2015-01-16 14:19:19 +01:00
|
|
|
/***
|
|
|
|
|
This file is part of systemd.
|
|
|
|
|
|
|
|
|
|
Copyright 2010 Lennart Poettering
|
|
|
|
|
Copyright 2013 Daniel Mack
|
|
|
|
|
Copyright 2014 Kay Sievers
|
|
|
|
|
Copyright 2014 David Herrmann
|
|
|
|
|
|
|
|
|
|
systemd is free software; you can redistribute it and/or modify it
|
|
|
|
|
under the terms of the GNU Lesser General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 2.1 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
systemd is distributed in the hope that it will be useful, but
|
|
|
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
|
|
|
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
***/
|
|
|
|
|
|
|
|
|
|
#include <errno.h>
|
2015-02-12 14:06:32 +01:00
|
|
|
#include <poll.h>
|
2015-10-25 13:14:12 +01:00
|
|
|
#include <string.h>
|
|
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <sys/types.h>
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
#include "sd-bus.h"
|
2015-10-25 13:14:12 +01:00
|
|
|
#include "sd-daemon.h"
|
|
|
|
|
|
2015-10-27 03:01:06 +01:00
|
|
|
#include "alloc-util.h"
|
2015-10-25 13:14:12 +01:00
|
|
|
#include "bus-control.h"
|
2015-01-16 14:19:19 +01:00
|
|
|
#include "bus-internal.h"
|
|
|
|
|
#include "bus-message.h"
|
|
|
|
|
#include "bus-util.h"
|
|
|
|
|
#include "bus-xml-policy.h"
|
|
|
|
|
#include "driver.h"
|
2015-10-25 13:14:12 +01:00
|
|
|
#include "fd-util.h"
|
|
|
|
|
#include "formats-util.h"
|
|
|
|
|
#include "log.h"
|
2015-01-16 14:19:19 +01:00
|
|
|
#include "proxy.h"
|
2015-10-25 13:14:12 +01:00
|
|
|
#include "set.h"
|
|
|
|
|
#include "strv.h"
|
2015-01-16 14:19:19 +01:00
|
|
|
#include "synthesize.h"
|
2015-10-27 00:42:07 +01:00
|
|
|
#include "user-util.h"
|
2015-10-25 13:14:12 +01:00
|
|
|
#include "util.h"
|
2015-01-16 14:19:19 +01:00
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
static int proxy_create_destination(Proxy *p, const char *destination, const char *local_sec, bool negotiate_fds) {
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *b = NULL;
|
2015-01-16 14:19:19 +01:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
r = sd_bus_new(&b);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to allocate bus: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_bus_set_description(b, "sd-proxy");
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set bus name: %m");
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_set_address(b, destination);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set address to connect to: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_bus_negotiate_fds(b, negotiate_fds);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set FD negotiation: %m");
|
|
|
|
|
|
bus: use EUID over UID and fix unix-creds
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
2015-01-18 13:55:55 +01:00
|
|
|
r = sd_bus_negotiate_creds(b, true, SD_BUS_CREDS_EUID|SD_BUS_CREDS_PID|SD_BUS_CREDS_EGID|SD_BUS_CREDS_SELINUX_CONTEXT);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set credential negotiation: %m");
|
|
|
|
|
|
|
|
|
|
if (p->local_creds.pid > 0) {
|
|
|
|
|
b->fake_pids.pid = p->local_creds.pid;
|
|
|
|
|
b->fake_pids_valid = true;
|
|
|
|
|
|
2015-02-14 15:13:38 +01:00
|
|
|
b->fake_creds.uid = UID_INVALID;
|
2015-01-18 13:54:46 +01:00
|
|
|
b->fake_creds.euid = p->local_creds.uid;
|
2015-02-14 15:13:38 +01:00
|
|
|
b->fake_creds.suid = UID_INVALID;
|
|
|
|
|
b->fake_creds.fsuid = UID_INVALID;
|
|
|
|
|
b->fake_creds.gid = GID_INVALID;
|
2015-01-18 13:54:46 +01:00
|
|
|
b->fake_creds.egid = p->local_creds.gid;
|
2015-02-14 15:13:38 +01:00
|
|
|
b->fake_creds.sgid = GID_INVALID;
|
|
|
|
|
b->fake_creds.fsgid = GID_INVALID;
|
2015-01-16 14:19:19 +01:00
|
|
|
b->fake_creds_valid = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (local_sec) {
|
|
|
|
|
b->fake_label = strdup(local_sec);
|
|
|
|
|
if (!b->fake_label)
|
|
|
|
|
return log_oom();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b->manual_peer_interface = true;
|
|
|
|
|
|
|
|
|
|
r = sd_bus_start(b);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to start bus client: %m");
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
p->destination_bus = b;
|
2015-01-16 14:19:19 +01:00
|
|
|
b = NULL;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-17 16:20:38 +02:00
|
|
|
static int proxy_create_local(Proxy *p, bool negotiate_fds) {
|
2015-01-16 14:19:19 +01:00
|
|
|
sd_id128_t server_id;
|
2015-10-17 16:20:38 +02:00
|
|
|
sd_bus *b;
|
2015-01-16 14:19:19 +01:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
r = sd_bus_new(&b);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to allocate bus: %m");
|
|
|
|
|
|
2015-10-17 16:20:38 +02:00
|
|
|
r = sd_bus_set_fd(b, p->local_in, p->local_out);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
sd_bus_unref(b);
|
2015-01-16 14:19:19 +01:00
|
|
|
return log_error_errno(r, "Failed to set fds: %m");
|
2015-10-17 16:20:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* The fds are now owned by the bus, and we indicate that by
|
|
|
|
|
* storing the bus object in the proxy object. */
|
|
|
|
|
p->local_bus = b;
|
2015-01-16 14:19:19 +01:00
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_get_bus_id(p->destination_bus, &server_id);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to get server ID: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_bus_set_server(b, 1, server_id);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set server mode: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_bus_negotiate_fds(b, negotiate_fds);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set FD negotiation: %m");
|
|
|
|
|
|
bus: use EUID over UID and fix unix-creds
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
2015-01-18 13:55:55 +01:00
|
|
|
r = sd_bus_negotiate_creds(b, true, SD_BUS_CREDS_EUID|SD_BUS_CREDS_PID|SD_BUS_CREDS_EGID|SD_BUS_CREDS_SELINUX_CONTEXT);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set credential negotiation: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_bus_set_anonymous(b, true);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set anonymous authentication: %m");
|
|
|
|
|
|
|
|
|
|
b->manual_peer_interface = true;
|
|
|
|
|
|
|
|
|
|
r = sd_bus_start(b);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to start bus client: %m");
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
static int proxy_match_synthetic(sd_bus_message *m, void *userdata, sd_bus_error *error) {
|
|
|
|
|
Proxy *p = userdata;
|
|
|
|
|
|
|
|
|
|
p->synthetic_matched = true;
|
|
|
|
|
return 0; /* make sure to continue processing it in further handlers */
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-06 17:54:40 +02:00
|
|
|
/*
|
2015-07-16 15:14:43 +02:00
|
|
|
* We always need NameOwnerChanged so we can synthesize NameLost and
|
|
|
|
|
* NameAcquired. Furthermore, dbus-1 always passes unicast-signals through, so
|
|
|
|
|
* subscribe unconditionally.
|
2015-07-06 17:54:40 +02:00
|
|
|
*/
|
2015-01-16 14:19:19 +01:00
|
|
|
static int proxy_prepare_matches(Proxy *p) {
|
|
|
|
|
_cleanup_free_ char *match = NULL;
|
|
|
|
|
const char *unique;
|
|
|
|
|
int r;
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
if (!p->destination_bus->is_kernel)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 0;
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_get_unique_name(p->destination_bus, &unique);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to get unique name: %m");
|
|
|
|
|
|
|
|
|
|
match = strjoin("type='signal',"
|
|
|
|
|
"sender='org.freedesktop.DBus',"
|
|
|
|
|
"path='/org/freedesktop/DBus',"
|
|
|
|
|
"interface='org.freedesktop.DBus',"
|
|
|
|
|
"member='NameOwnerChanged',"
|
|
|
|
|
"arg1='",
|
|
|
|
|
unique,
|
|
|
|
|
"'",
|
|
|
|
|
NULL);
|
|
|
|
|
if (!match)
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
r = sd_bus_add_match(p->destination_bus, NULL, match, proxy_match_synthetic, p);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to add match for NameLost: %m");
|
|
|
|
|
|
|
|
|
|
free(match);
|
|
|
|
|
match = strjoin("type='signal',"
|
|
|
|
|
"sender='org.freedesktop.DBus',"
|
|
|
|
|
"path='/org/freedesktop/DBus',"
|
|
|
|
|
"interface='org.freedesktop.DBus',"
|
|
|
|
|
"member='NameOwnerChanged',"
|
|
|
|
|
"arg2='",
|
|
|
|
|
unique,
|
|
|
|
|
"'",
|
|
|
|
|
NULL);
|
|
|
|
|
if (!match)
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
r = sd_bus_add_match(p->destination_bus, NULL, match, proxy_match_synthetic, p);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to add match for NameAcquired: %m");
|
|
|
|
|
|
2015-07-06 17:45:26 +02:00
|
|
|
free(match);
|
|
|
|
|
match = strjoin("type='signal',"
|
|
|
|
|
"destination='",
|
|
|
|
|
unique,
|
|
|
|
|
"'",
|
|
|
|
|
NULL);
|
|
|
|
|
if (!match)
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
r = sd_bus_add_match(p->destination_bus, NULL, match, proxy_match_synthetic, p);
|
2015-07-06 17:45:26 +02:00
|
|
|
if (r < 0)
|
2015-07-06 17:54:40 +02:00
|
|
|
log_error_errno(r, "Failed to add match for directed signals: %m");
|
|
|
|
|
/* FIXME: temporarily ignore error to support older kdbus versions */
|
2015-07-06 17:45:26 +02:00
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
int proxy_new(Proxy **out, int in_fd, int out_fd, const char *destination) {
|
2015-01-16 14:19:19 +01:00
|
|
|
_cleanup_(proxy_freep) Proxy *p = NULL;
|
|
|
|
|
_cleanup_free_ char *local_sec = NULL;
|
|
|
|
|
bool is_unix;
|
|
|
|
|
int r;
|
|
|
|
|
|
2015-10-17 16:20:38 +02:00
|
|
|
/* This takes possession/destroys the file descriptors passed
|
|
|
|
|
* in even on failure. The caller should hence forget about
|
|
|
|
|
* the fds in all cases after calling this function and not
|
|
|
|
|
* close them. */
|
|
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
p = new0(Proxy, 1);
|
2015-10-17 16:20:38 +02:00
|
|
|
if (!p) {
|
|
|
|
|
safe_close(in_fd);
|
|
|
|
|
safe_close(out_fd);
|
2015-01-16 14:19:19 +01:00
|
|
|
return log_oom();
|
2015-10-17 16:20:38 +02:00
|
|
|
}
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
p->local_in = in_fd;
|
|
|
|
|
p->local_out = out_fd;
|
|
|
|
|
|
|
|
|
|
p->owned_names = set_new(&string_hash_ops);
|
|
|
|
|
if (!p->owned_names)
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
|
|
|
is_unix = sd_is_socket(in_fd, AF_UNIX, 0, 0) > 0 &&
|
|
|
|
|
sd_is_socket(out_fd, AF_UNIX, 0, 0) > 0;
|
|
|
|
|
|
|
|
|
|
if (is_unix) {
|
|
|
|
|
(void) getpeercred(in_fd, &p->local_creds);
|
|
|
|
|
(void) getpeersec(in_fd, &local_sec);
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = proxy_create_destination(p, destination, local_sec, is_unix);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
2015-10-17 16:20:38 +02:00
|
|
|
r = proxy_create_local(p, is_unix);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
r = proxy_prepare_matches(p);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
*out = p;
|
|
|
|
|
p = NULL;
|
2015-10-17 16:20:38 +02:00
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Proxy *proxy_free(Proxy *p) {
|
bus-proxy: make StartServiceByName synchronous
The StartServiceByName() call was provided by dbus-daemon to activate a
service without sending a message. On receiption, dbus-daemon schedules
an activation request (different modes are supported) and sends back the
reply once activation is done.
With kdbus, we marked StartServiceByName() as deprecated. There is no
real reason to start services explicitly. Instead, applications should
just *use* the service and rely on it being activated implicitly.
However, we provide compatibility with dbus-daemon and implement
StartServiceByName() on the proxy via a call to
org.freedesktop.DBus.Peer.Ping() on the destination. This will activate
the peer implicitly as part of the no-op Ping() method call (regardless
whether the peer actually implements that call).
Now, the problem is, StartServiceByName() was synchronous on dbus-daemon
but isn't on bus-proxy. Hence, on return, there is no guarantee that
ListNames includes the activated name. As this is required by some
applications, we need to make this synchronous.
This patch makes the proxy track the Ping() method call and send the
reply of StartServiceByName() only once Ping() returned. We do not look
at possible errors of Ping(), as there is no strict requirement for the
peer to implement org.freedesktop.DBus.Peer. Furthermore, any interesting
error should have already been caught by sd_bus_send() before.
Note:
This race was triggered by gdbus. The gdbus-proxy implementation
relies on a name to be available after StartServiceByName()
returns. This is highly fragile and should be dropped by gdbus.
Even if the call is synchronous, there is no reason whatsoever to
assume the service did not exit-on-idle before ListNames()
returns.
However, this race is much less likely than the startup race, so
we try to be compatible to dbus-daemon now.
2015-07-31 13:25:04 +02:00
|
|
|
ProxyActivation *activation;
|
|
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
if (!p)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
bus-proxy: make StartServiceByName synchronous
The StartServiceByName() call was provided by dbus-daemon to activate a
service without sending a message. On receiption, dbus-daemon schedules
an activation request (different modes are supported) and sends back the
reply once activation is done.
With kdbus, we marked StartServiceByName() as deprecated. There is no
real reason to start services explicitly. Instead, applications should
just *use* the service and rely on it being activated implicitly.
However, we provide compatibility with dbus-daemon and implement
StartServiceByName() on the proxy via a call to
org.freedesktop.DBus.Peer.Ping() on the destination. This will activate
the peer implicitly as part of the no-op Ping() method call (regardless
whether the peer actually implements that call).
Now, the problem is, StartServiceByName() was synchronous on dbus-daemon
but isn't on bus-proxy. Hence, on return, there is no guarantee that
ListNames includes the activated name. As this is required by some
applications, we need to make this synchronous.
This patch makes the proxy track the Ping() method call and send the
reply of StartServiceByName() only once Ping() returned. We do not look
at possible errors of Ping(), as there is no strict requirement for the
peer to implement org.freedesktop.DBus.Peer. Furthermore, any interesting
error should have already been caught by sd_bus_send() before.
Note:
This race was triggered by gdbus. The gdbus-proxy implementation
relies on a name to be available after StartServiceByName()
returns. This is highly fragile and should be dropped by gdbus.
Even if the call is synchronous, there is no reason whatsoever to
assume the service did not exit-on-idle before ListNames()
returns.
However, this race is much less likely than the startup race, so
we try to be compatible to dbus-daemon now.
2015-07-31 13:25:04 +02:00
|
|
|
while ((activation = p->activations)) {
|
|
|
|
|
LIST_REMOVE(activations_by_proxy, p->activations, activation);
|
|
|
|
|
sd_bus_message_unref(activation->request);
|
|
|
|
|
sd_bus_slot_unref(activation->slot);
|
|
|
|
|
free(activation);
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-17 16:20:38 +02:00
|
|
|
if (p->local_bus)
|
|
|
|
|
sd_bus_flush_close_unref(p->local_bus);
|
|
|
|
|
else {
|
|
|
|
|
safe_close(p->local_in);
|
|
|
|
|
if (p->local_out != p->local_in)
|
|
|
|
|
safe_close(p->local_out);
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-03 19:49:03 +02:00
|
|
|
sd_bus_flush_close_unref(p->destination_bus);
|
2015-01-16 14:19:19 +01:00
|
|
|
set_free_free(p->owned_names);
|
|
|
|
|
free(p);
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-17 18:07:58 +01:00
|
|
|
int proxy_set_policy(Proxy *p, SharedPolicy *sp, char **configuration) {
|
2015-01-16 14:19:19 +01:00
|
|
|
_cleanup_strv_free_ char **strv = NULL;
|
2015-01-17 18:07:58 +01:00
|
|
|
Policy *policy;
|
2015-01-16 14:19:19 +01:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(p);
|
2015-01-17 18:07:58 +01:00
|
|
|
assert(sp);
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
/* no need to load legacy policy if destination is not kdbus */
|
2015-02-13 15:05:34 +01:00
|
|
|
if (!p->destination_bus->is_kernel)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 0;
|
|
|
|
|
|
2015-01-17 18:07:58 +01:00
|
|
|
p->policy = sp;
|
|
|
|
|
|
|
|
|
|
policy = shared_policy_acquire(sp);
|
|
|
|
|
if (policy) {
|
|
|
|
|
/* policy already pre-loaded */
|
|
|
|
|
shared_policy_release(sp, policy);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
if (!configuration) {
|
|
|
|
|
const char *scope;
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_get_scope(p->destination_bus, &scope);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Couldn't determine bus scope: %m");
|
|
|
|
|
|
|
|
|
|
if (streq(scope, "system"))
|
2015-06-17 22:43:46 +02:00
|
|
|
strv = strv_new("/usr/share/dbus-1/system.conf",
|
|
|
|
|
"/etc/dbus-1/system.conf",
|
|
|
|
|
"/usr/share/dbus-1/system.d/",
|
2015-01-16 14:19:19 +01:00
|
|
|
"/etc/dbus-1/system.d/",
|
|
|
|
|
"/etc/dbus-1/system-local.conf",
|
|
|
|
|
NULL);
|
|
|
|
|
else if (streq(scope, "user"))
|
2015-06-17 22:43:46 +02:00
|
|
|
strv = strv_new("/usr/share/dbus-1/session.conf",
|
|
|
|
|
"/etc/dbus-1/session.conf",
|
|
|
|
|
"/usr/share/dbus-1/session.d/",
|
2015-01-16 14:19:19 +01:00
|
|
|
"/etc/dbus-1/session.d/",
|
|
|
|
|
"/etc/dbus-1/session-local.conf",
|
|
|
|
|
NULL);
|
|
|
|
|
else
|
|
|
|
|
return log_error("Unknown scope %s, don't know which policy to load. Refusing.", scope);
|
|
|
|
|
|
|
|
|
|
if (!strv)
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
|
|
|
configuration = strv;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-17 18:07:58 +01:00
|
|
|
return shared_policy_preload(sp, configuration);
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int proxy_hello_policy(Proxy *p, uid_t original_uid) {
|
2015-01-17 18:07:58 +01:00
|
|
|
Policy *policy;
|
|
|
|
|
int r = 0;
|
|
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
assert(p);
|
|
|
|
|
|
|
|
|
|
if (!p->policy)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2015-01-17 18:07:58 +01:00
|
|
|
policy = shared_policy_acquire(p->policy);
|
|
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
if (p->local_creds.uid == original_uid)
|
|
|
|
|
log_debug("Permitting access, since bus owner matches bus client.");
|
2015-01-17 18:07:58 +01:00
|
|
|
else if (policy_check_hello(policy, p->local_creds.uid, p->local_creds.gid))
|
2015-01-16 14:19:19 +01:00
|
|
|
log_debug("Permitting access due to XML policy.");
|
|
|
|
|
else
|
2015-01-17 18:07:58 +01:00
|
|
|
r = log_error_errno(EPERM, "Policy denied connection.");
|
2015-01-16 14:19:19 +01:00
|
|
|
|
2015-01-17 18:07:58 +01:00
|
|
|
shared_policy_release(p->policy, policy);
|
|
|
|
|
|
|
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int proxy_wait(Proxy *p) {
|
2015-02-13 15:05:34 +01:00
|
|
|
uint64_t timeout_destination, timeout_local, t;
|
|
|
|
|
int events_destination, events_local, fd;
|
2015-01-16 14:19:19 +01:00
|
|
|
struct timespec _ts, *ts;
|
|
|
|
|
struct pollfd *pollfd;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(p);
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
fd = sd_bus_get_fd(p->destination_bus);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (fd < 0)
|
|
|
|
|
return log_error_errno(fd, "Failed to get fd: %m");
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
events_destination = sd_bus_get_events(p->destination_bus);
|
|
|
|
|
if (events_destination < 0)
|
|
|
|
|
return log_error_errno(events_destination, "Failed to get events mask: %m");
|
2015-01-16 14:19:19 +01:00
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_get_timeout(p->destination_bus, &timeout_destination);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to get timeout: %m");
|
|
|
|
|
|
|
|
|
|
events_local = sd_bus_get_events(p->local_bus);
|
|
|
|
|
if (events_local < 0)
|
|
|
|
|
return log_error_errno(events_local, "Failed to get events mask: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_bus_get_timeout(p->local_bus, &timeout_local);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to get timeout: %m");
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
t = timeout_destination;
|
|
|
|
|
if (t == (uint64_t) -1 || (timeout_local != (uint64_t) -1 && timeout_local < timeout_destination))
|
2015-01-16 14:19:19 +01:00
|
|
|
t = timeout_local;
|
|
|
|
|
|
|
|
|
|
if (t == (uint64_t) -1)
|
|
|
|
|
ts = NULL;
|
|
|
|
|
else {
|
|
|
|
|
usec_t nw;
|
|
|
|
|
|
|
|
|
|
nw = now(CLOCK_MONOTONIC);
|
|
|
|
|
if (t > nw)
|
|
|
|
|
t -= nw;
|
|
|
|
|
else
|
|
|
|
|
t = 0;
|
|
|
|
|
|
|
|
|
|
ts = timespec_store(&_ts, t);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pollfd = (struct pollfd[3]) {
|
2015-02-13 17:17:45 +01:00
|
|
|
{ .fd = fd, .events = events_destination, },
|
2015-01-16 14:19:19 +01:00
|
|
|
{ .fd = p->local_in, .events = events_local & POLLIN, },
|
|
|
|
|
{ .fd = p->local_out, .events = events_local & POLLOUT, },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
r = ppoll(pollfd, 3, ts, NULL);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(errno, "ppoll() failed: %m");
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int handle_policy_error(sd_bus_message *m, int r) {
|
|
|
|
|
if (r == -ESRCH || r == -ENXIO)
|
|
|
|
|
return synthetic_reply_method_errorf(m, SD_BUS_ERROR_NAME_HAS_NO_OWNER, "Name %s is currently not owned by anyone.", m->destination);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-17 18:07:58 +01:00
|
|
|
static int process_policy_unlocked(sd_bus *from, sd_bus *to, sd_bus_message *m, Policy *policy, const struct ucred *our_ucred, Set *owned_names) {
|
2015-01-16 14:19:19 +01:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(from);
|
|
|
|
|
assert(to);
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
if (!policy)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* dbus-1 distinguishes expected and non-expected replies by tracking
|
|
|
|
|
* method-calls and timeouts. By default, DENY rules are *NEVER* applied
|
|
|
|
|
* on expected replies, unless explicitly specified. But we dont track
|
|
|
|
|
* method-calls, thus, we cannot know whether a reply is expected.
|
|
|
|
|
* Fortunately, the kdbus forbids non-expected replies, so we can safely
|
|
|
|
|
* ignore any policy on those and let the kernel deal with it.
|
|
|
|
|
*
|
|
|
|
|
* TODO: To be correct, we should only ignore policy-tags that are
|
|
|
|
|
* applied on non-expected replies. However, so far we don't parse those
|
|
|
|
|
* tags so we let everything pass. I haven't seen a DENY policy tag on
|
|
|
|
|
* expected-replies, ever, so don't bother..
