Commit Graph

21761 Commits

Author SHA1 Message Date
Philip Withnall
dd5132e041 tests: Tidy up GError assignment
No need to clear it to NULL before every time it’s used, since we assert
that it’s never set.

This introduces no functional changes.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-30 15:19:34 +00:00
Simon McVittie
2b1e706b2f gdbus-server-auth test: Create temporary directory for Unix socket
This avoids failure to listen on the given address on non-Linux Unix
kernels, where abstract sockets do not exist and so unix:tmpdir is
equivalent to unix:dir.

To avoid bugs like this one recurring, run most of these tests using
the unix:dir address type, where Linux is equivalent to other Unix
kernels; just do one unix:tmpdir test, to check that we still
interoperate with libdbus when using abstract sockets on Linux.

Resolves: GNOME/glib#1920
Fixes: 9f962ebe "Add a test for GDBusServer authentication"
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-29 16:36:19 +00:00
Simon McVittie
bab277fd50 gdbus-peer test: Use unix:dir address if exact format doesn't matter
Previously, we used unix:tmpdir, except in tests that verify that a
particular address type works (notably unix:dir). Now we use unix:dir
most of the time, and unix:tmpdir gets its own test instead.

This helps to ensure that the tests continue to work on non-Linux Unix
kernels, where abstract sockets do not exist and so unix:tmpdir is
equivalent to unix:dir, even in the common case where the developer has
only tried the test on Linux.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-29 16:35:46 +00:00
Simon McVittie
7c2e4095f4 gdbus-peer test: Stop GDBusServer before tearing down temporary directory
Otherwise, since GNOME/glib!1193, the listening socket won't be deleted,
and if we are not using abstract sockets (for example on *BSD), g_rmdir
will fail with ENOTEMPTY.

Fixes: 8e32b8e8 "gdbusserver: Delete socket and nonce file when stopping server"
Resolves: GNOME/glib#1921
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-29 16:35:06 +00:00
Simon McVittie
e1b7b1ac16 gdbus-peer test: Improve diagnostics if g_rmdir fails
Helps: GNOME/glib#1921
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-29 16:35:04 +00:00
Daniel Mustieles
0e1549eb20 Updated Spanish translation
2019-10-29 15:32:26 +01:00
Simon McVittie
4e8d058828 Merge branch '1912-gdbus-peer-test' into 'master'
tests: Isolate directories in gdbus-peer test

Closes #1912

See merge request GNOME/glib!1192
2019-10-29 08:37:22 +00:00
Simon McVittie
714f9f92b7 Merge branch '1318-dbus-server-race' into 'master'
gdbusserver: Keep a strong reference to the server in callbacks

Closes #1318

See merge request GNOME/glib!1193
2019-10-29 08:28:56 +00:00
Philip Withnall
0c07e672a2 gdbusserver: Keep a strong reference to the server in callbacks
The `on_run()` function could be executed in any worker thread from the
`GThreadedSocketListener`, but didn’t previously hold a strong reference
to the `GDBusServer`, which meant the server could be finalised in
another thread while `on_run()` was still running.

This was not ideal.

Hold a strong reference to the `GDBusServer` while the socket listener
is listening, i.e. between every paired call to `g_dbus_server_start()`
and `g_dbus_server_stop()`.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1318
2019-10-28 20:47:04 +00:00
Philip Withnall
8e32b8e87f gdbusserver: Delete socket and nonce file when stopping server
Rather than when finalising it. They should be automatically recreated
if the server is re-started.

This is important for ensuring that all externally visible behaviour of
the `GDBusServer` is synchronised with calls to
g_dbus_server_{start,stop}(). Finalisation of the server object could
happen an arbitrarily long time after g_dbus_server_stop() is called.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1318
2019-10-28 20:47:04 +00:00
Philip Withnall
d44e00fb98 Merge branch 'issue1831' into 'master'
Avoid race condition authenticating GDBusServer with libdbus client (#1831)

Closes #1831

See merge request GNOME/glib!1176
2019-10-28 20:44:30 +00:00
Simon McVittie
0655eac0ee Merge branch 'ci-libdbus' into 'master'
ci: Add libdbus development files to CI Docker images

See merge request GNOME/glib!1177
2019-10-28 20:39:22 +00:00
Simon McVittie
9a43def9ef Merge branch '954-spawn-poll' into 'master'
gspawn: Port to g_poll() from select()

Closes #954

See merge request GNOME/glib!1183
2019-10-28 20:37:18 +00:00
Philip Withnall
6fb38c3f25 tests: Isolate directories in gdbus-peer test
So that the tests all end up using separate `.dbus-keyring` directories,
and hence not racing to create and acquire lock files, use
`G_TEST_OPTION_ISOLATE_DIRS` to ensure they all run in separate
disposable directories.

