| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
This prevents it leaking into spawned child processes.
Signed-off-by: Colin Walters <walters@verbum.org>
(cherry picked from commit f4e15893e5be6da6c7642bb7ef9b14d5531afe41)
|
|
|
|
|
|
|
| |
No comment.
Signed-off-by: Colin Walters <walters@verbum.org>
(cherry picked from commit 5baf2f856a9c6625993234855b07680da1c8916f)
|
|
|
|
|
|
|
|
| |
* bus/session.conf.in: Remove the reply_timeout stanza, previously
intended to increase the reply timeout, this now reduces it.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
(cherry picked from commit bd2063e17e1bb57dee1a5dfed76c9dde76d55ff3)
|
|
|
|
|
|
|
|
| |
* bus/config-parser.c (bus_config_parser_new): change the default reply
timeout to "never"
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
(cherry picked from commit 8f1d2a2fa8ba2f25121465ad82289c0e09c9675a)
|
|
|
|
|
|
|
|
|
| |
* bus/expirelist.c (do_expiration_with_current_time): Don't check for
expiry if expire_after is negative, will just disable the expiry timer
after the call.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
(cherry picked from commit d672d0320628e93a247eeff89945c81926a42163)
|
|
|
|
|
|
|
|
| |
* bus/expirelist.c (do_expiration_with_current_time): If the item added
time fields are both zero, always expire.
Signed-off-by: Scott James Remnant <scott@ubuntu.com>
(cherry picked from commit d33cfec625bf769384cc370ad0ea660c9993aa15)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stephen Smalley wrote:
> On Tue, 2009-04-21 at 16:32 -0400, Joshua Brindle wrote:
>
>> Stephen Smalley wrote:
>>
>>> On Thu, 2009-04-16 at 20:47 -0400, Eamon Walsh wrote:
>>>
>>>> Stephen Smalley wrote:
>>>>
>> <snip>
>>
>>
>>> No, I don't want to change the behavior upon context_to_sid calls in
>>> general, as we otherwise lose all context validity checking in
>>> permissive mode.
>>>
>>> I think I'd rather change compute_sid behavior to preclude the situation
>>> from arising in the first place, possibly altering the behavior in
>>> permissive mode upon an invalid context to fall back on the ssid
>>> (process) or the tsid (object). But I'm not entirely convinced any
>>> change is required here.
>>>
>>>
>> I just want to follow up to make sure we are all on the same page here. Was the
>> suggestion to change avc_has_perm in libselinux or context_to_sid in the kernel
>> or leave the code as is and fix the callers of avc_has_perm to correctly handle
>> error codes?
>>
>> I prefer the last approach because of Eamon's explanation, EINVAL is already
>> passed in errno to specify the context was invalid (and if object managers
>> aren't handling that correctly now there is a good chance they aren't handling
>> the ENOMEM case either).
>>
>
> I'd be inclined to change compute_sid (not context_to_sid) in the kernel
> to prevent invalid contexts from being formed even in permissive mode
> (scenario is a type transition where role is not authorized for the new
> type). That was originally to allow the system to boot in permissive
> mode. But an alternative would be to just stay in the caller's context
> (ssid) in that situation.
>
> Changing the callers of avc_has_perm() to handle EINVAL and/or ENOMEM
> may make sense, but that logic should not depend on enforcing vs.
> permissive mode.
>
>
FWIW, the following patch to D-Bus should help:
bfo21072 - Log SELinux denials better by checking errno for the cause
Note that this does not fully address the bug report since
EINVAL can still be returned in permissive mode. However the log
messages will now reflect the proper cause of the denial.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
|
|
|
|
|
| |
This patch makes various things that should be static static,
corrects some "return FALSE" where it should be NULL, etc.
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
|
|
| |
Patch suggested by Tomas Hoger <thoger@redhat.com>
|
|
|
|
|
|
|
| |
* bus/bus.c: Initialize AVC earlier:
http://lists.freedesktop.org/archives/dbus/2008-October/010493.html
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
|
|
| |
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
|
|
| |
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
|
|
| |
Signed-off-by: Colin Walters <walters@verbum.org>
|
| |
|
|
|
|
|
|
| |
The requested_reply field is necessary in send denials too because
it's used in the policy language. The connection loginfo lack in
"would deny" was just an oversight.
|
|
|
|
|
|
|
|
| |
Extend the current security logs with even more relevant
information than just the message content. This requires
some utility code to look up and cache (as a string)
the data such as the uid/pid/command when a connection is
authenticated.
|
|\ |
|
| |
| |
| |
| |
| | |
The former was too reliant on old bugs and was generally unclear.
