Age | Commit message (Collapse) | Author |
|
The 'at_console' policy-category allows to apply policy-items to clients
depending on whether they're run from within a valid user-session or not.
We use sd_uid_get_seats() to check whether a user has a valid seat (which
excludes remote-sessions like ssh).
|
|
Make sure to print "dbus-1 to kernel" or "kernel to dbus-1" in policy logs
to better diagnose the situation.
|
|
If a dbus-1 client sends a broadcasted signal via the bus-proxy to kdbus,
the bus-proxy has no idea who the receiver is. Classic dbus-daemon has
bus-access and can perform policy checks for each receiver, but we cant.
Instead, we know the kernel will perform receiver policy checks for
broadcasts, so we can skip the policy check and just push it into the
kernel.
This fixes wpa_supplicant which has DENY rules on receive_type=signal for
non-root. As we never know the target, we always DENY all broadcasts from
wpa_supplicant.
Note that will still perform receiver-policy checks for signals that we
get from the kernel back to us. In those cases, we know the receiver
(which is us).
|
|
The policy debug messages swapped "path=" and "interface=", fix this.
|
|
dbus-1 distinguishes expected and non-expected replies. An expected reply
is a reply that is sent as answer to a previously forwarded method-call
before the timeout fires. Those replies are, by default, forwarded and
DENY policy tags are ignored on them (unless explicitly stated otherwise).
We don't track reply-windows in the bus-proxy as the kernel already does
this. Furthermore, the kernel prohibits any non-expected replies (which
breaks dbus-1, but it was an odd feature, anyway).
Therefore, skip policy checks on replies and always let the kernel deal
with it!
To be correct, we should still process DENY tags marked as
send_expected_reply=true (which is *NOT* the default!). However, so far we
don't parse those attributes, and no-one really uses it, so lets not
implement it for now. It's marked as TODO if anyone feels like fixing it.
|
|
|
|
|
|
|
|
to the bus owner should be allowed
Hence, copy this behaviour for bus-proxy too.
|
|
|
|
|
|
Imagine a kdbus peer sending a method-call without EXPECT_REPLY set
through the proxy to a dbus1 peer. The proxy turns the missing
EXPECT_REPLY flag into a dbus1 NO_REPLY_EXPECTED flag. However, if the
receipient ignores that flag (valid dbus1 behavior) and sends a reply, the
proxy will try to forward it to the original peer. This will fail with
EPERM as the kernel didn't track the reply.
We have two options now: Either we ignore EPERM for reply messages, or we
track reply-windows in the proxy so we can properly ignore replies if
EXPECT_REPLY wasn't set.
This commit chose the first option: ignore EPERM for replies. The only
down-side is that replies without matching method call will no longer be
forwarded by the proxy. This works on dbus1, though.
Nobody sane does this, so lets ignore it.
|
|
If a caller does not request a reply, dont send it. This skips message
creation and speeds up NO_REPLY_EXPECTED cases. Note that sd-bus still
handles this case internally, but if we handle it in bus-proxyd, we can
skip the whole message creation step.
|
|
dbus1 does not provide cmdline, so we have to augment our credentials from
/proc to beautify the bus-proxyd cmdline. We dont use this for anything
but beautification, so there shouldn't be any problems due to /proc
pid-recycling races.
This fixes bus-proxyd to no longer display 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
in its cmdline.
|
|
"org.freedesktop.DBus" and "org.freedesktop.DBus.Local" and refuse them
|
|
|
|
|
|
https://github.com/vlajos/misspell_fixer
https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa
Thanks to Torstein Husebo <torstein@huseboe.net>.
|
|
We *must* not use sd_bus_reply_*() as it does not set the sender field
correctly. Use the synthetic_reply_*() helpers instead!
|
|
files from core
Stuff in src/shared or src/libsystemd should *never* include code from
src/core or any of the tools, so don't do that here either. It's not OK!
|
|
sd_bus_creds_get_well_known_names() fails with -ENODATA in case the
message has no names attached, which is intended behavior if the
remote connection didn't own any names at the time of sending.
The function already deals with 'sender_names' being an empty strv,
so we can just continue in such cases.
|
|
Messages to destinations that are not currently owned by any bus connection
will cause kdbus related function to return with either -ENXIO or -ESRCH.
