diff -Nru dbus-1.8.6/debian/changelog dbus-1.8.6/debian/changelog --- dbus-1.8.6/debian/changelog 2014-06-30 09:16:58.000000000 -0500 +++ dbus-1.8.6/debian/changelog 2014-08-15 13:38:16.000000000 -0500 @@ -1,3 +1,90 @@ +dbus (1.8.6-1ubuntu1) utopic; urgency=low + + * Resynchronize on Debian testing (LP: #1320422). Remaining Ubuntu changes: + - Install binaries into / rather than /usr: + + debian/rules: Set --exec-prefix=/ + + debian/dbus.install, debian/dbus-x11.install: Install from /bin + - Use upstart to start: + + Add debian/dbus.upstart and dbus.user-session.upstart + + debian/dbus.postinst: Use upstart call instead of invoking the init.d + script for checking if we are already running. + + debian/control: versioned dependency on netbase that emits the new + deconfiguring-networking event used in upstart script. + - 20_system_conf_limit.patch: Increase max_match_rules_per_connection for + the system bus to 5000 (LP #454093) + - 81-session.conf-timeout.patch: Raise the service startup timeout from 25 + to 60 seconds. It may be too short on the live CD with slow machines. + - debian/dbus.user-session.upstart, debian/rules: Communicate session bus + to Upstart Session Init to avoid potential out-of-memory scenario + triggered by Upstart clients that do not run main loops + (LP: #1235649, LP: #1252317). + - debian/control, debian/rules: Build against libapparmor for AppArmor + D-Bus mediation + - debian/control: Use logind for session tracking, so that "at_console" + policies work with logind instead of ConsoleKit. Add "libpam-systemd" + recommends. + - debian/rules: Adjust dbus-send path to our changed install layout. + (LP: #1325364) + - debian/dbus-Xsession: Don't start a session bus if there already is one, + i. e. $DBUS_SESSION_BUS_ADDRESS is already set. (Closes: #681241) + * Dropped changes: + - debian/control: Drop version bump on the libglib2.0-dev Build-Depends. + It is no longer needed. + - debian/control: use "Breaks: unity-services (<< 6.0.0-0ubuntu6)", the + new dbus eavedropping protection was creating issues with previous + versions. This can be dropped now since upgrades from Quantal are no + longer a concern. + - debian/control, debian/rules: The tests are not run during the build. + Configure with --disable-tests, drop the build dependencies needed for + the tests. The tests should now run with the debug build using + autopkgtest. + - 00git_logind_check.patch: Fix logind check. This change is present in + upstream dbus. + - Add 00git_sd_daemon_update.patch: Update to current sytemd upstream + sd_booted() to actually check for systemd init. This change is present + in upstream dbus. + - debian/patches/aa-build-tools.patch, debian/patches/aa-mediation.patch, + debian/patches/aa-mediate-eavesdropping.patch: Drop these patches in + favor of the latest set of patches submitted for upstream inclusion + - debian/patches/02_obsolete_g_thread_api.patch: This change is present in + upstream dbus + - 0001-activation-allow-for-more-variation-than-just-system.patch, + 0002-bus-change-systemd-activation-to-activation-systemd.patch, + 0003-upstart-add-upstart-as-a-possible-activation-type.patch, + 0004-upstart-add-UpstartJob-to-service-desktop-files.patch, + 0005-activation-implement-upstart-activation.patch: These patches have + been disabled since 12.10 so it should be safe to remove them at this + point + - debian/patches/CVE-2014-3477.patch, debian/patches/CVE-2014-3532.patch, + debian/patches/CVE-2014-3533.patch: These changes are present in + upstream dbus + * 0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch, + 0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch, + 0003-Update-autoconf-file-to-build-against-libapparmor.patch, + 0004-Add-apparmor-element-support-to-bus-config-parsing.patch, + 0005-Initialize-AppArmor-mediation.patch, + 0006-Store-AppArmor-label-of-bus-during-initialization.patch, + 0007-Store-AppArmor-label-of-connecting-processes.patch, + 0008-Mediation-of-processes-that-acquire-well-known-names.patch, + 0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch, + 0010-Mediation-of-processes-sending-and-receiving-message.patch, + 0011-Mediation-of-processes-eavesdropping.patch, + 0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch, + 0013-Add-AppArmor-support-to-GetConnectionCredentials.patch: Add the + latest set of AppArmor D-Bus mediation patches. This the v3 patch set from + the upstream feature inclusion bug. + - https://bugs.freedesktop.org/show_bug.cgi?id=75113 + * aa-get-connection-apparmor-security-context.patch: Refresh this patch so + that it compiles with latest AppArmor D-Bus mediation patches. It is not + intended for upstream inclusion. It implements a bus method + (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor + security context but upstream D-Bus has recently added a generic way of + getting a connection's security credentials (GetConnectionCredentials). + Ubuntu should carry this patch until packages in the archive are moved + over to the new, generic method of getting a connection's credentials. + + -- Tyler Hicks Fri, 15 Aug 2014 13:37:15 -0500 + dbus (1.8.6-1) unstable; urgency=high * New upstream release @@ -159,6 +246,92 @@ -- Simon McVittie Fri, 01 Nov 2013 16:30:33 +0000 +dbus (1.6.18-0ubuntu10) utopic; urgency=medium + + * Drop upstart dependency. We ship init scripts for sysv, upstart, and + systemd now. (LP: #1351306) + + -- Martin Pitt Fri, 01 Aug 2014 15:19:20 +0200 + +dbus (1.6.18-0ubuntu9) utopic; urgency=medium + + * SECURITY UPDATE: denial of service via activation errors + - debian/patches/CVE-2014-3477.patch: improve error handling in + bus/activation.*, bus/services.c. + - CVE-2014-3477 + * SECURITY UPDATE: denial of service via ETOOMANYREFS + - debian/patches/CVE-2014-3532.patch: drop message on ETOOMANYREFS in + dbus/dbus-sysdeps.*, dbus/dbus-transport-socket.c. + - CVE-2014-3532 + * SECURITY UPDATE: denial of service via invalid file descriptor + - debian/patches/CVE-2014-3533.patch: fix memory handling in + dbus/dbus-message.c. + - CVE-2014-3533 + + -- Marc Deslauriers Thu, 03 Jul 2014 08:28:23 -0400 + +dbus (1.6.18-0ubuntu8) utopic; urgency=medium + + * debian/dbus-Xsession: Don't start a session bus if there already is one, + i. e. $DBUS_SESSION_BUS_ADDRESS is already set. (Closes: #681241) + + -- Martin Pitt Tue, 03 Jun 2014 11:07:54 +0200 + +dbus (1.6.18-0ubuntu7) utopic; urgency=medium + + * debian/rules: Adjust dbus-send path to our changed install layout. + (LP: #1325364) + + -- Martin Pitt Mon, 02 Jun 2014 09:05:53 +0200 + +dbus (1.6.18-0ubuntu6) utopic; urgency=high + + * No change rebuild against new dh_installinit, to call update-rc.d at + postinst. + + -- Dimitri John Ledkov Wed, 28 May 2014 10:39:49 +0100 + +dbus (1.6.18-0ubuntu5) utopic; urgency=medium + + * Do not fail starting user-session dbus, if e.g. /home is 100% or + ~/.cache is not-writable. + * Make sure that DBUS_SESSION_ADDRESS is only exported, after the + session dbus has been launched. + + -- Dimitri John Ledkov Fri, 02 May 2014 12:00:27 +0100 + +dbus (1.6.18-0ubuntu4) trusty; urgency=medium + + * Create ~/.cache/upstart if it doesn't already exist. + Thanks to Ryan Lovett for the patch. (LP: #1300516) + + -- Stéphane Graber Tue, 01 Apr 2014 17:53:17 -0400 + +dbus (1.6.18-0ubuntu3) trusty; urgency=low + + * aa-mediate-eavesdropping.patch: Query AppArmor when confined applications + attempt to eavesdrop on the bus. See the apparmor.d(5) man page for + AppArmor syntax details. (LP: #1262440) + * debian/control: Depend on the apparmor version containing the new + eavesdrop permission + + -- Tyler Hicks Mon, 13 Jan 2014 11:45:21 -0600 + +dbus (1.6.18-0ubuntu2) trusty; urgency=low + + [ James Hunt ] + * debian/dbus.user-session.upstart: Communicate session bus to Upstart + Session Init to avoid potential out-of-memory scenario triggered by + Upstart clients that do not run main loops (LP: #1235649, LP: #1252317). + + -- Dmitrijs Ledkovs Tue, 19 Nov 2013 11:14:58 +0000 + +dbus (1.6.18-0ubuntu1) trusty; urgency=low + + * New upstream version + + -- Sebastien Bacher Mon, 11 Nov 2013 18:07:24 +0100 + dbus (1.6.16-1) unstable; urgency=low * New upstream stable release 1.6.16 @@ -185,6 +358,124 @@ -- Simon McVittie Wed, 12 Jun 2013 14:38:34 +0100 +dbus (1.6.12-0ubuntu10) saucy; urgency=low + + * debian/patches/aa-mediation.patch: Attempt to open() the mask file in + apparmorfs/features/dbus rather than simply stat() the dbus directory. + This is an important difference because AppArmor does not mediate the + stat() syscall. This resulted in problems in an environment where + dbus-daemon, running inside of an LXC container, did not have the + necessary AppArmor rules to access apparmorfs but the stat() succeeded + so mediation was not properly disabled. (LP: #1238267) + This problem was exposed after dropping aa-kernel-compat-check.patch + because the compat check was an additional check that performed a test + query. The test query was failing in the above scenario, which did result + in mediation being disabled. + * debian/patches/aa-get-connection-apparmor-security-context.patch, + debian/patches/aa-mediate-eavesdropping.patch: Refresh these patches to + accomodate the above change + + -- Tyler Hicks Thu, 10 Oct 2013 10:40:26 -0700 + +dbus (1.6.12-0ubuntu9) saucy; urgency=low + + * debian/patches/aa-mediate-eavesdropping.patch: Fix a regression that + caused dbus-daemon to segfault when AppArmor mediation is disabled, or + unsupported by the kernel, and an application attempts to eavesdrop + (LP: #1237059) + + -- Tyler Hicks Tue, 08 Oct 2013 17:58:36 -0700 + +dbus (1.6.12-0ubuntu8) saucy; urgency=low + + * debian/patches/aa-kernel-compat-check.patch: Drop this patch. It was a + temporary compatibility check to paper over incompatibilities between + dbus-daemon, libapparmor, and the AppArmor kernel code while AppArmor + D-Bus mediation was in development. + * debian/patches/aa-mediation.patch: Fix a bug that resulted in all actions + denied by AppArmor to be audited. Auditing such actions is the default, + but it should be possible to quiet audit messages by using the "deny" + AppArmor rule modifier. (LP: #1226356) + * debian/patches/aa-mediation.patch: Fix a bug in the code that builds + AppArmor queries for the process that is receiving a message. The + message's destination was being used, as opposed to the message's source, + as the peer name in the query string. (LP: #1233895) + * debian/patches/aa-mediate-eavesdropping.patch: Don't allow applications + that are confined by AppArmor to eavesdrop. Ideally, this would be + configurable with AppArmor policy, but the parser does not yet support + any type of eavesdropping permission. For now, confined applications will + simply not be allowed to eavesdrop. (LP: #1229280) + + -- Tyler Hicks Fri, 04 Oct 2013 09:59:21 -0700 + +dbus (1.6.12-0ubuntu7) saucy; urgency=low + + * Enable log output in session dbus upstart job. + + -- Dmitrijs Ledkovs Fri, 04 Oct 2013 10:21:15 +0100 + +dbus (1.6.12-0ubuntu6) saucy; urgency=low + + * Specify --fork to dbus-daemon in upstart user-session mode, to get the + daemon readiness information and emit started dbus, when dbus is + actually ready to operate. (LP: #1234731) + + -- Dmitrijs Ledkovs Thu, 03 Oct 2013 17:32:15 +0100 + +dbus (1.6.12-0ubuntu5) saucy; urgency=low + + * Add support for mediation of D-Bus messages and services. AppArmor D-Bus + rules are described in the apparmor.d(5) man page. dbus-daemon will use + libapparmor to perform queries against the AppArmor policies to determine + if a connection should be able to send messages to another connection, if + a connection should be able to receive messages from another connection, + and if a connection should be able to bind to a well-known name. + - debian/patches/aa-build-tools.patch: Update build files to detect and + build against libapparmor + - debian/patches/aa-mediation.patch: Support AppArmor mediation of D-Bus + messages and services. By default, AppArmor mediation is enabled if + AppArmor is available. To disable AppArmor mediation, place + '' in each bus configuration file. See the + dbus-daemon(1) man page for more details. + - debian/patches/aa-get-connection-apparmor-security-context.patch: Add an + org.freedesktop.DBus.GetConnectionAppArmorSecurityContext method that + takes the unique name of a connection as input and returns the AppArmor + label attached to the connection + - debian/patches/aa-kernel-compat-check.patch: Perform a compatibility + check of dbus, libapparmor, and the AppArmor kernel code during + initialization to determine if everything is in place to perform + AppArmor mediation. This is a temporary patch to overcome some potential + incompatabilities during the Saucy development release and should be + dropped prior to Saucy's release. + - debian/control: Add libapparmor-dev as a Build-Depends + - debian/rules: Specify that D-Bus should be built against libapparmor + during the configure stage of the build + * debian/patches/aa-mediation.patch: Clean up the AppArmor initialization + - Don't treat any errors from aa_is_enabled() as fatal unless the AppArmor + D-Bus mode is set to "required". This should fix errors when various + test cases need to start dbus-daemon on buildds. (LP: #1217598) + - Don't print to stderr during initialization unless an error has + occurred (LP: #1217710) + - Don't redefine _dbus_warn() to syslog(). A previous comment left in the + code suggested that _dbus_warn() caused segfaults. Testing proves that + is not the case. + * debian/patches/aa-get-connection-apparmor-security-context.patch: Refresh + patch to fix offset warnings after modifying aa-mediation.patch + + -- Tyler Hicks Wed, 28 Aug 2013 13:26:13 -0700 + +dbus (1.6.12-0ubuntu2) saucy; urgency=low + + * dump DBUS_SESSION_BUS_ADDRESS into ~/.dbus-session, so we can source it + + -- Oliver Grawert Tue, 16 Jul 2013 19:56:35 +0200 + +dbus (1.6.12-0ubuntu1) saucy; urgency=low + + * New upstream version, drop CVE-2013-2168.patch included in the update + + -- Sebastien Bacher Wed, 19 Jun 2013 19:04:25 +0200 + dbus (1.6.10-1) unstable; urgency=low * New upstream stable release 1.6.10 @@ -205,6 +496,79 @@ -- Simon McVittie Wed, 08 May 2013 10:52:51 +0100 +dbus (1.6.10-0ubuntu2) saucy; urgency=low + + * SECURITY UPDATE: denial of service via _dbus_printf_string_upper_bound() + length. + - debian/patches/CVE-2013-2168.patch: use a copy of va_list in + dbus/dbus-sysdeps-unix.c, dbus/dbus-sysdeps-win.c, added test to + test/Makefile.am, test/internals/printf.c. + - CVE-2013-2168 + + -- Marc Deslauriers Thu, 13 Jun 2013 08:40:01 -0400 + +dbus (1.6.10-0ubuntu1) saucy; urgency=low + + * New upstream version + + -- Sebastien Bacher Mon, 13 May 2013 19:29:40 +0200 + +dbus (1.6.8-1ubuntu8) saucy; urgency=low + + * Add 00git_logind_check.patch: Fix logind check. + * Add 00git_sd_daemon_update.patch: Update to current sytemd upstream + sd_booted() to actually check for systemd init. + + -- Martin Pitt Mon, 29 Apr 2013 11:42:42 -0700 + +dbus (1.6.8-1ubuntu7) saucy; urgency=low + + * Use logind for