Commit Graph

21318 Commits

Author SHA1 Message Date
Philip Withnall
f371b2a9d3 Merge branch 'wip/smcv/gdbus-server-auth-test' into 'master'
gdbus-server-auth test: Include gcredentialsprivate.h

See merge request GNOME/glib!1210
2019-11-04 16:13:34 +00:00
Philip Withnall
1a53b73816 ci: Update .gitlab-ci.yml to use the latest Docker images
This is a follow-up to !1177, now that we’ve generated the new images.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-11-04 15:25:38 +00:00
Philip Withnall
8ae795ccba ci: Improve Docker building instructions slightly
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-11-04 15:25:38 +00:00
Simon McVittie
8235bbe467 gbytes: Avoid memcmp (NULL, ., 0) or memcmp (., NULL, 0)
Similar to 3837b83f, glibc memcmp is declared with the first two
arguments annotated as non-null via an attribute, which results in the
undefined behaviour sanitizer considering it to be UB to pass a null
pointer there (even if we are comparing 0 bytes, and hence not actually
dereferencing the pointer).

This shows up in /gvariant/serialiser/children when run with the
undefined behaviour sanitizer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-11-04 15:10:24 +00:00
Simon McVittie
2465e64c93 gvariant: Avoid memcmp (NULL, ., 0) or memcmp (., NULL, 0)
Similar to 3837b83f, glibc memcmp is declared with the first two
arguments annotated as non-null via an attribute, which results in the
undefined behaviour sanitizer considering it to be UB to pass a null
pointer there (even if we are comparing 0 bytes, and hence not actually
dereferencing the pointer).

This shows up in /gvariant/serialiser/children when run with the
undefined behaviour sanitizer.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-11-04 15:10:24 +00:00
Simon McVittie
e08dffb71b gsocket: Improve diagnostics on bind() failure
This is in an attempt to diagnose GNOME/glib#1912.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-11-04 15:09:15 +00:00
Simon McVittie
81936ca580 Make ld executable configurable
Tools like this should be configurable in a cross or native file. In
particular, if we are cross-compiling (with an executable wrapper like
qemu-arm), the build system ld is not necessarily able to manipulate
host system objects.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-11-04 15:08:33 +00:00
Simon McVittie
49eccfbe70 gdbus-server-auth test: Include gcredentialsprivate.h
Otherwise we'll never test the EXTERNAL-only mode, because that relies
on testing the private macros
G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED and
G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED.

Fixes: 9f962ebe "Add a test for GDBusServer authentication"
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-11-04 15:07:23 +00:00
Philip Withnall
6d8836515c Merge branch 'wip/smcv/gdbus-127001' into 'master'
gdbus-peer: Specifically listen on 127.0.0.1

Closes #1912

See merge request GNOME/glib!1212
2019-11-04 14:02:41 +00:00
Simon McVittie
7021b84f10 gdbus-peer: Specifically listen on 127.0.0.1
This bypasses any issues we might have with containers where IPv6 is
returned by name resolution (particularly since GNOME/glib!616) but
doesn't necessarily actually work.

This comes at a minor test-coverage cost: we don't test GDBusServer's
default behaviour when told to listen on "tcp:" or "nonce-tcp:", and
on systems where IPv6 is available, we don't test it. If we want to
do those, we should perhaps do them in separate tests, and disable
those tests when binding to ::1 doesn't work.

Mitigates: GNOME/glib#1912
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-11-04 13:31:14 +00:00
Philip Withnall
d97d4828d0 2.63.1
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-31 16:25:09 +00:00
Philip Withnall
ba29ef441b Merge branch 'wip/smcv/issue1923' into 'master'
goption: Relax assertion to avoid being broken by kdeinit5

Closes #1923

See merge request GNOME/glib!1206
2019-10-31 15:17:23 +00:00
Simon McVittie
00210aad87 goption: Relax assertion to avoid being broken by kdeinit5
kdeinit5 overwrites argv, which in turn results in /proc/self/cmdline
being overwritten. It seems that this is done in a way that does not
necessarily guarantee that /proc/self/cmdline will end up NUL-terminated.

