Age | Commit message (Collapse) | Author |
|
|
|
|
|
Even if the lower-leveld dbus1 protocol calls it "serial", let's expose
the word "cookie" for this instead, as this is what kdbus uses and since
it doesn't imply monotonicity the same way "serial" does.
|
|
|
|
|
|
before parsing
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Also make thread_local available w/o including <threads.h>.
(as the latter hasn't been implemented, but this part is trivial)
|
|
|
|
|
|
Previously we'd open the connection in the originating namespace, which
meant most peers of the bus would not be able to make sense of the
PID/UID/... identity of us since we didn't exist in the namespace they
run in. However they require this identity for privilege decisions,
hence disallowing access to anything from the host.
Instead, when connecting to a container, create a temporary subprocess,
make it join the container's namespace and then connect from there to
the kdbus instance. This is similar to how we do it for socket
conections already.
THis also unifies the namespacing code used by machinectl and the bus
APIs.
|
|
|
|
When trying a couple of addresses one after the other, make sure to
reattach the fds to the event loop.
|
|
With this change a failing event source handler will not cause the
entire event loop to fail. Instead, we just disable the specific event
source, log a message at debug level and go on.
This also introduces a new concept of "exit code" which can be stored in
the event loop and is returned by sd_event_loop(). We also rename "quit"
to "exit" everywhere else.
Altogether this should make things more robus and keep errors local
while still providing a way to return event loop errors in a clear way.
|
|
|
|
|
|
|
|
kdbus fortunately exposes the container's busses in the host fs, hence
we can access it directly instead of doing the namespacing dance.
|
|
This adds the new library call sd_journal_open_container() and a new
"-M" switch to journalctl. Particular care is taken that journalctl's
"-b" switch resolves to the current boot ID of the container, not the
host.
|
|
|
|
We support unreffing NULL pointers just fine and we shouldn't pay the
_unlikely_() price for it, not get a debug message if we do, hence let's
not use assert_return() here.
|
|
Introduces a new concept of "trusted" vs. "untrusted" busses. For the
latter libsystemd-bus will automatically do per-method access control,
for the former all access is automatically granted. Per-method access
control is encoded in the vtables: by default all methods are only
accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag
is set for a method it is accessible to unprivileged clients too. By
default whether a client is privileged is determined via checking for
its CAP_SYS_ADMIN capability, but this can be altered via the
SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field
of the method.
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and
SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note
however that read access is unrestricted, as PropertiesChanged messages
might send out the values anyway as an unrestricted broadcast.
By default the system bus is set to "untrusted" and the user bus is
"trusted" since per-method access control on the latter is unnecessary.
On dbus1 busses we check the UID of the caller rather than the
configured capability since the capability cannot be determined without
race. On kdbus the capability is checked if possible from the attached
meta-data of a message and otherwise queried from the sending peer.
This also decorates the vtables of the various daemons we ship with
these flags.
|
|
We shouldn export what isn't necessary or useful to clients, so let's
add the protocol definitions we only need internally into a private
header.
|
|
(also, rename _SD_BUS_CREDS_MAX to _SD_BUX_CRED_ALL, since "MAX" so far
was used to indicate one higher than the highest valid value, and this
is not correct here.)
|
|
|
|
Since we want to retain the ability to break kernel ←→ userspace ABI
after the next release, let's not make use by default of kdbus, so that
people with future kernels will not suddenly break with current systemd
versions.
kdbus support is left in all builds but must now be explicitly requested
at runtime (for example via setting $DBUS_SESSION_BUS). Via a configure
switch the old behaviour can be restored. In fact, we change autogen.sh
to do this, so that git builds (which run autogen.sh) get kdbus by
default, but tarball builds (which ue the configure defaults) do not get
it, and hence this stays out of the distros by default.
|
|
|
|
|
|
The name list and query functions now work differently in kdbus, as the
result is stored in the connection's pool, rather than being copied back
through the ioctl buffer. That also safes us some logic, as we don't
have to resize the communication buffer in a loop with growing buffer
sizes.
Due to this, KDBUS_CMD_MSG_RELEASE was renamed to KDBUS_CMD_FREE, as it
is now used outside the message logic as well.
|
|
|
|
|
|
because the destination is unavailable
|
|
The signals appear entirely redundant due to NameOwnerChange, hence
don't do them in the new library, instead leave them for the
compatibility bridge only.
Also, set the serial number for synthesized messages to (uint32_t) -1.
|
|
We need this so that one incoming kernel message can result in two
high-level bus messages, for the case where we synthesize NameAcquired
and NameOwnerChanged in the same instance.
|
|
Factor out code from sd_bus_negotiate_attach_creds() to a generic
translate function, so it can be used from other places.
|
|
|
|
matches against NameOwnerChange
|
|
kdbus_cmd_hello now has a new uint64_t flags field for the requested
attachments. Follow that change in libsystemd-bus.
|
|
This way we can unify handling of credentials that are attached to
messages, or can be queried for bus name owners or connection peers.
This also adds the ability to extend incomplete credential information
with data from /proc,
Also, provide a convenience call that will automatically determine the
most appropriate credential object for an incoming message, by using the
the attached information if possible, the sending name information if
available and otherwise the peer's credentials.
|
|
|
|
|
|
can be freed
|
|
|
|
|
|
Message handler callbacks can be simplified drastically if the
dispatcher automatically replies to method calls if errors are returned.
Thus: add an sd_bus_error argument to all message handlers. When we
dispatch a message handler and it returns negative or a set sd_bus_error
we send this as message error back to the client. This means errors
returned by handlers by default are given back to clients instead of
rippling all the way up to the event loop, which is desirable to make
things robust.
As a side-effect we can now easily turn the SELinux checks into normal
function calls, since the method call dispatcher will generate the right
error replies automatically now.
Also, make sure we always pass the error structure to all property and
method handlers as last argument to follow the usual style of passing
variables for return values as last argument.
|