summaryrefslogtreecommitdiff
path: root/src/bus-proxyd
AgeCommit message (Collapse)Author
2015-01-11bus-proxy: implement 'at_console'David Herrmann
The 'at_console' policy-category allows to apply policy-items to clients depending on whether they're run from within a valid user-session or not. We use sd_uid_get_seats() to check whether a user has a valid seat (which excludes remote-sessions like ssh).
2015-01-11bus-proxy: print message direction in policy logsDavid Herrmann
Make sure to print "dbus-1 to kernel" or "kernel to dbus-1" in policy logs to better diagnose the situation.
2015-01-11bus-proxy: fix receiver policy on dbus-1 to kdbus signalsDavid Herrmann
If a dbus-1 client sends a broadcasted signal via the bus-proxy to kdbus, the bus-proxy has no idea who the receiver is. Classic dbus-daemon has bus-access and can perform policy checks for each receiver, but we cant. Instead, we know the kernel will perform receiver policy checks for broadcasts, so we can skip the policy check and just push it into the kernel. This fixes wpa_supplicant which has DENY rules on receive_type=signal for non-root. As we never know the target, we always DENY all broadcasts from wpa_supplicant. Note that will still perform receiver-policy checks for signals that we get from the kernel back to us. In those cases, we know the receiver (which is us).
2015-01-11bus-proxy: fix swapped path/interface debug messagesDavid Herrmann
The policy debug messages swapped "path=" and "interface=", fix this.
2015-01-11bus-proxy: fix policy for expected/non-expected reply tagsDavid Herrmann
dbus-1 distinguishes expected and non-expected replies. An expected reply is a reply that is sent as answer to a previously forwarded method-call before the timeout fires. Those replies are, by default, forwarded and DENY policy tags are ignored on them (unless explicitly stated otherwise). We don't track reply-windows in the bus-proxy as the kernel already does this. Furthermore, the kernel prohibits any non-expected replies (which breaks dbus-1, but it was an odd feature, anyway). Therefore, skip policy checks on replies and always let the kernel deal with it! To be correct, we should still process DENY tags marked as send_expected_reply=true (which is *NOT* the default!). However, so far we don't parse those attributes, and no-one really uses it, so lets not implement it for now. It's marked as TODO if anyone feels like fixing it.
2015-01-09bus-proxy: make sure we have creds when two legacy clients talk to each otherLennart Poettering
2015-01-09bus-proxy-test: show parsed system/session policyLennart Poettering
2015-01-09bus-proxy: eat up "*" matches, they are pointlessLennart Poettering
2015-01-09bus-proxy: dbus-daemon implies that connections from UIDs that are identical ↵Lennart Poettering
to the bus owner should be allowed Hence, copy this behaviour for bus-proxy too.
2015-01-09bus-proxyd: xml - consider empty tags as recvKay Sievers
2015-01-09bus-proxy: make sure sure eavesdrop= XML attributes are properly handledLennart Poettering
2015-01-08bus-proxyd: fix EPERM on repliesDavid Herrmann
Imagine a kdbus peer sending a method-call without EXPECT_REPLY set through the proxy to a dbus1 peer. The proxy turns the missing EXPECT_REPLY flag into a dbus1 NO_REPLY_EXPECTED flag. However, if the receipient ignores that flag (valid dbus1 behavior) and sends a reply, the proxy will try to forward it to the original peer. This will fail with EPERM as the kernel didn't track the reply. We have two options now: Either we ignore EPERM for reply messages, or we track reply-windows in the proxy so we can properly ignore replies if EXPECT_REPLY wasn't set. This commit chose the first option: ignore EPERM for replies. The only down-side is that replies without matching method call will no longer be forwarded by the proxy. This works on dbus1, though. Nobody sane does this, so lets ignore it.
2015-01-08bus-proxyd: optimize replies if they're not requestedDavid Herrmann
If a caller does not request a reply, dont send it. This skips message creation and speeds up NO_REPLY_EXPECTED cases. Note that sd-bus still handles this case internally, but if we handle it in bus-proxyd, we can skip the whole message creation step.
