summaryrefslogtreecommitdiff
path: root/src/bus-proxyd
Commit message (Collapse)AuthorAge
* Assorted format fixesZbigniew Jędrzejewski-Szmek2015-01-22
| | | | | Types used for pids and uids in various interfaces are unpredictable. Too bad.
* bus-proxy: don't pretend everyone is rootDavid Herrmann2015-01-18
| | | | | | While it's a lovely scenario, it's probably not really useful. Fix our GetConnectionUnixUser() to return the actual 'euid' which we asked for, not the possible uninitialized 'uid'.
* bus: use EUID over UID and fix unix-credsDavid Herrmann2015-01-18
| | | | | | | | | | | | | | | | | | | | | Whenever a process performs an action on an object, the kernel uses the EUID of the process to do permission checks and to apply on any newly created objects. The UID of a process is only used if someone *ELSE* acts on the process. That is, the UID of a process defines who owns the process, the EUID defines what privileges are used by this process when performing an action. Process limits, on the other hand, are always applied to the real UID, not the effective UID. This is, because a process has a user object linked, which always corresponds to its UID. A process never has a user object linked for its EUID. Thus, accounting (and limits) is always done on the real UID. This commit fixes all sd-bus users to use the EUID when performing privilege checks and alike. Furthermore, it fixes unix-creds to be parsed as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone using UID (eg., to do user-accounting) has to fall back to the EUID as UDS does not transmit the UID.
* bus-proxy: fake all UIDs/GIDs, not just the real UID/GIDDavid Herrmann2015-01-18
| | | | | | Make sure we tell the kernel to fake all UIDs/GIDs. Otherwise, the remote side has no chance of querying our effective UID (which is usually what they're interested in).
* bus-proxy: fix bus-uid trackingDavid Herrmann2015-01-18
| | | | | | We need to implicitly allow HELLO from users with the same uid as the bus. Fix the bus-uid tracking to use the original uid, not the uid after privilege-dropping.
* bus-proxy: don't print error-messages if we check multiple destsDavid Herrmann2015-01-17
| | | | | | If we test the policy against multiple destination names, we really should not print warnings if one of the names results in DENY. Instead, pass the whole array of names to the policy and let it deal with it.
* bus-proxy: implement org.freedesktop.DBus.ReloadConfig()David Herrmann2015-01-17
| | | | Make sure to reload our xml policy configuration if requested via the bus.
* bus-proxy: fix indentationDavid Herrmann2015-01-17
| | | | Fix whitespace indentation.
* bus-proxy: drop privileges if run as rootDavid Herrmann2015-01-17
| | | | | | We cannot use "User=" in unit-files if we want to retain privileges. So make bus-proxy.c explicitly drop privileges. However, only do that if we're root, as there is no need to drop it on the user-bus.
* bus-proxy: share policy between threadsDavid Herrmann2015-01-17
| | | | | | | This implements a shared policy cache with read-write locks. We no longer parse the XML policy in each thread. This will allow us to easily implement ReloadConfig().
* bus-proxy: set custom thread namesDavid Herrmann2015-01-17
| | | | | | Set thread-names to "p$PIDu$UID" and suffix with '*' if truncated. This helps debugging bus-proxy issues if we want to figure out which connections are currently open.
* bus-proxy: turn into multi-threaded daemonDavid Herrmann2015-01-17
| | | | | | Instead of using Accept=true and running one proxy for each connection, we now run one proxy-daemon with a thread per connection. This will enable us to share resources like policies in the future.
* bus-proxy: bring back systemd-stdio-bridgeDavid Herrmann2015-01-17
| | | | | Now that we want to make bus-proxy multi-threaded, we have to bring back the systemd-stdio-bridge for our TCP use-cases.
* bus-proxy: extract proxy into Proxy objectDavid Herrmann2015-01-17
| | | | | | | | Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on.
* bus-proxy: refactor bus-creationDavid Herrmann2015-01-17
| | | | | Move local and destination bus creation into a helper function. This further reduces the line count of main().
* bus-proxyd: move synthesize_name_acquired()Daniel Mack2015-01-15
| | | | Move synthesize_name_acquired() to synthesize.c.
* bus-proxy: factor out code for driver handling and message synthesisDaniel Mack2015-01-15
| | | | | Move synthesize_*() into synthesize.c and bus_proxy_process_driver() into driver.c for better code separation.
* bus-proxy: implement 'at_console'David Herrmann2015-01-11
| | | | | | | The 'at_console' policy-category allows to apply policy-items to clients depending on whether they're run from within a valid user-session or not. We use sd_uid_get_seats() to check whether a user has a valid seat (which excludes remote-sessions like ssh).
* bus-proxy: print message direction in policy logsDavid Herrmann2015-01-11
| | | | | Make sure to print "dbus-1 to kernel" or "kernel to dbus-1" in policy logs to better diagnose the situation.
* bus-proxy: fix receiver policy on dbus-1 to kdbus signalsDavid Herrmann2015-01-11
| | | | | | | | | | | | | | | | | If a dbus-1 client sends a broadcasted signal via the bus-proxy to kdbus, the bus-proxy has no idea who the receiver is. Classic dbus-daemon has bus-access and can perform policy checks for each receiver, but we cant. Instead, we know the kernel will perform receiver policy checks for broadcasts, so we can skip the policy check and just push it into the kernel. This fixes wpa_supplicant which has DENY rules on receive_type=signal for non-root. As we never know the target, we always DENY all broadcasts from wpa_supplicant. Note that will still perform receiver-policy checks for signals that we get from the kernel back to us. In those cases, we know the receiver (which is us).
* bus-proxy: fix swapped path/interface debug messagesDavid Herrmann2015-01-11
| | | | The policy debug messages swapped "path=" and "interface=", fix this.
* bus-proxy: fix policy for expected/non-expected reply tagsDavid Herrmann2015-01-11
| | | | | | | | | | | | | | | | | | | dbus-1 distinguishes expected and non-expected replies. An expected reply is a reply that is sent as answer to a previously forwarded method-call before the timeout fires. Those replies are, by default, forwarded and DENY policy tags are ignored on them (unless explicitly stated otherwise). We don't track reply-windows in the bus-proxy as the kernel already does this. Furthermore, the kernel prohibits any non-expected replies (which breaks dbus-1, but it was an odd feature, anyway). Therefore, skip policy checks on replies and always let the kernel deal with it! To be correct, we should still process DENY tags marked as send_expected_reply=true (which is *NOT* the default!). However, so far we don't parse those attributes, and no-one really uses it, so lets not implement it for now. It's marked as TODO if anyone feels like fixing it.
* bus-proxy: make sure we have creds when two legacy clients talk to each otherLennart Poettering2015-01-09
|
* bus-proxy-test: show parsed system/session policyLennart Poettering2015-01-09
|
* bus-proxy: eat up "*" matches, they are pointlessLennart Poettering2015-01-09
|
* bus-proxy: dbus-daemon implies that connections from UIDs that are identical ↵Lennart Poettering2015-01-09
| | | | | | to the bus owner should be allowed Hence, copy this behaviour for bus-proxy too.
* bus-proxyd: xml - consider empty tags as recvKay Sievers2015-01-09
|
* bus-proxy: make sure sure eavesdrop= XML attributes are properly handledLennart Poettering2015-01-09
|
* bus-proxyd: fix EPERM on repliesDavid Herrmann2015-01-08
| | | | | | | | | | | | | | | | | | Imagine a kdbus peer sending a method-call without EXPECT_REPLY set through the proxy to a dbus1 peer. The proxy turns the missing EXPECT_REPLY flag into a dbus1 NO_REPLY_EXPECTED flag. However, if the receipient ignores that flag (valid dbus1 behavior) and sends a reply, the proxy will try to forward it to the original peer. This will fail with EPERM as the kernel didn't track the reply. We have two options now: Either we ignore EPERM for reply messages, or we track reply-windows in the proxy so we can properly ignore replies if EXPECT_REPLY wasn't set. This commit chose the first option: ignore EPERM for replies. The only down-side is that replies without matching method call will no longer be forwarded by the proxy. This works on dbus1, though. Nobody sane does this, so lets ignore it.
* bus-proxyd: optimize replies if they're not requestedDavid Herrmann2015-01-08
| | | | | | | If a caller does not request a reply, dont send it. This skips message creation and speeds up NO_REPLY_EXPECTED cases. Note that sd-bus still handles this case internally, but if we handle it in bus-proxyd, we can skip the whole message creation step.
* bus-proxy: augment credentials from /proc for cmdline updateDavid Herrmann2015-01-08
| | | | | | | | | | dbus1 does not provide cmdline, so we have to augment our credentials from /proc to beautify the bus-proxyd cmdline. We dont use this for anything but beautification, so there shouldn't be any problems due to /proc pid-recycling races. This fixes bus-proxyd to no longer display 'xxxxxxxxxxxxxxxxxxxxxxxxxxx' in its cmdline.
* sd-bus: always catch name requests for the special names ↵Lennart Poettering2015-01-07
| | | | "org.freedesktop.DBus" and "org.freedesktop.DBus.Local" and refuse them
* bus-proxyd: don't allow to acquire org.freedesktop.DBus nameLukasz Skalski2015-01-05
|
* machined,bus-proxy: fix connecting to containersLennart Poettering2015-01-05
|
* tree-wide: spelling fixesVeres Lajos2014-12-30
| | | | | | | https://github.com/vlajos/misspell_fixer https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa Thanks to Torstein Husebo <torstein@huseboe.net>.
* bus-proxy: fix sd_bus_reply_*() usageDavid Herrmann2014-12-29
| | | | | We *must* not use sd_bus_reply_*() as it does not set the sender field correctly. Use the synthetic_reply_*() helpers instead!
* core: rearrange code so that libsystemd/sd-bus/ does not include header ↵Lennart Poettering2014-12-23
| | | | | | | files from core Stuff in src/shared or src/libsystemd should *never* include code from src/core or any of the tools, so don't do that here either. It's not OK!
* bus-proxyd: ignore errors from sd_bus_creds_get_well_known_names()Daniel Mack2014-12-23
| | | | | | | | | sd_bus_creds_get_well_known_names() fails with -ENODATA in case the message has no names attached, which is intended behavior if the remote connection didn't own any names at the time of sending. The function already deals with 'sender_names' being an empty strv, so we can just continue in such cases.
* bus-proxyd: handle -ESRCH and -ENXIO gracefullyDaniel Mack2014-12-23
| | | | | | | | Messages to destinations that are not currently owned by any bus connection will cause kdbus related function to return with either -ENXIO or -ESRCH. Such conditions should not make the proxyd terminate but send a sane SD_BUS_ERROR_NAME_HAS_NO_OWNER error reply to the proxied connection.
* bus-proxy: cloning smack labelPrzemyslaw Kedzierski2014-12-09
| | | | | | | | | | | | | | | | | | | | | | When dbus client connects to systemd-bus-proxyd through Unix domain socket proxy takes client's smack label and sets for itself. It is done before and independent of dropping privileges. The reason of such soluton is fact that tests of access rights performed by lsm may take place inside kernel, not only in userspace of recipient of message. The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label. In case of systemd running in system mode, CAP_MAC_ADMIN should be added to CapabilityBoundingSet in service file of bus-proxyd. In case of systemd running in user mode ('systemd --user') it can be achieved by addition Capabilities=cap_mac_admin=i and SecureBits=keep-caps to user@.service file and setting cap_mac_admin+ei on bus-proxyd binary.
* bus-proxy: fix compat with autostarted servicesLennart Poettering2014-12-08
|
* bus-proxy: don't log bus policy every single time we runLennart Poettering2014-12-02
|
* treewide: introduce UID_INVALID (and friends) as macro for (uid_t) -1Lennart Poettering2014-11-28
|
* sd-bus: rename sd_bus_get_owner_id() → sd_bus_get_bus_id()Lennart Poettering2014-11-28
| | | | | | | The ID returned really doesn't identify the owner, but the bus instance, hence fix this misnaming. Also, update "busctl status" to show the ID in its output.
* treewide: use log_*_errno whenever %m is in the format stringMichal Schmidt2014-11-28
| | | | | | | | | | | If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
* treewide: more log_*_errno + return simplificationsMichal Schmidt2014-11-28
|
* bus-proxy: automatically detect scope of bus and derive which XML snippets ↵Lennart Poettering2014-11-28
| | | | to load from that
* sd-bus: rename default bus address constants, they aren't "paths" but ↵Lennart Poettering2014-11-28
| | | | "addresses"
* sd-bus: rework credential query logicLennart Poettering2014-11-28
| | | | Also, make the call to free kdbus slices generic and use it everywhere
* treewide: no need to negate errno for log_*_errno()Michal Schmidt2014-11-28
| | | | It corrrectly handles both positive and negative errno values.