trust-store

Merge lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable into lp:trust-store

make-process-start-time-verification-configurable
Merge into trunk

Proposed by Thomas Voß on 2015-08-13

Status:	Needs review
Proposed branch:	lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable
Merge into:	lp:trust-store
Diff against target:	149 lines (+30/-12) 5 files modified src/core/trust/daemon.cpp (+4/-3) src/core/trust/mir/prompt_main.cpp (+4/-0) src/core/trust/remote/posix.cpp (+8/-6) src/core/trust/remote/posix.h (+8/-0) tests/remote_agent_test.cpp (+6/-3)
To merge this branch:	bzr merge lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
PS Jenkins bot	continuous-integration		Approve on 2015-08-14
Ubuntu Phablet Team		2015-08-13	Pending
Review via email: mp+267923@code.launchpad.net

Commit message

Expose flag for process timestamp verification as command line argument.
Make process-start-time verification configurable.
Adjust test cases to account for new struct member.

Description of the change

Expose flag for process timestamp verification as command line argument.
Make process-start-time verification configurable.
Adjust test cases to account for new struct member.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-08-13:

PASSED: Continuous integration, rev:111
http://jenkins.qa.ubuntu.com/job/trust-store-ci/91/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-amd64-ci/12
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/12
        deb: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/12/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-i386-ci/12

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/trust-store-ci/91/rebuild

review: Approve (continuous-integration)

lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable updated on 2015-08-13

112. By Thomas Voß on 2015-08-13: Add some terminal output for debugging purposes.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-08-13:

FAILED: Continuous integration, rev:112
http://jenkins.qa.ubuntu.com/job/trust-store-ci/92/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-amd64-ci/13
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/13
        deb: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/13/artifact/work/output/*zip*/output.zip
    FAILURE: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-i386-ci/13/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/trust-store-ci/92/rebuild

review: Needs Fixing (continuous-integration)

lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable updated on 2015-08-13

113. By Thomas Voß on 2015-08-13: Temporarily enable debugging of the prompt.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-08-13:

PASSED: Continuous integration, rev:113
http://jenkins.qa.ubuntu.com/job/trust-store-ci/94/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-amd64-ci/15
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/15
        deb: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/15/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-i386-ci/15

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/trust-store-ci/94/rebuild

review: Approve (continuous-integration)

lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable updated on 2015-08-14

114. By Thomas Voß on 2015-08-14: Remove temporary terminal output.
Make whitelisting agent behavior configurable via a command-line flag 'disable-whitelisting'.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-08-14:

PASSED: Continuous integration, rev:114
http://jenkins.qa.ubuntu.com/job/trust-store-ci/95/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-amd64-ci/16
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/16
        deb: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-armhf-ci/16/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/trust-store-vivid-i386-ci/16

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/trust-store-ci/95/rebuild

review: Approve (continuous-integration)

Unmerged revisions

114. By Thomas Voß on 2015-08-14: Remove temporary terminal output.
Make whitelisting agent behavior configurable via a command-line flag 'disable-whitelisting'.
113. By Thomas Voß on 2015-08-13: Temporarily enable debugging of the prompt.
112. By Thomas Voß on 2015-08-13: Add some terminal output for debugging purposes.
111. By Thomas Voß on 2015-08-13: Expose flag for process timestamp verification as command line argument.
Adjust test cases to account for new struct member.
110. By Thomas Voß on 2015-08-13: Make process-start-time verification configurable.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Thomas Voß