This one makes explicit exactly what is allowed and not.
|
| |
| |
| |
| |
| | |
This lets us have a backwards compatibility allow rule but still easily
see when that rule is being used.
|
| |
| |
| |
| | |
It's part of the security check, we should have it in the log.
|
|/
|
|
|
| |
We need to start logging denials so that they become more easily trackable
and debuggable.
|
|
|
|
|
| |
We need to fix all of the bare send_interface rules; see:
https://bugs.freedesktop.org/show_bug.cgi?id=18961
|
|
|
|
| |
We need some sort of general advice here.
|
|
|
|
|
|
|
| |
Our previous fix went too far towards lockdown; many things rely
on signals to work, and there's no really good reason to restrict
which signals can be emitted on the bus because we can't tie
them to a particular sender.
|
|
|
|
|
|
|
|
|
|
|
| |
The previous rule <allow send_requested_reply="true"/> was actually
applied to all messages, even if they weren't a reply. This meant
that in fact the default DBus policy was effectively allow, rather
than deny as claimed.
This fix ensures that the above rule only applies to actual reply
messages.
Signed-off-by: Colin Walters <walters@verbum.org>
|
|
|
|
|
|
| |
* bus/dir-watch-inotify.c: Always drop the watch in
handle_inotify_watch; this ensures we always readd it
correctly in bus_drop_all_directory_watches.
|
|
|
|
|
|
|
|
| |
Commit 91306ef938873fce8f2ae2d4a6b3282d0379c65a introduced
two memory leaks on OOM error paths. In one case the
environment string array wasn't getting freed, and in the
other case it was getting freed with dbus_free instead of
dbus_free_string_array.
|
|
|
|
|
|
|
|
| |
There have been a number of patches in the past try to key system
versus session bus policy off of the message bus type, when the
policy should be distinguished from more fine-grained options in the
individulal policy files. Hopefully, this man page update will make
that more clear.
|
|
|
|
|
|
|
|
| |
It adjusts the environment of activated bus clients.
This is important for session managers that get started
after the session bus daemon and want to influence the
environment of desktop services that are started by the
bus.
|
|
|
|
|
|
|
|
| |
We now keep the environment in a hash table member of the
activation object and provide a method
bus_activation_set_environment_variable to modify the
hash table. This hash table is seeded initially with the
environment of the bus daemon itself.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* bus/driver.c: Add GetAdtAuditSessionData method
which returns audit data for a connection.
* configure.in: Detect ADT auditing support
* dbus/dbus-auth.c: Read ADT auditing creds.
* dbus/dbus-connection.c: Implement
dbus_connection_get_adt_audit_session_data.
* dbus/dbus-connection.h: Export it.
* dbus/dbus-credentials.c: Add support for
gathering adt_audit_data and retrieving it
via _dbus_credentials_get_adt_audit_data.
* dbus/dbus-credentials.h: Add
DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID.
* dbus/dbus-protocol.h: New error
DBUS_ERROR_ADT_AUDIT_DATA_UNKNOWN.
* dbus/dbus-sysdeps.c: Support for reading
audit credentials via ADT API.
* dbus/dbus-transport.c: New function
_dbus_transport_get_adt_audit_session_data
to retrieve credentials.
* dbus/dbus-transport.h: Export it.
|
|
|
|
|
|
|
|
|
|
| |
* bus/expirelist.c
(do_expiration_with_current_time): calculate correct min wait time
and next interval
(bus_expire_list_add, bus_expire_list_add_link): if the timeout is
disabled when we add an item to the expire list, enable the timeout
(do_expiration_with_current_time): only set timeout if there are
items to expire
|
|\
| |
| |
| |
| |
| | |
Conflicts:
ChangeLog
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
2008-04-01 Timo Hoenig <thoenig@suse.de>
Patch from Frederic Crozat <fcrozat@mandriva.com>
* bus/dir-watch-inotify.c (bus_watch_directory): Only monitor
IN_CLOSE_WRITE, IN_DELETE, IN_MOVE_TO and IN_MOVE_FROM events. This
way, only atomic changes to configuration file are monitored.
* bus/dir-watch-inotify.c (_handle_inotify_watch): Fix typo in
_dbus_verbose function call
* bus/dir-watch-inotify.c (bus_drop_all_directory_watches): Use
_dbus_strerror instead of perror
|
|/
|
|
|
|
|
|
|
|
|
|
| |
2007-11-08 Havoc Pennington <hp@redhat.com>
* bus/connection.c, bus/expirelist.c: Make the BusExpireList
struct opaque, adding accessors for manipulating the list. In this
commit there should be no change in functionality or behavior. The
purpose of this change is to improve encapsulation prior to fixing
some bugs Kimmo Hämäläinen found where the timeout is not properly
updated, since we need to e.g. take some action whenever adding
and removing stuff from the expire list.
|
|
|
|
|
|
|
|
|
|
|
|
| |
* CVE-2008-0595 - security policy of the type <allow send_interface=
"some.interface.WithMethods"/> work as an implicit allow for
messages sent without an interface bypassing the default deny rules
and potentially allowing restricted methods exported on the bus to be
executed by unauthorized users. This patch fixes the issue.
