summaryrefslogtreecommitdiff
path: root/src/bus-proxyd
AgeCommit message (Collapse)Author
2014-11-27bus-proxy: beef up policy enforcementLennart Poettering
- actually return permission errors to clients - use the right ucreds field - fix error paths when we cannot keep track of locally acquired names due to OOM - avoid unnecessary global variables - log when the policy denies access - enforce correct policy rule order - always request all the metadata its we need to make decisions
2014-11-27bus-proxy: check passed parameter signature of all driver method callsLennart Poettering
2014-11-26bus-policy: actually test messages against the newly added test.confLennart Poettering
2014-11-26bus-policy: also add in other bus policy tests from dbus1Lennart Poettering
dbus1 only checks if these files parse correctly so let's do the same for now.
2014-11-26bus-policy: steal a test case for prefix ownership from dbus1, and make sure ↵Lennart Poettering
it passes with the bus proxy enforcement
2014-11-25sd-bus: update to current kernel version, by splitting off the extended ↵Lennart Poettering
KDBUS_ITEM_PIDS structure from KDBUS_ITEM_CREDS Also: - adds support for euid, suid, fsuid, egid, sgid, fsgid fields. - makes augmentation of creds with data from /proc explicitly controllable to give apps better control over this, given that this is racy. - enables augmentation for kdbus connections (previously we only did it for dbus1). This is useful since with recent kdbus versions it is possible for clients to control the metadata they want to send. - changes sd_bus_query_sender_privilege() to take the euid of the client into consideration, if known - when we don't have permissions to read augmentation data from /proc, don't fail, just don't add the data in
2014-11-14bus-proxy: avoid redundant name validity checksLennart Poettering
Our API calls check the validity of bus names anyway, hence we don't have to do this before calling them...
2014-11-14bus-proxy: properly check for bus name prefixes when enforcing policyLennart Poettering
2014-11-14bus-proxy: drop broken access check in driverLennart Poettering
The access check call was broken (as it tried to read a service name from the UpdateActivationEnvironment() method call which doesn't carry any). Also, it's unnecessary to make any access checks here, as we just forward the call to PID 1 which should do the access checks necessary.
2014-11-13bus-proxyd: temporarily disable policy checks againDaniel Mack
There are issues to investigate on with policies shipped by some packages, which we'll address later. Move that topic out of the way for now to bring sd-bus in sync with upstream kdbus.
2014-11-11bus-proxyd: explicitly address messages to unique and well-known nameDaniel Mack
In order to check for matching policy entries at message transfers, we have to consider the following: * check the currently owned names of both the sending and the receiving peer. If the sending peer is connected via kdbus, the currently owned names are already attached to the message. If it was originated by the connection we're proxying for, we store the owned names in our own strv so we can check against them. * Walk the list of names to check which name would allow the message to pass, and explicitly use that name as destination of the message. If the destination is on kdbus, store both the connection's unique name and the chosen well-known-name in the message. That way, the kernel will make sure the supplied name is owned by the supplied unique name, at the time of sending, and return -EREMCHG otherwise. * Make the policy checks optional by retrieving the bus owner creds, and when the uid matches the current user's uid and is non-null, don't check the bus policy.
2014-11-11Revert "bus-proxyd: make policy checks optional"Michal Schmidt
This reverts commit 5bb24cccbce846c0d77e71b70a3be7f4b2ba6c0e. It does not even compile (unbalanced {)
2014-11-11bus-proxyd: make policy checks optionalDaniel Mack
Retrieve the bus owner creds, and when the uid matches the current user's uid and is non-null, don't check the bus policy.
2014-11-11bus-proxyd: move name list iteration to policy usersDaniel Mack
We need to figure out which of the possible names satisfied the policy, so we cannot do the iteration in check_policy_item() but have to leave it to the users. Test cases amended accordingly.
