1. 28 Nov, 2016 1 commit
    • Simon McVittie's avatar
      Mediate auto-activation attempts through AppArmor · dc25979e
      Simon McVittie authored
      Because the recipient process is not yet available, we have to make some
      assumption about its AppArmor profile. Parsing the first word of
      the Exec value and then chasing symlinks seems like too much magic,
      so I've gone for something more explicit. If the .service file contains
      
      AssumedAppArmorLabel=/foo/bar
      
      then we will do the AppArmor query on the assumption that the recipient
      AppArmor label will be as stated. Otherwise, we will do a query
      with an unspecified label, which means that AppArmor rules that do
      specify a peer label will never match it.
      
      Regardless of the result of this query, we will do an independent
      AppArmor query when the activation has actually happened, this time
      with the correct peer label; that second query will still be used
      to decide whether to deliver the message. As a result, if this change
      has any effect, it is to make the bus more restrictive; it does not
      allow anything that would previously have been denied.
      Signed-off-by: 's avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Philip Withnall's avatarPhilip Withnall <philip.withnall@collabora.co.uk>
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666
      dc25979e
  2. 05 Jun, 2014 1 commit
    • Alban Crequy's avatar
      CVE-2014-3477: deliver activation errors correctly, fixing Denial of Service · 24c59070
      Alban Crequy authored
      How it should work:
      
      When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
      whether the message can be delivered after the service has been activated. The
      service is considered activated when its well-known name is requested with
      org.freedesktop.DBus.RequestName. When the message delivery is denied, the
      service stays activated but should not receive the activating message (the
      message which triggered the activation). dbus-daemon is supposed to drop the
      activating message and reply to the sender with a D-Bus error message.
      
      However, it does not work as expected:
      
      1. The error message is delivered to the service instead of being delivered to
         the sender. As an example, the error message could be something like:
      
           An SELinux policy prevents this sender from sending this
           message to this recipient, [...] member="MaliciousMethod"
      
         If the sender and the service are malicious confederates and agree on a
         protocol to insert information in the member name, the sender can leak
         information to the service, even though the LSM attempted to block the
         communication between the sender and the service.
      
      2. The error message is delivered as a reply to the RequestName call from
         service. It means the activated service will believe it cannot request the
         name and might exit. The sender could activate the service frequently and
         systemd will give up activating it. Thus the denial of service.
      
      The following changes fix the bug:
      - bus_activation_send_pending_auto_activation_messages() only returns an error
        in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
        (and its only caller sets the OOM error).
      - When a client is not allowed to talk to the service, a D-Bus error message
        is pre-allocated to be delivered to the client as part of the transaction.
        The error is not propagated to the caller so RequestName will not fail
        (except on OOM).
      
      [fixed a misleading comment -smcv]
      
      Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979Reviewed-by: 's avatarSimon McVittie <simon.mcvittie@collabora.co.uk>
      Reviewed-by: Colin Walters's avatarColin Walters <walters@verbum.org>
      24c59070
  3. 09 Jul, 2010 1 commit
  4. 28 Jan, 2010 1 commit
    • Colin Walters's avatar
      Don't drop pending activations when reloading configuration · b93476ce
      Colin Walters authored
      The reload handling for activation simply dropped all knowledge
      of pending activations, which was clearly wrong.  Refactor things
      so that reload only reloads directories, server address etc.
      
      Based on a patch originally from Matthias Clasen <mclasen@redhat.com>
      b93476ce
  5. 14 Jul, 2009 1 commit
  6. 10 Jul, 2009 1 commit
  7. 12 Jul, 2008 1 commit
    • Ray Strode's avatar
      Store what environment to activate with on activation object · 91306ef9
      Ray Strode authored
      We now keep the environment in a hash table member of the
      activation object and provide a method
      bus_activation_set_environment_variable to modify the
      hash table.  This hash table is seeded initially with the
      environment of the bus daemon itself.
      91306ef9
  8. 14 Jul, 2007 1 commit
  9. 14 Jul, 2006 1 commit
    • John Palmieri's avatar
      * bus/activation.[ch] (bus_activation_list_services): new function to · 7628b541
      John Palmieri authored
        get the list of services that can be activated
      
      * bus/dispatch.c: test coverage for the new bus method
        ListActivatableNames
      
      * bus/driver.c: new bus method ListActivatableNames to get the list of
        services that can be activated
      
