trust-store

Merge lp:~thomas-voss/trust-store/fix-1518883 into lp:trust-store

fix-1518883
Merge into trunk

Proposed by Thomas Voß on 2015-11-23

Status:

Superseded

Proposed branch:

lp:~thomas-voss/trust-store/fix-1518883

Merge into:

lp:trust-store

Diff against target:

326 lines (+250/-1)

6 files modified

src/CMakeLists.txt (+3/-0)
src/core/trust/daemon.cpp (+6/-1)
src/core/trust/privilege_escalation_prevention_agent.cpp (+52/-0)
src/core/trust/privilege_escalation_prevention_agent.h (+63/-0)
tests/CMakeLists.txt (+20/-0)
tests/privilege_escalation_prevention_agent_test.cpp (+106/-0)

To merge this branch:

bzr merge lp:~thomas-voss/trust-store/fix-1518883

High

In Progress

Link a bug report

Reviewer	Review Type	Date Requested	Status
PS Jenkins bot	continuous-integration		Approve on 2015-11-23
Ubuntu Phablet Team		2015-11-23	Pending
Review via email: mp+278292@code.launchpad.net

This proposal has been superseded by a proposal from 2015-11-24.

Commit message

Introduce a trust::PrivilegeEscalationPreventionAgent, filtering out invalid requests. Fixes lp:#1518883.

Description of the change

Introduce a trust::PrivilegeEscalationPreventionAgent, filtering out invalid requests. Fixes lp:#1518883.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-11-23:

PASSED: Continuous integration, rev:138
http://jenkins.qa.ubuntu.com/job/trust-store-ci/106/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-amd64-ci/27
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/27
        deb: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/27/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-i386-ci/27

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/trust-store-ci/106/rebuild

review: Approve (continuous-integration)

