[PATCH 3/3] activation: optionally, use systemd for system bus activation

Colin Walters walters at verbum.org
Fri Jul 9 06:19:27 PDT 2010


On Thu, Jul 8, 2010 at 8:56 PM, Lennart Poettering <mzqohf at 0pointer.de> wrote:
>
> I have now investigated this. The function the code above is from is
> called after the policy checks are done (the way it should be), and
> hence I see no problem here, as long as the policy is correctly
> written. The other messages the bus processes are protected only by
> policy logic too, and so this should be the same here.

The distinction is that this message is a signal, and the current
policy we ship has:
    <allow send_type="signal"/>

Basically the semantics you *want* here are
dbus_message_had_owner_at_send_time (message,
"org.freedesktop.systemd1").  But the bus doesn't give you that
information in the message, and the policy language doesn't allow you
to do this kind of filtering.  You have to implement this at a
"binding" layer by carefully watching NameOwnerChanged.

Now, maybe it's okay to say inside the bus, dbus_message_has_owner_now
(message, "org.freedesktop.systemd1"), but I'm kind of uncomfortable
with that because it's very TOCTTOU like[1], and I wouldn't want
bindings to start doing it, especially because they (unlike the bus)
would need to synchronously round-trip to the bus to ask.

> BTW, What happened to the MAYBE patches and the unix fd criticism?

I still really don't like how unix fds work but...in my mind if
there's some disagreement hp's word here should rule, and he wasn't
opposed to DBUS_TYPE_UNIX_FD, so I'll defer to that.

> I am
> currently in a mood that I could roll another D-Bus release with the
> autospawning merged (including possibly launchd) and a whitespace
> cleanup.

Remember whitespace should happen after other patches as we discussed.

[1] http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use
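The "binding layer" approach described above (track NameOwnerChanged so a signal can be attributed to whoever owned org.freedesktop.systemd1 when it was delivered, instead of asking the bus afterwards) as an added example; this is not part of the message or of the D-Bus code base. The Message class and the stream of messages are constructed stand-ins for libdbus objects and bus traffic; the only D-Bus facts it relies on are that the bus fills in the sender field itself, that NameOwnerChanged and the GetNameOwner reply come from org.freedesktop.DBus, and that a connection receives messages in order.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

BUS_NAME = "org.freedesktop.DBus"      # the bus daemon's own name; only the bus can send as this
TRACKED = "org.freedesktop.systemd1"   # well-known name discussed in the thread


@dataclass(frozen=True)
class Message:
    """Minimal stand-in for a D-Bus message (constructed for this example)."""
    type: str          # "signal" or "method_return"
    sender: str        # unique name like ":1.5", or BUS_NAME for bus-originated messages
    interface: str = ""
    member: str = ""   # for a method_return we record the replied-to method name here
    args: tuple = ()


class NameOwnerTracker:
    """Tracks which unique connection currently owns a well-known name.

    Intended usage: add a match rule for NameOwnerChanged first, then call
    GetNameOwner once to seed the state. Because the bus delivers messages to
    a connection in order, every NameOwnerChanged that arrives before a given
    signal already reflects ownership at the moment that signal was queued
    for us, so classifying the signal needs no synchronous round-trip and has
    no time-of-check/time-of-use window.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.owner: Optional[str] = None

    def consume(self, msg: Message) -> bool:
        """Update state from bus-originated messages; True if msg was consumed."""
        if msg.sender != BUS_NAME:
            return False  # the bus rewrites sender, so a peer cannot forge these
        if (msg.type == "signal" and msg.interface == BUS_NAME
                and msg.member == "NameOwnerChanged"):
            name, _old, new = msg.args
            if name == self.name:
                self.owner = new or None  # empty new owner means the name was released
            return True
        if msg.type == "method_return" and msg.member == "GetNameOwner":
            (self.owner,) = msg.args
            return True
        return False

    def is_from_owner(self, msg: Message) -> bool:
        """True iff msg.sender owned self.name when msg was delivered to us."""
        return self.owner is not None and msg.sender == self.owner


def classify(stream: List[Message]) -> List[Tuple[str, str, bool]]:
    """Run a message stream through the tracker.

    Returns (member, sender, accepted) for every signal not consumed as bus
    bookkeeping; accepted means the sender owned TRACKED at delivery time.
    """
    tracker = NameOwnerTracker(TRACKED)
    result = []
    for msg in stream:
        if tracker.consume(msg):
            continue
        if msg.type == "signal":
            result.append((msg.member, msg.sender, tracker.is_from_owner(msg)))
    return result


MGR = "org.freedesktop.systemd1.Manager"
# Constructed traffic: the real owner is :1.5, a second peer :1.9 emits the same
# signal (allowed by <allow send_type="signal"/>), then ownership moves and is dropped.
SAMPLE_STREAM = [
    Message("method_return", BUS_NAME, member="GetNameOwner", args=(":1.5",)),
    Message("signal", ":1.5", MGR, "UnitNew"),
    Message("signal", ":1.9", MGR, "UnitNew"),
    # a peer trying to announce itself as owner: sender is its unique name, not the bus
    Message("signal", ":1.9", BUS_NAME, "NameOwnerChanged", (TRACKED, ":1.5", ":1.9")),
    Message("signal", BUS_NAME, BUS_NAME, "NameOwnerChanged", (TRACKED, ":1.5", ":1.9")),
    Message("signal", ":1.9", MGR, "UnitNew"),
    Message("signal", ":1.5", MGR, "UnitNew"),
    Message("signal", BUS_NAME, BUS_NAME, "NameOwnerChanged", (TRACKED, ":1.9", "")),
    Message("signal", ":1.9", MGR, "UnitNew"),
]

if __name__ == "__main__":
    for member, sender, ok in classify(SAMPLE_STREAM):
        print(f"{member:16} from {sender:5} -> {'accept' if ok else 'reject'}")
```

The two checks that carry the weight are the sender comparison against BUS_NAME before trusting NameOwnerChanged, and comparing a signal's sender to the tracked unique name rather than to the well-known name; everything else is ordering, which the bus guarantees per connection.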