summaryrefslogtreecommitdiff
path: root/src/bus-proxyd
AgeCommit message (Collapse)Author
2015-01-08bus-proxyd: fix EPERM on repliesDavid Herrmann
Imagine a kdbus peer sending a method-call without EXPECT_REPLY set through the proxy to a dbus1 peer. The proxy turns the missing EXPECT_REPLY flag into a dbus1 NO_REPLY_EXPECTED flag. However, if the receipient ignores that flag (valid dbus1 behavior) and sends a reply, the proxy will try to forward it to the original peer. This will fail with EPERM as the kernel didn't track the reply. We have two options now: Either we ignore EPERM for reply messages, or we track reply-windows in the proxy so we can properly ignore replies if EXPECT_REPLY wasn't set. This commit chose the first option: ignore EPERM for replies. The only down-side is that replies without matching method call will no longer be forwarded by the proxy. This works on dbus1, though. Nobody sane does this, so lets ignore it.
2015-01-08bus-proxyd: optimize replies if they're not requestedDavid Herrmann
If a caller does not request a reply, dont send it. This skips message creation and speeds up NO_REPLY_EXPECTED cases. Note that sd-bus still handles this case internally, but if we handle it in bus-proxyd, we can skip the whole message creation step.
2015-01-08bus-proxy: augment credentials from /proc for cmdline updateDavid Herrmann
dbus1 does not provide cmdline, so we have to augment our credentials from /proc to beautify the bus-proxyd cmdline. We dont use this for anything but beautification, so there shouldn't be any problems due to /proc pid-recycling races. This fixes bus-proxyd to no longer display 'xxxxxxxxxxxxxxxxxxxxxxxxxxx' in its cmdline.
2015-01-07sd-bus: always catch name requests for the special names ↵Lennart Poettering
"org.freedesktop.DBus" and "org.freedesktop.DBus.Local" and refuse them
2015-01-05bus-proxyd: don't allow to acquire org.freedesktop.DBus nameLukasz Skalski
2015-01-05machined,bus-proxy: fix connecting to containersLennart Poettering
2014-12-30tree-wide: spelling fixesVeres Lajos
https://github.com/vlajos/misspell_fixer https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa Thanks to Torstein Husebo <torstein@huseboe.net>.
2014-12-29bus-proxy: fix sd_bus_reply_*() usageDavid Herrmann
We *must* not use sd_bus_reply_*() as it does not set the sender field correctly. Use the synthetic_reply_*() helpers instead!
2014-12-23core: rearrange code so that libsystemd/sd-bus/ does not include header ↵Lennart Poettering
files from core Stuff in src/shared or src/libsystemd should *never* include code from src/core or any of the tools, so don't do that here either. It's not OK!
2014-12-23bus-proxyd: ignore errors from sd_bus_creds_get_well_known_names()Daniel Mack
sd_bus_creds_get_well_known_names() fails with -ENODATA in case the message has no names attached, which is intended behavior if the remote connection didn't own any names at the time of sending. The function already deals with 'sender_names' being an empty strv, so we can just continue in such cases.
2014-12-23bus-proxyd: handle -ESRCH and -ENXIO gracefullyDaniel Mack
Messages to destinations that are not currently owned by any bus connection will cause kdbus related function to return with either -ENXIO or -ESRCH. Such conditions should not make the proxyd terminate but send a sane SD_BUS_ERROR_NAME_HAS_NO_OWNER error reply to the proxied connection.
2014-12-09bus-proxy: cloning smack labelPrzemyslaw Kedzierski
When dbus client connects to systemd-bus-proxyd through Unix domain socket proxy takes client's smack label and sets for itself. It is done before and independent of dropping privileges. The reason of such soluton is fact that tests of access rights performed by lsm may take place inside kernel, not only in userspace of recipient of message. The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label. In case of systemd running in system mode, CAP_MAC_ADMIN should be added to CapabilityBoundingSet in service file of bus-proxyd. In case of systemd running in user mode ('systemd --user') it can be achieved by addition Capabilities=cap_mac_admin=i and SecureBits=keep-caps to user@.service file and setting cap_mac_admin+ei on bus-proxyd binary.
