1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-14 15:21:37 +03:00
Commit Graph

121 Commits

Author SHA1 Message Date
Kay Sievers
1b09f548c7 turn kdbus support into a runtime option
./configure --enable/disable-kdbus can be used to set the default
behavior regarding kdbus.

If no kdbus kernel support is available, dbus-dameon will be used.

With --enable-kdbus, the kernel command line option "kdbus=0" can
be used to disable kdbus.

With --disable-kdbus, the kernel command line option "kdbus=1" is
required to enable kdbus support.
2015-06-17 18:01:49 +02:00
Ronny Chevalier
6482f6269c shared: add formats-util.h 2015-04-10 23:54:48 +02:00
Zbigniew Jędrzejewski-Szmek
c29005212d bus-proxyd: avoid logging oom twice 2015-03-03 10:19:51 -05:00
Thomas Hindoe Paaboel Andersen
2eec67acbb remove unused includes
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use.
2015-02-23 23:53:42 +01:00
Lennart Poettering
5569b33a8c bus-proxy: a few simplifications 2015-02-13 17:18:36 +01:00
Lennart Poettering
95eb099fa8 bus-proxy: close each connection fd only once
After passing the fds over to the sd_bus object, we should forget them,
so that we don't close them a second time when the object goes away.
2015-02-13 17:18:36 +01:00
Thomas Hindoe Paaboel Andersen
0a6f50c0af include <poll.h> instead of <sys/poll.h>
include-what-you-use automatically does this and it makes finding
unnecessary harder to spot. The only content of poll.h is a include
of sys/poll.h so should be harmless.
2015-02-12 20:47:38 +01:00
David Herrmann
d340f82032 bus-proxy: fix bus-uid tracking
We need to implicitly allow HELLO from users with the same uid as the bus.
Fix the bus-uid tracking to use the original uid, not the uid after
privilege-dropping.
2015-01-18 13:07:21 +01:00
David Herrmann
a80a3a7543 bus-proxy: drop privileges if run as root
We cannot use "User=" in unit-files if we want to retain privileges. So
make bus-proxy.c explicitly drop privileges. However, only do that if
we're root, as there is no need to drop it on the user-bus.
2015-01-17 18:27:23 +01:00
David Herrmann
c4bc1a8434 bus-proxy: share policy between threads
This implements a shared policy cache with read-write locks. We no longer
parse the XML policy in each thread.

This will allow us to easily implement ReloadConfig().
2015-01-17 18:27:23 +01:00
David Herrmann
d3394ff47c bus-proxy: set custom thread names
Set thread-names to "p$PIDu$UID" and suffix with '*' if truncated. This
helps debugging bus-proxy issues if we want to figure out which
connections are currently open.
2015-01-17 14:32:58 +01:00
David Herrmann
a8a1a43f48 bus-proxy: turn into multi-threaded daemon
Instead of using Accept=true and running one proxy for each connection, we
now run one proxy-daemon with a thread per connection. This will enable us
to share resources like policies in the future.
2015-01-17 14:00:19 +01:00
David Herrmann
c0395aeb90 bus-proxy: extract proxy into Proxy object
Move all the proxy code into a "struct Proxy" object that can be used
from multiple binaries.

We now dropped SMACK as we have to refactor it to work properly. We can
introduce it later on.
2015-01-17 11:55:14 +01:00
David Herrmann
91fd0103cc bus-proxy: refactor bus-creation
Move local and destination bus creation into a helper function. This
further reduces the line count of main().
2015-01-17 11:55:14 +01:00
Daniel Mack
5e2de0eb1d bus-proxyd: move synthesize_name_acquired()
Move synthesize_name_acquired() to synthesize.c.
2015-01-15 14:10:28 +01:00
Daniel Mack
f3c4724635 bus-proxy: factor out code for driver handling and message synthesis
Move synthesize_*() into synthesize.c and bus_proxy_process_driver() into
driver.c for better code separation.
2015-01-15 14:08:05 +01:00
David Herrmann
b49c7806a3 bus-proxy: print message direction in policy logs
Make sure to print "dbus-1 to kernel" or "kernel to dbus-1" in policy logs
to better diagnose the situation.
2015-01-11 15:27:18 +01:00
David Herrmann
b5cfc2b953 bus-proxy: fix receiver policy on dbus-1 to kdbus signals
If a dbus-1 client sends a broadcasted signal via the bus-proxy to kdbus,
the bus-proxy has no idea who the receiver is. Classic dbus-daemon has
bus-access and can perform policy checks for each receiver, but we cant.
Instead, we know the kernel will perform receiver policy checks for
broadcasts, so we can skip the policy check and just push it into the
kernel.

This fixes wpa_supplicant which has DENY rules on receive_type=signal for
non-root. As we never know the target, we always DENY all broadcasts from
wpa_supplicant.

Note that will still perform receiver-policy checks for signals that we
get from the kernel back to us. In those cases, we know the receiver
(which is us).
2015-01-11 15:14:14 +01:00
David Herrmann
0042d824e3 bus-proxy: fix policy for expected/non-expected reply tags
dbus-1 distinguishes expected and non-expected replies. An expected reply
is a reply that is sent as answer to a previously forwarded method-call
before the timeout fires. Those replies are, by default, forwarded and
DENY policy tags are ignored on them (unless explicitly stated otherwise).

