1. 09 Sep, 2020 2 commits
  2. 07 Sep, 2020 4 commits
  3. 08 Jul, 2020 2 commits
  4. 05 Jun, 2020 6 commits
    • Merge branch 'jb48869' into 'master' · f60c37e9
      ballock authored
      [firewall] Fix tests and special cases. JB#48869
      
      See merge request mer-core/connman!275
      f60c37e9
    • ballock's avatar
      b38f30f3
    • [unit] Add tests for iptables validator. JB#48869 · aeb7578d
      ballock authored
      This extends validator code coverage and also verifies that options do
      not accept empty strings as their parameters.
      
      Multiple -m matches are also tested.
      aeb7578d
    • [firewall] Fix iptables validator bugs. JB#48869 · 74c8d4d1
      ballock authored
      clean_match_option
      ------------------
      
      This example rule would fail, while being correct:
      -p tcp -m tcp ! --tcp-option 1 -m tcp ! --tcp-option 2 -j ACCEPT
      
      The reason is that tcp match has AF_UNSPEC instead of the particular
      AF_INET/AF_INET6 protocol specified in its requirements.
      
      Although it's possible to add a more complicated check (first to see
      if the match's family_dep is not UNSPEC, then if it equals the family),
      there's no need to, since we only execute cleanup when the match
      was already in the invoked_matches list, and it could have been there
      only if it meets the conditions of the match.
      
      Ergo: this check is unnecessary and harmful.
      
      is_valid_port_or_service_range
      ------------------------------
      
      tokens[i] will only be false at the end of the vector, not when the
      string is empty. Thus, this check does what the g_strv_length does.
      
      handle_ports
      ------------
      
      It turned out that the function allows an empty string ('') to be
      used as a correct value, which should not be allowed.
      
      As with the previous function, we can either use tokens[i] to
      indicate vector end or g_strv_length. However, since we need to verify
      that the split vector is empty, this form was chosen.
      74c8d4d1
    • [doc] Update firewall documentation. JB#48869 · 872ab71c
      ballock authored
      872ab71c
    • Merge branch 'wifi-dontcrash' into 'master' · 61934257
      Slava Monich authored
      Clear wifi_bss -> wifi_network pointers when wifi_network is being deleted
      
      See merge request mer-core/connman!277
      61934257
  5. 04 Jun, 2020 4 commits
    • [wifi] Clear wifi_bss -> wifi_network pointers on delete. JB#47990 · 15a3407d
      Slava Monich authored
      When WiFi is being turned off, wifi_network is getting deallocated before
      wifi_bss, causing crashes like this one:
      
         Invalid read of size 4
            at 0x3496E: wifi_network_update_strength (sailfish_wifi.c:1626)
            by 0x36A8D: wifi_device_bss_signal_changed (sailfish_wifi.c:2908)
            by 0x4CB06E7: _g_closure_invoke_va (gclosure.c)
            by 0x4CC3EF7: g_signal_emit_valist (gsignal.c)
            by 0x4CC42EB: g_signal_emit (gsignal.c)
            by 0x4B591F1: gsupplicant_bss_signal_property_change (gsupplicant_bss.c)
            ...
         Address 0x68b0038 is 8 bytes inside a block of size 100 free'd
            at 0x48432B0: free (vg_replace_malloc.c)
            by 0x34D75: wifi_network_delete (sailfish_wifi.c:1763)
            by 0x35321: wifi_device_delete_network (sailfish_wifi.c:2009)
            by 0x3538D: wifi_device_remove_all_networks_cb (sailfish_wifi.c:2036)
            by 0x4D434B3: g_slist_foreach (gslist.c)
            by 0x353BB: wifi_device_remove_all_networks (sailfish_wifi.c:2042)
            by 0x3895B: wifi_device_set_state (sailfish_wifi.c:3952)
            by 0x387D3: wifi_device_disable (sailfish_wifi.c:3883)
            by 0x39263: wifi_device_driver_disable (sailfish_wifi.c:4307)
            by 0x512AF: __connman_device_disable (device.c:265)
            by 0x8B3AB: technology_affect_devices (technology.c:742)
            by 0x8B835: technology_disable (technology.c:901)
            by 0x8BABF: set_powered (technology.c:1017)
            by 0x8BFA7: set_property (technology.c:1165)
            ...
      15a3407d
    • Merge branch 'jb48797' into 'master' · c4ac4802
      Jussi Laakkonen authored
      [openfortivpn] Implement VPN plugin for openfortivpn. JB#48797
      
      See merge request mer-core/connman!258
      c4ac4802
    • [openfortivpn] Implement VPN plugin for openfortivpn. JB#48797 · 2213c44e
      Alexey authored
      Co-authored-by: Jussi Laakkonen <jussi.laakkonen@jolla.com>
      
      This adds a new VPN plugin that uses openfortivpn binary to access
      FortiNet VPNs with the help of ppp. Code is based on existing L2TP and
      OpenConnect plugins. Plugin structure follows same approach as in L2TP
      plugin. Property management is similar to OpenConnect plugin.
      
