IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The lovely libvirtd goes into crazy mode if it receives broadcasts that
it didn't subscribe to. With bus-proxyd, this might happen in 2 cases:
1) The kernel passes us an unmatched signal due to a false-positive
bloom-match.
2) We generate NameOwnerChanged/NameAcquired/NameLost locally even
though the peer didn't subscribe to it.
dbus-daemon is reliable in what signals it passes on. So make sure we
follow that style. Never ever send a signal to a local peer if it doesn't
match an installed filter of that peer.
sd_bus_flush_close_unref() is a call that simply combines sd_bus_flush()
(which writes all unwritten messages out) + sd_bus_close() (which
terminates the connection, releasing all unread messages) +
sd_bus_unref() (which frees the connection).
The combination of this call is used pretty frequently in systemd tools
right before exiting, and should also be relevant for most external
clients, and is hence useful to cover in a call of its own.
Previously the combination of the three calls was already done in the
_cleanup_bus_close_unref_ macro, but this was only available internally.
Also see #327
Unlike dbus-daemon, the bus-proxy does not know the receiver of a
broadcast (as the kernel has exclusive access on the bus connections).
Hence, and "destination=" matches in dbus1 policies cannot be applied.
But kdbus does not place any restrictions on *SENDING* broadcasts, anyway.
The kernel never returns EPERM to KDBUS_CMD_SEND if KDBUS_MSG_SIGNAL is
set. Instead, receiver policies are checked. Hence, stop checking sender
policies for signals in bus-proxy and leave it up to the kernel.
This fixes some network-manager bus-proxy issues where NM uses weird
dst-based matches against interface-based matches. As we cannot perform
dst-based matches, our bus-proxy cannot properly implement this policy.
./configure --enable/disable-kdbus can be used to set the default
behavior regarding kdbus.
If no kdbus kernel support is available, dbus-dameon will be used.
With --enable-kdbus, the kernel command line option "kdbus=0" can
be used to disable kdbus.
With --disable-kdbus, the kernel command line option "kdbus=1" is
required to enable kdbus support.
If the local peer does not dispatch its incoming queue, the bus-proxy will
slowly fill its outgoing queue. Once its full, it will continously
complain that it cannot forward its messages.
As it turns out, pulseaudio does have an idle background dbus connection
that is not integrated into any mainloop (and given that gdbus and
libdbus1 both support background shared connections, PA is probably not
the only example), therefore, the bus-proxy will loudly complain if it
cannot forward NameOwnerChanged events once the queue is full.
This commit makes the proxy track queue-state and complain only once the
queue runs full, not if it is already full.
A PA bug-report (and patch) has been filed, and other applications should
be fixed similarly. Hence, lets keep the error message, instead of
dropping it. It's unused resources we really want to get rid of, so
silencing the message does not really help (which is actually what
dbus-daemon does).
GetConnectionCredentials method was added to dbus-1 specification
more than one year ago. This method should return "[...] as many
credentials as possible for the process connected to the server",
but at this moment only "UnixUserID", "LinuxSecurityLabel" and
"ProcessID" are defined by the specification. We should add support
for next credentials after extending dbus-1 spec.
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use.
If we cannot forward messages, include information on the peer and message
just like the xml-policy does. This helps debugging such situations and
figuring out what exactly is going wrong.
UDS sockets transmit EUID+EGID only. Don't try to fake data we don't know!
Otherwise, this might be used to override user-limits by non-root setuid
programs (by faking UID==EUID).
Now that sd-bus is fixed to always use EUID even on UDS, we can safely set
all other UID/GID fields to INVALID.
Sometimes, when we try to reply to messages we don't check return
values. This means we might miss a ECONNRESET, and will get a ENOTCONN
on next command. Treat both the same hence.
Errors like EPERM from the kernel should certainly not be reason to
exit. Let's try to be defensive here, and try to continue on most send
errors, but possibly tell the sender about it.
include-what-you-use automatically does this and it makes finding
unnecessary harder to spot. The only content of poll.h is a include
of sys/poll.h so should be harmless.
While it's a lovely scenario, it's probably not really useful. Fix our
GetConnectionUnixUser() to return the actual 'euid' which we asked for,
not the possible uninitialized 'uid'.
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
Make sure we tell the kernel to fake all UIDs/GIDs. Otherwise, the remote
side has no chance of querying our effective UID (which is usually what
they're interested in).
We need to implicitly allow HELLO from users with the same uid as the bus.
Fix the bus-uid tracking to use the original uid, not the uid after
privilege-dropping.
If we test the policy against multiple destination names, we really should
not print warnings if one of the names results in DENY. Instead, pass the
whole array of names to the policy and let it deal with it.
We cannot use "User=" in unit-files if we want to retain privileges. So
make bus-proxy.c explicitly drop privileges. However, only do that if
we're root, as there is no need to drop it on the user-bus.
This implements a shared policy cache with read-write locks. We no longer
parse the XML policy in each thread.
This will allow us to easily implement ReloadConfig().
Set thread-names to "p$PIDu$UID" and suffix with '*' if truncated. This
helps debugging bus-proxy issues if we want to figure out which
connections are currently open.
Instead of using Accept=true and running one proxy for each connection, we
now run one proxy-daemon with a thread per connection. This will enable us
to share resources like policies in the future.
Move all the proxy code into a "struct Proxy" object that can be used
from multiple binaries.
We now dropped SMACK as we have to refactor it to work properly. We can
introduce it later on.
The 'at_console' policy-category allows to apply policy-items to clients
depending on whether they're run from within a valid user-session or not.
We use sd_uid_get_seats() to check whether a user has a valid seat (which
excludes remote-sessions like ssh).
