summaryrefslogtreecommitdiffstats
path: root/bus/policy.c
Commit message (Collapse)AuthorAgeFilesLines
* CVE-2008-0595 dbus security policy circumventionJohn (J5) Palmieri2008-02-261-6/+26
| | | | | | | | | | | | * CVE-2008-0595 - security policy of the type <allow send_interface= "some.interface.WithMethods"/> work as an implicit allow for messages sent without an interface bypassing the default deny rules and potentially allowing restricted methods exported on the bus to be executed by unauthorized users. This patch fixes the issue. * bus/policy.c (bus_client_policy_check_can_send, bus_client_policy_check_can_receive): skip messages without an interface when evaluating an allow rule, and thus pass it to the default deny rules
* 2007-07-13 Havoc Pennington <hp@redhat.com>Havoc Pennington2007-07-141-1/+1
| | | | * Add indent-tabs-mode: nil to all file headers.
* 2007-06-09 Havoc Pennington <hp@redhat.com>Havoc Pennington2007-06-091-38/+50
| | | | | | | | | | | | | | | | | | | * bus/policy.c (bus_policy_create_client_policy): gracefully continue if the connection has no unix user - just don't apply any unix user dependent rules. * bus/config-parser.c: remove dbus-userdb.h usage * bus/bus.c: remove dbus-userdb.h usage * dbus/dbus-transport.c (_dbus_transport_get_is_authenticated): support Windows user function; also, fix the logic for checking auth as root in the default auth code (broken in the previous commit) * dbus/dbus-connection.c (dbus_connection_set_windows_user_function): new function (dbus_connection_get_windows_user): new function
* 2007-06-09 Havoc Pennington <hp@redhat.com>Havoc Pennington2007-06-091-4/+0
| | | | | | | | | | | | | | | | | | | * bus/dispatch.c (check_get_connection_unix_process_id): adapt since sysdeps-unix.h stuff isn't included anymore * bus/bus.c (bus_context_new): use more abstract functions to change user, so they can be no-ops on Windows * dbus/dbus-credentials.c, dbus/dbus-credentials.h, dbus/dbus-credentials-util.c: new files containing a fully opaque DBusCredentials data type to replace the old not opaque one. * configure.in (DBUS_UNIX): define DBUS_UNIX to match DBUS_WIN on windows * dbus/dbus-userdb.h: prohibit on Windows, next step is to clean up the uses of it in bus/*.c and factor out the parts of cookie auth that depend on it
* * bus/policy (bus_policy_create_client_policy): win32 temporary fix until ↵Ralf Habacker2007-05-191-0/+4
| | | | the userdb stuff is ported completly.
* * bus/config-parser.c, bus/policy.c, bus/policy.h, ↵Ralf Habacker2007-03-151-4/+4
| | | | bus/dbus-daemon.1.in,bus/session.conf.in: added eavesdrop support for replies - patch by olli.salli at collabora.co.uk approved by Havoc Pennington.
* commit.msgTim Dijkstra2006-12-121-3/+2
|
* * Release 0.36.2John (J5) Palmieri2005-08-291-2/+3
| | | | | | | | | | | * Add Havoc's patch that never got applied to HEAD (Bug #2436): * bus/policy.c (bus_policy_allow_user): change default "user is allowed" to be "user has same uid as the bus itself"; any allow/deny rules will override. * bus/session.conf.in: don't allow all users, since now by default the user that ran the bus can connect.
* Console user security policyJohn (J5) Palmieri2004-08-251-7/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * bus/config-parser.c: (struct PolicyType): Add POLICY_CONSOLE (struct Element.d.policy): s/gid_or_uid/gid_uid_or_at_console (start_busconfig_child): Sets up console element when <policy at_console=""> is encountered in a policy file (append_rule_from_element): Convert console elements to console rules. * bus/policy.c: (bus_policy_create_client_policy): Add console rules to the client policy based on if the client is at the console (bus_policy_append_console_rule): New function for adding a console rule to a policy (bus_policy_merge): Handle console rule merging * dbus/dbus-sysdeps.h: Added the DBUS_CONSOLE_DIR constant where we check for console user files * dbus/dbus-sysdeps.c: (_dbus_file_exists): New function which checks if the given file exists (_dbus_user_at_console): New function which does the system specific process of checking if the user is at the console * dbus/dbus-userdb.c: (_dbus_is_console_user): New function converts a UID to user name and then calls the system specific _dbus_user_at_console to see if the user is at the console and therefor a console user
* 2004-08-09 Havoc Pennington <hp@redhat.com>Havoc Pennington2004-08-101-1/+1
| | | | | * COPYING: switch to Academic Free License version 2.1 instead of 2.0, to resolve complaints about patent termination clause.
