diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core/dbus')
12 files changed, 676 insertions, 246 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus.inc b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus.inc new file mode 100644 index 000000000..27e4bd0c4 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus.inc @@ -0,0 +1,35 @@ +inherit autotools pkgconfig gettext upstream-version-is-even + +LICENSE = "AFL-2.1 | GPLv2+" +LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \ + file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c" + +SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \ + file://tmpdir.patch \ + file://dbus-1.init \ + file://clear-guid_from_server-if-send_negotiate_unix_f.patch \ + file://stop_using_selinux_set_mapping.patch \ +" + +SRC_URI[md5sum] = "28d92a7a576f7feec7ddb3bb87b28b43" +SRC_URI[sha256sum] = "9da1e3f2b73f75eec0a9e4509d64be43909d1f2853fe809528a0a53984d76420" + +EXTRA_OECONF = "--disable-xml-docs \ + --disable-doxygen-docs \ + --enable-largefile \ + --with-system-socket=/run/dbus/system_bus_socket \ + " +EXTRA_OECONF:append:class-target = " SYSTEMCTL=${base_bindir}/systemctl" + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \ + user-session \ + " +PACKAGECONFIG:class-native = "" +PACKAGECONFIG:class-nativesdk = "" + +PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir},--disable-systemd --without-systemdsystemunitdir,systemd" +PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm" +PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session" +PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,," +PACKAGECONFIG[audit] = "--enable-libaudit,--disable-libaudit,audit" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch deleted file mode 100644 index d2693ed69..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42010.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 9d07424e9011e3bbe535e83043d335f3093d2916 Mon Sep 17 00:00:00 2001 -From: Simon McVittie <smcv@collabora.com> -Date: Tue, 13 Sep 2022 15:10:22 +0100 -Subject: [PATCH] dbus-marshal-validate: Check brackets in signature nest -correctly - -In debug builds with assertions enabled, a signature with incorrectly -nested `()` and `{}`, for example `a{i(u}` or `(a{ii)}`, could result -in an assertion failure. - -In production builds without assertions enabled, a signature with -incorrectly nested `()` and `{}` could potentially result in a crash -or incorrect message parsing, although we do not have a concrete example -of either of these failure modes. - -Thanks: Evgeny Vereshchagin -Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 -Resolves: CVE-2022-42010 -Signed-off-by: Simon McVittie <smcv@collabora.com> ---- - dbus/dbus-marshal-validate.c | 38 +++++++++++++++++++++++++++++++++++- - 1 file changed, 37 insertions(+), 1 deletion(-) - -diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c -index 4d492f3f3..ae68414dd 100644 ---- a/dbus/dbus-marshal-validate.c -+++ b/dbus/dbus-marshal-validate.c -@@ -62,6 +62,8 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - - int element_count; - DBusList *element_count_stack; -+ char opened_brackets[DBUS_MAXIMUM_TYPE_RECURSION_DEPTH * 2 + 1] = { '\0' }; -+ char last_bracket; - - result = DBUS_VALID; - element_count_stack = NULL; -@@ -93,6 +95,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - - while (p != end) - { -+ _dbus_assert (struct_depth + dict_entry_depth >= 0); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth] == '\0'); -+ - switch (*p) - { - case DBUS_TYPE_BYTE: -@@ -136,6 +142,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - goto out; - } - -+ _dbus_assert (struct_depth + dict_entry_depth >= 1); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); -+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_STRUCT_BEGIN_CHAR; - break; - - case DBUS_STRUCT_END_CHAR: -@@ -151,9 +161,20 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - goto out; - } - -+ _dbus_assert (struct_depth + dict_entry_depth >= 1); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; -+ -+ if (last_bracket != DBUS_STRUCT_BEGIN_CHAR) -+ { -+ result = DBUS_INVALID_STRUCT_ENDED_BUT_NOT_STARTED; -+ goto out; -+ } -+ - _dbus_list_pop_last (&element_count_stack); - - struct_depth -= 1; -+ opened_brackets[struct_depth + dict_entry_depth] = '\0'; - break; - - case DBUS_DICT_ENTRY_BEGIN_CHAR: -@@ -178,6 +199,10 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - goto out; - } - -+ _dbus_assert (struct_depth + dict_entry_depth >= 1); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ _dbus_assert (opened_brackets[struct_depth + dict_entry_depth - 1] == '\0'); -+ opened_brackets[struct_depth + dict_entry_depth - 1] = DBUS_DICT_ENTRY_BEGIN_CHAR; - break; - - case DBUS_DICT_ENTRY_END_CHAR: -@@ -186,8 +211,19 @@ _dbus_validate_signature_with_reason (const DBusString *type_str, - result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; - goto out; - } -- -+ -+ _dbus_assert (struct_depth + dict_entry_depth >= 1); -+ _dbus_assert (struct_depth + dict_entry_depth < _DBUS_N_ELEMENTS (opened_brackets)); -+ last_bracket = opened_brackets[struct_depth + dict_entry_depth - 1]; -+ -+ if (last_bracket != DBUS_DICT_ENTRY_BEGIN_CHAR) -+ { -+ result = DBUS_INVALID_DICT_ENTRY_ENDED_BUT_NOT_STARTED; -+ goto out; -+ } -+ - dict_entry_depth -= 1; -+ opened_brackets[struct_depth + dict_entry_depth] = '\0'; - - element_count = - _DBUS_POINTER_TO_INT (_dbus_list_pop_last (&element_count_stack)); --- -GitLab - diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch deleted file mode 100644 index 9284dd666..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42011.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 079bbf16186e87fb0157adf8951f19864bc2ed69 Mon Sep 17 00:00:00 2001 -From: Simon McVittie <smcv@collabora.com> -Date: Mon, 12 Sep 2022 13:14:18 +0100 -Subject: [PATCH] dbus-marshal-validate: Validate length of arrays of - fixed-length items - -This fast-path previously did not check that the array was made up -of an integer number of items. This could lead to assertion failures -and out-of-bounds accesses during subsequent message processing (which -assumes that the message has already been validated), particularly after -the addition of _dbus_header_remove_unknown_fields(), which makes it -more likely that dbus-daemon will apply non-trivial edits to messages. - -Thanks: Evgeny Vereshchagin -Fixes: e61f13cf "Bug 18064 - more efficient validation for fixed-size type arrays" -Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 -Resolves: CVE-2022-42011 -Signed-off-by: Simon McVittie <smcv@collabora.com> ---- - dbus/dbus-marshal-validate.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/dbus/dbus-marshal-validate.c b/dbus/dbus-marshal-validate.c -index ae68414dd..7d0d6cf72 100644 ---- a/dbus/dbus-marshal-validate.c -+++ b/dbus/dbus-marshal-validate.c -@@ -503,13 +503,24 @@ validate_body_helper (DBusTypeReader *reader, - */ - if (dbus_type_is_fixed (array_elem_type)) - { -+ /* Note that fixed-size types all have sizes equal to -+ * their alignments, so this is really the item size. */ -+ alignment = _dbus_type_get_alignment (array_elem_type); -+ _dbus_assert (alignment == 1 || alignment == 2 || -+ alignment == 4 || alignment == 8); -+ -+ /* Because the alignment is a power of 2, this is -+ * equivalent to: (claimed_len % alignment) != 0, -+ * but avoids slower integer division */ -+ if ((claimed_len & (alignment - 1)) != 0) -+ return DBUS_INVALID_ARRAY_LENGTH_INCORRECT; -+ - /* bools need to be handled differently, because they can - * have an invalid value - */ - if (array_elem_type == DBUS_TYPE_BOOLEAN) - { - dbus_uint32_t v; -- alignment = _dbus_type_get_alignment (array_elem_type); - - while (p < array_end) - { --- -GitLab - diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch deleted file mode 100644 index 53b0e92ff..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/CVE-2022-42012.