However, g_file_get_contents() is documented to fill a buffer of size
len + 1, where buffer[len] == '\0', even if the file's actual contents
(from buffer[0] to buffer[len-1] inclusive) did not include a NUL;
so we can safely relax this assertion slightly.

Resolves: https://gitlab.gnome.org/GNOME/glib/issues/1923
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-31 13:54:51 +00:00
Philip Withnall
9b8ff414c1 Merge branch 'no-more-automatic-GUnixFDList' into 'master'
Revert "gdbus-codegen: emit GUnixFDLists if an arg has type 'h'"

See merge request GNOME/glib!1171
2019-10-31 13:42:55 +00:00
Philip Withnall
86bc43de51 Merge branch 'wip/mattiasb/gdbus-codegen-safer-headerguards' into 'master'
gdbus-codegen: Safer header guards

Closes #1379

See merge request GNOME/glib!1196
2019-10-31 13:29:18 +00:00
Mattias Bengtsson
4aaeac5b3c gdbus-codegen: Safer header guards
Whitelist a safe set of characters for use in header guards instead of
maintaining a (growing) blacklist.

The whitelist is intentionally short since reading up on all
peculiarities of the C and C++ standard for identifiers is not my idea
of fun. :)

Fixes #1379
2019-10-31 12:50:30 +00:00
Philip Withnall
623bdfd7ab Merge branch 'wip/smcv/gdbus-tests' into 'master'
Fix GDBus test failures on non-Linux (in particular FreeBSD)

Closes #1920 and #1921

See merge request GNOME/glib!1197
2019-10-31 12:38:12 +00:00
Philip Withnall
1503547766 Merge branch 'param-value-default' into 'master'
Allow using an empty GValue with g_param_value_set_default()

See merge request GNOME/glib!1186
2019-10-31 10:22:57 +00:00
Emmanuele Bassi
8b43be0f7a Merge branch 'live-file-static-analysis' into 'master'
Minor fixes from a scan-build run

See merge request GNOME/glib!1200
2019-10-30 16:23:23 +00:00
Philip Withnall
1111bc4cde gvariant-parser: Shut up a scan-build warning
Change a condition from one to an equivalent one to shut up a
`scan-build` warning about potentially dereferencing a `NULL` value.
This introduces no functional changes, as it’s not actually possible to
dereference a `NULL` value here (but `scan-build` can’t link the
nullability of `error` to the nullability of `result`).

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-30 15:37:39 +00:00
Philip Withnall
15818926b3 glocalfileinfo: Fix minor leak on error handling path for xattrs
Spotted by `scan-build`.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-30 15:35:15 +00:00
Philip Withnall
543a0c4091 tests: Fix unused variable in the threadpool-test
It looks like `continue_timeout` should be returned here, rather than
being set and never read. Spotted by `scan-build`.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-30 15:24:08 +00:00
Philip Withnall
465b4dadf3 tests: Use g_assert_*() rather than g_assert() in live-g-file test
g_assert() is compiled out by `G_DISABLE_ASSERT` and doesn’t give such
useful messages on failure.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-30 15:19:34 +00:00
Philip Withnall
c25e8ec1f2 tests: Drop pointless assignments
Or turn them into proper error checks. This shuts up some `scan-build`
warnings.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-30 15:19:34 +00:00
Philip Withnall
dd5132e041 tests: Tidy up GError assignment
No need to clear it to NULL before every time it’s used, since we assert
that it’s never set.

This introduces no functional changes.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-10-30 15:19:34 +00:00
Simon McVittie
2b1e706b2f gdbus-server-auth test: Create temporary directory for Unix socket
This avoids failure to listen on the given address on non-Linux Unix
kernels, where abstract sockets do not exist and so unix:tmpdir is
equivalent to unix:dir.

