Age | Commit message (Collapse) | Author |
|
Remove the optional sepearate opening of the directory,
it would be just too complicated with the change to
multiple directories.
Move the middle of execute_directory() to a seperate
function to make it easier to grok.
|
|
The 'at_console' policy-category allows to apply policy-items to clients
depending on whether they're run from within a valid user-session or not.
We use sd_uid_get_seats() to check whether a user has a valid seat (which
excludes remote-sessions like ssh).
|
|
Make sure to print "dbus-1 to kernel" or "kernel to dbus-1" in policy logs
to better diagnose the situation.
|
|
If a dbus-1 client sends a broadcasted signal via the bus-proxy to kdbus,
the bus-proxy has no idea who the receiver is. Classic dbus-daemon has
bus-access and can perform policy checks for each receiver, but we cant.
Instead, we know the kernel will perform receiver policy checks for
broadcasts, so we can skip the policy check and just push it into the
kernel.
This fixes wpa_supplicant which has DENY rules on receive_type=signal for
non-root. As we never know the target, we always DENY all broadcasts from
wpa_supplicant.
Note that will still perform receiver-policy checks for signals that we
get from the kernel back to us. In those cases, we know the receiver
(which is us).
|
|
The policy debug messages swapped "path=" and "interface=", fix this.
|
|
dbus-1 distinguishes expected and non-expected replies. An expected reply
is a reply that is sent as answer to a previously forwarded method-call
before the timeout fires. Those replies are, by default, forwarded and
DENY policy tags are ignored on them (unless explicitly stated otherwise).
We don't track reply-windows in the bus-proxy as the kernel already does
this. Furthermore, the kernel prohibits any non-expected replies (which
breaks dbus-1, but it was an odd feature, anyway).
Therefore, skip policy checks on replies and always let the kernel deal
with it!
To be correct, we should still process DENY tags marked as
send_expected_reply=true (which is *NOT* the default!). However, so far we
don't parse those attributes, and no-one really uses it, so lets not
implement it for now. It's marked as TODO if anyone feels like fixing it.
|
|
Make sure to extract the log-priority when comparing against
max-log-level, otherwise, we will always drop those messages.
This fixes bus-proxyd to properly send warnings on policy blocks.
|
|
|
|
imply calling session/user instead
This turns "lock-session", "activate", "unlock-session",
"enable-linger", "disable-linger" into commands that take no argument,
optionally in which case the callers session/user is implied.
|
|
needlessly send it if we don't actually need it
|
|
|
|
|
|
|
|
to the bus owner should be allowed
Hence, copy this behaviour for bus-proxy too.
|
|
|
|
|
|
|
|
determine them from the caller credentials
More specifically, if an operation is requested on a session with an
empty name, the caller's session is used. If an operation is requested
on a seat with an empty name, the seat of the caller's session is used.
Finally, if an operation on the user with UID -1 is requested, the user
of the client's session is used (and not the UID of the client!).
|
|
Makes "busctl introspect" a lot more fun.
|
|
caller's session status
Similar for user-status and seat-status.
|
|
Among other things, avoid log_struct() unless we really need it.
Also, use "r" as variable to store function errors in, instead of "err".
"r" is pretty much what we use everywhere else, hence using the same
here make sense.
FInally, in the child, when we want to log, make sure to open the
logging framework first, since it is explicitly closed in preparation
for the exec().
|
|
Now that we bump rlimit, we do not really know how many files
we can open. Remove the check.
https://bugzilla.redhat.com/show_bug.cgi?id=1179980
|
|
|
|
Make sure to append bloom-filters to all signal-messages, not only
broadcasts.
|
|
|
|
non-fatal
This should be useful for user namespaces.
|
|
|
|
|
|
|
|
|
|
|
|
methods, start the polkit agent on terminals
|
|
|
|
user-status" and "loginctl session-status"
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=66396
|
|
|
|
Imagine a kdbus peer sending a method-call without EXPECT_REPLY set
through the proxy to a dbus1 peer. The proxy turns the missing
EXPECT_REPLY flag into a dbus1 NO_REPLY_EXPECTED flag. However, if the
receipient ignores that flag (valid dbus1 behavior) and sends a reply, the
proxy will try to forward it to the original peer. This will fail with
EPERM as the kernel didn't track the reply.
We have two options now: Either we ignore EPERM for reply messages, or we
track reply-windows in the proxy so we can properly ignore replies if
EXPECT_REPLY wasn't set.
This commit chose the first option: ignore EPERM for replies. The only
down-side is that replies without matching method call will no longer be
forwarded by the proxy. This works on dbus1, though.
Nobody sane does this, so lets ignore it.
|
|
If a caller does not request a reply, dont send it. This skips message
creation and speeds up NO_REPLY_EXPECTED cases. Note that sd-bus still
handles this case internally, but if we handle it in bus-proxyd, we can
skip the whole message creation step.
|
|
dbus1 does not provide cmdline, so we have to augment our credentials from
/proc to beautify the bus-proxyd cmdline. We dont use this for anything
but beautification, so there shouldn't be any problems due to /proc
pid-recycling races.
This fixes bus-proxyd to no longer display 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
in its cmdline.
|
|
|
|
|
|
Add a {} sentinal entry so the config-iterator can properly iterate all
array elements. Fixes a segfault in the dbus1-generator.
|
|
|
|
When there are a lot of split out journal files, we might run out of fds
quicker then we want. Hence: bump RLIMIT_NOFILE to 16K if possible.
Do these even for journalctl. On Fedora the soft RLIMIT_NOFILE is at 1K,
the hard at 4K by default for normal user processes, this code hence
bumps this up for users to 4K.
https://bugzilla.redhat.com/show_bug.cgi?id=1179980
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1178051
|
|
fd_setcrtime()
|
|
Given the write patterns on disk images, we better should turn COW off
for them. In particular as the file systems used inside the disk images
should do their own data integrity checks anyway and we don't need
multiple layers of it.
|
|
btrfs' COW logic results in heavily fragment journal files, which is
detrimental for perfomance. Hence, turn off COW for journal files as we
create them.
Turning off COW comes at the cost of data integrity guarantees, but this
should be acceptable, given that we do our own checksumming, and
generally have a pretty conservative write pattern.
Also see discussion on linux-btrfs:
http://www.spinics.net/lists/linux-btrfs/msg41001.html
|
|
connected terminal
So far, if we had no knowledge about the correct $TERM we defaulted to
v102, as a safe, conservative choice. However, the terminfo data for
vt102 is not aware of pageup/pagedown, which makes "less" much harder
work with than necessary. Setting vt220 allows them to work correctly.
"vt220" should be a sufficiently safe choice too, given that xterm,
gnome-terminal and the linux console all strive to implement vt220 as
baseline, already to pass pageup/pagedown correctly to apps.
Effectively, with this change "journalctl -e" run inside a
"systemd-nspawn" terminal will now run a pager where pageup/pagedown
works, which is quite an improvement of usability for containers.
|
|
|