version that works when installed,
from the same source files.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

In the process, make test_kill_pid() safer: do not try to terminate
more than one pid, or the NULL handle.

Also stop leaking the address_fd in spawn_dbus_daemon, a pre-existing
bug that was spotted by Philip Withnall during review.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

This is for g_close(), which the next commit will use. It also lets us
rely on g_type_init() being a no-op (since 2.32 the type system is
always initialized by a global constructor).

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88810
Reviewed-by: Philip Withnall

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88943Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

It seems lcov (or gcc?) has changed its paths since last time this
worked.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall

It has been supported since at least 1.10, and its absence is
deprecated since 1.14.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88808
Reviewed-by: Philip Withnall

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

This fix is required to support at least ipv4 tcp support calling
_dbus_listen_tcp_socket() without family.

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=87999Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88087Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>

pygobject 2 is obsolete and unmaintained, and anyway this is for
optional functionality (full regression test coverage) rather than
anything that will be needed in production builds.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85969