From 9998d80214d6a883e5a39fe0edd5a557138eb012 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 8 Jun 2017 14:44:05 +0100 Subject: [PATCH 34/49] test/containers: Check that containers can't make new containers We should prevent containers from trying to putting a container in our container so we can contain while we contain; the implementation doesn't actually have any concept of nesting or layering, so that would potentially be privilege escalation. At the moment, this is just prevented by METHOD_FLAG_PRIVILEGED. If we remove that flag when we've introduced better resource limits, then we can specifically restrict this method to not be called by containers instead: this test will make sure we do. Signed-off-by: Simon McVittie --- test/containers.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/test/containers.c b/test/containers.c index 09504bca..866da479 100644 --- a/test/containers.c +++ b/test/containers.c @@ -646,6 +646,80 @@ test_invalid_type_name (Fixture *f, } static void +test_invalid_nesting (Fixture *f, + gconstpointer context) +{ +#ifdef HAVE_CONTAINERS_TEST + GDBusProxy *nested_proxy; + GVariant *tuple; + GVariant *parameters; + + if (f->skip) + return; + + f->proxy = g_dbus_proxy_new_sync (f->unconfined_conn, + G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES, + NULL, DBUS_SERVICE_DBUS, + DBUS_PATH_DBUS, DBUS_INTERFACE_CONTAINERS1, + NULL, &f->error); + g_assert_no_error (f->error); + + /* Floating reference, call_..._sync takes ownership */ + parameters = g_variant_new ("(ssa{sv}a{sv})", + "com.example.NotFlatpak", + "sample-app", + NULL, /* no metadata */ + NULL); /* no named arguments */ + + g_test_message ("Calling AddContainerServer..."); + tuple = g_dbus_proxy_call_sync (f->proxy, "AddContainerServer", parameters, + G_DBUS_CALL_FLAGS_NONE, -1, NULL, &f->error); + + g_assert_no_error (f->error); + g_assert_nonnull (tuple); + g_assert_cmpstr (g_variant_get_type_string (tuple), ==, "(oays)"); + g_variant_get (tuple, "(o^ays)", NULL, NULL, &f->socket_dbus_address); + g_clear_pointer (&tuple, g_variant_unref); + + g_test_message ("Connecting to %s...", f->socket_dbus_address); + f->confined_conn = g_dbus_connection_new_for_address_sync ( + f->socket_dbus_address, + (G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION | + G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT), + NULL, NULL, &f->error); + g_assert_no_error (f->error); + + g_test_message ("Checking that confined app cannot nest containers..."); + nested_proxy = g_dbus_proxy_new_sync (f->confined_conn, + G_DBUS_PROXY_FLAGS_NONE, NULL, + DBUS_SERVICE_DBUS, DBUS_PATH_DBUS, + DBUS_INTERFACE_CONTAINERS1, NULL, + &f->error); + g_assert_no_error (f->error); + + /* Floating reference, call_..._sync takes ownership */ + parameters = g_variant_new ("(ssa{sv}a{sv})", + "com.example.NotFlatpak", + "inner-app", + NULL, /* no metadata */ + NULL); /* no named arguments */ + + tuple = g_dbus_proxy_call_sync (nested_proxy, "AddContainerServer", + parameters, G_DBUS_CALL_FLAGS_NONE, + -1, NULL, &f->error); + + g_assert_error (f->error, G_DBUS_ERROR, G_DBUS_ERROR_ACCESS_DENIED); + g_assert_null (tuple); + g_clear_error (&f->error); + + g_clear_object (&nested_proxy); + +#else /* !HAVE_CONTAINERS_TEST */ + g_test_skip ("Containers or gio-unix-2.0 not supported"); +#endif /* !HAVE_CONTAINERS_TEST */ +} + +static void teardown (Fixture *f, gconstpointer context G_GNUC_UNUSED) { @@ -747,6 +821,8 @@ main (int argc, setup, test_unsupported_parameter, teardown); g_test_add ("/containers/invalid-type-name", Fixture, NULL, setup, test_invalid_type_name, teardown); + g_test_add ("/containers/invalid-nesting", Fixture, NULL, + setup, test_invalid_nesting, teardown); return g_test_run (); } -- 2.11.0