      * doc/dbus-specification.xml: ListActivatableNames method documentation
      7628b541
  10. 10 Aug, 2004 1 commit
  11. 16 Mar, 2004 1 commit
    • Richard Hult's avatar
      2004-03-16 Richard Hult <richard@imendio.com> · 93f433a1
      Richard Hult authored
      	* bus/activation.c: (bus_activation_service_created),
      	(bus_activation_send_pending_auto_activation_messages),
      	(bus_activation_activate_service):
      	* bus/activation.h:
      	* bus/dispatch.c: (bus_dispatch),
      	(check_nonexistent_service_auto_activation),
      	(check_service_auto_activated),
      	(check_segfault_service_auto_activation),
      	(check_existent_service_auto_activation), (bus_dispatch_test):
      	* bus/driver.c: (bus_driver_handle_activate_service):
      	* bus/services.c: (bus_registry_acquire_service):
      	* dbus/dbus-message.c: (dbus_message_set_auto_activation),
      	(dbus_message_get_auto_activation):
      	* dbus/dbus-message.h:
      	* dbus/dbus-protocol.h: Implement auto-activation.
      93f433a1
  12. 02 Dec, 2003 1 commit
  13. 27 Nov, 2003 1 commit
  14. 02 Apr, 2003 2 commits
    • Havoc Pennington's avatar
      2003-04-02 Havoc Pennington <hp@redhat.com> · e55fd2c6
      Havoc Pennington authored
      	* bus/connection.c (bus_transaction_send_error_reply): set sender
      	service for the error, and unref the reply on success
      
      	* bus/activation.c: convert to use BusTransaction so OOM can be
      	handled correctly
      	(bus_activation_service_created): set sender of the message
      e55fd2c6
    • Havoc Pennington's avatar
      2003-04-01 Havoc Pennington <hp@redhat.com> · cfa261b4
      Havoc Pennington authored
      	* bus/config-parser.c, bus/bus.c: implement <servicedir> and
      	<includedir> (at least mostly)
      
      	* dbus/dbus-sysdeps.c (_dbus_change_identity): set the group ID
      	first, then the user ID
      cfa261b4
  15. 31 Mar, 2003 1 commit
    • Havoc Pennington's avatar
      2003-03-31 Havoc Pennington <hp@pobox.com> · 29c71168
      Havoc Pennington authored
      	* dbus/dbus-transport-unix.c (_dbus_transport_new_for_domain_socket)
      	(_dbus_transport_new_for_tcp_socket): these didn't need the "server"
      	argument since they are always client side
      
      	* dbus/dbus-server.c (dbus_server_get_address): new function
      
      	* bus/main.c (main): take the configuration file as an argument.
      
      	* test/data/valid-config-files/debug-allow-all.conf: new file to
      	use with dispatch.c tests for example
      
      	* bus/test-main.c (main): require test data dir
      
      	* bus/bus.c (bus_context_new): change this to take a
      	configuration file name as argument
      
      	* doc/config-file.txt (Elements): add <servicedir>
      
      	* bus/system.conf, bus/session.conf: new files
      
      	* dbus/dbus-bus.c (dbus_bus_get): look for system bus on
      	well-known socket if none set
      
      	* configure.in: create system.conf and session.conf
      29c71168
  16. 16 Mar, 2003 1 commit
    • Anders Carlsson's avatar
      2003-03-16 Anders Carlsson <andersca@codefactory.se> · 3f4086f0
      Anders Carlsson authored
      	* bus/activation.c: (bus_pending_activation_entry_free),
      	(bus_pending_activation_free), (bus_activation_new),
      	(bus_activation_unref), (bus_activation_service_created),
      	(bus_activation_activate_service):
      	* bus/activation.h:
      	* bus/bus.c: (bus_context_new):
      	* bus/desktop-file.c: (new_section):
      	* bus/driver.c: (bus_driver_send_service_deleted),
      	(bus_driver_handle_activate_service):
      	* bus/services.c: (bus_registry_new), (bus_registry_ensure):
      	* bus/services.h:
      	* dbus/dbus-connection.c:
      	(dbus_connection_send_with_reply_and_block):
      	* dbus/dbus-message.c: (dbus_message_append_args_valist):
      	* dbus/dbus-protocol.h:
      	Make activation work better. Now pending activations will be queued
      	and the daemon won't try to activate services that are already registered.
      3f4086f0
  17. 13 Mar, 2003 2 commits
    • Havoc Pennington's avatar
      2003-03-12 Havoc Pennington <hp@pobox.com> · 6ecc14ff
      Havoc Pennington authored
      	Throughout: purge global variables, introduce BusActivation,
      	BusConnections, BusRegistry, etc. objects instead.
      