This has the added benefit of meaning they don’t touch the developer’s
actual `$HOME` directory.

This reduces the false-failure rate of `gdbus-peer` by a factor of 9 for
me on my local machine.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1912
2019-10-28 20:36:51 +00:00
Philip Withnall
833579d982 tests: Move main loop and test GUID into test functions in gdbus-peer
There’s actually no need for them to be global or reused between unit
tests, so move them inside the test functions.

This is one step towards eliminating shared state between the unit
tests.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1912
2019-10-28 20:17:07 +00:00
Philip Withnall
9df8d76c97 gdbusauthmechanismsha1: Create .dbus-keyrings directory recursively
If the directory is overridden, for example when running tests, the
parent directory of `.dbus-keyrings` (i.e. the fake `$HOME` directory)
might not exist. Create it automatically.

This should realistically not have an effect on non-test code.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1912
2019-10-28 20:17:07 +00:00
Philip Withnall
ef3eec8a28 gdbusauthmechanismsha1: Remove unnecessary g_warning() calls
These can be hit in the tests (if multiple tests run in parallel are
racing for `~/.dbus-keyrings/org_gtk_gdbus_general.lock` for a prolonged
period) and will cause spurious test failures due to the use of
`G_DEBUG=fatal-warnings`.

Instead, allow the error messages to be inspected programmatically.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1912
2019-10-28 20:17:07 +00:00
Simon McVittie
61f693fb21 Merge branch '1916-objcopy-cross-compilation' into 'master'
tests: Use objcopy from the cross-compilation file, if configured

Closes #1916

See merge request GNOME/glib!1188
2019-10-28 20:06:50 +00:00
Simon McVittie
434dbf0823 Merge branch '1897-assert-cmpmem-nonnull' into 'master'
gtestutils: Add additional non-NULL check in g_assert_cmpmem()

Closes #1897

See merge request GNOME/glib!1191
2019-10-28 20:01:44 +00:00
Simon McVittie
9f962ebeac Add a test for GDBusServer authentication
In particular, if libdbus is available, we test interoperability with
a libdbus client: see GNOME/glib#1831. Because that issue describes a
race condition, we do each test repeatedly to try to hit the failing
case.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-28 19:56:47 +00:00
Simon McVittie
ee502dbbe8 GDBus: prefer getsockopt()-style credentials-passing APIs
Conceptually, a D-Bus server is really trying to determine the credentials
of (the process that initiated) a connection, not the credentials that
the process had when it sent a particular message. Ideally, it does
this with a getsockopt()-style API that queries the credentials of the
connection's initiator without requiring any particular cooperation from
that process, avoiding a class of possible failures.

The leading '\0' in the D-Bus protocol is primarily a workaround
for platforms where the message-based credentials-passing API is
strictly better than the getsockopt()-style API (for example, on
FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not),
or where the getsockopt()-style API does not exist at all. As a result
libdbus, the reference implementation of D-Bus, does not implement
Linux SCM_CREDENTIALS at all - it has no reason to do so, because the
SO_PEERCRED socket option is equally informative.

This change makes GDBusServer on Linux more closely match the behaviour
of libdbus.

In particular, GNOME/glib#1831 indicates that when a libdbus client
connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS
message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is
most likely a race condition in the early steps to connect:

        client           server
    connect
                         accept
    send '\0' <- race -> set SO_PASSCRED = 1
                         receive '\0'

If the server wins the race:

        client           server
    connect
                         accept
                         set SO_PASSCRED = 1
    send '\0'
                         receive '\0'

then everything is fine. However, if the client wins the race:

        client           server
    connect
                         accept
    send '\0'
                         set SO_PASSCRED = 1
                         receive '\0'

then the kernel does not record credentials for the message containing
'\0' (because SO_PASSCRED was 0 at the time). However, by the time the
server receives the message, the kernel knows that credentials are
desired. I would have expected the kernel to omit the credentials header
in this case, but it seems that instead, it synthesizes a credentials
structure with a dummy process ID 0, a dummy uid derived from
/proc/sys/kernel/overflowuid and a dummy gid derived from
/proc/sys/kernel/overflowgid.