session tracking, so that "at_console" policies work with + logind instead of ConsoleKit. Add "libpam-systemd" recommends. + + -- Martin Pitt Sun, 10 Mar 2013 13:39:46 +0100 + +dbus (1.6.8-1ubuntu6) raring; urgency=low + + * Tweak startup condition of user-job to block xsession-init until it's + started. (LP: #1155205) + + -- Stéphane Graber Mon, 25 Mar 2013 09:52:01 -0400 + +dbus (1.6.8-1ubuntu5) raring; urgency=low + + * debian/libdbus-1-3.postinst: Force an upgrade to restart Upstart + (to pick up new package version) if the running instance supports + it (LP: #1146653). + + -- James Hunt Thu, 14 Mar 2013 10:32:39 -0400 + +dbus (1.6.8-1ubuntu4) raring; urgency=low + + * Add upstart user session job for dbus. + + -- Stéphane Graber Tue, 12 Mar 2013 15:04:50 -0400 + +dbus (1.6.8-1ubuntu3) raring; urgency=low + + * Mark libdbus-1-dev as Multi-Arch same. + + -- Dmitrijs Ledkovs Mon, 07 Jan 2013 17:36:51 +0000 + +dbus (1.6.8-1ubuntu2) raring; urgency=low + + * The tests are not run diring the build. Configure with --disable-tests, + drop the build dependencies needed for the tests. + + -- Matthias Klose Mon, 07 Jan 2013 17:03:23 +0100 + +dbus (1.6.8-1ubuntu1) raring; urgency=low + + * Resynchronize on Debian, see 1.6.4-1ubuntu1 and 1.6.4-1ubuntu3 for a + summary of the Ubuntu changes + + -- Sebastien Bacher Wed, 07 Nov 2012 15:31:11 +0100 + dbus (1.6.8-1) unstable; urgency=low * Merge from experimental @@ -220,6 +584,72 @@ -- Simon McVittie Sat, 29 Sep 2012 13:25:50 +0100 +dbus (1.6.4-1ubuntu4) quantal-proposed; urgency=low + + * debian/patches/CVE-2012-3524-regression-fix.patch: updated to fix test + suite. + + -- Marc Deslauriers Wed, 03 Oct 2012 14:41:36 -0400 + +dbus (1.6.4-1ubuntu3) quantal-proposed; urgency=low + + * REGRESSION FIX: some applications launched with the activation helper + may need DBUS_STARTER_ADDRESS. (LP: #1058343) + - debian/patches/CVE-2012-3524-regression-fix.patch: hardcode the + starter address to the default system bus address. + * Fix unclean shutdown after dbus upgrade (LP: #740390) + - debian/libdbus-1-3.postinst: trigger an upstart re-exec before + shutdown or reboot so that it can safely unmount the root + filesystem. + + -- Marc Deslauriers Wed, 03 Oct 2012 07:14:40 -0400 + +dbus (1.6.4-1ubuntu2) quantal-proposed; urgency=low + + * SECURITY UPDATE: privilege escalation via unsanitized environment + - debian/patches/CVE-2012-3524-dbus.patch: Don't access environment + variables or run dbus-launch when setuid in configure.ac, + dbus/dbus-keyring.c, dbus/dbus-sysdeps* + - CVE-2012-3524 + + -- Marc Deslauriers Fri, 14 Sep 2012 08:57:33 -0400 + +dbus (1.6.4-1ubuntu1) quantal-proposed; urgency=low + + * Upload to quantal (lp: #1014850) + * debian/control: + - use "Breaks: unity-services (<< 6.0.0-0ubuntu6)", the new dbus + eavedropping protection was creating issues with previous versions + + [ Iain Lane ] + * Merge with Debian experimental for the new stable series. Remaining Ubuntu + changes: + - Install binaries into / rather than /usr: + + debian/rules: Set --exec-prefix=/ + + debian/dbus.install, debian/dbus-x11.install: Install from /bin + - Use upstart to start: + + Add debian/dbus.upstart. + + debian/control: Add upstart dependency. + + debian/dbus.postinst: Use upstart call instead of invoking the init.d + script for checking if we are already running. + + debian/control: versioned dependency on netbase that emits the new + deconfiguring-networking event used in upstart script. + - 20_system_conf_limit.patch: Increase max_match_rules_per_connection for + the system bus to 5000 (LP #454093) + - 81-session.conf-timeout.patch: Raise the service startup timeout from 25 + to 60 seconds. It may be too short on the live CD with slow machines. + - Add 0001-activation-allow-for-more-variation-than-just-system.patch, + 0002-bus-change-systemd-activation-to-activation-systemd.patch, + 0003-upstart-add-upstart-as-a-possible-activation-type.patch, + 0004-upstart-add-UpstartJob-to-service-desktop-files.patch, + 0005-activation-implement-upstart-activation.patch: Patches from Scott + James Remnant to implement Upstart service activation. Not upstream. + Disable patches since they do not apply and this facility is unused + anyway. + * Remove systemd BDs; not appropriate for Ubuntu. + + -- Sebastien Bacher Fri, 03 Aug 2012 12:05:38 +0200 + dbus (1.6.4-1) experimental; urgency=low * gbp.conf: switch to experimental branch @@ -505,6 +935,86 @@ -- Simon McVittie Mon, 11 Apr 2011 18:04:56 +0100 +dbus (1.4.18-1ubuntu1) precise; urgency=low + + * Merge with Debian unstable to pick up the new bug fix release. Remaining + Ubuntu changes: + - Install binaries into / rather than /usr: + + debian/rules: Set --exec-prefix=/ + + debian/dbus.install, debian/dbus-x11.install: Install from /bin + - Use upstart to start: + + Add debian/dbus.upstart. + + debian/control: Add upstart dependency. + + debian/dbus.postinst: Use upstart call instead of invoking the init.d + script for checking if we are already running. + + debian/control: versioned dependency on netbase that emits the new + deconfiguring-networking event used in upstart script. + - 20_system_conf_limit.patch: Increase max_match_rules_per_connection for + the system bus to 5000 (LP #454093) + - 81-session.conf-timeout.patch: Raise the service startup timeout from 25 + to 60 seconds. It may be too short on the live CD with slow machines. + - Add 0001-activation-allow-for-more-variation-than-just-system.patch, + 0002-bus-change-systemd-activation-to-activation-systemd.patch, + 0003-upstart-add-upstart-as-a-possible-activation-type.patch, + 0004-upstart-add-UpstartJob-to-service-desktop-files.patch, + 0005-activation-implement-upstart-activation.patch: Patches from Scott + James Remnant to implement Upstart service activation. Not upstream. + + -- Martin Pitt Wed, 22 Feb 2012 09:26:02 +0100 + +dbus (1.4.16-1ubuntu4) precise; urgency=low + + * debian/rules, debian/dbus-1-dbg.install: Only set --exec-prefix=/ in + the production build. This prevents the debug version of dbus-daemon + from overwriting the non-debug version, which crashes the dbus-python + test suite. This leaves the debug version in a somewhat bogus path, + but we won't worry about that for now. Solution given by Jason Conti. + Also closes https://bugs.freedesktop.org/show_bug.cgi?id=43303 + (LP: #913991) + + -- Barry Warsaw Tue, 10 Jan 2012 15:52:43 +0100 + +dbus (1.4.16-1ubuntu3) precise; urgency=low + + * Add a post-stop in the upstart script making sure /var/run/dbus/pid + doesn't exist after dbus has been stopped/died. This fixes dbus + not respawning when dying (segfault for example). + + -- Stéphane Graber Mon, 09 Jan 2012 15:15:50 +0100 + +dbus (1.4.16-1ubuntu2) precise; urgency=low + + * Add debian/patches/02_obsolete_g_thread_api.patch: Port to glib 2.31.x + g_thread API. Bump libglib2.0-dev build dep accordingly. (LP: #911125) + + -- Martin Pitt Tue, 03 Jan 2012 11:08:46 +0100 + +dbus (1.4.16-1ubuntu1) precise; urgency=low + + * Merge with Debian testing. Remaining changes: + - Install binaries into / rather than /usr: + + debian/rules: Set --exec-prefix=/ + + debian/dbus.install, debian/dbus-x11.install: Install from /bin + - Use upstart to start: + + Add debian/dbus.upstart. + + debian/control: Add upstart dependency. + + debian/dbus.postinst: Use upstart call instead of invoking the init.d + script for checking if we are already running. + + debian/control: versioned dependency on netbase that emits the new + deconfiguring-networking event used in upstart script. + - 20_system_conf_limit.patch: Increase max_match_rules_per_connection for + the system bus to 5000 (LP #454093) + - 81-session.conf-timeout.patch: Raise the service startup timeout from 25 + to 60 seconds. It may be too short on the live CD with slow machines. + - Add 0001-activation-allow-for-more-variation-than-just-system.patch, + 0002-bus-change-systemd-activation-to-activation-systemd.patch, + 0003-upstart-add-upstart-as-a-possible-activation-type.patch, + 0004-upstart-add-UpstartJob-to-service-desktop-files.patch, + 0005-activation-implement-upstart-activation.patch: Patches from Scott + James Remnant to implement Upstart service activation. Not upstream. + + -- Martin Pitt Tue, 18 Oct 2011 18:10:19 +0200 + dbus (1.4.8-1) unstable; urgency=low * New upstream version diff -Nru dbus-1.8.6/debian/control dbus-1.8.6/debian/control --- dbus-1.8.6/debian/control 2014-06-30 09:16:58.000000000 -0500 +++ dbus-1.8.6/debian/control 2014-08-13 12:19:42.000000000 -0500 @@ -1,7 +1,8 @@ Source: dbus Section: admin Priority: optional -Maintainer: Utopia Maintenance Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Utopia Maintenance Team Uploaders: Sjoerd Simons , Sebastian Dröge , Michael Biebl , @@ -36,6 +37,7 @@ libdbus-glib-1-dev, libglib2.0-dev, libselinux1-dev [linux-any], + libapparmor-dev (>= 2.8.0-0ubuntu38) [linux-any], libsystemd-daemon-dev (>= 32) [linux-any], libsystemd-journal-dev (>= 32) [linux-any], libsystemd-login-dev (>= 32) [linux-any], @@ -57,7 +59,9 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, - lsb-base (>= 3.2-14) + lsb-base (>= 3.2-14), + netbase (>= 4.45ubuntu3) +Recommends: libpam-systemd Suggests: dbus-x11 Multi-Arch: foreign Description: simple interprocess messaging system (daemon and utilities) diff -Nru dbus-1.8.6/debian/dbus-Xsession dbus-1.8.6/debian/dbus-Xsession --- dbus-1.8.6/debian/dbus-Xsession 2014-06-30 09:16:58.000000000 -0500 +++ dbus-1.8.6/debian/dbus-Xsession 2014-08-13 12:19:42.000000000 -0500 @@ -7,7 +7,7 @@ DBUSLAUNCH=/usr/bin/dbus-launch if has_option use-session-dbus; then - if [ -x "$DBUSLAUNCH" ]; then + if [ -z "$DBUS_SESSION_BUS_ADDRESS" ] && [ -x "$DBUSLAUNCH" ]; then STARTDBUS=yes fi fi diff -Nru dbus-1.8.6/debian/dbus-x11.install dbus-1.8.6/debian/dbus-x11.install --- dbus-1.8.6/debian/dbus-x11.install 2014-06-30 09:16:58.000000000 -0500 +++ dbus-1.8.6/debian/dbus-x11.install 2014-08-13 12:07:15.000000000 -0500 @@ -1,2 +1,2 @@ -debian/tmp/usr/bin/dbus-launch +debian/tmp/bin/dbus-launch usr/bin debian/tmp/usr/share/man/man1/dbus-launch.1 diff -Nru dbus-1.8.6/debian/dbus.install-generic dbus-1.8.6/debian/dbus.install-generic --- dbus-1.8.6/debian/dbus.install-generic 2014-06-30 09:16:58.000000000 -0500 +++ dbus-1.8.6/debian/dbus.install-generic 2014-08-13 12:07:15.000000000 -0500 @@ -1,10 +1,10 @@ debian/tmp/etc/dbus-1/ -debian/tmp/usr/bin/dbus-daemon -debian/tmp/usr/bin/dbus-cleanup-sockets -debian/tmp/usr/bin/dbus-run-session -debian/tmp/usr/bin/dbus-send -debian/tmp/usr/bin/dbus-uuidgen -debian/tmp/usr/bin/dbus-monitor +debian/tmp/bin/dbus-daemon +debian/tmp/bin/dbus-cleanup-sockets +debian/tmp/bin/dbus-run-session usr/bin +debian/tmp/bin/dbus-send usr/bin +debian/tmp/bin/dbus-uuidgen +debian/tmp/bin/dbus-monitor usr/bin debian/tmp/usr/lib/dbus-1.0/dbus-daemon-launch-helper debian/tmp/usr/share/man/man1/dbus-daemon.1 debian/tmp/usr/share/man/man1/dbus-cleanup-sockets.1 diff -Nru dbus-1.8.6/debian/dbus.postinst dbus-1.8.6/debian/dbus.postinst --- dbus-1.8.6/debian/dbus.postinst 2014-06-30 09:16:58.000000000 -0500 +++ dbus-1.8.6/debian/dbus.postinst 2014-08-13 12:07:15.000000000 -0500 @@ -38,7 +38,8 @@ # system bus is not supported by upstream). The code added by # dh_installinit -r creates a start action, below. - if [ -x "/etc/init.d/dbus" ] && /etc/init.d/dbus status > /dev/null; then + PID=$(status "dbus" 2>/dev/null | awk '/[0-9]$/ { print $NF }') + if [ -n "$PID" ]; then # trigger an update notification which recommends to reboot [ -x /usr/share/update-notifier/notify-reboot-required ] && \ /usr/share/update-notifier/notify-reboot-required || true diff -Nru dbus-1.8.6/debian/dbus.upstart dbus-1.8.6/debian/dbus.upstart --- dbus-1.8.6/debian/dbus.upstart 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/dbus.upstart 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,25 @@ +# dbus - D-Bus system message bus +# +# The D-Bus system message bus allows system daemons and user applications +# to communicate. + +description "D-Bus system message bus" + +start on local-filesystems +stop on deconfiguring-networking + +expect fork +respawn + +pre-start script + mkdir -p /var/run/dbus + chown messagebus:messagebus /var/run/dbus + + exec dbus-uuidgen --ensure +end script + +exec dbus-daemon --system --fork + +post-start exec kill -USR1 1 + +post-stop exec rm -f /var/run/dbus/pid diff -Nru dbus-1.8.6/debian/dbus.user-session.upstart dbus-1.8.6/debian/dbus.user-session.upstart --- dbus-1.8.6/debian/dbus.user-session.upstart 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/dbus.user-session.upstart 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,22 @@ +description "DBus Session Bus" +author "Stéphane Graber " + +start on starting xsession-init + +env DBUS_DEBUG_OUTPUT=1 + +respawn +expect fork +pre-start script + DBUS_SESSION_BUS_ADDRESS=unix:abstract=$(mktemp -u /tmp/dbus-XXXXXXXXXX) + initctl set-env DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS +end script + +exec dbus-daemon --fork --session --address="$DBUS_SESSION_BUS_ADDRESS" + +post-start script + initctl set-env --global DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS + [ -d "$HOME/.cache/upstart" ] || mkdir -p "$HOME/.cache/upstart" || true + echo "DBUS_SESSION_BUS_ADDRESS=${DBUS_SESSION_BUS_ADDRESS}" >$HOME/.cache/upstart/dbus-session || true + initctl notify-dbus-address "$DBUS_SESSION_BUS_ADDRESS" || true +end script diff -Nru dbus-1.8.6/debian/libdbus-1-3.postinst dbus-1.8.6/debian/libdbus-1-3.postinst --- dbus-1.8.6/debian/libdbus-1-3.postinst 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/libdbus-1-3.postinst 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,53 @@ +#!