2015-01-08bus-proxy: augment credentials from /proc for cmdline updateDavid Herrmann
dbus1 does not provide cmdline, so we have to augment our credentials from /proc to beautify the bus-proxyd cmdline. We dont use this for anything but beautification, so there shouldn't be any problems due to /proc pid-recycling races. This fixes bus-proxyd to no longer display 'xxxxxxxxxxxxxxxxxxxxxxxxxxx' in its cmdline.
2015-01-07sd-bus: always catch name requests for the special names ↵Lennart Poettering
"org.freedesktop.DBus" and "org.freedesktop.DBus.Local" and refuse them
2015-01-05bus-proxyd: don't allow to acquire org.freedesktop.DBus nameLukasz Skalski
2015-01-05machined,bus-proxy: fix connecting to containersLennart Poettering
2014-12-30tree-wide: spelling fixesVeres Lajos
https://github.com/vlajos/misspell_fixer https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa Thanks to Torstein Husebo <torstein@huseboe.net>.
2014-12-29bus-proxy: fix sd_bus_reply_*() usageDavid Herrmann
We *must* not use sd_bus_reply_*() as it does not set the sender field correctly. Use the synthetic_reply_*() helpers instead!
2014-12-23core: rearrange code so that libsystemd/sd-bus/ does not include header ↵Lennart Poettering
files from core Stuff in src/shared or src/libsystemd should *never* include code from src/core or any of the tools, so don't do that here either. It's not OK!
2014-12-23bus-proxyd: ignore errors from sd_bus_creds_get_well_known_names()Daniel Mack
sd_bus_creds_get_well_known_names() fails with -ENODATA in case the message has no names attached, which is intended behavior if the remote connection didn't own any names at the time of sending. The function already deals with 'sender_names' being an empty strv, so we can just continue in such cases.
2014-12-23bus-proxyd: handle -ESRCH and -ENXIO gracefullyDaniel Mack
Messages to destinations that are not currently owned by any bus connection will cause kdbus related function to return with either -ENXIO or -ESRCH. Such conditions should not make the proxyd terminate but send a sane SD_BUS_ERROR_NAME_HAS_NO_OWNER error reply to the proxied connection.
2014-12-09bus-proxy: cloning smack labelPrzemyslaw Kedzierski
When dbus client connects to systemd-bus-proxyd through Unix domain socket proxy takes client's smack label and sets for itself. It is done before and independent of dropping privileges. The reason of such soluton is fact that tests of access rights performed by lsm may take place inside kernel, not only in userspace of recipient of message. The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label. In case of systemd running in system mode, CAP_MAC_ADMIN should be added to CapabilityBoundingSet in service file of bus-proxyd. In case of systemd running in user mode ('systemd --user') it can be achieved by addition Capabilities=cap_mac_admin=i and SecureBits=keep-caps to user@.service file and setting cap_mac_admin+ei on bus-proxyd binary.
2014-12-08bus-proxy: fix compat with autostarted servicesLennart Poettering
2014-12-02bus-proxy: don't log bus policy every single time we runLennart Poettering
2014-11-28treewide: introduce UID_INVALID (and friends) as macro for (uid_t) -1Lennart Poettering
2014-11-28sd-bus: rename sd_bus_get_owner_id() → sd_bus_get_bus_id()Lennart Poettering
The ID returned really doesn't identify the owner, but the bus instance, hence fix this misnaming. Also, update "busctl status" to show the ID in its output.
2014-11-28treewide: use log_*_errno whenever %m is in the format stringMichal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28treewide: more log_*_errno + return simplificationsMichal Schmidt
2014-11-28bus-proxy: automatically detect scope of bus and derive which XML snippets ↵Lennart Poettering
to load from that
2014-11-28sd-bus: rename default bus address constants, they aren't "paths" but ↵Lennart Poettering
"addresses"
2014-11-28sd-bus: rework credential query logicLennart Poettering
Also, make the call to free kdbus slices generic and use it everywhere
2014-11-28treewide: no need to negate errno for log_*_errno()Michal Schmidt
It corrrectly handles both positive and negative errno values.