2014-12-08bus-proxy: fix compat with autostarted servicesLennart Poettering
2014-12-02bus-proxy: don't log bus policy every single time we runLennart Poettering
2014-11-28treewide: introduce UID_INVALID (and friends) as macro for (uid_t) -1Lennart Poettering
2014-11-28sd-bus: rename sd_bus_get_owner_id() → sd_bus_get_bus_id()Lennart Poettering
The ID returned really doesn't identify the owner, but the bus instance, hence fix this misnaming. Also, update "busctl status" to show the ID in its output.
2014-11-28treewide: use log_*_errno whenever %m is in the format stringMichal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28treewide: more log_*_errno + return simplificationsMichal Schmidt
2014-11-28bus-proxy: automatically detect scope of bus and derive which XML snippets ↵Lennart Poettering
to load from that
2014-11-28sd-bus: rename default bus address constants, they aren't "paths" but ↵Lennart Poettering
"addresses"
2014-11-28sd-bus: rework credential query logicLennart Poettering
Also, make the call to free kdbus slices generic and use it everywhere
2014-11-28treewide: no need to negate errno for log_*_errno()Michal Schmidt
It corrrectly handles both positive and negative errno values.
2014-11-28treewide: auto-convert the simple cases to log_*_errno()Michal Schmidt
As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().
2014-11-27bus-proxy: beef up policy enforcementLennart Poettering
- actually return permission errors to clients - use the right ucreds field - fix error paths when we cannot keep track of locally acquired names due to OOM - avoid unnecessary global variables - log when the policy denies access - enforce correct policy rule order - always request all the metadata its we need to make decisions
2014-11-27bus-proxy: check passed parameter signature of all driver method callsLennart Poettering
2014-11-26bus-policy: actually test messages against the newly added test.confLennart Poettering
2014-11-26bus-policy: also add in other bus policy tests from dbus1Lennart Poettering
dbus1 only checks if these files parse correctly so let's do the same for now.
2014-11-26bus-policy: steal a test case for prefix ownership from dbus1, and make sure ↵Lennart Poettering
it passes with the bus proxy enforcement
2014-11-25sd-bus: update to current kernel version, by splitting off the extended ↵Lennart Poettering
KDBUS_ITEM_PIDS structure from KDBUS_ITEM_CREDS Also: - adds support for euid, suid, fsuid, egid, sgid, fsgid fields. - makes augmentation of creds with data from /proc explicitly controllable to give apps better control over this, given that this is racy. - enables augmentation for kdbus connections (previously we only did it for dbus1). This is useful since with recent kdbus versions it is possible for clients to control the metadata they want to send. - changes sd_bus_query_sender_privilege() to take the euid of the client into consideration, if known - when we don't have permissions to read augmentation data from /proc, don't fail, just don't add the data in
2014-11-14bus-proxy: avoid redundant name validity checksLennart Poettering
Our API calls check the validity of bus names anyway, hence we don't have to do this before calling them...
2014-11-14bus-proxy: properly check for bus name prefixes when enforcing policyLennart Poettering
2014-11-14bus-proxy: drop broken access check in driverLennart Poettering
The access check call was broken (as it tried to read a service name from the UpdateActivationEnvironment() method call which doesn't carry any). Also, it's unnecessary to make any access checks here, as we just forward the call to PID 1 which should do the access checks necessary.
2014-11-13bus-proxyd: temporarily disable policy checks againDaniel Mack
There are issues to investigate on with policies shipped by some packages, which we'll address later. Move that topic out of the way for now to bring sd-bus in sync with upstream kdbus.
2014-11-11bus-proxyd: explicitly address messages to unique and well-known nameDaniel Mack
In order to check for matching policy entries at message transfers, we have to consider the following: * check the currently owned names of both the sending and the receiving peer. If the sending peer is connected via kdbus, the currently owned names are already attached to the message. If it was originated by the connection we're proxying for, we store the owned names in our own strv so we can check against them. * Walk the list of names to check which name would allow the message to pass, and explicitly use that name as destination of the message. If the destination is on kdbus, store both the connection's unique name and the chosen well-known-name in the message. That way, the kernel will make sure the supplied name is owned by the supplied unique name, at the time of sending, and return -EREMCHG otherwise. * Make the policy checks optional by retrieving the bus owner creds, and when the uid matches the current user's uid and is non-null, don't check the bus policy.