To avoid bugs like this one recurring, run most of these tests using
the unix:dir address type, where Linux is equivalent to other Unix
kernels; just do one unix:tmpdir test, to check that we still
interoperate with libdbus when using abstract sockets on Linux.

Resolves: GNOME/glib#1920
Fixes: 9f962ebe "Add a test for GDBusServer authentication"
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-29 16:36:19 +00:00
Simon McVittie
bab277fd50 gdbus-peer test: Use unix:dir address if exact format doesn't matter
Previously, we used unix:tmpdir, except in tests that verify that a
particular address type works (notably unix:dir). Now we use unix:dir
most of the time, and unix:tmpdir gets its own test instead.

This helps to ensure that the tests continue to work on non-Linux Unix
kernels, where abstract sockets do not exist and so unix:tmpdir is
equivalent to unix:dir, even in the common case where the developer has
only tried the test on Linux.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-29 16:35:46 +00:00
Simon McVittie
7c2e4095f4 gdbus-peer test: Stop GDBusServer before tearing down temporary directory
Otherwise, since GNOME/glib!1193, the listening socket won't be deleted,
and if we are not using abstract sockets (for example on *BSD), g_rmdir
will fail with ENOTEMPTY.

Fixes: 8e32b8e8 "gdbusserver: Delete socket and nonce file when stopping server"
Resolves: GNOME/glib#1921
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-29 16:35:06 +00:00
Simon McVittie
e1b7b1ac16 gdbus-peer test: Improve diagnostics if g_rmdir fails
Helps: GNOME/glib#1921
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-29 16:35:04 +00:00
Daniel Mustieles
0e1549eb20 Updated Spanish translation 2019-10-29 15:32:26 +01:00
Simon McVittie
4e8d058828 Merge branch '1912-gdbus-peer-test' into 'master'
tests: Isolate directories in gdbus-peer test

Closes #1912

See merge request GNOME/glib!1192
2019-10-29 08:37:22 +00:00
Simon McVittie
714f9f92b7 Merge branch '1318-dbus-server-race' into 'master'
gdbusserver: Keep a strong reference to the server in callbacks

Closes #1318

See merge request GNOME/glib!1193
2019-10-29 08:28:56 +00:00
Philip Withnall
0c07e672a2 gdbusserver: Keep a strong reference to the server in callbacks
The `on_run()` function could be executed in any worker thread from the
`GThreadedSocketListener`, but didn’t previously hold a strong reference
to the `GDBusServer`, which meant the server could be finalised in
another thread while `on_run()` was still running.

This was not ideal.

Hold a strong reference to the `GDBusServer` while the socket listener
is listening, i.e. between every paired call to `g_dbus_server_start()`
and `g_dbus_server_stop()`.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1318
2019-10-28 20:47:04 +00:00
Philip Withnall
8e32b8e87f gdbusserver: Delete socket and nonce file when stopping server
Rather than when finalising it. They should be automatically recreated
if the server is re-started.

This is important for ensuring that all externally visible behaviour of
the `GDBusServer` is synchronised with calls to
g_dbus_server_{start,stop}(). Finalisation of the server object could
happen an arbitrarily long time after g_dbus_server_stop() is called.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1318
2019-10-28 20:47:04 +00:00
Philip Withnall
d44e00fb98 Merge branch 'issue1831' into 'master'
Avoid race condition authenticating GDBusServer with libdbus client (#1831)

Closes #1831

See merge request GNOME/glib!1176
2019-10-28 20:44:30 +00:00
Simon McVittie
0655eac0ee Merge branch 'ci-libdbus' into 'master'
ci: Add libdbus development files to CI Docker images

See merge request GNOME/glib!1177
2019-10-28 20:39:22 +00:00
Simon McVittie
9a43def9ef Merge branch '954-spawn-poll' into 'master'
gspawn: Port to g_poll() from select()

Closes #954

See merge request GNOME/glib!1183
2019-10-28 20:37:18 +00:00
Philip Withnall
6fb38c3f25 tests: Isolate directories in gdbus-peer test
So that the tests all end up using separate `.dbus-keyring` directories,
and hence not racing to create and acquire lock files, use
`G_TEST_OPTION_ISOLATE_DIRS` to ensure they all run in separate
disposable directories.