* 2004-07-24 Havoc Pennington <hp@redhat.com>Havoc Pennington2004-07-301-5/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SELinux support from Matthew Rickard <mjricka@epoch.ncsc.mil> * bus/selinux.c, bus/selinux.h: new file encapsulating selinux functionality * configure.in: add --enable-selinux * bus/policy.c (bus_policy_merge): add FIXME to a comment * bus/main.c (main): initialize and shut down selinux * bus/connection.c: store SELinux ID on each connection, to avoid repeated getting of the string context and converting it into an ID * bus/bus.c (bus_context_get_policy): new accessor, though it isn't used (bus_context_check_security_policy): check whether the security context of sender connection can send to the security context of recipient connection * bus/config-parser.c: add parsing for <selinux> and <associate> * dbus/dbus-transport.c (_dbus_transport_get_unix_fd): to implement dbus_connection_get_unix_fd() * dbus/dbus-connection.c (dbus_connection_get_unix_fd): new function, used by the selinux stuff
* 2004-05-29 Havoc Pennington <hp@redhat.com>Havoc Pennington2004-05-291-1/+31
| | | | | | | | | | | | | | | | | | | | | * bus/config-parser.c (process_test_valid_subdir): temporarily stop testing config parser OOM handling, since expat has issues http://freedesktop.org/pipermail/dbus/2004-May/001153.html * bus/dbus-daemon-1.1.in: change requested_reply to send_requested_reply/receive_requested_reply so we can send the replies, not just receive them. * bus/config-parser.c: parse the new send_requested_reply/receive_requested_reply * bus/policy.c (bus_client_policy_check_can_send): add requested_reply argument and use it * bus/bus.c (bus_context_check_security_policy): pass through requested_reply status to message send check * bus/system.conf.in: adapt to requested_reply change
* 2003-12-02 Richard Hult <richard@imendio.com>Richard Hult2003-12-021-1/+1
| | | | | * Update AFL version to 2.0 throughout the source files to reflect the update that was done a while ago.
* 2003-11-26 Mikael Hallendal <micke@imendio.com>Mikael Hallendal2003-11-271-3/+9
| | | | | | * bus/*.[ch]: * dbus/*.[ch]: * glib/*.[ch]: Made ref functions return the pointer
* 2003-10-14 Havoc Pennington <hp@redhat.com>Havoc Pennington2003-10-141-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * bus/bus.c (bus_context_check_security_policy): revamp this to work more sanely with new policy-based requested reply setup * bus/connection.c (bus_transaction_send_from_driver): set bus driver messages as no reply * bus/policy.c (bus_client_policy_check_can_receive): handle a requested_reply attribute on allow/deny rules * bus/system.conf: add <allow requested_reply="true"/> * bus/driver.c (bus_driver_handle_message): fix check for replies sent to the bus driver, which was backward. How did this ever work at all though? I think I'm missing something. * dbus/dbus-message.c (decode_header_data): require error and method return messages to have a reply serial field to be valid (_dbus_message_loader_queue_messages): break up this function; validate that reply serial and plain serial are nonzero; clean up the OOM/error handling. (get_uint_field): don't return -1 from this (dbus_message_create_header): fix signed/unsigned bug * bus/connection.c (bus_connections_expect_reply): save serial of the incoming message, not reply serial
* 2003-10-09 Havoc Pennington <hp@redhat.com>Havoc Pennington2003-10-101-12/+5
| | | | | | | | | | | | | | | | | | | Make matching rules theoretically work (add parser). * bus/bus.c (bus_context_check_security_policy): fix up to handle the case where destination is explicitly specified as bus driver and someone else is eavesdropping. * bus/policy.c (bus_client_policy_check_can_receive): fix up definition of eavesdropping and assertion * tools/dbus-send.c (main): use dbus_message_type_from_string * bus/signals.c (bus_match_rule_parse): implement * dbus/dbus-message.c (dbus_message_type_from_string): new * dbus/dbus-errors.h (DBUS_ERROR_MATCH_RULE_INVALID): add
* 2003-09-21 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-09-211-2/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Get matching rules mostly working in the bus; only actually parsing the rule text remains. However, the client side of "signal connections" hasn't been started, this patch is only the bus side. * dbus/dispatch.c: fix for the matching rules changes * bus/driver.c (bus_driver_handle_remove_match) (bus_driver_handle_add_match): send an ack reply from these method calls * glib/dbus-gproxy.c (dbus_gproxy_begin_call): fix order of arguments, reported by Seth Nickell * bus/config-parser.c (append_rule_from_element): support eavesdrop=true|false attribute on policies so match rules can be prevented from snooping on the system bus. * bus/dbus-daemon-1.1.in: consistently use terminology "sender" and "destination" in attribute names; fix some docs bugs; add eavesdrop=true|false attribute * bus/driver.c (bus_driver_handle_add_match) (bus_driver_handle_remove_match): handle AddMatch, RemoveMatch messages * dbus/dbus-protocol.h (DBUS_SERVICE_ORG_FREEDESKTOP_BROADCAST): get rid of broadcast service concept, signals are just always broadcast * bus/signals.c, bus/dispatch.c, bus/connection.c, bus/bus.c: mostly implement matching rules stuff (currently only exposed as signal connections)
