Systemd/src/bus-proxyd/proxy.h

#pragma once

/***
  This file is part of systemd.

  Copyright 2014 David Herrmann

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "sd-bus.h"

#include "bus-xml-policy.h"

typedef struct Proxy Proxy;
typedef struct ProxyActivation ProxyActivation;

#define PROXY_ACTIVATIONS_MAX (16) /* max parallel activation requests */

struct Proxy {
        sd_bus *local_bus;
        struct ucred local_creds;
        int local_in;
        int local_out;

        sd_bus *destination_bus;

        Set *owned_names;
        SharedPolicy *policy;

        LIST_HEAD(ProxyActivation, activations);
        size_t n_activations;

        bool got_hello : 1;
        bool queue_overflow : 1;
        bool message_matched : 1;
        bool synthetic_matched : 1;
};

struct ProxyActivation {
        LIST_FIELDS(ProxyActivation, activations_by_proxy);
        Proxy *proxy;
        sd_bus_message *request;
        sd_bus_slot *slot;
};

int proxy_new(Proxy **out, int in_fd, int out_fd, const char *dest);
Proxy *proxy_free(Proxy *p);

int proxy_set_policy(Proxy *p, SharedPolicy *policy, char **configuration);
int proxy_hello_policy(Proxy *p, uid_t original_uid);
int proxy_match(sd_bus_message *m, void *userdata, sd_bus_error *error);
int proxy_run(Proxy *p);

DEFINE_TRIVIAL_CLEANUP_FUNC(Proxy*, proxy_free);
bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00			`#pragma once`

			`/***`
			`This file is part of systemd.`

			`Copyright 2014 David Herrmann`

			`systemd is free software; you can redistribute it and/or modify it`
			`under the terms of the GNU Lesser General Public License as published by`
			`the Free Software Foundation; either version 2.1 of the License, or`
			`(at your option) any later version.`

			`systemd is distributed in the hope that it will be useful, but`
			`WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`Lesser General Public License for more details.`

			`You should have received a copy of the GNU Lesser General Public License`
			`along with systemd; If not, see <http://www.gnu.org/licenses/>.`
			`***/`

			`#include "sd-bus.h"`
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files. 2015-10-24 22:58:24 +02:00
bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00			`#include "bus-xml-policy.h"`

			`typedef struct Proxy Proxy;`
bus-proxy: make StartServiceByName synchronous The StartServiceByName() call was provided by dbus-daemon to activate a service without sending a message. On receiption, dbus-daemon schedules an activation request (different modes are supported) and sends back the reply once activation is done. With kdbus, we marked StartServiceByName() as deprecated. There is no real reason to start services explicitly. Instead, applications should just use the service and rely on it being activated implicitly. However, we provide compatibility with dbus-daemon and implement StartServiceByName() on the proxy via a call to org.freedesktop.DBus.Peer.Ping() on the destination. This will activate the peer implicitly as part of the no-op Ping() method call (regardless whether the peer actually implements that call). Now, the problem is, StartServiceByName() was synchronous on dbus-daemon but isn't on bus-proxy. Hence, on return, there is no guarantee that ListNames includes the activated name. As this is required by some applications, we need to make this synchronous. This patch makes the proxy track the Ping() method call and send the reply of StartServiceByName() only once Ping() returned. We do not look at possible errors of Ping(), as there is no strict requirement for the peer to implement org.freedesktop.DBus.Peer. Furthermore, any interesting error should have already been caught by sd_bus_send() before. Note: This race was triggered by gdbus. The gdbus-proxy implementation relies on a name to be available after StartServiceByName() returns. This is highly fragile and should be dropped by gdbus. Even if the call is synchronous, there is no reason whatsoever to assume the service did not exit-on-idle before ListNames() returns. However, this race is much less likely than the startup race, so we try to be compatible to dbus-daemon now. 2015-07-31 13:25:04 +02:00			`typedef struct ProxyActivation ProxyActivation;`

			`#define PROXY_ACTIVATIONS_MAX (16) /* max parallel activation requests */`
bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00
			`struct Proxy {`
			`sd_bus *local_bus;`
			`struct ucred local_creds;`
			`int local_in;`
			`int local_out;`

bus-proxy: we don't pointlessly abbreviate function names It's fine to abbreviate local variables, but it's not OK to abbreviate function names needlessly. This is not an excercise in writing unreadable code. 2015-02-13 15:05:34 +01:00			`sd_bus *destination_bus;`
bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00
			`Set *owned_names;`
bus-proxy: share policy between threads This implements a shared policy cache with read-write locks. We no longer parse the XML policy in each thread. This will allow us to easily implement ReloadConfig(). 2015-01-17 18:07:58 +01:00			`SharedPolicy *policy;`
bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00
bus-proxy: make StartServiceByName synchronous The StartServiceByName() call was provided by dbus-daemon to activate a service without sending a message. On receiption, dbus-daemon schedules an activation request (different modes are supported) and sends back the reply once activation is done. With kdbus, we marked StartServiceByName() as deprecated. There is no real reason to start services explicitly. Instead, applications should just use the service and rely on it being activated implicitly. However, we provide compatibility with dbus-daemon and implement StartServiceByName() on the proxy via a call to org.freedesktop.DBus.Peer.Ping() on the destination. This will activate the peer implicitly as part of the no-op Ping() method call (regardless whether the peer actually implements that call). Now, the problem is, StartServiceByName() was synchronous on dbus-daemon but isn't on bus-proxy. Hence, on return, there is no guarantee that ListNames includes the activated name. As this is required by some applications, we need to make this synchronous. This patch makes the proxy track the Ping() method call and send the reply of StartServiceByName() only once Ping() returned. We do not look at possible errors of Ping(), as there is no strict requirement for the peer to implement org.freedesktop.DBus.Peer. Furthermore, any interesting error should have already been caught by sd_bus_send() before. Note: This race was triggered by gdbus. The gdbus-proxy implementation relies on a name to be available after StartServiceByName() returns. This is highly fragile and should be dropped by gdbus. Even if the call is synchronous, there is no reason whatsoever to assume the service did not exit-on-idle before ListNames() returns. However, this race is much less likely than the startup race, so we try to be compatible to dbus-daemon now. 2015-07-31 13:25:04 +02:00			`LIST_HEAD(ProxyActivation, activations);`
			`size_t n_activations;`

bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00			`bool got_hello : 1;`
bus-proxy: complain only once about queue overflows If the local peer does not dispatch its incoming queue, the bus-proxy will slowly fill its outgoing queue. Once its full, it will continously complain that it cannot forward its messages. As it turns out, pulseaudio does have an idle background dbus connection that is not integrated into any mainloop (and given that gdbus and libdbus1 both support background shared connections, PA is probably not the only example), therefore, the bus-proxy will loudly complain if it cannot forward NameOwnerChanged events once the queue is full. This commit makes the proxy track queue-state and complain only once the queue runs full, not if it is already full. A PA bug-report (and patch) has been filed, and other applications should be fixed similarly. Hence, lets keep the error message, instead of dropping it. It's unused resources we really want to get rid of, so silencing the message does not really help (which is actually what dbus-daemon does). 2015-03-11 13:53:21 +01:00			`bool queue_overflow : 1;`
bus-proxy: never pass on unmatched broadcasts The lovely libvirtd goes into crazy mode if it receives broadcasts that it didn't subscribe to. With bus-proxyd, this might happen in 2 cases: 1) The kernel passes us an unmatched signal due to a false-positive bloom-match. 2) We generate NameOwnerChanged/NameAcquired/NameLost locally even though the peer didn't subscribe to it. dbus-daemon is reliable in what signals it passes on. So make sure we follow that style. Never ever send a signal to a local peer if it doesn't match an installed filter of that peer. 2015-07-16 15:14:43 +02:00			`bool message_matched : 1;`
			`bool synthetic_matched : 1;`
bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00			`};`

bus-proxy: make StartServiceByName synchronous The StartServiceByName() call was provided by dbus-daemon to activate a service without sending a message. On receiption, dbus-daemon schedules an activation request (different modes are supported) and sends back the reply once activation is done. With kdbus, we marked StartServiceByName() as deprecated. There is no real reason to start services explicitly. Instead, applications should just use the service and rely on it being activated implicitly. However, we provide compatibility with dbus-daemon and implement StartServiceByName() on the proxy via a call to org.freedesktop.DBus.Peer.Ping() on the destination. This will activate the peer implicitly as part of the no-op Ping() method call (regardless whether the peer actually implements that call). Now, the problem is, StartServiceByName() was synchronous on dbus-daemon but isn't on bus-proxy. Hence, on return, there is no guarantee that ListNames includes the activated name. As this is required by some applications, we need to make this synchronous. This patch makes the proxy track the Ping() method call and send the reply of StartServiceByName() only once Ping() returned. We do not look at possible errors of Ping(), as there is no strict requirement for the peer to implement org.freedesktop.DBus.Peer. Furthermore, any interesting error should have already been caught by sd_bus_send() before. Note: This race was triggered by gdbus. The gdbus-proxy implementation relies on a name to be available after StartServiceByName() returns. This is highly fragile and should be dropped by gdbus. Even if the call is synchronous, there is no reason whatsoever to assume the service did not exit-on-idle before ListNames() returns. However, this race is much less likely than the startup race, so we try to be compatible to dbus-daemon now. 2015-07-31 13:25:04 +02:00			`struct ProxyActivation {`
			`LIST_FIELDS(ProxyActivation, activations_by_proxy);`
			`Proxy *proxy;`
			`sd_bus_message *request;`
			`sd_bus_slot *slot;`
			`};`

bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00			`int proxy_new(Proxy *out, int in_fd, int out_fd, const char dest);`
			`Proxy proxy_free(Proxy p);`

bus-proxy: share policy between threads This implements a shared policy cache with read-write locks. We no longer parse the XML policy in each thread. This will allow us to easily implement ReloadConfig(). 2015-01-17 18:07:58 +01:00			`int proxy_set_policy(Proxy p, SharedPolicy policy, char **configuration);`
bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00			`int proxy_hello_policy(Proxy *p, uid_t original_uid);`
bus-proxy: never pass on unmatched broadcasts The lovely libvirtd goes into crazy mode if it receives broadcasts that it didn't subscribe to. With bus-proxyd, this might happen in 2 cases: 1) The kernel passes us an unmatched signal due to a false-positive bloom-match. 2) We generate NameOwnerChanged/NameAcquired/NameLost locally even though the peer didn't subscribe to it. dbus-daemon is reliable in what signals it passes on. So make sure we follow that style. Never ever send a signal to a local peer if it doesn't match an installed filter of that peer. 2015-07-16 15:14:43 +02:00			`int proxy_match(sd_bus_message m, void userdata, sd_bus_error *error);`
bus-proxy: extract proxy into Proxy object Move all the proxy code into a "struct Proxy" object that can be used from multiple binaries. We now dropped SMACK as we have to refactor it to work properly. We can introduce it later on. 2015-01-16 14:19:19 +01:00			`int proxy_run(Proxy *p);`

			`DEFINE_TRIVIAL_CLEANUP_FUNC(Proxy*, proxy_free);`