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 236f16e444e88a984cf12b09225e0f8efa6c5b44 Mon Sep 17 00:00:00 2001 -From: Simon McVittie <smcv@collabora.com> -Date: Fri, 30 Sep 2022 13:46:31 +0100 -Subject: [PATCH] dbus-marshal-byteswap: Byte-swap Unix fd indexes if needed - -When a D-Bus message includes attached file descriptors, the body of the -message contains unsigned 32-bit indexes pointing into an out-of-band -array of file descriptors. Some D-Bus APIs like GLib's GDBus refer to -these indexes as "handles" for the associated fds (not to be confused -with a Windows HANDLE, which is a kernel object). - -The assertion message removed by this commit is arguably correct up to -a point: fd-passing is only reasonable on a local machine, and no known -operating system allows processes of differing endianness even on a -multi-endian ARM or PowerPC CPU, so it makes little sense for the sender -to specify a byte-order that differs from the byte-order of the recipient. - -However, this doesn't account for the fact that a malicious sender -doesn't have to restrict itself to only doing things that make sense. -On a system with untrusted local users, a message sender could crash -the system dbus-daemon (a denial of service) by sending a message in -the opposite endianness that contains handles to file descriptors. - -Before this commit, if assertions are enabled, attempting to byteswap -a fd index would cleanly crash the message recipient with an assertion -failure. If assertions are disabled, attempting to byteswap a fd index -would silently do nothing without advancing the pointer p, causing the -message's type and the pointer into its contents to go out of sync, which -can result in a subsequent crash (the crash demonstrated by fuzzing was -a use-after-free, but other failure modes might be possible). - -In principle we could resolve this by rejecting wrong-endianness messages -from a local sender, but it's actually simpler and less code to treat -wrong-endianness messages as valid and byteswap them. - -Thanks: Evgeny Vereshchagin -Fixes: ba7daa60 "unix-fd: add basic marshalling code for unix fds" -Resolves: https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 -Resolves: CVE-2022-42012 -Signed-off-by: Simon McVittie <smcv@collabora.com> ---- - dbus/dbus-marshal-byteswap.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/dbus/dbus-marshal-byteswap.c b/dbus/dbus-marshal-byteswap.c -index e9de6f02a..9dd1246f9 100644 ---- a/dbus/dbus-marshal-byteswap.c -+++ b/dbus/dbus-marshal-byteswap.c -@@ -62,6 +62,7 @@ byteswap_body_helper (DBusTypeReader *reader, - case DBUS_TYPE_BOOLEAN: - case DBUS_TYPE_INT32: - case DBUS_TYPE_UINT32: -+ case DBUS_TYPE_UNIX_FD: - { - p = _DBUS_ALIGN_ADDRESS (p, 4); - *((dbus_uint32_t*)p) = DBUS_UINT32_SWAP_LE_BE (*((dbus_uint32_t*)p)); -@@ -192,11 +193,6 @@ byteswap_body_helper (DBusTypeReader *reader, - } - break; - -- case DBUS_TYPE_UNIX_FD: -- /* fds can only be passed on a local machine, so byte order must always match */ -- _dbus_assert_not_reached("attempted to byteswap unix fds which makes no sense"); -- break; -- - default: - _dbus_assert_not_reached ("invalid typecode in supposedly-validated signature"); - break; --- -GitLab - diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/clear-guid_from_server-if-send_negotiate_unix_f.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/clear-guid_from_server-if-send_negotiate_unix_f.patch new file mode 100644 index 000000000..6bb6d9c82 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/clear-guid_from_server-if-send_negotiate_unix_f.patch @@ -0,0 +1,104 @@ +From b8f84bd39485d3977625c9a8b8e8cff5d23be56f Mon Sep 17 00:00:00 2001 +From: Roy Li <rongqing.li@windriver.com> +Date: Thu, 27 Feb 2014 09:05:02 +0800 +Subject: [PATCH] dbus: clear guid_from_server if send_negotiate_unix_fd + failed + +Upstream-Status: Submitted + +bus-test dispatch test failed with below information: + ./bus/bus-test: Running message dispatch test + Activating service name='org.freedesktop.DBus.TestSuiteEchoService' + Successfully activated service 'org.freedesktop.DBus.TestSuiteEchoService' + 6363: assertion failed "_dbus_string_get_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server) == 0" file "dbus-auth.c" line 1545 function process_ok + ./bus/bus-test(_dbus_print_backtrace+0x29) [0x80cb969] + ./bus/bus-test(_dbus_abort+0x14) [0x80cfb44] + ./bus/bus-test(_dbus_real_assert+0x53) [0x80b52c3] + ./bus/bus-test() [0x80e24da] + ./bus/bus-test(_dbus_auth_do_work+0x388) [0x80e3848] + ./bus/bus-test() [0x80aea49] + ./bus/bus-test() [0x80affde] + ./bus/bus-test(_dbus_transport_handle_watch+0xb1) [0x80ad841] + ./bus/bus-test(_dbus_connection_handle_watch+0x104) [0x8089174] + ./bus/bus-test(dbus_watch_handle+0xd8) [0x80b15e8] + ./bus/bus-test(_dbus_loop_iterate+0x4a9) [0x80d1509] + ./bus/bus-test(bus_test_run_clients_loop+0x5d) [0x808129d] + ./bus/bus-test() [0x806cab0] + ./bus/bus-test() [0x806e0ca] + ./bus/bus-test() [0x806da6f] + ./bus/bus-test(_dbus_test_oom_handling+0x18c) [0x80b5c8c] + ./bus/bus-test() [0x806f723] + ./bus/bus-test(bus_dispatch_test+0x3c) [0x8071aac] + ./bus/bus-test(main+0x1b7) [0x805acc7] + /lib/libc.so.6(__libc_start_main+0xf3) [0x45f919b3] + ./bus/bus-test() [0x805ae39] + +The stack is below: + #0 0xffffe425 in __kernel_vsyscall () + #1 0x45fa62d6 in raise () from /lib/libc.so.6 + #2 0x45fa9653 in abort () from /lib/libc.so.6 + #3 0x080cfb65 in _dbus_abort () at dbus-sysdeps.c:94 + #4 0x080b52c3 in _dbus_real_assert (condition=0, + condition_text=condition_text@entry=0x8117a38 "_dbus_string_get_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server) == 0", + file=file@entry=0x8117273 "dbus-auth.c", line=line@entry=1545, + func=func@entry=0x8117f8e <__FUNCTION__.3492> "process_ok") + data=0x8157290) at dbus-connection.c:1515 + #0 0x00000033fee353e9 in raise () from /lib64/libc.so.6 + #1 0x00000033fee38508 in abort () from /lib64/libc.so.6 + #2 0x000000000047d585 in _dbus_abort () at dbus-sysdeps.c:94 + #3 0x0000000000466486 in _dbus_real_assert (condition=<optimized out>, + condition_text=condition_text@entry=0x4c2988 "_dbus_string_get_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server) == 0", + file=file@entry=0x4c21a5 "dbus-auth.c", line=line@entry=1546, + func=func@entry=0x4c2fce <__FUNCTION__.3845> "process_ok") + at dbus-internals.c:931 + #4 0x000000000048d424 in process_ok (args_from_ok=0x7fffffffe480, + auth=0x6ff340) at dbus-auth.c:1546 + #5 handle_client_state_waiting_for_data (auth=0x6ff340, + command=<optimized out>, args=0x7fffffffe480) at dbus-auth.c:1996 + #6 0x000000000048e789 in process_command (auth=0x6ff340) at dbus-auth.c:2208 + #7 _dbus_auth_do_work (auth=0x6ff340) at dbus-auth.c:2458 + #8 0x000000000046091d in do_authentication ( + transport=transport@entry=0x6ffaa0, do_reading=do_reading@entry=1, + do_writing=do_writing@entry=0, + auth_completed=auth_completed@entry=0x7fffffffe55c) + at dbus-transport-socket.c:442 + #9 0x0000000000461d08 in socket_handle_watch (transport=0x6ffaa0, + watch=0x6f4190, flags=1) at dbus-transport-socket.c:921 + #10 0x000000000045fa3a in _dbus_transport_handle_watch (transport=0x6ffaa0, + +Once send_negotiate_unix_fd failed, this failure will happen, since +auth->guid_from_server has been set to some value before +send_negotiate_unix_fd. send_negotiate_unix_fd failure will lead to +this auth be handled by process_ok again, but this auth->guid_from_server +is not zero. + +So we should clear auth->guid_from_server if send_negotiate_unix_fd failed + +Signed-off-by: Roy Li <rongqing.li@windriver.com> +--- + dbus/dbus-auth.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c +index d2c37a7..37b45c6 100644 +--- a/dbus/dbus-auth.c ++++ b/dbus/dbus-auth.c +@@ -1571,8 +1571,13 @@ process_ok(DBusAuth *auth, + _dbus_verbose ("Got GUID '%s' from the server\n", + _dbus_string_get_const_data (& DBUS_AUTH_CLIENT (auth)->guid_from_server)); + +- if (auth->unix_fd_possible) +- return send_negotiate_unix_fd(auth); ++ if (auth->unix_fd_possible) { ++ if (!send_negotiate_unix_fd(auth)) { ++ _dbus_string_set_length (& DBUS_AUTH_CLIENT (auth)->guid_from_server, 0); ++ return FALSE; ++ } ++ return TRUE; ++ } + + _dbus_verbose("Not negotiating unix fd passing, since not possible\n"); + return send_begin (auth); +-- +1.7.10.4 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/dbus-1.init b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/dbus-1.init new file mode 100644 index 000000000..90e167e57 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/dbus-1.init @@ -0,0 +1,123 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: dbus +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 1 +# Short-Description: D-Bus systemwide message bus +# Description: D-Bus is a simple interprocess messaging system, used +# for sending messages between applications. +### END INIT INFO +# +# -*- coding: utf-8 -*- +# Debian init.d script for D-BUS +# Copyright © 2003 Colin Walters <walters@debian.org> + +# set -e + +# Source function library. +. /etc/init.d/functions + +DAEMON=@bindir@/dbus-daemon +NAME=dbus +DAEMONUSER=messagebus # must match /usr/share/dbus-1/system.conf +PIDFILE=/var/run/dbus/pid # must match /usr/share/dbus-1/system.conf +UUIDDIR=/var/lib/dbus +DESC="system message bus" +EVENTDIR=/etc/dbus-1/event.d + +test -x $DAEMON || exit 0 + +# Source defaults file; edit that file to configure this script. +ENABLED=1 +PARAMS="" +if [ -e /etc/default/dbus ]; then + . /etc/default/dbus +fi + +test "$ENABLED" != "0" || exit 0 + +start_it_up() +{ + mkdir -p "`dirname $PIDFILE`" + if [ -e $PIDFILE ]; then + PIDDIR=/proc/$(cat $PIDFILE) + if [ -d ${PIDDIR} -a "$(readlink -f ${PIDDIR}/exe)" = "${DAEMON}" ]; then + echo "$DESC already started; not starting." + else + echo "Removing stale PID file $PIDFILE." + rm -f $PIDFILE + fi + fi + + if [ ! -d $UUIDDIR ]; then + mkdir -p $UUIDDIR + chown $DAEMONUSER $UUIDDIR + chgrp $DAEMONUSER $UUIDDIR + fi + + dbus-uuidgen --ensure + + echo -n "Starting $DESC: " + start-stop-daemon -o --start --quiet --pidfile $PIDFILE \ + --user $DAEMONUSER --exec $DAEMON -- --system $PARAMS + echo "$NAME." + if [ -d $EVENTDIR ]; then + run-parts --arg=start $EVENTDIR + fi +} + +shut_it_down() +{ + if [ -d $EVENTDIR ]; then + # TODO: --reverse when busybox supports it + run-parts --arg=stop $EVENTDIR + fi + echo -n "Stopping $DESC: " + start-stop-daemon -o --stop --quiet --pidfile $PIDFILE \ + --user $DAEMONUSER + # We no longer include these arguments so that start-stop-daemon + # can do its job even given that we may have been upgraded. + # We rely on the pidfile being sanely managed + # --exec $DAEMON -- --system $PARAMS + echo "$NAME." + rm -f $PIDFILE +} + +reload_it() +{ + echo -n "Reloading $DESC config: " + dbus-send --print-reply --system --type=method_call \ + --dest=org.freedesktop.DBus \ + / org.freedesktop.DBus.ReloadConfig > /dev/null + # hopefully this is enough time for dbus to reload it's config file. + echo "done." +} + +case "$1" in + start) + start_it_up + ;; + stop) + shut_it_down + ;; + status) + status $DAEMON + exit $? + ;; + reload|force-reload) + reload_it + ;; + restart) + shut_it_down + sleep 1 + start_it_up + ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|status|restart|reload|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/python-config.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/python-config.patch new file mode 100644 index 000000000..da2f10c72 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/python-config.patch @@ -0,0 +1,34 @@ +When building the dbus-ptest package, we have to enable python. However +checking if the host-system python has the necessary library isn't useful. + +Disable the python module check for cross compiling. + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Mark Hatle <mark.hatle@windriver.com> + +--- + configure.ac | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 80d27b4..becc1cc 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -279,13 +279,6 @@ if test "x$enable_tests" = xyes; then + # full test coverage is required, Python is a hard dependency + AC_MSG_NOTICE([Full test coverage (--enable-tests=yes) requires Python, dbus-python, pygi]) + AM_PATH_PYTHON([2.6]) +- AC_MSG_CHECKING([for Python modules for full test coverage]) +- if "$PYTHON" -c "import dbus, gi.repository.GObject, dbus.mainloop.glib"; then +- AC_MSG_RESULT([yes]) +- else +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([cannot import dbus, gi.repository.GObject, dbus.mainloop.glib Python modules]) +- fi + else + # --enable-tests not given: do not abort if Python is missing + AM_PATH_PYTHON([2.6], [], [:]) +-- +1.9.