/bin/sh + +set -e + +if [ "$1" = configure ]; then + # A dependent library of Upstart has changed, so restart Upstart + # such that it can safely unmount the root filesystem (LP: #740390) + + # Query running version of Upstart, but only when we know + # that initctl will work. + # + # The calculated version string may be the null string if + # Upstart is not running (where for example an alternative + # init is running outside a chroot environment) or if the + # query failed for some reason. However, the version check + # below handles a null version string correctly. + UPSTART_VERSION_RUNNING=$(initctl version 2>/dev/null |\ + awk '{print $3}'|tr -d ')' || :) + + if ischroot; then + # Do not honour re-exec when requested from within a + # chroot since: + # + # (a) The version of Upstart outside might not support it. + # (b) An isolated environment such as a chroot should + # not be able to modify its containing environment. + # + # A sufficiently new Upstart will actually handle a re-exec + # request coming from telinit within a chroot correctly (by + # doing nothing) but it's simple enough to perform the check + # here and save Upstart the effort. + : + elif dpkg --compare-versions "$UPSTART_VERSION_RUNNING" ge 1.6.1; then + # We are not running inside a chroot and the running version + # of Upstart supports stateful re-exec, so we can + # restart immediately. + # + # XXX: Note that the check on the running version must + # remain *indefinitely* since it's the only safe way to + # know if stateful re-exec is supported: simply checking + # packaged version numbers is not sufficient since + # the package could be upgraded multiple times without a + # reboot. + telinit u || : + else + # Before we shutdown or reboot, we need to re-exec so that we + # can safely remount the root filesystem; we can't just do that + # here because we lose state. + touch /var/run/init.upgraded || : + fi +fi + +#DEBHELPER# diff -Nru dbus-1.8.6/debian/patches/0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch dbus-1.8.6/debian/patches/0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch --- dbus-1.8.6/debian/patches/0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,89 @@ +From 714f46ea30177f0076a41139a635f14c9cc2b618 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 10 Feb 2014 18:24:59 -0600 +Subject: [PATCH 01/13] Document AppArmor enforcement in the dbus-daemon man + page + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + doc/dbus-daemon.1.xml.in | 56 ++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/doc/dbus-daemon.1.xml.in b/doc/dbus-daemon.1.xml.in +index 7b7f4a1..0bd4354 100644 +--- a/doc/dbus-daemon.1.xml.in ++++ b/doc/dbus-daemon.1.xml.in +@@ -803,6 +803,31 @@ Right now the default will be the security context of the bus itself. + If two <associate> elements specify the same name, the element + appearing later in the configuration file will be used. + ++ ++ ++ <apparmor> ++ ++ ++ ++ ++The <apparmor> element is used to configure AppArmor mediation on ++the bus. It can contain one attribute that specifies the mediation mode: ++ ++ ++ <apparmor mode="(enabled|disabled|required)"/> ++ ++ ++The default mode is "enabled". In "enabled" mode, AppArmor mediation ++will be performed if AppArmor support is available in the kernel. If it is not ++available, dbus-daemon will start but AppArmor mediation will not occur. In ++"disabled" mode, AppArmor mediation is disabled. In "required" mode, AppArmor ++mediation will be enabled if AppArmor support is available, otherwise ++dbus-daemon will refuse to start. ++ ++The AppArmor mediation mode of the bus cannot be changed after the bus ++starts. Modifying the mode in the configuration file and sending a SIGHUP ++signal to the daemon has no effect on the mediation mode. ++ + + + SELinux +@@ -870,6 +895,37 @@ itself will be used. + + + ++AppArmor ++The AppArmor confinement context is stored when applications connect to ++the bus. The confinement context consists of a label and a confinement mode. ++When a security decision is required, the daemon uses the confinement context ++to query the AppArmor policy to determine if the action should be allowed or ++denied and if the action should be audited. ++ ++The daemon performs AppArmor security checks in three places. ++ ++First, any time a message is routed from one connection to another ++connection, the bus daemon will check permissions with the label of the first ++connection as source, label and/or connection name of the second connection as ++target, along with the bus name, the path name, the interface name, and the ++member name. Reply messages, such as method_return and error messages, are ++implicitly allowed if they are in response to a message that has already been ++allowed. ++ ++Second, any time a connection asks to own a name, the bus daemon will ++check permissions with the label of the connection as source, the requested ++name as target, along with the bus name. ++ ++Third, any time a connection attempts to eavesdrop, the bus daemon will ++check permissions with the label of the connection as the source, along with ++the bus name. ++ ++AppArmor rules for bus mediation are not stored in the bus configuration ++files. They are stored in the application's AppArmor profile. Please see ++apparmor.d(5) for more details. ++ ++ ++ + DEBUGGING + If you're trying to figure out where your messages are going or why + you aren't getting messages, there are several things you can try. +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch dbus-1.8.6/debian/patches/0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch --- dbus-1.8.6/debian/patches/0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,37 @@ +From d41bc5fcb462fbccb506a4ee8df4da87c547733c Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 10 Feb 2014 18:29:06 -0600 +Subject: [PATCH 02/13] Add apparmor element and attributes to the bus config + dtd + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + doc/busconfig.dtd | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/doc/busconfig.dtd b/doc/busconfig.dtd +index 0cc519b..8c5ac33 100644 +--- a/doc/busconfig.dtd ++++ b/doc/busconfig.dtd +@@ -11,7 +11,8 @@ + include | + policy | + limit | +- selinux)*> ++ selinux | ++ apparmor)*> + + + +@@ -63,3 +64,7 @@ + ++ ++ ++ +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0003-Update-autoconf-file-to-build-against-libapparmor.patch dbus-1.8.6/debian/patches/0003-Update-autoconf-file-to-build-against-libapparmor.patch --- dbus-1.8.6/debian/patches/0003-Update-autoconf-file-to-build-against-libapparmor.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0003-Update-autoconf-file-to-build-against-libapparmor.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,80 @@ +From b1d0d38c768b4ab93089d33c6217da85a1efc818 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 10 Feb 2014 17:40:03 -0600 +Subject: [PATCH 03/13] Update autoconf file to build against libapparmor + +AppArmor support can be configured at build time with --enable-apparmor +and --disable-apparmor. By default, the build time decision is +automatically decided by checking if a sufficient libapparmor is +available. + +A minimum required libapparmor is version 2.8.95. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + bus/Makefile.am | 1 + + configure.ac | 21 +++++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/bus/Makefile.am b/bus/Makefile.am +index f335e30..4938ea8 100644 +--- a/bus/Makefile.am ++++ b/bus/Makefile.am +@@ -18,6 +18,7 @@ DBUS_LAUNCHER_LIBS = \ + AM_CPPFLAGS = \ + -I$(top_srcdir) \ + $(XML_CFLAGS) \ ++ $(APPARMOR_CFLAGS) \ + -DDBUS_SYSTEM_CONFIG_FILE=\""$(configdir)/system.conf"\" \ + -DDBUS_COMPILATION \ + -DDBUS_STATIC_BUILD \ +diff --git a/configure.ac b/configure.ac +index 13d1c87..d0bc84c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -152,6 +152,10 @@ AC_ARG_ENABLE(xml-docs, AS_HELP_STRING([--enable-xml-docs],[build XML documentat + AC_ARG_ENABLE(doxygen-docs, AS_HELP_STRING([--enable-doxygen-docs],[build DOXYGEN documentation (requires Doxygen)]),enable_doxygen_docs=$enableval,enable_doxygen_docs=auto) + AC_ARG_ENABLE(abstract-sockets, AS_HELP_STRING([--enable-abstract-sockets],[use abstract socket namespace (linux only)]),enable_abstract_sockets=$enableval,enable_abstract_sockets=auto) + AC_ARG_ENABLE(selinux, AS_HELP_STRING([--enable-selinux],[build with SELinux support]),enable_selinux=$enableval,enable_selinux=auto) ++AC_ARG_ENABLE([apparmor], ++ [AS_HELP_STRING([--enable-apparmor], [build with AppArmor support])], ++ [enable_apparmor=$enableval], ++ [enable_apparmor=auto]) + AC_ARG_ENABLE(libaudit,AS_HELP_STRING([--enable-libaudit],[build audit daemon support for SELinux]),enable_libaudit=$enableval,enable_libaudit=auto) + AC_ARG_ENABLE(inotify, AS_HELP_STRING([--enable-inotify],[build with inotify support (linux only)]),enable_inotify=$enableval,enable_inotify=auto) + AC_ARG_ENABLE(kqueue, AS_HELP_STRING([--enable-kqueue],[build with kqueue support]),enable_kqueue=$enableval,enable_kqueue=auto) +@@ -1026,6 +1030,22 @@ else + SELINUX_LIBS= + fi + ++# AppArmor detection ++AS_IF([test x$enable_apparmor = xno], ++ [have_apparmor=no], ++ [ ++ PKG_CHECK_MODULES([APPARMOR], [libapparmor >= 2.8.95], ++ [have_apparmor=yes], [have_apparmor=no]) ++ ++ AS_IF([test x$enable_apparmor = xauto -a x$have_apparmor = xno], ++ [AC_MSG_WARN([Sufficiently new AppArmor library not found])]) ++ AS_IF([test x$enable_apparmor != xauto -a x$have_apparmor = xno], ++ [AC_MSG_ERROR([AppArmor explicitly required, and AppArmor library not found])]) ++ ]) ++ ++AS_IF([test x$have_apparmor = xyes], ++ [AC_DEFINE([HAVE_APPARMOR], [1], [AppArmor Support])]) ++ + # inotify checks + if test x$enable_inotify = xno ; then + have_inotify=no; +@@ -1830,6 +1850,7 @@ echo " + Building checks: ${enable_checks} + Building bus stats API: ${enable_stats} + Building SELinux support: ${have_selinux} ++ Building AppArmor support: ${have_apparmor} + Building inotify support: ${have_inotify} + Building kqueue support: ${have_kqueue} + Building systemd support: ${have_systemd} +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0004-Add-apparmor-element-support-to-bus-config-parsing.patch dbus-1.8.6/debian/patches/0004-Add-apparmor-element-support-to-bus-config-parsing.patch --- dbus-1.8.6/debian/patches/0004-Add-apparmor-element-support-to-bus-config-parsing.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0004-Add-apparmor-element-support-to-bus-config-parsing.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,313 @@ +From db0055a9cbff9d4a1ac0cce7e0af2f8f0ca36e4f Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 10 Feb 2014 19:02:04 -0600 +Subject: [PATCH 04/13] Add apparmor element support to bus config parsing + +The element can contain a single mode attribute that has one +of three values: + + "enabled" + "disabled" + "required" + +"enabled" means that kernel support is autodetected and, if available, +AppArmor mediation occurs in dbus-daemon. If kernel support is not +detected, mediation is disabled. "disabled" means that mediation does +not occur. "required" means that kernel support must be detected for +dbus-daemon to start. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + bus/Makefile.am | 3 ++ + bus/apparmor.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++ + bus/apparmor.h | 34 ++++++++++++++++++++ + bus/config-parser-common.c | 6 ++++ + bus/config-parser-common.h | 3 +- + bus/config-parser.c | 24 ++++++++++++++ + bus/session.conf.in | 3 ++ + bus/system.conf.in | 3 ++ + cmake/bus/CMakeLists.txt | 2 ++ + 9 files changed, 156 insertions(+), 1 deletion(-) + create mode 100644 bus/apparmor.c + create mode 100644 bus/apparmor.h + +Index: dbus-1.8.2/bus/Makefile.am +=================================================================== +--- dbus-1.8.2.orig/bus/Makefile.am 2014-05-08 14:07:34.502911782 -0500 ++++ dbus-1.8.2/bus/Makefile.am 2014-05-08 14:07:34.490911782 -0500 +@@ -4,6 +4,7 @@ dbus_daemon_execdir = $(DBUS_DAEMONDIR) + DBUS_BUS_LIBS = \ + $(XML_LIBS) \ + $(SELINUX_LIBS) \ ++ $(APPARMOR_LIBS) \ + $(THREAD_LIBS) \ + $(ADT_LIBS) \ + $(NETWORK_libs) \ +@@ -59,6 +60,8 @@ BUS_SOURCES= \ + activation.c \ + activation.h \ + activation-exit-codes.h \ ++ apparmor.c \ ++ apparmor.h \ + bus.c \ + bus.h \ + config-parser.c \ +Index: dbus-1.8.2/bus/apparmor.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ dbus-1.8.2/bus/apparmor.c 2014-05-08 14:07:34.490911782 -0500 +@@ -0,0 +1,79 @@ ++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- ++ * apparmor.c AppArmor security checks for D-Bus ++ * ++ * Authors: John Johansen ++ * Tyler Hicks ++ * Based on: selinux.c by Matthew Rickard ++ * ++ * Licensed under the Academic Free License version 2.1 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ */ ++ ++#include ++#include "apparmor.h" ++ ++#ifdef HAVE_APPARMOR ++ ++#include ++#include ++ ++typedef enum { ++ APPARMOR_DISABLED, ++ APPARMOR_ENABLED, ++ APPARMOR_REQUIRED ++} AppArmorConfigMode; ++ ++/* Store the value of the AppArmor mediation mode in the bus configuration */ ++static AppArmorConfigMode apparmor_config_mode = APPARMOR_ENABLED; ++ ++#endif /* HAVE_APPARMOR */ ++ ++dbus_bool_t ++bus_apparmor_set_mode_from_config (const char *mode, DBusError *error) ++{ ++#ifdef HAVE_APPARMOR ++ if (mode != NULL) ++ { ++ if (strcmp (mode, "disabled") == 0) ++ apparmor_config_mode = APPARMOR_DISABLED; ++ else if (strcmp (mode, "enabled") == 0) ++ apparmor_config_mode = APPARMOR_ENABLED; ++ else if (strcmp (mode, "required") == 0) ++ apparmor_config_mode = APPARMOR_REQUIRED; ++ else ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "Mode attribute on must have value " ++ "\"required\", \"enabled\" or \"disabled\", " ++ "not \"%s\"", mode); ++ return FALSE; ++ } ++ } ++ ++ return TRUE; ++#else ++ if (mode == NULL || strcmp (mode, "disabled") == 0 || ++ strcmp (mode, "enabled") == 0) ++ return TRUE; ++ ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "Mode attribute on must have value \"enabled\" or " ++ "\"disabled\" but cannot be \"%s\" when D-Bus is built " ++ "without AppArmor support", mode); ++ return FALSE; ++#endif ++} +Index: dbus-1.8.2/bus/apparmor.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ dbus-1.8.2/bus/apparmor.h 2014-05-08 14:07:34.490911782 -0500 +@@ -0,0 +1,34 @@ ++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- ++ * apparmor.c AppArmor security checks for D-Bus ++ * ++ * Authors: John Johansen ++ * Tyler Hicks ++ * Based on: selinux.h by Matthew Rickard ++ * ++ * Licensed under the Academic Free License version 2.1 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ++ * ++ */ ++ ++#ifndef BUS_APPARMOR_H ++#define BUS_APPARMOR_H ++ ++#include ++ ++dbus_bool_t bus_apparmor_set_mode_from_config (const char *mode, ++ DBusError *error); ++ ++#endif /* BUS_APPARMOR_H */ +Index: dbus-1.8.2/bus/config-parser-common.c +=================================================================== +--- dbus-1.8.2.orig/bus/config-parser-common.c 2014-05-08 14:07:34.502911782 -0500 ++++ dbus-1.8.2/bus/config-parser-common.c 2014-05-08 14:07:34.494911782 -0500 +@@ -127,6 +127,10 @@ bus_config_parser_element_name_to_type ( + { + return ELEMENT_ALLOW_ANONYMOUS; + } ++ else if (strcmp (name, "apparmor") == 0) ++ { ++ return ELEMENT_APPARMOR; ++ } + return ELEMENT_NONE; + } + +@@ -181,6 +185,8 @@ bus_config_parser_element_type_to_name ( + return "keep_umask"; + case ELEMENT_ALLOW_ANONYMOUS: + return "allow_anonymous"; ++ case ELEMENT_APPARMOR: ++ return "apparmor"; + } + + _dbus_assert_not_reached ("bad element type"); +Index: dbus-1.8.2/bus/config-parser-common.h +=================================================================== +--- dbus-1.8.2.orig/bus/config-parser-common.h 2014-05-08 14:07:34.502911782 -0500 ++++ dbus-1.8.2/bus/config-parser-common.h 2014-05-08 14:07:34.494911782 -0500 +@@ -49,7 +49,8 @@ typedef enum + ELEMENT_STANDARD_SYSTEM_SERVICEDIRS, + ELEMENT_KEEP_UMASK, + ELEMENT_SYSLOG, +- ELEMENT_ALLOW_ANONYMOUS ++ ELEMENT_ALLOW_ANONYMOUS, ++ ELEMENT_APPARMOR, + } ElementType; + + ElementType bus_config_parser_element_name_to_type (const char *element_name); +Index: dbus-1.8.2/bus/config-parser.c +=================================================================== +--- dbus-1.8.2.orig/bus/config-parser.c 2014-05-08 14:07:34.502911782 -0500 ++++ dbus-1.8.2/bus/config-parser.c 2014-05-08 14:07:34.494911782 -0500 +@@ -28,6 +28,7 @@ + #include "utils.h" + #include "policy.h" + #include "selinux.h" ++#include "apparmor.h" + #include + #include + #include +@@ -1131,6 +1132,27 @@ start_busconfig_child (BusConfigParser + + return TRUE; + } ++ else if (element_type == ELEMENT_APPARMOR) ++ { ++ Element *e; ++ const char *mode; ++ ++ if ((e = push_element (parser, ELEMENT_APPARMOR)) == NULL) ++ { ++ BUS_SET_OOM (error); ++ return FALSE; ++ } ++ ++ if (!locate_attributes (parser, "apparmor", ++ attribute_names, ++ attribute_values, ++ error, ++ "mode", &mode, ++ NULL)) ++ return FALSE; ++ ++ return bus_apparmor_set_mode_from_config (mode, error); ++ } + else + { + dbus_set_error (error, DBUS_ERROR_FAILED, +@@ -2063,6 +2085,7 @@ bus_config_parser_end_element (BusConfig + case ELEMENT_STANDARD_SESSION_SERVICEDIRS: + case ELEMENT_STANDARD_SYSTEM_SERVICEDIRS: + case ELEMENT_ALLOW_ANONYMOUS: ++ case ELEMENT_APPARMOR: + break; + } + +@@ -2362,6 +2385,7 @@ bus_config_parser_content (BusConfigPars + case ELEMENT_ALLOW_ANONYMOUS: + case ELEMENT_SELINUX: + case ELEMENT_ASSOCIATE: ++ case ELEMENT_APPARMOR: + if (all_whitespace (content)) + return TRUE; + else +Index: dbus-1.8.2/bus/session.conf.in +=================================================================== +--- dbus-1.8.2.orig/bus/session.conf.in 2014-05-08 14:07:34.502911782 -0500 ++++ dbus-1.8.2/bus/session.conf.in 2014-05-08 14:07:34.494911782 -0500 +@@ -29,6 +29,9 @@ + on the live cd on slow machines --> + 60000 + ++ ++ ++ + + session.d +Index: dbus-1.8.2/bus/system.conf.in +=================================================================== +--- dbus-1.8.2.orig/bus/system.conf.in 2014-05-08 14:07:34.502911782 -0500 ++++ dbus-1.8.2/bus/system.conf.in 2014-05-08 14:07:34.494911782 -0500 +@@ -70,6 +70,9 @@ + send_member="UpdateActivationEnvironment"/> + + ++ ++ ++ + + system.d +Index: dbus-1.8.2/cmake/bus/CMakeLists.txt +=================================================================== +--- dbus-1.8.2.orig/cmake/bus/CMakeLists.txt 2014-05-08 14:07:34.502911782 -0500 ++++ dbus-1.8.2/cmake/bus/CMakeLists.txt 2014-05-08 14:07:34.494911782 -0500 +@@ -40,6 +40,8 @@ endif (DBUS_BUS_ENABLE_INOTIFY) + set (BUS_SOURCES + ${BUS_DIR}/activation.c + ${BUS_DIR}/activation.h ++ ${BUS_DIR}/apparmor.c ++ ${BUS_DIR}/apparmor.h + ${BUS_DIR}/bus.c + ${BUS_DIR}/bus.h + ${BUS_DIR}/config-parser.c diff -Nru dbus-1.8.6/debian/patches/0005-Initialize-AppArmor-mediation.patch dbus-1.8.6/debian/patches/0005-Initialize-AppArmor-mediation.patch --- dbus-1.8.6/debian/patches/0005-Initialize-AppArmor-mediation.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0005-Initialize-AppArmor-mediation.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,298 @@ +From ae476fe69866a06555c120630de5007ef690d0e3 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Wed, 12 Feb 2014 12:37:41 -0600 +Subject: [PATCH 05/13] Initialize AppArmor mediation + +When starting dbus-daemon, autodetect AppArmor kernel support and use +the results from parsing the busconfig to determine if mediation should +be enabled. + +In the busconfig, "enabled" means that kernel support is autodetected +and, if available, AppArmor mediation occurs in dbus-daemon. In +"enabled" mode, if kernel support is not detected, mediation is +disabled. "disabled" means that mediation does not occur. "required" +means that kernel support must be detected for dbus-daemon to start. + +Additionally, when libaudit support is built into dbus-daemon, the +AppArmor initialization routines set up the audit connection. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: John Johansen +[tyhicks: Honor enforcement modes and detect AppArmor dbus rule support] +Signed-off-by: Tyler Hicks +--- + bus/apparmor.c | 147 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + bus/apparmor.h | 5 ++ + bus/bus.c | 19 ++++++++ + bus/main.c | 8 ++++ + 4 files changed, 179 insertions(+) + +diff --git a/bus/apparmor.c b/bus/apparmor.c +index 8c2cd84..78986d9 100644 +--- a/bus/apparmor.c ++++ b/bus/apparmor.c +@@ -29,7 +29,27 @@ + #ifdef HAVE_APPARMOR + + #include ++#include ++#include ++#include ++#include ++#include ++#include + #include ++#include ++#include ++#include ++#include ++ ++#ifdef HAVE_LIBAUDIT ++#include ++#include ++#else ++#include ++#endif /* HAVE_LIBAUDIT */ ++ ++/* Store the value telling us if AppArmor D-Bus mediation is enabled. */ ++static dbus_bool_t apparmor_enabled = FALSE; + + typedef enum { + APPARMOR_DISABLED, +@@ -40,8 +60,76 @@ typedef enum { + /* Store the value of the AppArmor mediation mode in the bus configuration */ + static AppArmorConfigMode apparmor_config_mode = APPARMOR_ENABLED; + ++#ifdef HAVE_LIBAUDIT ++static int audit_fd = -1; ++#endif ++ ++void ++bus_apparmor_audit_init (void) ++{ ++#ifdef HAVE_LIBAUDIT ++ audit_fd = audit_open (); ++ ++ if (audit_fd < 0) ++ { ++ /* If kernel doesn't support audit, bail out */ ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) ++ return; ++ /* If user bus, bail out */ ++ if (errno == EPERM && getuid () != 0) ++ return; ++ _dbus_warn ("Failed opening connection to the audit subsystem"); ++ } ++#endif /* HAVE_LIBAUDIT */ ++} ++ ++static dbus_bool_t ++_bus_apparmor_aa_supports_dbus (void) ++{ ++ int mask_file; ++ DBusString aa_dbus; ++ char *aa_securityfs = NULL; ++ dbus_bool_t retval = FALSE; ++ ++ if (!_dbus_string_init (&aa_dbus)) ++ return FALSE; ++ ++ if (aa_find_mountpoint (&aa_securityfs) != 0) ++ goto out; ++ ++ if (!_dbus_string_append (&aa_dbus, aa_securityfs) || ++ !_dbus_string_append (&aa_dbus, "/features/dbus/mask")) ++ goto out; ++ ++ mask_file = open (_dbus_string_get_const_data (&aa_dbus), ++ O_RDONLY | O_CLOEXEC); ++ if (mask_file != -1) ++ { ++ retval = TRUE; ++ close (mask_file); ++ } ++ ++out: ++ free (aa_securityfs); ++ _dbus_string_free (&aa_dbus); ++ ++ return retval; ++} + #endif /* HAVE_APPARMOR */ + ++/** ++ * Do early initialization; determine whether AppArmor is enabled. ++ */ ++dbus_bool_t ++bus_apparmor_pre_init (void) ++{ ++#ifdef HAVE_APPARMOR ++ apparmor_enabled = (aa_is_enabled () && _bus_apparmor_aa_supports_dbus ()); ++#endif ++ ++ return TRUE; ++} ++ + dbus_bool_t + bus_apparmor_set_mode_from_config (const char *mode, DBusError *error) + { +@@ -77,3 +165,62 @@ bus_apparmor_set_mode_from_config (const char *mode, DBusError *error) + return FALSE; + #endif + } ++ ++/** ++ * Verify that the config mode is compatible with the kernel's AppArmor ++ * support. If AppArmor mediation will be enabled, determine the bus ++ * confinement context. ++ */ ++dbus_bool_t ++bus_apparmor_full_init (void) ++{ ++#ifdef HAVE_APPARMOR ++ if (apparmor_enabled) ++ { ++ if (apparmor_config_mode == APPARMOR_DISABLED) ++ { ++ apparmor_enabled = FALSE; ++ return TRUE; ++ } ++ } ++ else ++ { ++ if (apparmor_config_mode == APPARMOR_REQUIRED) ++ { ++ _dbus_warn ("AppArmor mediation required but not present\n"); ++ return FALSE; ++ } ++ else if (apparmor_config_mode == APPARMOR_ENABLED) ++ { ++ return TRUE; ++ } ++ } ++#endif ++ ++ return TRUE; ++} ++ ++void ++bus_apparmor_shutdown (void) ++{ ++#ifdef HAVE_APPARMOR ++ if (!apparmor_enabled) ++ return; ++ ++ _dbus_verbose ("AppArmor shutdown\n"); ++ ++#ifdef HAVE_LIBAUDIT ++ audit_close (audit_fd); ++#endif /* HAVE_LIBAUDIT */ ++ ++#endif /* HAVE_APPARMOR */ ++} ++ ++dbus_bool_t ++bus_apparmor_enabled (void) ++{ ++#ifdef HAVE_APPARMOR ++ return apparmor_enabled; ++#endif ++ return FALSE; ++} +diff --git a/bus/apparmor.h b/bus/apparmor.h +index 0d6f274..bf8f94f 100644 +--- a/bus/apparmor.h ++++ b/bus/apparmor.h +@@ -28,7 +28,12 @@ + + #include + ++void bus_apparmor_audit_init (void); ++dbus_bool_t bus_apparmor_pre_init (void); + dbus_bool_t bus_apparmor_set_mode_from_config (const char *mode, + DBusError *error); ++dbus_bool_t bus_apparmor_full_init (void); ++void bus_apparmor_shutdown (void); ++dbus_bool_t bus_apparmor_enabled (void); + + #endif /* BUS_APPARMOR_H */ +diff --git a/bus/bus.c b/bus/bus.c +index a514e31..9c26249 100644 +--- a/bus/bus.c ++++ b/bus/bus.c +@@ -34,6 +34,7 @@ + #include "config-parser.h" + #include "signals.h" + #include "selinux.h" ++#include "apparmor.h" + #include "dir-watch.h" + #include + #include +@@ -909,6 +910,21 @@ bus_context_new (const DBusString *config_file, + bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n"); + } + ++ if (!bus_apparmor_full_init ()) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "AppArmor enabled but full initialization failed; check system log\n"); ++ goto failed; ++ } ++ ++ if (bus_apparmor_enabled ()) ++ { ++ /* Only print AppArmor mediation message when syslog support is enabled */ ++ if (context->syslog) ++ bus_context_log (context, DBUS_SYSTEM_LOG_INFO, ++ "AppArmor D-Bus mediation is enabled\n"); ++ } ++ + if (!process_config_postinit (context, parser, error)) + { + _DBUS_ASSERT_ERROR_IS_SET (error); +@@ -936,6 +952,9 @@ bus_context_new (const DBusString *config_file, + /* FIXME - why not just put this in full_init() below? */ + bus_selinux_audit_init (); + #endif ++#ifdef HAVE_APPARMOR ++ bus_apparmor_audit_init (); ++#endif + } + + dbus_server_free_data_slot (&server_data_slot); +diff --git a/bus/main.c b/bus/main.c +index e060baa..1575195 100644 +--- a/bus/main.c ++++ b/bus/main.c +@@ -39,6 +39,7 @@ + #include /* for write() and STDERR_FILENO */ + #endif + #include "selinux.h" ++#include "apparmor.h" + + static BusContext *context; + +@@ -614,6 +615,12 @@ main (int argc, char **argv) + exit (1); + } + ++ if (!bus_apparmor_pre_init ()) ++ { ++ _dbus_warn ("AppArmor pre-initialization failed\n"); ++ exit (1); ++ } ++ + dbus_error_init (&error); + context = bus_context_new (&config_file, flags, + &print_addr_pipe, &print_pid_pipe, +@@ -649,6 +656,7 @@ main (int argc, char **argv) + bus_context_shutdown (context); + bus_context_unref (context); + bus_selinux_shutdown (); ++ bus_apparmor_shutdown (); + + return 0; + } +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0006-Store-AppArmor-label-of-bus-during-initialization.patch dbus-1.8.6/debian/patches/0006-Store-AppArmor-label-of-bus-during-initialization.patch --- dbus-1.8.6/debian/patches/0006-Store-AppArmor-label-of-bus-during-initialization.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0006-Store-AppArmor-label-of-bus-during-initialization.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,136 @@ +From 2d9afc71d8ea83724944da9bce7b21ff598f0e0d Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Wed, 12 Feb 2014 17:28:13 -0600 +Subject: [PATCH 06/13] Store AppArmor label of bus during initialization + +During dbus-daemon initialization, the AppArmor confinement context +should be stored for later use when checks are to be done on messages +to/from the bus itself. + +AppArmor confinement contexts are documented in aa_getcon(2). They +contain a confinement string and a mode string. The confinement string +is typically the name of the AppArmor profile confining a given process. +The mode string gives the current enforcement mode of the process +confinement. For example, it may indicate that the confinement should be +enforced or it may indicate that the confinement should allow all +actions with the caveat that actions which would be denied should be +audited. + +It is important to note that libapparmor mallocs a single buffer to +store the con and mode strings and separates them with a NUL terminator. +Because of this, only con should be freed. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + bus/apparmor.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 73 insertions(+) + +diff --git a/bus/apparmor.c b/bus/apparmor.c +index 78986d9..35a297f 100644 +--- a/bus/apparmor.c ++++ b/bus/apparmor.c +@@ -64,6 +64,56 @@ static AppArmorConfigMode apparmor_config_mode = APPARMOR_ENABLED; + static int audit_fd = -1; + #endif + ++struct BusAppArmorConfinement ++{ ++ int refcount; /* Reference count */ ++ ++ char *context; /* AppArmor confinement context (label) */ ++ char *mode; /* AppArmor confinement mode */ ++}; ++ ++typedef struct BusAppArmorConfinement BusAppArmorConfinement; ++ ++static BusAppArmorConfinement *bus_con = NULL; ++ ++static BusAppArmorConfinement* ++bus_apparmor_confinement_new (char *context, char *mode) ++{ ++ BusAppArmorConfinement *confinement; ++ ++ confinement = dbus_new0 (BusAppArmorConfinement, 1); ++ if (confinement != NULL) ++ { ++ confinement->refcount = 1; ++ confinement->context = context; ++ confinement->mode = mode; ++ } ++ ++ return confinement; ++} ++ ++static void ++bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement) ++{ ++ if (!apparmor_enabled) ++ return; ++ ++ _dbus_assert (confinement != NULL); ++ _dbus_assert (confinement->refcount > 0); ++ ++ confinement->refcount -= 1; ++ ++ if (confinement->refcount == 0) ++ { ++ /** ++ * Do not free confinement->mode, as libapparmor does a single malloc for ++ * both confinement->context and confinement->mode. ++ */ ++ free (confinement->context); ++ dbus_free (confinement); ++ } ++} ++ + void + bus_apparmor_audit_init (void) + { +@@ -175,6 +225,8 @@ dbus_bool_t + bus_apparmor_full_init (void) + { + #ifdef HAVE_APPARMOR ++ char *context, *mode; ++ + if (apparmor_enabled) + { + if (apparmor_config_mode == APPARMOR_DISABLED) +@@ -182,6 +234,24 @@ bus_apparmor_full_init (void) + apparmor_enabled = FALSE; + return TRUE; + } ++ ++ if (bus_con == NULL) ++ { ++ if (aa_getcon (&context, &mode) == -1) ++ { ++ _dbus_warn ("Error getting AppArmor context of bus: %s\n", ++ _dbus_strerror (errno)); ++ return FALSE; ++ } ++ ++ bus_con = bus_apparmor_confinement_new (context, mode); ++ if (bus_con == NULL) ++ { ++ _dbus_warn ("Error allocating bus AppArmor confinement\n"); ++ free (context); ++ return FALSE; ++ } ++ } + } + else + { +@@ -209,6 +279,9 @@ bus_apparmor_shutdown (void) + + _dbus_verbose ("AppArmor shutdown\n"); + ++ bus_apparmor_confinement_unref (bus_con); ++ bus_con = NULL; ++ + #ifdef HAVE_LIBAUDIT + audit_close (audit_fd); + #endif /* HAVE_LIBAUDIT */ +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0007-Store-AppArmor-label-of-connecting-processes.patch dbus-1.8.6/debian/patches/0007-Store-AppArmor-label-of-connecting-processes.patch --- dbus-1.8.6/debian/patches/0007-Store-AppArmor-label-of-connecting-processes.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0007-Store-AppArmor-label-of-connecting-processes.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,244 @@ +From 7f2405d41c2e7c523b2c1ce3d790c9e862536b4d Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 13 Feb 2014 09:59:53 -0600 +Subject: [PATCH 07/13] Store AppArmor label of connecting processes + +When processes connect the bus, the AppArmor confinement context should +be stored for later use when checks are to be done during message +sending/receiving, acquire a name, and eavesdropping. + +Code outside of apparmor.c will need to initialize and unreference the +confinement context, so bus_apparmor_confinement_unref() can no longer +be a static function. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + bus/apparmor.c | 96 ++++++++++++++++++++++++++++++++++++++++++-------------- + bus/apparmor.h | 5 +++ + bus/bus.h | 1 + + bus/connection.c | 22 +++++++++++++ + 4 files changed, 100 insertions(+), 24 deletions(-) + +diff --git a/bus/apparmor.c b/bus/apparmor.c +index 35a297f..fb3a97a 100644 +--- a/bus/apparmor.c ++++ b/bus/apparmor.c +@@ -48,6 +48,8 @@ + #include + #endif /* HAVE_LIBAUDIT */ + ++#include "utils.h" ++ + /* Store the value telling us if AppArmor D-Bus mediation is enabled. */ + static dbus_bool_t apparmor_enabled = FALSE; + +@@ -72,8 +74,6 @@ struct BusAppArmorConfinement + char *mode; /* AppArmor confinement mode */ + }; + +-typedef struct BusAppArmorConfinement BusAppArmorConfinement; +- + static BusAppArmorConfinement *bus_con = NULL; + + static BusAppArmorConfinement* +@@ -92,28 +92,6 @@ bus_apparmor_confinement_new (char *context, char *mode) + return confinement; + } + +-static void +-bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement) +-{ +- if (!apparmor_enabled) +- return; +- +- _dbus_assert (confinement != NULL); +- _dbus_assert (confinement->refcount > 0); +- +- confinement->refcount -= 1; +- +- if (confinement->refcount == 0) +- { +- /** +- * Do not free confinement->mode, as libapparmor does a single malloc for +- * both confinement->context and confinement->mode. +- */ +- free (confinement->context); +- dbus_free (confinement); +- } +-} +- + void + bus_apparmor_audit_init (void) + { +@@ -297,3 +275,73 @@ bus_apparmor_enabled (void) + #endif + return FALSE; + } ++ ++void ++bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement) ++{ ++#ifdef HAVE_APPARMOR ++ if (!apparmor_enabled) ++ return; ++ ++ _dbus_assert (confinement != NULL); ++ _dbus_assert (confinement->refcount > 0); ++ ++ confinement->refcount -= 1; ++ ++ if (confinement->refcount == 0) ++ { ++ /** ++ * Do not free confinement->mode, as libapparmor does a single malloc for ++ * both confinement->context and confinement->mode. ++ */ ++ free (confinement->context); ++ dbus_free (confinement); ++ } ++#endif ++} ++ ++BusAppArmorConfinement* ++bus_apparmor_init_connection_confinement (DBusConnection *connection, ++ DBusError *error) ++{ ++#ifdef HAVE_APPARMOR ++ BusAppArmorConfinement *confinement; ++ char *context, *mode; ++ int fd; ++ ++ if (!apparmor_enabled) ++ return NULL; ++ ++ _dbus_assert (connection != NULL); ++ ++ if (!dbus_connection_get_socket (connection, &fd)) ++ { ++ dbus_set_error (error, DBUS_ERROR_FAILED, ++ "Failed to get socket file descriptor of connection"); ++ return NULL; ++ } ++ ++ if (aa_getpeercon (fd, &context, &mode) == -1) ++ { ++ if (errno == ENOMEM) ++ BUS_SET_OOM (error); ++ else ++ dbus_set_error (error, _dbus_error_from_errno (errno), ++ "Failed to get AppArmor confinement information of socket peer: %s", ++ _dbus_strerror (errno)); ++ return NULL; ++ } ++ ++ confinement = bus_apparmor_confinement_new (context, mode); ++ if (confinement == NULL) ++ { ++ BUS_SET_OOM (error); ++ free (context); ++ return NULL; ++ } ++ ++ return confinement; ++#else ++ return NULL; ++#endif /* HAVE_APPARMOR */ ++} +diff --git a/bus/apparmor.h b/bus/apparmor.h +index bf8f94f..8c97420 100644 +--- a/bus/apparmor.h ++++ b/bus/apparmor.h +@@ -27,6 +27,7 @@ + #define BUS_APPARMOR_H + + #include ++#include "bus.h" + + void bus_apparmor_audit_init (void); + dbus_bool_t bus_apparmor_pre_init (void); +@@ -36,4 +37,8 @@ dbus_bool_t bus_apparmor_full_init (void); + void bus_apparmor_shutdown (void); + dbus_bool_t bus_apparmor_enabled (void); + ++void bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement); ++BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection, ++ DBusError *error); ++ + #endif /* BUS_APPARMOR_H */ +diff --git a/bus/bus.h b/bus/bus.h +index 3597884..8e12e27 100644 +--- a/bus/bus.h ++++ b/bus/bus.h +@@ -38,6 +38,7 @@ typedef struct BusClientPolicy BusClientPolicy; + typedef struct BusPolicyRule BusPolicyRule; + typedef struct BusRegistry BusRegistry; + typedef struct BusSELinuxID BusSELinuxID; ++typedef struct BusAppArmorConfinement BusAppArmorConfinement; + typedef struct BusService BusService; + typedef struct BusOwner BusOwner; + typedef struct BusTransaction BusTransaction; +diff --git a/bus/connection.c b/bus/connection.c +index ea2d155..d15cb56 100644 +--- a/bus/connection.c ++++ b/bus/connection.c +@@ -30,6 +30,7 @@ + #include "signals.h" + #include "expirelist.h" + #include "selinux.h" ++#include "apparmor.h" + #include + #include + #include +@@ -93,6 +94,7 @@ typedef struct + + char *cached_loginfo_string; + BusSELinuxID *selinux_id; ++ BusAppArmorConfinement *apparmor_confinement; + + long connection_tv_sec; /**< Time when we connected (seconds component) */ + long connection_tv_usec; /**< Time when we connected (microsec component) */ +@@ -404,6 +406,9 @@ free_connection_data (void *data) + + if (d->selinux_id) + bus_selinux_id_unref (d->selinux_id); ++ ++ if (d->apparmor_confinement) ++ bus_apparmor_confinement_unref (d->apparmor_confinement); + + dbus_free (d->cached_loginfo_string); + +@@ -637,6 +642,19 @@ bus_connections_setup_connection (BusConnections *connections, + goto out; + } + ++ d->apparmor_confinement = bus_apparmor_init_connection_confinement (connection, ++ &error); ++ if (dbus_error_is_set (&error)) ++ { ++ /* This is a bit bogus because we pretend all errors ++ * are OOM; this is done because we know that in bus.c ++ * an OOM error disconnects the connection, which is ++ * the same thing we want on any other error. ++ */ ++ dbus_error_free (&error); ++ goto out; ++ } ++ + if (!dbus_connection_set_watch_functions (connection, + add_connection_watch, + remove_connection_watch, +@@ -722,6 +740,10 @@ bus_connections_setup_connection (BusConnections *connections, + if (d->selinux_id) + bus_selinux_id_unref (d->selinux_id); + d->selinux_id = NULL; ++ ++ if (d->apparmor_confinement) ++ bus_apparmor_confinement_unref (d->apparmor_confinement); ++ d->apparmor_confinement = NULL; + + if (!dbus_connection_set_watch_functions (connection, + NULL, NULL, NULL, +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0008-Mediation-of-processes-that-acquire-well-known-names.patch dbus-1.8.6/debian/patches/0008-Mediation-of-processes-that-acquire-well-known-names.patch --- dbus-1.8.6/debian/patches/0008-Mediation-of-processes-that-acquire-well-known-names.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0008-Mediation-of-processes-that-acquire-well-known-names.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,431 @@ +From ff9a85435b8de42109e756c981c0afddc8461761 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Thu, 13 Feb 2014 12:55:52 -0600 +Subject: [PATCH 08/13] Mediation of processes that acquire well-known names + +When an AppArmor confined process wants to acquire a well-known name, a +check is performed to see if the action should be allowed. + +The check is based on the connection's label, the bus type, and the name +being requested. + +An example AppArmor rule that would allow the name +"com.example.ExampleName" to be acquired on the system bus would be: + + dbus bind bus=system name=com.example.ExampleName, + +To let a process acquire any name on any bus, the rule would be: + + dbus bind, + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: John Johansen +[tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg] +Signed-off-by: Tyler Hicks +--- + bus/apparmor.c | 281 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- + bus/apparmor.h | 6 ++ + bus/connection.c | 13 +++ + bus/connection.h | 1 + + bus/services.c | 7 ++ + 5 files changed, 306 insertions(+), 2 deletions(-) + +diff --git a/bus/apparmor.c b/bus/apparmor.c +index fb3a97a..5ffce3d 100644 +--- a/bus/apparmor.c ++++ b/bus/apparmor.c +@@ -39,15 +39,15 @@ + #include + #include + #include ++#include + #include + + #ifdef HAVE_LIBAUDIT + #include + #include +-#else +-#include + #endif /* HAVE_LIBAUDIT */ + ++#include "connection.h" + #include "utils.h" + + /* Store the value telling us if AppArmor D-Bus mediation is enabled. */ +@@ -143,6 +143,150 @@ out: + + return retval; + } ++ ++static dbus_bool_t ++modestr_is_complain (const char *mode) ++{ ++ if (mode && strcmp (mode, "complain") == 0) ++ return TRUE; ++ return FALSE; ++} ++ ++static void ++log_message (dbus_bool_t allow, const char *op, DBusString *data) ++{ ++ const char *mstr; ++ ++ if (allow) ++ mstr = "ALLOWED"; ++ else ++ mstr = "DENIED"; ++ ++#ifdef HAVE_LIBAUDIT ++ if (audit_fd >= 0) ++ { ++ DBusString avc; ++ ++ capng_get_caps_process (); ++ if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_AUDIT_WRITE)) ++ goto syslog; ++ ++ if (!_dbus_string_init (&avc)) ++ goto syslog; ++ ++ if (!_dbus_string_append_printf (&avc, ++ "apparmor=\"%s\" operation=\"dbus_%s\" %s\n", ++ mstr, op, _dbus_string_get_const_data (data))) ++ { ++ _dbus_string_free (&avc); ++ goto syslog; ++ } ++ ++ /* FIXME: need to change this to show real user */ ++ audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, ++ _dbus_string_get_const_data (&avc), ++ NULL, NULL, NULL, getuid ()); ++ _dbus_string_free (&avc); ++ return; ++ } ++ ++syslog: ++#endif /* HAVE_LIBAUDIT */ ++ ++ syslog (LOG_USER | LOG_NOTICE, "apparmor=\"%s\" operation=\"dbus_%s\" %s\n", ++ mstr, op, _dbus_string_get_const_data (data)); ++} ++ ++static dbus_bool_t ++_dbus_append_pair_uint (DBusString *auxdata, const char *name, ++ unsigned long value) ++{ ++ return _dbus_string_append (auxdata, " ") && ++ _dbus_string_append (auxdata, name) && ++ _dbus_string_append (auxdata, "=") && ++ _dbus_string_append_uint (auxdata, value); ++} ++ ++static dbus_bool_t ++_dbus_append_pair_str (DBusString *auxdata, const char *name, const char *value) ++{ ++ return _dbus_string_append (auxdata, " ") && ++ _dbus_string_append (auxdata, name) && ++ _dbus_string_append (auxdata, "=\"") && ++ _dbus_string_append (auxdata, value) && ++ _dbus_string_append (auxdata, "\""); ++} ++ ++static dbus_bool_t ++_dbus_append_mask (DBusString *auxdata, uint32_t mask) ++{ ++ const char *mask_str; ++ ++ /* Only one permission bit can be set */ ++ if (mask == AA_DBUS_SEND) ++ mask_str = "send"; ++ else if (mask == AA_DBUS_RECEIVE) ++ mask_str = "receive"; ++ else if (mask == AA_DBUS_BIND) ++ mask_str = "bind"; ++ else ++ return FALSE; ++ ++ return _dbus_append_pair_str (auxdata, "mask", mask_str); ++} ++ ++static dbus_bool_t ++is_unconfined (const char *con, const char *mode) ++{ ++ /* treat con == NULL as confined as it is going to result in a denial */ ++ if ((!mode && con && strcmp (con, "unconfined") == 0) || ++ strcmp (mode, "unconfined") == 0) ++ { ++ return TRUE; ++ } ++ ++ return FALSE; ++} ++ ++static dbus_bool_t ++query_append (DBusString *query, const char *buffer) ++{ ++ if (!_dbus_string_append_byte (query, '\0')) ++ return FALSE; ++ ++ if (buffer && !_dbus_string_append (query, buffer)) ++ return FALSE; ++ ++ return TRUE; ++} ++ ++static dbus_bool_t ++build_common_query (DBusString *query, const char *con, const char *bustype) ++{ ++ return _dbus_string_set_length (query, AA_QUERY_CMD_LABEL_SIZE) && ++ _dbus_string_append (query, con) && ++ _dbus_string_append_byte (query, '\0') && ++ _dbus_string_append_byte (query, AA_CLASS_DBUS) && ++ _dbus_string_append (query, bustype); ++} ++ ++static dbus_bool_t ++build_service_query (DBusString *query, ++ const char *con, ++ const char *bustype, ++ const char *name) ++{ ++ return build_common_query (query, con, bustype) && ++ query_append (query, name); ++} ++ ++static void ++set_error_from_query_errno (DBusError *error, int error_number) ++{ ++ dbus_set_error (error, _dbus_error_from_errno (error_number), ++ "Failed to query AppArmor policy: %s", ++ _dbus_strerror (error_number)); ++} + #endif /* HAVE_APPARMOR */ + + /** +@@ -300,6 +444,20 @@ bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement) + #endif + } + ++void ++bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement) ++{ ++#ifdef HAVE_APPARMOR ++ if (!apparmor_enabled) ++ return; ++ ++ _dbus_assert (confinement != NULL); ++ _dbus_assert (confinement->refcount > 0); ++ ++ confinement->refcount += 1; ++#endif /* HAVE_APPARMOR */ ++} ++ + BusAppArmorConfinement* + bus_apparmor_init_connection_confinement (DBusConnection *connection, + DBusError *error) +@@ -345,3 +503,122 @@ bus_apparmor_init_connection_confinement (DBusConnection *connection, + return NULL; + #endif /* HAVE_APPARMOR */ + } ++ ++/** ++ * Returns true if the given connection can acquire a service, ++ * using the tasks security context ++ * ++ * @param connection connection that wants to own the service ++ * @param bustype name of the bus ++ * @param service_name the name of the service to acquire ++ * @param error the reason for failure when FALSE is returned ++ * @returns TRUE if acquire is permitted ++ */ ++dbus_bool_t ++bus_apparmor_allows_acquire_service (DBusConnection *connection, ++ const char *bustype, ++ const char *service_name, ++ DBusError *error) ++{ ++ ++#ifdef HAVE_APPARMOR ++ BusAppArmorConfinement *con = NULL; ++ DBusString qstr, auxdata; ++ dbus_bool_t free_auxdata = FALSE; ++ dbus_bool_t allow = FALSE, audit = TRUE; ++ unsigned long pid; ++ int res, serrno = 0; ++ ++ if (!apparmor_enabled) ++ return TRUE; ++ ++ _dbus_assert (connection != NULL); ++ ++ con = bus_connection_dup_apparmor_confinement (connection); ++ ++ if (is_unconfined (con->context, con->mode)) ++ { ++ allow = TRUE; ++ audit = FALSE; ++ goto out; ++ } ++ ++ if (!_dbus_string_init (&qstr)) ++ goto oom; ++ ++ if (!build_service_query (&qstr, con->context, bustype, service_name)) ++ { ++ _dbus_string_free (&qstr); ++ goto oom; ++ } ++ ++ res = aa_query_label (AA_DBUS_BIND, ++ _dbus_string_get_data (&qstr), ++ _dbus_string_get_length (&qstr), ++ &allow, &audit); ++ _dbus_string_free (&qstr); ++ if (res == -1) ++ { ++ serrno = errno; ++ set_error_from_query_errno (error, serrno); ++ goto audit; ++ } ++ ++ /* Don't fail operations on profiles in complain mode */ ++ if (modestr_is_complain (con->mode)) ++ allow = TRUE; ++ ++ if (!allow) ++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, ++ "Connection \"%s\" is not allowed to own the service " ++ "\"%s\" due to AppArmor policy", ++ bus_connection_is_active (connection) ? ++ bus_connection_get_name (connection) : "(inactive)", ++ service_name); ++ ++ if (!audit) ++ goto out; ++ ++ audit: ++ if (!_dbus_string_init (&auxdata)) ++ goto oom; ++ free_auxdata = TRUE; ++ ++ if (!_dbus_append_pair_str (&auxdata, "bus", bustype ? bustype : "unknown")) ++ goto oom; ++ ++ if (!_dbus_append_pair_str (&auxdata, "name", service_name)) ++ goto oom; ++ ++ if (serrno && !_dbus_append_pair_str (&auxdata, "info", strerror (serrno))) ++ goto oom; ++ ++ if (!_dbus_append_mask (&auxdata, AA_DBUS_BIND)) ++ goto oom; ++ ++ if (connection && dbus_connection_get_unix_process_id (connection, &pid) && ++ !_dbus_append_pair_uint (&auxdata, "pid", pid)) ++ goto oom; ++ ++ if (con->context && !