lp:~thomas-voss/trust-store/fix-1518883 updated on 2015-11-27

139. By Thomas Voß on 2015-11-27: Remove obsolote check in mir::Agent.

Unmerged revisions

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Thomas Voß

Ubuntu Phablet Team

 === modified file 'src/CMakeLists.txt'
 --- src/CMakeLists.txt	2015-08-31 13:16:20 +0000
 +++ src/CMakeLists.txt	2015-11-23 09:47:36 +0000
@@ -43,6 +43,9 @@
    core/trust/app_id_formatting_trust_agent.h
    core/trust/app_id_formatting_trust_agent.cpp
++  # An agent implementation preventing privilege escalation attacks.
++  core/trust/privilege_escalation_prevention_agent.cpp
++
    # An agent-implementation that allows for selectively whitelisting app ids
    core/trust/white_listing_agent.cpp
    # An agent-implementation using a store instance to cache user replies.
 === modified file 'src/core/trust/daemon.cpp'
 --- src/core/trust/daemon.cpp	2015-08-31 14:00:41 +0000
 +++ src/core/trust/daemon.cpp	2015-11-23 09:47:36 +0000
@@ -22,6 +22,7 @@
  #include <core/trust/cached_agent.h>
  #include <core/trust/expose.h>
  #include <core/trust/i18n.h>
++#include <core/trust/privilege_escalation_prevention_agent.h>
  #include <core/trust/store.h>
  #include <core/trust/white_listing_agent.h>
@@ -375,6 +376,10 @@
      }, cached_agent);
      auto formatting_agent = std::make_shared<core::trust::AppIdFormattingTrustAgent>(whitelisting_agent);
++
++    auto privilege_escalation_prevention_agent = std::make_shared<core::trust::PrivilegeEscalationPreventionAgent>(
++        core::trust::PrivilegeEscalationPreventionAgent::default_user_id_functor(),
++        formatting_agent);
      auto remote_agent = remote_agent_factory(service_name, formatting_agent, dict);
@@ -382,7 +387,7 @@
+     {
          service_name,
          bus_from_name(vm[Parameters::StoreBus::name].as<std::string>()),
--        {local_store, formatting_agent},
++        {local_store, privilege_escalation_prevention_agent},
          {remote_agent}
      };
+ }
 === added file 'src/core/trust/privilege_escalation_prevention_agent.cpp'
 --- src/core/trust/privilege_escalation_prevention_agent.cpp	1970-01-01 00:00:00 +0000
 +++ src/core/trust/privilege_escalation_prevention_agent.cpp	2015-11-23 09:47:36 +0000
@@ -0,0 +1,52 @@
++/*
++ * Copyright © 2015 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ */
++
++#include <core/trust/privilege_escalation_prevention_agent.h>
++
++#include <unistd.h>
++#include <sys/types.h>
++
++core::trust::PrivilegeEscalationPreventionAgent::Error::Error() : std::runtime_error{"Potential privilege escalation attack detected."}
++{
++}
++
++core::trust::PrivilegeEscalationPreventionAgent::UserIdFunctor core::trust::PrivilegeEscalationPreventionAgent::default_user_id_functor()
++{
++    return []()
++    {
++        return core::trust::Uid{::getuid()};
++    };
++}
++
++core::trust::PrivilegeEscalationPreventionAgent::PrivilegeEscalationPreventionAgent(
++        const UserIdFunctor& uid_functor,
++        const std::shared_ptr<core::trust::Agent>& impl)
++    : uid_functor{uid_functor},
++      impl{impl}
++{
++    if (not impl) throw std::runtime_error
++    {
++        "Missing agent implementation."
++    };
++}
++
++core::trust::Request::Answer core::trust::PrivilegeEscalationPreventionAgent::authenticate_request_with_parameters(const core::trust::Agent::RequestParameters& parameters)
++{
++    if (uid_functor() != parameters.application.uid) throw Error{};
++    return impl->authenticate_request_with_parameters(parameters);
++}
 === added file 'src/core/trust/privilege_escalation_prevention_agent.h'
 --- src/core/trust/privilege_escalation_prevention_agent.h	1970-01-01 00:00:00 +0000
 +++ src/core/trust/privilege_escalation_prevention_agent.h	2015-11-23 09:47:36 +0000
@@ -0,0 +1,63 @@
++/*
++ * Copyright © 2015 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ */
++
++#ifndef CORE_TRUST_PRIVILEGE_ESCALATION_PREVENTION_AGENT_H_
++#define CORE_TRUST_PRIVILEGE_ESCALATION_PREVENTION_AGENT_H_
++
++#include <core/trust/agent.h>
++
++#include <stdexcept>
++
++namespace core
++{
++namespace trust
++{
++// A PrivilegeEscalationPreventionAgent ensures that requests originating from an application
++// running under a different user than the current one are rejected immediately, thereby preventing
++// from privilege escalation issues.
++class CORE_TRUST_DLL_PUBLIC PrivilegeEscalationPreventionAgent : public core::trust::Agent
++{
++public:
++    // An Error is thrown if a potential privilege escalation attack has been detected.
++    struct Error : public std::runtime_error
++    {
++        // Error creates an instance, providing details about the escalation issue.
++        Error();
++    };
++
++    // A UserIdFunctor queries the user id under which the current process runs.
++    typedef std::function<Uid()> UserIdFunctor;
++
++    // default_user_id_functor returns a UserIdFunctor querying the current user id from the system.
++    static UserIdFunctor default_user_id_functor();
++
