From ab62747e5174c2dd4fabec75f0beb25b4bab5bcb Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Dec 10 2008 19:41:23 +0000
Subject: - Add back working syslog patch
---
diff --git a/dbus-1.2.8-syslog.patch b/dbus-1.2.8-syslog.patch
new file mode 100644
index 0000000..7ba6116
--- /dev/null
+++ b/dbus-1.2.8-syslog.patch
@@ -0,0 +1,190 @@ +From cde84d96106bd005a98d064fe392301ba1f87743 Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Wed, 10 Dec 2008 14:17:02 -0500 +Subject: [PATCH] Add syslog of security denials and configuration file reloads + +We need to start logging denials so that they become more easily trackable +and debuggable. +--- + bus/bus.c | 41 +++++++++++++++++++++++++++++++---------- + bus/main.c | 1 + + dbus/dbus-sysdeps-unix.c | 1 - + dbus/dbus-sysdeps-util-unix.c | 38 ++++++++++++++++++++++++++++++++++++++ + dbus/dbus-sysdeps.h | 3 +++ + 5 files changed, 73 insertions(+), 11 deletions(-) + +diff --git a/bus/bus.c b/bus/bus.c +index 42cc295..8d7879a 100644 +--- a/bus/bus.c ++++ b/bus/bus.c +@@ -834,6 +834,7 @@ bus_context_reload_config (BusContext *context, + } + ret = TRUE; + ++ _dbus_log_info ("Reloaded configuration\n"); + failed: + if (parser != NULL) + bus_config_parser_unref (parser); +@@ -1315,13 +1316,13 @@ bus_context_check_security_policy (BusContext *context, + message)) + { + const char *dest; ++ const char *msg = "A security policy in place prevents this sender " ++ "from sending this message to this recipient, " ++ "see message bus configuration file (rejected message " ++ "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\")"; + + dest = dbus_message_get_destination (message); +- dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, +- "A security policy in place prevents this sender " +- "from sending this message to this recipient, " +- "see message bus configuration file (rejected message " +- "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\")", ++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, + dbus_message_get_interface (message) ? + dbus_message_get_interface (message) : "(unset)", + dbus_message_get_member (message) ? +@@ -1329,6 +1330,15 @@ bus_context_check_security_policy (BusContext *context, + dbus_message_get_error_name (message) ? 
+ dbus_message_get_error_name (message) : "(unset)", + dest ? dest : DBUS_SERVICE_DBUS); ++ /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ ++ _dbus_log_security (msg, ++ dbus_message_get_interface (message) ? ++ dbus_message_get_interface (message) : "(unset)", ++ dbus_message_get_member (message) ? ++ dbus_message_get_member (message) : "(unset)", ++ dbus_message_get_error_name (message) ? ++ dbus_message_get_error_name (message) : "(unset)", ++ dest ? dest : DBUS_SERVICE_DBUS); + _dbus_verbose ("security policy disallowing message due to sender policy\n"); + return FALSE; + } +@@ -1341,14 +1351,14 @@ bus_context_check_security_policy (BusContext *context, + addressed_recipient, proposed_recipient, + message)) + { ++ const char *msg = "A security policy in place prevents this recipient " ++ "from receiving this message from this sender, " ++ "see message bus configuration file (rejected message " ++ "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\" reply serial %u requested_reply=%d)"; + const char *dest; + + dest = dbus_message_get_destination (message); +- dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, +- "A security policy in place prevents this recipient " +- "from receiving this message from this sender, " +- "see message bus configuration file (rejected message " +- "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\" reply serial %u requested_reply=%d)", ++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg, + dbus_message_get_interface (message) ? + dbus_message_get_interface (message) : "(unset)", + dbus_message_get_member (message) ? +@@ -1358,6 +1368,17 @@ bus_context_check_security_policy (BusContext *context, + dest ? 
dest : DBUS_SERVICE_DBUS, + dbus_message_get_reply_serial (message), + requested_reply); ++ /* Needs to be duplicated to avoid calling malloc and having to handle OOM */ ++ _dbus_log_security (error, DBUS_ERROR_ACCESS_DENIED, msg, ++ dbus_message_get_interface (message) ? ++ dbus_message_get_interface (message) : "(unset)", ++ dbus_message_get_member (message) ? ++ dbus_message_get_member (message) : "(unset)", ++ dbus_message_get_error_name (message) ? ++ dbus_message_get_error_name (message) : "(unset)", ++ dest ? dest : DBUS_SERVICE_DBUS, ++ dbus_message_get_reply_serial (message), ++ requested_reply); + _dbus_verbose ("security policy disallowing message due to recipient policy\n"); + return FALSE; + } +diff --git a/bus/main.c b/bus/main.c +index 51538fe..23ebb3e 100644 +--- a/bus/main.c ++++ b/bus/main.c +@@ -178,6 +178,7 @@ handle_reload_watch (DBusWatch *watch, + dbus_error_has_name (&error, DBUS_ERROR_NO_MEMORY)); + _dbus_warn ("Unable to reload configuration: %s\n", + error.message); ++ _dbus_log_info ("Unable to reload configuration: %s\n", error.message); + dbus_error_free (&error); + } + return TRUE; +diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c +index fb40d5a..01516a1 100644 +--- a/dbus/dbus-sysdeps-unix.c ++++ b/dbus/dbus-sysdeps-unix.c +@@ -2786,7 +2786,6 @@ _dbus_full_duplex_pipe (int *fd1, + #endif + } + +- + /** + * Measure the length of the given format string and arguments, + * not including the terminating nul. +diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c +index d8718c2..0b0badd 100644 +--- a/dbus/dbus-sysdeps-util-unix.c ++++ b/dbus/dbus-sysdeps-util-unix.c +@@ -456,6 +456,44 @@ _dbus_change_to_daemon_user (const char *user, + return FALSE; + } + ++/** ++ * Log an informative message. Intended for use primarily by ++ * the system bus. ++ * ++ * @param msg a printf-style format string ++ * @param args arguments for the format string ++ */ ++void ++_dbus_log_info (const char *msg, ...) 
++{ ++ va_list args; ++ ++ va_start (args, msg); ++ ++ vsyslog (LOG_DAEMON|LOG_NOTICE, msg, args); ++ ++ va_end (args); ++} ++ ++/** ++ * Log a security-related message. Intended for use primarily by ++ * the system bus. ++ * ++ * @param msg a printf-style format string ++ * @param args arguments for the format string ++ */ ++void ++_dbus_log_security (const char *msg, ...) ++{ ++ va_list args; ++ ++ va_start (args, msg); ++ ++ vsyslog (LOG_AUTH|LOG_NOTICE, msg, args); ++ ++ va_end (args); ++} ++ + /** Installs a UNIX signal handler + * + * @param sig the signal to handle +diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h +index 469b5e5..1a67d0c 100644 +--- a/dbus/dbus-sysdeps.h ++++ b/dbus/dbus-sysdeps.h +@@ -421,6 +421,9 @@ void _dbus_set_signal_handler (int sig, + dbus_bool_t _dbus_user_at_console (const char *username, + DBusError *error); + ++void _dbus_log_info (const char *msg, ...); ++void _dbus_log_security (const char *msg, ...); ++ + /* Define DBUS_VA_COPY() to do the right thing for copying va_list variables. + * config.h may have already defined DBUS_VA_COPY as va_copy or __va_copy. + */ +-- +1.6.0.4 + diff --git a/dbus.spec b/dbus.spec index 55242dd..acd4f08 100644 --- a/dbus.spec +++ b/dbus.spec @@ -8,7 +8,7 @@ Summary: D-BUS message bus Name: dbus Version: 1.2.8 -Release: 2%{?dist} +Release: 3%{?dist} URL: http://www.freedesktop.org/software/dbus/ Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz Source1: doxygen_to_devhelp.xsl @@ -40,6 +40,7 @@ Conflicts: cups < 1:1.1.20-4 Patch0: start-early.patch Patch1: dbus-1.0.1-generate-xml-docs.patch Patch6: dbus-1.2.1-increase-timeout.patch +Patch7: dbus-1.2.8-syslog.patch %description D-BUS is a system for sending messages between applications. It is @@ -94,6 +95,7 @@ in this separate package so server systems need not install X. %patch0 -p1 -b .start-early %patch1 -p1 -b .generate-xml-docs %patch6 -p1 -b .increase-timeout +%patch7 -p1 -b .syslog autoreconf -f -i 
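Review bot: In the recipient-policy branch of bus_context_check_security_policy (bus/bus.c), the added call `_dbus_log_security (error, DBUS_ERROR_ACCESS_DENIED, msg,` passes the `DBusError *` where the function's `const char *msg` format is expected, so vsyslog would read the error object as a format string while the real format and its arguments shift into the varargs; the sender-policy branch calls it correctly. The call should begin `_dbus_log_security (msg,` with the remaining arguments unchanged. Declaring both prototypes in dbus-sysdeps.h with a printf format attribute, e.g. `void _dbus_log_security (const char *msg, ...) __attribute__((format(printf, 1, 2)));`, would let the compiler check format and argument agreement at every call site. Each denial now writes a LOG_AUTH entry built from fields of the rejected message and no rate limit is visible in this patch, so it is worth confirming that a client repeatedly sending denied messages cannot flood the log.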
@@ -225,6 +227,9 @@ fi %{_includedir}/* %changelog +* Wed Dec 10 2008 Colin Walters - 1.2.8-3 +- Add back working syslog patch + * Tue Dec 09 2008 Colin Walters - 1.2.8-2 - Remove accidentally added syslog patch