We don't track reply-windows in the bus-proxy as the kernel already does
this. Furthermore, the kernel prohibits any non-expected replies (which
breaks dbus-1, but it was an odd feature, anyway).

Therefore, skip policy checks on replies and always let the kernel deal
with it!

To be correct, we should still process DENY tags marked as
send_expected_reply=true (which is *NOT* the default!). However, so far we
don't parse those attributes, and no-one really uses it, so lets not
implement it for now. It's marked as TODO if anyone feels like fixing it.
2015-01-11 14:18:29 +01:00
Lennart Poettering
d714387ed7 bus-proxy: make sure we have creds when two legacy clients talk to each other 2015-01-09 21:24:37 +01:00
Lennart Poettering
f5886c92ac bus-proxy: dbus-daemon implies that connections from UIDs that are identical to the bus owner should be allowed
Hence, copy this behaviour for bus-proxy too.
2015-01-09 19:25:23 +01:00
David Herrmann
b864535791 bus-proxyd: fix EPERM on replies
Imagine a kdbus peer sending a method-call without EXPECT_REPLY set
through the proxy to a dbus1 peer. The proxy turns the missing
EXPECT_REPLY flag into a dbus1 NO_REPLY_EXPECTED flag. However, if the
receipient ignores that flag (valid dbus1 behavior) and sends a reply, the
proxy will try to forward it to the original peer. This will fail with
EPERM as the kernel didn't track the reply.

We have two options now: Either we ignore EPERM for reply messages, or we
track reply-windows in the proxy so we can properly ignore replies if
EXPECT_REPLY wasn't set.

This commit chose the first option: ignore EPERM for replies. The only
down-side is that replies without matching method call will no longer be
forwarded by the proxy. This works on dbus1, though.
Nobody sane does this, so lets ignore it.
2015-01-08 21:06:14 +01:00
David Herrmann
426bb5ddb8 bus-proxyd: optimize replies if they're not requested
If a caller does not request a reply, dont send it. This skips message
creation and speeds up NO_REPLY_EXPECTED cases. Note that sd-bus still
handles this case internally, but if we handle it in bus-proxyd, we can
skip the whole message creation step.
2015-01-08 20:58:59 +01:00
David Herrmann
9dc41cc597 bus-proxy: augment credentials from /proc for cmdline update
dbus1 does not provide cmdline, so we have to augment our credentials from
/proc to beautify the bus-proxyd cmdline. We dont use this for anything
but beautification, so there shouldn't be any problems due to /proc
pid-recycling races.

This fixes bus-proxyd to no longer display 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
in its cmdline.
2015-01-08 17:46:42 +01:00
Lennart Poettering
210a68826f sd-bus: always catch name requests for the special names "org.freedesktop.DBus" and "org.freedesktop.DBus.Local" and refuse them 2015-01-07 19:32:42 +01:00
Lukasz Skalski
30897dd72b bus-proxyd: don't allow to acquire org.freedesktop.DBus name 2015-01-05 16:02:59 +01:00
Lennart Poettering
146d477367 machined,bus-proxy: fix connecting to containers 2015-01-05 01:40:51 +01:00
Veres Lajos
f131770b14 tree-wide: spelling fixes
https://github.com/vlajos/misspell_fixer

b6fdeb618c
Thanks to Torstein Husebo <torstein@huseboe.net>.
2014-12-30 20:07:04 -05:00
David Herrmann
679bda6a73 bus-proxy: fix sd_bus_reply_*() usage
We *must* not use sd_bus_reply_*() as it does not set the sender field
correctly. Use the synthetic_reply_*() helpers instead!
2014-12-29 15:43:57 +01:00
Lennart Poettering
3c70e3bb02 core: rearrange code so that libsystemd/sd-bus/ does not include header files from core
Stuff in src/shared or src/libsystemd should *never* include code from
src/core or any of the tools, so don't do that here either. It's not OK!
2014-12-23 19:15:27 +01:00
Daniel Mack
3e0a204897 bus-proxyd: ignore errors from sd_bus_creds_get_well_known_names()
sd_bus_creds_get_well_known_names() fails with -ENODATA in case the
message has no names attached, which is intended behavior if the
remote connection didn't own any names at the time of sending.

The function already deals with 'sender_names' being an empty strv,
so we can just continue in such cases.
2014-12-23 18:41:26 +01:00
Daniel Mack
259ac5cd7e bus-proxyd: handle -ESRCH and -ENXIO gracefully
Messages to destinations that are not currently owned by any bus connection
will cause kdbus related function to return with either -ENXIO or -ESRCH.

Such conditions should not make the proxyd terminate but send a sane
SD_BUS_ERROR_NAME_HAS_NO_OWNER error reply to the proxied connection.
2014-12-23 13:41:34 +01:00
Przemyslaw Kedzierski
dd5ae4c36c bus-proxy: cloning smack label
When dbus client connects to systemd-bus-proxyd through
Unix domain socket proxy takes client's smack label and sets for itself.

