luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2024-11-10 03:16:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'wip/smcv/gdbus-cross-namespace' into 'main'

Browse Source 
GDBus: Use namespace-friendly protocol for Linux message buses, and optionally other connections

See merge request GNOME/glib!2832
This commit is contained in:
Philip Withnall 2022-07-24 22:55:08 +00:00
commit 196e3605aa
10 changed files with 70 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
gio/gdbusauth.c
View File

@ -417,6 +417,7 @@ hexdecode (const gchar *str,
static GDBusAuthMechanism *
client_choose_mech_and_send_initial_response (GDBusAuth *auth,
GCredentials *credentials_that_were_sent,
GDBusConnectionFlags conn_flags,
const gchar* const *supported_auth_mechs,
GPtrArray *attempted_auth_mechs,
GDataOutputStream *dos,
@ -507,6 +508,7 @@ client_choose_mech_and_send_initial_response (GDBusAuth *auth,
initial_response_len = 0;
initial_response = _g_dbus_auth_mechanism_client_initiate (mech,
conn_flags,
&initial_response_len);
#if 0
g_printerr ("using auth mechanism with name '%s' of type '%s' with initial response '%s'\n",
@ -556,6 +558,7 @@ typedef enum
gchar *
_g_dbus_auth_run_client (GDBusAuth *auth,
GDBusAuthObserver *observer,
GDBusConnectionFlags conn_flags,
GDBusCapabilityFlags offered_capabilities,
GDBusCapabilityFlags *out_negotiated_capabilities,
GCancellable *cancellable,
@ -574,6 +577,9 @@ _g_dbus_auth_run_client (GDBusAuth *auth,
ClientState state;
GDBusCapabilityFlags negotiated_capabilities;
g_return_val_if_fail ((conn_flags & G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT), NULL);
g_return_val_if_fail (!(conn_flags & G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_SERVER), NULL);
debug_print ("CLIENT: initiating");
_g_dbus_auth_add_mechs (auth, observer);
@ -667,6 +673,7 @@ _g_dbus_auth_run_client (GDBusAuth *auth,
g_free (line);
mech = client_choose_mech_and_send_initial_response (auth,
credentials,
conn_flags,
(const gchar* const *) supported_auth_mechs,
attempted_auth_mechs,
dos,

1
gio/gdbusauth.h
View File

@ -78,6 +78,7 @@ gboolean _g_dbus_auth_run_server (GDBusAuth *auth,
gchar *_g_dbus_auth_run_client (GDBusAuth *auth,
GDBusAuthObserver *observer,
GDBusConnectionFlags conn_flags,
GDBusCapabilityFlags offered_capabilities,
GDBusCapabilityFlags *out_negotiated_capabilities,
GCancellable *cancellable,

6
gio/gdbusauthmechanism.c
View File

@ -301,11 +301,13 @@ _g_dbus_auth_mechanism_client_get_state (GDBusAuthMechanism *mechanism)
}
gchar *
_g_dbus_auth_mechanism_client_initiate (GDBusAuthMechanism *mechanism,
gsize *out_initial_response_len)
_g_dbus_auth_mechanism_client_initiate (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len)
{
g_return_val_if_fail (G_IS_DBUS_AUTH_MECHANISM (mechanism), NULL);
return G_DBUS_AUTH_MECHANISM_GET_CLASS (mechanism)->client_initiate (mechanism,
conn_flags,
out_initial_response_len);
}

2
gio/gdbusauthmechanism.h
View File

@ -93,6 +93,7 @@ struct _GDBusAuthMechanismClass
/* functions for client-side authentication */
GDBusAuthMechanismState (*client_get_state) (GDBusAuthMechanism *mechanism);
gchar *(*client_initiate) (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len);
void (*client_data_receive) (GDBusAuthMechanism *mechanism,
const gchar *data,
@ -140,6 +141,7 @@ void _g_dbus_auth_mechanism_server_shutdown (GDBus
GDBusAuthMechanismState _g_dbus_auth_mechanism_client_get_state (GDBusAuthMechanism *mechanism);
gchar *_g_dbus_auth_mechanism_client_initiate (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len);
void _g_dbus_auth_mechanism_client_data_receive (GDBusAuthMechanism *mechanism,
const gchar *data,