Such conditions should not make the proxyd terminate but send a sane
SD_BUS_ERROR_NAME_HAS_NO_OWNER error reply to the proxied connection.
|
|
When dbus client connects to systemd-bus-proxyd through
Unix domain socket proxy takes client's smack label and sets for itself.
It is done before and independent of dropping privileges.
The reason of such soluton is fact that tests of access rights
performed by lsm may take place inside kernel, not only
in userspace of recipient of message.
The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label.
In case of systemd running in system mode, CAP_MAC_ADMIN
should be added to CapabilityBoundingSet in service file of bus-proxyd.
In case of systemd running in user mode ('systemd --user')
it can be achieved by addition
Capabilities=cap_mac_admin=i and SecureBits=keep-caps
to user@.service file
and setting cap_mac_admin+ei on bus-proxyd binary.
|
|
|
|
|
|
|
|
The ID returned really doesn't identify the owner, but the bus instance,
hence fix this misnaming.
Also, update "busctl status" to show the ID in its output.
|
|
If the format string contains %m, clearly errno must have a meaningful
value, so we might as well use log_*_errno to have ERRNO= logged.
Using:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'
Plus some whitespace, linewrap, and indent adjustments.
|
|
|
|
to load from that
|
|
"addresses"
|
|
Also, make the call to free kdbus slices generic and use it everywhere
|
|
It corrrectly handles both positive and negative errno values.
|
|
As a followup to 086891e5c1 "log: add an "error" parameter to all
low-level logging calls and intrdouce log_error_errno() as log calls
that take error numbers", use sed to convert the simple cases to use
the new macros:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'
Multi-line log_*() invocations are not covered.
And we also should add log_unit_*_errno().
|
|
- actually return permission errors to clients
- use the right ucreds field
- fix error paths when we cannot keep track of locally acquired names
due to OOM
- avoid unnecessary global variables
- log when the policy denies access
- enforce correct policy rule order
- always request all the metadata its we need to make decisions
|
|
|
|
|
|
dbus1 only checks if these files parse correctly so let's do the same for now.
|
|
it passes with the bus proxy enforcement
|
|
KDBUS_ITEM_PIDS structure from KDBUS_ITEM_CREDS
Also:
- adds support for euid, suid, fsuid, egid, sgid, fsgid fields.
- makes augmentation of creds with data from /proc explicitly
controllable to give apps better control over this, given that this is
racy.
- enables augmentation for kdbus connections (previously we only did it
for dbus1). This is useful since with recent kdbus versions it is
possible for clients to control the metadata they want to send.
- changes sd_bus_query_sender_privilege() to take the euid of the client
into consideration, if known
- when we don't have permissions to read augmentation data from /proc,
don't fail, just don't add the data in
|
|
Our API calls check the validity of bus names anyway, hence we don't
have to do this before calling them...
|
|
|
|
The access check call was broken (as it tried to read a service name
from the UpdateActivationEnvironment() method call which doesn't carry
any). Also, it's unnecessary to make any access checks here, as we just
forward the call to PID 1 which should do the access checks necessary.
|
|
There are issues to investigate on with policies shipped by some
packages, which we'll address later. Move that topic out of the
way for now to bring sd-bus in sync with upstream kdbus.
|
|
In order to check for matching policy entries at message transfers, we
have to consider the following:
* check the currently owned names of both the sending and the receiving
peer. If the sending peer is connected via kdbus, the currently owned
names are already attached to the message. If it was originated by the
connection we're proxying for, we store the owned names in our own strv
so we can check against them.
* Walk the list of names to check which name would allow the message to
pass, and explicitly use that name as destination of the message. If the
destination is on kdbus, store both the connection's unique name and the
chosen well-known-name in the message. That way, the kernel will make sure
the supplied name is owned by the supplied unique name, at the time of
sending, and return -EREMCHG otherwise.
* Make the policy checks optional by retrieving the bus owner creds, and
when the uid matches the current user's uid and is non-null, don't check
the bus policy.
|
|
This reverts commit 5bb24cccbce846c0d77e71b70a3be7f4b2ba6c0e.
It does not even compile (unbalanced {)
|
|
Retrieve the bus owner creds, and when the uid matches the current user's
uid and is non-null, don't check the bus policy.
|
|
We need to figure out which of the possible names satisfied the policy,
so we cannot do the iteration in check_policy_item() but have to leave it
to the users.
Test cases amended accordingly.
|
|
|
|
|