- Add back working syslog patch

2008-12-10 19:41:23 +00:00 · 2008-12-10 19:41:23 +00:00 · ab62747e51
commit ab62747e51
parent 69ee509654
2 changed files with 196 additions and 1 deletions
--- a/dbus-1.2.8-syslog.patch
+++ b/dbus-1.2.8-syslog.patch
@ -0,0 +1,190 @@
 From cde84d96106bd005a98d064fe392301ba1f87743 Mon Sep 17 00:00:00 2001
 From: Colin Walters <walters@verbum.org>
 Date: Wed, 10 Dec 2008 14:17:02 -0500
 Subject: [PATCH] Add syslog of security denials and configuration file reloads
 We need to start logging denials so that they become more easily trackable
 and debuggable.
 ---
 bus/bus.c                     |   41 +++++++++++++++++++++++++++++++----------
 bus/main.c                    |    1 +
 dbus/dbus-sysdeps-unix.c      |    1 -
 dbus/dbus-sysdeps-util-unix.c |   38 ++++++++++++++++++++++++++++++++++++++
 dbus/dbus-sysdeps.h           |    3 +++
 5 files changed, 73 insertions(+), 11 deletions(-)
 diff --git a/bus/bus.c b/bus/bus.c
 index 42cc295..8d7879a 100644
 --- a/bus/bus.c
 +++ b/bus/bus.c
@@ -834,6 +834,7 @@ bus_context_reload_config (BusContext *context,
     }
   ret = TRUE;
 +  _dbus_log_info ("Reloaded configuration\n");
  failed:  
   if (parser != NULL)
     bus_config_parser_unref (parser);
@@ -1315,13 +1316,13 @@ bus_context_check_security_policy (BusContext     *context,
                                          message))
     {
       const char *dest;
 +      const char *msg = "A security policy in place prevents this sender "
 +                        "from sending this message to this recipient, "
 +                        "see message bus configuration file (rejected message "
 +                        "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\")";
       dest = dbus_message_get_destination (message);
 -      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
 -                      "A security policy in place prevents this sender "
 -                      "from sending this message to this recipient, "
 -                      "see message bus configuration file (rejected message "
 -                      "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\")",
 +      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       dbus_message_get_interface (message) ?
                       dbus_message_get_interface (message) : "(unset)",
                       dbus_message_get_member (message) ?
@@ -1329,6 +1330,15 @@ bus_context_check_security_policy (BusContext     *context,
                       dbus_message_get_error_name (message) ?
                       dbus_message_get_error_name (message) : "(unset)",
                       dest ? dest : DBUS_SERVICE_DBUS);
 +      /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
 +      _dbus_log_security (msg,
 +                          dbus_message_get_interface (message) ?
 +                          dbus_message_get_interface (message) : "(unset)",
 +                          dbus_message_get_member (message) ?
 +                          dbus_message_get_member (message) : "(unset)",
 +                          dbus_message_get_error_name (message) ?
 +                          dbus_message_get_error_name (message) : "(unset)",
 +                          dest ? dest : DBUS_SERVICE_DBUS);
       _dbus_verbose ("security policy disallowing message due to sender policy\n");
       return FALSE;
     }
@@ -1341,14 +1351,14 @@ bus_context_check_security_policy (BusContext     *context,
                                             addressed_recipient, proposed_recipient,
                                             message))
     {
 +      const char *msg = "A security policy in place prevents this recipient "
 +                        "from receiving this message from this sender, "
 +                        "see message bus configuration file (rejected message "
 +                        "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\" reply serial %u requested_reply=%d)";
       const char *dest;
       dest = dbus_message_get_destination (message);
 -      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
 -                      "A security policy in place prevents this recipient "
 -                      "from receiving this message from this sender, "
 -                      "see message bus configuration file (rejected message "
 -                      "had interface \"%s\" member \"%s\" error name \"%s\" destination \"%s\" reply serial %u requested_reply=%d)",
 +      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, msg,
                       dbus_message_get_interface (message) ?
                       dbus_message_get_interface (message) : "(unset)",
                       dbus_message_get_member (message) ?
@@ -1358,6 +1368,17 @@ bus_context_check_security_policy (BusContext     *context,
                       dest ? dest : DBUS_SERVICE_DBUS,
                       dbus_message_get_reply_serial (message),
                       requested_reply);
 +      /* Needs to be duplicated to avoid calling malloc and having to handle OOM */
 +      _dbus_log_security (error, DBUS_ERROR_ACCESS_DENIED, msg,
 +                          dbus_message_get_interface (message) ?
 +                          dbus_message_get_interface (message) : "(unset)",
 +                          dbus_message_get_member (message) ?
 +                          dbus_message_get_member (message) : "(unset)",
 +                          dbus_message_get_error_name (message) ?