_dbus_append_pair_str (&auxdata, "profile", con->context)) ++ goto oom; ++ ++ log_message (allow, "bind", &auxdata); ++ ++ out: ++ if (con != NULL) ++ bus_apparmor_confinement_unref (con); ++ if (free_auxdata) ++ _dbus_string_free (&auxdata); ++ return allow; ++ ++ oom: ++ if (error != NULL && !dbus_error_is_set (error)) ++ BUS_SET_OOM (error); ++ allow = FALSE; ++ goto out; ++ ++#else ++ return TRUE; ++#endif /* HAVE_APPARMOR */ ++} +diff --git a/bus/apparmor.h b/bus/apparmor.h +index 8c97420..2010cbe 100644 +--- a/bus/apparmor.h ++++ b/bus/apparmor.h +@@ -38,7 +38,13 @@ void bus_apparmor_shutdown (void); + dbus_bool_t bus_apparmor_enabled (void); + + void bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement); ++void bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement); + BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection, + DBusError *error); + ++dbus_bool_t bus_apparmor_allows_acquire_service (DBusConnection *connection, ++ const char *bustype, ++ const char *service_name, ++ DBusError *error); ++ + #endif /* BUS_APPARMOR_H */ +diff --git a/bus/connection.c b/bus/connection.c +index d15cb56..c3b8860 100644 +--- a/bus/connection.c ++++ b/bus/connection.c +@@ -1129,6 +1129,19 @@ bus_connection_get_selinux_id (DBusConnection *connection) + return d->selinux_id; + } + ++BusAppArmorConfinement* ++bus_connection_dup_apparmor_confinement (DBusConnection *connection) ++{ ++ BusConnectionData *d; ++ ++ d = BUS_CONNECTION_DATA (connection); ++ ++ _dbus_assert (d != NULL); ++ ++ bus_apparmor_confinement_ref (d->apparmor_confinement); ++ return d->apparmor_confinement; ++} ++ + /** + * Checks whether the connection is registered with the message bus. + * +diff --git a/bus/connection.h b/bus/connection.h +index 9f4f9ae..a74006d 100644 +--- a/bus/connection.h ++++ b/bus/connection.h +@@ -54,6 +54,7 @@ BusActivation* bus_connection_get_activation (DBusConnection + BusMatchmaker* bus_connection_get_matchmaker (DBusConnection *connection); + const char * bus_connection_get_loginfo (DBusConnection *connection); + BusSELinuxID* bus_connection_get_selinux_id (DBusConnection *connection); ++BusAppArmorConfinement* bus_connection_dup_apparmor_confinement (DBusConnection *connection); + dbus_bool_t bus_connections_check_limits (BusConnections *connections, + DBusConnection *requesting_completion, + DBusError *error); +diff --git a/bus/services.c b/bus/services.c +index 01a720e..1d4d381 100644 +--- a/bus/services.c ++++ b/bus/services.c +@@ -36,6 +36,7 @@ + #include "policy.h" + #include "bus.h" + #include "selinux.h" ++#include "apparmor.h" + + struct BusService + { +@@ -458,6 +459,12 @@ bus_registry_acquire_service (BusRegistry *registry, + _dbus_string_get_const_data (service_name)); + goto out; + } ++ ++ if (!bus_apparmor_allows_acquire_service (connection, ++ (registry->context ? ++ bus_context_get_type (registry->context) : NULL), ++ _dbus_string_get_const_data (service_name), error)) ++ goto out; + + if (!bus_client_policy_check_can_own (policy, service_name)) + { +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch dbus-1.8.6/debian/patches/0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch --- dbus-1.8.6/debian/patches/0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,92 @@ +From bb2fa103620be710fb563e872bd90655519e828c Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Fri, 14 Mar 2014 12:12:46 -0500 +Subject: [PATCH 09/13] Do LSM checks after determining if the message is a + requested reply + +Move the call to bus_selinux_allows_send() after the call to +bus_connections_check_reply(). + +This allows LSMs to know if the message is a reply and whether or not it +was requested. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + bus/bus.c | 53 +++++++++++++++++++++++++++++------------------------ + 1 file changed, 29 insertions(+), 24 deletions(-) + +diff --git a/bus/bus.c b/bus/bus.c +index 9c26249..7d76017 100644 +--- a/bus/bus.c ++++ b/bus/bus.c +@@ -1479,30 +1479,6 @@ bus_context_check_security_policy (BusContext *context, + + if (sender != NULL) + { +- /* First verify the SELinux access controls. If allowed then +- * go on with the standard checks. +- */ +- if (!bus_selinux_allows_send (sender, proposed_recipient, +- dbus_message_type_to_string (dbus_message_get_type (message)), +- dbus_message_get_interface (message), +- dbus_message_get_member (message), +- dbus_message_get_error_name (message), +- dest ? dest : DBUS_SERVICE_DBUS, error)) +- { +- if (error != NULL && !dbus_error_is_set (error)) +- { +- /* don't syslog this, just set the error: avc_has_perm should +- * have already written to either the audit log or syslog */ +- complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, +- "An SELinux policy prevents this sender from sending this " +- "message to this recipient", +- 0, message, sender, proposed_recipient, FALSE, FALSE, error); +- _dbus_verbose ("SELinux security check denying send to service\n"); +- } +- +- return FALSE; +- } +- + if (bus_connection_is_active (sender)) + { + sender_policy = bus_connection_get_policy (sender); +@@ -1533,6 +1509,35 @@ bus_context_check_security_policy (BusContext *context, + } + else + { ++ sender_policy = NULL; ++ } ++ ++ /* First verify the SELinux access controls. If allowed then ++ * go on with the standard checks. ++ */ ++ if (!bus_selinux_allows_send (sender, proposed_recipient, ++ dbus_message_type_to_string (dbus_message_get_type (message)), ++ dbus_message_get_interface (message), ++ dbus_message_get_member (message), ++ dbus_message_get_error_name (message), ++ dest ? dest : DBUS_SERVICE_DBUS, error)) ++ { ++ if (error != NULL && !dbus_error_is_set (error)) ++ { ++ /* don't syslog this, just set the error: avc_has_perm should ++ * have already written to either the audit log or syslog */ ++ complain_about_message (context, DBUS_ERROR_ACCESS_DENIED, ++ "An SELinux policy prevents this sender from sending this " ++ "message to this recipient", ++ 0, message, sender, proposed_recipient, FALSE, FALSE, error); ++ _dbus_verbose ("SELinux security check denying send to service\n"); ++ } ++ ++ return FALSE; ++ } ++ ++ if (!bus_connection_is_active (sender)) ++ { + /* Policy for inactive connections is that they can only send + * the hello message to the bus driver + */ +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0010-Mediation-of-processes-sending-and-receiving-message.patch dbus-1.8.6/debian/patches/0010-Mediation-of-processes-sending-and-receiving-message.patch --- dbus-1.8.6/debian/patches/0010-Mediation-of-processes-sending-and-receiving-message.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0010-Mediation-of-processes-sending-and-receiving-message.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,465 @@ +From c5046c508e6a8e58b37fb980d87f70a594aeb9f7 Mon Sep 17 00:00:00 2001 +From: John Johansen +Date: Thu, 13 Feb 2014 13:07:32 -0600 +Subject: [PATCH 10/13] Mediation of processes sending and receiving messages + +When an AppArmor confined process wants to send or receive a message, a +check is performed to see if the action should be allowed. + +When a message is going through dbus-daemon, there are two checks +performed at once. One for the sending process and one for the receiving +process. + +The checks are based on the process's label, the bus type, destination, +path, interface, and member, as well as the peer's label and/or +destination name. + +This allows for the traditional connection-based enforcement, as well as +any fine-grained filtering desired by the system administrator. + +It is important to note that error and method_return messages are +allowed to cut down on the amount of rules needed. If a process was +allowed to send a message, it can receive error and method_return +messages. + +An example AppArmor rule that would be needed to allow a process to call +the UpdateActivationEnvironment method of the session bus itself would be: + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus), + +To receive any message on the system bus from a process confined by +the "confined-client" AppArmor profile: + + dbus receive bus=system peer=(label=confined-client), + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: John Johansen +[tyhicks: Use BusAppArmorConfinement, bug fixes, cleanup, commit msg] +Signed-off-by: Tyler Hicks +--- + bus/apparmor.c | 328 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + bus/apparmor.h | 12 +++ + bus/bus.c | 19 +++- + 3 files changed, 358 insertions(+), 1 deletion(-) + +diff --git a/bus/apparmor.c b/bus/apparmor.c +index 5ffce3d..05c9704 100644 +--- a/bus/apparmor.c ++++ b/bus/apparmor.c +@@ -280,6 +280,24 @@ build_service_query (DBusString *query, + query_append (query, name); + } + ++static dbus_bool_t ++build_message_query (DBusString *query, ++ const char *src_con, ++ const char *bustype, ++ const char *name, ++ const char *dst_con, ++ const char *path, ++ const char *interface, ++ const char *member) ++{ ++ return build_common_query (query, src_con, bustype) && ++ query_append (query, name) && ++ query_append (query, dst_con) && ++ query_append (query, path) && ++ query_append (query, interface) && ++ query_append (query, member); ++} ++ + static void + set_error_from_query_errno (DBusError *error, int error_number) + { +@@ -287,6 +305,41 @@ set_error_from_query_errno (DBusError *error, int error_number) + "Failed to query AppArmor policy: %s", + _dbus_strerror (error_number)); + } ++ ++static void ++set_error_from_denied_message (DBusError *error, ++ DBusConnection *sender, ++ DBusConnection *proposed_recipient, ++ dbus_bool_t requested_reply, ++ const char *msgtype, ++ const char *path, ++ const char *interface, ++ const char *member, ++ const char *error_name, ++ const char *destination) ++{ ++ const char *proposed_recipient_loginfo; ++ const char *unset = "(unset)"; ++ ++ proposed_recipient_loginfo = proposed_recipient ? ++ bus_connection_get_loginfo (proposed_recipient) : ++ "bus"; ++ ++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, ++ "An AppArmor policy prevents this sender from sending this " ++ "message to this recipient, %d matched rules; type=\"%s\", " ++ "sender=\"%s\" (%s) interface=\"%s\" member=\"%s\" " ++ "error name=\"%s\" destination=\"%s\" (%s)", ++ requested_reply, ++ msgtype, ++ bus_connection_get_name (sender), ++ bus_connection_get_loginfo (sender), ++ interface ? interface : unset, ++ member ? member : unset, ++ error_name ? error_name : unset, ++ destination, ++ proposed_recipient_loginfo); ++} + #endif /* HAVE_APPARMOR */ + + /** +@@ -622,3 +675,278 @@ bus_apparmor_allows_acquire_service (DBusConnection *connection, + return TRUE; + #endif /* HAVE_APPARMOR */ + } ++ ++/** ++ * Check if Apparmor security controls allow the message to be sent to a ++ * particular connection based on the security context of the sender and ++ * that of the receiver. The destination connection need not be the ++ * addressed recipient, it could be an "eavesdropper" ++ * ++ * @param sender the sender of the message. ++ * @param proposed_recipient the connection the message is to be sent to. ++ * @param requested_reply TRUE if the message is a reply requested by ++ * proposed_recipient ++ * @param bustype name of the bus ++ * @param msgtype message type (method_call, error, etc.) ++ * @param path object path the message should be sent to ++ * @param interface the type of the object instance ++ * @param member the member of the object ++ * @param error_name the name of the error if the message type is error ++ * @param destination name that the message should be sent to ++ * @param source name that the message should be sent from ++ * @param error the reason for failure when FALSE is returned ++ * @returns TRUE if the message is permitted ++ */ ++dbus_bool_t ++bus_apparmor_allows_send (DBusConnection *sender, ++ DBusConnection *proposed_recipient, ++ dbus_bool_t requested_reply, ++ const char *bustype, ++ const char *msgtype, ++ const char *path, ++ const char *interface, ++ const char *member, ++ const char *error_name, ++ const char *destination, ++ const char *source, ++ DBusError *error) ++{ ++#ifdef HAVE_APPARMOR ++ BusAppArmorConfinement *src_con = NULL, *dst_con = NULL; ++ DBusString qstr, auxdata; ++ dbus_bool_t src_allow = FALSE, dst_allow = FALSE; ++ dbus_bool_t src_audit = TRUE, dst_audit = TRUE; ++ dbus_bool_t free_auxdata = FALSE; ++ unsigned long pid; ++ int len, res, src_errno = 0, dst_errno = 0; ++ uint32_t src_perm = AA_DBUS_SEND, dst_perm = AA_DBUS_RECEIVE; ++ ++ if (!apparmor_enabled) ++ return TRUE; ++ ++ _dbus_assert (sender != NULL); ++ ++ src_con = bus_connection_dup_apparmor_confinement (sender); ++ ++ if (proposed_recipient) ++ { ++ dst_con = bus_connection_dup_apparmor_confinement (proposed_recipient); ++ } ++ else ++ { ++ dst_con = bus_con; ++ bus_apparmor_confinement_ref (dst_con); ++ } ++ ++ /* map reply messages: "error" and "method_return" to initial send and ++ * receive. That is permission to receive a message from X grants ++ * permission to reply to X. And permission to send a message to Y ++ * grants permission to receive a reply from Y. Note that this only applies ++ * to requested replies. Unrequested replies still require a policy query. ++ */ ++ if (requested_reply && ++ (strcmp (msgtype, "error") == 0 || strcmp (msgtype, "method_return") == 0)) ++ { ++ /* ignore requested reply messages and let dbus reply mapping handle them ++ * as the send was already allowed ++ */ ++ src_allow = TRUE; ++ dst_allow = TRUE; ++ goto out; ++ } ++ ++ if (is_unconfined (src_con->context, src_con->mode)) ++ { ++ src_allow = TRUE; ++ src_audit = FALSE; ++ } ++ else ++ { ++ if (!_dbus_string_init (&qstr)) ++ goto oom; ++ ++ if (!build_message_query (&qstr, src_con->context, bustype, destination, ++ dst_con->context, path, interface, member)) ++ { ++ _dbus_string_free (&qstr); ++ goto oom; ++ } ++ ++ res = aa_query_label (src_perm, ++ _dbus_string_get_data (&qstr), ++ _dbus_string_get_length (&qstr), ++ &src_allow, &src_audit); ++ _dbus_string_free (&qstr); ++ if (res == -1) ++ { ++ src_errno = errno; ++ set_error_from_query_errno (error, src_errno); ++ goto audit; ++ } ++ } ++ ++ if (is_unconfined (dst_con->context, dst_con->mode)) ++ { ++ dst_allow = TRUE; ++ dst_audit = FALSE; ++ } ++ else ++ { ++ if (!_dbus_string_init (&qstr)) ++ goto oom; ++ ++ if (!build_message_query (&qstr, dst_con->context, bustype, source, ++ src_con->context, path, interface, member)) ++ { ++ _dbus_string_free (&qstr); ++ goto oom; ++ } ++ ++ res = aa_query_label (dst_perm, ++ _dbus_string_get_data (&qstr), ++ _dbus_string_get_length (&qstr), ++ &dst_allow, &dst_audit); ++ _dbus_string_free (&qstr); ++ if (res == -1) ++ { ++ dst_errno = errno; ++ set_error_from_query_errno (error, dst_errno); ++ goto audit; ++ } ++ } ++ ++ /* Don't fail operations on profiles in complain mode */ ++ if (modestr_is_complain (src_con->mode)) ++ src_allow = TRUE; ++ if (modestr_is_complain (dst_con->mode)) ++ dst_allow = TRUE; ++ ++ if (!src_allow || !dst_allow) ++ set_error_from_denied_message (error, ++ sender, ++ proposed_recipient, ++ requested_reply, ++ msgtype, ++ path, ++ interface, ++ member, ++ error_name, ++ destination); ++ ++ if (!src_audit && !dst_audit) ++ goto out; ++ ++ audit: ++ if (!_dbus_string_init (&auxdata)) ++ goto oom; ++ free_auxdata = TRUE; ++ ++ if (!_dbus_append_pair_str (&auxdata, "bus", bustype ? bustype : "unknown")) ++ goto oom; ++ ++ if (path && !_dbus_append_pair_str (&auxdata, "path", path)) ++ goto oom; ++ ++ if (interface && !_dbus_append_pair_str (&auxdata, "interface", interface)) ++ goto oom; ++ ++ if (member && !_dbus_append_pair_str (&auxdata, "member", member)) ++ goto oom; ++ ++ if (error_name && !_dbus_append_pair_str (&auxdata, "error_name", error_name)) ++ goto oom; ++ ++ len = _dbus_string_get_length (&auxdata); ++ ++ if (src_audit) ++ { ++ if (!_dbus_append_mask (&auxdata, src_perm)) ++ goto oom; ++ ++ if (destination && !_dbus_append_pair_str (&auxdata, "name", destination)) ++ goto oom; ++ ++ if (sender && dbus_connection_get_unix_process_id (sender, &pid) && ++ !_dbus_append_pair_uint (&auxdata, "pid", pid)) ++ goto oom; ++ ++ if (src_con->context && ++ !_dbus_append_pair_str (&auxdata, "profile", src_con->context)) ++ goto oom; ++ ++ if (proposed_recipient && ++ dbus_connection_get_unix_process_id (proposed_recipient, &pid) && ++ !_dbus_append_pair_uint (&auxdata, "peer_pid", pid)) ++ goto oom; ++ ++ if (dst_con->context && ++ !_dbus_append_pair_str (&auxdata, "peer_profile", dst_con->context)) ++ goto oom; ++ ++ if (src_errno && !_dbus_append_pair_str (&auxdata, "info", strerror (src_errno))) ++ goto oom; ++ ++ if (dst_errno && ++ !_dbus_append_pair_str (&auxdata, "peer_info", strerror (dst_errno))) ++ goto oom; ++ ++ log_message (src_allow, msgtype, &auxdata); ++ } ++ if (dst_audit) ++ { ++ _dbus_string_set_length (&auxdata, len); ++ ++ if (source && !_dbus_append_pair_str (&auxdata, "name", source)) ++ goto oom; ++ ++ if (!_dbus_append_mask (&auxdata, dst_perm)) ++ goto oom; ++ ++ if (proposed_recipient && ++ dbus_connection_get_unix_process_id (proposed_recipient, &pid) && ++ !_dbus_append_pair_uint (&auxdata, "pid", pid)) ++ goto oom; ++ ++ if (dst_con->context && ++ !_dbus_append_pair_str (&auxdata, "profile", dst_con->context)) ++ goto oom; ++ ++ if (sender && dbus_connection_get_unix_process_id (sender, &pid) && ++ !_dbus_append_pair_uint (&auxdata, "peer_pid", pid)) ++ goto oom; ++ ++ if (src_con->context && ++ !_dbus_append_pair_str (&auxdata, "peer_profile", src_con->context)) ++ goto oom; ++ ++ if (dst_errno && !_dbus_append_pair_str (&auxdata, "info", strerror (dst_errno))) ++ goto oom; ++ ++ if (src_errno && ++ !_dbus_append_pair_str (&auxdata, "peer_info", strerror (src_errno))) ++ goto oom; ++ ++ log_message (dst_allow, msgtype, &auxdata); ++ } ++ ++ out: ++ if (src_con != NULL) ++ bus_apparmor_confinement_unref (src_con); ++ if (dst_con != NULL) ++ bus_apparmor_confinement_unref (dst_con); ++ if (free_auxdata) ++ _dbus_string_free (&auxdata); ++ ++ return src_allow && dst_allow; ++ ++ oom: ++ if (error != NULL && !dbus_error_is_set (error)) ++ BUS_SET_OOM (error); ++ src_allow = FALSE; ++ dst_allow = FALSE; ++ goto out; ++ ++#else ++ return TRUE; ++#endif /* HAVE_APPARMOR */ ++} +diff --git a/bus/apparmor.h b/bus/apparmor.h +index 2010cbe..bdc601d 100644 +--- a/bus/apparmor.h ++++ b/bus/apparmor.h +@@ -46,5 +46,17 @@ dbus_bool_t bus_apparmor_allows_acquire_service (DBusConnection *connection, + const char *bustype, + const char *service_name, + DBusError *error); ++dbus_bool_t bus_apparmor_allows_send (DBusConnection *sender, ++ DBusConnection *proposed_recipient, ++ dbus_bool_t requested_reply, ++ const char *bustype, ++ const char *msgtype, ++ const char *path, ++ const char *interface, ++ const char *member, ++ const char *error_name, ++ const char *destination, ++ const char *source, ++ DBusError *error); + + #endif /* BUS_APPARMOR_H */ +diff --git a/bus/bus.c b/bus/bus.c +index 7d76017..263ee36 100644 +--- a/bus/bus.c ++++ b/bus/bus.c +@@ -1438,7 +1438,7 @@ bus_context_check_security_policy (BusContext *context, + DBusMessage *message, + DBusError *error) + { +- const char *dest; ++ const char *src, *dest; + BusClientPolicy *sender_policy; + BusClientPolicy *recipient_policy; + dbus_int32_t toggles; +@@ -1447,6 +1447,7 @@ bus_context_check_security_policy (BusContext *context, + dbus_bool_t requested_reply; + + type = dbus_message_get_type (message); ++ src = dbus_message_get_sender (message); + dest = dbus_message_get_destination (message); + + /* dispatch.c was supposed to ensure these invariants */ +@@ -1536,6 +1537,22 @@ bus_context_check_security_policy (BusContext *context, + return FALSE; + } + ++ /* next verify AppArmor access controls. If allowed then ++ * go on with the standard checks. ++ */ ++ if (!bus_apparmor_allows_send (sender, proposed_recipient, ++ requested_reply, ++ bus_context_get_type (context), ++ dbus_message_type_to_string (dbus_message_get_type (message)), ++ dbus_message_get_path (message), ++ dbus_message_get_interface (message), ++ dbus_message_get_member (message), ++ dbus_message_get_error_name (message), ++ dest ? dest : DBUS_SERVICE_DBUS, ++ src ? src : DBUS_SERVICE_DBUS, ++ error)) ++ return FALSE; ++ + if (!bus_connection_is_active (sender)) + { + /* Policy for inactive connections is that they can only send +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0011-Mediation-of-processes-eavesdropping.patch dbus-1.8.6/debian/patches/0011-Mediation-of-processes-eavesdropping.patch --- dbus-1.8.6/debian/patches/0011-Mediation-of-processes-eavesdropping.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0011-Mediation-of-processes-eavesdropping.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,250 @@ +From 88c7b6f3c6af22f19089fc9597258963559bd8f0 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 13 Feb 2014 13:17:23 -0600 +Subject: [PATCH 11/13] Mediation of processes eavesdropping + +When an AppArmor confined process wants to eavesdrop on a bus, a check +is performed to see if the action should be allowed. + +The check is based on the connection's label and the bus type. + +This patch adds a new hook, which was not previously included in the +SELinux mediation, to mediate eavesdropping from +bus_driver_handle_add_match(). + +A new function is added to bus/signals.c to see if a match rule is an +eavesdropping rule since the rule flags field is private to signals.c. + +An example AppArmor rule that would allow a process to eavesdrop on the +session bus would be: + + dbus eavesdrop bus=session, + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + bus/apparmor.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + bus/apparmor.h | 4 ++ + bus/driver.c | 10 ++++- + bus/signals.c | 9 +++++ + bus/signals.h | 2 + + 5 files changed, 141 insertions(+), 1 deletion(-) + +diff --git a/bus/apparmor.c b/bus/apparmor.c +index 05c9704..bcae4db 100644 +--- a/bus/apparmor.c ++++ b/bus/apparmor.c +@@ -298,6 +298,12 @@ build_message_query (DBusString *query, + query_append (query, member); + } + ++static dbus_bool_t ++build_eavesdrop_query (DBusString *query, const char *con, const char *bustype) ++{ ++ return build_common_query (query, con, bustype); ++} ++ + static void + set_error_from_query_errno (DBusError *error, int error_number) + { +@@ -950,3 +956,114 @@ bus_apparmor_allows_send (DBusConnection *sender, + return TRUE; + #endif /* HAVE_APPARMOR */ + } ++ ++/** ++ * Check if Apparmor security controls allow the connection to eavesdrop on ++ * other connections. ++ * ++ * @param connection the connection attempting to eavesdrop. ++ * @param bustype name of the bus ++ * @param error the reason for failure when FALSE is returned ++ * @returns TRUE if eavesdropping is permitted ++ */ ++dbus_bool_t ++bus_apparmor_allows_eavesdropping (DBusConnection *connection, ++ const char *bustype, ++ DBusError *error) ++{ ++#ifdef HAVE_APPARMOR ++ BusAppArmorConfinement *con = NULL; ++ DBusString qstr, auxdata; ++ dbus_bool_t allow = FALSE, audit = TRUE; ++ dbus_bool_t free_auxdata = FALSE; ++ unsigned long pid; ++ int res, serrno = 0; ++ ++ if (!apparmor_enabled) ++ return TRUE; ++ ++ con = bus_connection_dup_apparmor_confinement (connection); ++ ++ if (is_unconfined (con->context, con->mode)) ++ { ++ allow = TRUE; ++ audit = FALSE; ++ goto out; ++ } ++ ++ if (!_dbus_string_init (&qstr)) ++ goto oom; ++ ++ if (!build_eavesdrop_query (&qstr, con->context, bustype)) ++ { ++ _dbus_string_free (&qstr); ++ goto oom; ++ } ++ ++ res = aa_query_label (AA_DBUS_EAVESDROP, ++ _dbus_string_get_data (&qstr), ++ _dbus_string_get_length (&qstr), ++ &allow, &audit); ++ _dbus_string_free (&qstr); ++ if (res == -1) ++ { ++ serrno = errno; ++ set_error_from_query_errno (error, serrno); ++ goto audit; ++ } ++ ++ /* Don't fail operations on profiles in complain mode */ ++ if (modestr_is_complain (con->mode)) ++ allow = TRUE; ++ ++ if (!allow) ++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, ++ "Connection \"%s\" is not allowed to eavesdrop due to " ++ "AppArmor policy", ++ bus_connection_is_active (connection) ? ++ bus_connection_get_name (connection) : "(inactive)"); ++ ++ if (!audit) ++ goto out; ++ ++ audit: ++ if (!_dbus_string_init (&auxdata)) ++ goto oom; ++ free_auxdata = TRUE; ++ ++ if (!_dbus_append_pair_str (&auxdata, "bus", bustype ? bustype : "unknown")) ++ goto oom; ++ ++ if (serrno && !_dbus_append_pair_str (&auxdata, "info", strerror (serrno))) ++ goto oom; ++ ++ if (!_dbus_append_pair_str (&auxdata, "mask", "eavesdrop")) ++ goto oom; ++ ++ if (connection && dbus_connection_get_unix_process_id (connection, &pid) && ++ !_dbus_append_pair_uint (&auxdata, "pid", pid)) ++ goto oom; ++ ++ if (con->context && !_dbus_append_pair_str (&auxdata, "profile", con->context)) ++ goto oom; ++ ++ log_message (allow, "eavesdrop", &auxdata); ++ ++ out: ++ if (con != NULL) ++ bus_apparmor_confinement_unref (con); ++ if (free_auxdata) ++ _dbus_string_free (&auxdata); ++ ++ return allow; ++ ++ oom: ++ if (error != NULL && !dbus_error_is_set (error)) ++ BUS_SET_OOM (error); ++ allow = FALSE; ++ goto out; ++ ++#else ++ return TRUE; ++#endif /* HAVE_APPARMOR */ ++} +diff --git a/bus/apparmor.h b/bus/apparmor.h +index bdc601d..625b67f 100644 +--- a/bus/apparmor.h ++++ b/bus/apparmor.h +@@ -59,4 +59,8 @@ dbus_bool_t bus_apparmor_allows_send (DBusConnection *sender, + const char *source, + DBusError *error); + ++dbus_bool_t bus_apparmor_allows_eavesdropping (DBusConnection *connection, ++ const char *bustype, ++ DBusError *error); ++ + #endif /* BUS_APPARMOR_H */ +diff --git a/bus/driver.c b/bus/driver.c +index e95a79d..820c48a 100644 +--- a/bus/driver.c ++++ b/bus/driver.c +@@ -24,6 +24,7 @@ + + #include + #include "activation.h" ++#include "apparmor.h" + #include "connection.h" + #include "driver.h" + #include "dispatch.h" +@@ -991,9 +992,10 @@ bus_driver_handle_add_match (DBusConnection *connection, + DBusError *error) + { + BusMatchRule *rule; +- const char *text; ++ const char *text, *bustype; + DBusString str; + BusMatchmaker *matchmaker; ++ BusContext *context; + + _DBUS_ASSERT_ERROR_IS_CLEAR (error); + +@@ -1026,6 +1028,12 @@ bus_driver_handle_add_match (DBusConnection *connection, + if (rule == NULL) + goto failed; + ++ context = bus_transaction_get_context (transaction); ++ bustype = context ? bus_context_get_type (context) : NULL; ++ if (bus_match_rule_get_client_is_eavesdropping (rule) && ++ !bus_apparmor_allows_eavesdropping (connection, bustype, error)) ++ goto failed; ++ + matchmaker = bus_connection_get_matchmaker (connection); + + if (!bus_matchmaker_add_rule (matchmaker, rule)) +diff --git a/bus/signals.c b/bus/signals.c +index 4c500c6..0642de5 100644 +--- a/bus/signals.c ++++ b/bus/signals.c +@@ -379,6 +379,15 @@ bus_match_rule_set_client_is_eavesdropping (BusMatchRule *rule, + } + + dbus_bool_t ++bus_match_rule_get_client_is_eavesdropping (BusMatchRule *rule) ++{ ++ if (rule->flags & BUS_MATCH_CLIENT_IS_EAVESDROPPING) ++ return TRUE; ++ else ++ return FALSE; ++} ++ ++dbus_bool_t + bus_match_rule_set_path (BusMatchRule *rule, + const char *path, + dbus_bool_t is_namespace) +diff --git a/bus/signals.h b/bus/signals.h +index a71d2e4..5db87fd 100644 +--- a/bus/signals.h ++++ b/bus/signals.h +@@ -73,6 +73,8 @@ dbus_bool_t bus_match_rule_set_arg (BusMatchRule *rule, + void bus_match_rule_set_client_is_eavesdropping (BusMatchRule *rule, + dbus_bool_t is_eavesdropping); + ++dbus_bool_t bus_match_rule_get_client_is_eavesdropping (BusMatchRule *rule); ++ + BusMatchRule* bus_match_rule_parse (DBusConnection *matches_go_to, + const DBusString *rule_text, + DBusError *error); +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch dbus-1.8.6/debian/patches/0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch --- dbus-1.8.6/debian/patches/0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,94 @@ +From 81e534eca99ca8e09ba255171b39e3744128b21e Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 13 Mar 2014 17:37:38 -0500 +Subject: [PATCH 12/13] New a{sv} helper for using byte arrays as the variant + +Create a new helper for using a byte array as the value in the mapping +from string to variant. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + dbus/dbus-asv-util.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + dbus/dbus-asv-util.h | 4 ++++ + 2 files changed, 58 insertions(+) + +diff --git a/dbus/dbus-asv-util.c b/dbus/dbus-asv-util.c +index 583e41f..d3ac5e9 100644 +--- a/dbus/dbus-asv-util.c ++++ b/dbus/dbus-asv-util.c +@@ -258,3 +258,57 @@ _dbus_asv_add_string (DBusMessageIter *arr_iter, + + return TRUE; + } ++ ++/** ++ * Create a new entry in an a{sv} (map from string to variant) ++ * with a byte array value. ++ * ++ * If this function fails, the a{sv} must be abandoned, for instance ++ * with _dbus_asv_abandon(). ++ * ++ * @param arr_iter the iterator which is appending to the array ++ * @param key a UTF-8 key for the map ++ * @param value the value ++ * @param n_elements the number of elements to append ++ * @returns #TRUE on success, or #FALSE if not enough memory ++ */ ++dbus_bool_t ++_dbus_asv_add_byte_array (DBusMessageIter *arr_iter, ++ const char *key, ++ const void *value, ++ int n_elements) ++{ ++ DBusMessageIter entry_iter; ++ DBusMessageIter var_iter; ++ DBusMessageIter byte_array_iter; ++ ++ if (!_dbus_asv_open_entry (arr_iter, &entry_iter, key, "ay", &var_iter)) ++ return FALSE; ++ ++ if (!dbus_message_iter_open_container (&var_iter, DBUS_TYPE_ARRAY, ++ DBUS_TYPE_BYTE_AS_STRING, ++ &byte_array_iter)) ++ { ++ _dbus_asv_abandon_entry (arr_iter, &entry_iter, &var_iter); ++ return FALSE; ++ } ++ ++ if (!dbus_message_iter_append_fixed_array (&byte_array_iter, DBUS_TYPE_BYTE, ++ &value, n_elements)) ++ { ++ dbus_message_iter_abandon_container (&var_iter, &byte_array_iter); ++ _dbus_asv_abandon_entry (arr_iter, &entry_iter, &var_iter); ++ return FALSE; ++ } ++ ++ if (!dbus_message_iter_close_container (&var_iter, &byte_array_iter)) ++ { ++ _dbus_asv_abandon_entry (arr_iter, &entry_iter, &var_iter); ++ return FALSE; ++ } ++ ++ if (!_dbus_asv_close_entry (arr_iter, &entry_iter, &var_iter)) ++ return FALSE; ++ ++ return TRUE; ++} +diff --git a/dbus/dbus-asv-util.h b/dbus/dbus-asv-util.h +index 0337260..277ab80 100644 +--- a/dbus/dbus-asv-util.h ++++ b/dbus/dbus-asv-util.h +@@ -42,5 +42,9 @@ dbus_bool_t _dbus_asv_add_uint32 (DBusMessageIter *arr_iter, + dbus_bool_t _dbus_asv_add_string (DBusMessageIter *arr_iter, + const char *key, + const char *value); ++dbus_bool_t _dbus_asv_add_byte_array (DBusMessageIter *arr_iter, ++ const char *key, ++ const void *value, ++ int n_elements); + + #endif +-- +1.9.1 + diff -Nru dbus-1.8.6/debian/patches/0013-Add-AppArmor-support-to-GetConnectionCredentials.patch dbus-1.8.6/debian/patches/0013-Add-AppArmor-support-to-GetConnectionCredentials.patch --- dbus-1.8.6/debian/patches/0013-Add-AppArmor-support-to-GetConnectionCredentials.