2014-11-28treewide: auto-convert the simple cases to log_*_errno()Michal Schmidt
As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().
2014-11-27bus-proxy: beef up policy enforcementLennart Poettering
- actually return permission errors to clients - use the right ucreds field - fix error paths when we cannot keep track of locally acquired names due to OOM - avoid unnecessary global variables - log when the policy denies access - enforce correct policy rule order - always request all the metadata its we need to make decisions
2014-11-27bus-proxy: check passed parameter signature of all driver method callsLennart Poettering
2014-11-26bus-policy: actually test messages against the newly added test.confLennart Poettering
2014-11-26bus-policy: also add in other bus policy tests from dbus1Lennart Poettering
dbus1 only checks if these files parse correctly so let's do the same for now.
2014-11-26bus-policy: steal a test case for prefix ownership from dbus1, and make sure ↵Lennart Poettering
it passes with the bus proxy enforcement
2014-11-25sd-bus: update to current kernel version, by splitting off the extended ↵Lennart Poettering
KDBUS_ITEM_PIDS structure from KDBUS_ITEM_CREDS Also: - adds support for euid, suid, fsuid, egid, sgid, fsgid fields. - makes augmentation of creds with data from /proc explicitly controllable to give apps better control over this, given that this is racy. - enables augmentation for kdbus connections (previously we only did it for dbus1). This is useful since with recent kdbus versions it is possible for clients to control the metadata they want to send. - changes sd_bus_query_sender_privilege() to take the euid of the client into consideration, if known - when we don't have permissions to read augmentation data from /proc, don't fail, just don't add the data in
2014-11-14bus-proxy: avoid redundant name validity checksLennart Poettering
Our API calls check the validity of bus names anyway, hence we don't have to do this before calling them...
2014-11-14bus-proxy: properly check for bus name prefixes when enforcing policyLennart Poettering
2014-11-14bus-proxy: drop broken access check in driverLennart Poettering
The access check call was broken (as it tried to read a service name from the UpdateActivationEnvironment() method call which doesn't carry any). Also, it's unnecessary to make any access checks here, as we just forward the call to PID 1 which should do the access checks necessary.
2014-11-13bus-proxyd: temporarily disable policy checks againDaniel Mack
There are issues to investigate on with policies shipped by some packages, which we'll address later. Move that topic out of the way for now to bring sd-bus in sync with upstream kdbus.
2014-11-11bus-proxyd: explicitly address messages to unique and well-known nameDaniel Mack
In order to check for matching policy entries at message transfers, we have to consider the following: * check the currently owned names of both the sending and the receiving peer. If the sending peer is connected via kdbus, the currently owned names are already attached to the message. If it was originated by the connection we're proxying for, we store the owned names in our own strv so we can check against them. * Walk the list of names to check which name would allow the message to pass, and explicitly use that name as destination of the message. If the destination is on kdbus, store both the connection's unique name and the chosen well-known-name in the message. That way, the kernel will make sure the supplied name is owned by the supplied unique name, at the time of sending, and return -EREMCHG otherwise. * Make the policy checks optional by retrieving the bus owner creds, and when the uid matches the current user's uid and is non-null, don't check the bus policy.
2014-11-11Revert "bus-proxyd: make policy checks optional"Michal Schmidt
This reverts commit 5bb24cccbce846c0d77e71b70a3be7f4b2ba6c0e. It does not even compile (unbalanced {)
2014-11-11bus-proxyd: make policy checks optionalDaniel Mack
Retrieve the bus owner creds, and when the uid matches the current user's uid and is non-null, don't check the bus policy.
2014-11-11bus-proxyd: move name list iteration to policy usersDaniel Mack
We need to figure out which of the possible names satisfied the policy, so we cannot do the iteration in check_policy_item() but have to leave it to the users. Test cases amended accordingly.
2014-11-11bus-proxyd: enforce policy for method callsDaniel Mack
2014-11-11bus-proxyd: enforce policy for name ownershipDaniel Mack