In an unconfigured GDBusServer, hitting this race condition results in
falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually
succeeds in authenticating the peer's uid. However, we encourage AF_UNIX
servers on Unix platforms to allow only EXTERNAL authentication as a
security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series
of assumptions including a cryptographically strong PRNG and a shared
home directory with no write access by others, which are not necessarily
true for all operating systems and users. EXTERNAL authentication will
fail if the server cannot determine the client's credentials.

In particular, this caused a regression when CVE-2019-14822 was fixed
in ibus, which appears to be resolved by this commit. Qt clients
(which use libdbus) intermittently fail to connect to an ibus server
(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1
authentication or non-matching uids.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831
2019-10-28 19:56:00 +00:00
Simon McVittie
1485a97d80 credentials: Invalid Linux struct ucred means "no information"
On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one
might expect it to fail with an appropriate error like ENOTSUP or
EPROTONOSUPPORT. However, it appears that in fact it succeeds, but
yields a credentials structure with pid 0, uid -1 and gid -1. These
are not real process, user and group IDs that can be allocated to a
real process (pid 0 needs to be reserved to give kill(0) its documented
special semantics, and similarly uid and gid -1 need to be reserved for
setresuid() and setresgid()) so it is not meaningful to signal them to
high-level API users.

An API user with Linux-specific knowledge can still inspect these fields
via g_credentials_get_native() if desired.

Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message
on a receiving Unix socket, but the sending socket had not enabled
SO_PASSCRED at the time that the message was sent, it is possible
for it to succeed but yield a credentials structure with pid 0, uid
/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even
if we were to read those pseudo-files, we cannot distinguish between
the overflow IDs and a real process that legitimately has the same IDs
(typically they are set to 'nobody' and 'nogroup', which can be used
by a real process), so we detect this situation by noticing that
pid == 0, and to save syscalls we do not read the overflow IDs from
/proc at all.

This results in a small API change: g_credentials_is_same_user() now
returns FALSE if we compare two credentials structures that are both
invalid. This seems like reasonable, conservative behaviour: if we cannot
prove that they are the same user, we should assume they are not.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-28 19:55:47 +00:00
Simon McVittie
ef1035d9d8 gcredentialsprivate: Document the various private macros
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-28 19:54:08 +00:00
Emmanuele Bassi
1ad64e183f Merge branch '1911-flags-enums-leak' into 'master'
gparamspecs: Fix type class leaks on error handling paths

See merge request GNOME/glib!1189
2019-10-28 19:53:38 +00:00
Philip Withnall
22cf2c8f4c gtestutils: Add additional non-NULL check in g_assert_cmpmem()
The compiler can’t work out from the combination of other conditions
that it’s not possible for (m2 == NULL) to hold true when memcmp() is
called, so add an explicit condition.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1897
2019-10-28 17:36:36 +00:00
Philip Withnall
c73bd53eb8 Merge branch 'fbsd_build' into 'master'
Update documentation with FreeBSD build instructions

See merge request GNOME/glib!1120
2019-10-28 17:26:26 +00:00
Philip Withnall
1a3bba4670 gparamspecs: Fix type class leaks on error handling paths
Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1911
2019-10-28 14:57:33 +00:00
Philip Withnall
57aaee76d5 docs: Add objcopy to example cross-compilation file
Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1916
2019-10-28 12:11:12 +00:00
Philip Withnall
2d2e96dc51 tests: Use objcopy from the cross-compilation file, if configured
Otherwise we’ll end up using the host’s `objcopy`, which will output
object files in the wrong format.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1916
2019-10-28 12:08:48 +00:00
Emmanuele Bassi
ca1dbb38d8 tests: Do not init the default value
The call to g_param_value_set_default() will do that for us, now.
2019-10-26 14:06:31 +01:00
Emmanuele Bassi
f7824da85f Do not validate a GValue initialized with the default
There's really no point in going through validation, if we know the
value we're validating is coming straight from the GParamSpec.
2019-10-26 14:04:26 +01:00
Emmanuele Bassi
6ad799ac67 Constify g_param_value_defaults() argument
The GValue we pass in is supposed to not be modified by the GParamSpec.
2019-10-26 14:03:16 +01:00
Emmanuele Bassi
47d558baa7 Allow passing empty GValue to g_param_value_set_default()
Since we have the type of the GValue we're going to initialize, we can
allow passing an empty (but valid) GValue when retrieving the default
value of a GParamSpec.