2014-11-11Revert "bus-proxyd: make policy checks optional"Michal Schmidt
This reverts commit 5bb24cccbce846c0d77e71b70a3be7f4b2ba6c0e. It does not even compile (unbalanced {)
2014-11-11bus-proxyd: make policy checks optionalDaniel Mack
Retrieve the bus owner creds, and when the uid matches the current user's uid and is non-null, don't check the bus policy.
2014-11-11bus-proxyd: move name list iteration to policy usersDaniel Mack
We need to figure out which of the possible names satisfied the policy, so we cannot do the iteration in check_policy_item() but have to leave it to the users. Test cases amended accordingly.
2014-11-11bus-proxyd: enforce policy for method callsDaniel Mack
2014-11-11bus-proxyd: enforce policy for name ownershipDaniel Mack
2014-11-11bus-proxyd: enforce policy for Hello messagesDaniel Mack
2014-11-11bus-proxyd: keep track of names acquired by legacy clientDaniel Mack
Store names successfully acquired by the legacy client into a hashmap. We need to take these names into account when checking for send policies.
2014-11-04sd-bus: rename sd_bus_get_server_id() to sd_bus_get_owner_id()Lennart Poettering
In kdbus a "server id" is mostly a misnomer, as there isn't any "server" involved anymore. Let's rename this to "owner" id hence, since it is an ID that is picked by the owner of a bus or direct connection. This matches nicely the sd_bus_get_owner_creds() call we already have.
2014-11-04sd-bus: rename "connection name" to "description" for the sd-bus API tooLennart Poettering
kdbus recently renamed this concept, and so should we in what we expose in userspace.
2014-11-04sd-bus: sync kdbus.h (ABI break)Daniel Mack
Catch up with some changes in kdbus.h: * KDBUS_{ITEM,ATTACH}_CONN_NAME were renamed to KDBUS_{ITEM,ATTACH}_CONN_DESCRIPTION, so the term 'name' is not overloaded as much. * The item types were re-ordered a little so they are lined up to the order of the corresponding KDBUS_ATTACH flags * A new item type KDBUS_ITEM_OWNED_NAME was introduced, designated to store a struct kdbus_name in item->name. KDBUS_ITEM_NAME soley stores data in item->str now * Some kerneldoc fixes
2014-10-24bus-proxy: it's OK if getpeercred doesn't workLennart Poettering
We should use the data if we can (if stdin/stdout is an AF_UNIX socket), but still work if we can't (if stdin/stdout are pipes, like in the SSH case). This effectively reverts 55534fb5e4742b0db9ae5e1e0202c53804147697
2014-10-22sd-bus: rename sd_bus_get_owner_uid(), sd_bus_get_owner_machine_id() and ↵Daniel Mack
sd_bus_get_peer_creds() Clean up the function namespace by renaming the following: sd_bus_get_owner_uid() → sd_bus_get_name_creds_uid() sd_bus_get_owner_machine_id() → sd_bus_get_name_machine_id() sd_bus_get_peer_creds() → sd_bus_get_owner_creds()
2014-10-21sd-bus: sync kdbus.h (ABI break)Daniel Mack
In kdbus.h, the following details changed: * All commands gained a 'kernel_flags' field to report the flags supported by the driver. Before, this was done in the 'flags' field in a bidirectional way, which turned out to be a problem for the code in sd-bus, as many parts of it reuse the same ioctl struct more than once and consider them to be owned by userspace. * Name listings are now returned by a new struct instead of reusing struct kdbus_cmd_name for that matter. This way, we don't add more unneeded fields to it and make the API cleaner. * 'conn_flags' was renamed to 'flags' in struct kdbus_cmd_hello to make the API a bit more unified.
2014-10-20bus-proxy: let's make use of the translated errors get_creds_by_name() ↵Lennart Poettering
provides us with
2014-10-20Revert "bus-proxyd: improve compatibility with dbus-1"Lennart Poettering
This reverts commit b0f84d4d7832659f2216bda7a7cdf51f5e79c6eb. get_creds_by_name() already translate the error nicely, we just need to make use of it.
2014-10-15bus-proxyd: add missing flag translation for RequestNameLukasz Skalski