This has the added benefit of meaning they don’t touch the developer’s
actual `$HOME` directory.

This reduces the false-failure rate of `gdbus-peer` by a factor of 9 for
me on my local machine.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1912
2019-10-28 20:36:51 +00:00
Philip Withnall
833579d982 tests: Move main loop and test GUID into test functions in gdbus-peer
There’s actually no need for them to be global or reused between unit
tests, so move them inside the test functions.

This is one step towards eliminating shared state between the unit
tests.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1912
2019-10-28 20:17:07 +00:00
Philip Withnall
9df8d76c97 gdbusauthmechanismsha1: Create .dbus-keyrings directory recursively
If the directory is overridden, for example when running tests, the
parent directory of `.dbus-keyrings` (i.e. the fake `$HOME` directory)
might not exist. Create it automatically.

This should realistically not have an effect on non-test code.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1912
2019-10-28 20:17:07 +00:00
Philip Withnall
ef3eec8a28 gdbusauthmechanismsha1: Remove unnecessary g_warning() calls
These can be hit in the tests (if multiple tests run in parallel are
racing for `~/.dbus-keyrings/org_gtk_gdbus_general.lock` for a prolonged
period) and will cause spurious test failures due to the use of
`G_DEBUG=fatal-warnings`.

Instead, allow the error messages to be inspected programmatically.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Helps: #1912
2019-10-28 20:17:07 +00:00
Simon McVittie
61f693fb21 Merge branch '1916-objcopy-cross-compilation' into 'master'
tests: Use objcopy from the cross-compilation file, if configured

Closes #1916

See merge request GNOME/glib!1188
2019-10-28 20:06:50 +00:00
Simon McVittie
434dbf0823 Merge branch '1897-assert-cmpmem-nonnull' into 'master'
gtestutils: Add additional non-NULL check in g_assert_cmpmem()

Closes #1897

See merge request GNOME/glib!1191
2019-10-28 20:01:44 +00:00
Simon McVittie
9f962ebeac Add a test for GDBusServer authentication
In particular, if libbdus is available, we test interoperability with
a libdbus client: see GNOME/glib#1831. Because that issue describes a
race condition, we do each test repeatedly to try to hit the failing
case.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-28 19:56:47 +00:00
Simon McVittie
ee502dbbe8 GDBus: prefer getsockopt()-style credentials-passing APIs
Conceptually, a D-Bus server is really trying to determine the credentials
of (the process that initiated) a connection, not the credentials that
the process had when it sent a particular message. Ideally, it does
this with a getsockopt()-style API that queries the credentials of the
connection's initiator without requiring any particular cooperation from
that process, avoiding a class of possible failures.

The leading '\0' in the D-Bus protocol is primarily a workaround
for platforms where the message-based credentials-passing API is
strictly better than the getsockopt()-style API (for example, on
FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not),
or where the getsockopt()-style API does not exist at all. As a result
libdbus, the reference implementation of D-Bus, does not implement
Linux SCM_CREDENTIALS at all - it has no reason to do so, because the
SO_PEERCRED socket option is equally informative.

This change makes GDBusServer on Linux more closely match the behaviour
of libdbus.

