path: root/src/bus-proxyd/bus-proxyd.c
Age | Commit message | Author
2014-12-09 | bus-proxy: cloning smack label | Przemyslaw Kedzierski
When a dbus client connects to systemd-bus-proxyd through a Unix domain socket, the proxy takes the client's smack label and sets it for itself. It is done before and independent of dropping privileges. The reason for such a solution is the fact that tests of access rights performed by lsm may take place inside the kernel, not only in userspace of the recipient of the message. The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label. In case of systemd running in system mode, CAP_MAC_ADMIN should be added to CapabilityBoundingSet in the service file of bus-proxyd. In case of systemd running in user mode ('systemd --user') it can be achieved by adding Capabilities=cap_mac_admin=i and SecureBits=keep-caps to the user@.service file and setting cap_mac_admin+ei on the bus-proxyd binary.
2014-12-08 | bus-proxy: fix compat with autostarted services | Lennart Poettering
2014-12-02 | bus-proxy: don't log bus policy every single time we run | Lennart Poettering
2014-11-28 | treewide: introduce UID_INVALID (and friends) as macro for (uid_t) -1 | Lennart Poettering
2014-11-28 | sd-bus: rename sd_bus_get_owner_id() → sd_bus_get_bus_id() | Lennart Poettering
The ID returned really doesn't identify the owner, but the bus instance, hence fix this misnaming. Also, update "busctl status" to show the ID in its output.
2014-11-28 | treewide: use log_*_errno whenever %m is in the format string | Michal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using:
    find . -name '*.[ch]' | xargs sed -r -i -e \
    's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'
Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 | treewide: more log_*_errno + return simplifications | Michal Schmidt
2014-11-28 | bus-proxy: automatically detect scope of bus and derive which XML snippets to load from that | Lennart Poettering
2014-11-28 | sd-bus: rename default bus address constants, they aren't "paths" but "addresses" | Lennart Poettering
2014-11-28 | sd-bus: rework credential query logic | Lennart Poettering
Also, make the call to free kdbus slices generic and use it everywhere
2014-11-28 | treewide: no need to negate errno for log_*_errno() | Michal Schmidt
It correctly handles both positive and negative errno values.
2014-11-28 | treewide: auto-convert the simple cases to log_*_errno() | Michal Schmidt
As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and introduce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros:
    find . -name '*.[ch]' | xargs sed -r -i -e \
    's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'
Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().
2014-11-27 | bus-proxy: beef up policy enforcement | Lennart Poettering
- actually return permission errors to clients
- use the right ucreds field
- fix error paths when we cannot keep track of locally acquired names due to OOM
- avoid unnecessary global variables
- log when the policy denies access
- enforce correct policy rule order
- always request all the metadata we need to make decisions
2014-11-27 | bus-proxy: check passed parameter signature of all driver method calls | Lennart Poettering
2014-11-25 | sd-bus: update to current kernel version, by splitting off the extended KDBUS_ITEM_PIDS structure from KDBUS_ITEM_CREDS | Lennart Poettering
Also:
- adds support for euid, suid, fsuid, egid, sgid, fsgid fields.
- makes augmentation of creds with data from /proc explicitly controllable to give apps better control over this, given that this is racy.
- enables augmentation for kdbus connections (previously we only did it for dbus1). This is useful since with recent kdbus versions it is possible for clients to control the metadata they want to send.
- changes sd_bus_query_sender_privilege() to take the euid of the client into consideration, if known
- when we don't have permissions to read augmentation data from /proc, don't fail, just don't add the data in
2014-11-14 | bus-proxy: avoid redundant name validity checks | Lennart Poettering
Our API calls check the validity of bus names anyway, hence we don't have to do this before calling them...
2014-11-14 | bus-proxy: drop broken access check in driver | Lennart Poettering
The access check call was broken (as it tried to read a service name from the UpdateActivationEnvironment() method call which doesn't carry any). Also, it's unnecessary to make any access checks here, as we just forward the call to PID 1 which should do the access checks necessary.
2014-11-13 | bus-proxyd: temporarily disable policy checks again | Daniel Mack
There are issues to investigate on with policies shipped by some packages, which we'll address later. Move that topic out of the way for now to bring sd-bus in sync with upstream kdbus.
2014-11-11 | bus-proxyd: explicitly address messages to unique and well-known name | Daniel Mack
In order to check for matching policy entries at message transfers, we have to consider the following:
* check the currently owned names of both the sending and the receiving peer. If the sending peer is connected via kdbus, the currently owned names are already attached to the message. If it was originated by the connection we're proxying for, we store the owned names in our own strv so we can check against them.
