From e53857867d6ffb945aa02940b1564d73bfa3624d Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Thu, 8 Jun 2017 14:44:05 +0100
Subject: [PATCH] test/containers: Check that containers can't make new containers

We should prevent containers from trying to putting a container in our container so we can contain while we contain; the implementation doesn't actually have any concept of nesting or layering, so that would potentially be privilege escalation. At the moment, this is just prevented by METHOD_FLAG_PRIVILEGED. If we remove that flag when we've introduced better resource limits, then we can specifically restrict this method to not be called by containers instead: this test will make sure we do.

Signed-off-by: Simon McVittie
---
Use refactored add_container_server()
---
 test/containers.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/test/containers.c b/test/containers.c
index 4e8400ec..5279b63b 100644
--- a/test/containers.c
+++ b/test/containers.c
@@ -773,6 +773,66 @@ test_invalid_type_name (Fixture *f,
 }
 
 static void
+test_invalid_nesting (Fixture *f,
+ gconstpointer context)
+{
+#ifdef HAVE_CONTAINERS_TEST
+ GDBusProxy *nested_proxy;
+ GVariant *tuple;
+ GVariant *parameters;
+
+ if (f->skip)
+ return;
+
+ /* Floating reference, call_..._sync takes ownership */
+ parameters = g_variant_new ("(ssa{sv}a{sv})",
+ "com.example.NotFlatpak",
+ "sample-app",
+ NULL, /* no metadata */
+ NULL); /* no named arguments */
+
+ if (!add_container_server (f, parameters))
+ return;
+
+ g_test_message ("Connecting to %s...", f->socket_dbus_address);
+ f->confined_conn = g_dbus_connection_new_for_address_sync (
+ f->socket_dbus_address,
+ (G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION |
+ G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT),
+ NULL, NULL, &f->error);
+ g_assert_no_error (f->error);
+
+ g_test_message ("Checking that confined app cannot nest containers...");
+ nested_proxy = g_dbus_proxy_new_sync (f->confined_conn,
+ G_DBUS_PROXY_FLAGS_NONE, NULL,
+ DBUS_SERVICE_DBUS, DBUS_PATH_DBUS,
+ DBUS_INTERFACE_CONTAINERS1, NULL,
+ &f->error);
+ g_assert_no_error (f->error);
+
+ /* Floating reference, call_..._sync takes ownership */
+ parameters = g_variant_new ("(ssa{sv}a{sv})",
+ "com.example.NotFlatpak",
+ "inner-app",
+ NULL, /* no metadata */
+ NULL); /* no named arguments */
+
+ tuple = g_dbus_proxy_call_sync (nested_proxy, "AddContainerServer",
+ parameters, G_DBUS_CALL_FLAGS_NONE,
+ -1, NULL, &f->error);
+
+ g_assert_error (f->error, G_DBUS_ERROR, G_DBUS_ERROR_ACCESS_DENIED);
+ g_assert_null (tuple);
+ g_clear_error (&f->error);
+
+ g_clear_object (&nested_proxy);
+
+#else /* !HAVE_CONTAINERS_TEST */
+ g_test_skip ("Containers or gio-unix-2.0 not supported");
+#endif /* !HAVE_CONTAINERS_TEST */
+}
+
+static void
 teardown (Fixture *f,
 gconstpointer context G_GNUC_UNUSED)
 {
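Review bot: The ownership comment above the first `parameters` in test_invalid_nesting is copied from the call_sync case, but that variant is handed to `add_container_server()`, a test helper, so it should name who actually sinks the floating reference, e.g. `/* Floating reference, add_container_server() takes ownership */` — assuming that helper does sink it, since its body is outside this hunk. The denial is pinned only by the error code on the `AddContainerServer` reply, and the commit message says the current enforcement is METHOD_FLAG_PRIVILEGED rather than any nesting check; a comment at the `g_assert_error` line such as `/* Must stay denied even after the privileged flag is dropped: nesting is never allowed */` would keep that intent visible to whoever later relaxes the flag. `f->confined_conn` is opened in this hunk but not released here; presumably `teardown`, whose body starts at the end of the hunk and continues outside it, clears it.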
@@ -888,6 +948,8 @@ main (int argc,
 setup, test_unsupported_parameter, teardown);
 g_test_add ("/containers/invalid-type-name", Fixture, NULL,
 setup, test_invalid_type_name, teardown);
+ g_test_add ("/containers/invalid-nesting", Fixture, NULL,
+ setup, test_invalid_nesting, teardown);
 
 return g_test_run ();
 }
-- 
2.13.2