basebuilder_pel7x64builder0
5 years ago
9 changed files with 2216 additions and 0 deletions
@ -0,0 +1,17 @@
@@ -0,0 +1,17 @@
|
||||
#!/bin/sh |
||||
# Copyright (C) 2008 Red Hat, Inc. |
||||
# |
||||
# All rights reserved. This copyrighted material is made available to anyone |
||||
# wishing to use, modify, copy, or redistribute it subject to the terms and |
||||
# conditions of the GNU General Public License version 2. |
||||
# |
||||
# You should have received a copy of the GNU General Public License |
||||
# along with this program; if not, write to the Free Software |
||||
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
||||
# |
||||
|
||||
DBUS_SESSION_BUS_ADDRESS=`printenv DBUS_SESSION_BUS_ADDRESS` |
||||
|
||||
if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then |
||||
eval `dbus-launch --sh-syntax --exit-with-session` |
||||
fi |
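Review bot: The `eval` of the dbus-launch output runs whatever the command prints without checking that dbus-launch exists or exited successfully; if dbus-launch is absent, sh reports the missing command and the script carries on with the address still unset. A guard such as `if [ -z "$DBUS_SESSION_BUS_ADDRESS" ] && command -v dbus-launch >/dev/null 2>&1; then` keeps the eval from running on an error condition. The `DBUS_SESSION_BUS_ADDRESS=\`printenv DBUS_SESSION_BUS_ADDRESS\`` assignment is redundant, because a variable present in the environment is already visible to the `[ -z ... ]` test, and `$(...)` is the more readable form of the backticks used twice here.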
@ -0,0 +1,28 @@
@@ -0,0 +1,28 @@
|
||||
From 8e3c46c33f32290bc2f205de62a7d9ba01994f72 Mon Sep 17 00:00:00 2001 |
||||
From: David King <dking@redhat.com> |
||||
Date: Wed, 7 Feb 2018 14:37:24 +0000 |
||||
Subject: [PATCH] bus: raise fd limits before dropping privs |
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1529044 |
||||
--- |
||||
bus/bus.c | 5 +++++ |
||||
1 file changed, 5 insertions(+) |
||||
|
||||
diff --git a/bus/bus.c b/bus/bus.c |
||||
index a6f8db47..4b922a89 100644 |
||||
--- a/bus/bus.c |
||||
+++ b/bus/bus.c |
||||
@@ -940,6 +940,11 @@ bus_context_new (const DBusString *confi |
||||
*/ |
||||
if (context->user != NULL) |
||||
{ |
||||
+ /* Raise the file descriptor limits before dropping the privileges |
||||
+ * required to do so. |
||||
+ */ |
||||
+ raise_file_descriptor_limit (context); |
||||
+ |
||||
if (!_dbus_change_to_daemon_user (context->user, error)) |
||||
{ |
||||
_DBUS_ASSERT_ERROR_IS_SET (error); |
||||
-- |
||||
2.14.3 |
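Review bot: The new `raise_file_descriptor_limit (context)` call discards any result the function may return, so a failure to raise the limit would pass silently before privileges are dropped; whether the function reports a status at all is not visible in this hunk. If the pre-existing call to the same function later in `bus_context_new` is left in place, the limit is now raised twice on the system bus, the second attempt running after `_dbus_change_to_daemon_user` without the privileges needed to raise a hard limit, which is presumably the condition the patch is meant to avoid. A comment at the new call site such as `/* Must run before _dbus_change_to_daemon_user: raising the hard limit needs privileges */` would make the ordering constraint explicit for the next person who reorders this function. `bus_context_new` starts and ends outside this hunk.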
@ -0,0 +1,27 @@
@@ -0,0 +1,27 @@
|
||||
From f988e7327e5d8f372cc0c7d1478d12a74be113d3 Mon Sep 17 00:00:00 2001 |
||||
From: David King <amigadave@amigadave.com> |
||||
Date: Fri, 15 Sep 2017 14:01:53 +0100 |
||||
Subject: [PATCH] Reduce default session bus max fd limits |
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1133732 |
||||
--- |
||||
bus/session.conf.in | 4 ++-- |
||||
1 file changed, 2 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/bus/session.conf.in b/bus/session.conf.in |
||||
index affa7f1d..294a051d 100644 |
||||
--- a/bus/session.conf.in |
||||
+++ b/bus/session.conf.in |
||||
@@ -69,8 +69,8 @@ |
||||
<limit name="service_start_timeout">120000</limit> |
||||
<limit name="auth_timeout">240000</limit> |
||||
<limit name="pending_fd_timeout">150000</limit> |
||||
- <limit name="max_completed_connections">100000</limit> |
||||
- <limit name="max_incomplete_connections">10000</limit> |
||||
+ <limit name="max_completed_connections">900</limit> |
||||
+ <limit name="max_incomplete_connections">92</limit> |
||||
<limit name="max_connections_per_user">100000</limit> |
||||
<limit name="max_pending_service_starts">10000</limit> |
||||
<limit name="max_names_per_connection">50000</limit> |
||||
-- |
||||
2.13.5 |
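Review bot: After this change `max_connections_per_user` (left at 100000) is larger than the new `max_completed_connections` of 900, so the per-user limit can never be reached and is now dead configuration; it should be lowered alongside, or a comment should say that the total limit is the operative one. The values 900 and 92 look chosen to stay under a 1024 file-descriptor soft limit, but nothing in the patch records that reasoning; a `<!-- keep completed + incomplete + a few spare fds below the default RLIMIT_NOFILE -->` comment next to the limits would help whoever changes either number later. Whether 900 concurrent connections suffices for a long-running desktop session cannot be judged from the hunk, so the change should be validated against real sessions before shipping.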
@ -0,0 +1,500 @@
@@ -0,0 +1,500 @@
|
||||
From dc2074588d3e7b5a216cb8c0b82094157c3cf773 Mon Sep 17 00:00:00 2001 |
||||
From: David King <dking@redhat.com> |
||||
Date: Mon, 25 Jun 2018 14:46:14 -0400 |
||||
Subject: [PATCH] daemon: use HOME as the working directory |
||||
|
||||
Session buses started as part of a systemd --user session are launched |
||||
with the current working directory being the home directory of the user. |
||||
Applications which are launched via dbus activation inherit the working |
||||
directory from the session bus dbus-daemon. |
||||
|
||||
When dbus-launch is used to start dbus-daemon, as is commonly the case |
||||
with a session manager such as gnome-session, this leads to applications |
||||
having a default working directory of "/", which is undesirable (as an |
||||
example, the default directory in a GTK+ save dialog becomes "/"). |
||||
|
||||
As an improvement, make dbus-launch use the value of the environment |
||||
variable HOME, if it is set, as the current working directory. |
||||
|
||||
Signed-off-by: David King <dking@redhat.com> |
||||
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=106987 |
||||
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1470310 |
||||
--- |
||||
bus/bus.c | 9 +++++++++ |
||||
dbus/dbus-sysdeps-util-unix.c | 8 +++++--- |
||||
dbus/dbus-sysdeps-util-win.c | 2 ++ |
||||
dbus/dbus-sysdeps.h | 1 + |
||||
doc/dbus-launch.1.xml.in | 4 ++++ |
||||
tools/dbus-launch.c | 22 ++++++++++++++-------- |
||||
6 files changed, 35 insertions(+), 11 deletions(-) |
||||
|
||||
diff --git a/bus/bus.c b/bus/bus.c |
||||
index f788e677..da2b2c1f 100644 |
||||
--- a/bus/bus.c |
||||
+++ b/bus/bus.c |
||||
@@ -870,63 +870,72 @@ bus_context_new (const DBusString *config_file, |
||||
|
||||
context->matchmaker = bus_matchmaker_new (); |
||||
if (context->matchmaker == NULL) |
||||
{ |
||||
BUS_SET_OOM (error); |
||||
goto failed; |
||||
} |
||||
|
||||
/* check user before we fork */ |
||||
if (context->user != NULL) |
||||
{ |
||||
if (!_dbus_verify_daemon_user (context->user)) |
||||
{ |
||||
dbus_set_error (error, DBUS_ERROR_FAILED, |
||||
"Could not get UID and GID for username \"%s\"", |
||||
context->user); |
||||
goto failed; |
||||
} |
||||
} |
||||
|
||||
/* Now become a daemon if appropriate and write out pid file in any case */ |
||||
{ |
||||
DBusString u; |
||||
|
||||
if (context->pidfile) |
||||
_dbus_string_init_const (&u, context->pidfile); |
||||
|
||||
if (((flags & BUS_CONTEXT_FLAG_FORK_NEVER) == 0 && context->fork) || |
||||
(flags & BUS_CONTEXT_FLAG_FORK_ALWAYS)) |
||||
{ |
||||
+ const char *working_dir = NULL; |
||||
+ |
||||
_dbus_verbose ("Forking and becoming daemon\n"); |
||||
|
||||
+ if (context->type != NULL && strcmp (context->type, "session") == 0) |
||||
+ working_dir = _dbus_getenv ("HOME"); |
||||
+ |
||||
+ if (working_dir == NULL) |
||||
+ working_dir = "/"; |
||||
+ |
||||
if (!_dbus_become_daemon (context->pidfile ? &u : NULL, |
||||
+ working_dir, |
||||
print_pid_pipe, |
||||
error, |
||||
context->keep_umask)) |
||||
{ |
||||
_DBUS_ASSERT_ERROR_IS_SET (error); |
||||
goto failed; |
||||
} |
||||
} |
||||
else |
||||
{ |
||||
_dbus_verbose ("Fork not requested\n"); |
||||
|
||||
/* Need to write PID file and to PID pipe for ourselves, |
||||
* not for the child process. This is a no-op if the pidfile |
||||
* is NULL and print_pid_pipe is NULL. |
||||
*/ |
||||
if (!_dbus_write_pid_to_file_and_pipe (context->pidfile ? &u : NULL, |
||||
print_pid_pipe, |
||||
_dbus_getpid (), |
||||
error)) |
||||
{ |
||||
_DBUS_ASSERT_ERROR_IS_SET (error); |
||||
goto failed; |
||||
} |
||||
} |
||||
} |
||||
|
||||
if (print_pid_pipe && _dbus_pipe_is_valid (print_pid_pipe) && |
||||
!_dbus_pipe_is_stdout_or_stderr (print_pid_pipe)) |
||||
_dbus_pipe_close (print_pid_pipe, NULL); |
||||
diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c |
||||
index 9b724cc9..30bb1441 100644 |
||||
--- a/dbus/dbus-sysdeps-util-unix.c |
||||
+++ b/dbus/dbus-sysdeps-util-unix.c |
||||
@@ -49,82 +49,84 @@ |
||||
#include <sys/socket.h> |
||||
#include <dirent.h> |
||||
#include <sys/un.h> |
||||
|
||||
#ifdef HAVE_SYSLOG_H |
||||
#include <syslog.h> |
||||
#endif |
||||
|
||||
#ifdef HAVE_SYS_SYSLIMITS_H |
||||
#include <sys/syslimits.h> |
||||
#endif |
||||
|
||||
#ifdef HAVE_SYSTEMD |
||||
#include <systemd/sd-daemon.h> |
||||
#endif |
||||
|
||||
#ifndef O_BINARY |
||||
#define O_BINARY 0 |
||||
#endif |
||||
|
||||
/** |
||||
* @addtogroup DBusInternalsUtils |
||||
* @{ |
||||
*/ |
||||
|
||||
|
||||
/** |
||||
* Does the chdir, fork, setsid, etc. to become a daemon process. |
||||
* |
||||
* @param pidfile #NULL, or pidfile to create |
||||
+ * @param working_dir directory to chdir to |
||||
* @param print_pid_pipe pipe to print daemon's pid to, or -1 for none |
||||
* @param error return location for errors |
||||
* @param keep_umask #TRUE to keep the original umask |
||||
* @returns #FALSE on failure |
||||
*/ |
||||
dbus_bool_t |
||||
_dbus_become_daemon (const DBusString *pidfile, |
||||
+ const char *working_dir, |
||||
DBusPipe *print_pid_pipe, |
||||
DBusError *error, |
||||
dbus_bool_t keep_umask) |
||||
{ |
||||
const char *s; |
||||
pid_t child_pid; |
||||
int dev_null_fd; |
||||
|
||||
_dbus_verbose ("Becoming a daemon...\n"); |
||||
|
||||
- _dbus_verbose ("chdir to /\n"); |
||||
- if (chdir ("/") < 0) |
||||
+ _dbus_verbose ("chdir to %s\n", working_dir); |
||||
+ if (chdir (working_dir) < 0) |
||||
{ |
||||
dbus_set_error (error, DBUS_ERROR_FAILED, |
||||
- "Could not chdir() to root directory"); |
||||
+ "Could not chdir() to working directory (%s)", working_dir); |
||||
return FALSE; |
||||
} |
||||
|
||||
_dbus_verbose ("forking...\n"); |
||||
switch ((child_pid = fork ())) |
||||
{ |
||||
case -1: |
||||
_dbus_verbose ("fork failed\n"); |
||||
dbus_set_error (error, _dbus_error_from_errno (errno), |
||||
"Failed to fork daemon: %s", _dbus_strerror (errno)); |
||||
return FALSE; |
||||
break; |
||||
|
||||
case 0: |
||||
_dbus_verbose ("in child, closing std file descriptors\n"); |
||||
|
||||
/* silently ignore failures here, if someone |
||||
* doesn't have /dev/null we may as well try |
||||
* to continue anyhow |
||||
*/ |
||||
|
||||
dev_null_fd = open ("/dev/null", O_RDWR); |
||||
if (dev_null_fd >= 0) |
||||
{ |
||||
dup2 (dev_null_fd, 0); |
||||
dup2 (dev_null_fd, 1); |
||||
|
||||
s = _dbus_getenv ("DBUS_DEBUG_OUTPUT"); |
||||
if (s == NULL || *s == '\0') |
||||
dup2 (dev_null_fd, 2); |
||||
diff --git a/dbus/dbus-sysdeps-util-win.c b/dbus/dbus-sysdeps-util-win.c |
||||
index 3b754dbf..bfc1cb90 100644 |
||||
--- a/dbus/dbus-sysdeps-util-win.c |
||||
+++ b/dbus/dbus-sysdeps-util-win.c |
||||
@@ -27,67 +27,69 @@ |
||||
#define STRSAFE_NO_DEPRECATE |
||||
|
||||
#include "dbus-sysdeps.h" |
||||
#include "dbus-internals.h" |
||||
#include "dbus-protocol.h" |
||||
#include "dbus-string.h" |
||||
#include "dbus-sysdeps.h" |
||||
#include "dbus-sysdeps-win.h" |
||||
#include "dbus-sockets-win.h" |
||||
#include "dbus-memory.h" |
||||
#include "dbus-pipe.h" |
||||
|
||||
#include <stdio.h> |
||||
#include <stdlib.h> |
||||
#if HAVE_ERRNO_H |
||||
#include <errno.h> |
||||
#endif |
||||
#include <winsock2.h> // WSA error codes |
||||
|
||||
#ifndef DBUS_WINCE |
||||
#include <io.h> |
||||
#include <lm.h> |
||||
#include <sys/stat.h> |
||||
#endif |
||||
|
||||
|
||||
/** |
||||
* Does the chdir, fork, setsid, etc. to become a daemon process. |
||||
* |
||||
* @param pidfile #NULL, or pidfile to create |
||||
+ * @param working_dir directory to chdir to |
||||
* @param print_pid_pipe file descriptor to print daemon's pid to, or -1 for none |
||||
* @param error return location for errors |
||||
* @param keep_umask #TRUE to keep the original umask |
||||
* @returns #FALSE on failure |
||||
*/ |
||||
dbus_bool_t |
||||
_dbus_become_daemon (const DBusString *pidfile, |
||||
+ const char *working_dir, |
||||
DBusPipe *print_pid_pipe, |
||||
DBusError *error, |
||||
dbus_bool_t keep_umask) |
||||
{ |
||||
dbus_set_error (error, DBUS_ERROR_NOT_SUPPORTED, |
||||
"Cannot daemonize on Windows"); |
||||
return FALSE; |
||||
} |
||||
|
||||
/** |
||||
* Creates a file containing the process ID. |
||||
* |
||||
* @param filename the filename to write to |
||||
* @param pid our process ID |
||||
* @param error return location for errors |
||||
* @returns #FALSE on failure |
||||
*/ |
||||
static dbus_bool_t |
||||
_dbus_write_pid_file (const DBusString *filename, |
||||
unsigned long pid, |
||||
DBusError *error) |
||||
{ |
||||
const char *cfilename; |
||||
HANDLE hnd; |
||||
char pidstr[20]; |
||||
int total; |
||||
int bytes_to_write; |
||||
|
||||
_DBUS_ASSERT_ERROR_IS_CLEAR (error); |
||||
|
||||
diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h |
||||
index 0ee45c97..e569b545 100644 |
||||
--- a/dbus/dbus-sysdeps.h |
||||
+++ b/dbus/dbus-sysdeps.h |
||||
@@ -498,60 +498,61 @@ int _dbus_printf_string_upper_bound (const char *format, |
||||
va_list args); |
||||
|
||||
|
||||
/** |
||||
* Portable struct with stat() results |
||||
*/ |
||||
typedef struct |
||||
{ |
||||
unsigned long mode; /**< File mode */ |
||||
unsigned long nlink; /**< Number of hard links */ |
||||
dbus_uid_t uid; /**< User owning file */ |
||||
dbus_gid_t gid; /**< Group owning file */ |
||||
unsigned long size; /**< Size of file */ |
||||
unsigned long atime; /**< Access time */ |
||||
unsigned long mtime; /**< Modify time */ |
||||
unsigned long ctime; /**< Creation time */ |
||||
} DBusStat; |
||||
|
||||
dbus_bool_t _dbus_stat (const DBusString *filename, |
||||
DBusStat *statbuf, |
||||
DBusError *error); |
||||
DBUS_PRIVATE_EXPORT |
||||
dbus_bool_t _dbus_socketpair (DBusSocket *fd1, |
||||
DBusSocket *fd2, |
||||
dbus_bool_t blocking, |
||||
DBusError *error); |
||||
|
||||
void _dbus_print_backtrace (void); |
||||
|
||||
dbus_bool_t _dbus_become_daemon (const DBusString *pidfile, |
||||
+ const char *working_dir, |
||||
DBusPipe *print_pid_pipe, |
||||
DBusError *error, |
||||
dbus_bool_t keep_umask); |
||||
|
||||
dbus_bool_t _dbus_verify_daemon_user (const char *user); |
||||
dbus_bool_t _dbus_change_to_daemon_user (const char *user, |
||||
DBusError *error); |
||||
|
||||
dbus_bool_t _dbus_write_pid_to_file_and_pipe (const DBusString *pidfile, |
||||
DBusPipe *print_pid_pipe, |
||||
dbus_pid_t pid_to_write, |
||||
DBusError *error); |
||||
|
||||
dbus_bool_t _dbus_command_for_pid (unsigned long pid, |
||||
DBusString *str, |
||||
int max_len, |
||||
DBusError *error); |
||||
|
||||
/** A UNIX signal handler */ |
||||
typedef void (* DBusSignalHandler) (int sig); |
||||
|
||||
void _dbus_set_signal_handler (int sig, |
||||
DBusSignalHandler handler); |
||||
|
||||
dbus_bool_t _dbus_user_at_console (const char *username, |
||||
DBusError *error); |
||||
|
||||
void _dbus_init_system_log (dbus_bool_t is_daemon); |
||||
|
||||
typedef enum { |
||||
diff --git a/doc/dbus-launch.1.xml.in b/doc/dbus-launch.1.xml.in |
||||
index 5135d9ca..606c65be 100644 |
||||
--- a/doc/dbus-launch.1.xml.in |
||||
+++ b/doc/dbus-launch.1.xml.in |
||||
@@ -23,60 +23,64 @@ |
||||
<command>dbus-launch</command> |
||||
<arg choice='opt'>--version </arg> |
||||
<arg choice='opt'>--help </arg> |
||||
<arg choice='opt'>--sh-syntax </arg> |
||||
<arg choice='opt'>--csh-syntax </arg> |
||||
<arg choice='opt'>--auto-syntax </arg> |
||||
<arg choice='opt'>--binary-syntax </arg> |
||||
<arg choice='opt'>--close-stderr </arg> |
||||
<arg choice='opt'>--exit-with-session </arg> |
||||
<arg choice='opt'>--autolaunch=<replaceable>MACHINEID</replaceable></arg> |
||||
<arg choice='opt'>--config-file=<replaceable>FILENAME</replaceable></arg> |
||||
<arg choice='opt'><replaceable>PROGRAM</replaceable></arg> |
||||
<arg choice='opt' rep='repeat'><replaceable>ARGS</replaceable></arg> |
||||
<sbr/> |
||||
</cmdsynopsis> |
||||
</refsynopsisdiv> |
||||
|
||||
|
||||
<refsect1 id='description'><title>DESCRIPTION</title> |
||||
<para>The <command>dbus-launch</command> command is used to start a session bus |
||||
instance of <emphasis remap='I'>dbus-daemon</emphasis> from a shell script. |
||||
It would normally be called from a user's login |
||||
scripts. Unlike the daemon itself, <command>dbus-launch</command> exits, so |
||||
backticks or the $() construct can be used to read information from |
||||
<command>dbus-launch</command>.</para> |
||||
|
||||
<para>With no arguments, <command>dbus-launch</command> will launch a session bus |
||||
instance and print the address and PID of that instance to standard |
||||
output.</para> |
||||
|
||||
+<para>If the environment variable HOME is set, it is used as the current |
||||
+working directory. Otherwise, the root directory (<filename>/</filename>) is |
||||
+used.</para> |
||||
+ |
||||
<para>You may specify a program to be run; in this case, <command>dbus-launch</command> |
||||
will launch a session bus instance, set the appropriate environment |
||||
variables so the specified program can find the bus, and then execute the |
||||
specified program, with the specified arguments. See below for |
||||
examples.</para> |
||||
|
||||
<para>If you launch a program, <command>dbus-launch</command> will not print the |
||||
information about the new bus to standard output.</para> |
||||
|
||||
<para>When <command>dbus-launch</command> prints bus information to standard output, by |
||||
default it is in a simple key-value pairs format. However, you may |
||||
request several alternate syntaxes using the --sh-syntax, --csh-syntax, |
||||
--binary-syntax, or |
||||
--auto-syntax options. Several of these cause <command>dbus-launch</command> to emit shell code |
||||
to set up the environment.</para> |
||||
|
||||
<para>With the --auto-syntax option, <command>dbus-launch</command> looks at the value |
||||
of the SHELL environment variable to determine which shell syntax |
||||
should be used. If SHELL ends in "csh", then csh-compatible code is |
||||
emitted; otherwise Bourne shell code is emitted. Instead of passing |
||||
--auto-syntax, you may explicitly specify a particular one by using |
||||
--sh-syntax for Bourne syntax, or --csh-syntax for csh syntax. |
||||
In scripts, it's more robust to avoid --auto-syntax and you hopefully |
||||
know which shell your script is written in.</para> |
||||
|
||||
|
||||
<para>See <ulink url='http://www.freedesktop.org/software/dbus/'>http://www.freedesktop.org/software/dbus/</ulink> for more information |
||||
about D-Bus. See also the man page for <emphasis remap='I'>dbus-daemon</emphasis>.</para> |
||||
|
||||
</refsect1> |
||||
diff --git a/tools/dbus-launch.c b/tools/dbus-launch.c |
||||
index 80e4a241..a956684c 100644 |
||||
--- a/tools/dbus-launch.c |
||||
+++ b/tools/dbus-launch.c |
||||
@@ -592,71 +592,77 @@ kill_bus_when_session_ends (void) |
||||
/* This shouldn't happen I don't think; to avoid |
||||
* spinning on the fd forever we exit. |
||||
*/ |
||||
fprintf (stderr, "dbus-launch: error reading from stdin: %s\n", |
||||
strerror (errno)); |
||||
kill_bus_and_exit (0); |
||||
} |
||||
} |
||||
else if (FD_ISSET (tty_fd, &err_set)) |
||||
{ |
||||
verbose ("TTY has error condition\n"); |
||||
|
||||
kill_bus_and_exit (0); |
||||
} |
||||
} |
||||
} |
||||
} |
||||
|
||||
static void |
||||
babysit (int exit_with_session, |
||||
pid_t child_pid, |
||||
int read_bus_pid_fd) /* read pid from here */ |
||||
{ |
||||
int ret; |
||||
int dev_null_fd; |
||||
const char *s; |
||||
|
||||
verbose ("babysitting, exit_with_session = %d, child_pid = %ld, read_bus_pid_fd = %d\n", |
||||
exit_with_session, (long) child_pid, read_bus_pid_fd); |
||||
|
||||
- /* We chdir ("/") since we are persistent and daemon-like, and fork |
||||
- * again so dbus-launch can reap the parent. However, we don't |
||||
- * setsid() or close fd 0 because the idea is to remain attached |
||||
- * to the tty and the X server in order to kill the message bus |
||||
- * when the session ends. |
||||
+ /* We chdir () since we are persistent and daemon-like, either to $HOME |
||||
+ * to match the behaviour of a session bus started by systemd --user, or |
||||
+ * otherwise "/". We fork again so dbus-launch can reap the parent. |
||||
+ * However, we don't setsid() or close fd 0 because the idea is to |
||||
+ * remain attached to the tty and the X server in order to kill the |
||||
+ * message bus when the session ends. |
||||
*/ |
||||
|
||||
- if (chdir ("/") < 0) |
||||
+ s = getenv ("HOME"); |
||||
+ |
||||
+ if (s == NULL || *s == '\0') |
||||
+ s = "/"; |
||||
+ |
||||
+ if (chdir (s) < 0) |
||||
{ |
||||
- fprintf (stderr, "Could not change to root directory: %s\n", |
||||
- strerror (errno)); |
||||
+ fprintf (stderr, "Could not change to working directory \"%s\": %s\n", |
||||
+ s, strerror (errno)); |
||||
exit (1); |
||||
} |
||||
|
||||
/* Close stdout/stderr so we don't block an "eval" or otherwise |
||||
* lock up. stdout is still chaining through to dbus-launch |
||||
* and in turn to the parent shell. |
||||
*/ |
||||
dev_null_fd = open ("/dev/null", O_RDWR); |
||||
if (dev_null_fd >= 0) |
||||
{ |
||||
if (!exit_with_session) |
||||
dup2 (dev_null_fd, 0); |
||||
dup2 (dev_null_fd, 1); |
||||
s = getenv ("DBUS_DEBUG_OUTPUT"); |
||||
if (s == NULL || *s == '\0') |
||||
dup2 (dev_null_fd, 2); |
||||
close (dev_null_fd); |
||||
} |
||||
else |
||||
{ |
||||
fprintf (stderr, "Failed to open /dev/null: %s\n", |
||||
strerror (errno)); |
||||
/* continue, why not */ |
||||
} |
||||
|
||||
ret = fork (); |
||||
|
||||
if (ret < 0) |
||||
{ |
||||
fprintf (stderr, "fork() failed in babysitter: %s\n", |
||||
-- |
||||
2.17.1 |
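Review bot: In the `bus/bus.c` hunk `working_dir` falls back to `/` only when `_dbus_getenv ("HOME")` returns NULL, whereas the `tools/dbus-launch.c` hunk also treats an empty `HOME` as unset (`s == NULL || *s == '\0'`); with `HOME=` in the environment the daemon path calls `chdir ("")`, which fails, and `_dbus_become_daemon` aborts the session bus with `Could not chdir() to working directory ()`. The check should be `if (working_dir == NULL || *working_dir == '\0')` so both launch paths behave the same. A relative or later-removed `HOME` is also accepted as-is; since the bus only changes directory for `session` type buses this is not a privilege boundary, but the `@param working_dir` doc comment on `_dbus_become_daemon` should say the value comes from the user's environment unchecked. The new paragraph in `dbus-launch.1` documents the behaviour for dbus-launch only, while the `bus/bus.c` change applies to any forked session daemon, and the diffstat shows no update to the dbus-daemon manual page. `bus_context_new` and `babysit` both begin outside their hunks.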
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
From b98c85f2803434eec3192cdc3e9e86425fe33428 Mon Sep 17 00:00:00 2001 |
||||
From: David King <dking@redhat.com> |
||||
Date: Tue, 3 Oct 2017 13:34:03 +0100 |
||||
Subject: [PATCH] doc: Fix dbus-send.1 uint16 typo |
||||
|
||||
https://bugs.freedesktop.org/show_bug.cgi?id=103075 |
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1467415 |
||||
--- |
||||
doc/dbus-send.1.xml.in | 2 +- |
||||
1 file changed, 1 insertion(+), 1 deletion(-) |
||||
|
||||
diff --git a/doc/dbus-send.1.xml.in b/doc/dbus-send.1.xml.in |
||||
index 67b6dfd2..271435ca 100644 |
||||
--- a/doc/dbus-send.1.xml.in |
||||
+++ b/doc/dbus-send.1.xml.in |
||||
@@ -65,7 +65,7 @@ may include containers (arrays, dicts, and variants) as described below.</para> |
||||
<array> ::= array:<type>:<value>[,<value>...] |
||||
<dict> ::= dict:<type>:<type>:<key>,<value>[,<key>,<value>...] |
||||
<variant> ::= variant:<type>:<value> |
||||
-<type> ::= string | int16 | uint 16 | int32 | uint32 | int64 | uint64 | double | byte | boolean | objpath |
||||
+<type> ::= string | int16 | uint16 | int32 | uint32 | int64 | uint64 | double | byte | boolean | objpath |
||||
</literallayout> <!-- .fi --> |
||||
|
||||
<para>D-Bus supports more types than these, but <command>dbus-send</command> currently |
||||
-- |
||||
2.13.6 |
@ -0,0 +1,268 @@
@@ -0,0 +1,268 @@
|
||||
diff -urN dbus-1.10.24.old/bus/driver.c dbus-1.10.24/bus/driver.c |
||||
--- dbus-1.10.24.old/bus/driver.c 2017-09-25 16:20:08.000000000 +0100 |
||||
+++ dbus-1.10.24/bus/driver.c 2018-02-13 10:15:09.570439595 +0000 |
||||
@@ -555,6 +555,9 @@ |
||||
char **services; |
||||
BusRegistry *registry; |
||||
int i; |
||||
+#ifdef HAVE_SELINUX |
||||
+ dbus_bool_t mls_enabled; |
||||
+#endif |
||||
DBusMessageIter iter; |
||||
DBusMessageIter sub; |
||||
|
||||
@@ -601,9 +604,58 @@ |
||||
} |
||||
} |
||||
|
||||
+#ifdef HAVE_SELINUX |
||||
+ mls_enabled = bus_selinux_mls_enabled (); |
||||
+#endif |
||||
i = 0; |
||||
while (i < len) |
||||
{ |
||||
+#ifdef HAVE_SELINUX |
||||
+ if (mls_enabled) |
||||
+ { |
||||
+ const char *requester; |
||||
+ BusService *service; |
||||
+ DBusString str; |
||||
+ DBusConnection *service_conn; |
||||
+ DBusConnection *requester_conn; |
||||
+ |
||||
+ requester = dbus_message_get_destination (reply); |
||||
+ _dbus_string_init_const (&str, requester); |
||||
+ service = bus_registry_lookup (registry, &str); |
||||
+ |
||||
+ if (service == NULL) |
||||
+ { |
||||
+ _dbus_warn_check_failed ("service lookup failed: %s", requester); |
||||
+ ++i; |
||||
+ continue; |
||||
+ } |
||||
+ requester_conn = bus_service_get_primary_owners_connection (service); |
||||
+ _dbus_string_init_const (&str, services[i]); |
||||
+ service = bus_registry_lookup (registry, &str); |
||||
+ if (service == NULL) |
||||
+ { |
||||
+ _dbus_warn_check_failed ("service lookup failed: %s", services[i]); |
||||
+ ++i; |
||||
+ continue; |
||||
+ } |
||||
+ service_conn = bus_service_get_primary_owners_connection (service); |
||||
+ |
||||
+ if (!bus_selinux_allows_name (requester_conn, service_conn, error)) |
||||
+ { |
||||
+ if (dbus_error_is_set (error) && |
||||
+ dbus_error_has_name (error, DBUS_ERROR_NO_MEMORY)) |
||||
+ { |
||||
+ dbus_free_string_array (services); |
||||
+ dbus_message_unref (reply); |
||||
+ return FALSE; |
||||
+ } |
||||
+ |
||||
+ /* Skip any services which are disallowed by SELinux policy. */ |
||||
+ ++i; |
||||
+ continue; |
||||
+ } |
||||
+ } |
||||
+#endif |
||||
if (!dbus_message_iter_append_basic (&sub, DBUS_TYPE_STRING, |
||||
&services[i])) |
||||
{ |
||||
diff -urN dbus-1.10.24.old/bus/selinux.c dbus-1.10.24/bus/selinux.c |
||||
--- dbus-1.10.24.old/bus/selinux.c 2017-07-28 07:24:16.000000000 +0100 |
||||
+++ dbus-1.10.24/bus/selinux.c 2018-02-13 10:35:14.311477447 +0000 |
||||
@@ -61,6 +61,9 @@ |
||||
/* Store the value telling us if SELinux is enabled in the kernel. */ |
||||
static dbus_bool_t selinux_enabled = FALSE; |
||||
|
||||
+/* Store the value telling us if SELinux with MLS is enabled in the kernel. */ |
||||
+static dbus_bool_t selinux_mls_enabled = FALSE; |
||||
+ |
||||
/* Store an avc_entry_ref to speed AVC decisions. */ |
||||
static struct avc_entry_ref aeref; |
||||
|
||||
@@ -273,6 +276,20 @@ |
||||
} |
||||
|
||||
/** |
||||
+ * Return whether or not SELinux with MLS support is enabled; must be |
||||
+ * called after bus_selinux_init. |
||||
+ */ |
||||
+dbus_bool_t |
||||
+bus_selinux_mls_enabled (void) |
||||
+{ |
||||
+#ifdef HAVE_SELINUX |
||||
+ return selinux_mls_enabled; |
||||
+#else |
||||
+ return FALSE; |
||||
+#endif /* HAVE_SELINUX */ |
||||
+} |
||||
+ |
||||
+/** |
||||
* Do early initialization; determine whether SELinux is enabled. |
||||
*/ |
||||
dbus_bool_t |
||||
@@ -292,6 +309,16 @@ |
||||
} |
||||
|
||||
selinux_enabled = r != 0; |
||||
+ |
||||
+ r = is_selinux_mls_enabled (); |
||||
+ if (r < 0) |
||||
+ { |
||||
+ _dbus_warn ("Could not tell if SELinux MLS is enabled: %s\n", |
||||
+ _dbus_strerror (errno)); |
||||
+ return FALSE; |
||||
+ } |
||||
+ |
||||
+ selinux_mls_enabled = r != 0; |
||||
return TRUE; |
||||
#else |
||||
return TRUE; |
||||
@@ -304,14 +331,18 @@ |
||||
*/ |
||||
/* security dbus class constants */ |
||||
#define SECCLASS_DBUS 1 |
||||
+#define SECCLASS_CONTEXT 2 |
||||
|
||||
/* dbus's per access vector constants */ |
||||
#define DBUS__ACQUIRE_SVC 1 |
||||
#define DBUS__SEND_MSG 2 |
||||
|
||||
+#define CONTEXT__CONTAINS 1 |
||||
+ |
||||
#ifdef HAVE_SELINUX |
||||
static struct security_class_mapping dbus_map[] = { |
||||
{ "dbus", { "acquire_svc", "send_msg", NULL } }, |
||||
+ { "context", { "contains", NULL } }, |
||||
{ NULL } |
||||
}; |
||||
#endif /* HAVE_SELINUX */ |
||||
@@ -734,6 +765,102 @@ |
||||
#endif /* HAVE_SELINUX */ |
||||
|
||||
/** |
||||
+ * Check if SELinux security controls allow one connection to determine the |
||||
+ * name of the other, taking into account MLS considerations. |
||||
+ * |
||||
+ * @param source the requester of the name. |
||||
+ * @param destination the name being requested. |
||||
+ * @returns whether the name should be visible by the source of the request |
||||
+ */ |
||||
+dbus_bool_t |
||||
+bus_selinux_allows_name (DBusConnection *source, |
||||
+ DBusConnection *destination, |
||||
+ DBusError *error) |
||||
+{ |
||||
+#ifdef HAVE_SELINUX |
||||
+ int err; |
||||
+ char *policy_type; |
||||
+ unsigned long spid, tpid; |
||||
+ BusSELinuxID *source_sid; |
||||
+ BusSELinuxID *dest_sid; |
||||
+ dbus_bool_t ret; |
||||
+ dbus_bool_t string_alloced; |
||||
+ DBusString auxdata; |
||||
+ |
||||
+ if (!selinux_mls_enabled) |
||||
+ return TRUE; |
||||
+ |
||||
+ err = selinux_getpolicytype (&policy_type); |
||||
+ if (err < 0) |
||||
+ { |
||||
+ dbus_set_error_const (error, DBUS_ERROR_IO_ERROR, |
||||
+ "Failed to get SELinux policy type"); |
||||
+ return FALSE; |
||||
+ } |
||||
+ |
||||
+ /* Only check against MLS policy if running under that policy. */ |
||||
+ if (strcmp (policy_type, "mls") != 0) |
||||
+ { |
||||
+ free (policy_type); |
||||
+ return TRUE; |
||||
+ } |
||||
+ |
||||
+ free (policy_type); |
||||
+ |
||||
+ _dbus_assert (source != NULL); |
||||
+ _dbus_assert (destination != NULL); |
||||
+ |
||||
+ if (!source || !dbus_connection_get_unix_process_id (source, &spid)) |
||||
+ spid = 0; |
||||
+ if (!destination || !dbus_connection_get_unix_process_id (destination, &tpid)) |
||||
+ tpid = 0; |
||||
+ |
||||
+ string_alloced = FALSE; |
||||
+ if (!_dbus_string_init (&auxdata)) |
||||
+ goto oom; |
||||
+ string_alloced = TRUE; |
||||
+ |
||||
+ if (spid) |
||||
+ { |
||||
+ if (!_dbus_string_append (&auxdata, " spid=")) |
||||
+ goto oom; |
||||
+ |
||||
+ if (!_dbus_string_append_uint (&auxdata, spid)) |
||||
+ goto oom; |
||||
+ } |
||||
+ |
||||
+ if (tpid) |
||||
+ { |
||||
+ if (!_dbus_string_append (&auxdata, " tpid=")) |
||||
+ goto oom; |
||||
+ |
||||
+ if (!_dbus_string_append_uint (&auxdata, tpid)) |
||||
+ goto oom; |
||||
+ } |
||||
+ |
||||
+ source_sid = bus_connection_get_selinux_id (source); |
||||
+ dest_sid = bus_connection_get_selinux_id (destination); |
||||
+ |
||||
+ ret = bus_selinux_check (source_sid, |
||||
+ dest_sid, |
||||
+ SECCLASS_CONTEXT, |
||||
+ CONTEXT__CONTAINS, |
||||
+ &auxdata); |
||||
+ |
||||
+ _dbus_string_free (&auxdata); |
||||
+ return ret; |
||||
+ |
||||
+ oom: |
||||
+ if (string_alloced) |
||||
+ _dbus_string_free (&auxdata); |
||||
+ BUS_SET_OOM (error); |
||||
+ return FALSE; |
||||
+#else |
||||
+ return TRUE; |
||||
+#endif /* HAVE_SELINUX */ |
||||
+} |
||||
+ |
||||
+/** |
||||
* Read the SELinux ID from the connection. |
||||
* |
||||
* @param connection the connection to read from |
||||
Binary files dbus-1.10.24.old/bus/.selinux.c.swp and dbus-1.10.24/bus/.selinux.c.swp differ |
||||
diff -urN dbus-1.10.24.old/bus/selinux.h dbus-1.10.24/bus/selinux.h |
||||
--- dbus-1.10.24.old/bus/selinux.h 2017-07-28 07:24:16.000000000 +0100 |
||||
+++ dbus-1.10.24/bus/selinux.h 2018-02-13 10:15:09.573439444 +0000 |
||||
@@ -32,6 +32,7 @@ |
||||
void bus_selinux_shutdown (void); |
||||
|
||||
dbus_bool_t bus_selinux_enabled (void); |
||||
+dbus_bool_t bus_selinux_mls_enabled (void); |
||||
|
||||
void bus_selinux_id_ref (BusSELinuxID *sid); |
||||
void bus_selinux_id_unref (BusSELinuxID *sid); |
||||
@@ -54,6 +55,10 @@ |
||||
const char *service_name, |
||||
DBusError *error); |
||||
|
||||
+dbus_bool_t bus_selinux_allows_name (DBusConnection *source, |
||||
+ DBusConnection *destination, |
||||
+ DBusError *error); |
||||
+ |
||||
dbus_bool_t bus_selinux_allows_send (DBusConnection *sender, |
||||
DBusConnection *proposed_recipient, |
||||
const char *msgtype, /* Supplementary audit data */ |
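Review bot: In the `bus/driver.c` hunk, when `bus_selinux_allows_name` returns FALSE with an error other than `DBUS_ERROR_NO_MEMORY` (the `Failed to get SELinux policy type` path sets `DBUS_ERROR_IO_ERROR`), the loop does `continue` with `error` still set; the function then proceeds as if nothing happened, so a later `dbus_set_error` on the same `DBusError` trips the set-twice check and a caller that expects a clear error on success is misled. Either add `dbus_error_free (error);` before that `continue`, or treat every set error as fatal the way the OOM case is. `selinux_getpolicytype` is also called once per name on every ListNames request and compared against the literal `"mls"`; caching that decision in `bus_selinux_init` next to `selinux_mls_enabled` would avoid repeated config reads, and the `_dbus_assert (source != NULL)` immediately followed by `if (!source ...)` in `bus_selinux_allows_name` should be one or the other. The patch also carries a `Binary files ... .selinux.c.swp differ` line, a vim swap file from the build tree that should be dropped before the patch is applied.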
@ -0,0 +1,46 @@
@@ -0,0 +1,46 @@
|
||||
From b17615cda8a7ec80692d84e544b71e8183461aa5 Mon Sep 17 00:00:00 2001 |
||||
From: Roy Li <rongqing.li@windriver.com> |
||||
Date: Wed, 21 Jan 2015 09:28:53 +0000 |
||||
Subject: [PATCH] dbus: clear guid_from_server if send_negotiate_unix_fd failed |
||||
|
||||
Once send_negotiate_unix_fd failed, this failure will happen, since |
||||
auth->guid_from_server has been set to some value before |
||||
send_negotiate_unix_fd. send_negotiate_unix_fd failure will lead to this |
||||
auth be handled by process_ok again, but this auth->guid_from_server is |
||||
not zero. |
||||
|
||||
So we should clear auth->guid_from_server if send_negotiate_unix_fd |
||||
failed. |
||||
|
||||
http://lists.freedesktop.org/archives/dbus/2014-February/016122.html |
||||
https://bugs.freedesktop.org/show_bug.cgi?id=75589 |
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1183755 |
||||
|
||||
Signed-off-by: Roy Li <rongqing.li@windriver.com> |
||||
--- |
||||
dbus/dbus-auth.c | 10 +++++++++- |
||||
1 file changed, 9 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c |
||||
index d2c37a7..dd6e61d 100644 |
||||
--- a/dbus/dbus-auth.c |
||||
+++ b/dbus/dbus-auth.c |
||||
@@ -1572,7 +1572,15 @@ process_ok(DBusAuth *auth, |
||||
_dbus_string_get_const_data (& DBUS_AUTH_CLIENT (auth)->guid_from_server)); |
||||
|
||||
if (auth->unix_fd_possible) |
||||
- return send_negotiate_unix_fd(auth); |
||||
+ { |
||||
+ if (!send_negotiate_unix_fd (auth)) |
||||
+ { |
||||
+ _dbus_string_set_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server, 0); |
||||
+ return FALSE; |
||||
+ } |
||||
+ |
||||
+ return TRUE; |
||||
+ } |
||||
|
||||
_dbus_verbose("Not negotiating unix fd passing, since not possible\n"); |
||||
return send_begin (auth); |
||||
-- |
||||
2.2.1 |
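Review bot: The reset of `guid_from_server` on the failure path has no comment saying why it is needed, and the commit message's "this failure will happen" does not name the failure either; a reader of `process_ok` will not know from the code that the function is re-entered after a failed `send_negotiate_unix_fd` and expects the GUID to be empty at that point. A comment such as `/* Undo the GUID recorded above so a retry re-enters process_ok cleanly */` at the `_dbus_string_set_length` line would capture that. Whether other state set earlier in `process_ok` needs the same rollback cannot be judged from this hunk, since the function starts outside it.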
@ -0,0 +1,66 @@
@@ -0,0 +1,66 @@
|
||||
From a82e1be24d0211d4358d8ff3b8cd06dae71a9993 Mon Sep 17 00:00:00 2001 |
||||
From: David King <dking@redhat.com> |
||||
Date: Mon, 22 Aug 2016 09:43:29 +0100 |
||||
Subject: [PATCH] Use _raw() calls to avoid SELinux context translation |
||||
|
||||
When the credentials obtained from the client socket are used in future |
||||
security checks, no context translation should be performed, so |
||||
getpeercon() should be replaced with getpeercon_raw(), and similar |
||||
changes should be made for other calls such as avc_sid_to_context() |
||||
and getcon(). |
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1356141 |
||||
--- |
||||
bus/selinux.c | 10 +++++----- |
||||
1 file changed, 5 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/bus/selinux.c b/bus/selinux.c |
||||
index 2fb4a8b..13361aa 100644 |
||||
--- a/bus/selinux.c |
||||
+++ b/bus/selinux.c |
||||
@@ -412,14 +412,14 @@ bus_selinux_full_init (void) |
||||
bus_context = NULL; |
||||
bus_sid = SECSID_WILD; |
||||
|
||||
- if (getcon (&bus_context) < 0) |
||||
+ if (getcon_raw (&bus_context) < 0) |
||||
{ |
||||
_dbus_verbose ("Error getting context of bus: %s\n", |
||||
_dbus_strerror (errno)); |
||||
return FALSE; |
||||
} |
||||
|
||||
- if (avc_context_to_sid (bus_context, &bus_sid) < 0) |
||||
+ if (avc_context_to_sid_raw (bus_context, &bus_sid) < 0) |
||||
{ |
||||
_dbus_verbose ("Error getting SID from bus context: %s\n", |
||||
_dbus_strerror (errno)); |
||||
@@ -713,7 +713,7 @@ bus_selinux_append_context (DBusMessage *message, |
||||
#ifdef HAVE_SELINUX |
||||
char *context; |
||||
|
||||
- if (avc_sid_to_context (SELINUX_SID_FROM_BUS (sid), &context) < 0) |
||||
+ if (avc_sid_to_context_raw (SELINUX_SID_FROM_BUS (sid), &context) < 0) |
||||
{ |
||||
if (errno == ENOMEM) |
||||
BUS_SET_OOM (error); |
||||
@@ -766,7 +766,7 @@ bus_connection_read_selinux_context (DBusConnection *connection, |
||||
return FALSE; |
||||
} |
||||
|
||||
- if (getpeercon (fd, con) < 0) |
||||
+ if (getpeercon_raw (fd, con) < 0) |
||||
{ |
||||
_dbus_verbose ("Error getting context of socket peer: %s\n", |
||||
_dbus_strerror (errno)); |
||||
@@ -901,7 +901,7 @@ bus_selinux_init_connection_id (DBusConnection *connection, |
||||
|
||||
_dbus_verbose ("Converting context to SID to store on connection\n"); |
||||
|
||||
- if (avc_context_to_sid (con, &sid) < 0) |
||||
+ if (avc_context_to_sid_raw (con, &sid) < 0) |
||||
{ |
||||
if (errno == ENOMEM) |
||||
BUS_SET_OOM (error); |
||||
-- |
||||
2.7.4 |
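Review bot: Switching `avc_sid_to_context` to `avc_sid_to_context_raw` in `bus_selinux_append_context` changes what clients receive from the bus: the security context is now returned untranslated (the raw label rather than the mcstrans-translated form), which any client that compares or displays that string will notice, and the commit message only covers the internal credential checks, so it should state this externally visible effect. Raw and translated forms must also be used consistently everywhere a context is turned into a SID or compared, so any `getcon`, `getpeercon` or `avc_context_to_sid` call in `bus/selinux.c` that is not in this diff would now mix representations; the hunks cover five sites but cannot show whether others remain. A short comment at `bus_selinux_full_init`, e.g. `/* Raw contexts throughout: never mix with translated (mcstrans) forms */`, would record the invariant. All four functions touched here begin outside their hunks.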