2
gio/gdbusauthmechanismanon.c
View File

@ -60,6 +60,7 @@ static gchar *mechanism_server_get_reject_reason (GDBusAuthMe
static void mechanism_server_shutdown (GDBusAuthMechanism *mechanism);
static GDBusAuthMechanismState mechanism_client_get_state (GDBusAuthMechanism *mechanism);
static gchar *mechanism_client_initiate (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len);
static void mechanism_client_data_receive (GDBusAuthMechanism *mechanism,
const gchar *data,
@ -261,6 +262,7 @@ mechanism_client_get_state (GDBusAuthMechanism *mechanism)
static gchar *
mechanism_client_initiate (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len)
{
GDBusAuthMechanismAnon *m = G_DBUS_AUTH_MECHANISM_ANON (mechanism);

58
gio/gdbusauthmechanismexternal.c
View File

@ -68,6 +68,7 @@ static gchar *mechanism_server_get_reject_reason (GDBusAuthMe
static void mechanism_server_shutdown (GDBusAuthMechanism *mechanism);
static GDBusAuthMechanismState mechanism_client_get_state (GDBusAuthMechanism *mechanism);
static gchar *mechanism_client_initiate (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len);
static void mechanism_client_data_receive (GDBusAuthMechanism *mechanism,
const gchar *data,
@ -360,38 +361,51 @@ mechanism_client_get_state (GDBusAuthMechanism *mechanism)
static gchar *
mechanism_client_initiate (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len)
{
GDBusAuthMechanismExternal *m = G_DBUS_AUTH_MECHANISM_EXTERNAL (mechanism);
gchar *initial_response = NULL;
#if defined(G_OS_UNIX)
GCredentials *credentials;
#endif
g_return_val_if_fail (G_IS_DBUS_AUTH_MECHANISM_EXTERNAL (mechanism), NULL);
g_return_val_if_fail (!m->priv->is_server && !m->priv->is_client, NULL);
m->priv->is_client = TRUE;
m->priv->state = G_DBUS_AUTH_MECHANISM_STATE_REJECTED;
m->priv->state = G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA;
*out_initial_response_len = 0;
/* return the uid */
if (conn_flags & G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE)
{
/* If backwards-compatibility with GDBus servers < 2.73.3 is not a
* concern, we do not send an initial response, because there is
* no way to express an empty authorization identity this way.
* Instead, we'll reply to the server's first (empty) challenge
* with an empty authorization identity in our first response. */
g_debug ("Using cross-namespace EXTERNAL authentication (this will deadlock if server is GDBus < 2.73.3)");
}
else
{
/* Send the Unix uid or Windows SID as an initial response.
* This is the only thing that is interoperable with GDBus 2.73.3
* servers. */
#if defined(G_OS_UNIX)
credentials = _g_dbus_auth_mechanism_get_credentials (mechanism);
g_assert (credentials != NULL);
GCredentials *credentials;
initial_response = g_strdup_printf ("%" G_GINT64_FORMAT, (gint64) g_credentials_get_unix_user (credentials, NULL));
credentials = _g_dbus_auth_mechanism_get_credentials (mechanism);
g_assert (credentials != NULL);
initial_response = g_strdup_printf ("%" G_GINT64_FORMAT, (gint64) g_credentials_get_unix_user (credentials, NULL));
#elif defined(G_OS_WIN32)
initial_response = _g_win32_current_process_sid_string (NULL);
initial_response = _g_win32_current_process_sid_string (NULL);
#else
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic warning "-Wcpp"
#warning Dont know how to send credentials on this OS. The EXTERNAL D-Bus authentication mechanism will not work.
#pragma GCC diagnostic pop
#endif
/* GDBus < 2.73.3 servers can't have worked on this platform anyway,
* so it isn't a regression to behave as though
* G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE had been set. */
g_debug ("Unknown platform, cannot use initial response in EXTERNAL");
#endif
}
if (initial_response)
{
m->priv->state = G_DBUS_AUTH_MECHANISM_STATE_ACCEPTED;
@ -411,8 +425,9 @@ mechanism_client_data_receive (GDBusAuthMechanism *mechanism,
g_return_if_fail (m->priv->is_client && !m->priv->is_server);
g_return_if_fail (m->priv->state == G_DBUS_AUTH_MECHANISM_STATE_WAITING_FOR_DATA);
/* can never end up here because we are never in the WAITING_FOR_DATA state */
g_assert_not_reached ();
/* The server sent us a challenge, which should normally
* be empty. We respond with our authorization identity. */
m->priv->state = G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND;
}
static gchar *
@ -425,10 +440,11 @@ mechanism_client_data_send (GDBusAuthMechanism *mechanism,
g_return_val_if_fail (m->priv->is_client && !m->priv->is_server, NULL);
g_return_val_if_fail (m->priv->state == G_DBUS_AUTH_MECHANISM_STATE_HAVE_DATA_TO_SEND, NULL);
/* can never end up here because we are never in the HAVE_DATA_TO_SEND state */
g_assert_not_reached ();
return NULL;
/* We respond to the server's challenge by sending our
* authorization identity, which is the empty string, meaning
* whoever the out-of-band credentials say we are. */
*out_data_len = 0;
return g_strdup ("");
}
static void

