diff -pruN 1.12.20-2/debian/changelog 1.12.20-2ubuntu4/debian/changelog
--- 1.12.20-2/debian/changelog	2021-02-21 14:02:17.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/changelog	2022-04-01 17:02:54.000000000 +0000
@@ -1,3 +1,48 @@
+dbus (1.12.20-2ubuntu4) jammy; urgency=medium
+
+  * Prevent dbus from being restarted on upgrade (LP: #1962036)
+
+ -- Dave Jones <dave.jones@canonical.com>  Fri, 01 Apr 2022 18:02:54 +0100
+
+dbus (1.12.20-2ubuntu3) jammy; urgency=medium
+
+  * No-change rebuild to update maintainer scripts, see LP: 1959054
+
+ -- Dave Jones <dave.jones@canonical.com>  Wed, 16 Feb 2022 16:50:50 +0000
+
+dbus (1.12.20-2ubuntu2) impish; urgency=medium
+
+  * Rework d/p/ubuntu/dont-stop-dbus.patch to avoid a deadlock during boot
+    (LP: #1936948)
+
+ -- Lukas Märdian <slyon@ubuntu.com>  Thu, 09 Sep 2021 15:45:30 +0200
+
+dbus (1.12.20-2ubuntu1) impish; urgency=medium
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit.
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+    - Make autopkgtests cross-test-friendly.
+    - Rework ubuntu/dont-stop-dbus.patch to actually make dbus.service _and_
+      dbus.socket to not be part of the shutdown transaction. And yet make
+      it possible to still stop/kill/restart dbus.service if one really
+      wants to, because it is stuck and stopped responding to any
+      commands. This allows allows to restart dbus.service with
+      needrestart. However a finalrd hook might still be needed, to kill
+      dbus-daemon for good, once we pivot off rootfs.
+
+ -- Balint Reczey <rbalint@ubuntu.com>  Tue, 18 May 2021 10:59:54 +0200
+
 dbus (1.12.20-2) unstable; urgency=medium
 
   * Add Provides for the split binary packages added in experimental.
@@ -13,6 +58,43 @@ dbus (1.12.20-2) unstable; urgency=mediu
 
  -- Simon McVittie <smcv@debian.org>  Sun, 21 Feb 2021 14:02:17 +0000
 
+dbus (1.12.20-1ubuntu3) hirsute; urgency=medium
+
+  * Rework ubuntu/dont-stop-dbus.patch to actually make dbus.service _and_
+    dbus.socket to not be part of the shutdown transaction. And yet make
+    it possible to still stop/kill/restart dbus.service if one really
+    wants to, because it is stuck and stopped responding to any
+    commands. This allows allows to restart dbus.service with
+    needrestart. However a finalrd hook might still be needed, to kill
+    dbus-daemon for good, once we pivot off rootfs.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 26 Feb 2021 19:43:15 +0000
+
+dbus (1.12.20-1ubuntu2) hirsute; urgency=medium
+
+  * No-change rebuild to drop the udeb package.
+
+ -- Matthias Klose <doko@ubuntu.com>  Mon, 22 Feb 2021 10:30:40 +0100
+
+dbus (1.12.20-1ubuntu1) groovy; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit.
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+    - Make autopkgtests cross-test-friendly.
+
+ -- Iain Lane <iain.lane@canonical.com>  Thu, 10 Sep 2020 12:25:12 +0100
+
 dbus (1.12.20-1) unstable; urgency=medium
 
   [ Mark Hindley ]
@@ -27,6 +109,25 @@ dbus (1.12.20-1) unstable; urgency=mediu
 
  -- Simon McVittie <smcv@debian.org>  Thu, 02 Jul 2020 14:19:21 +0100
 
+dbus (1.12.18-1ubuntu1) groovy; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit.
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+    - Make autopkgtests cross-test-friendly.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 09 Jun 2020 13:55:57 -0700
+
 dbus (1.12.18-1) unstable; urgency=medium
 
   [ Simon McVittie ]
@@ -91,6 +192,33 @@ dbus (1.12.18-1) unstable; urgency=mediu
 
  -- Simon McVittie <smcv@debian.org>  Tue, 02 Jun 2020 19:48:04 +0100
 
+dbus (1.12.16-2ubuntu2) focal; urgency=medium
+
+  * Make autopkgtests cross-test-friendly.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 06 Dec 2019 21:22:40 -0800
+
+dbus (1.12.16-2ubuntu1) focal; urgency=medium
+
+  * Merge from Debian unstable. Remaining changes:
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit.
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+  * Removed patches included in new version:
+    - d/p/0001-auth-Reject-DBUS_COOKIE_SHA1-for-users-other-than-th.patch
+    - d/p/0002-test-Add-basic-test-coverage-for-DBUS_COOKIE_SHA1.patch
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 26 Nov 2019 12:58:43 -0500
+
 dbus (1.12.16-2) unstable; urgency=medium
 
   * Add bug number to previous changelog entry
@@ -124,6 +252,55 @@ dbus (1.12.16-1) unstable; urgency=mediu
 
  -- Simon McVittie <smcv@debian.org>  Sun, 09 Jun 2019 21:34:34 +0100
 
+dbus (1.12.14-1ubuntu2) eoan; urgency=medium
+
+  * SECURITY UPDATE: DBUS_COOKIE_SHA1 implementation flaw
+    - d/p/0001-auth-Reject-DBUS_COOKIE_SHA1-for-users-other-than-th.patch:
+      reject DBUS_COOKIE_SHA1 for users other than the server owner in
+      dbus/dbus-auth.c.
+    - d/p/0002-test-Add-basic-test-coverage-for-DBUS_COOKIE_SHA1.patch:
+      add basic test coverage for DBUS_COOKIE_SHA1 in
+      dbus/dbus-auth-script.c, dbus/dbus-sysdeps-util-unix.c,
+      dbus/dbus-sysdeps-util-win.c, dbus/dbus-sysdeps.h, test/Makefile.am,
+      test/data/auth/cookie-sha1-username.auth-script,
+      test/data/auth/cookie-sha1.auth-script.
+    - CVE-2019-12749
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 11 Jun 2019 13:04:53 -0400
+
+dbus (1.12.14-1ubuntu1) eoan; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit.
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 22 May 2019 16:41:21 -0700
+
+dbus (1.12.16-1) unstable; urgency=medium
+
+  * New upstream stable release
+    - CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
+      authentication for identities that differ from the user running the
+      DBusServer. Previously, a local attacker could manipulate symbolic
+      links in their own home directory to bypass authentication and
+      connect to a DBusServer with elevated privileges. The standard
+      system and session dbus-daemons in their default configuration were
+      immune to this attack because they did not allow DBUS_COOKIE_SHA1,
+      but third-party users of DBusServer such as Upstart could be
+      vulnerable. (Closes: #930375)
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 09 Jun 2019 21:34:34 +0100
+
 dbus (1.12.14-1) unstable; urgency=medium
 
   * New upstream release
@@ -137,6 +314,30 @@ dbus (1.12.14-1) unstable; urgency=mediu
 
  -- Simon McVittie <smcv@debian.org>  Sat, 18 May 2019 17:37:08 +0100
 
+dbus (1.12.12-1ubuntu1) disco; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit
+      (see patch header and upstream bug for details). Fixes various
+      causes of shutdown hangs, particularly with remote file systems.
+      (LP: #1438612) (LP: #1540282)
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+  * Dropped changes, superseded in Debian:
+    - debian/tests/root: don't set ulimit on containers, since the container
+      may be unprivileged and "root" may not be able to raise ulimits again.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 31 Jan 2019 17:47:44 -0800
+
 dbus (1.12.12-1) unstable; urgency=medium
 
   [ Ritesh Raj Sarraf ]
@@ -165,6 +366,37 @@ dbus (1.12.12-1) unstable; urgency=mediu
 
  -- Simon McVittie <smcv@debian.org>  Tue, 04 Dec 2018 15:58:18 +0000
 
+dbus (1.12.10-1ubuntu2) cosmic; urgency=medium
+
+  * debian/tests/root: don't set ulimit on containers, since the container
+    may be unprivileged and "root" may not be able to raise ulimits again.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 06 Sep 2018 03:56:07 +0000
+
+dbus (1.12.10-1ubuntu1) cosmic; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit
+      (see patch header and upstream bug for details). Fixes various
+      causes of shutdown hangs, particularly with remote file systems.
+      (LP: #1438612) (LP: #1540282)
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+  * Dropped changes, no longer needed:
+    - Clean up /etc/init/dbus.conf on upgrades. This needs to be kept until
+      after 18.04 LTS.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 31 Aug 2018 10:29:17 -0700
+
 dbus (1.12.10-1) unstable; urgency=medium
 
   * New upstream release
@@ -253,6 +485,29 @@ dbus (1.12.4-1) unstable; urgency=medium
 
  -- Simon McVittie <smcv@debian.org>  Thu, 08 Feb 2018 15:05:57 +0000
 
+dbus (1.12.2-1ubuntu1) bionic; urgency=medium
+
+  * Sync with Debian. Remaining changes:
+    - Clean up /etc/init/dbus.conf on upgrades. This needs to be kept until
+      after 18.04 LTS.
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit
+      (see patch header and upstream bug for details). Fixes various
+      causes of shutdown hangs, particularly with remote file systems.
+      (LP: #1438612) (LP: #1540282)
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Wed, 15 Nov 2017 17:22:22 -0500
+
 dbus (1.12.2-1) unstable; urgency=low
 
   * New upstream release 1.12.2
@@ -274,6 +529,29 @@ dbus (1.12.2-1) unstable; urgency=low
 
  -- Simon McVittie <smcv@debian.org>  Mon, 13 Nov 2017 15:36:08 +0000
 
+dbus (1.12.0-1ubuntu1) bionic; urgency=medium
+
+  * Sync with Debian. Remaining changes:
+    - Clean up /etc/init/dbus.conf on upgrades. This needs to be kept until
+      after 18.04 LTS.
+    - Add dont-stop-dbus.patch: Don't stop D-Bus in the service unit
+      (see patch header and upstream bug for details). Fixes various
+      causes of shutdown hangs, particularly with remote file systems.
+      (LP: #1438612) (LP: #1540282)
+    - debian/dbus.postinst, debian/rules: Don't start D-Bus on package
+      installation, as that doesn't work any more with dont-stop-dbus.patch.
+      Instead, start dbus.socket in postinst, which will then start D-Bus
+      on demand after package installation.
+    - Add aa-get-connection-apparmor-security-context.patch: This is not
+      intended for upstream inclusion. It implements a bus method
+      (GetConnectionAppArmorSecurityContext) to get a connection's AppArmor
+      security context but upstream D-Bus has recently added a generic way of
+      getting a connection's security credentials (GetConnectionCredentials).
+      Ubuntu should carry this patch until packages in the archive are moved
+      over to the new, generic method of getting a connection's credentials.
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Mon, 30 Oct 2017 19:25:39 -0400
+
 dbus (1.12.0-1) unstable; urgency=medium
 
   * New upstream stable release 1.12.0
@@ -2183,7 +2461,6 @@ dbus (1.1.1-2) UNRELEASED; urgency=low
 
  -- Michael Biebl <biebl@debian.org>  Wed, 27 Jun 2007 01:42:38 +0200
 
-
 dbus (1.1.1-1) unstable; urgency=low
 
   [ Michael Biebl ]
@@ -2493,8 +2770,6 @@ dbus (0.62-2) unstable; urgency=low
 
  -- Sjoerd Simons <sjoerd@debian.org>  Wed, 21 Jun 2006 10:47:00 +0200
 
-
-
 dbus (0.62-1) unstable; urgency=low
 
   * New upstream release
diff -pruN 1.12.20-2/debian/control 1.12.20-2ubuntu4/debian/control
--- 1.12.20-2/debian/control	2021-02-21 14:02:17.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/control	2021-09-09 13:28:02.000000000 +0000
@@ -1,7 +1,8 @@
 Source: dbus
 Section: admin
 Priority: optional
-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
 Uploaders:
  Sjoerd Simons <sjoerd@debian.org>,
  Sebastian Dröge <slomo@debian.org>,
diff -pruN 1.12.20-2/debian/dbus.postinst 1.12.20-2ubuntu4/debian/dbus.postinst
--- 1.12.20-2/debian/dbus.postinst	2021-02-21 14:02:17.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/dbus.postinst	2021-06-28 12:15:25.000000000 +0000
@@ -94,3 +94,8 @@ fi
 if [ "$1" = configure ] && [ -n "$2" ]; then
     reload_dbus_config
 fi
+
+# We don't start dbus.service in postinst, so ensure dbus.socket is running
+if [ "$1" = configure ] && [ -d /run/systemd/system ]; then
+    systemctl try-restart sockets.target || true
+fi
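Review bot: The added `systemctl try-restart sockets.target || true` discards every failure, so the package can finish configuring with dbus.socket not listening and nothing in the output to say so. `try-restart` also acts only when sockets.target is already active, which the comment above it ("ensure dbus.socket is running") does not mention. I would keep the step non-fatal but report it, e.g. `systemctl try-restart sockets.target || echo "dbus.postinst: could not restart sockets.target, dbus.socket may not be active" >&2`, and extend the comment to say why the target is restarted rather than dbus.socket itself. The script starts outside this hunk, so whether a daemon-reload has already run at this point is not visible here.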
diff -pruN 1.12.20-2/debian/gbp.conf 1.12.20-2ubuntu4/debian/gbp.conf
--- 1.12.20-2/debian/gbp.conf	2021-02-21 14:02:17.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/gbp.conf	2021-06-28 12:15:25.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
+debian-branch = ubuntu/bionic
 upstream-branch = upstream/1.12.x
 patch-numbers = False
diff -pruN 1.12.20-2/debian/.gitignore 1.12.20-2ubuntu4/debian/.gitignore
--- 1.12.20-2/debian/.gitignore	2021-02-21 14:02:17.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/.gitignore	1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-/*.debhelper
-/*.debhelper.log
-/*.substvars
-/.debhelper/
-/autoreconf.after
-/autoreconf.before
-/build-*/
-/dbus-1-dbg/
-/dbus-1-doc/
-/dbus-tests/
-/dbus-udeb/
-/dbus-user-session/
-/dbus-x11/
-/dbus/
-/debhelper-build-stamp
-/files
-/libdbus-1-3-udeb/
-/libdbus-1-3.symbols
-/libdbus-1-3/
-/libdbus-1-dev/
-/tmp-home/
-/tmp-udeb/
-/tmp/
diff -pruN 1.12.20-2/debian/patches/series 1.12.20-2ubuntu4/debian/patches/series
--- 1.12.20-2/debian/patches/series	2021-02-21 14:02:17.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/patches/series	2021-09-09 13:28:02.000000000 +0000
@@ -1,2 +1,4 @@
 debian/session.conf-system.conf-include-legacy-files-as-.dpkg-ba.patch
 debian/tests-Multiply-timeouts-by-20-on-riscv64.patch
+ubuntu/aa-get-connection-apparmor-security-context.patch
+ubuntu/dont-stop-dbus.patch
diff -pruN 1.12.20-2/debian/patches/ubuntu/aa-get-connection-apparmor-security-context.patch 1.12.20-2ubuntu4/debian/patches/ubuntu/aa-get-connection-apparmor-security-context.patch
--- 1.12.20-2/debian/patches/ubuntu/aa-get-connection-apparmor-security-context.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/patches/ubuntu/aa-get-connection-apparmor-security-context.patch	2021-06-28 12:15:25.000000000 +0000
@@ -0,0 +1,187 @@
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Fri, 15 Aug 2014 13:37:15 -0500
+Subject: Add DBus method to return the AA context of a connection
+
+Allows the AppArmor label that is attached to a D-Bus connection to be
+queried using the unique connection name.
+
+For example,
+$ dbus-send --print-reply --system --dest=org.freedesktop.DBus \
+   /org/freedesktop/DBus \
+   org.freedesktop.DBus.GetConnectionAppArmorSecurityContext string::1.4
+ method return sender=org.freedesktop.DBus -> dest=:1.50 reply_serial=2
+    string "/usr/sbin/cupsd"
+
+[Altered by Simon McVittie: survive non-UTF-8 contexts which
+would otherwise be a local denial of service, except that Ubuntu
+inherits a non-fatal warnings patch from Debian; new commit message
+taken from the Ubuntu changelog; do not emit unreachable code if
+AppArmor is disabled.]
+
+Forwarded: not-needed
+---
+ bus/apparmor.c       | 15 +++++++++
+ bus/apparmor.h       |  1 +
+ bus/driver.c         | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ dbus/dbus-protocol.h |  2 ++
+ 4 files changed, 108 insertions(+)
+
+diff --git a/bus/apparmor.c b/bus/apparmor.c
+index 985f5e9..2eba37b 100644
+--- a/bus/apparmor.c
++++ b/bus/apparmor.c
+@@ -502,6 +502,21 @@ bus_apparmor_enabled (void)
+ #endif
+ }
+ 
++const char*
++bus_apparmor_confinement_get_label (BusAppArmorConfinement *confinement)
++{
++#ifdef HAVE_APPARMOR
++  if (!apparmor_enabled)
++    return NULL;
++
++  _dbus_assert (confinement != NULL);
++
++  return confinement->label;
++#else
++  return NULL;
++#endif
++}
++
+ void
+ bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement)
+ {
+diff --git a/bus/apparmor.h b/bus/apparmor.h
+index ed465f7..b8146df 100644
+--- a/bus/apparmor.h
++++ b/bus/apparmor.h
+@@ -38,6 +38,7 @@ dbus_bool_t bus_apparmor_enabled (void);
+ 
+ void bus_apparmor_confinement_unref (BusAppArmorConfinement *confinement);
+ void bus_apparmor_confinement_ref (BusAppArmorConfinement *confinement);
++const char* bus_apparmor_confinement_get_label (BusAppArmorConfinement *confinement);
+ BusAppArmorConfinement* bus_apparmor_init_connection_confinement (DBusConnection *connection,
+                                                                   DBusError      *error);
+ 
+diff --git a/bus/driver.c b/bus/driver.c
+index cd0a714..d1669cb 100644
+--- a/bus/driver.c
++++ b/bus/driver.c
+@@ -2005,6 +2005,91 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+   return FALSE;
+ }
+ 
++static dbus_bool_t
++bus_driver_handle_get_connection_apparmor_security_context (DBusConnection *connection,
++                                                            BusTransaction *transaction,
++                                                            DBusMessage    *message,
++                                                            DBusError      *error)
++{
++  const char *service;
++  DBusString str;
++  BusRegistry *registry;
++  BusService *serv;
++  DBusConnection *primary_connection;
++  DBusMessage *reply;
++  BusAppArmorConfinement *confinement;
++  const char *label;
++
++  _DBUS_ASSERT_ERROR_IS_CLEAR (error);
++
++  registry = bus_connection_get_registry (connection);
++
++  service = NULL;
++  reply = NULL;
++  confinement = NULL;
++
++  if (! dbus_message_get_args (message, error, DBUS_TYPE_STRING, &service,
++                               DBUS_TYPE_INVALID))
++      goto failed;
++
++  _dbus_verbose ("asked for security context of connection %s\n", service);
++
++  _dbus_string_init_const (&str, service);
++  serv = bus_registry_lookup (registry, &str);
++  if (serv == NULL)
++    {
++      dbus_set_error (error,
++                      DBUS_ERROR_NAME_HAS_NO_OWNER,
++                      "Could not get security context of name '%s': no such name", service);
++      goto failed;
++    }
++
++  primary_connection = bus_service_get_primary_owners_connection (serv);
++
++  reply = dbus_message_new_method_return (message);
++  if (reply == NULL)
++    goto oom;
++
++  confinement = bus_connection_dup_apparmor_confinement (primary_connection);
++  label = bus_apparmor_confinement_get_label (confinement);
++
++  if (label == NULL)
++    {
++      dbus_set_error (error,
++                      DBUS_ERROR_APPARMOR_SECURITY_CONTEXT_UNKNOWN,
++                      "Could not determine security context for '%s'", service);
++      goto failed;
++    }
++
++  if (!dbus_validate_utf8 (label, error))
++    goto failed;
++
++  if (! dbus_message_append_args (reply,
++                                  DBUS_TYPE_STRING,
++                                  &label,
++                                  DBUS_TYPE_INVALID))
++    goto failed;
++
++  if (! bus_transaction_send_from_driver (transaction, connection, reply))
++    goto oom;
++
++  bus_apparmor_confinement_unref (confinement);
++  dbus_message_unref (reply);
++
++  return TRUE;
++
++ oom:
++  BUS_SET_OOM (error);
++
++ failed:
++  _DBUS_ASSERT_ERROR_IS_SET (error);
++  if (confinement)
++    bus_apparmor_confinement_unref (confinement);
++  if (reply)
++    dbus_message_unref (reply);
++  return FALSE;
++}
++
+ static dbus_bool_t
+ bus_driver_handle_reload_config (DBusConnection *connection,
+ 				 BusTransaction *transaction,
+@@ -2479,6 +2564,11 @@ static const MessageHandler dbus_message_handlers[] = {
+     DBUS_TYPE_ARRAY_AS_STRING DBUS_TYPE_BYTE_AS_STRING,
+     bus_driver_handle_get_connection_selinux_security_context,
+     METHOD_FLAG_ANY_PATH },
++  { "GetConnectionAppArmorSecurityContext",
++    DBUS_TYPE_STRING_AS_STRING,
++    DBUS_TYPE_STRING_AS_STRING,
++    bus_driver_handle_get_connection_apparmor_security_context,
++    METHOD_FLAG_ANY_PATH },
+   { "ReloadConfig",
+     "",
+     "",
+diff --git a/dbus/dbus-protocol.h b/dbus/dbus-protocol.h
+index 933c365..2b7fd23 100644
+--- a/dbus/dbus-protocol.h
++++ b/dbus/dbus-protocol.h
+@@ -444,6 +444,8 @@ extern "C" {
+ #define DBUS_ERROR_INVALID_FILE_CONTENT       "org.freedesktop.DBus.Error.InvalidFileContent"
+ /** Asked for SELinux security context and it wasn't available. */
+ #define DBUS_ERROR_SELINUX_SECURITY_CONTEXT_UNKNOWN    "org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown"
++/** Asked for AppArmor security context and it wasn't available. */
++#define DBUS_ERROR_APPARMOR_SECURITY_CONTEXT_UNKNOWN   "org.freedesktop.DBus.Error.AppArmorSecurityContextUnknown"
+ /** Asked for ADT audit data and it wasn't available. */
+ #define DBUS_ERROR_ADT_AUDIT_DATA_UNKNOWN     "org.freedesktop.DBus.Error.AdtAuditDataUnknown"
+ /** There's already an object with the requested object path. */
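Review bot: In `bus_driver_handle_get_connection_apparmor_security_context`, the `dbus_message_append_args` failure path does `goto failed`, but that call takes no `DBusError`, so `error` is still clear when `_DBUS_ASSERT_ERROR_IS_SET (error)` runs and the caller would get FALSE with no error set. It should be `goto oom;`, matching the `bus_transaction_send_from_driver` failure handled just below it. Separately, `bus_apparmor_confinement_get_label` relies on `_dbus_assert (confinement != NULL)` before reading `confinement->label`; if assertions are compiled out that is no guard, so `if (confinement == NULL) return NULL;` would be safer in a handler any bus client can call. Whether `bus_connection_dup_apparmor_confinement` can return NULL while AppArmor is enabled is not visible in this patch.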
diff -pruN 1.12.20-2/debian/patches/ubuntu/dont-stop-dbus.patch 1.12.20-2ubuntu4/debian/patches/ubuntu/dont-stop-dbus.patch
--- 1.12.20-2/debian/patches/ubuntu/dont-stop-dbus.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/patches/ubuntu/dont-stop-dbus.patch	2021-09-09 13:39:31.000000000 +0000
@@ -0,0 +1,100 @@
+From: Martin Pitt <martin.pitt@ubuntu.com>
+Date: Tue, 31 Mar 2015 18:46:06 +0200
+Subject: Don't stop D-Bus in the service unit
+
+D-Bus is getting stopped too early during shutdown, so that services on the bus
+are still running (and being shut down) after that. This leads to shutdown
+hangs due to remote file systems not getting unmounted as wpa_supplicant is
+already gone, or avahi or NetworkManager getting lots of errors because they
+get disconnected, etc.  As D-Bus does not keep its state between restarts,
+dbus.socket also does not help us.
+
+Also, stopping D-Bus in a running system isn't something which we ever
+supported; to the contrary, we patched several packages to avoid
+restarting/stopping D-Bus in postinsts, as stopping d-bus in a running system
+is shooting yourself into the foot (independent of which init system you use).
+Thus leaving D-Bus running until the bitter end should be fine, it doesn't have
+any file system things to do on shutdown. This also approximates the brave new
+kdbus world where d-bus is basically "always available".
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89847
+Bug-Ubuntu: https://launchpad.net/bugs/1438612
+
+26 Feb 2021 Updates from xnox
+
+Whilst the original patch was okish, it didn't actually work
+right. dbus.service had Requires dbus.socket, which in turn did not
+try refuse being stopped, thus socket was being stopped / going away
+whilst the dbus service is still running. Also that happened on
+shutdown. And sometimes dbus can hang and refuses to answer, in such
+cases it is best to let people be able to kill it and restart it. Plus
+with needrestart integration we kind of can restart dbus and some
+basic services to keep machine alive. So, to actually prevent dbus
+from being stopped on shutdown undo the previous incarnation of the
+patch and instead do this:
+
+Dependencies:
+* Add DefaultDependencies=no
+* Instead of Requires/After sysinit.target, add back Wants/After sysinit.target.
+* Add back After basic.target
+* Do not add back Conflicts/Before shutdown.target
+
+Do that for _both_ dbus.service and dbus.socket.
+
+dbus.service:
+* Drop the Killmode, ExecStop things
+* Make ExecStart be @/usr/bin/dbus-daemon @dbus-daemon .... thus it
+  will now be survie systemd-shutdown kill spree
+
+End result is that now one can use $ sudo
+/etc/needrestart/restart.d/dbus.service to restart dbus, and yet it is
+not part of the shutdown transactions.
+
+09 Sep 2021 Updates from slyon
+
+The previous update made it be not part of the shutdown transaction, but
+introduced a deadlock during bootup like this:
+
+  systemd[1]: basic.target: starting held back, waiting for: sockets.target
+  systemd[1]: dbus.socket: starting held back, waiting for: basic.target
+  systemd[1]: dbus.service: starting held back, waiting for: dbus.socket
+
+Therefore we need to remove the After=basic.target dependency of dbus.socket
+to break that dependency loop.
+
+---
+ bus/dbus.service.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: dbus-1.12.20/bus/dbus.service.in
+===================================================================
+--- dbus-1.12.20.orig/bus/dbus.service.in
++++ dbus-1.12.20/bus/dbus.service.in
+@@ -2,8 +2,12 @@
+ Description=D-Bus System Message Bus
+ Documentation=man:dbus-daemon(1)
+ Requires=dbus.socket
++# Do not stop on shutdown
++DefaultDependencies=no
++Wants=sysinit.target
++After=sysinit.target basic.target
+ 
+ [Service]
+-ExecStart=@EXPANDED_BINDIR@/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
++ExecStart=@@EXPANDED_BINDIR@/dbus-daemon @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
+ ExecReload=@EXPANDED_BINDIR@/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
+ OOMScoreAdjust=-900
+Index: dbus-1.12.20/bus/dbus.socket.in
+===================================================================
+--- dbus-1.12.20.orig/bus/dbus.socket.in
++++ dbus-1.12.20/bus/dbus.socket.in
+@@ -1,5 +1,9 @@
+ [Unit]
+ Description=D-Bus System Message Bus Socket
++# Do not stop on shutdown
++DefaultDependencies=no
++Wants=sysinit.target
++After=sysinit.target
+ 
+ [Socket]
+ ListenStream=@DBUS_SYSTEM_SOCKET@
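Review bot: The new `ExecStart=@@EXPANDED_BINDIR@/dbus-daemon @dbus-daemon …` line in the dbus.service.in hunk carries no comment in the unit file, and the `# Do not stop on shutdown` comment above `DefaultDependencies=no` does not cover it. After substitution the leading `@` makes systemd pass the next word as argv[0], and an argv[0] beginning with `@` is what exempts the process from systemd-shutdown's final kill pass; someone auditing the installed unit cannot tell that from the file alone. I would add `# argv[0] is "@dbus-daemon" so that systemd-shutdown's final kill pass skips it` above ExecStart. The patch's own diffstat (`bus/dbus.service.in | 4 ++++`, `1 file changed`) is also stale, since dbus.socket.in is modified as well.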
diff -pruN 1.12.20-2/debian/rules 1.12.20-2ubuntu4/debian/rules
--- 1.12.20-2/debian/rules	2021-02-21 14:02:17.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/rules	2022-04-01 17:02:54.000000000 +0000
@@ -256,11 +256,10 @@ endif
 override_dh_missing:
 	dh_missing $(dh_missing_options)
 
-# Yes, we do need both --no- options here. https://bugs.debian.org/837528
 override_dh_installinit:
-	dh_installinit -pdbus --no-stop-on-upgrade --no-restart-after-upgrade
+	dh_installinit -pdbus --no-start --no-stop-on-upgrade
 override_dh_installsystemd:
-	dh_installsystemd -pdbus --no-stop-on-upgrade --no-restart-after-upgrade
+	dh_installsystemd -pdbus --no-start --no-stop-on-upgrade
 
 override_dh_installdocs:
 	dh_installdocs --all AUTHORS NEWS README
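Review bot: The recipes for `override_dh_installinit` and `override_dh_installsystemd` lose their explanatory comment in this change, and nothing replaces it to say why `--no-start` is now paired with `--no-stop-on-upgrade`. Without that, a later merge from Debian could easily reintroduce a start or restart of the bus in the generated maintainer scripts. I would add above `override_dh_installinit:` a comment such as `# Never start, stop or restart dbus from maintainer scripts (LP: #1962036); dbus.postinst brings up dbus.socket via sockets.target instead.`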
diff -pruN 1.12.20-2/debian/tests/build 1.12.20-2ubuntu4/debian/tests/build
--- 1.12.20-2/debian/tests/build	2021-02-21 14:02:17.000000000 +0000
+++ 1.12.20-2ubuntu4/debian/tests/build	2021-09-09 13:28:02.000000000 +0000
@@ -10,6 +10,12 @@ fi
 
 cd "$AUTOPKGTEST_TMP"
 
+if [ -n "${DEB_HOST_GNU_TYPE:-}" ]; then
+    CROSS_COMPILE="$DEB_HOST_GNU_TYPE-"
+else
+    CROSS_COMPILE=
+fi
+
 echo "1..1"
 
 cat > connect.c <<'EOF'
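Review bot: The five-line `if`/`else` that sets `CROSS_COMPILE` can be a single parameter expansion, `CROSS_COMPILE="${DEB_HOST_GNU_TYPE:+$DEB_HOST_GNU_TYPE-}"`. It yields the same empty-or-prefixed value and stays safe if the script runs under `set -u`. A one-line comment such as `# Toolchain prefix for the host architecture when cross-testing` would also help, since the variable is only consumed further down, in the gcc and pkg-config call changed by the next hunk.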
@@ -40,7 +46,7 @@ EOF
 # We don't exercise static linking because libsystemd is not available
 # as a static library.
 
-gcc -o connect connect.c $(pkg-config --cflags --libs dbus-1)
+${CROSS_COMPILE}gcc -o connect connect.c $(${CROSS_COMPILE}pkg-config --cflags --libs dbus-1)
 test -x connect
 dbus-run-session -- ./connect
 echo "# everything seems OK"