|
|
|
|
|
*/
|
|
|
|
|
if (m->reply_cookie > 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (from->is_kernel) {
|
|
|
|
|
uid_t sender_uid = UID_INVALID;
|
|
|
|
|
gid_t sender_gid = GID_INVALID;
|
|
|
|
|
char **sender_names = NULL;
|
|
|
|
|
|
|
|
|
|
/* Driver messages are always OK */
|
|
|
|
|
if (streq_ptr(m->sender, "org.freedesktop.DBus"))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* The message came from the kernel, and is sent to our legacy client. */
|
2015-02-13 15:33:42 +01:00
|
|
|
(void) sd_bus_creds_get_well_known_names(&m->creds, &sender_names);
|
2015-01-16 14:19:19 +01:00
|
|
|
|
bus: use EUID over UID and fix unix-creds
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
2015-01-18 13:55:55 +01:00
|
|
|
(void) sd_bus_creds_get_euid(&m->creds, &sender_uid);
|
|
|
|
|
(void) sd_bus_creds_get_egid(&m->creds, &sender_gid);
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
if (sender_uid == UID_INVALID || sender_gid == GID_INVALID) {
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *sender_creds = NULL;
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
/* If the message came from another legacy
|
|
|
|
|
* client, then the message creds will be
|
|
|
|
|
* missing, simply because on legacy clients
|
|
|
|
|
* per-message creds were unknown. In this
|
|
|
|
|
* case, query the creds of the peer
|
|
|
|
|
* instead. */
|
|
|
|
|
|
bus: use EUID over UID and fix unix-creds
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
2015-01-18 13:55:55 +01:00
|
|
|
r = bus_get_name_creds_kdbus(from, m->sender, SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID, true, &sender_creds);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return handle_policy_error(m, r);
|
|
|
|
|
|
bus: use EUID over UID and fix unix-creds
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
2015-01-18 13:55:55 +01:00
|
|
|
(void) sd_bus_creds_get_euid(sender_creds, &sender_uid);
|
|
|
|
|
(void) sd_bus_creds_get_egid(sender_creds, &sender_gid);
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* First check whether the sender can send the message to our name */
|
2015-01-17 21:18:52 +01:00
|
|
|
if (policy_check_send(policy, sender_uid, sender_gid, m->header->type, owned_names, NULL, m->path, m->interface, m->member, false, NULL) &&
|
|
|
|
|
policy_check_recv(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, sender_names, m->path, m->interface, m->member, false))
|
|
|
|
|
return 0;
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
/* Return an error back to the caller */
|
|
|
|
|
if (m->header->type == SD_BUS_MESSAGE_METHOD_CALL)
|
|
|
|
|
return synthetic_reply_method_errorf(m, SD_BUS_ERROR_ACCESS_DENIED, "Access prohibited by XML receiver policy.");
|
|
|
|
|
|
|
|
|
|
/* Return 1, indicating that the message shall not be processed any further */
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (to->is_kernel) {
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *destination_creds = NULL;
|
2015-01-16 14:19:19 +01:00
|
|
|
uid_t destination_uid = UID_INVALID;
|
|
|
|
|
gid_t destination_gid = GID_INVALID;
|
|
|
|
|
const char *destination_unique = NULL;
|
|
|
|
|
char **destination_names = NULL;
|
2015-01-17 21:18:52 +01:00
|
|
|
char *n;
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
/* Driver messages are always OK */
|
|
|
|
|
if (streq_ptr(m->destination, "org.freedesktop.DBus"))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* The message came from the legacy client, and is sent to kdbus. */
|
|
|
|
|
if (m->destination) {
|
|
|
|
|
r = bus_get_name_creds_kdbus(to, m->destination,
|
|
|
|
|
SD_BUS_CREDS_WELL_KNOWN_NAMES|SD_BUS_CREDS_UNIQUE_NAME|
|
bus: use EUID over UID and fix unix-creds
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
2015-01-18 13:55:55 +01:00
|
|
|
SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|SD_BUS_CREDS_PID,
|
2015-01-16 14:19:19 +01:00
|
|
|
true, &destination_creds);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return handle_policy_error(m, r);
|
|
|
|
|
|
|
|
|
|
r = sd_bus_creds_get_unique_name(destination_creds, &destination_unique);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return handle_policy_error(m, r);
|
|
|
|
|
|
2015-02-13 15:33:42 +01:00
|
|
|
(void) sd_bus_creds_get_well_known_names(destination_creds, &destination_names);
|
2015-01-16 14:19:19 +01:00
|
|
|
|
bus: use EUID over UID and fix unix-creds
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
2015-01-18 13:55:55 +01:00
|
|
|
(void) sd_bus_creds_get_euid(destination_creds, &destination_uid);
|
|
|
|
|
(void) sd_bus_creds_get_egid(destination_creds, &destination_gid);
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* First check if we (the sender) can send to this name */
|
2015-07-01 18:31:18 +02:00
|
|
|
if (sd_bus_message_is_signal(m, NULL, NULL)) {
|
|
|
|
|
/* If we forward a signal from dbus-1 to kdbus, we have
|
|
|
|
|
* no idea who the recipient is. Therefore, we cannot
|
|
|
|
|
* apply any dbus-1 policies that match on receiver
|
|
|
|
|
* credentials. We know sd-bus always sets
|
|
|
|
|
* KDBUS_MSG_SIGNAL, so the kernel applies policies to
|
|
|
|
|
* the message. Therefore, skip policy checks in this
|
|
|
|
|
* case. */
|
|
|
|
|
return 0;
|
|
|
|
|
} else if (policy_check_send(policy, our_ucred->uid, our_ucred->gid, m->header->type, NULL, destination_names, m->path, m->interface, m->member, true, &n)) {
|
2015-01-17 21:18:52 +01:00
|
|
|
if (n) {
|
|
|
|
|
/* If we made a receiver decision, then remember which
|
|
|
|
|
* name's policy we used, and to which unique ID it
|
|
|
|
|
* mapped when we made the decision. Then, let's pass
|
|
|
|
|
* this to the kernel when sending the message, so that
|
|
|
|
|
* it refuses the operation should the name and unique
|
|
|
|
|
* ID not map to each other anymore. */
|
|
|
|
|
|
|
|
|
|
r = free_and_strdup(&m->destination_ptr, n);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
r = bus_kernel_parse_unique_name(destination_unique, &m->verify_destination_id);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
2015-07-01 18:31:18 +02:00
|
|
|
if (policy_check_recv(policy, destination_uid, destination_gid, m->header->type, owned_names, NULL, m->path, m->interface, m->member, true))
|
2015-01-17 21:18:52 +01:00
|
|
|
return 0;
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Return an error back to the caller */
|
|
|
|
|
if (m->header->type == SD_BUS_MESSAGE_METHOD_CALL)
|
|
|
|
|
return synthetic_reply_method_errorf(m, SD_BUS_ERROR_ACCESS_DENIED, "Access prohibited by XML sender policy.");
|
|
|
|
|
|
|
|
|
|
/* Return 1, indicating that the message shall not be processed any further */
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-17 18:07:58 +01:00
|
|
|
static int process_policy(sd_bus *from, sd_bus *to, sd_bus_message *m, SharedPolicy *sp, const struct ucred *our_ucred, Set *owned_names) {
|
|
|
|
|
Policy *policy;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(sp);
|
|
|
|
|
|
|
|
|
|
policy = shared_policy_acquire(sp);
|
|
|
|
|
r = process_policy_unlocked(from, to, m, policy, our_ucred, owned_names);
|
|
|
|
|
shared_policy_release(sp, policy);
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
static int process_hello(Proxy *p, sd_bus_message *m) {
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *n = NULL;
|
2015-01-16 14:19:19 +01:00
|
|
|
bool is_hello;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(p);
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
/* As reaction to hello we need to respond with two messages:
|
|
|
|
|
* the callback reply and the NameAcquired for the unique
|
|
|
|
|
* name, since hello is otherwise obsolete on kdbus. */
|
|
|
|
|
|
|
|
|
|
is_hello =
|
|
|
|
|
sd_bus_message_is_method_call(m, "org.freedesktop.DBus", "Hello") &&
|
|
|
|
|
streq_ptr(m->destination, "org.freedesktop.DBus");
|
|
|
|
|
|
|
|
|
|
if (!is_hello) {
|
|
|
|
|
if (p->got_hello)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2015-02-13 15:34:11 +01:00
|
|
|
return log_error_errno(EIO, "First packet isn't hello (it's %s.%s), aborting.", m->interface, m->member);
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (p->got_hello)
|
2015-02-13 15:34:11 +01:00
|
|
|
return log_error_errno(EIO, "Got duplicate hello, aborting.");
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
p->got_hello = true;
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
if (!p->destination_bus->is_kernel)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
r = sd_bus_message_new_method_return(m, &n);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to generate HELLO reply: %m");
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_message_append(n, "s", p->destination_bus->unique_name);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to append unique name to HELLO reply: %m");
|
|
|
|
|
|
|
|
|
|
r = bus_message_append_sender(n, "org.freedesktop.DBus");
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to append sender to HELLO reply: %m");
|
|
|
|
|
|
|
|
|
|
r = bus_seal_synthetic_message(p->local_bus, n);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to seal HELLO reply: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_bus_send(p->local_bus, n, NULL);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to send HELLO reply: %m");
|
|
|
|
|
|
|
|
|
|
n = sd_bus_message_unref(n);
|
|
|
|
|
r = sd_bus_message_new_signal(
|
|
|
|
|
p->local_bus,
|
|
|
|
|
&n,
|
|
|
|
|
"/org/freedesktop/DBus",
|
|
|
|
|
"org.freedesktop.DBus",
|
|
|
|
|
"NameAcquired");
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to allocate initial NameAcquired message: %m");
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_message_append(n, "s", p->destination_bus->unique_name);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to append unique name to NameAcquired message: %m");
|
|
|
|
|
|
|
|
|
|
r = bus_message_append_sender(n, "org.freedesktop.DBus");
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to append sender to NameAcquired message: %m");
|
|
|
|
|
|
2015-07-31 11:12:52 +02:00
|
|
|
r = sd_bus_message_set_destination(n, p->destination_bus->unique_name);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set destination for NameAcquired message: %m");
|
|
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
r = bus_seal_synthetic_message(p->local_bus, n);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to seal NameAcquired message: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_bus_send(p->local_bus, n, NULL);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to send NameAcquired message: %m");
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int patch_sender(sd_bus *a, sd_bus_message *m) {
|
|
|
|
|
char **well_known = NULL;
|
|
|
|
|
sd_bus_creds *c;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(a);
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
if (!a->is_kernel)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* We will change the sender of messages from the bus driver
|
|
|
|
|
* so that they originate from the bus driver. This is a
|
|
|
|
|
* speciality originating from dbus1, where the bus driver did
|
|
|
|
|
* not have a unique id, but only the well-known name. */
|
|
|
|
|
|
|
|
|
|
c = sd_bus_message_get_creds(m);
|
|
|
|
|
if (!c)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
r = sd_bus_creds_get_well_known_names(c, &well_known);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
if (strv_contains(well_known, "org.freedesktop.DBus"))
|
|
|
|
|
m->sender = "org.freedesktop.DBus";
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
static int proxy_process_destination_to_local(Proxy *p) {
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
|
2015-07-16 15:14:43 +02:00
|
|
|
bool matched, matched_synthetic;
|
2015-01-16 14:19:19 +01:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(p);
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
/*
|
|
|
|
|
* Usually, we would just take any message that the bus passes to us
|
|
|
|
|
* and forward it to the local connection. However, there are actually
|
|
|
|
|
* applications that fail if they receive broadcasts that they didn't
|
|
|
|
|
* subscribe to. Therefore, we actually emulate a real broadcast
|
|
|
|
|
* matching here, and discard any broadcasts that weren't matched. Our
|
|
|
|
|
* match-handlers remembers whether a message was matched by any rule,
|
|
|
|
|
* by marking it in @p->message_matched.