2
gio/gdbusauthmechanismsha1.c
View File

@ -119,6 +119,7 @@ static gchar *mechanism_server_get_reject_reason (GDBusAuthMe
static void mechanism_server_shutdown (GDBusAuthMechanism *mechanism);
static GDBusAuthMechanismState mechanism_client_get_state (GDBusAuthMechanism *mechanism);
static gchar *mechanism_client_initiate (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len);
static void mechanism_client_data_receive (GDBusAuthMechanism *mechanism,
const gchar *data,
@ -1160,6 +1161,7 @@ mechanism_client_get_state (GDBusAuthMechanism *mechanism)
static gchar *
mechanism_client_initiate (GDBusAuthMechanism *mechanism,
GDBusConnectionFlags conn_flags,
gsize *out_initial_response_len)
{
GDBusAuthMechanismSha1 *m = G_DBUS_AUTH_MECHANISM_SHA1 (mechanism);

4
gio/gdbusconnection.c
View File

@ -2569,6 +2569,7 @@ initable_init (GInitable *initable,
connection->auth = _g_dbus_auth_new (connection->stream);
connection->guid = _g_dbus_auth_run_client (connection->auth,
connection->authentication_observer,
connection->flags,
get_offered_capabilities_max (connection),
&connection->capabilities,
cancellable,
@ -7368,6 +7369,9 @@ get_uninitialized_connection (GBusType bus_type,
ret = g_object_new (G_TYPE_DBUS_CONNECTION,
"address", address,
"flags", G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT |
#ifdef __linux__
G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE |
#endif
G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION,
"exit-on-close", TRUE,
NULL);

9
gio/gioenums.h
View File

@ -1216,6 +1216,12 @@ typedef enum
* delayed until g_dbus_connection_start_message_processing() is called.
* @G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_REQUIRE_SAME_USER: When authenticating
* as a server, require the UID of the peer to be the same as the UID of the server. (Since: 2.68)
* @G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE: When authenticating, try to use
* protocols that work across a Linux user namespace boundary, even if this
* reduces interoperability with older D-Bus implementations. This currently
* affects client-side `EXTERNAL` authentication, for which this flag makes
* connections to a server in another user namespace succeed, but causes
* a deadlock when connecting to a GDBus server older than 2.73.3. Since: 2.74
*
* Flags used when creating a new #GDBusConnection.
*
@ -1228,7 +1234,8 @@ typedef enum {
G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS = (1<<2),
G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION = (1<<3),
G_DBUS_CONNECTION_FLAGS_DELAY_MESSAGE_PROCESSING = (1<<4),
G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_REQUIRE_SAME_USER GLIB_AVAILABLE_ENUMERATOR_IN_2_68 = (1<<5)
G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_REQUIRE_SAME_USER GLIB_AVAILABLE_ENUMERATOR_IN_2_68 = (1<<5),
G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE GLIB_AVAILABLE_ENUMERATOR_IN_2_74 = (1<<6)
} GDBusConnectionFlags;
/**

3
gio/tests/gdbus-connection.c
View File

@ -1234,6 +1234,9 @@ test_connection_basic (void)
flags == G_DBUS_CAPABILITY_FLAGS_UNIX_FD_PASSING);
connection_flags = g_dbus_connection_get_flags (connection);
/* Ignore G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE, it's an
* implementation detail whether we set it */
connection_flags &= ~G_DBUS_CONNECTION_FLAGS_CROSS_NAMESPACE;
g_assert_cmpint (connection_flags, ==,
G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT |
G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION);