Bug 46882

Summary: Make per-connection bus names non-mandatory
Product: Telepathy Reporter: Mikhail Zabaluev <mikhail.zabaluev>
Component: tp-specAssignee: Telepathy bugs list <telepathy-bugs>
Status: RESOLVED WONTFIX QA Contact: Telepathy bugs list <telepathy-bugs>
Severity: normal    
Priority: medium    
Version: git master   
Hardware: All   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Mikhail Zabaluev 2012-03-02 02:18:39 UTC
In the current spec, each Connection object must get its own, dynamically composed, bus name.
This does not work well on a bus where arbitrary name ownership is prohibited by policy: while we can easily punch holes for connection manager names, the connection names are not known statically, and partial name matching is not currently supported by dbus-daemon policies. Citing dbus-daemon(1):

       Complex  globs  like  "foo.bar.*" aren't
       allowed for now because they'd be work to implement and maybe encourage
       sloppy security anyway.

Taking into account that all components that have been instantiating Connection objects to date also own ConnectionManager service names, the preferred way to enumerate Connection objects on the bus could be changed to listing ConnectionManager services and then enumerating Connection objects on these services. The requirement for a Connection to register its own bus name can be relaxed to "SHOULD (for backwards compatibility)". The implementation of TpBaseConnection in telepathy-glib can then be changed to treat the failed name ownership request as non-fatal (and get rid of one more complete bus roundtrip needed to initalize a connection).

I don't see how this change can impact session bus setups where name ownership is promiscuous (at least for the session user's connections). There are no backwards compatibility concerns for ownership-restricted bus configurations, because connection managers cannot currently work there.
Comment 1 Simon McVittie 2012-03-02 02:41:55 UTC
(In reply to comment #0)
> In the current spec, each Connection object must get its own, dynamically
> composed, bus name.

The original rationale for this was that it supports CMs implemented using a library that can only make one connection per process. On RequestConnection, such a CM could take a bus name for its Connection (perhaps with its process ID in the name), then drop its ConnectionManager name. When a second connection was requested, dbus-daemon would activate a new copy of the CM to handle the second RequestConnection call, and so on.

In practice we've never actually either done that, or wanted to do so...

The other purpose of the Connection bus names was to act as a mutex to avoid having two attempts to connect to the same account at the same time, but that proved to be more trouble than it was worth, so we now make the bus names unique (IIRC).

(In reply to comment #0)
> This does not work well on a bus where arbitrary name ownership is prohibited
> by policy: while we can easily punch holes for connection manager names, the
> connection names are not known statically, and partial name matching is not
> currently supported by dbus-daemon policies. Citing dbus-daemon(1):
> 
>        Complex  globs  like  "foo.bar.*" aren't
>        allowed for now because they'd be work to implement and maybe encourage
>        sloppy security anyway.

There's nothing to stop someone implementing

    <allow own_prefix="org.freedesktop.Telepathy.Connection.gabble"/>

as something the policy language can do. With my D-Bus maintainer hat on, I think that'd be a better way to represent this than supporting shell-style glob patterns.

I've seen others on #dbus wanting this functionality for the system bus: they want to restrict name ownership for all instances of a multiple-instance service.

> the preferred way to
> enumerate Connection objects on the bus could be changed to listing
> ConnectionManager services and then enumerating Connection objects on these
> services. The requirement for a Connection to register its own bus name can be
> relaxed to "SHOULD (for backwards compatibility)".

That would be a possibility. It breaks the original use-case for connections working like this (not that that's necessarily a problem, given that we've never implemented it).

> The implementation of
> TpBaseConnection in telepathy-glib can then be changed to treat the failed name
> ownership request as non-fatal (and get rid of one more complete bus roundtrip
> needed to initalize a connection).

TpBaseConnectionManager would have to keep a global registry of Connections by object path (or use more modern libdbus API, try_register), to avoid trying to register two connections at the same object path and crashing itself; at the moment the bus name acts as a mutex, preventing this.
Comment 2 Mikhail Zabaluev 2012-03-02 03:36:37 UTC
(In reply to comment #1)
> The original rationale for this was that it supports CMs implemented using a
> library that can only make one connection per process. On RequestConnection,
> such a CM could take a bus name for its Connection (perhaps with its process ID
> in the name), then drop its ConnectionManager name.

I suspected something like that. But that either presents a race condition, or requires all clients to gracefully handle a "can't do it now, try again later" error for RequestConnection. So this doesn't seem like it can work reliably with current client software.

> There's nothing to stop someone implementing
> 
>     <allow own_prefix="org.freedesktop.Telepathy.Connection.gabble"/>
> 
> as something the policy language can do. With my D-Bus maintainer hat on, I
> think that'd be a better way to represent this than supporting shell-style glob
> patterns.

That would be great, and perhaps bring more good to the universe than tweaking Telepathy would do.

> TpBaseConnectionManager would have to keep a global registry of Connections by
> object path (or use more modern libdbus API, try_register), to avoid trying to
> register two connections at the same object path and crashing itself;

In practice, object paths are now randomized too, right?

> at the moment the bus name acts as a mutex, preventing this.

Well, then it's an expensive socket-served mutex for purely local state, so it can hardly be the primary purpose.
Comment 3 Simon McVittie 2012-03-02 03:55:46 UTC
(In reply to comment #2)
> In practice, object paths are now randomized too, right?

They correspond 1:1 to the bus names, so, yes.

> > at the moment the bus name acts as a mutex, preventing this.
> 
> Well, then it's an expensive socket-served mutex for purely local state, so it
> can hardly be the primary purpose.

Right, this is not their primary purpose, just making use of a side-effect; if we lose the bus names, we'd have to find a different (probably purely local) solution for object path uniqueness.

Another property provided by the bus names is that they guarantee that connections' object paths are unique within the session (because uniqueness of bus names is enforced by the dbus-daemon, and the object paths correspond 1:1 to bus names). This lets you refer to a connection by its object path only, knowing that that's enough to refer to it uniquely and find its bus name (for instance, Account.Connection relies on this).

To drop the Connection bus names we'd have to have another way to find the bus name, probably by requiring that the Connection /o/fd/T/Connection/foo/bar/baz owns the well-known name "o.fd.T.ConnectionManager.foo".
Comment 4 Mikhail Zabaluev 2012-03-02 04:13:28 UTC
Thanks for the explanation; this looks like a bigger can of worms than adding a feature to dbus-daemon (filed as bug #46886).

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.