      Additionally, via a patch in openfortivpn, --trust-all-certs is supported
      as a property to disable certificate signature checks. The following
      properties are supported so far, which are saved to the settings:
      
       Name                              Value                Option
       openfortivpn.AllowSelfSignedCert  string: true|false   --trust-all-certs
       openfortivpn.TrustedCert          string: fingerprint  --trusted-cert
       openfortivpn.Port                 string: digits
      
      By default, if Port is omitted, openfortivpn uses port 10433.
      Signed-off-by: Alexey Andreev <a.andreev@omprussia.ru>
      Signed-off-by: Jussi Laakkonen <jussi.laakkonen@jolla.com>
      2213c44e
    • vpn: Constify struct vpn_driver pointer · d4924a38
      Slava Monich authored
      There's no reason for it to be writable
      d4924a38
  6. 03 Jun, 2020 2 commits
  7. 29 May, 2020 10 commits
    • Merge branch 'jb49506' into 'master' · c56c3eec
      Jussi Laakkonen authored
      [connman] Add vpnd crash recovery functionality. Fixes JB#49506
      
      See merge request mer-core/connman!270
      c56c3eec
    • [unit] Improve storage tests for vpnd crash and request limit. JB#49506 · 0dc4cc02
      Jussi Laakkonen authored
      Use main loop iteration simulation for testing the timeout
      functionality. Add new tests for vpnd crashing alone, after and in
      between user change process.
      
      Implement some missing test cases to existing tests as well. Reorganize
      tests a bit.
      
      Add also fixes for most of the leaks and errors reported by valgrind.
      Still some oddities left. Most of the leaks seem to be from the
      g_test_run, though.
      0dc4cc02
    • [unit] Fix iptables, globalproxy, storage, systemd login tests. JB#49506 · 223e0f17
      Jussi Laakkonen authored
      Fix iptables unit test tool, globalproxy test and storage test after
      storage changes. Add notifier stubs for systemd login test.
      223e0f17
    • Jussi Laakkonen's avatar
    • [config] Register to storage notifications for config inotify. JB#49506 · 3ab96ef9
      Jussi Laakkonen authored
      Listen and react to user id changes in config.c. Add a notifier for the
      new user to listen for config changes. If the user id is different from
      the one connmand is running, add notifier to it and copy the storagedir
      of that user to be removed later on from inotify (shutdown or another
      user change).
      3ab96ef9
    • [systemd login] Register to storage notifications. JB#49506 · 6f98b9ba
      Jussi Laakkonen authored
      Register to storage notifications to receive uid changes. Set the uid
      always to login_data, if it exists.
      6f98b9ba
    • [connman] Add uid changed notifier use to storage callbacks. JB#49506 · 0befa35a
      Jussi Laakkonen authored
      Use __connman_notifier_storage_uid_changed() as storage uid_changed
      callback.
      0befa35a
    • [storage] Limit user change reqs, vpnd crash recovery with timeouts. JB#49506 · 2b930b9d
      Jussi Laakkonen authored
      1) Record D-Bus pending call to restrict one user change call to be made
      at a time. If there is a pending call report back EBUSY to differentiate
      that process from the EALREADY reported when user is already set as the
      one that is requested.
      
      2) Send current uid to vpnd if it restarts after crash. This is achieved
      by implementing a service watcher for vpnd that sets a bool for sending
      the current uid to vpnd when it comes back to keep connmand and vpnd
      synchronized. Removal detection is used to avoid sending the user change
      when services are starting.
      
      storage.c now also saves the current uid that was required for the vpnd
      synchronization. This allows for more robust error replies in case the
      uid is already set.
      
      Added uid changed callback and use of it in uid changes. In order to
      support both connmand and vpnd the notify functionality must be added as
      a callback. Vpnd does not use notify, nor it does to save the uid.
      
      When getting a reply from vpnd the uid in the request data may equal the
      current_uid in case when vpnd has crashed and connmand has sent a user
      change message after detecting vpnd to be back online. It is feasible to
      stop processing at that point to avoid additional unnecessary calls to
      be made.
      
      In error cases when returning to root user use geteuid() instead of 0 as
      uid.
      
      3) Add functionality for sending a delayed user change when a) there is
      already a pending user change waiting for a reply (timeout) b) a service
      or D-Bus related error is reported back. This enables better error
      tolerance and handling the potential crashes in between user change
      process.
      2b930b9d
    • [notifier] Add storage uid changed notify functionality. JB#49506 · c0ae879d
      Jussi Laakkonen authored
      Storage does need to inform about user id changes to other components
      using the user change functionality. This enables informing about the
      newly set uid.
      c0ae879d
    • Merge branch 'optimize_wifi' into 'master' · 2877561f
      Slava Monich authored
      Optimize WiFi
      
      See merge request mer-core/connman!273
      2877561f
  8. 28 May, 2020 10 commits