|
|
|
|
|
*/
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_process(p->destination_bus, &m);
|
2015-07-16 15:14:43 +02:00
|
|
|
|
|
|
|
|
matched = p->message_matched;
|
|
|
|
|
matched_synthetic = p->synthetic_matched;
|
|
|
|
|
p->message_matched = false;
|
|
|
|
|
p->synthetic_matched = false;
|
|
|
|
|
|
2015-02-13 16:11:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN) /* Treat 'connection reset by peer' as clean exit condition */
|
2015-02-13 15:36:15 +01:00
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0) {
|
2015-02-13 15:36:15 +01:00
|
|
|
log_error_errno(r, "Failed to process destination bus: %m");
|
2015-01-16 14:19:19 +01:00
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
if (r == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
if (!m)
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
/* We officially got EOF, let's quit */
|
|
|
|
|
if (sd_bus_message_is_signal(m, "org.freedesktop.DBus.Local", "Disconnected"))
|
|
|
|
|
return -ECONNRESET;
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
r = synthesize_name_acquired(p, p->destination_bus, p->local_bus, m);
|
2015-02-13 17:17:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
|
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to synthesize message: %m");
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
/* discard broadcasts that were not matched by any MATCH rule */
|
|
|
|
|
if (!matched && !sd_bus_message_get_destination(m)) {
|
|
|
|
|
if (!matched_synthetic)
|
2015-07-27 15:41:53 +02:00
|
|
|
log_debug("Dropped unmatched broadcast: uid=" UID_FMT " gid=" GID_FMT " pid=" PID_FMT " message=%s path=%s interface=%s member=%s sender=%s destination=%s",
|
|
|
|
|
p->local_creds.uid, p->local_creds.gid, p->local_creds.pid, bus_message_type_to_string(m->header->type),
|
|
|
|
|
strna(m->path), strna(m->interface), strna(m->member), strna(m->sender), strna(m->destination));
|
2015-07-16 15:14:43 +02:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
patch_sender(p->destination_bus, m);
|
2015-01-16 14:19:19 +01:00
|
|
|
|
|
|
|
|
if (p->policy) {
|
2015-02-13 15:05:34 +01:00
|
|
|
r = process_policy(p->destination_bus, p->local_bus, m, p->policy, &p->local_creds, p->owned_names);
|
2015-02-13 17:17:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
|
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to process policy: %m");
|
2015-02-13 15:36:15 +01:00
|
|
|
if (r > 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = sd_bus_send(p->local_bus, m, NULL);
|
|
|
|
|
if (r < 0) {
|
2015-02-13 16:11:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
2015-01-16 14:19:19 +01:00
|
|
|
return r;
|
2015-02-13 15:38:38 +01:00
|
|
|
|
|
|
|
|
/* If the peer tries to send a reply and it is
|
2015-08-06 11:42:40 +02:00
|
|
|
* rejected with EBADSLT by the kernel, we ignore the
|
2015-02-13 15:38:38 +01:00
|
|
|
* error. This catches cases where the original
|
|
|
|
|
* method-call didn't had EXPECT_REPLY set, but the
|
|
|
|
|
* proxy-peer still sends a reply. This is allowed in
|
|
|
|
|
* dbus1, but not in kdbus. We don't want to track
|
|
|
|
|
* reply-windows in the proxy, so we simply ignore
|
2015-08-06 11:42:40 +02:00
|
|
|
* EBADSLT for all replies. The only downside is, that
|
2015-02-13 15:38:38 +01:00
|
|
|
* callers are no longer notified if their replies are
|
|
|
|
|
* dropped. However, this is equivalent to the
|
|
|
|
|
* caller's timeout to expire, so this should be
|
|
|
|
|
* acceptable. Nobody sane sends replies without a
|
|
|
|
|
* matching method-call, so nobody should care. */
|
2015-08-06 13:45:46 +02:00
|
|
|
|
|
|
|
|
/* FIXME: remove -EPERM when kdbus is updated */
|
2015-08-06 11:42:40 +02:00
|
|
|
if ((r == -EPERM || r == -EBADSLT) && m->reply_cookie > 0)
|
2015-02-13 15:38:38 +01:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
/* Return the error to the client, if we can */
|
|
|
|
|
synthetic_reply_method_errnof(m, r, "Failed to forward message we got from destination: %m");
|
bus-proxy: complain only once about queue overflows
If the local peer does not dispatch its incoming queue, the bus-proxy will
slowly fill its outgoing queue. Once its full, it will continously
complain that it cannot forward its messages.
As it turns out, pulseaudio does have an idle background dbus connection
that is not integrated into any mainloop (and given that gdbus and
libdbus1 both support background shared connections, PA is probably not
the only example), therefore, the bus-proxy will loudly complain if it
cannot forward NameOwnerChanged events once the queue is full.
This commit makes the proxy track queue-state and complain only once the
queue runs full, not if it is already full.
A PA bug-report (and patch) has been filed, and other applications should
be fixed similarly. Hence, lets keep the error message, instead of
dropping it. It's unused resources we really want to get rid of, so
silencing the message does not really help (which is actually what
dbus-daemon does).
2015-03-11 13:53:21 +01:00
|
|
|
if (r == -ENOBUFS) {
|
|
|
|
|
/* if local dbus1 peer does not dispatch its queue, warn only once */
|
|
|
|
|
if (!p->queue_overflow)
|
|
|
|
|
log_error("Dropped messages due to queue overflow of local peer (pid: "PID_FMT" uid: "UID_FMT")", p->local_creds.pid, p->local_creds.uid);
|
|
|
|
|
p->queue_overflow = true;
|
|
|
|
|
} else
|
|
|
|
|
log_error_errno(r,
|
|
|
|
|
"Failed to forward message we got from destination: uid=" UID_FMT " gid=" GID_FMT" message=%s destination=%s path=%s interface=%s member=%s: %m",
|
|
|
|
|
p->local_creds.uid, p->local_creds.gid, bus_message_type_to_string(m->header->type),
|
|
|
|
|
strna(m->destination), strna(m->path), strna(m->interface), strna(m->member));
|
|
|
|
|
|
2015-02-13 15:38:38 +01:00
|
|
|
return 1;
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
bus-proxy: complain only once about queue overflows
If the local peer does not dispatch its incoming queue, the bus-proxy will
slowly fill its outgoing queue. Once its full, it will continously
complain that it cannot forward its messages.