* bus/policy.c (bus_client_policy_check_can_send,
bus_client_policy_check_can_receive): skip messages without an
interface when evaluating an allow rule, and thus pass it to the
default deny rules
|
|
|
|
|
|
| |
* dbus/dbus-sysdeps-unix.c: define _GNU_SOURCE
* bus/selinux.c: include limits.h
* Patch by Matthias Clasen <mclasen at redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
2008-01-17 Timo Hoenig <thoenig@suse.de>
* fix inotify support
* bus/dir-watch-inotify.c (_handle_inotify_watch): fix reading of the
inotify events. Also, use ssize_t not size_t for 'ret'.
* bus/dir-watch-inotify.c (bus_watch_directory): watch not only for
IN_MODIFY but also for IN_CREATE and IN_DELETE
* bus/dir-watch-inotify.c (bus_drop_all_directory_watches): drop the
inotify watches more elegantly by closing inotify:_fd, set inotify_fd to
-1 after dropping the watches
|
|
|
|
|
|
| |
2008-01-15 John (J5) Palmieri <johnp@redhat.com>
* bus/messagebus.in: add lsb headers (FDO Bug #11491)
|
|
|
|
|
|
|
|
| |
2008-01-15 John (J5) Palmieri <johnp@redhat.com>
* patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
* bus/bus.c (setup_server): check failed allocation (FDO Bug #12920)
|
|
|
|
|
|
|
|
| |
2008-01-15 John (J5) Palmieri <johnp@redhat.com>
* bus/bus.c (bus_context_check_security_policy): rewrite selinux error
handling to not abort due to a NULL read and to set the error only if
it is not already set (Based off of FDO Bug #12430)
|
|
|
|
|
|
|
|
|
|
|
| |
2008-01-15 John (J5) Palmieri <johnp@redhat.com>
* patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
* bus/config-parser.c (locate_attributes): remove dead code which
always evaluated to TRUE
* dbus/dbus-shell.c (_dbus_shell_quote): remove unused code
|
|
|
|
|
|
|
|
|
| |
2008-01-14 John (J5) Palmieri <johnp@redhat.com>
* patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
* bus/connection.c (bus_connection_complete): plug a possible
BusClientPolicy leak (FDO Bug #13242)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
2008-01-14 John (J5) Palmieri <johnp@redhat.com>
* patch by Frederic Crozat <fcrozat at mandriva dot com> (FDO Bz#
13268)
* add inotify support
* bus/Makefile.am: add inotify module to the build
* bus/dir-watch-inotify.c: inotify module based off the dnotify and
kqueue modules
* configure.in: add checks and switch for inotify
also add a printout at the end of configure if inotify and kqueue
support is being built in (dnotify already had this)
|
|
|
|
|
|
|
|
|
| |
2008-01-14 John (J5) Palmieri <johnp@redhat.com>
* patch by Frederic Crozat <fcrozat at mandriva dot com>
* bus/dir-watch-dnotify.c (bus_watch_directory): watch for file
creates also
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
_dbus_string_copy_to_buffer weird behavior.
2007-10-31 Havoc Pennington <hp@redhat.com>
* bus/selinux.c (log_audit_callback): rewrite to use
_dbus_string_copy_to_buffer_with_nul()
* dbus/dbus-string.c (_dbus_string_copy_to_buffer): change to NOT
nul-terminate the buffer; fail an assertion if there is not enough
space in the target buffer. This fixes two bugs where
copy_to_buffer was used to copy the binary bytes in a UUID, where
nul termination did not make sense. Bug reported by David Castelow.
(_dbus_string_copy_to_buffer_with_nul): new function that always
nul-terminates the buffer, and fails an assertion if there is not
enough space in the buffer.
|
|
|
|
|
|
|
|
|
|
|
|
| |
namespace it
2007-10-23 Havoc Pennington <hp@redhat.com>
* bus/bus.c (bus_context_new): use the new name here
* bus/selinux.c (bus_selinux_audit_init): rename from audit_init()
to avoid possible libc conflict, and declare it in .h file to
avoid a warning
|
|
|
|
|
|
| |
2007-10-19 Havoc Pennington <hp@redhat.com>
* bus/bus.c (bus_context_new): put audit_init() in HAVE_SELINUX
|
|
|
|
|
|
|
|
|
|
|
|
| |
2007-10-19 Havoc Pennington <hp@redhat.com>
* bus/bus.c (bus_context_new): put the audit_init() in here
instead, which I believe ends up being the same as where it was
before, though I'm not sure I understand why it goes here.
* dbus/dbus-sysdeps-util-unix.c (_dbus_change_to_daemon_user):
remove audit_init() from here, this file can't depend on code in
bus/ directory
|
|
|
|
|
| |
CVS ignores these automatically, so they weren't in the .cvsignore when Ryan
converted the repository.
|