* Walk the list of names to check which name would allow the message to pass, and explicitly use that name as destination of the message. If the destination is on kdbus, store both the connection's unique name and the chosen well-known-name in the message. That way, the kernel will make sure the supplied name is owned by the supplied unique name, at the time of sending, and return -EREMCHG otherwise.
* Make the policy checks optional by retrieving the bus owner creds, and when the uid matches the current user's uid and is non-null, don't check the bus policy.
2014-11-11 | Revert "bus-proxyd: make policy checks optional" | Michal Schmidt
This reverts commit 5bb24cccbce846c0d77e71b70a3be7f4b2ba6c0e. It does not even compile (unbalanced {)
2014-11-11 | bus-proxyd: make policy checks optional | Daniel Mack
Retrieve the bus owner creds, and when the uid matches the current user's uid and is non-null, don't check the bus policy.
2014-11-11 | bus-proxyd: move name list iteration to policy users | Daniel Mack
We need to figure out which of the possible names satisfied the policy, so we cannot do the iteration in check_policy_item() but have to leave it to the users. Test cases amended accordingly.
2014-11-11 | bus-proxyd: enforce policy for method calls | Daniel Mack
2014-11-11 | bus-proxyd: enforce policy for name ownership | Daniel Mack
2014-11-11 | bus-proxyd: enforce policy for Hello messages | Daniel Mack
2014-11-11 | bus-proxyd: keep track of names acquired by legacy client | Daniel Mack
Store names successfully acquired by the legacy client into a hashmap. We need to take these names into account when checking for send policies.
2014-11-04 | sd-bus: rename sd_bus_get_server_id() to sd_bus_get_owner_id() | Lennart Poettering
In kdbus a "server id" is mostly a misnomer, as there isn't any "server" involved anymore. Let's rename this to "owner" id hence, since it is an ID that is picked by the owner of a bus or direct connection. This matches nicely the sd_bus_get_owner_creds() call we already have.
2014-11-04 | sd-bus: rename "connection name" to "description" for the sd-bus API too | Lennart Poettering
kdbus recently renamed this concept, and so should we in what we expose in userspace.
2014-11-04 | sd-bus: sync kdbus.h (ABI break) | Daniel Mack
Catch up with some changes in kdbus.h:
* KDBUS_{ITEM,ATTACH}_CONN_NAME were renamed to KDBUS_{ITEM,ATTACH}_CONN_DESCRIPTION, so the term 'name' is not overloaded as much.
* The item types were re-ordered a little so they are lined up to the order of the corresponding KDBUS_ATTACH flags
* A new item type KDBUS_ITEM_OWNED_NAME was introduced, designated to store a struct kdbus_name in item->name. KDBUS_ITEM_NAME solely stores data in item->str now
* Some kerneldoc fixes
2014-10-24 | bus-proxy: it's OK if getpeercred doesn't work | Lennart Poettering
We should use the data if we can (if stdin/stdout is an AF_UNIX socket), but still work if we can't (if stdin/stdout are pipes, like in the SSH case). This effectively reverts 55534fb5e4742b0db9ae5e1e0202c53804147697
2014-10-22 | sd-bus: rename sd_bus_get_owner_uid(), sd_bus_get_owner_machine_id() and sd_bus_get_peer_creds() | Daniel Mack
Clean up the function namespace by renaming the following:
    sd_bus_get_owner_uid() → sd_bus_get_name_creds_uid()
    sd_bus_get_owner_machine_id() → sd_bus_get_name_machine_id()
    sd_bus_get_peer_creds() → sd_bus_get_owner_creds()
2014-10-21 | sd-bus: sync kdbus.h (ABI break) | Daniel Mack
In kdbus.h, the following details changed:
* All commands gained a 'kernel_flags' field to report the flags supported by the driver. Before, this was done in the 'flags' field in a bidirectional way, which turned out to be a problem for the code in sd-bus, as many parts of it reuse the same ioctl struct more than once and consider them to be owned by userspace.
* Name listings are now returned by a new struct instead of reusing struct kdbus_cmd_name for that matter. This way, we don't add more unneeded fields to it and make the API cleaner.
* 'conn_flags' was renamed to 'flags' in struct kdbus_cmd_hello to make the API a bit more unified.