* 2003-09-06 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-09-061-0/+50
| | | | | | | | | | | | | * doc/dbus-specification.sgml: partial updates * bus/dbus-daemon-1.1.in: fix the config file docs for the zillionth time; hopefully I edited the right file this time. * bus/config-parser.c (append_rule_from_element): support send_type, send_path, receive_type, receive_path * bus/policy.c: add message type and path to the list of things that can be "firewalled"
* 2003-08-19 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-08-201-18/+17
| | | | | | | | | | | | | | | | * dbus/dbus-message.c (decode_string_field): support FIELD_SENDER (dbus_message_is_error): fix this function * bus/dbus-daemon-1.1: clarify logic on when <deny>/<allow> rules match * bus/policy.c (bus_client_policy_check_can_receive): fix code to reflect clarified man page (bus_client_policy_check_can_send): ditto * bus/session.conf.in: fixup * bus/system.conf.in: fixup
* 2003-08-18 Havoc Pennington <hp@redhat.com>Havoc Pennington2003-08-181-12/+18
| | | | | | | | | | | | | | | | | | | | | | | | * dbus/dbus-hash.c (_dbus_hash_table_insert_two_strings): fix * dbus/dbus-message.c (_dbus_message_loader_queue_messages): fix dumb bug created earlier (wrong order of args to decode_header_data()) * tools/dbus-send.c: port * tools/dbus-print-message.c (print_message): port * test/data/*messages: port all messages over * dbus/dbus-message-builder.c: support including message type * bus/driver.c: port over * bus/dispatch.c: port over to new stuff * dbus/dbus-connection.c (_dbus_connection_new_for_transport): rename disconnect signal to "Disconnected"
* 2003-08-17 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-08-181-16/+60
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This doesn't compile yet, but syncing up so I can hack on it from work. What are branches for if not broken code? ;-) * dbus/dbus-protocol.h: remove DBUS_HEADER_FIELD_NAME, add DBUS_HEADER_FIELD_INTERFACE, DBUS_HEADER_FIELD_MEMBER, DBUS_HEADER_FIELD_ERROR_NAME * dbus/dbus-hash.c: Introduce DBUS_HASH_TWO_STRINGS as hack to use for the interface+member pairs (string_hash): change to use g_str_hash algorithm (find_direct_function, find_string_function): refactor these to share most code. * dbus/dbus-message.c: port all of this over to support interface/member fields instead of name field * dbus/dbus-object-registry.c: port over * dbus/dbus-string.c (_dbus_string_validate_interface): rename from _dbus_string_validate_name * bus/dbus-daemon-1.1: change file format for the <deny>/<allow> stuff to match new message naming scheme * bus/policy.c: port over * bus/config-parser.c: parse new format
* 2003-05-17 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-05-171-0/+81
| | | | | | | | * bus/config-parser.c (merge_included): merge in policies from child configuration file. * bus/policy.c (bus_policy_merge): function to merge two policies together
* 2003-05-16 Havoc Pennington <hp@redhat.com>Havoc Pennington2003-05-161-0/+3
| | | | | * bus/policy.c (free_rule_list_func): avoid a crash when passed NULL as DBusHashTable is annoyingly likely to do.
* 2003-04-27 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-04-271-22/+79
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unbreak my code... * dbus/dbus-transport.c (_dbus_transport_get_dispatch_status): report correct status if we finish processing authentication inside this function. * bus/activation.c (try_send_activation_failure): use bus_transaction_send_error_reply * bus/connection.c (bus_connection_get_groups): return an error explaining the problem * bus/bus.c (bus_context_check_security_policy): implement restriction here that inactive connections can only send the hello message. Also, allow bus driver to send anything to any recipient. * bus/connection.c (bus_connection_complete): create the BusClientPolicy here instead of on-demand. (bus_connection_get_policy): don't return an error * dbus/dbus-message.c (dbus_message_new_error_reply): allow NULL sender field in message being replied to * bus/bus.c (bus_context_check_security_policy): fix silly typo causing it to return FALSE always * bus/policy.c (bus_client_policy_check_can_send): fix bug where we checked sender rather than destination
* 2003-04-24 Havoc Pennington <hp@redhat.com>Havoc Pennington2003-04-241-8/+8
| | | | | | | * dbus/dbus-message.c (dbus_message_name_is): rename (dbus_message_service_is): rename (dbus_message_sender_is): rename (dbus_message_get_service): rename
* 2003-04-15 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-04-171-5/+12
| | | | | | | | | * bus/bus.c: create and keep around a shared DBusUserDatabase object. * bus/connection.c (bus_connection_get_groups): don't cache groups for user in the connection object, since user database object now does that.