2014-11-11bus-proxyd: enforce policy for method callsDaniel Mack
2014-11-11bus-proxyd: enforce policy for name ownershipDaniel Mack
2014-11-11bus-proxyd: enforce policy for Hello messagesDaniel Mack
2014-11-11bus-proxyd: keep track of names acquired by legacy clientDaniel Mack
Store names successfully acquired by the legacy client into a hashmap. We need to take these names into account when checking for send policies.
2014-11-04sd-bus: rename sd_bus_get_server_id() to sd_bus_get_owner_id()Lennart Poettering
In kdbus a "server id" is mostly a misnomer, as there isn't any "server" involved anymore. Let's rename this to "owner" id hence, since it is an ID that is picked by the owner of a bus or direct connection. This matches nicely the sd_bus_get_owner_creds() call we already have.
2014-11-04sd-bus: rename "connection name" to "description" for the sd-bus API tooLennart Poettering
kdbus recently renamed this concept, and so should we in what we expose in userspace.
2014-11-04sd-bus: sync kdbus.h (ABI break)Daniel Mack
Catch up with some changes in kdbus.h: * KDBUS_{ITEM,ATTACH}_CONN_NAME were renamed to KDBUS_{ITEM,ATTACH}_CONN_DESCRIPTION, so the term 'name' is not overloaded as much. * The item types were re-ordered a little so they are lined up to the order of the corresponding KDBUS_ATTACH flags * A new item type KDBUS_ITEM_OWNED_NAME was introduced, designated to store a struct kdbus_name in item->name. KDBUS_ITEM_NAME soley stores data in item->str now * Some kerneldoc fixes
2014-10-24bus-proxy: it's OK if getpeercred doesn't workLennart Poettering
We should use the data if we can (if stdin/stdout is an AF_UNIX socket), but still work if we can't (if stdin/stdout are pipes, like in the SSH case). This effectively reverts 55534fb5e4742b0db9ae5e1e0202c53804147697
2014-10-22sd-bus: rename sd_bus_get_owner_uid(), sd_bus_get_owner_machine_id() and ↵Daniel Mack
sd_bus_get_peer_creds() Clean up the function namespace by renaming the following: sd_bus_get_owner_uid() → sd_bus_get_name_creds_uid() sd_bus_get_owner_machine_id() → sd_bus_get_name_machine_id() sd_bus_get_peer_creds() → sd_bus_get_owner_creds()
2014-10-21sd-bus: sync kdbus.h (ABI break)Daniel Mack
In kdbus.h, the following details changed: * All commands gained a 'kernel_flags' field to report the flags supported by the driver. Before, this was done in the 'flags' field in a bidirectional way, which turned out to be a problem for the code in sd-bus, as many parts of it reuse the same ioctl struct more than once and consider them to be owned by userspace. * Name listings are now returned by a new struct instead of reusing struct kdbus_cmd_name for that matter. This way, we don't add more unneeded fields to it and make the API cleaner. * 'conn_flags' was renamed to 'flags' in struct kdbus_cmd_hello to make the API a bit more unified.
2014-10-20bus-proxy: let's make use of the translated errors get_creds_by_name() ↵Lennart Poettering
provides us with
2014-10-20Revert "bus-proxyd: improve compatibility with dbus-1"Lennart Poettering
This reverts commit b0f84d4d7832659f2216bda7a7cdf51f5e79c6eb. get_creds_by_name() already translate the error nicely, we just need to make use of it.
2014-10-15bus-proxyd: add missing flag translation for RequestNameLukasz Skalski
2014-10-14bus-proxyd: improve compatibility with dbus-1Lukasz Skalski
'GetConnectionUnixProcessID', 'GetConnectionUnixUser' and 'GetConnectionSELinuxSecurityContext' methods should return 'NameHasNoOwner' error (if chosen name is not available on bus) with more detailed description - like dbus-1: Could not get PID of name 'org.freedesktop.test': no such name. Could not get UID of name 'org.freedesktop.test': no such name. Could not get security context of name 'org.freedesktop.test': no such name. Otherwise we have only laconic message without proper dbus error: Error System.Error.ENXIO: No such device or address
2014-10-10bus-proxyd: fix compatibility with old dbus-1Lukasz Skalski
'ListQueuedOwners' method should return 'NameHasNoOwner' error if chosen name is not available on bus.
