From: Simon McVittie Date: Thu, 8 Jun 2017 13:44:05 +0000 (+0100) Subject: test/containers: Check that containers can't make new containers X-Git-Tag: dbus-1.13.0~57^2~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6537b583f64f294f9a9a54660c1ce4a64b4b2aa6;p=thirdparty%2Fdbus.git test/containers: Check that containers can't make new containers We should prevent containers from trying to put a container in our container so we can sandbox while we sandbox. The implementation doesn't actually have any concept of nesting or layering, so that would potentially be privilege escalation. At the moment, this is just prevented by METHOD_FLAG_PRIVILEGED. When we remove that flag (after we've introduced better resource limits), we can specifically restrict this method to not be called by containers instead. This test will make sure we do. Signed-off-by: Simon McVittie Reviewed-by: Philip Withnall Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
---
diff --git a/test/containers.c b/test/containers.c
index 9964dd1b6..4b4a944e6 100644
--- a/test/containers.c
+++ b/test/containers.c
@@ -792,6 +792,69 @@ test_invalid_type_name (Fixture *f,
 #endif /* !HAVE_CONTAINERS_TEST */
 }
+/*
+ * Assert that a request to create a container server cannot come from a
+ * connection to an existing container server.
+ * (You cannot put containers in your container so you can sandbox while
+ * you sandbox.)
+ */
+static void
+test_invalid_nesting (Fixture *f,
+ gconstpointer context)
+{
+#ifdef HAVE_CONTAINERS_TEST
+ GDBusProxy *nested_proxy;
+ GVariant *tuple;
+ GVariant *parameters;
+
+ if (f->skip)
+ return;
+
+ parameters = g_variant_new ("(ssa{sv}a{sv})",
+ "com.example.NotFlatpak",
+ "sample-app",
+ NULL, /* no metadata */
+ NULL); /* no named arguments */
+ if (!add_container_server (f, g_steal_pointer (¶meters)))
+ return;
+
+ g_test_message ("Connecting to %s...", f->socket_dbus_address);
+ f->confined_conn = g_dbus_connection_new_for_address_sync (
+ f->socket_dbus_address,
+ (G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION |
+ G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT),
+ NULL, NULL, &f->error);
+ g_assert_no_error (f->error);
+
+ g_test_message ("Checking that confined app cannot nest containers...");
+ nested_proxy = g_dbus_proxy_new_sync (f->confined_conn,
+ G_DBUS_PROXY_FLAGS_NONE, NULL,
+ DBUS_SERVICE_DBUS, DBUS_PATH_DBUS,
+ DBUS_INTERFACE_CONTAINERS1, NULL,
+ &f->error);
+ g_assert_no_error (f->error);
+
+ parameters = g_variant_new ("(ssa{sv}a{sv})",
+ "com.example.NotFlatpak",
+ "inner-app",
+ NULL, /* no metadata */
+ NULL); /* no named arguments */
+ tuple = g_dbus_proxy_call_sync (nested_proxy, "AddServer",
+ g_steal_pointer (¶meters),
+ G_DBUS_CALL_FLAGS_NONE,
+ -1, NULL, &f->error);
+
+ g_assert_error (f->error, G_DBUS_ERROR, G_DBUS_ERROR_ACCESS_DENIED);
+ g_assert_null (tuple);
+ g_clear_error (&f->error);
+
+ g_clear_object (&nested_proxy);
+
+#else /* !HAVE_CONTAINERS_TEST */
+ g_test_skip ("Containers or gio-unix-2.0 not supported");
+#endif /* !HAVE_CONTAINERS_TEST */
+}
+
 static void
 teardown (Fixture *f,
 gconstpointer context 
G_GNUC_UNUSED)
@@ -932,6 +995,8 @@ main (int argc,
 setup, test_unsupported_parameter, teardown);
 g_test_add ("/containers/invalid-type-name", Fixture, NULL,
 setup, test_invalid_type_name, teardown);
+ g_test_add ("/containers/invalid-nesting", Fixture, NULL,
+ setup, test_invalid_nesting, teardown);
 ret = g_test_run ();
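Review bot: The check `g_assert_error (f->error, G_DBUS_ERROR, G_DBUS_ERROR_ACCESS_DENIED);` at the end of test_invalid_nesting only pins the error code, and per the commit message that code is currently produced by the generic METHOD_FLAG_PRIVILEGED gate rather than by any container-specific rule, so the test cannot tell the two apart and would also be satisfied by an unrelated policy denial on the confined connection. Since this assertion is meant to be the guard that survives removal of the flag, it deserves a comment saying so, e.g. `/* Today this is refused only because AddServer is METHOD_FLAG_PRIVILEGED; once that flag is dropped, the bus must still refuse AddServer from a contained connection. */` placed above the g_assert_error line. The test also observes only the failed reply: if the bus ever created the inner server before returning an error, nothing here would notice, so if the Containers1 interface offers a way to enumerate or look up instances it would be worth asserting afterwards that no "inner-app" container exists (hedged — I cannot see the interface from this hunk). The hunk ends inside the signature of teardown, whose body continues outside the hunk.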