diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile.am | 20 | ||||
-rw-r--r-- | src/bus-proxyd/test-bus-policy.c | 165 | ||||
-rw-r--r-- | test/bus-policy/hello.conf | 14 | ||||
-rw-r--r-- | test/bus-policy/methods.conf | 15 | ||||
-rw-r--r-- | test/bus-policy/ownerships.conf | 24 | ||||
-rw-r--r-- | test/bus-policy/signals.conf | 15 |
7 files changed, 252 insertions, 2 deletions
diff --git a/.gitignore b/.gitignore index 288946029b..b78a4cb4e1 100644 --- a/.gitignore +++ b/.gitignore @@ -146,6 +146,7 @@ /test-bus-match /test-bus-memfd /test-bus-objects +/test-bus-policy /test-bus-server /test-bus-signature /test-bus-zero-copy diff --git a/Makefile.am b/Makefile.am index f80ffc6749..6b2ca29ce8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1342,7 +1342,8 @@ tests += \ test-async \ test-ratelimit \ test-condition-util \ - test-uid-range + test-uid-range \ + test-bus-policy EXTRA_DIST += \ test/a.service \ @@ -1374,7 +1375,12 @@ EXTRA_DIST += \ test/sysinit.target \ test/testsuite.target \ test/timers.target \ - test/unstoppable.service + test/unstoppable.service \ + test/bus-policy/hello.conf \ + test/bus-policy/methods.conf \ + test/bus-policy/ownerships.conf \ + test/bus-policy/signals.conf + EXTRA_DIST += \ src/test/test-helper.h @@ -1782,6 +1788,16 @@ test_conf_files_SOURCES = \ test_conf_files_LDADD = \ libsystemd-shared.la +test_bus_policy_SOURCES = \ + src/bus-proxyd/test-bus-policy.c \ + src/bus-proxyd/bus-policy.c \ + src/bus-proxyd/bus-policy.h + +test_bus_policy_LDADD = \ + libsystemd-capability.la \ + libsystemd-internal.la \ + libsystemd-shared.la + # ------------------------------------------------------------------------------ ## .PHONY so it always rebuilds it .PHONY: coverage lcov-run lcov-report coverage-sync diff --git a/src/bus-proxyd/test-bus-policy.c b/src/bus-proxyd/test-bus-policy.c new file mode 100644 index 0000000000..ed17bfe96e --- /dev/null +++ b/src/bus-proxyd/test-bus-policy.c @@ -0,0 +1,165 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +/*** + This file is part of systemd. + + Copyright 2014 Daniel Mack + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <sys/socket.h> +#include <sys/un.h> +#include <sys/types.h> +#include <fcntl.h> +#include <unistd.h> +#include <string.h> +#include <errno.h> +#include <sys/poll.h> +#include <stddef.h> +#include <getopt.h> + +#include "log.h" +#include "util.h" +#include "sd-bus.h" +#include "bus-internal.h" +#include "bus-message.h" +#include "bus-util.h" +#include "bus-internal.h" +#include "build.h" +#include "strv.h" +#include "def.h" +#include "capability.h" + +#include <bus-proxyd/bus-policy.h> + +static int make_name_request(sd_bus *bus, + const char *name, + sd_bus_message **ret) { + + int r; + sd_bus_message *m = NULL; + + r = sd_bus_message_new_method_call(bus, &m, "org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus", "RequestName"); + if (r < 0) + return r; + + r = sd_bus_message_append_basic(m, 's', name); + if (r < 0) + return r; + + m->sealed = 1; + sd_bus_message_rewind(m, true); + + *ret = m; + return 0; +} + +int main(int argc, char *argv[]) { + + Policy p = {}; + sd_bus_message *m; + struct ucred ucred = {}; + _cleanup_bus_close_unref_ sd_bus *bus = NULL;; + + assert_se(sd_bus_default_system(&bus) >= 0); + + /* Fake pid for policy checks */ + ucred.pid = 1; + + /* Ownership tests */ + assert_se(policy_load(&p, STRV_MAKE("test/bus-policy/ownerships.conf")) == 0); + + assert_se(make_name_request(bus, "org.test.test1", &m) == 0); + ucred.uid = 0; + assert_se(policy_check(&p, m, &ucred) == true); + ucred.uid = 1; + assert_se(policy_check(&p, m, &ucred) == true); + assert_se(sd_bus_message_unref(m) == 0); + + assert_se(make_name_request(bus, "org.test.test2", &m) == 0); + ucred.uid = 0; + assert_se(policy_check(&p, m, &ucred) == true); + ucred.uid = 1; + assert_se(policy_check(&p, m, &ucred) == false); + assert_se(sd_bus_message_unref(m) == 0); + + assert_se(make_name_request(bus, "org.test.test3", &m) == 0); + ucred.uid = 0; + assert_se(policy_check(&p, m, &ucred) == false); + ucred.uid = 1; + assert_se(policy_check(&p, m, &ucred) == false); + assert_se(sd_bus_message_unref(m) == 0); + + assert_se(make_name_request(bus, "org.test.test4", &m) == 0); + ucred.uid = 0; + assert_se(policy_check(&p, m, &ucred) == false); + ucred.uid = 1; + assert_se(policy_check(&p, m, &ucred) == true); + assert_se(sd_bus_message_unref(m) == 0); + + policy_free(&p); + + /* Signal test */ + assert_se(policy_load(&p, STRV_MAKE("test/bus-policy/signals.conf")) == 0); + + assert_se(sd_bus_message_new_signal(bus, &m, "/an/object/path", "bli.bla.blubb", "Name") == 0); + ucred.uid = 0; + assert_se(policy_check(&p, m, &ucred) == true); + + ucred.uid = 1; + assert_se(policy_check(&p, m, &ucred) == false); + assert_se(sd_bus_message_unref(m) == 0); + + policy_free(&p); + + /* Method calls */ + assert_se(policy_load(&p, STRV_MAKE("test/bus-policy/methods.conf")) == 0); + + ucred.uid = 0; + assert_se(sd_bus_message_new_method_call(bus, &m, "org.foo.bar", "/an/object/path", "bli.bla.blubb", "Member") == 0); + assert_se(policy_check(&p, m, &ucred) == false); + + assert_se(sd_bus_message_new_method_call(bus, &m, "org.test.test1", "/an/object/path", "bli.bla.blubb", "Member") == 0); + assert_se(policy_check(&p, m, &ucred) == false); + + bus->is_kernel = 1; + assert_se(sd_bus_message_new_method_call(bus, &m, "org.test.test1", "/an/object/path", "org.test.int1", "Member") == 0); + assert_se(policy_check(&p, m, &ucred) == true); + + assert_se(sd_bus_message_new_method_call(bus, &m, "org.test.test1", "/an/object/path", "org.test.int2", "Member") == 0); + assert_se(policy_check(&p, m, &ucred) == true); + + policy_free(&p); + + /* User and groups */ + assert_se(policy_load(&p, STRV_MAKE("test/bus-policy/hello.conf")) == 0); + assert_se(sd_bus_message_new_method_call(bus, &m, "org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus", "Hello") == 0); + policy_dump(&p); + + ucred.uid = 0; + assert_se(policy_check(&p, m, &ucred) == true); + + ucred.uid = 1; + assert_se(policy_check(&p, m, &ucred) == false); + + ucred.uid = 0; + ucred.gid = 1; + assert_se(policy_check(&p, m, &ucred) == false); + + policy_free(&p); + + + return EXIT_SUCCESS; +} diff --git a/test/bus-policy/hello.conf b/test/bus-policy/hello.conf new file mode 100644 index 0000000000..af09893de6 --- /dev/null +++ b/test/bus-policy/hello.conf @@ -0,0 +1,14 @@ +<?xml version="1.0"?> <!--*-nxml-*--> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<busconfig> + + <policy context="default"> + <allow user="*"/> + + <deny user="1"/> + <deny group="1"/> + </policy> + +</busconfig> diff --git a/test/bus-policy/methods.conf b/test/bus-policy/methods.conf new file mode 100644 index 0000000000..d6c28c71bc --- /dev/null +++ b/test/bus-policy/methods.conf @@ -0,0 +1,15 @@ +<?xml version="1.0"?> <!--*-nxml-*--> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<busconfig> + + <policy context="default"> + <deny send_type="method_call"/> + + <deny send_destination="org.test.test1"/> + <allow send_destination="org.test.test1" send_interface="org.test.int1"/> + <allow send_destination="org.test.test1" send_interface="org.test.int2"/> + </policy> + +</busconfig> diff --git a/test/bus-policy/ownerships.conf b/test/bus-policy/ownerships.conf new file mode 100644 index 0000000000..bc3a230a26 --- /dev/null +++ b/test/bus-policy/ownerships.conf @@ -0,0 +1,24 @@ +<?xml version="1.0"?> <!--*-nxml-*--> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<busconfig> + + <policy context="default"> + <allow own="org.test.test1"/> + </policy> + + <policy context="mandatory"> + <deny own="org.test.test3"/> + </policy> + + <policy user="root"> + <allow own="org.test.test2"/> + <allow own="org.test.test3"/> + </policy> + + <policy user="1"> + <allow own="org.test.test4"/> + </policy> + +</busconfig> diff --git a/test/bus-policy/signals.conf b/test/bus-policy/signals.conf new file mode 100644 index 0000000000..440e3fe6d0 --- /dev/null +++ b/test/bus-policy/signals.conf @@ -0,0 +1,15 @@ +<?xml version="1.0"?> <!--*-nxml-*--> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> + +<busconfig> + + <policy context="default"> + <allow send_type="signal"/> + </policy> + + <policy user="1"> + <deny send_type="signal"/> + </policy> + +</busconfig> |