Merge lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable into lp:trust-store

Proposed by Thomas Voß on 2015-08-13
Status: Needs review
Proposed branch: lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable
Merge into: lp:trust-store
Diff against target: 149 lines (+30/-12)
5 files modified
src/core/trust/daemon.cpp (+4/-3)
src/core/trust/mir/prompt_main.cpp (+4/-0)
src/core/trust/remote/posix.cpp (+8/-6)
src/core/trust/remote/posix.h (+8/-0)
tests/remote_agent_test.cpp (+6/-3)
To merge this branch: bzr merge lp:~thomas-voss/trust-store/make-process-start-time-verification-configurable
Reviewer Review Type Date Requested Status
PS Jenkins bot continuous-integration Approve on 2015-08-14
Ubuntu Phablet Team 2015-08-13 Pending
Review via email: mp+267923@code.launchpad.net

Commit message

Expose flag for process timestamp verification as command line argument.
Make process-start-time verification configurable.
Adjust test cases to account for new struct member.

Description of the change

Expose flag for process timestamp verification as command line argument.
Make process-start-time verification configurable.
Adjust test cases to account for new struct member.

112. By Thomas Voß on 2015-08-13

Add some terminal output for debugging purposes.

113. By Thomas Voß on 2015-08-13

Temporarily enable debugging of the prompt.

114. By Thomas Voß on 2015-08-14

Remove temporary terminal output.
Make whitelisting agent behavior configurable via a command-line flag 'disable-whitelisting'.

Unmerged revisions

114. By Thomas Voß on 2015-08-14

Remove temporary terminal output.
Make whitelisting agent behavior configurable via a command-line flag 'disable-whitelisting'.

113. By Thomas Voß on 2015-08-13

Temporarily enable debugging of the prompt.

112. By Thomas Voß on 2015-08-13

Add some terminal output for debugging purposes.

111. By Thomas Voß on 2015-08-13

Expose flag for process timestamp verification as command line argument.
Adjust test cases to account for new struct member.

110. By Thomas Voß on 2015-08-13

Make process-start-time verification configurable.

Preview Diff

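--- a/src/core/trust/daemon.cpp
+++ b/src/core/trust/daemon.cpp
@@ -262,7 +262,8 @@
 core::trust::remote::helpers::aa_get_task_con_app_id_resolver(),
 dict.count("description-pattern") > 0 ?
 dict.at("description-pattern") :
- "Application %1% is trying to access " + service_name + "."
+ "Application %1% is trying to access " + service_name + ".",
+ dict.count("verify-process-timestamp") > 0
 };
 
 return core::trust::remote::posix::Skeleton::create_skeleton_for_configuration(config);
@@ -366,10 +367,10 @@
 core::trust::CachedAgentGlogReporter::Configuration{})
 });
 
- auto whitelisting_agent = std::make_shared<core::trust::WhiteListingAgent>([](const core::trust::Agent::RequestParameters& params) -> bool
+ auto whitelisting_agent = std::make_shared<core::trust::WhiteListingAgent>([vm](const core::trust::Agent::RequestParameters& params) -> bool
 {
 static auto unconfined_predicate = core::trust::WhiteListingAgent::always_grant_for_unconfined();
- return unconfined_predicate(params) || params.application.id == "com.ubuntu.camera_camera";
+ return not (vm.count("disable-whitelisting") > 0) && (unconfined_predicate(params) || params.application.id == "com.ubuntu.camera_camera");
 }, cached_agent);
 
 auto formatting_agent = std::make_shared<core::trust::AppIdFormattingTrustAgent>(whitelisting_agent);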
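Review bot: With `dict.count("verify-process-timestamp") > 0` in the first hunk, the skeleton's start-time check is off unless the operator passes the option explicitly, so any deployment that keeps its existing command line silently loses a check that was unconditional before this change. Unless the Android-boundary case is the common deployment, the safer shape is opt-out: keep verification on when the option is absent and read a `disable-…` style option, mirroring the `disable-whitelisting` flag the second hunk introduces. The hunk does not show this option being registered in the options_description; with boost::program_options an unregistered option is rejected at parse time unless unregistered options are explicitly allowed, so please confirm it is declared next to `description-pattern`. As a point of style, `not (vm.count("disable-whitelisting") > 0) && (…)` in the second hunk reads more directly as `vm.count("disable-whitelisting") == 0 && (…)`.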
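--- a/src/core/trust/mir/prompt_main.cpp
+++ b/src/core/trust/mir/prompt_main.cpp
@@ -36,6 +36,8 @@
 
 #include <core/posix/this_process.h>
 
+ #include <thread>
+
 #include "prompt_config.h"
 #include "prompt_main.h"
 
@@ -99,6 +101,8 @@
 
 int main(int argc, char** argv)
 {
+ std::this_thread::sleep_for(std::chrono::seconds(10));
+
 boost::program_options::options_description options;
 options.add_options()
 (cli::option_server_socket, boost::program_options::value<std::string>(), "Mir server socket to connect to.")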
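Review bot: The `std::this_thread::sleep_for(std::chrono::seconds(10));` added at the top of main is the debugging aid from revision 113 ("Temporarily enable debugging of the prompt"), and revision 114 removes only the terminal output, so every prompt start now stalls for ten seconds before the options are even parsed. It should be dropped before merge, together with the `#include <thread>` in the first hunk that exists only to support it. If a startup delay is genuinely useful for attaching a debugger, gate it behind an explicit command-line option rather than an unconditional sleep.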
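--- a/src/core/trust/remote/posix.cpp
+++ b/src/core/trust/remote/posix.cpp
@@ -255,6 +255,7 @@
 start_time_resolver{configuration.start_time_resolver},
 app_id_resolver{configuration.app_id_resolver},
 description_pattern{configuration.description_format},
+ verify_process_start_time{configuration.verify_process_start_time},
 endpoint{configuration.endpoint},
 socket{configuration.io_service}
 {
@@ -310,14 +311,15 @@
 core::trust::Request::Answer remote::posix::Skeleton::process_incoming_request(const core::trust::remote::posix::Request& request)
 {
 // We first validate the process start time again.
- if (start_time_resolver(request.app_pid) != request.app_start_time) throw std::runtime_error
+ if (verify_process_start_time)
 {
- "Potential spoofing detected on incoming request."
- };
+ if (start_time_resolver(request.app_pid) != request.app_start_time) throw std::runtime_error
+ {
+ "Potential spoofing detected on incoming request."
+ };
+ }
 
- // Assemble the description.
 auto app_id = app_id_resolver(request.app_pid);
- auto description = (boost::format{description_pattern} % app_id).str();
 
 // And reach out to the user.
 // TODO(tvoss): How to handle exceptions here?
@@ -328,6 +330,6 @@
 request.app_pid,
 app_id,
 request.feature,
- description
+ description_pattern
 });
 }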
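Review bot: In the last hunk the prompt now receives `description_pattern` where it previously received `description`, and the second hunk drops the `boost::format{description_pattern} % app_id` step, so the raw pattern (`Application %1% is trying to access …` as built in daemon.cpp) reaches the user-facing prompt with its `%1%` placeholder unresolved unless a consumer further down performs the substitution. Neither the commit message nor the description mentions moving the formatting, so please confirm this is intended and, if so, say so at the call site, e.g. `// description_pattern is substituted with app_id by the prompt side.`. Separately, when `verify_process_start_time` is false the skeleton resolves `app_id` from `request.app_pid` with nothing tying that pid to the process that sent the request, so a one-line comment in the else-path such as `// Start-time verification disabled by configuration; request.app_pid is trusted as-is.` would make the weakened mode visible to the next reader. process_incoming_request continues between the second and third hunk, outside what is shown.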
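--- a/src/core/trust/remote/posix.h
+++ b/src/core/trust/remote/posix.h
@@ -210,6 +210,10 @@
 // Pattern for assembling the prompt dialog's description given
 // an app id.
 std::string description_format;
+ // If set to true, enforces spoofing-prevention by inspecting and comparing
+ // process start times. This causes issues for the case of crossing the
+ // Android/Ubuntu boundary and we have to make it configurable.
+ bool verify_process_start_time;
 };
 
 static Ptr create_skeleton_for_configuration(const Configuration& configuration);
@@ -239,6 +243,10 @@
 // Pattern for assembling the prompt dialog's description given
 // an app id.
 std::string description_pattern;
+ // If set to true, enforces spoofing-prevention by inspecting and comparing
+ // process start times. This causes issues for the case of crossing the
+ // Android/Ubuntu boundary and we have to make it configurable.
+ bool verify_process_start_time;
 // The endpoint in the filesystem that we are connected with.
 boost::asio::local::stream_protocol::endpoint endpoint;
 // The actual socket for communication with the service.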
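Review bot: `bool verify_process_start_time;` in the Configuration struct (first hunk) has no default, so any aggregate initialization that stops at `description_format` value-initializes it to `false` — an existing caller that is not updated silently disables the spoofing check instead of failing to compile. If the project builds as C++11, adding an in-class initializer would make Configuration a non-aggregate and break the brace initializations in daemon.cpp and the tests, so at minimum the comment should spell out the failure mode: `// Callers that omit this member in aggregate initialization get false (verification disabled).`. The same three-line comment is duplicated verbatim on the Skeleton member in the second hunk; that copy could simply refer to the Configuration field.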
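--- a/tests/remote_agent_test.cpp
+++ b/tests/remote_agent_test.cpp
@@ -359,7 +359,8 @@
 boost::asio::local::stream_protocol::endpoint{UnixDomainSocketRemoteAgent::endpoint_for_testing},
 process_start_time_resolver.to_functional(),
 core::trust::remote::helpers::aa_get_task_con_app_id_resolver(),
- "Just a test for %1%."
+ "Just a test for %1%.",
+ true
 };
 
 auto skeleton = core::trust::remote::posix::Skeleton::create_skeleton_for_configuration(config);
@@ -523,7 +524,8 @@
 boost::asio::local::stream_protocol::endpoint{endpoint_for_acceptance_testing},
 core::trust::remote::helpers::proc_stat_start_time_resolver(),
 core::trust::remote::helpers::aa_get_task_con_app_id_resolver(),
- "Just a test for %1%."
+ "Just a test for %1%.",
+ true
 };
 
 stub_ready.wait_for_signal_ready_for(std::chrono::milliseconds{1000});
@@ -761,7 +763,8 @@
 boost::asio::local::stream_protocol::endpoint{endpoint_for_acceptance_testing},
 core::trust::remote::helpers::proc_stat_start_time_resolver(),
 core::trust::remote::helpers::aa_get_task_con_app_id_resolver(),
- "Just a test for %1%."
+ "Just a test for %1%.",
+ true
 };
 
 stub_ready.wait_for_signal_ready_for(std::chrono::milliseconds{1000});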
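Review bot: All three updated Configuration initializers pass `true` for verify_process_start_time, so the new disabled path in Skeleton::process_incoming_request has no coverage. The first test already owns a `process_start_time_resolver` mock, which makes it the natural place for a second case that sets the flag to `false`, returns a mismatching start time from the resolver, and asserts the request is still answered rather than rejected, plus a complementary case with the flag `true` that pins the throw. Without that pair, a regression in which the flag ends up false by default would not be caught here.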