2014-10-20 | bus-proxy: let's make use of the translated errors get_creds_by_name() provides us with | Lennart Poettering
2014-10-20 | Revert "bus-proxyd: improve compatibility with dbus-1" | Lennart Poettering
This reverts commit b0f84d4d7832659f2216bda7a7cdf51f5e79c6eb. get_creds_by_name() already translates the error nicely, we just need to make use of it.
2014-10-15 | bus-proxyd: add missing flag translation for RequestName | Lukasz Skalski
2014-10-14 | bus-proxyd: improve compatibility with dbus-1 | Lukasz Skalski
'GetConnectionUnixProcessID', 'GetConnectionUnixUser' and 'GetConnectionSELinuxSecurityContext' methods should return 'NameHasNoOwner' error (if chosen name is not available on bus) with more detailed description - like dbus-1:
    Could not get PID of name 'org.freedesktop.test': no such name.
    Could not get UID of name 'org.freedesktop.test': no such name.
    Could not get security context of name 'org.freedesktop.test': no such name.
Otherwise we have only laconic message without proper dbus error:
    Error System.Error.ENXIO: No such device or address
2014-10-10 | bus-proxyd: fix compatibility with old dbus-1 | Lukasz Skalski
'ListQueuedOwners' method should return 'NameHasNoOwner' error if chosen name is not available on bus.
2014-10-09 | bus-proxy: allow getpeersec() to fail | Daniel Mack
getpeersec() will fail for non-SELinux enabled machines, so don't make that a hard error.
2014-10-07 | bus-proxyd: check return values of getpeercred() and getpeersec() | Daniel Mack
If we can't get the remote peer or security creds, bail out. Spotted by coverity.
2014-10-06 | sd-bus: sync kdbus.h (ABI break) | Daniel Mack
The KDBUS_CMD_FREE ioctl now uses a struct rather than a direct pointer to the offset to free. The KDBUS_CMD_MSG_CANCEL ioctl has also changed, but there's no user of it yet in systemd.
2014-10-01 | Remove repeated includes | Thomas Hindoe Paaboel Andersen
In pty.c there was both an include of our pty.h and the system installed pty.h. The latter contains only two functions openpty and forkpty. We use neither so I assume it was a typo and removed it. We still compile and pass all tests.
2014-09-25 | bus-proxyd: add some asserts | Tom Gundersen
Both as documentation, and to make Coverity happy. Fixes CID #1241495 and #1241496.
2014-09-22 | sd-bus: sync kdbus.h (API+ABI break) | Daniel Mack
The kdbus logic name registry logic was changed to transport the actual name to acquire, release or report in a kdbus item. This brings the name API a little more in line with other calls, and allows for later augmentation. Follow that change on the systemd side.
2014-08-21 | notify: send STOPPING=1 from our daemons | Lennart Poettering
2014-08-05 | bus-proxy: service_name_is_valid will never be < 0 | Thomas Hindoe Paaboel Andersen
2014-08-04 | bus: always explicitly close bus from main programs | Lennart Poettering
Since b5eca3a2059f9399d1dc52cbcf9698674c4b1cf0 we don't attempt to GC busses anymore when unsent messages remain that keep their reference, when they otherwise are not referenced anymore. This means that if we explicitly want connections to go away, we need to close them. With this change we will now do so explicitly wherever we connect to the bus from a main program (and thus know when the bus connection should go away), or when we create a private bus connection, that really should go away after our use. This fixes connection leaks in the NSS and PAM modules.
2014-08-03 | Unify parse_argv style | Zbigniew Jędrzejewski-Szmek
getopt is usually good at printing out a nice error message when commandline options are invalid. It distinguishes between an unknown option and a known option with a missing arg. It is better to let it do its job and not use opterr=0 unless we actually want to suppress messages. So remove opterr=0 in the few places where it wasn't really useful. When an error in options is encountered, we should not print a lengthy help() and overwhelm the user, when we know precisely what is wrong with the commandline. In addition, since help() prints to stdout, it should not be used except when requested with -h or --help. Also, simplify things here and there.
2014-07-25 | bus-proxyd: fix incorrect comparison | Lukas Nykryn
We should be interested in k variable.
2014-07-25 | bus-proxyd: fix incorrect comparison | Lukas Nykryn
Err can't be bigger than zero. Rest of the code uses negative Exxxx values.
2014-07-03 | sd-bus: support connecting to remote hosts, directly into containers | Lennart Poettering
systemctl -H root@foobar:waldi will now show a list of services running on container "waldi" on host "foobar", using "root" for authenticating at "foobar". Since entering a container requires privileges, this will only work correctly for root logins.