 +                          dbus_message_get_error_name (message) : "(unset)",
 +                          dest ? dest : DBUS_SERVICE_DBUS,
 +                          dbus_message_get_reply_serial (message),
 +                          requested_reply);
       _dbus_verbose ("security policy disallowing message due to recipient policy\n");
       return FALSE;
     }
 diff --git a/bus/main.c b/bus/main.c
 index 51538fe..23ebb3e 100644
 --- a/bus/main.c
 +++ b/bus/main.c
@@ -178,6 +178,7 @@ handle_reload_watch (DBusWatch    *watch,
 		    dbus_error_has_name (&error, DBUS_ERROR_NO_MEMORY));
       _dbus_warn ("Unable to reload configuration: %s\n",
 		  error.message);
 +      _dbus_log_info ("Unable to reload configuration: %s\n", error.message);
       dbus_error_free (&error);
     }
   return TRUE;
 diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
 index fb40d5a..01516a1 100644
 --- a/dbus/dbus-sysdeps-unix.c
 +++ b/dbus/dbus-sysdeps-unix.c
@@ -2786,7 +2786,6 @@ _dbus_full_duplex_pipe (int        *fd1,
 #endif
 }
 -
 /**
  * Measure the length of the given format string and arguments,
  * not including the terminating nul.
 diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c
 index d8718c2..0b0badd 100644
 --- a/dbus/dbus-sysdeps-util-unix.c
 +++ b/dbus/dbus-sysdeps-util-unix.c
@@ -456,6 +456,44 @@ _dbus_change_to_daemon_user  (const char    *user,
  return FALSE;
 }
 +/**
 + * Log an informative message.  Intended for use primarily by
 + * the system bus.
 + *
 + * @param msg a printf-style format string
 + * @param args arguments for the format string
 + */
 +void 
 +_dbus_log_info (const char *msg, ...)
 +{
 +  va_list args;
 +
 +  va_start (args, msg);
 +
 +  vsyslog (LOG_DAEMON|LOG_NOTICE, msg, args);
 + 
 +  va_end (args);
 +}
 +
 +/**
 + * Log a security-related message.  Intended for use primarily by
 + * the system bus.
 + *
 + * @param msg a printf-style format string
 + * @param args arguments for the format string
 + */
 +void 
 +_dbus_log_security (const char *msg, ...)
 +{
 +  va_list args;
 +
 +  va_start (args, msg);
 +
 +  vsyslog (LOG_AUTH|LOG_NOTICE, msg, args);
 + 
 +  va_end (args);
 +}
 +
 /** Installs a UNIX signal handler
  *
  * @param sig the signal to handle
 diff --git a/dbus/dbus-sysdeps.h b/dbus/dbus-sysdeps.h
 index 469b5e5..1a67d0c 100644
 --- a/dbus/dbus-sysdeps.h
 +++ b/dbus/dbus-sysdeps.h
@@ -421,6 +421,9 @@ void _dbus_set_signal_handler (int               sig,
 dbus_bool_t _dbus_user_at_console (const char *username,
                                    DBusError  *error);
 +void _dbus_log_info (const char *msg, ...);
 +void _dbus_log_security (const char *msg, ...);
 +
 /* Define DBUS_VA_COPY() to do the right thing for copying va_list variables. 
  * config.h may have already defined DBUS_VA_COPY as va_copy or __va_copy. 
  */
 -- 
 1.6.0.4
--- a/dbus.spec
+++ b/dbus.spec
@ -8,7 +8,7 @@
 Summary: D-BUS message bus
 Name: dbus
 Version: 1.2.8
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: http://www.freedesktop.org/software/dbus/
 Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
 Source1: doxygen_to_devhelp.xsl
@ -40,6 +40,7 @@ Conflicts: cups < 1:1.1.20-4
 Patch0: start-early.patch
 Patch1: dbus-1.0.1-generate-xml-docs.patch
 Patch6: dbus-1.2.1-increase-timeout.patch
 Patch7: dbus-1.2.8-syslog.patch
 %description
 D-BUS is a system for sending messages between applications. It is
@ -94,6 +95,7 @@ in this separate package so server systems need not install X.
 %patch0 -p1 -b .start-early
 %patch1 -p1 -b .generate-xml-docs
 %patch6 -p1 -b .increase-timeout
 %patch7 -p1 -b .syslog
 autoreconf -f -i
@ -225,6 +227,9 @@ fi
 %{_includedir}/*
 %changelog
 * Wed Dec 10 2008 Colin Walters <walters@redhat.com> - 1.2.8-3
 - Add back working syslog patch
 * Tue Dec 09 2008 Colin Walters <walters@redhat.com> - 1.2.8-2
 - Remove accidentally added syslog patch