In particular, GNOME/glib#1831 indicates that when a libdbus client
connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS
message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is
most likely a race condition in the early steps to connect:

        client           server
    connect
                         accept
    send '\0' <- race -> set SO_PASSCRED = 1
                         receive '\0'

If the server wins the race:

        client           server
    connect
                         accept
                         set SO_PASSCRED = 1
    send '\0'
                         receive '\0'

then everything is fine. However, if the client wins the race:

        client           server
    connect
                         accept
    send '\0'
                         set SO_PASSCRED = 1
                         receive '\0'

then the kernel does not record credentials for the message containing
'\0' (because SO_PASSCRED was 0 at the time). However, by the time the
server receives the message, the kernel knows that credentials are
desired. I would have expected the kernel to omit the credentials header
in this case, but it seems that instead, it synthesizes a credentials
structure with a dummy process ID 0, a dummy uid derived from
/proc/sys/kernel/overflowuid and a dummy gid derived from
/proc/sys/kernel/overflowgid.

In an unconfigured GDBusServer, hitting this race condition results in
falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually
succeeds in authenticating the peer's uid. However, we encourage AF_UNIX
servers on Unix platforms to allow only EXTERNAL authentication as a
security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series
of assumptions including a cryptographically strong PRNG and a shared
home directory with no write access by others, which are not necessarily
true for all operating systems and users. EXTERNAL authentication will
fail if the server cannot determine the client's credentials.

In particular, this caused a regression when CVE-2019-14822 was fixed
in ibus, which appears to be resolved by this commit. Qt clients
(which use libdbus) intermittently fail to connect to an ibus server
(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1
authentication or non-matching uids.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831
2019-10-28 19:56:00 +00:00
Simon McVittie
1485a97d80 credentials: Invalid Linux struct ucred means "no information"
On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one
might expect it to fail with an appropriate error like ENOTSUP or
EPROTONOSUPPORT. However, it appears that in fact it succeeds, but
yields a credentials structure with pid 0, uid -1 and gid -1. These
are not real process, user and group IDs that can be allocated to a
real process (pid 0 needs to be reserved to give kill(0) its documented
special semantics, and similarly uid and gid -1 need to be reserved for
setresuid() and setresgid()) so it is not meaningful to signal them to
high-level API users.

An API user with Linux-specific knowledge can still inspect these fields
via g_credentials_get_native() if desired.

Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message
on a receiving Unix socket, but the sending socket had not enabled
SO_PASSCRED at the time that the message was sent, it is possible
for it to succeed but yield a credentials structure with pid 0, uid
/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even
if we were to read those pseudo-files, we cannot distinguish between
the overflow IDs and a real process that legitimately has the same IDs
(typically they are set to 'nobody' and 'nogroup', which can be used
by a real process), so we detect this situation by noticing that
pid == 0, and to save syscalls we do not read the overflow IDs from
/proc at all.

This results in a small API change: g_credentials_is_same_user() now
returns FALSE if we compare two credentials structures that are both
invalid. This seems like reasonable, conservative behaviour: if we cannot
prove that they are the same user, we should assume they are not.

Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-28 19:55:47 +00:00
Simon McVittie
ef1035d9d8 gcredentialsprivate: Document the various private macros
Signed-off-by: Simon McVittie <smcv@collabora.com>
2019-10-28 19:54:08 +00:00
Emmanuele Bassi
1ad64e183f Merge branch '1911-flags-enums-leak' into 'master'
gparamspecs: Fix type class leaks on error handling paths

See merge request GNOME/glib!1189
2019-10-28 19:53:38 +00:00
Philip Withnall
22cf2c8f4c gtestutils: Add additional non-NULL check in g_assert_cmpmem()
The compiler can’t work out from the combination of other conditions
that it’s not possible for (m2 == NULL) to hold true when memcmp() is
called, so add an explicit condition.

Signed-off-by: Philip Withnall <withnall@endlessm.com>

Fixes: #1897
2019-10-28 17:36:36 +00:00
Philip Withnall
c73bd53eb8 Merge branch 'fbsd_build' into 'master'
Update documentation with FreeBSD build instructions

See merge request GNOME/glib!1120
2019-10-28 17:26:26 +00:00