biometryd

Merge lp:~thomas-voss/biometryd/verify-incoming-requests into lp:biometryd

verify-incoming-requests
Merge into trunk

Proposed by Thomas Voß on 2016-06-17

Status:

Merged

Approved by:

Ken VanDine on 2016-06-17

Approved revision:

Merged at revision:

Proposed branch:

lp:~thomas-voss/biometryd/verify-incoming-requests

Merge into:

lp:biometryd

Diff against target:

1169 lines (+722/-123)

14 files modified

src/biometry/CMakeLists.txt (+5/-0)
src/biometry/dbus/interface.h (+24/-13)
src/biometry/dbus/skeleton/credentials_resolver.h (+50/-0)
src/biometry/dbus/skeleton/daemon_credentials_resolver.cpp (+117/-0)
src/biometry/dbus/skeleton/daemon_credentials_resolver.h (+53/-0)
src/biometry/dbus/skeleton/device.cpp (+5/-2)
src/biometry/dbus/skeleton/device.h (+5/-1)
src/biometry/dbus/skeleton/identifier.cpp (+63/-19)
src/biometry/dbus/skeleton/identifier.h (+25/-2)
src/biometry/dbus/skeleton/request_verifier.cpp (+33/-0)
src/biometry/dbus/skeleton/request_verifier.h (+60/-0)
src/biometry/dbus/skeleton/template_store.cpp (+239/-83)
src/biometry/dbus/skeleton/template_store.h (+42/-3)
tests/CMakeLists.txt (+1/-0)

To merge this branch:

bzr merge lp:~thomas-voss/biometryd/verify-incoming-requests

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Ken VanDine		2016-06-17	Approve on 2016-06-17
Review via email: mp+297747@code.launchpad.net

Commit message

Verify incoming requests.

Description of the change

Verify incoming requests.

lp:~thomas-voss/biometryd/verify-incoming-requests updated on 2016-06-17

29. By Thomas Voß on 2016-06-17: Make sure that test cases pass if run in virtualized environments without securityfs being mounted.

Revision history for this message

Ken VanDine (ken-vandine) wrote on 2016-06-17:

Code looks good

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Thomas Voß

Ubuntu Phablet Team

 === modified file 'src/biometry/CMakeLists.txt'
 --- src/biometry/CMakeLists.txt	2016-06-02 14:17:01 +0000
 +++ src/biometry/CMakeLists.txt	2016-06-17 10:36:14 +0000
@@ -60,6 +60,11 @@
    dbus/stub/observer.h
    dbus/stub/operation.h
++  dbus/skeleton/credentials_resolver.h
++  dbus/skeleton/daemon_credentials_resolver.h
++  dbus/skeleton/daemon_credentials_resolver.cpp
++  dbus/skeleton/request_verifier.h
++  dbus/skeleton/request_verifier.cpp
    dbus/skeleton/service.h
    dbus/skeleton/service.cpp
    dbus/skeleton/device.h
 === modified file 'src/biometry/dbus/interface.h'
 --- src/biometry/dbus/interface.h	2016-06-14 20:20:10 +0000
 +++ src/biometry/dbus/interface.h	2016-06-17 10:36:14 +0000
@@ -32,6 +32,17 @@
+ {
  namespace interface
+ {
++struct Errors
++{
++    struct NotPermitted
++    {
++        static inline std::string name()
++        {
++            return "com.ubuntu.biometryd.Error.NotPermitted";
++        }
++    };
++};
++
  struct Service
+ {
      static inline std::string name()
@@ -42,7 +53,7 @@
      static inline core::dbus::types::ObjectPath path()
+     {
          return core::dbus::types::ObjectPath{"/"};
--    }
++    }
      struct Methods
+     {
@@ -60,7 +71,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
      };
@@ -91,7 +102,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
@@ -109,7 +120,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
@@ -127,7 +138,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
      };
@@ -158,7 +169,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
      };
@@ -189,7 +200,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
@@ -206,7 +217,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
@@ -224,7 +235,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
@@ -241,7 +252,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
@@ -259,7 +270,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
      };
@@ -310,7 +321,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
@@ -327,7 +338,7 @@
              inline static const std::chrono::milliseconds default_timeout()
+             {
--                return std::chrono::seconds{1};
++                return std::chrono::seconds{5};
+             }
          };
      };
 === added file 'src/biometry/dbus/skeleton/credentials_resolver.h'
 --- src/biometry/dbus/skeleton/credentials_resolver.h	1970-01-01 00:00:00 +0000
 +++ src/biometry/dbus/skeleton/credentials_resolver.h	2016-06-17 10:36:14 +0000
@@ -0,0 +1,50 @@
++/*
++ * Copyright (C) 2016 Canonical, Ltd.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU Lesser General Public License as published by
++ * the Free Software Foundation; version 3.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ *
++ */
++
++#ifndef BIOMETRYD_DBUS_SKELETON_CREDENTIALS_RESOLVER_H_
++#define BIOMETRYD_DBUS_SKELETON_CREDENTIALS_RESOLVER_H_
++
++#include <biometry/do_not_copy_or_move.h>
++#include <biometry/optional.h>
++#include <biometry/dbus/skeleton/request_verifier.h>
++
++#include <core/dbus/message.h>
++
++#include <functional>
++
++namespace biometry
++{
++namespace dbus
++{
++namespace skeleton
++{
++/// @brief CredentialsResolver resolves incoming messages to RequestVerifier::Credentials.
++class CredentialsResolver : public DoNotCopyOrMove
++{
++public:
++    /// @brief resolve_credentials resolves the credentials of the application that sent msg.
++    virtual void resolve_credentials(const core::dbus::Message::Ptr& msg,
++                                     const std::function<void(const Optional<RequestVerifier::Credentials>&)>& then) = 0;
++};
++}
++}
++}
++
++#endif // BIOMETRYD_DBUS_SKELETON_CREDENTIALS_RESOLVER_H_
++
 === added file 'src/biometry/dbus/skeleton/daemon_credentials_resolver.cpp'
 --- src/biometry/dbus/skeleton/daemon_credentials_resolver.cpp	1970-01-01 00:00:00 +0000
 +++ src/biometry/dbus/skeleton/daemon_credentials_resolver.cpp	2016-06-17 10:36:14 +0000
@@ -0,0 +1,117 @@
++/*
++ * Copyright (C) 2016 Canonical, Ltd.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU Lesser General Public License as published by
++ * the Free Software Foundation; version 3.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ *
++ */
++
++#include <biometry/dbus/skeleton/daemon_credentials_resolver.h>
++
++#include <biometry/application.h>
++#include <biometry/user.h>
++
++#include <core/dbus/macros.h>
++#include <core/dbus/object.h>
++
++#include <core/posix/this_process.h>
++
++namespace
++{
++bool is_running_in_a_testing_environment()
++{
++    return core::posix::this_process::env::get("BIOMETRYD_DBUS_SKELETON_IS_RUNNING_UNDER_TESTING", "0") == "1";
++}
++
++struct DBus
++{
++    static const std::string& name()
++    {
++        static const std::string s = "org.freedesktop.DBus";
++        return s;
++    }
++
++    // Gets the AppArmor confinement string associated with the unique connection name. If
++    // D-Bus is not performing AppArmor mediation, the
++    // org.freedesktop.DBus.Error.AppArmorSecurityContextUnknown error is returned.
++    DBUS_CPP_METHOD_DEF(GetConnectionAppArmorSecurityContext, DBus)
++
++    // Gets the unix user id of the user that the requesting party is running under.
++    DBUS_CPP_METHOD_DEF(GetConnectionUnixUser, DBus)
++
++    struct Stub
++    {
++        // Creates a new stub instance for the given object to access
++        // DBus functionality.
++        Stub(const core::dbus::Object::Ptr& object) : object{object}
++        {
++        }
++
++        // Creates a new stub instance for the given bus connection
++        Stub(const core::dbus::Bus::Ptr& bus)
++            : object
++              {
++                  core::dbus::Service::use_service<DBus>(bus)
++                      ->object_for_path(core::dbus::types::ObjectPath{"/org/freedesktop/DBus"})
++              }
++        {
++        }
++
++        // Gets the AppArmor confinement string associated with the unique connection name. If
++        // D-Bus is not performing AppArmor mediation, the
++        // org.freedesktop.DBus.Error.AppArmorSecurityContextUnknown error is returned.
++        //
++        // Invokes the given handler on completion.
++        void get_connection_app_armor_security_async(const std::string& name, std::function<void(const biometry::Optional<std::string>&)> handler)
++        {
++            object->invoke_method_asynchronously_with_callback<GetConnectionAppArmorSecurityContext, std::string>([handler](const core::dbus::Result<std::string>& result)
++            {
++                biometry::Optional<std::string> label; handler((not result.is_error() ?
++                                                                        label = result.value() :
++                                                                        is_running_in_a_testing_environment() ? label = "unconfined" : label));
++            }, name);
++        }
++
++        // Gets the unix user id of the sender identified by name, invoking handler on completion.
++        void get_connection_unix_user_async(const std::string& name, const std::function<void(biometry::Optional<std::uint32_t>)>& handler)
++        {
++            object->invoke_method_asynchronously_with_callback<GetConnectionUnixUser, std::uint32_t>([handler](const core::dbus::Result<std::uint32_t>& result)
++            {
++                biometry::Optional<std::uint32_t> uid; handler((not result.is_error() ? uid = result.value() : uid));
++            }, name);
++        }
++
++        core::dbus::Object::Ptr object;
++    };
++};
++}
++
++biometry::dbus::skeleton::DaemonCredentialsResolver::DaemonCredentialsResolver(const core::dbus::Bus::Ptr& bus) : bus{bus}
++{
++}
++
++void biometry::dbus::skeleton::DaemonCredentialsResolver::resolve_credentials(
++        const core::dbus::Message::Ptr& msg,
++        const std::function<void(const Optional<RequestVerifier::Credentials>&)>& then)
++{
++    DBus::Stub stub{bus};
++    stub.get_connection_unix_user_async(msg->sender(), [stub, msg, then](biometry::Optional<std::uint32_t> uid) mutable
++    {
++        stub.get_connection_app_armor_security_async(msg->sender(), [stub, msg, then, uid](const biometry::Optional<std::string>& label) mutable
++        {
++            Optional<RequestVerifier::Credentials> credentials;
++            then((label && uid ? credentials = {biometry::Application{label.get()}, biometry::User{uid.get()}} : credentials));
++        });
++    });
++}
 === added file 'src/biometry/dbus/skeleton/daemon_credentials_resolver.h'
 --- src/biometry/dbus/skeleton/daemon_credentials_resolver.h	1970-01-01 00:00:00 +0000
 +++ src/biometry/dbus/skeleton/daemon_credentials_resolver.h	2016-06-17 10:36:14 +0000
@@ -0,0 +1,53 @@
++/*
++ * Copyright (C) 2016 Canonical, Ltd.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU Lesser General Public License as published by
++ * the Free Software Foundation; version 3.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ *
++ */
++
++#ifndef BIOMETRYD_DBUS_SKELETON_DAEMON_CREDENTIALS_RESOLVER_H_
++#define BIOMETRYD_DBUS_SKELETON_DAEMON_CREDENTIALS_RESOLVER_H_
++
++#include <biometry/dbus/skeleton/credentials_resolver.h>
++
++#include <core/dbus/bus.h>
++#include <core/dbus/message.h>
++
++namespace biometry
++{
++namespace dbus
++{
++namespace skeleton
++{
++/// @brief CredentialsResolver resolves incoming messages to RequestVerifier::Credentials.
++class DaemonCredentialsResolver : public CredentialsResolver
++{
++public:
++    /// @brief Initializes a new instance with the given bus connection.
++    explicit DaemonCredentialsResolver(const core::dbus::Bus::Ptr& bus);
++
++    /// @brief resolve_credentials resolves the credentials of the application that sent msg.
++    void resolve_credentials(const core::dbus::Message::Ptr& msg,
++                             const std::function<void(const Optional<RequestVerifier::Credentials>&)>& then) override;
++
++private:
++    core::dbus::Bus::Ptr bus;
++};
++}
++}
++}
++
++#endif // BIOMETRYD_DBUS_SKELETON_DAEMON_CREDENTIALS_RESOLVER_H_
++
 === modified file 'src/biometry/dbus/skeleton/device.cpp'
 --- src/biometry/dbus/skeleton/device.cpp	2016-05-02 06:16:01 +0000
 +++ src/biometry/dbus/skeleton/device.cpp	2016-06-17 10:36:14 +0000
@@ -20,6 +20,7 @@
  #include <biometry/dbus/skeleton/device.h>
  #include <biometry/dbus/interface.h>
++#include <biometry/dbus/skeleton/daemon_credentials_resolver.h>
  #include <biometry/dbus/skeleton/template_store.h>
  #include <boost/format.hpp>
@@ -93,7 +94,8 @@
          template_store_([this, &path]()
+         {
--            return TemplateStore::create_for_service_and_object(bus_, service_, service_->add_object_for_path(path), std::ref(template_store()));
++            return TemplateStore::create_for_service_and_object(bus_, service_, service_->add_object_for_path(path), std::ref(template_store()),
++                                                                std::make_shared<TemplateStore::RequestVerifier>(), std::make_shared<DaemonCredentialsResolver>(bus_));
          });
          auto reply = core::dbus::Message::make_method_return(msg);
@@ -107,7 +109,8 @@
          identifier_([this, &path]()
+         {
--            return Identifier::create_for_service_and_object(bus_, service_, service_->add_object_for_path(path), std::ref(identifier()));
++            return Identifier::create_for_service_and_object(bus_, service_, service_->add_object_for_path(path), std::ref(identifier()),
++                                                             std::make_shared<Identifier::RequestVerifier>(), std::make_shared<DaemonCredentialsResolver>(bus_));
          });
          auto reply = core::dbus::Message::make_method_return(msg);
 === modified file 'src/biometry/dbus/skeleton/device.h'
 --- src/biometry/dbus/skeleton/device.h	2016-05-04 12:17:44 +0000
 +++ src/biometry/dbus/skeleton/device.h	2016-06-17 10:36:14 +0000
@@ -44,7 +44,11 @@
      typedef std::shared_ptr<Device> Ptr;
      /// @brief create_for_bus returns a new skeleton::Device instance connected to bus, forwarding calls to impl.
--    static Ptr create_for_service_and_object(const core::dbus::Bus::Ptr& bus, const core::dbus::Service::Ptr& service, const core::dbus::Object::Ptr& object, const std::shared_ptr<biometry::Device>& impl);
++    static Ptr create_for_service_and_object(
++            const core::dbus::Bus::Ptr& bus,
++            const core::dbus::Service::Ptr& service,
++            const core::dbus::Object::Ptr& object,
++            const std::shared_ptr<biometry::Device>& impl);
      /// @brief Frees up resources and removes routes to message handlers.
      ~Device();
 === modified file 'src/biometry/dbus/skeleton/identifier.cpp'
 --- src/biometry/dbus/skeleton/identifier.cpp	2016-05-04 12:17:44 +0000
 +++ src/biometry/dbus/skeleton/identifier.cpp	2016-06-17 10:36:14 +0000
@@ -28,14 +28,34 @@
  #include <boost/format.hpp>
++namespace
++{
++core::dbus::Message::Ptr not_permitted_in_reply_to(const core::dbus::Message::Ptr& msg)
++{
++    return core::dbus::Message::make_error(msg, biometry::dbus::interface::Errors::NotPermitted::name(), "");
++}
++}
++
++bool biometry::dbus::skeleton::Identifier::RequestVerifier::verify_identify_user_request(const biometry::Application& app, const Credentials& provided)
++{
++    // Requests for the same app are fine.
++    if (app == provided.app)
++        return true;
++
++    // If app ids do not match: we unconditionally trust unconfined apps, and no one else.
++    return provided.app.as_string() == "unconfined";
++}
++
  /// @brief create_for_bus returns a new skeleton::Identifier instance connected to bus, forwarding calls to impl.
  biometry::dbus::skeleton::Identifier::Ptr biometry::dbus::skeleton::Identifier::create_for_service_and_object(
          const core::dbus::Bus::Ptr& bus,
          const core::dbus::Service::Ptr& service,
          const core::dbus::Object::Ptr& object,
--        const std::reference_wrapper<biometry::Identifier>& impl)
++        const std::reference_wrapper<biometry::Identifier>& impl,
++        const std::shared_ptr<RequestVerifier>& request_verifier,
++        const std::shared_ptr<CredentialsResolver>& credentials_resolver)
+ {
--    return Ptr{new Identifier{bus, service, object, impl}};
++    return Ptr{new Identifier{bus, service, object, impl, request_verifier, credentials_resolver}};
+ }
  // From biometry::Identifier.
@@ -48,31 +68,55 @@
          const core::dbus::Bus::Ptr& bus,
          const core::dbus::Service::Ptr& service,
          const core::dbus::Object::Ptr& object,
--        const std::reference_wrapper<biometry::Identifier>& impl)
++        const std::reference_wrapper<biometry::Identifier>& impl,
++        const std::shared_ptr<RequestVerifier>& request_verifier,
++        const std::shared_ptr<CredentialsResolver>& credentials_resolver)
      : impl{impl},
++      request_verifier{request_verifier},
++      credentials_resolver{credentials_resolver},
        bus{bus},
        service{service},
        object{object}
+ {
      object->install_method_handler<biometry::dbus::interface::Identifier::Methods::IdentifyUser>([this](const core::dbus::Message::Ptr& msg)
+     {
--        biometry::Application app = biometry::Application::system(); biometry::Reason reason = biometry::Reason::unknown();
--        auto reader = msg->reader(); reader >> app >> reason;
--        auto op = identify_user(app, reason);
--
--        core::dbus::types::ObjectPath op_path
--        {
--            (boost::format{"%1%/operation/identification/%2%"} % this->object->path().as_string() % util::counter<Identifier>().increment()).str()
--        };
--
--        ops.synchronized([this, op_path, op](IdentificationOps::ValueType& ops)
--        {
--            ops[op_path] = skeleton::Operation<Identification>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++        Identifier::credentials_resolver->resolve_credentials(msg, [this, msg](const Optional<RequestVerifier::Credentials>& credentials)
++        {
++            if (not credentials)
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            biometry::Application app = biometry::Application::system(); biometry::Reason reason = biometry::Reason::unknown();
++            auto reader = msg->reader(); reader >> app >> reason;
++
++            if (not this->request_verifier->verify_identify_user_request(app, credentials.get()))
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            auto op = identify_user(app, reason);
++
++            core::dbus::types::ObjectPath op_path
++            {
++                (boost::format{"%1%/operation/identification/%2%/%3%/%4%"}
++                    % this->object->path().as_string()
++                    % credentials.get().app.as_string()
++                    % credentials.get().user.id
++                    % util::counter<Identifier>().increment()).str()
++            };
++
++            ops.synchronized([this, op_path, op](IdentificationOps::ValueType& ops)
++            {
++                ops[op_path] = skeleton::Operation<Identification>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++            });
++
++            auto reply = core::dbus::Message::make_method_return(msg);
++            reply->writer() << op_path;
++            this->bus->send(reply);
          });
--
--        auto reply = core::dbus::Message::make_method_return(msg);
--        reply->writer() << op_path;
--        this->bus->send(reply);
      });
+ }
 === modified file 'src/biometry/dbus/skeleton/identifier.h'
 --- src/biometry/dbus/skeleton/identifier.h	2016-05-04 12:17:44 +0000
 +++ src/biometry/dbus/skeleton/identifier.h	2016-06-17 10:36:14 +0000
@@ -22,6 +22,8 @@
  #include <biometry/identifier.h>
++#include <biometry/dbus/skeleton/credentials_resolver.h>
++
  #include <core/dbus/object.h>
  #include <core/dbus/service.h>
@@ -46,8 +48,22 @@
      // Safe us some typing.
      typedef std::shared_ptr<Identifier> Ptr;
++    /// @brief RequestVerifier models verification of incoming requests.
++    class RequestVerifier : public biometry::dbus::skeleton::RequestVerifier
++    {
++    public:
++        /// @brief verify_identify_user_request returns true if the requesting app identified by provided
++        /// is allowed to run the request described by requested.
++        virtual bool verify_identify_user_request(const Application& requested, const Credentials& provided);
++    };
++
      /// @brief create_for_bus returns a new skeleton::Identifier instance connected to bus, forwarding calls to impl.
--    static Ptr create_for_service_and_object(const core::dbus::Bus::Ptr& bus, const core::dbus::Service::Ptr& service, const core::dbus::Object::Ptr& object, const std::reference_wrapper<biometry::Identifier>& impl);
++    static Ptr create_for_service_and_object(const core::dbus::Bus::Ptr& bus,
++                                             const core::dbus::Service::Ptr& service,
++                                             const core::dbus::Object::Ptr& object,
++                                             const std::reference_wrapper<biometry::Identifier>& impl,
++                                             const std::shared_ptr<RequestVerifier>& request_verifier,
++                                             const std::shared_ptr<CredentialsResolver>& credentials_resolver);
      /// @brief Frees up resources and uninstalls method handlers.
      ~Identifier();
@@ -59,9 +75,16 @@
      typedef biometry::util::Synchronized<std::unordered_map<core::dbus::types::ObjectPath, Operation<Identification>::Ptr>> IdentificationOps;
      /// @brief Service creates a new instance for the given remote service and object.
--    Identifier(const core::dbus::Bus::Ptr& bus, const core::dbus::Service::Ptr& service, const core::dbus::Object::Ptr& object, const std::reference_wrapper<biometry::Identifier>& impl);
++    Identifier(const core::dbus::Bus::Ptr& bus,
++               const core::dbus::Service::Ptr& service,
++               const core::dbus::Object::Ptr& object,
++               const std::reference_wrapper<biometry::Identifier>& impl,
++               const std::shared_ptr<RequestVerifier>& request_verifier,
++               const std::shared_ptr<CredentialsResolver>& credentials_resolver);
      std::reference_wrapper<biometry::Identifier> impl;
++    std::shared_ptr<RequestVerifier> request_verifier;
++    std::shared_ptr<CredentialsResolver> credentials_resolver;
      core::dbus::Bus::Ptr bus;
      core::dbus::Service::Ptr service;
 === added file 'src/biometry/dbus/skeleton/request_verifier.cpp'
 --- src/biometry/dbus/skeleton/request_verifier.cpp	1970-01-01 00:00:00 +0000
 +++ src/biometry/dbus/skeleton/request_verifier.cpp	2016-06-17 10:36:14 +0000
@@ -0,0 +1,33 @@
++/*
++ * Copyright (C) 2016 Canonical, Ltd.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU Lesser General Public License as published by
++ * the Free Software Foundation; version 3.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ *
++ */
++
++#include <biometry/dbus/skeleton/request_verifier.h>
++
++#include <iostream>
++#include <tuple>
++
++bool biometry::dbus::skeleton::operator==(const RequestVerifier::Credentials& lhs, const RequestVerifier::Credentials& rhs)
++{
++    return std::tie(lhs.app, lhs.user) == std::tie(rhs.app, rhs.user);
++}
++
++std::ostream& biometry::dbus::skeleton::operator<<(std::ostream& out, const RequestVerifier::Credentials& credentials)
++{
++    return out << "[" << credentials.app.as_string() << ", " << credentials.user << "]";
++}
 === added file 'src/biometry/dbus/skeleton/request_verifier.h'
 --- src/biometry/dbus/skeleton/request_verifier.h	1970-01-01 00:00:00 +0000
 +++ src/biometry/dbus/skeleton/request_verifier.h	2016-06-17 10:36:14 +0000
@@ -0,0 +1,60 @@
++/*
++ * Copyright (C) 2016 Canonical, Ltd.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU Lesser General Public License as published by
++ * the Free Software Foundation; version 3.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ *
++ */
++
++#ifndef BIOMETRYD_DBUS_SKELETON_REQUEST_VERIFIER_H_
++#define BIOMETRYD_DBUS_SKELETON_REQUEST_VERIFIER_H_
++
++#include <biometry/application.h>
++#include <biometry/do_not_copy_or_move.h>
++#include <biometry/user.h>
++
++#include <iosfwd>
++
++namespace biometry
++{
++namespace dbus
++{
++namespace skeleton
++{
++/// @brief RequestVerifier is the top-level point of entry to the world
++/// of verifying incoming requests for different components.
++///
++/// Most importantly, it defines the struct Credentials bundling together
++/// information about an incoming request.
++class RequestVerifier : public DoNotCopyOrMove
++{
++public:
++    /// @brief Credentials bundles an app and a user.
++    struct Credentials
++    {
++        Application app; ///< The id of the requesting component.
++        User user;       ///< The user under which the requesting component is running.
++    };
++};
++
++/// @brief operator== returns true iff lhs and rhs compare equal per component.
++bool operator==(const RequestVerifier::Credentials& lhs, const RequestVerifier::Credentials& rhs);
++/// @brief operator<< inserts credentials into out.
++std::ostream& operator<<(std::ostream& out, const RequestVerifier::Credentials& credentials);
++}
++}
++}
++
++#endif // BIOMETRYD_DBUS_SKELETON_REQUEST_VERIFIER_H_
++
 === modified file 'src/biometry/dbus/skeleton/template_store.cpp'
 --- src/biometry/dbus/skeleton/template_store.cpp	2016-06-14 21:12:44 +0000
 +++ src/biometry/dbus/skeleton/template_store.cpp	2016-06-17 10:36:14 +0000
@@ -30,13 +30,65 @@
  #include <boost/format.hpp>
++namespace
++{
++core::dbus::Message::Ptr not_permitted_in_reply_to(const core::dbus::Message::Ptr& msg)
++{
++    return core::dbus::Message::make_error(msg, biometry::dbus::interface::Errors::NotPermitted::name(), "");
++}
++
++bool verify(const biometry::dbus::skeleton::RequestVerifier::Credentials& requested, const biometry::dbus::skeleton::RequestVerifier::Credentials& provided)
++{
++    // In case of a match: good to go. Please note that we
++    // will dispatch to the trust-store in the future, once we
++    // open up the service to all applications.
++    if (requested == provided)
++        return true;
++
++    // Unconfinded apps are allowed to request operations on behalf of other applications.
++    // We still limit them to their effective uid.
++    if (provided.app.as_string() == "unconfined" && requested.user == provided.user)
++        return true;
++
++    // All other cases are forbidden.
++    return false;
++}
++}
++
++bool biometry::dbus::skeleton::TemplateStore::RequestVerifier::verify_size_request(const Credentials& requested, const Credentials& provided)
++{
++    return verify(requested, provided);
++}
++
++bool biometry::dbus::skeleton::TemplateStore::RequestVerifier::verify_list_request(const Credentials& requested, const Credentials& provided)
++{
++    return verify(requested, provided);
++}
++
++bool biometry::dbus::skeleton::TemplateStore::RequestVerifier::verify_enroll_request(const Credentials& requested, const Credentials& provided)
++{
++    return verify(requested, provided);
++}
++
++bool biometry::dbus::skeleton::TemplateStore::RequestVerifier::verify_remove_request(const Credentials& requested, const Credentials& provided)
++{
++    return verify(requested, provided);
++}
++
++bool biometry::dbus::skeleton::TemplateStore::RequestVerifier::verify_clear_request(const Credentials& requested, const Credentials& provided)
++{
++    return verify(requested, provided);
++}
++
  biometry::dbus::skeleton::TemplateStore::Ptr biometry::dbus::skeleton::TemplateStore::create_for_service_and_object(
          const core::dbus::Bus::Ptr& bus,
          const core::dbus::Service::Ptr& service,
          const core::dbus::Object::Ptr& object,
--        const std::reference_wrapper<biometry::TemplateStore>& impl)
++        const std::reference_wrapper<biometry::TemplateStore>& impl,
++        const std::shared_ptr<RequestVerifier>& request_verifier,
++        const std::shared_ptr<CredentialsResolver>& credentials_resolver)
+ {
--    return Ptr{new TemplateStore{bus, service, object, impl}};
++    return Ptr{new TemplateStore{bus, service, object, impl, request_verifier, credentials_resolver}};
+ }
  biometry::Operation<biometry::TemplateStore::SizeQuery>::Ptr biometry::dbus::skeleton::TemplateStore::size(const biometry::Application& app, const biometry::User& user)
@@ -68,115 +120,219 @@
          const core::dbus::Bus::Ptr& bus,
          const core::dbus::Service::Ptr& service,
          const core::dbus::Object::Ptr& object,
--        const std::reference_wrapper<biometry::TemplateStore>& impl)
++        const std::reference_wrapper<biometry::TemplateStore>& impl,
++        const std::shared_ptr<RequestVerifier>& request_verifier,
++        const std::shared_ptr<CredentialsResolver>& credentials_resolver)
      : impl{impl},
++      request_verifier{request_verifier},
++      credentials_resolver{credentials_resolver},
        bus{bus},
        service{service},
        object{object}
+ {
      object->install_method_handler<biometry::dbus::interface::TemplateStore::Methods::Size>([this](const core::dbus::Message::Ptr& msg)
+     {
--        biometry::User user; biometry::Application app = biometry::Application::system();
--        auto reader = msg->reader(); reader >> app >> user;
--        auto op = size(app, user);
--
--        core::dbus::types::ObjectPath op_path
--        {
--            (boost::format{"%1%/operation/size/%2%"} % this->object->path().as_string() % util::counter<TemplateStore>().increment()).str()
--        };
--
--        ops.size.synchronized([this, op_path, op](SizeOps::ValueType& ops)
--        {
--            ops[op_path] = skeleton::Operation<SizeQuery>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++        TemplateStore::credentials_resolver->resolve_credentials(msg, [this, msg](const Optional<RequestVerifier::Credentials>& credentials)
++        {
++            if (not credentials)
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            biometry::User user; biometry::Application app = biometry::Application::system();
++            auto reader = msg->reader(); reader >> app >> user;
++
++            if (not this->request_verifier->verify_size_request({app, user}, credentials.get()))
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            auto op = size(app, user);
++
++            core::dbus::types::ObjectPath op_path
++            {
++                (boost::format{"%1%/operation/size/%2%/%3%/%4%"}
++                    % this->object->path().as_string()
++                    % credentials.get().app.as_string()
++                    % credentials.get().user.id
++                    % util::counter<TemplateStore>().increment()).str()
++            };
++
++            ops.size.synchronized([this, op_path, op](SizeOps::ValueType& ops)
++            {
++                ops[op_path] = skeleton::Operation<SizeQuery>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++            });
++
++            auto reply = core::dbus::Message::make_method_return(msg);
++            reply->writer() << op_path;
++            this->bus->send(reply);
          });
--
--        auto reply = core::dbus::Message::make_method_return(msg);
--        reply->writer() << op_path;
--        this->bus->send(reply);
      });
      object->install_method_handler<biometry::dbus::interface::TemplateStore::Methods::List>([this](const core::dbus::Message::Ptr& msg)
+     {
--        biometry::User user; biometry::Application app = biometry::Application::system();
--        auto reader = msg->reader(); reader >> app >> user;
--        auto op = list(app, user);
--
--        core::dbus::types::ObjectPath op_path
--        {
--            (boost::format{"%1%/operation/list/%2%"} % this->object->path().as_string() % util::counter<TemplateStore>().increment()).str()
--        };
--
--        ops.list.synchronized([this, op_path, op](ListOps::ValueType& ops)
--        {
--            ops[op_path] = skeleton::Operation<List>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++        TemplateStore::credentials_resolver->resolve_credentials(msg, [this, msg](const Optional<RequestVerifier::Credentials>& credentials)
++        {
++            if (not credentials)
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            biometry::User user; biometry::Application app = biometry::Application::system();
++            auto reader = msg->reader(); reader >> app >> user;
++
++            if (not this->request_verifier->verify_list_request({app, user}, credentials.get()))
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            auto op = list(app, user);
++
++            core::dbus::types::ObjectPath op_path
++            {
++                (boost::format{"%1%/operation/list/%2%/%3%/%4%"}
++                    % this->object->path().as_string()
++                    % credentials.get().app.as_string()
++                    % credentials.get().user.id
++                    % util::counter<TemplateStore>().increment()).str()
++            };
++
++            ops.list.synchronized([this, op_path, op](ListOps::ValueType& ops)
++            {
++                ops[op_path] = skeleton::Operation<List>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++            });
++
++            auto reply = core::dbus::Message::make_method_return(msg);
++            reply->writer() << op_path;
++            this->bus->send(reply);
          });
--
--        auto reply = core::dbus::Message::make_method_return(msg);
--        reply->writer() << op_path;
--        this->bus->send(reply);
      });
      object->install_method_handler<biometry::dbus::interface::TemplateStore::Methods::Enroll>([this](const core::dbus::Message::Ptr& msg)
+     {
--        biometry::User user; biometry::Application app = biometry::Application::system();
--        auto reader = msg->reader(); reader >> app >> user;
--        auto op = enroll(app, user);
--
--        core::dbus::types::ObjectPath op_path
--        {
--            (boost::format{"%1%/operation/enroll/%2%"} % this->object->path().as_string() % util::counter<TemplateStore>().increment()).str()
--        };
--
--        ops.enroll.synchronized([this, op_path, op](EnrollOps::ValueType& ops)
--        {
--            ops[op_path] = skeleton::Operation<Enrollment>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++        TemplateStore::credentials_resolver->resolve_credentials(msg, [this, msg](const Optional<RequestVerifier::Credentials>& credentials)
++        {
++            if (not credentials)
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            biometry::User user; biometry::Application app = biometry::Application::system();
++            auto reader = msg->reader(); reader >> app >> user;
++
++            if (not this->request_verifier->verify_enroll_request({app, user}, credentials.get()))
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            auto op = enroll(app, user);
++
++            core::dbus::types::ObjectPath op_path
++            {
++                (boost::format{"%1%/operation/enroll/%2%/%3%/%4%"}
++                    % this->object->path().as_string()
++                    % credentials.get().app.as_string()
++                    % credentials.get().user.id
++                    % util::counter<TemplateStore>().increment()).str()
++            };
++
++            ops.enroll.synchronized([this, op_path, op](EnrollOps::ValueType& ops)
++            {
++                ops[op_path] = skeleton::Operation<Enrollment>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++            });
++
++            auto reply = core::dbus::Message::make_method_return(msg);
++            reply->writer() << op_path;
++            this->bus->send(reply);
          });
--
--        auto reply = core::dbus::Message::make_method_return(msg);
--        reply->writer() << op_path;
--        this->bus->send(reply);
      });
      object->install_method_handler<biometry::dbus::interface::TemplateStore::Methods::Remove>([this](const core::dbus::Message::Ptr& msg)
+     {
--        biometry::User user; biometry::Application app = biometry::Application::system(); biometry::TemplateStore::TemplateId id{0};
--        auto reader = msg->reader(); reader >> app >> user >> id;
--        auto op = remove(app, user, id);
--
--        core::dbus::types::ObjectPath op_path
--        {
--            (boost::format{"%1%/operation/remove/%2%"} % this->object->path().as_string() % util::counter<TemplateStore>().increment()).str()
--        };
--
--        ops.remove.synchronized([this, op_path, op](RemoveOps::ValueType& ops)
--        {
--            ops[op_path] = skeleton::Operation<Removal>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++        TemplateStore::credentials_resolver->resolve_credentials(msg, [this, msg](const Optional<RequestVerifier::Credentials>& credentials)
++        {
++            if (not credentials)
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            biometry::User user; biometry::Application app = biometry::Application::system(); biometry::TemplateStore::TemplateId id{0};
++            auto reader = msg->reader(); reader >> app >> user >> id;
++
++            if (not this->request_verifier->verify_remove_request({app, user}, credentials.get()))
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            auto op = remove(app, user, id);
++
++            core::dbus::types::ObjectPath op_path
++            {
++                (boost::format{"%1%/operation/remove/%2%/%3%/%4%"}
++                    % this->object->path().as_string()
++                    % credentials.get().app.as_string()
++                    % credentials.get().user.id
++                    % util::counter<TemplateStore>().increment()).str()
++            };
++
++            ops.remove.synchronized([this, op_path, op](RemoveOps::ValueType& ops)
++            {
++                ops[op_path] = skeleton::Operation<Removal>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++            });
++
++            auto reply = core::dbus::Message::make_method_return(msg);
++            reply->writer() << op_path;
++            this->bus->send(reply);
          });
--
--        auto reply = core::dbus::Message::make_method_return(msg);
--        reply->writer() << op_path;
--        this->bus->send(reply);
      });
      object->install_method_handler<biometry::dbus::interface::TemplateStore::Methods::Clear>([this](const core::dbus::Message::Ptr& msg)
+     {
--        biometry::User user; biometry::Application app = biometry::Application::system();
--        auto reader = msg->reader(); reader >> app >> user;
--        auto op = clear(app, user);
--
--        core::dbus::types::ObjectPath op_path
--        {
--            (boost::format{"%1%/operation/clear/%2%"} % this->object->path().as_string() % util::counter<TemplateStore>().increment()).str()
--        };
--
--        ops.clear.synchronized([this, op_path, op](ClearOps::ValueType& ops)
--        {
--            ops[op_path] = skeleton::Operation<Clearance>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++        TemplateStore::credentials_resolver->resolve_credentials(msg, [this, msg](const Optional<RequestVerifier::Credentials>& credentials)
++        {
++            if (not credentials)
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            biometry::User user; biometry::Application app = biometry::Application::system();
++            auto reader = msg->reader(); reader >> app >> user;
++
++            if (not this->request_verifier->verify_clear_request({app, user}, credentials.get()))
++            {
++                this->bus->send(not_permitted_in_reply_to(msg));
++                return;
++            }
++
++            auto op = clear(app, user);
++
++            core::dbus::types::ObjectPath op_path
++            {
++                (boost::format{"%1%/operation/clear/%2%/%3%/%4%"}
++                    % this->object->path().as_string()
++                    % credentials.get().app.as_string()
++                    % credentials.get().user.id
++                    % util::counter<TemplateStore>().increment()).str()
++            };
++
++            ops.clear.synchronized([this, op_path, op](ClearOps::ValueType& ops)
++            {
++                ops[op_path] = skeleton::Operation<Clearance>::create_for_object(this->bus, this->service->add_object_for_path(op_path), op);
++            });
++
++            auto reply = core::dbus::Message::make_method_return(msg);
++            reply->writer() << op_path;
++            this->bus->send(reply);
          });
--
--        auto reply = core::dbus::Message::make_method_return(msg);
--        reply->writer() << op_path;
--        this->bus->send(reply);
      });
+ }
 === modified file 'src/biometry/dbus/skeleton/template_store.h'
 --- src/biometry/dbus/skeleton/template_store.h	2016-06-14 21:12:44 +0000
 +++ src/biometry/dbus/skeleton/template_store.h	2016-06-17 10:36:14 +0000
@@ -22,6 +22,8 @@
  #include <biometry/template_store.h>
++#include <biometry/dbus/skeleton/credentials_resolver.h>
++#include <biometry/dbus/skeleton/request_verifier.h>
  #include <biometry/util/synchronized.h>
  #include <core/dbus/object.h>
@@ -46,8 +48,39 @@
      // Safe us some typing
      typedef std::shared_ptr<TemplateStore> Ptr;
++    /// @brief RequestVerifier models verification of incoming requests.
++    class RequestVerifier : public biometry::dbus::skeleton::RequestVerifier
++    {
++    public:
++        /// @brief verify_size_request returns true if the application   identified by credentials
++        /// is permitted to query the number of enrolled templates for the app and user bundled in request.
++        virtual bool verify_size_request(const Credentials& requested, const Credentials& provided);
++
++        /// @brief verify_list_request returns true if the application identified by credentials is
++        /// allowed to list all templates for the user and app bundled in request.
++        virtual bool verify_list_request(const Credentials& requested, const Credentials& provided);
++
++        /// @brief verify_enroll_request returns true if the application identified by credentials is
++        /// allowed to enroll a new template for the app and user bundled in request.
++        virtual bool verify_enroll_request(const Credentials& requested, const Credentials& provided);
++
++        /// @brief verify_remove_request returns true if the application identified by credentials is
++        /// allowed to remove a template for the app and user bundled in request.
++        virtual bool verify_remove_request(const Credentials& requested, const Credentials& provided);
++
++        /// @brief verify_clear_request returns true if the application identified by credentials is
++        /// allowed to clear all templates for the app and user bundled in request.
++        virtual bool verify_clear_request(const Credentials& requested, const Credentials& provided);
++    };
++
      /// @brief create_for_bus returns a new skeleton::TemplateStore instance connected to bus, forwarding calls to impl.
--    static Ptr create_for_service_and_object(const core::dbus::Bus::Ptr& bus, const core::dbus::Service::Ptr& service, const core::dbus::Object::Ptr& object, const std::reference_wrapper<biometry::TemplateStore>& impl);
++    static Ptr create_for_service_and_object(
++            const core::dbus::Bus::Ptr& bus,
++            const core::dbus::Service::Ptr& service,
++            const core::dbus::Object::Ptr& object,
++            const std::reference_wrapper<biometry::TemplateStore>& impl,
++            const std::shared_ptr<RequestVerifier>& request_verifier,
++            const std::shared_ptr<CredentialsResolver>& credentials_resolver);
      /// @brief Frees up resources and uninstall message handlers.
      ~TemplateStore();
@@ -68,11 +101,17 @@
      typedef util::Synchronized<std::unordered_map<core::dbus::types::ObjectPath, Operation<Clearance>::Ptr>> ClearOps;
      /// @brief TemplateStore creates a new instance for the given remote service and object.
--    TemplateStore(const core::dbus::Bus::Ptr& bus, const core::dbus::Service::Ptr& service, const core::dbus::Object::Ptr& object, const std::reference_wrapper<biometry::TemplateStore>& impl);
++    TemplateStore(const core::dbus::Bus::Ptr& bus,
++                  const core::dbus::Service::Ptr& service,
++                  const core::dbus::Object::Ptr& object,
++                  const std::reference_wrapper<biometry::TemplateStore>& impl,
++                  const std::shared_ptr<RequestVerifier>& request_verifier,
++                  const std::shared_ptr<CredentialsResolver>& credentials_resolver);
      std::reference_wrapper<biometry::TemplateStore> impl;
--
++    std::shared_ptr<RequestVerifier> request_verifier;
++    std::shared_ptr<CredentialsResolver> credentials_resolver;
      core::dbus::Bus::Ptr bus;
      core::dbus::Service::Ptr service;
      core::dbus::Object::Ptr object;
 === modified file 'tests/CMakeLists.txt'
 --- tests/CMakeLists.txt	2016-05-11 14:39:41 +0000
 +++ tests/CMakeLists.txt	2016-06-17 10:36:14 +0000
@@ -44,6 +44,7 @@
      gtest_main)
    add_test(${test_name} ${CMAKE_CURRENT_BINARY_DIR}/${test_name} --gtest_filter=*-*requires*)
++  set_tests_properties(${test_name} PROPERTIES ENVIRONMENT "BIOMETRYD_DBUS_SKELETON_IS_RUNNING_UNDER_TESTING=1")
  endmacro(BIOMETRYD_ADD_TEST)
  add_library(biometryd_devices_plugin_dl SHARED biometryd_devices_plugin_dl.cpp)