This will eliminate additional checks and an unnecessary reset.
2019-10-26 14:01:16 +01:00
Philip Withnall
1bebba0430 Merge branch 'ossfuzz-10286-variant-parser-recursion' into 'master'
gvariant: Limit recursion in g_variant_parse()

See merge request GNOME/glib!1173
2019-10-25 17:44:24 +00:00
Philip Withnall
f343ec5f82 Merge branch 'gtimezone' into 'master'
syscall flood on every time*() function call

See merge request GNOME/glib!1105
2019-10-25 17:27:49 +00:00
rim
551e83662d gtimezone: Cache UTC and local TZ indefinitely
Previously, these GTimeZone objects were being cached in the `time_zones` cache, but dropped from it when their final ref was dropped (which was frequently). That meant additional reads of `/etc/localtime` next time they were created, which was noticeable on profiles. Keep a permanent ref to the UTC and local timezones.
2019-10-25 17:27:49 +00:00
Philip Withnall
a7242d4a5e gspawn: Port to g_poll() from select()
This removes the limitation of select() that only FDs with values lower
than FD_SETSIZE can be used. Previously, if the out/err pipe FDs had
high values (which could happen if a large process, like Firefox, was
spawning subprocesses while having a lot of FDs open), GLib would abort
due to an assertion failure in libc.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #954
2019-10-25 16:36:45 +01:00
Sebastian Dröge
5e17a98d19 Merge branch 'source-thread-safety-docs' into 'master'
gmain: Clarify thread safety of some common GSource functions

See merge request GNOME/glib!1181
2019-10-25 14:16:34 +00:00
Sebastian Dröge
ab98d4e285 Merge branch 'wip/hadess/fix-api-docs-typo' into 'master'
gio: Fix typo in URL

See merge request GNOME/glib!1182
2019-10-25 13:35:37 +00:00
Bastien Nocera
0d3b1d55e9 gio: Fix typo in URL
Left-over quote in URL.
2019-10-25 15:09:08 +02:00
Philip Withnall
ca4dace62b gmain: Clarify thread safety of some common GSource functions
See https://stackoverflow.com/q/58555626/2931197.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-25 12:13:31 +01:00
Sebastian Dröge
2e9b2761d6 Merge branch 'main-context-pusher' into 'master'
gmain: Add GMainContextPusher convenience API

See merge request GNOME/glib!983
2019-10-24 11:58:34 +00:00
Sebastian Dröge
05be19b9f7 Merge branch 'wip/smcv/array-memcpy-ub' into 'master'
array: Avoid use of memcpy(dest, NULL, 0)

See merge request GNOME/glib!1180
2019-10-24 11:49:09 +00:00
Philip Withnall
d62c1dad22 Merge branch 'wip/array-doc-comments' into 'master'
Improve GPtrArray doc-comments

See merge request GNOME/glib!1179
2019-10-24 11:44:38 +00:00
Simon McVittie
3837b83f5a array: Avoid use of memcpy(dest, NULL, 0)
glibc declares memcpy() with the first two arguments (the pointers)
annotated as non-null via an attribute, which results in the undefined
behaviour sanitizer considering it to be UB to pass a null pointer
in the second argument, even if we are copying 0 bytes (and hence not
actually dereferencing the pointer).

This shows up in array-test when run with the undefined behaviour
sanitizer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-24 12:08:20 +01:00
Simon McVittie
acbbe7b8c4 array: Add tests based on the g_ptr_array_sort[_with_data] doc-comments
Note that I deliberately haven't used g_autoptr here, because while we
encourage GLib users to use g_autoptr in their own code, GLib itself
still supports being compiled in environments like MSVC that can't
support g_autoptr.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-24 12:02:33 +01:00
Simon McVittie
ee13eb518d array: Fix handling of user_data in doc-comment
The user_data for g_ptr_array_sort_with_data is passed directly, not
with an extra layer of pointer like the data pointers.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Fixes: 52c130f8
2019-10-24 11:57:29 +01:00
Simon McVittie
ef6fe191ac array: Remove unnecessary casts from doc-comments
Let's not encourage library users to sprinkle casts through their code
when they don't need to.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Fixes: 52c130f8
2019-10-24 11:57:13 +01:00
Jordi Mas
8a7b375216 Update Catalan translation
2019-10-23 21:58:05 +02:00
Philip Withnall
21f8f89820 gmain: Add GMainContextPusher convenience API
This is like `GMutexLocker`, in that if you are able to use
`g_autoptr()`, it makes popping a `GMainContext` off the thread-default
main context stack easier when exiting a function.

A few uses of `G_GNUC_{BEGIN,END}_IGNORE_DEPRECATIONS` are needed to
avoid warnings when building apps against GLib with
`GLIB_VERSION_MAX_ALLOWED < GLIB_VERSION_2_64`.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-23 11:35:58 +01:00