| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
|
|
This ensures that our rlimit is actually high enough to avoid the
denial of service described in CVE-2014-3636 part A.
CVE-2014-7824 has been allocated for this incomplete fix.
Restore the original rlimit for activated services, to avoid
them getting undesired higher limits.
(Thanks to Alban Crequy for various adjustments which have been
included in this commit.)
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=85105
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
|
|
|
|
This is one of four commits needed to address CVE-2014-3637.
The bus uses _dbus_connection_set_pending_fds_function and
_dbus_connection_get_pending_fds_count to be notified when there are pending
file descriptors. A timeout per connection is armed and disarmed when the file
descriptor list is used and emptied.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
This is one of four commits needed to address CVE-2014-3637.
When a file descriptor is passed to dbus-daemon, the associated D-Bus message
might not be fully sent to dbus-daemon yet. Dbus-daemon keeps the file
descriptor in the DBusMessageLoader of the connection, waiting for the rest of
the message. If the client stops sending the remaining bytes, dbus-daemon will
wait forever and keep that file descriptor.
This patch adds pending_fd_timeout (milliseconds) in the configuration to
disconnect a connection after a timeout when a file descriptor was sent but not
the remaining message.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
This addresses the parts of CVE-2014-3639 not already addressed by
reducing the default authentication timeout.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80851
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
This partially addresses CVE-2014-3639.
This will change the default on the system bus where the limit
<limit name="auth_timeout">...</limit>
is not specified.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80919
Reviewed-by: Thiago Macieira <thiago@kde.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
This addresses CVE-2014-3636.
Based on a patch by Alban Crequy. Now that it's the same on all
platforms, there's little point in it being set by configure/cmake.
This change fixes two distinct denials of service:
fd.o#82820, part A
------------------
Before this patch, the system bus had the following default configuration:
- max_connections_per_user: 256
- DBUS_DEFAULT_MESSAGE_UNIX_FDS: usually 1024 (or 256 on QNX, see fd.o#61176)
as defined by configure.ac
- max_incoming_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
- max_outgoing_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS*4 = usually 4096
- max_message_unix_fds: DBUS_DEFAULT_MESSAGE_UNIX_FDS = usually 1024
This means that a single user could create 256 connections and transmit
256*4096 = 1048576 file descriptors.
The file descriptors stay attached to the dbus-daemon process while they are
in the message loader, in the outgoing queue or waiting to be dispatched before
D-Bus activation.
dbus-daemon is usually limited to 65536 file descriptors (ulimit -n). If the
limit is reached and dbus-daemon needs to receive a message with a file
descriptor attached, this is signalled by recvfrom with the flag MSG_CTRUNC.
Dbus-daemon cannot recover from that error because the kernel does not have any
API to retrieve a file descriptor which has been discarded with MSG_CTRUNC.
Therefore, it closes the connection of the sender. This is not necessarily the
connection which generated the most file descriptors so it can lead to
denial-of-service attacks.
In order to prevent DoS issues, this patch reduces DEFAULT_MESSAGE_UNIX_FDS to
16:
max_connections_per_user * max_incoming_unix_fds = 256 * 64 = 16384
This is less than the usual "ulimit -n" (65536) with a good margin to
accomodate the other sources of file descriptors (stdin/stdout/stderr,
listening sockets, message loader, etc.).
Distributors on non-Linux may need to configure a smaller limit in
system.conf, if their limit on the number of fds is smaller than
Linux's.
fd.o#82820, part B
------------------
On Linux, it's not possible to send more than 253 fds in a single sendmsg()
call: sendmsg() would return -EINVAL.
#define SCM_MAX_FD 253
SCM_MAX_FD changed value during Linux history:
- it used to be (OPEN_MAX-1)
- commit c09edd6eb (Jul 2007) changed it to 255
- commit bba14de98 (Nov 2010) changed it to 253
Libdbus always sends all of a message's fds, and the beginning
of the message itself, in a single sendmsg() call. Combining these
two, a malicious sender could split a message across two or more
sendmsg() calls to construct a composite message with 254 or more
fds. When dbus-daemon attempted to relay that message to its
recipient in a single sendmsg() call, it would receive EINVAL,
interpret that as a fatal socket error and disconnect the recipient,
resulting in denial of service.
This is fixed by keeping max_message_unix_fds <= SCM_MAX_FD.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=82820
Reviewed-by: Alban Crequy <alban.crequy@collabora.co.uk>
|
|
This addresses CVE-2014-3638.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81053
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug-Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=507232
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=81043
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
How it should work:
When a D-Bus message activates a service, LSMs (SELinux or AppArmor) check
whether the message can be delivered after the service has been activated. The
service is considered activated when its well-known name is requested with
org.freedesktop.DBus.RequestName. When the message delivery is denied, the
service stays activated but should not receive the activating message (the
message which triggered the activation). dbus-daemon is supposed to drop the
activating message and reply to the sender with a D-Bus error message.
However, it does not work as expected:
1. The error message is delivered to the service instead of being delivered to
the sender. As an example, the error message could be something like:
An SELinux policy prevents this sender from sending this
message to this recipient, [...] member="MaliciousMethod"
If the sender and the service are malicious confederates and agree on a
protocol to insert information in the member name, the sender can leak
information to the service, even though the LSM attempted to block the
communication between the sender and the service.
2. The error message is delivered as a reply to the RequestName call from
service. It means the activated service will believe it cannot request the
name and might exit. The sender could activate the service frequently and
systemd will give up activating it. Thus the denial of service.
The following changes fix the bug:
- bus_activation_send_pending_auto_activation_messages() only returns an error
in case of OOM. The prototype is changed to return TRUE, or FALSE on OOM
(and its only caller sets the OOM error).
- When a client is not allowed to talk to the service, a D-Bus error message
is pre-allocated to be delivered to the client as part of the transaction.
The error is not propagated to the caller so RequestName will not fail
(except on OOM).
[fixed a misleading comment -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78979
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Colin Walters <walters@verbum.org>
|
|
|
|
Enhances usability under systemd by making the documentation available
with systemctl status or systemctl help.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=77447
Reviewed-by: Simon McVittie
|
|
|
|
application naming scheme.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=73495
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
naming scheme.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=73495
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=73495
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
The algorithm to collapse a subsidiary config file's data into the
master data structure forgot to examine this flag.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=73475
Reviewed-by: Chengwei Yang <chengwei.yang@intel.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
[FreeBSD and OpenBSD contributors clarified that O_CLOEXEC has been
supported for ~ 2 years on both, so for the moment we're assuming
that every platform with kqueue also has working O_CLOEXEC. Please reopen
the bug, with a tested patch that uses _dbus_fd_set_close_on_exec() instead,
if this assumption turns out to be false. -smcv]
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=72213
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
There is a DBusList* member of BusTransaction named "connections", while
its getter function bus_transaction_get_connections() returns
context->connections which in fact is a BusConnections pointer, this is
quite confusing. Because this is what bus_context_get_connections()
returns.
This patch call out to bus_context_get_connections() directly and remove
the then unused bus_transaction_get_connections().
https://bugs.freedesktop.org/show_bug.cgi?id=71597
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
There are memory blocks leak when doing bus-test, both dispatch-sha1 and
dispatch test cases complain memory blocks leak.
This patch also fix fd leaks.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69332
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69332
[altered commit message to not say it fixes memory leaks -smcv]
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
The message bus which can monitor its conf dirs for changes and reload
confs immediately if dir monitor enabled, for example, inotify in Linux,
kqueue in *BSD.
However, it doesn't apply policy rules change for completed connections,
so to apply policy rules change, the client connection has to disconnect
first and then re-connect to message bus.
For imcomplete connections, it always has the latest review of policy
rules.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=39463
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
Signed-off-by: Radoslaw Pajak <r.pajak@samsung.com>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=71526
|
|
Previous to the introduction of selinux_set_mapping(), DBus pulled
constants generated from the system's policy at build time. But this
means it's impossible to replace the system policy without rebuilding
userspace components.
This patch maps from arbitrary class/perm indices used by D-Bus and
the policy values and handles all the translation at runtime on
avc_has_perm() calls.
Bug: https://bugs.freedesktop.org/attachment.cgi?id=88719
Reviewed-By: Colin Walters <walters@verbum.org>
Tested-By: Colin Walters <walters@verbum.org>
|
|
|
|
As soon as capng_clear() is called, we won't appear to have
CAP_AUDIT_WRITE. Fix this by checking for it before resetting the
libcap state.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=49062
Tested-by: Laurent Bigonville <bigon@debian.org>
Reviewed-by: Laurent Bigonville <bigon@debian.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Lennart Poettering <lennart@poettering.net>
|
|
DBusBabysitter->executable is defined as executable name to use in error
messages. However, if servicehelper used, then the executable name is
servicehelper. It's not much help because we couldn't figure out which
service we're trying to activated if error happens.
In the following patch, we'll use service name to be activated as the
child log identifier and add a parameter to
_dbus_spawn_async_with_babysitter() to pass the log identifier. Since
this is not the case in test, so executable changed to log_name.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68559
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=60859
Reviewed-by: Chengwei Yang
[removed unused variable based on review -smcv]
|
|
As Simon's comment
https://bugs.freedesktop.org/show_bug.cgi?id=66068#c8
we can do this in UNIX environment.
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=70799
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Reviewed-by: Ryan Lortie <desrt@desrt.ca>
|
|
|
|
Key-word "Group" of DBus .service file hasn't been used since it was
introduced in 2007, so it's fine to remove it.
https://bugs.freedesktop.org/show_bug.cgi?id=19158
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=66728
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
On platforms that use getpeereid(), this can't work.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=60340
Reviewed-by: Colin Walters <walters@verbum.org>
|
|
When we drop capabilities we shouldn't assume we can keep
CAP_AUDIT_WRITE unconditionally, since it will not be available when
running in containers.
This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
actually have it in the first place.
This makes audit/selinux enabled D-Bus work in a Linux container.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=49062
Acked-by: Thiago Macieira <thiago@kde.org>
Acked-by: Colin Walters <walters@verbum.org>
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
On Windows, the dbus-daemon is not able to fork (daemonize). If someone
explicitly requests forking, it should fail, but if someone
explicitly requests *not* forking, there seems no harm in allowing it.
A few of the regression tests specifically require a dbus-daemon that
will not fork, so allowing this option on Windows means those tests
don't need an extra OS condition.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68852
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
|
|
It must be one of the "only smcv tests this" configurations...
|
|
Sharing a static variable between threads is not safe in general,
and this function is used in the shared libdbus (for nonce files),
so it can't rely on being single-threaded.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68610
Reviewed-by: Ralf Habacker <ralf.habacker@freenet.de>
|
|
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68303
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
|
|
At previous, it will do get pid and print a verbose string per inotify
event, and then do send signal to the daemon.
This patch changes the behavior to get pid and print a verbose string
one time.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=68303
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
|
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
|