* 2003-04-13 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-04-141-35/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * dbus/dbus-mainloop.c: fix some reentrancy issues by refcounting callbacks * test/data/valid-config-files/debug-allow-all.conf.in: allow all users * dbus/dbus-transport.c (_dbus_transport_get_dispatch_status): fix to only recover unused bytes if we're already authenticated (_dbus_transport_get_is_authenticated): fix to still mark us authenticated if there are unused bytes. * bus/dispatch.c: implement security policy checking * bus/connection.c (bus_transaction_send_from_driver): new * bus/bus.c (bus_context_check_security_policy): new * bus/dispatch.c (send_service_nonexistent_error): delete this, now we just set the DBusError and it gets converted to an error reply. * bus/connection.c (allow_user_function): enable code using actual data from the config file * bus/policy.c (list_allows_user): handle wildcard rules for user/group connection perms
* 2003-04-13 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-04-131-1/+114
| | | | | | | | | | * bus/config-parser.c: Load up the BusPolicy and BusPolicyRules * dbus/dbus-sysdeps.c (_dbus_get_user_id): new function * bus/policy.c (bus_policy_append_mandatory_rule) (bus_policy_append_default_rule, bus_policy_append_user_rule) (bus_policy_append_group_rule): new functions
* 2003-04-12 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-04-121-19/+294
| | | | | | | | | | | * bus/policy.h: change BusPolicy to be the thing from the config file, and rename old BusPolicy to BusClientPolicy * bus/bus.c, bus/connection.c, bus/config-parser.c: change to match change in how policy works * dbus/dbus-internals.h: mark assert_not_reached as __attribute((noreturn))__
* 2003-03-24 Havoc Pennington <hp@redhat.com>Havoc Pennington2003-03-251-0/+16
| | | | | | | | | | | | | | | | * dbus/dbus-sysdeps.c (_dbus_set_fd_nonblocking): move to this file * dbus/dbus-errors.c (dbus_set_error, dbus_set_error_const): allow NULL argument for "message" if the error is a well-known one, fill in a generic message in this case. * dbus/dbus-errors.h (DBusResultCode): Kill DBusResultCode in favor of DBusError * bus/test.c (bus_test_flush_bus): add * bus/policy.c (bus_policy_test): test code stub
* 2003-03-23 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-03-241-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | * dbus/dbus-threads.c (dbus_mutex_new, dbus_condvar_new): with DBUS_BUILD_TESTS, actually alloc/free a block of memory for the mutex, so we can check for proper memory management and OOM handling. * dbus/dbus-dataslot.c: remove the mutex from DBusDataSlotAllocator and lock it manually when using it, to simplify fitting it into the global slots framework. * dbus/dbus-threads.c (init_static_locks): rework how we're handling global locks so they are easily shut down. * bus/policy.c (bus_policy_append_rule): fix * bus/test-main.c (main): check for memleaks * dbus/dbus-test.c (dbus_internal_do_not_use_run_tests): make test suite check for memleaks * dbus/dbus-memory.c: add support in test mode for tracking number of outstanding blocks
* 2003-03-23 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-03-231-1/+19
| | | | | | | | | | * bus/policy.c, bus/bus.c, bus/connection.c: implement allow/deny policies code * dbus/dbus-hash.h: add ULONG hash keys * dbus/dbus-sysdeps.c (_dbus_get_groups): new (_dbus_get_group_id): new function
* 2003-03-20 Havoc Pennington <hp@pobox.com>Havoc Pennington2003-03-201-10/+244
| | | | | | | | | | | | | * bus/connection.c (bus_connection_send_oom_error): assert that message has a sender (connection_execute_transaction): ditto (bus_connection_preallocate_oom_error): fix to set the sender, and set recipient to the destination service, not the bus driver * bus/policy.c: hacking * dbus/dbus-message.c (dbus_message_service_is): new function (dbus_message_sender_is): new
* 2003-03-19 Havoc Pennington <hp@redhat.com>Havoc Pennington2003-03-191-0/+163
* bus/policy.c: start sketching code for policy restrictions on what connections can do.