2014-10-09bus-proxy: allow getpeersec() to failDaniel Mack
getpeersec() will fail for non-SELinux enabled machines, so don't make that a hard error.
2014-10-09bus-policy: move name list iteration to policy usersDaniel Mack
We need to figure out which of the possible names satisfied the policy, so we cannot do the iteration in check_policy_item() but have to leave it to the users. Test cases amended accordingly.
2014-10-07bus-proxyd: assorted cleanups and fixesDaniel Mack
Just some cleanups around policy checks that came up during review. The code is still not productive.
2014-10-07bus-proxyd: check return values of getpeercred() and getpeersec()Daniel Mack
If we can't get the remote peer or security creds, bail out. Spotted by coverity.
2014-10-06sd-bus: sync kdbus.h (ABI break)Daniel Mack
The KDBUS_CMD_FREE ioctl now uses a struct rather than a direct pointer to the offset to free. The KDBUS_CMD_MSG_CANCEL ioctl has also changes, but there's no user of it yet in systemd.
2014-10-01Remove repeated includesThomas Hindoe Paaboel Andersen
In pty.c there was both an include of our pty.h and the system installed pty.h. The latter contains only two functions openpty and forkpty. We use neither so I assume it was a typo and removed it. We still compile and pass all tests.
2014-09-28test-bus-policy: silence coverityThomas Hindoe Paaboel Andersen
Check if strjoin worked and also use _cleanup_free_ since we are here. Found with Coverity. Fixes CID#1241962
2014-09-26test-bus-policy: load policy files from TEST_DIRDaniel Mack
'make distcheck' calls test-bus-policy outside of the source tree, so it must consider the TEST_DIR variable to access its files.
2014-09-25bus-proxy: drop one wrong assert()Tom Gundersen
2014-09-25bus-proxyd: add some assertsTom Gundersen
Both as documentation, and to make Coverity happy. Fixes CID #1241495 and #1241496.
2014-09-24bus-policy: split API for bus-proxydDaniel Mack
Instead of operating on an sd_bus_message object, expose an API that has 4 functions: policy_check_own() policy_check_hello() policy_check_recv() policy_check_send() This also allows dropping extra code to parse message contents - the bus proxy already has dedicated code paths for that, and we can hook into those later. Tests amended accordingly.
2014-09-22sd-bus: sync kdbus.h (API+ABI break)Daniel Mack
The kdbus logic name registry logic was changed to transport the actual name to acquire, release or report in a kdbus item. This brings the name API a little more in line with other calls, and allows for later augmentation. Follow that change on the systemd side.
2014-09-20bus-policy: add test utilityDaniel Mack
Add some test files and routines for dbus policy checking.
2014-09-20bus-policy: add policy check functionDaniel Mack
Add policy_check() to actually check whether an incoming message is allowed by the policy. The code is not yet used from the proxy daemon, though.
2014-09-20bus-policy: print numeric [gu]id in dump_items()Daniel Mack
2014-09-20bus-policy: do not exit() from policy_dump()Daniel Mack
This function is quite useful for debugging. Exiting from it seems unnecessary.
2014-09-20bus-policy: implement dump_items() with LIST_FOREACHDaniel Mack
Instead of making the function call itself recursively.
2014-09-20bus-policy: resolve [ug]id of POLICY_ITEM_{USER,GROUP}Daniel Mack
Do the lookup during parsing already, and set i->uid, or i->gid to the numerical values.
2014-09-20bus_policy: set i->[ug]id_validDaniel Mack
2014-09-20bus-policy: append items rather than prepending themDaniel Mack
In the D-Bus policy, the order of items matters, so make sure to store them in the same order as they are parsed by the sax parser.
2014-09-20bus-policy: story mandatory items in right listDaniel Mack