Disable the Containers interface
We've had a request for a 1.14.x stable-branch, but the Containers interface is only partially implemented, not yet described in the D-Bus Specification, and not ready to be part of our API guarantees. Signed-off-by: Simon McVittie <smcv@collabora.com>
This commit is contained in:
parent
67f1a01f7b
commit
9d60676ae0
|
@ -138,7 +138,6 @@ endif()
|
|||
option(DBUS_DISABLE_ASSERT "Disable assertion checking" OFF)
|
||||
|
||||
option(DBUS_ENABLE_STATS "enable bus daemon usage statistics" OFF)
|
||||
option(DBUS_ENABLE_CONTAINERS "enable restricted servers for app-containers" OFF)
|
||||
option(ENABLE_TRADITIONAL_ACTIVATION "Enable traditional activation (without using systemd)" ON)
|
||||
|
||||
if(DBUS_LINUX)
|
||||
|
|
|
@ -149,9 +149,6 @@ ENABLE_QT_HELP:STRING=AUTO
|
|||
// enable bus daemon usage statistics
|
||||
DBUS_ENABLE_STATS:BOOL=OFF
|
||||
|
||||
// enable restricted servers for app containers
|
||||
DBUS_ENABLE_CONTAINERS:BOOL=OFF
|
||||
|
||||
// build with systemd at_console support
|
||||
ENABLE_SYSTEMD:STRING=AUTO
|
||||
|
||||
|
|
|
@ -27,6 +27,8 @@
|
|||
|
||||
#ifdef DBUS_ENABLE_CONTAINERS
|
||||
|
||||
#error This feature is not ready for production use
|
||||
|
||||
#ifndef DBUS_UNIX
|
||||
# error DBUS_ENABLE_CONTAINERS requires DBUS_UNIX
|
||||
#endif
|
||||
|
|
|
@ -1975,7 +1975,9 @@ bus_driver_fill_connection_credentials (DBusCredentials *credentials,
|
|||
dbus_pid_t pid = DBUS_PID_UNSET;
|
||||
const char *windows_sid = NULL;
|
||||
const char *linux_security_label = NULL;
|
||||
#ifdef DBUS_ENABLE_CONTAINERS
|
||||
const char *path;
|
||||
#endif
|
||||
|
||||
if (credentials == NULL && conn != NULL)
|
||||
credentials = _dbus_connection_get_credentials (conn);
|
||||
|
@ -2030,6 +2032,7 @@ bus_driver_fill_connection_credentials (DBusCredentials *credentials,
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
#ifdef DBUS_ENABLE_CONTAINERS
|
||||
/* This has to come from the connection, not the credentials */
|
||||
if (conn != NULL &&
|
||||
bus_containers_connection_is_contained (conn, &path, NULL, NULL))
|
||||
|
@ -2039,6 +2042,7 @@ bus_driver_fill_connection_credentials (DBusCredentials *credentials,
|
|||
path))
|
||||
return FALSE;
|
||||
}
|
||||
#endif
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
|
|
@ -76,11 +76,5 @@
|
|||
<limit name="max_names_per_connection">50000</limit>
|
||||
<limit name="max_match_rules_per_connection">50000</limit>
|
||||
<limit name="max_replies_per_connection">50000</limit>
|
||||
<limit name="max_containers">10000</limit>
|
||||
<limit name="max_containers_per_user">10000</limit>
|
||||
<limit name="max_container_metadata_bytes">1000000000</limit>
|
||||
<!-- This is relatively low so that app-containers (which we do not fully
|
||||
trust) do not cause DoS. -->
|
||||
<limit name="max_connections_per_container">16</limit>
|
||||
|
||||
</busconfig>
|
||||
|
|
|
@ -126,10 +126,6 @@
|
|||
<!-- <limit name="max_names_per_connection">512</limit> -->
|
||||
<!-- <limit name="max_match_rules_per_connection">512</limit> -->
|
||||
<!-- <limit name="max_replies_per_connection">128</limit> -->
|
||||
<!-- <limit name="max_containers">512</limit> -->
|
||||
<!-- <limit name="max_containers_per_user">16</limit> -->
|
||||
<!-- <limit name="max_container_metadata_bytes">4096</limit> -->
|
||||
<!-- <limit name="max_connections_per_container">8</limit> -->
|
||||
|
||||
<!-- Config files are placed here that among other things, punch
|
||||
holes in the above policy for specific services. -->
|
||||
|
|
|
@ -38,7 +38,6 @@
|
|||
#cmakedefine DBUS_RUNSTATEDIR "@DBUS_RUNSTATEDIR@"
|
||||
|
||||
#cmakedefine DBUS_ENABLE_STATS
|
||||
#cmakedefine DBUS_ENABLE_CONTAINERS
|
||||
#cmakedefine ENABLE_TRADITIONAL_ACTIVATION
|
||||
|
||||
#define TEST_LISTEN "@TEST_LISTEN@"
|
||||
|
|
11
configure.ac