++    // PrivilegeEscalationPreventionAgent creates a new instance that queries the current user,
++    // forwarding valid requests to impl.
++    PrivilegeEscalationPreventionAgent(const UserIdFunctor& uid_functor, const std::shared_ptr<Agent>& impl);
++
++    // From core::trust::Agent
++    Request::Answer authenticate_request_with_parameters(const RequestParameters& parameters) override;
++
++private:
++    UserIdFunctor uid_functor;
++    std::shared_ptr<Agent> impl;
++};
++}
++}
++
++#endif // CORE_TRUST_PRIVILEGE_ESCALATION_PREVENTION_AGENT_H_
 === modified file 'tests/CMakeLists.txt'
 --- tests/CMakeLists.txt	2014-11-14 12:17:24 +0000
 +++ tests/CMakeLists.txt	2015-11-23 09:47:36 +0000
@@ -59,6 +59,11 @@
+ )
  add_executable(
++  privilege_escalation_prevention_agent_test
++  privilege_escalation_prevention_agent_test.cpp
++)
++
++add_executable(
    cached_agent_test
    cached_agent_test.cpp
+ )
@@ -166,6 +171,20 @@
+ )
  target_link_libraries(
++  privilege_escalation_prevention_agent_test
++
++  trust-store
++
++  gmock
++
++  gtest
++  gtest_main
++
++  ${PROCESS_CPP_LIBRARIES}
++)
++
++
++target_link_libraries(
    cached_agent_test
    trust-store
@@ -226,6 +245,7 @@
  add_test(app_id_formatting_trust_agent_test ${CMAKE_CURRENT_BINARY_DIR}/app_id_formatting_trust_agent_test)
  add_test(cached_agent_test ${CMAKE_CURRENT_BINARY_DIR}/cached_agent_test)
  add_test(white_listing_agent_test ${CMAKE_CURRENT_BINARY_DIR}/white_listing_agent_test)
++add_test(privilege_escalation_prevention_agent_test ${CMAKE_CURRENT_BINARY_DIR}/privilege_escalation_prevention_agent_test)
  # TODO(tvoss) Re-enable daemon tests once CI issues are resolved.
  # add_test(daemon_test ${CMAKE_CURRENT_BINARY_DIR}/daemon_test)
  add_test(dbus_test ${CMAKE_CURRENT_BINARY_DIR}/dbus_test)
 === added file 'tests/privilege_escalation_prevention_agent_test.cpp'
 --- tests/privilege_escalation_prevention_agent_test.cpp	1970-01-01 00:00:00 +0000
 +++ tests/privilege_escalation_prevention_agent_test.cpp	2015-11-23 09:47:36 +0000
@@ -0,0 +1,106 @@
++/*
++ * Copyright © 2015 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ */
++
++#include <core/trust/privilege_escalation_prevention_agent.h>
++
++#include "mock_agent.h"
++#include "the.h"
++
++#include <gmock/gmock.h>
++
++namespace
++{
++std::shared_ptr<testing::NiceMock<MockAgent>> a_mocked_agent()
++{
++    return std::make_shared<testing::NiceMock<MockAgent>>();
++}
++
++struct MockUserIdFunctor
++{
++    core::trust::PrivilegeEscalationPreventionAgent::UserIdFunctor to_functional()
++    {
++        return [this]()
++        {
++            return get_uid();
++        };
++    }
++
++    MOCK_METHOD0(get_uid, core::trust::Uid());
++};
++}
++
++TEST(PrivilegeEscalationPreventionAgent, ctor_throws_for_null_agent)
++{
++    EXPECT_ANY_THROW(core::trust::PrivilegeEscalationPreventionAgent
++    (
++        core::trust::PrivilegeEscalationPreventionAgent::default_user_id_functor(),
++        std::shared_ptr<core::trust::Agent>()
++    ));
++}
++
++TEST(PrivilegeEscalationPreventionAgent, queries_user_id_for_incoming_request_and_dispatches_to_impl_if_no_privilege_escalation_detected)
++{
++    using namespace ::testing;
++
++    auto mock_agent = a_mocked_agent();
++
++    auto params = the::default_request_parameters_for_testing();
++    params.application.id = params.application.id + std::string{"_app"} + std::string{"_1.2.3"};
++
++    MockUserIdFunctor uif;
++    EXPECT_CALL(uif, get_uid())
++            .Times(1)
++            .WillRepeatedly(Return(params.application.uid));
++
++    EXPECT_CALL(*mock_agent, authenticate_request_with_parameters(params))
++            .Times(1)
++            .WillRepeatedly(Return(core::trust::Request::Answer::denied));
++
++    core::trust::PrivilegeEscalationPreventionAgent agent{uif.to_functional(), mock_agent};
++
++    EXPECT_EQ(core::trust::Request::Answer::denied,
++              agent.authenticate_request_with_parameters(params));
++}
++
++TEST(PrivilegeEscalationPreventionAgent, invokes_user_id_functor_for_incoming_request_and_throws_if_privilege_escalation_detected)
++{
++    using namespace ::testing;
++
++    auto mock_agent = a_mocked_agent();
++
++    auto params = the::default_request_parameters_for_testing();
++    params.application.id = params.application.id + std::string{"_app"} + std::string{"_1.2.3"};
++
++    MockUserIdFunctor uif;
++    EXPECT_CALL(uif, get_uid())
++            .Times(1)
++            .WillRepeatedly(Return(core::trust::Uid{12}));
++
++    EXPECT_CALL(*mock_agent, authenticate_request_with_parameters(params))
++            .Times(0);
++
++    core::trust::PrivilegeEscalationPreventionAgent agent{uif.to_functional(), mock_agent};
++
++    EXPECT_THROW(agent.authenticate_request_with_parameters(params), core::trust::PrivilegeEscalationPreventionAgent::Error);
++}
++
++TEST(PrivilegeEscalationPreventionAgentDefaultUserIdFunctor, returns_current_user_id)
++{
++    auto f = core::trust::PrivilegeEscalationPreventionAgent::default_user_id_functor();
++    EXPECT_EQ(core::trust::Uid(::getuid()), f());
++}