Ubuntu Phablet Team

1	=== modified file 'src/core/trust/daemon.cpp'
2	--- src/core/trust/daemon.cpp 2014-10-15 17:53:44 +0000
3	+++ src/core/trust/daemon.cpp 2015-08-14 09:37:25 +0000
4	@@ -262,7 +262,8 @@
5	core::trust::remote::helpers::aa_get_task_con_app_id_resolver(),
6	dict.count("description-pattern") > 0 ?
7	dict.at("description-pattern") :
8	- "Application %1% is trying to access " + service_name + "."
9	+ "Application %1% is trying to access " + service_name + ".",
10	+ dict.count("verify-process-timestamp") > 0
11	};
12
13	return core::trust::remote::posix::Skeleton::create_skeleton_for_configuration(config);
14	@@ -366,10 +367,10 @@
15	core::trust::CachedAgentGlogReporter::Configuration{})
16	});
17
18	- auto whitelisting_agent = std::make_shared<core::trust::WhiteListingAgent>([](const core::trust::Agent::RequestParameters& params) -> bool
19	+ auto whitelisting_agent = std::make_shared<core::trust::WhiteListingAgent>([vm](const core::trust::Agent::RequestParameters& params) -> bool
20	{
21	static auto unconfined_predicate = core::trust::WhiteListingAgent::always_grant_for_unconfined();
22	- return unconfined_predicate(params) \|\| params.application.id == "com.ubuntu.camera_camera";
23	+ return not (vm.count("disable-whitelisting") > 0) && (unconfined_predicate(params) \|\| params.application.id == "com.ubuntu.camera_camera");
24	}, cached_agent);
25
26	auto formatting_agent = std::make_shared<core::trust::AppIdFormattingTrustAgent>(whitelisting_agent);
27
28	=== modified file 'src/core/trust/mir/prompt_main.cpp'
29	--- src/core/trust/mir/prompt_main.cpp 2015-02-13 12:07:56 +0000
30	+++ src/core/trust/mir/prompt_main.cpp 2015-08-14 09:37:25 +0000
31	@@ -36,6 +36,8 @@
32
33	#include <core/posix/this_process.h>
34
35	+#include <thread>
36	+
37	#include "prompt_config.h"
38	#include "prompt_main.h"
39
40	@@ -99,6 +101,8 @@
41
42	int main(int argc, char** argv)
43	{
44	+ std::this_thread::sleep_for(std::chrono::seconds(10));
45	+
46	boost::program_options::options_description options;
47	options.add_options()
48	(cli::option_server_socket, boost::program_options::value<std::string>(), "Mir server socket to connect to.")
49
50	=== modified file 'src/core/trust/remote/posix.cpp'
51	--- src/core/trust/remote/posix.cpp 2014-07-29 16:06:22 +0000
52	+++ src/core/trust/remote/posix.cpp 2015-08-14 09:37:25 +0000
53	@@ -255,6 +255,7 @@
54	start_time_resolver{configuration.start_time_resolver},
55	app_id_resolver{configuration.app_id_resolver},
56	description_pattern{configuration.description_format},
57	+ verify_process_start_time{configuration.verify_process_start_time},
58	endpoint{configuration.endpoint},
59	socket{configuration.io_service}
60	{
61	@@ -310,14 +311,15 @@
62	core::trust::Request::Answer remote::posix::Skeleton::process_incoming_request(const core::trust::remote::posix::Request& request)
63	{
64	// We first validate the process start time again.
65	- if (start_time_resolver(request.app_pid) != request.app_start_time) throw std::runtime_error
66	+ if (verify_process_start_time)
67	{
68	- "Potential spoofing detected on incoming request."
69	- };
70	+ if (start_time_resolver(request.app_pid) != request.app_start_time) throw std::runtime_error
71	+ {
72	+ "Potential spoofing detected on incoming request."
73	+ };
74	+ }
75
76	- // Assemble the description.
77	auto app_id = app_id_resolver(request.app_pid);
78	- auto description = (boost::format{description_pattern} % app_id).str();
79
80	// And reach out to the user.
81	// TODO(tvoss): How to handle exceptions here?
82	@@ -328,6 +330,6 @@
83	request.app_pid,
84	app_id,
85	request.feature,
86	- description
87	+ description_pattern
88	});
89	}
90
91	=== modified file 'src/core/trust/remote/posix.h'
92	--- src/core/trust/remote/posix.h 2014-08-04 07:57:05 +0000
93	+++ src/core/trust/remote/posix.h 2015-08-14 09:37:25 +0000
94	@@ -210,6 +210,10 @@
95	// Pattern for assembling the prompt dialog's description given
96	// an app id.
97	std::string description_format;
98	+ // If set to true, enforces spoofing-prevention by inspecting and comparing
99	+ // process start times. This causes issues for the case of crossing the
100	+ // Android/Ubuntu boundary and we have to make it configurable.
101	+ bool verify_process_start_time;
102	};
103
104	static Ptr create_skeleton_for_configuration(const Configuration& configuration);
105	@@ -239,6 +243,10 @@
106	// Pattern for assembling the prompt dialog's description given
107	// an app id.
108	std::string description_pattern;
109	+ // If set to true, enforces spoofing-prevention by inspecting and comparing
110	+ // process start times. This causes issues for the case of crossing the
111	+ // Android/Ubuntu boundary and we have to make it configurable.
112	+ bool verify_process_start_time;
113	// The endpoint in the filesystem that we are connected with.
114	boost::asio::local::stream_protocol::endpoint endpoint;
115	// The actual socket for communication with the service.
116
117	=== modified file 'tests/remote_agent_test.cpp'
118	--- tests/remote_agent_test.cpp 2014-08-06 13:42:23 +0000
119	+++ tests/remote_agent_test.cpp 2015-08-14 09:37:25 +0000
120	@@ -359,7 +359,8 @@
121	boost::asio::local::stream_protocol::endpoint{UnixDomainSocketRemoteAgent::endpoint_for_testing},
122	process_start_time_resolver.to_functional(),
123	core::trust::remote::helpers::aa_get_task_con_app_id_resolver(),
124	- "Just a test for %1%."
125	+ "Just a test for %1%.",
126	+ true
127	};
128
129	auto skeleton = core::trust::remote::posix::Skeleton::create_skeleton_for_configuration(config);
130	@@ -523,7 +524,8 @@
131	boost::asio::local::stream_protocol::endpoint{endpoint_for_acceptance_testing},
132	core::trust::remote::helpers::proc_stat_start_time_resolver(),
133	core::trust::remote::helpers::aa_get_task_con_app_id_resolver(),
134	- "Just a test for %1%."
135	+ "Just a test for %1%.",
136	+ true
137	};
138
139	stub_ready.wait_for_signal_ready_for(std::chrono::milliseconds{1000});
140	@@ -761,7 +763,8 @@
141	boost::asio::local::stream_protocol::endpoint{endpoint_for_acceptance_testing},
142	core::trust::remote::helpers::proc_stat_start_time_resolver(),
143	core::trust::remote::helpers::aa_get_task_con_app_id_resolver(),
144	- "Just a test for %1%."
145	+ "Just a test for %1%.",
146	+ true
147	};
148
149	stub_ready.wait_for_signal_ready_for(std::chrono::milliseconds{1000});