As it turns out, pulseaudio does have an idle background dbus connection
that is not integrated into any mainloop (and given that gdbus and
libdbus1 both support background shared connections, PA is probably not
the only example), therefore, the bus-proxy will loudly complain if it
cannot forward NameOwnerChanged events once the queue is full.
This commit makes the proxy track queue-state and complain only once the
queue runs full, not if it is already full.
A PA bug-report (and patch) has been filed, and other applications should
be fixed similarly. Hence, lets keep the error message, instead of
dropping it. It's unused resources we really want to get rid of, so
silencing the message does not really help (which is actually what
dbus-daemon does).
2015-03-11 13:53:21 +01:00
|
|
|
p->queue_overflow = false;
|
2015-01-16 14:19:19 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
static int proxy_process_local_to_destination(Proxy *p) {
|
tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
2015-11-27 19:13:45 +01:00
|
|
|
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
|
2015-01-16 14:19:19 +01:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(p);
|
|
|
|
|
|
|
|
|
|
r = sd_bus_process(p->local_bus, &m);
|
2015-02-13 16:11:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN) /* Treat 'connection reset by peer' as clean exit condition */
|
2015-02-13 15:36:15 +01:00
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0) {
|
2015-02-13 15:36:15 +01:00
|
|
|
log_error_errno(r, "Failed to process local bus: %m");
|
2015-01-16 14:19:19 +01:00
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
if (r == 0)
|
|
|
|
|
return 0;
|
|
|
|
|
if (!m)
|
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
/* We officially got EOF, let's quit */
|
|
|
|
|
if (sd_bus_message_is_signal(m, "org.freedesktop.DBus.Local", "Disconnected"))
|
|
|
|
|
return -ECONNRESET;
|
|
|
|
|
|
|
|
|
|
r = process_hello(p, m);
|
2015-02-13 17:17:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
|
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to process HELLO: %m");
|
2015-02-13 15:36:15 +01:00
|
|
|
if (r > 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 1;
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
r = bus_proxy_process_driver(p, p->destination_bus, p->local_bus, m, p->policy, &p->local_creds, p->owned_names);
|
2015-02-13 17:17:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
|
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to process driver calls: %m");
|
2015-02-13 15:36:15 +01:00
|
|
|
if (r > 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
if (p->policy) {
|
2015-02-13 15:05:34 +01:00
|
|
|
r = process_policy(p->local_bus, p->destination_bus, m, p->policy, &p->local_creds, p->owned_names);
|
2015-02-13 17:17:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
|
|
|
|
return r;
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to process policy: %m");
|
2015-02-13 17:17:45 +01:00
|
|
|
if (r > 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-13 15:05:34 +01:00
|
|
|
r = sd_bus_send(p->destination_bus, m, NULL);
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0) {
|
2015-02-13 16:11:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
2015-02-13 15:38:38 +01:00
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
/* The name database changed since the policy check, hence let's check again */
|
|
|
|
|
if (r == -EREMCHG)
|
2015-01-16 14:19:19 +01:00
|
|
|
continue;
|
2015-02-13 15:38:38 +01:00
|
|
|
|
2015-08-06 11:42:40 +02:00
|
|
|
/* see above why EBADSLT is ignored for replies */
|
|
|
|
|
if ((r == -EPERM || r == -EBADSLT) && m->reply_cookie > 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 1;
|
2015-02-13 15:38:38 +01:00
|
|
|
|
|
|
|
|
synthetic_reply_method_errnof(m, r, "Failed to forward message we got from local: %m");
|
2015-02-14 19:01:21 +01:00
|
|
|
log_error_errno(r,
|
|
|
|
|
"Failed to forward message we got from local: uid=" UID_FMT " gid=" GID_FMT" message=%s destination=%s path=%s interface=%s member=%s: %m",
|
|
|
|
|
p->local_creds.uid, p->local_creds.gid, bus_message_type_to_string(m->header->type),
|
|
|
|
|
strna(m->destination), strna(m->path), strna(m->interface), strna(m->member));
|
2015-02-13 15:38:38 +01:00
|
|
|
return 1;
|
2015-01-16 14:19:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-07-16 15:14:43 +02:00
|
|
|
int proxy_match(sd_bus_message *m, void *userdata, sd_bus_error *error) {
|
|
|
|
|
Proxy *p = userdata;
|
|
|
|
|
|
|
|
|
|
p->message_matched = true;
|
|
|
|
|
return 0; /* make sure to continue processing it in further handlers */
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-16 14:19:19 +01:00
|
|
|
int proxy_run(Proxy *p) {
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(p);
|
|
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
bool busy = false;
|
|
|
|
|
|
|
|
|
|
if (p->got_hello) {
|
|
|
|
|
/* Read messages from bus, to pass them on to our client */
|
2015-02-13 15:05:34 +01:00
|
|
|
r = proxy_process_destination_to_local(p);
|
2015-02-13 16:11:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 0;
|
2015-02-13 15:36:15 +01:00
|
|
|
if (r < 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
return r;
|
2015-02-13 15:36:15 +01:00
|
|
|
if (r > 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
busy = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Read messages from our client, to pass them on to the bus */
|
2015-02-13 15:05:34 +01:00
|
|
|
r = proxy_process_local_to_destination(p);
|
2015-02-13 16:11:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
2015-01-16 14:19:19 +01:00
|
|
|
return 0;
|
2015-02-13 15:36:15 +01:00
|
|
|
if (r < 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
return r;
|
2015-02-13 15:36:15 +01:00
|
|
|
if (r > 0)
|
2015-01-16 14:19:19 +01:00
|
|
|
busy = true;
|
|
|
|
|
|
|
|
|
|
if (!busy) {
|
|
|
|
|
r = proxy_wait(p);
|
2015-02-13 17:17:45 +01:00
|
|
|
if (r == -ECONNRESET || r == -ENOTCONN)
|
|
|
|
|
return 0;
|
2015-01-16 14:19:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|