It is done before and independent of dropping privileges.

The reason of such soluton is fact that tests of access rights
performed by lsm may take place inside kernel, not only
in userspace of recipient of message.

The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label.

In case of systemd running in system mode, CAP_MAC_ADMIN
should be added to CapabilityBoundingSet in service file of bus-proxyd.

In case of systemd running in user mode ('systemd --user')
it can be achieved by addition
Capabilities=cap_mac_admin=i and SecureBits=keep-caps
to user@.service file
and setting cap_mac_admin+ei on bus-proxyd binary.
2014-12-09 18:23:24 +01:00
Lennart Poettering
0aa72be6a0 bus-proxy: fix compat with autostarted services 2014-12-08 23:52:27 +01:00
Lennart Poettering
c9a267b1b7 bus-proxy: don't log bus policy every single time we run 2014-12-02 13:23:04 +01:00
Lennart Poettering
fed1e721fd treewide: introduce UID_INVALID (and friends) as macro for (uid_t) -1 2014-11-28 20:55:04 +01:00
Lennart Poettering
5c3026927d sd-bus: rename sd_bus_get_owner_id() → sd_bus_get_bus_id()
The ID returned really doesn't identify the owner, but the bus instance,
hence fix this misnaming.

Also, update "busctl status" to show the ID in its output.
2014-11-28 20:29:43 +01:00
Michal Schmidt
56f64d9576 treewide: use log_*_errno whenever %m is in the format string
If the format string contains %m, clearly errno must have a meaningful
value, so we might as well use log_*_errno to have ERRNO= logged.

Using:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'

Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:49:27 +01:00
Michal Schmidt
23bbb0de4e treewide: more log_*_errno + return simplifications 2014-11-28 18:24:30 +01:00
Lennart Poettering
2e43ad9ca6 bus-proxy: automatically detect scope of bus and derive which XML snippets to load from that 2014-11-28 16:18:17 +01:00
Lennart Poettering
e3afaf6b8e sd-bus: rename default bus address constants, they aren't "paths" but "addresses" 2014-11-28 16:17:33 +01:00
Lennart Poettering
52cfc0379a sd-bus: rework credential query logic
Also, make the call to free kdbus slices generic and use it everywhere
2014-11-28 16:17:33 +01:00
Michal Schmidt
da927ba997 treewide: no need to negate errno for log_*_errno()
It corrrectly handles both positive and negative errno values.
2014-11-28 13:29:21 +01:00
Michal Schmidt
0a1beeb642 treewide: auto-convert the simple cases to log_*_errno()
As a followup to 086891e5c1 "log: add an "error" parameter to all
low-level logging calls and intrdouce log_error_errno() as log calls
that take error numbers", use sed to convert the simple cases to use
the new macros:

find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'

Multi-line log_*() invocations are not covered.
And we also should add log_unit_*_errno().
2014-11-28 12:04:41 +01:00
Lennart Poettering
78f9b196ab bus-proxy: beef up policy enforcement
- actually return permission errors to clients

- use the right ucreds field

- fix error paths when we cannot keep track of locally acquired names
  due to OOM

- avoid unnecessary global variables

- log when the policy denies access

- enforce correct policy rule order

- always request all the metadata its we need to make decisions
2014-11-27 22:02:12 +01:00
Lennart Poettering
64e96a194d bus-proxy: check passed parameter signature of all driver method calls 2014-11-27 21:58:07 +01:00
Lennart Poettering
705a415f68 sd-bus: update to current kernel version, by splitting off the extended KDBUS_ITEM_PIDS structure from KDBUS_ITEM_CREDS
Also:

- adds support for euid, suid, fsuid, egid, sgid, fsgid fields.

- makes augmentation of creds with data from /proc explicitly
  controllable to give apps better control over this, given that this is
  racy.

- enables augmentation for kdbus connections (previously we only did it
  for dbus1). This is useful since with recent kdbus versions it is
  possible for clients to control the metadata they want to send.

- changes sd_bus_query_sender_privilege() to take the euid of the client
  into consideration, if known

- when we don't have permissions to read augmentation data from /proc,
  don't fail, just don't add the data in
2014-11-25 14:28:34 +01:00
Lennart Poettering
e341912313 bus-proxy: avoid redundant name validity checks
Our API calls check the validity of bus names anyway, hence we don't
have to do this before calling them...
2014-11-14 20:06:20 +01:00
Lennart Poettering
49d4b1eecf bus-proxy: drop broken access check in driver
The access check call was broken (as it tried to read a service name
from the UpdateActivationEnvironment() method call which doesn't carry
any). Also, it's unnecessary to make any access checks here, as we just
forward the call to PID 1 which should do the access checks necessary.
2014-11-14 18:47:59 +01:00
Daniel Mack
c1ec25a063 bus-proxyd: temporarily disable policy checks again
There are issues to investigate on with policies shipped by some
packages, which we'll address later. Move that topic out of the
way for now to bring sd-bus in sync with upstream kdbus.
2014-11-13 20:41:51 +01:00