      	* bus/bus.h, bus/bus.c: introduce BusContext as a global
      	message bus object
      
      	* test/Makefile.am (TEST_BINARIES): disable bus-test for now,
      	going to redo this a bit differently I think
      6ecc14ff
    • Havoc Pennington's avatar
      2003-03-12 Havoc Pennington <hp@redhat.com> · 29560adc
      Havoc Pennington authored
              Mega-patch that gets the message bus daemon initially handling
      	out-of-memory. Work still needed. Also lots of random
      	moving stuff to DBusError instead of ResultCode.
      
      	* dbus/dbus-list.c (_dbus_list_length_is_one): new function
      
      	* dbus/dbus-connection.c
      	(dbus_connection_send_with_reply_and_block): use DBusError
      
      	* dbus/dbus-bus.c: adapt to API changes, make it use DBusError not
      	DBusResultCode
      
      	* dbus/dbus-connection.c (dbus_connection_send): drop the result
      	code here, as the only failure possible is OOM.
      
      	* bus/connection.c (bus_connection_disconnect):
      	rename bus_connection_disconnected as it's a notification only
      
      	* bus/driver.c (bus_driver_handle_acquire_service): don't free
      	"name" on get_args failure, should be done by get_args;
      	don't disconnect client for bad args, just return an error.
      	(bus_driver_handle_service_exists): ditto
      
      	* bus/services.c (bus_services_list): NULL-terminate returned array
      
      	* bus/driver.c (bus_driver_send_service_lost)
      	(bus_driver_send_service_acquired): send messages from driver to a
      	specific client to the client's unique name, not to the broadcast
      	service.
      
      	* dbus/dbus-message.c (decode_header_data): reject messages that
      	contain no name field
      	(_dbus_message_get_client_serial): rename to
      	dbus_message_get_serial and make public
      	(_dbus_message_set_serial): rename from set_client_serial
      	(_dbus_message_set_reply_serial): make public
      	(_dbus_message_get_reply_serial): make public
      
      	* bus/connection.c (bus_connection_foreach): allow stopping
      	iteration by returning FALSE from foreach function.
      
      	* dbus/dbus-connection.c (dbus_connection_send_preallocated)
      	(dbus_connection_free_preallocated_send)
      	(dbus_connection_preallocate_send): new API for sending a message
      	without possibility of malloc failure.
      	(dbus_connection_send_message): rename to just
      	dbus_connection_send (and same for whole function family)
      
      	* dbus/dbus-errors.c (dbus_error_free): make this reinit the error
      
      	* dbus/dbus-sysdeps.c (_dbus_exit): new function
      
      	* bus/activation.c: handle/return errors
      
      	* dbus/dbus-errors.h: add more DBUS_ERROR #define
      
      	* dbus/dbus-sysdeps.c (_dbus_directory_open) (_dbus_file_get_contents)
      	(_dbus_directory_get_next_file): use DBusError instead of DBusResultCode
      	(_dbus_result_from_errno): move to this file
      29560adc
  18. 17 Feb, 2003 1 commit
    • Anders Carlsson's avatar
      2003-02-17 Anders Carlsson <andersca@codefactory.se> · 3c8db267
      Anders Carlsson authored
      	* bus/activation.c: (bus_activation_init), (child_setup),
      	(bus_activation_activate_service):
      	* bus/activation.h:
      	* bus/main.c: (main):
      	Set DBUS_ADDRESS environment variable.
      
      	* dbus/dbus-errors.c: (dbus_set_error):
      	Don't use va_copy since that's a C99 feature.
      
      	* dbus/dbus-sysdeps.c: (_dbus_setenv), (do_exec),
      	(_dbus_spawn_async):
      	* dbus/dbus-sysdeps.h:
      	Add child_setup_func to _dbus_spawn_async.
      
      	* doc/dbus-specification.sgml:
      	Update specification.
      
      	* test/spawn-test.c: (setup_func), (main):
      	Fix test.
      3c8db267
  19. 16 Feb, 2003 1 commit
    • Anders Carlsson's avatar
      2003-02-16 Anders Carlsson <andersca@codefactory.se> · f116b128
      Anders Carlsson authored
      	* bus/activation.c: (load_directory), (bus_activation_init),
      	(bus_activation_activate_service):
      	* bus/activation.h:
      	* bus/driver.c:
      	(bus_driver_handle_activate_service), (bus_driver_handle_message):
      	More work on the activation handling.
      