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/run-ptest b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/run-ptest new file mode 100755 index 000000000..d3eec0823 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/run-ptest @@ -0,0 +1,35 @@ +#!/bin/sh + +output() { + retcode=$? + if [ $retcode -eq 0 ] + then echo "PASS: $i" + elif [ $retcode -eq 77 ] + then echo "SKIP: $i" + else echo "FAIL: $i" + fi +} + +export DBUS_TEST_HOMEDIR=./test +export XDG_RUNTIME_DIR=./test +export LD_LIBRARY_PATH=@PTEST_PATH@/test/.libs + +files=`ls test/test-*` + +for i in $files +do + #these programs are used by testcase test-bus, don't run here + #additionally, test-names needs to be run under X + if [ $i = "test/test-service" ] \ + || [ $i = "test/test-shell-service" ] \ + || [ $i = "test/test-segfault" ] \ + || [ $i = "test/test-bus" ] \ + || [ $i = "test/test-names" ] + then + continue + fi + + ./$i ./test/data >/dev/null 2>&1 + output +done + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch new file mode 100644 index 000000000..7035098e4 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch @@ -0,0 +1,148 @@ +From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001 +From: Laurent Bigonville <bigon@bigon.be> +Date: Sat, 3 Mar 2018 11:15:23 +0100 +Subject: [PATCH] Stop using selinux_set_mapping() function + +Currently, if the "dbus" security class or the associated AV doesn't +exist, dbus-daemon fails to initialize and exits immediately. Also the +security classes or access vector cannot be reordered in the policy. +This can be a problem for people developing their own policy or trying +to access a machine where, for some reasons, there is not policy defined +at all. + +The code here copy the behaviour of the selinux_check_access() function. +We cannot use this function here as it doesn't allow us to define the +AVC entry reference. + +See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2 + +Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198 +--- + bus/selinux.c | 75 ++++++++++++++++++++++++++++----------------------- + 1 file changed, 42 insertions(+), 33 deletions(-) + + +Upstream-Status: Backport +Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com> +diff --git a/bus/selinux.c b/bus/selinux.c + +--- a/bus/selinux.c 2021-08-11 14:45:59.048513026 +0000 ++++ b/bus/selinux.c 2021-08-11 14:57:47.144846966 +0000 +@@ -311,24 +311,6 @@ + #endif + } + +-/* +- * Private Flask definitions; the order of these constants must +- * exactly match that of the structure array below! +- */ +-/* security dbus class constants */ +-#define SECCLASS_DBUS 1 +- +-/* dbus's per access vector constants */ +-#define DBUS__ACQUIRE_SVC 1 +-#define DBUS__SEND_MSG 2 +- +-#ifdef HAVE_SELINUX +-static struct security_class_mapping dbus_map[] = { +- { "dbus", { "acquire_svc", "send_msg", NULL } }, +- { NULL } +-}; +-#endif /* HAVE_SELINUX */ +- + /** + * Establish dynamic object class and permission mapping and + * initialize the user space access vector cache (AVC) for D-Bus and set up +@@ -350,13 +332,6 @@ + + _dbus_verbose ("SELinux is enabled in this kernel.\n"); + +- if (selinux_set_mapping (dbus_map) < 0) +- { +- _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).", +- strerror (errno)); +- return FALSE; +- } +- + avc_entry_ref_init (&aeref); + if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0) + { +@@ -421,19 +396,53 @@ + static dbus_bool_t + bus_selinux_check (BusSELinuxID *sender_sid, + BusSELinuxID *override_sid, +- security_class_t target_class, +- access_vector_t requested, ++ const char *target_class, ++ const char *requested, + DBusString *auxdata) + { ++ int saved_errno; ++ security_class_t security_class; ++ access_vector_t requested_access; ++ + if (!selinux_enabled) + return TRUE; + ++ security_class = string_to_security_class (target_class); ++ if (security_class == 0) ++ { ++ saved_errno = errno; ++ log_callback (SELINUX_ERROR, "Unknown class %s", target_class); ++ if (security_deny_unknown () == 0) ++ { ++ return TRUE; ++ } ++ ++ _dbus_verbose ("Unknown class %s\n", target_class); ++ errno = saved_errno; ++ return FALSE; ++ } ++ ++ requested_access = string_to_av_perm (security_class, requested); ++ if (requested_access == 0) ++ { ++ saved_errno = errno; ++ log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class); ++ if (security_deny_unknown () == 0) ++ { ++ return TRUE; ++ } ++ ++ _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class); ++ errno = saved_errno; ++ return FALSE; ++ } ++ + /* Make the security check. AVC checks enforcing mode here as well. */ + if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid), + override_sid ? + SELINUX_SID_FROM_BUS (override_sid) : + bus_sid, +- target_class, requested, &aeref, auxdata) < 0) ++ security_class, requested_access, &aeref, auxdata) < 0) + { + switch (errno) + { +@@ -500,8 +509,8 @@ + + ret = bus_selinux_check (connection_sid, + service_sid, +- SECCLASS_DBUS, +- DBUS__ACQUIRE_SVC, ++ "dbus", ++ "acquire_svc", + &auxdata); + + _dbus_string_free (&auxdata); +@@ -629,8 +638,8 @@ + + ret = bus_selinux_check (sender_sid, + recipient_sid, +- SECCLASS_DBUS, +- DBUS__SEND_MSG, ++ "dbus", ++ "send_msg", + &auxdata); + + _dbus_string_free (&auxdata); diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/tmpdir.patch b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/tmpdir.patch new file mode 100644 index 000000000..bf086e178 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus/tmpdir.patch @@ -0,0 +1,44 @@ +From 5105fedd7fa13dadd2d0d864fb77873b83b79a4b Mon Sep 17 00:00:00 2001 +From: Koen Kooi <koen@dominion.thruhere.net> +Date: Thu, 23 Jun 2011 13:52:09 +0200 +Subject: [PATCH] buildsys: hardcode socketdir to /tmp + +the TMPDIR env var isn't always pointing to the right target path + +Upstream-Status: Inappropriate [embedded] + +Signed-off-by: Koen Kooi <koen@dominion.thruhere.net> + +Original comment: + + avoid to check tmp dir at build time. instead uses hard coded /tmp here + comment added by Kevin Tian <kevin.tian@intel.com> +--- + configure.ac | 11 +---------- + 1 files changed, 1 insertions(+), 10 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 408054b..6d26180 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1483,16 +1483,7 @@ AC_SUBST(TEST_LAUNCH_HELPER_BINARY) + AC_DEFINE_UNQUOTED(DBUS_TEST_LAUNCH_HELPER_BINARY, "$TEST_LAUNCH_HELPER_BINARY", + [Full path to the launch helper test program in the builddir]) + +-#### Find socket directories +-if ! test -z "$TMPDIR" ; then +- DEFAULT_SOCKET_DIR=$TMPDIR +-elif ! test -z "$TEMP" ; then +- DEFAULT_SOCKET_DIR=$TEMP +-elif ! test -z "$TMP" ; then +- DEFAULT_SOCKET_DIR=$TMP +-else +- DEFAULT_SOCKET_DIR=/tmp +-fi ++DEFAULT_SOCKET_DIR=/tmp + + DEFAULT_SOCKET_DIR=`echo $DEFAULT_SOCKET_DIR | sed 's/+/%2B/g'` + +-- +1.6.6.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend deleted file mode 100644 index af073e92a..000000000 --- a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_%.bbappend +++ /dev/null @@ -1,6 +0,0 @@ -FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" -SRC_URI += " \ - file://CVE-2022-42010.patch \ - file://CVE-2022-42011.patch \ - file://CVE-2022-42012.patch \ - " diff --git a/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_1.12.28.bb b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_1.12.28.bb new file mode 100644 index 000000000..48947209d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/dbus/dbus_1.12.28.bb @@ -0,0 +1,153 @@ +SUMMARY = "D-Bus message bus" +DESCRIPTION = "D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a \"single instance\" application or daemon, and to launch applications and daemons on demand when their services are needed." +HOMEPAGE = "https://dbus.freedesktop.org" +SECTION = "base" + +require dbus.inc + +DEPENDS = "expat virtual/libintl autoconf-archive" +PACKAGES += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', '${PN}-ptest', '', d)}" +ALLOW_EMPTY:dbus-ptest = "1" +RDEPENDS:dbus-ptest:class-target = "dbus-test-ptest" +RDEPENDS:${PN} += "${PN}-common ${PN}-tools" +RDEPENDS:${PN}:class-native = "" + +inherit useradd update-rc.d + +INITSCRIPT_NAME = "dbus-1" +INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." + +python __anonymous() { + if not bb.utils.contains('DISTRO_FEATURES', 'sysvinit', True, False, d): + d.setVar("INHIBIT_UPDATERCD_BBCLASS", "1") +} + +PACKAGES =+ "${PN}-lib ${PN}-common ${PN}-tools" + +USERADD_PACKAGES = "dbus-common" +USERADD_PARAM:dbus-common = "--system --home ${localstatedir}/lib/dbus \ + --no-create-home --shell /bin/false \ + --user-group messagebus" + +CONFFILES:${PN} = "${sysconfdir}/dbus-1/system.conf ${sysconfdir}/dbus-1/session.conf" + +DEBIANNAME:${PN} = "dbus-1" + +OLDPKGNAME = "dbus-x11" +OLDPKGNAME:class-nativesdk = "" + +# for compatibility +RPROVIDES:${PN} = "${OLDPKGNAME}" +RREPLACES:${PN} += "${OLDPKGNAME}" + +FILES:${PN} = "${bindir}/dbus-daemon* \ + ${bindir}/dbus-cleanup-sockets \ + ${bindir}/dbus-launch \ + ${bindir}/dbus-run-session \ + ${libexecdir}/dbus* \ + ${sysconfdir} \ + ${localstatedir} \ + ${systemd_system_unitdir} \ + ${systemd_user_unitdir} \ + ${nonarch_libdir}/tmpfiles.d/dbus.conf \ +" +FILES:${PN}-common = "${sysconfdir}/dbus-1 \ + ${datadir}/dbus-1/services \ + ${datadir}/dbus-1/system-services \ + ${datadir}/dbus-1/session.d \ + ${datadir}/dbus-1/session.conf \ + ${datadir}/dbus-1/system.d \ + ${datadir}/dbus-1/system.conf \ + ${systemd_system_unitdir}/dbus.socket \ + ${systemd_system_unitdir}/sockets.target.wants \ + ${systemd_user_unitdir}/dbus.socket \ + ${systemd_user_unitdir}/sockets.target.wants \ + ${nonarch_libdir}/sysusers.d/dbus.conf \ +" +FILES:${PN}-tools = "${bindir}/dbus-uuidgen \ + ${bindir}/dbus-send \ + ${bindir}/dbus-monitor \ + ${bindir}/dbus-update-activation-environment \ +" +FILES:${PN}-lib = "${libdir}/lib*.so.*" +RRECOMMENDS:${PN}-lib = "${PN}" +FILES:${PN}-dev += "${libdir}/dbus-1.0/include ${bindir}/dbus-test-tool ${datadir}/xml/dbus-1" + +PACKAGE_WRITE_DEPS += "${@bb.utils.contains('DISTRO_FEATURES','systemd sysvinit','systemd-systemctl-native','',d)}" +pkg_postinst:dbus() { + # If both systemd and sysvinit are enabled, mask the dbus-1 init script + if ${@bb.utils.contains('DISTRO_FEATURES','systemd sysvinit','true','false',d)}; then + if [ -n "$D" ]; then + OPTS="--root=$D" + fi + systemctl $OPTS mask dbus-1.service + fi + + if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then + /etc/init.d/populate-volatile.sh update + fi +} + + +EXTRA_OECONF += "--disable-tests" + +do_install() { + autotools_do_install + + if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/init.d + sed 's:@bindir@:${bindir}:' < ${WORKDIR}/dbus-1.init >${WORKDIR}/dbus-1.init.sh + install -m 0755 ${WORKDIR}/dbus-1.init.sh ${D}${sysconfdir}/init.d/dbus-1 + install -d ${D}${sysconfdir}/default/volatiles + echo "d messagebus messagebus 0755 ${localstatedir}/run/dbus none" \ + > ${D}${sysconfdir}/default/volatiles/99_dbus + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + for i in dbus.target.wants sockets.target.wants multi-user.target.wants; do \ + install -d ${D}${systemd_system_unitdir}/$i; done + install -m 0644 ${B}/bus/dbus.service ${B}/bus/dbus.socket ${D}${systemd_system_unitdir}/ + ln -fs ../dbus.socket ${D}${systemd_system_unitdir}/dbus.target.wants/dbus.socket + ln -fs ../dbus.socket ${D}${systemd_system_unitdir}/sockets.target.wants/dbus.socket + ln -fs ../dbus.service ${D}${systemd_system_unitdir}/multi-user.target.wants/dbus.service + fi + + + mkdir -p ${D}${localstatedir}/lib/dbus + + chown messagebus:messagebus ${D}${localstatedir}/lib/dbus + + chown root:messagebus ${D}${libexecdir}/dbus-daemon-launch-helper + chmod 4755 ${D}${libexecdir}/dbus-daemon-launch-helper + + # Remove Red Hat initscript + rm -rf ${D}${sysconfdir}/rc.d + + # Remove empty testexec directory as we don't build tests + rm -rf ${D}${libdir}/dbus-1.0/test + + # Remove /var/run as it is created on startup + rm -rf ${D}${localstatedir}/run +} + +do_install:class-native() { + autotools_do_install + + # dbus-launch has no X support so lets not install it in case the host + # has a more featured and useful version + rm -f ${D}${bindir}/dbus-launch +} + +do_install:class-nativesdk() { + autotools_do_install + + # dbus-launch has no X support so lets not install it in case the host + # has a more featured and useful version + rm -f ${D}${bindir}/dbus-launch + + # Remove /var/run to avoid QA error + rm -rf ${D}${localstatedir}/run +} +BBCLASSEXTEND = "native nativesdk" + +INSANE_SKIP:${PN}-ptest += "build-deps" |