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/0013-Add-AppArmor-support-to-GetConnectionCredentials.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,148 @@ +From 5f02e343dc3982b3606cbf55c8de2976cb401833 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 13 Feb 2014 13:21:51 -0600 +Subject: [PATCH 13/13] Add AppArmor support to GetConnectionCredentials + +Allow for querying the AppArmor context and mode of a given bus +connection using the org.freedesktop.DBus.GetConnectionCredentials +method. + +By calling GetConnectionCredentials with the connection name as the +argument, the AppArmor confinement context will be included in the +returned dictionary. The key is "AppArmorContext" and the value is a +byte string, which may not be UTF-8. + +Additionally, the confinement mode for the connection is made available. +The key is "AppArmorMode" and the value is a byte string. There are no +documented constraints regarding the mode string in the AppArmor +documentation, so a byte string is used. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113 +Signed-off-by: Tyler Hicks +--- + bus/apparmor.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ + bus/apparmor.h | 4 ++++ + bus/driver.c | 3 +++ + doc/dbus-specification.xml | 16 ++++++++++++++++ + 4 files changed, 69 insertions(+) + +Index: dbus-1.8.2/bus/apparmor.c +=================================================================== +--- dbus-1.8.2.orig/bus/apparmor.c 2014-05-08 14:08:15.478912756 -0500 ++++ dbus-1.8.2/bus/apparmor.c 2014-05-08 14:08:15.462912756 -0500 +@@ -28,6 +28,7 @@ + + #ifdef HAVE_APPARMOR + ++#include + #include + #include + #include +@@ -563,6 +564,51 @@ bus_apparmor_init_connection_confinement + #endif /* HAVE_APPARMOR */ + } + ++dbus_bool_t ++bus_apparmor_get_connection_credentials (DBusConnection *conn, ++ DBusMessageIter *array_iter, ++ DBusError *error) ++{ ++#if HAVE_APPARMOR ++ BusAppArmorConfinement *confinement; ++ char *context, *mode; ++ ++ _DBUS_ASSERT_ERROR_IS_CLEAR (error); ++ ++ confinement = bus_connection_dup_apparmor_confinement (conn); ++ if (confinement == NULL) ++ return TRUE; ++ ++ context = confinement->context; ++ mode = confinement->mode; ++ ++ if (context != NULL) ++ { ++ if (!_dbus_asv_add_byte_array (array_iter, "AppArmorContext", ++ context, strlen (context))) ++ goto oom; ++ } ++ ++ if (mode != NULL) ++ { ++ if (!_dbus_asv_add_byte_array (array_iter, "AppArmorMode", ++ mode, strlen (mode))) ++ goto oom; ++ } ++ ++ bus_apparmor_confinement_unref (confinement); ++ return TRUE; ++ ++ oom: ++ BUS_SET_OOM (error); ++ ++ bus_apparmor_confinement_unref (confinement); ++ return FALSE; ++#else ++ return TRUE; ++#endif /* HAVE_APPARMOR */ ++} ++ + /** + * Returns true if the given connection can acquire a service, + * using the tasks security context +Index: dbus-1.8.2/bus/apparmor.h +=================================================================== +--- dbus-1.8.2.orig/bus/apparmor.h 2014-05-08 14:08:15.478912756 -0500 ++++ dbus-1.8.2/bus/apparmor.h 2014-05-08 14:08:15.466912756 -0500 +@@ -42,6 +42,10 @@ void bus_apparmor_confinement_ref (BusAp + BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection, + DBusError *error); + ++dbus_bool_t bus_apparmor_get_connection_credentials (DBusConnection *conn, ++ DBusMessageIter *array_iter, ++ DBusError *error); ++ + dbus_bool_t bus_apparmor_allows_acquire_service (DBusConnection *connection, + const char *bustype, + const char *service_name, +Index: dbus-1.8.2/bus/driver.c +=================================================================== +--- dbus-1.8.2.orig/bus/driver.c 2014-05-08 14:08:15.478912756 -0500 ++++ dbus-1.8.2/bus/driver.c 2014-05-08 14:08:15.466912756 -0500 +@@ -1571,6 +1571,9 @@ bus_driver_handle_get_connection_credent + goto oom; + } + ++ if (!bus_apparmor_get_connection_credentials (conn, &array_iter, error)) ++ goto failed; ++ + if (!_dbus_asv_close (&reply_iter, &array_iter)) + goto oom; + +Index: dbus-1.8.2/doc/dbus-specification.xml +=================================================================== +--- dbus-1.8.2.orig/doc/dbus-specification.xml 2014-05-08 14:08:15.478912756 -0500 ++++ dbus-1.8.2/doc/dbus-specification.xml 2014-05-08 14:08:15.470912756 -0500 +@@ -5829,6 +5829,22 @@ + this concept. On Unix, this is the process ID defined by + POSIX. + ++ ++ AppArmorContext ++ ARRAY of BYTE ++ The AppArmor confinement context of the connection. This ++ byte string, which may not be UTF-8, is the same string as ++ returned in the *con argument by the aa_getcon() family of ++ AppArmor functions. ++ ++ ++ AppArmorMode ++ ARRAY of BYTE ++ The AppArmor confinement mode for the connection. This ++ byte string, which may not be UTF-8, is the same string as ++ returned in the *mode argument by the aa_getcon() family of ++ AppArmor functions. ++ + + + diff -Nru dbus-1.8.6/debian/patches/20_system_conf_limit.patch dbus-1.8.6/debian/patches/20_system_conf_limit.patch --- dbus-1.8.6/debian/patches/20_system_conf_limit.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/20_system_conf_limit.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,12 @@ +Index: dbus-1.2.16/bus/system.conf.in +=================================================================== +--- dbus-1.2.16.orig/bus/system.conf.in 2009-10-23 20:06:56.000000000 +0200 ++++ dbus-1.2.16/bus/system.conf.in 2009-10-23 20:09:53.000000000 +0200 +@@ -80,4 +80,7 @@ + + contexts/dbus_contexts + ++ ++ 5000 + diff -Nru dbus-1.8.6/debian/patches/81-session.conf-timeout.patch dbus-1.8.6/debian/patches/81-session.conf-timeout.patch --- dbus-1.8.6/debian/patches/81-session.conf-timeout.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/81-session.conf-timeout.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,16 @@ +# Description: Raise the service startup timeout from 25 to 60 seconds. It may be too short on the live CD with slow machines. +# UbuntuSpecific: Debian and upstream are not concerned about live CDs + +--- dbus-1.2.14.orig/bus/session.conf.in 2006-11-19 23:58:47.378368108 +0100 ++++ dbus-1.2.14/bus/session.conf.in 2006-11-19 23:59:13.123835260 +0100 +@@ -25,6 +25,10 @@ + + + ++ ++ 60000 ++ + + session.d diff -Nru dbus-1.8.6/debian/patches/aa-get-connection-apparmor-security-context.patch dbus-1.8.6/debian/patches/aa-get-connection-apparmor-security-context.patch --- dbus-1.8.6/debian/patches/aa-get-connection-apparmor-security-context.patch 1969-12-31 18:00:00.000000000 -0600 +++ dbus-1.8.6/debian/patches/aa-get-connection-apparmor-security-context.patch 2014-08-13 12:07:15.000000000 -0500 @@ -0,0 +1,166 @@ +Description: Add DBus method to return the AA context of a connection + Allows the AppArmor label that is attached to a D-Bus connection to be + queried using the unique connection name. + . + For example, + $ dbus-send --print-reply --system --dest=org.freedesktop.DBus \ + /org/freedesktop/DBus \ + org.freedesktop.DBus.GetConnectionAppArmorSecurityContext string::1.4 + method return sender=org.freedesktop.DBus -> dest=:1.50 reply_serial=2 + string "/usr/sbin/cupsd" +Author: Tyler Hicks +Forwarded: not-needed + +Index: dbus-1.8.2/bus/apparmor.c +=================================================================== +--- dbus-1.8.2.orig/bus/apparmor.c 2014-05-08 14:38:24.162955742 -0500 ++++ dbus-1.8.2/bus/apparmor.c 2014-05-08 14:38:24.154955742 -0500 +@@ -480,6 +480,20 @@ bus_apparmor_enabled (void) + return FALSE; + } + ++const char* ++bus_apparmor_confinement_get_context (BusAppArmorConfinement *confinement) ++{ ++#ifdef HAVE_APPARMOR ++ if (!apparmor_enabled) ++ return NULL; ++ ++ _dbus_assert (confinement != NULL); ++ ++ return confinement->context; ++#endif /* HAVE_APPARMOR */ ++ return NULL; ++} ++ + void + bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement) + { +Index: dbus-1.8.2/bus/apparmor.h +=================================================================== +--- dbus-1.8.2.orig/bus/apparmor.h 2014-05-08 14:38:24.162955742 -0500 ++++ dbus-1.8.2/bus/apparmor.h 2014-05-08 14:38:24.154955742 -0500 +@@ -39,6 +39,7 @@ dbus_bool_t bus_apparmor_enabled (void); + + void bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement); + void bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement); ++const char* bus_apparmor_confinement_get_context (BusAppArmorConfinement *confinement); + BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection, + DBusError *error); + +Index: dbus-1.8.2/bus/driver.c +=================================================================== +--- dbus-1.8.2.orig/bus/driver.c 2014-05-08 14:38:24.162955742 -0500 ++++ dbus-1.8.2/bus/driver.c 2014-05-08 14:40:37.986958923 -0500 +@@ -1604,6 +1604,87 @@ bus_driver_handle_get_connection_credent + } + + static dbus_bool_t ++bus_driver_handle_get_connection_apparmor_security_context (DBusConnection *connection, ++ BusTransaction *transaction, ++ DBusMessage *message, ++ DBusError *error) ++{ ++ const char *service; ++ DBusString str; ++ BusRegistry *registry; ++ BusService *serv; ++ DBusConnection *primary_connection; ++ DBusMessage *reply; ++ BusAppArmorConfinement *confinement; ++ const char *context; ++ ++ _DBUS_ASSERT_ERROR_IS_CLEAR (error); ++ ++ registry = bus_connection_get_registry (connection); ++ ++ service = NULL; ++ reply = NULL; ++ confinement = NULL; ++ ++ if (! dbus_message_get_args (message, error, DBUS_TYPE_STRING, &service, ++ DBUS_TYPE_INVALID)) ++ goto failed; ++ ++ _dbus_verbose ("asked for security context of connection %s\n", service); ++ ++ _dbus_string_init_const (&str, service); ++ serv = bus_registry_lookup (registry, &str); ++ if (serv == NULL) ++ { ++ dbus_set_error (error, ++ DBUS_ERROR_NAME_HAS_NO_OWNER, ++ "Could not get security context of name '%s': no such name", service); ++ goto failed; ++ } ++ ++ primary_connection = bus_service_get_primary_owners_connection (serv); ++ ++ reply = dbus_message_new_method_return (message); ++ if (reply == NULL) ++ goto oom; ++ ++ confinement = bus_connection_dup_apparmor_confinement (primary_connection); ++ context = bus_apparmor_confinement_get_context (confinement); ++ if (context == NULL) ++ { ++ dbus_set_error (error, ++ DBUS_ERROR_APPARMOR_SECURITY_CONTEXT_UNKNOWN, ++ "Could not determine security context for '%s'", service); ++ goto failed; ++ } ++ ++ if (! dbus_message_append_args (reply, ++ DBUS_TYPE_STRING, ++ &context, ++ DBUS_TYPE_INVALID)) ++ goto failed; ++ ++ if (! bus_transaction_send_from_driver (transaction, connection, reply)) ++ goto oom; ++ ++ bus_apparmor_confinement_unref (confinement); ++ dbus_message_unref (reply); ++ ++ return TRUE; ++ ++ oom: ++ BUS_SET_OOM (error); ++ ++ failed: ++ _DBUS_ASSERT_ERROR_IS_SET (error); ++ if (confinement) ++ bus_apparmor_confinement_unref (confinement); ++ if (reply) ++ dbus_message_unref (reply); ++ return FALSE; ++} ++ ++static dbus_bool_t + bus_driver_handle_reload_config (DBusConnection *connection, + BusTransaction *transaction, + DBusMessage *message, +@@ -1775,6 +1856,10 @@ static const MessageHandler dbus_message + DBUS_TYPE_STRING_AS_STRING, + DBUS_TYPE_ARRAY_AS_STRING DBUS_TYPE_BYTE_AS_STRING, + bus_driver_handle_get_connection_selinux_security_context }, ++ { "GetConnectionAppArmorSecurityContext", ++ DBUS_TYPE_STRING_AS_STRING, ++ DBUS_TYPE_STRING_AS_STRING, ++ bus_driver_handle_get_connection_apparmor_security_context }, + { "ReloadConfig", + "", + "", +Index: dbus-1.8.2/dbus/dbus-protocol.h +=================================================================== +--- dbus-1.8.2.orig/dbus/dbus-protocol.h 2014-05-08 14:38:24.162955742 -0500 ++++ dbus-1.8.2/dbus/dbus-protocol.h 2014-05-08 14:38:24.158955742 -0500 +@@ -439,6 +439,8 @@ extern "C" { + #define DBUS_ERROR_INVALID_FILE_CONTENT "org.freedesktop.DBus.Error.InvalidFileContent" + /** Asked for SELinux security context and it wasn't available. */ + #define DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN "org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown" ++/** Asked for AppArmor security context and it wasn't available. */ ++#define DBUS_ERROR_APPARMOR_SECURITY_CONTEXT_UNKNOWN "org.freedesktop.DBus.Error.AppArmorSecurityContextUnknown" + /** Asked for ADT audit data and it wasn't available. */ + #define DBUS_ERROR_ADT_AUDIT_DATA_UNKNOWN "org.freedesktop.DBus.Error.AdtAuditDataUnknown" + /** There's already an object with the requested object path. */ diff -Nru dbus-1.8.6/debian/patches/series dbus-1.8.6/debian/patches/series --- dbus-1.8.6/debian/patches/series 2014-06-30 09:16:58.000000000 -0500 +++ dbus-1.8.6/debian/patches/series 2014-08-13 14:28:59.000000000 -0500 @@ -1 +1,17 @@ 01_no-fatal-warnings.patch +20_system_conf_limit.patch +81-session.conf-timeout.patch +0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch +0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch +0003-Update-autoconf-file-to-build-against-libapparmor.patch +0004-Add-apparmor-element-support-to-bus-config-parsing.patch +0005-Initialize-AppArmor-mediation.patch +0006-Store-AppArmor-label-of-bus-during-initialization.patch +0007-Store-AppArmor-label-of-connecting-processes.patch +0008-Mediation-of-processes-that-acquire-well-known-names.patch +0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch +0010-Mediation-of-processes-sending-and-receiving-message.patch +0011-Mediation-of-processes-eavesdropping.patch +0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch +0013-Add-AppArmor-support-to-GetConnectionCredentials.patch +aa-get-connection-apparmor-security-context.patch diff -Nru dbus-1.8.6/debian/rules dbus-1.8.6/debian/rules --- dbus-1.8.6/debian/rules 2014-06-30 09:16:58.000000000 -0500 +++ dbus-1.8.6/debian/rules 2014-08-13 12:51:13.000000000 -0500 @@ -33,6 +33,7 @@ common_configure_flags += \ --enable-libaudit \ --enable-selinux \ + --enable-apparmor \ --enable-systemd \ --with-systemdsystemunitdir=/lib/systemd/system \ $(NULL) @@ -110,6 +111,7 @@ -- \ $(common_configure_flags) \ $(normal_configure_flags) \ + --exec-prefix=/ \ $(NULL) dh_auto_configure \ --builddirectory=build-debug \ @@ -140,6 +142,8 @@ dh_auto_install make -C build-debug install-exec DESTDIR=$(CURDIR)/debian/tmp make -C build-udeb install-exec DESTDIR=$(CURDIR)/debian/tmp-udeb + # adjust dbus-send path for our changed install layout + sed -i 's!^ExecReload=.*dbus-send!ExecReload=/usr/bin/dbus-send!' debian/tmp/lib/systemd/system/dbus.service override_dh_link: dh_link -plibdbus-1-dev lib/$(DEB_HOST_MULTIARCH)/$$(basename $$(readlink debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/libdbus-1.so)) usr/lib/$(DEB_HOST_MULTIARCH)/libdbus-1.so @@ -162,6 +166,7 @@ lib/$(DEB_HOST_MULTIARCH) dh_install --remaining-packages --list-missing $(dh_install_options) install -m 644 -D debian/dbus-Xsession debian/dbus-x11/etc/X11/Xsession.d/75dbus_dbus-launch + install -m 644 -D debian/dbus.user-session.upstart debian/dbus/usr/share/upstart/sessions/dbus.conf override_dh_installinit: dh_installinit -pdbus -r