      	* dbus/dbus-errors.h:
      	Add some error messages
      
      	* dbus/dbus-message.c: (dbus_message_new_error_reply):
      	* dbus/dbus-message.h:
      	New function that creates an error message.
      
      	* dbus/dbus-protocol.h:
      	Add ACTIVATE_SERVER message.
      
      	* dbus/dbus-server-unix.c: (unix_handle_watch),
      	(_dbus_server_new_for_domain_socket):
      	Call _dbus_fd_set_close_on_exec.
      
      	* dbus/dbus-sysdeps.c: (make_pipe), (do_exec),
      	(_dbus_spawn_async), (_dbus_disable_sigpipe),
      	(_dbus_fd_set_close_on_exec):
      	* dbus/dbus-sysdeps.h:
      	Add _dbus_fd_set_close_on exec function. Also add function that checks
      	that all open fds are set to close-on-exec and warns otherwise.
      
      	* dbus/dbus-transport-unix.c:
      	(_dbus_transport_new_for_domain_socket):
      	Call _dbus_fd_set_close_on_exec.
      f116b128
  20. 15 Feb, 2003 1 commit
    • Anders Carlsson's avatar
      2003-02-15 Anders Carlsson <andersca@codefactory.se> · efd53eca
      Anders Carlsson authored
      	* bus/Makefile.am:
      	* bus/activation.c: (bus_activation_entry_free),
      	(add_desktop_file_entry), (load_directory), (bus_activation_init):
      	* bus/activation.h:
      	* bus/main.c: (main):
      	Add simple activation support, doesn't work yet though.
      efd53eca
  21. 13 Feb, 2003 1 commit
    • Anders Carlsson's avatar
      2003-02-13 Anders Carlsson <andersca@codefactory.se> · 02dfd4fb
      Anders Carlsson authored
      	* bus/Makefile.am:
      	Add utils.[ch]
      
      	* bus/connection.c: (bus_connection_foreach):
      	Fix a warning.
      
      	* bus/desktop-file.c: (grow_lines_in_section), (grow_sections),
      	(unescape_string), (new_section), (parse_section_start),
      	(parse_key_value), (report_error), (bus_desktop_file_load),
      	(bus_desktop_file_get_string):
      	* bus/desktop-file.h:
      	Use DBusError for error reporting.
      
      	* bus/dispatch.c: (send_one_message),
      	(bus_dispatch_message_handler):
      	* bus/driver.c: (bus_driver_send_service_deleted),
      	(bus_driver_send_service_created), (bus_driver_send_service_lost),
      	(bus_driver_send_service_acquired), (bus_driver_handle_hello),
      	(bus_driver_send_welcome_message),
      	(bus_driver_handle_list_services),
      	(bus_driver_handle_acquire_service),
      	(bus_driver_handle_service_exists):
      	* bus/loop.c: (bus_loop_run):
      	* bus/main.c:
      	Use BUS_HANDLE_OOM instead of _DBUS_HANDLE_OOM.
      
      	* bus/utils.c: (bus_wait_for_memory):
      	* bus/utils.h:
      	New files with general utility functions.
      
      	* dbus/dbus-internals.h:
      	Remove _DBUS_HANDLE_OOM.
      02dfd4fb
  22. 21 Nov, 2002 3 commits
    • Havoc Pennington's avatar
      2002-11-21 Havoc Pennington <hp@redhat.com> · 5a6adeee
      Havoc Pennington authored
      	* dbus/Makefile.am (INCLUDES): define DBUS_COMPILATION
      	so we can allow ourselves to include files directly,
      	instead of having to use dbus.h
      
      	* dbus/dbus.h: fill in
      
      	* dbus/dbus-message.h: sketch out a sample header file.
      	Include griping if you include it directly instead of
      	via dbus.h
      
      	* dbus/dbus-macros.h: new file with macros for extern "C",
      	TRUE/FALSE, NULL, etc.
      
      	* doc/file-boilerplate.c: put include guards in here
      5a6adeee
    • Havoc Pennington's avatar
      2002-11-21 Havoc Pennington <hp@redhat.com> · 89161753
      Havoc Pennington authored
      	* doc/file-boilerplate.c: include both AFL and GPL boilerplate.
      
      	* COPYING: include the GPL as well, and license code
      	under both AFL and GPL.
      89161753
    • Havoc Pennington's avatar
      add file-boilerplate.c · f6343e58
      Havoc Pennington authored
      f6343e58