11
configure.ac
|
@ -1710,16 +1710,6 @@ AC_ARG_ENABLE([user-session],
|
|||
AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION],
|
||||
[test "x$enable_user_session" = xyes])
|
||||
|
||||
AC_ARG_ENABLE([containers],
|
||||
[AS_HELP_STRING([--enable-containers],
|
||||
[enable restricted servers for app containers])],
|
||||
[], [enable_containers=no])
|
||||
AS_IF([test "x$enable_containers" = xyes && test "x$dbus_unix" != xyes],
|
||||
[AC_MSG_ERROR([Restricted servers for app containers require Unix])])
|
||||
AS_IF([test "x$enable_containers" = xyes],
|
||||
[AC_DEFINE([DBUS_ENABLE_CONTAINERS], [1],
|
||||
[Define to enable restricted servers for app containers])])
|
||||
|
||||
AC_CONFIG_FILES([
|
||||
Doxyfile
|
||||
dbus/Version
|
||||
|
@ -1801,7 +1791,6 @@ echo "
|
|||
Building assertions: ${enable_asserts}
|
||||
Building checks: ${enable_checks}
|
||||
Building bus stats API: ${enable_stats}
|
||||
Building container API: ${enable_containers}
|
||||
Building SELinux support: ${have_selinux}
|
||||
Building AppArmor support: ${have_apparmor}
|
||||
Building inotify support: ${have_inotify}
|
||||
|
|
|
@ -86,8 +86,6 @@ typedef enum
|
|||
*/
|
||||
/** The interface exported by the object with #DBUS_SERVICE_DBUS and #DBUS_PATH_DBUS */
|
||||
#define DBUS_INTERFACE_DBUS "org.freedesktop.DBus"
|
||||
/** The restricted container interface exported by the dbus-daemon */
|
||||
#define DBUS_INTERFACE_CONTAINERS1 "org.freedesktop.DBus.Containers1"
|
||||
/** The monitoring interface exported by the dbus-daemon */
|
||||
#define DBUS_INTERFACE_MONITORING "org.freedesktop.DBus.Monitoring"
|
||||
|
||||
|
|
|
@ -840,14 +840,6 @@ Available limit names are:</para>
|
|||
(number of calls-in-progress)
|
||||
"reply_timeout" : milliseconds (thousandths)
|
||||
until a method call times out
|
||||
"max_containers" : max number of restricted servers for use
|
||||
in app-containers, in total
|
||||
"max_containers_per_user" : max number of app-containers per Unix uid
|
||||
"max_container_metadata_bytes": max number of bytes of metadata to store
|
||||
for each app-container
|
||||
"max_connections_per_container": max number of (authenticated or
|
||||
unauthenticated) connections to each
|
||||
app-container
|
||||
</literallayout> <!-- .fi -->
|
||||
|
||||
|
||||
|
|
|
@ -46,6 +46,8 @@
|
|||
|
||||
#include "test-utils-glib.h"
|
||||
|
||||
#define DBUS_INTERFACE_CONTAINERS1 "org.freedesktop.DBus.Containers1"
|
||||
|
||||
typedef struct {
|
||||
TestMainContext *ctx;
|
||||
gboolean skip;
|
||||
|
|
|
@ -13,9 +13,4 @@
|
|||
<!-- Allow anyone to own anything -->
|
||||
<allow own="*"/>
|
||||
</policy>
|
||||
|
||||
<limit name="max_containers">5</limit>
|
||||
<limit name="max_containers_per_user">3</limit>
|
||||
<limit name="max_container_metadata_bytes">4096</limit>
|
||||
<limit name="max_connections_per_container">3</limit>
|
||||
</busconfig>
|
||||
|
|
|
@ -57,11 +57,4 @@
|
|||
<limit name="max_names_per_connection">50000</limit>
|
||||
<limit name="max_match_rules_per_connection">50000</limit>
|
||||
<limit name="max_replies_per_connection">50000</limit>
|
||||
<limit name="max_containers">10000</limit>
|
||||
<limit name="max_containers_per_user">10000</limit>
|
||||
<limit name="max_container_metadata_bytes">1000000000</limit>
|
||||
<!-- This is relatively low so that app-containers (which we do not fully
|
||||
trust) do not cause DoS. -->
|
||||
<limit name="max_connections_per_container">16</limit>
|
||||
|
||||
</busconfig>
|
||||
|
|
|
@ -636,10 +636,6 @@ test_creds (Fixture *f,
|
|||
g_assert_not_reached ();
|
||||
#endif
|
||||
}
|
||||
else if (g_str_has_prefix (name, DBUS_INTERFACE_CONTAINERS1 "."))
|
||||
{
|
||||
g_assert_not_reached ();
|
||||
}
|
||||
|
||||
dbus_message_iter_next (&arr_iter);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue