summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore1
-rw-r--r--Makefile.am20
-rw-r--r--src/bus-proxyd/test-bus-policy.c165
-rw-r--r--test/bus-policy/hello.conf14
-rw-r--r--test/bus-policy/methods.conf15
-rw-r--r--test/bus-policy/ownerships.conf24
-rw-r--r--test/bus-policy/signals.conf15
7 files changed, 252 insertions, 2 deletions
diff --git a/.gitignore b/.gitignore
index 288946029b..b78a4cb4e1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -146,6 +146,7 @@
/test-bus-match
/test-bus-memfd
/test-bus-objects
+/test-bus-policy
/test-bus-server
/test-bus-signature
/test-bus-zero-copy
diff --git a/Makefile.am b/Makefile.am
index f80ffc6749..6b2ca29ce8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1342,7 +1342,8 @@ tests += \
test-async \
test-ratelimit \
test-condition-util \
- test-uid-range
+ test-uid-range \
+ test-bus-policy
EXTRA_DIST += \
test/a.service \
@@ -1374,7 +1375,12 @@ EXTRA_DIST += \
test/sysinit.target \
test/testsuite.target \
test/timers.target \
- test/unstoppable.service
+ test/unstoppable.service \
+ test/bus-policy/hello.conf \
+ test/bus-policy/methods.conf \
+ test/bus-policy/ownerships.conf \
+ test/bus-policy/signals.conf
+
EXTRA_DIST += \
src/test/test-helper.h
@@ -1782,6 +1788,16 @@ test_conf_files_SOURCES = \
test_conf_files_LDADD = \
libsystemd-shared.la
+test_bus_policy_SOURCES = \
+ src/bus-proxyd/test-bus-policy.c \
+ src/bus-proxyd/bus-policy.c \
+ src/bus-proxyd/bus-policy.h
+
+test_bus_policy_LDADD = \
+ libsystemd-capability.la \
+ libsystemd-internal.la \
+ libsystemd-shared.la
+
# ------------------------------------------------------------------------------
## .PHONY so it always rebuilds it
.PHONY: coverage lcov-run lcov-report coverage-sync
diff --git a/src/bus-proxyd/test-bus-policy.c b/src/bus-proxyd/test-bus-policy.c
new file mode 100644
index 0000000000..ed17bfe96e
--- /dev/null
+++ b/src/bus-proxyd/test-bus-policy.c
@@ -0,0 +1,165 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2014 Daniel Mack
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/poll.h>
+#include <stddef.h>
+#include <getopt.h>
+
+#include "log.h"
+#include "util.h"
+#include "sd-bus.h"
+#include "bus-internal.h"
+#include "bus-message.h"
+#include "bus-util.h"
+#include "bus-internal.h"
+#include "build.h"
+#include "strv.h"
+#include "def.h"
+#include "capability.h"
+
+#include <bus-proxyd/bus-policy.h>
+
+static int make_name_request(sd_bus *bus,
+ const char *name,
+ sd_bus_message **ret) {
+
+ int r;
+ sd_bus_message *m = NULL;
+
+ r = sd_bus_message_new_method_call(bus, &m, "org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus", "RequestName");
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_append_basic(m, 's', name);
+ if (r < 0)
+ return r;
+
+ m->sealed = 1;
+ sd_bus_message_rewind(m, true);
+
+ *ret = m;
+ return 0;
+}
+
+int main(int argc, char *argv[]) {
+
+ Policy p = {};
+ sd_bus_message *m;
+ struct ucred ucred = {};
+ _cleanup_bus_close_unref_ sd_bus *bus = NULL;;
+
+ assert_se(sd_bus_default_system(&bus) >= 0);
+
+ /* Fake pid for policy checks */
+ ucred.pid = 1;
+
+ /* Ownership tests */
+ assert_se(policy_load(&p, STRV_MAKE("test/bus-policy/ownerships.conf")) == 0);
+
+ assert_se(make_name_request(bus, "org.test.test1", &m) == 0);
+ ucred.uid = 0;
+ assert_se(policy_check(&p, m, &ucred) == true);
+ ucred.uid = 1;
+ assert_se(policy_check(&p, m, &ucred) == true);
+ assert_se(sd_bus_message_unref(m) == 0);
+
+ assert_se(make_name_request(bus, "org.test.test2", &m) == 0);
+ ucred.uid = 0;
+ assert_se(policy_check(&p, m, &ucred) == true);
+ ucred.uid = 1;
+ assert_se(policy_check(&p, m, &ucred) == false);
+ assert_se(sd_bus_message_unref(m) == 0);
+
+ assert_se(make_name_request(bus, "org.test.test3", &m) == 0);
+ ucred.uid = 0;
+ assert_se(policy_check(&p, m, &ucred) == false);
+ ucred.uid = 1;
+ assert_se(policy_check(&p, m, &ucred) == false);
+ assert_se(sd_bus_message_unref(m) == 0);
+
+ assert_se(make_name_request(bus, "org.test.test4", &m) == 0);
+ ucred.uid = 0;
+ assert_se(policy_check(&p, m, &ucred) == false);
+ ucred.uid = 1;
+ assert_se(policy_check(&p, m, &ucred) == true);
+ assert_se(sd_bus_message_unref(m) == 0);
+
+ policy_free(&p);
+
+ /* Signal test */
+ assert_se(policy_load(&p, STRV_MAKE("test/bus-policy/signals.conf")) == 0);
+
+ assert_se(sd_bus_message_new_signal(bus, &m, "/an/object/path", "bli.bla.blubb", "Name") == 0);
+ ucred.uid = 0;
+ assert_se(policy_check(&p, m, &ucred) == true);
+
+ ucred.uid = 1;
+ assert_se(policy_check(&p, m, &ucred) == false);
+ assert_se(sd_bus_message_unref(m) == 0);
+
+ policy_free(&p);
+
+ /* Method calls */
+ assert_se(policy_load(&p, STRV_MAKE("test/bus-policy/methods.conf")) == 0);
+
+ ucred.uid = 0;
+ assert_se(sd_bus_message_new_method_call(bus, &m, "org.foo.bar", "/an/object/path", "bli.bla.blubb", "Member") == 0);
+ assert_se(policy_check(&p, m, &ucred) == false);
+
+ assert_se(sd_bus_message_new_method_call(bus, &m, "org.test.test1", "/an/object/path", "bli.bla.blubb", "Member") == 0);
+ assert_se(policy_check(&p, m, &ucred) == false);
+
+ bus->is_kernel = 1;
+ assert_se(sd_bus_message_new_method_call(bus, &m, "org.test.test1", "/an/object/path", "org.test.int1", "Member") == 0);
+ assert_se(policy_check(&p, m, &ucred) == true);
+
+ assert_se(sd_bus_message_new_method_call(bus, &m, "org.test.test1", "/an/object/path", "org.test.int2", "Member") == 0);
+ assert_se(policy_check(&p, m, &ucred) == true);
+
+ policy_free(&p);
+
+ /* User and groups */
+ assert_se(policy_load(&p, STRV_MAKE("test/bus-policy/hello.conf")) == 0);
+ assert_se(sd_bus_message_new_method_call(bus, &m, "org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus", "Hello") == 0);
+ policy_dump(&p);
+
+ ucred.uid = 0;
+ assert_se(policy_check(&p, m, &ucred) == true);
+
+ ucred.uid = 1;
+ assert_se(policy_check(&p, m, &ucred) == false);
+
+ ucred.uid = 0;
+ ucred.gid = 1;
+ assert_se(policy_check(&p, m, &ucred) == false);
+
+ policy_free(&p);
+
+
+ return EXIT_SUCCESS;
+}
diff --git a/test/bus-policy/hello.conf b/test/bus-policy/hello.conf
new file mode 100644
index 0000000000..af09893de6
--- /dev/null
+++ b/test/bus-policy/hello.conf
@@ -0,0 +1,14 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+ <policy context="default">
+ <allow user="*"/>
+
+ <deny user="1"/>
+ <deny group="1"/>
+ </policy>
+
+</busconfig>
diff --git a/test/bus-policy/methods.conf b/test/bus-policy/methods.conf
new file mode 100644
index 0000000000..d6c28c71bc
--- /dev/null
+++ b/test/bus-policy/methods.conf
@@ -0,0 +1,15 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+ <policy context="default">
+ <deny send_type="method_call"/>
+
+ <deny send_destination="org.test.test1"/>
+ <allow send_destination="org.test.test1" send_interface="org.test.int1"/>
+ <allow send_destination="org.test.test1" send_interface="org.test.int2"/>
+ </policy>
+
+</busconfig>
diff --git a/test/bus-policy/ownerships.conf b/test/bus-policy/ownerships.conf
new file mode 100644
index 0000000000..bc3a230a26
--- /dev/null
+++ b/test/bus-policy/ownerships.conf
@@ -0,0 +1,24 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+ <policy context="default">
+ <allow own="org.test.test1"/>
+ </policy>
+
+ <policy context="mandatory">
+ <deny own="org.test.test3"/>
+ </policy>
+
+ <policy user="root">
+ <allow own="org.test.test2"/>
+ <allow own="org.test.test3"/>
+ </policy>
+
+ <policy user="1">
+ <allow own="org.test.test4"/>
+ </policy>
+
+</busconfig>
diff --git a/test/bus-policy/signals.conf b/test/bus-policy/signals.conf
new file mode 100644
index 0000000000..440e3fe6d0
--- /dev/null
+++ b/test/bus-policy/signals.conf
@@ -0,0 +1,15 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+ <policy context="default">
+ <allow send_type="signal"/>
+ </policy>
+
+ <policy user="1">
+ <deny send_type="signal"/>
+ </policy>
+
+</busconfig>