core: merge branch 'th/keyfile-owner-check-bgo701112'

Renable checking owner of keyfile files but disable that
behavior for tests.

For that, add a nm_utils_get_testing() function to core to detect
whether the code is running as part of a test.

https://bugzilla.gnome.org/show_bug.cgi?id=701112

include/nm-test-utils.h

@@ -96,6 +96,10 @@
 #include "nm-glib-compat.h"
 #include "gsystem-local-alloc.h"
 
+#ifdef __NETWORKMANAGER_LOGGING_H__
+/* We are running tests under src/ */
+#include "NetworkManagerUtils.h"
+#endif
 
 /* Analog to EXIT_SUCCESS and EXIT_FAILURE. */
 #define EXIT_SKIP (77)
@@ -258,6 +262,11 @@ __nmtst_init (int *argc, char ***argv, gboolean assert_logging, const char *log_
 	g_assert (!argc || (g_strv_length (*argv) == *argc));
 	g_assert (!assert_logging || (!log_level && !log_domains));
 
+#ifdef __NETWORKMANAGER_UTILS_H__
+	if (!nm_utils_get_testing_initialized ())
+		_nm_utils_set_testing (_NM_UTILS_TEST_GENERAL);
+#endif
+
 	if (argc)
 		__nmtst_internal.orig_argv = g_strdupv (*argv);
 

src/NetworkManagerUtils.c

@@ -59,6 +59,60 @@
 #define CLOCK_BOOTTIME 7
 #endif
 
+G_STATIC_ASSERT (sizeof (NMUtilsTestFlags) <= sizeof (int));
+int _nm_utils_testing = 0;
+
+gboolean
+nm_utils_get_testing_initialized ()
+{
+	NMUtilsTestFlags flags;
+
+	flags = (NMUtilsTestFlags) _nm_utils_testing;
+	if (flags == NM_UTILS_TEST_NONE)
+		flags = (NMUtilsTestFlags) g_atomic_int_get (&_nm_utils_testing);
+	return flags != NM_UTILS_TEST_NONE;
+}
+
+NMUtilsTestFlags
+nm_utils_get_testing ()
+{
+	NMUtilsTestFlags flags;
+
+	flags = (NMUtilsTestFlags) _nm_utils_testing;
+	if (flags != NM_UTILS_TEST_NONE) {
+		/* Flags already initialized. Return them. */
+		return flags & NM_UTILS_TEST_ALL;
+	}
+
+	/* Accessing nm_utils_get_testing() causes us to set the flags to initialized.
+	 * Detecting running tests also based on g_test_initialized(). */
+	flags = _NM_UTILS_TEST_INITIALIZED;
+	if (g_test_initialized ())
+		flags |= _NM_UTILS_TEST_GENERAL;
+
+	if (g_atomic_int_compare_and_exchange (&_nm_utils_testing, 0, (int) flags)) {
+		/* Done. We set it. */
+		return flags & NM_UTILS_TEST_ALL;
+	}
+	/* It changed in the meantime (??). Re-read the value. */
+	return ((NMUtilsTestFlags) _nm_utils_testing) & NM_UTILS_TEST_ALL;
+}
+
+void
+_nm_utils_set_testing (NMUtilsTestFlags flags)
+{
+	g_assert (!NM_FLAGS_ANY (flags, ~NM_UTILS_TEST_ALL));
+
+	/* mask out everything except ALL, and always set GENERAL. */
+	flags = (flags & NM_UTILS_TEST_ALL) | (_NM_UTILS_TEST_GENERAL | _NM_UTILS_TEST_INITIALIZED);
+
+	if (!g_atomic_int_compare_and_exchange (&_nm_utils_testing, 0, (int) flags)) {
+		/* We only allow setting _nm_utils_set_testing() once, before fetching the
+		 * value with nm_utils_get_testing(). */
+		g_return_if_reached ();
+	}
+}
+
 /*
  * nm_ethernet_address_is_valid:
  * @addr: pointer to a binary or ASCII Ethernet address

src/NetworkManagerUtils.h

@@ -189,4 +189,24 @@ void nm_utils_array_remove_at_indexes (GArray *array, const guint *indexes_to_de
 
 void nm_utils_setpgid (gpointer unused);
 
+typedef enum {
+	NM_UTILS_TEST_NONE                              = 0,
+
+	/* Internal flag, marking that either nm_utils_get_testing() or _nm_utils_set_testing() was called. */
+	_NM_UTILS_TEST_INITIALIZED                      = (1LL << 0),
+
+	/* Indicate that test mode is enabled in general. Explicitly calling _nm_utils_set_testing() will always set this flag. */
+	_NM_UTILS_TEST_GENERAL                          = (1LL << 1),
+
+	/* Don't check the owner of keyfiles during testing. */
+	NM_UTILS_TEST_NO_KEYFILE_OWNER_CHECK            = (1LL << 2),
+
+	_NM_UTILS_TEST_LAST,
+	NM_UTILS_TEST_ALL                               = (((_NM_UTILS_TEST_LAST - 1) << 1) - 1) & ~(_NM_UTILS_TEST_INITIALIZED),
+} NMUtilsTestFlags;
+
+gboolean nm_utils_get_testing_initialized (void);
+NMUtilsTestFlags nm_utils_get_testing (void);
+void _nm_utils_set_testing (NMUtilsTestFlags flags);
+
 #endif /* __NETWORKMANAGER_UTILS_H__ */

src/nm-dbus-manager.c

@@ -36,6 +36,7 @@
 #include <dbus/dbus-glib-lowlevel.h>
 #include <string.h>
 #include "nm-logging.h"
+#include "NetworkManagerUtils.h"
 
 #define PRIV_SOCK_PATH NMRUNDIR "/private"
 #define PRIV_SOCK_TAG  "private"
@@ -491,7 +492,7 @@ private_server_setup (NMDBusManager *self)
 	NMDBusManagerPrivate *priv = NM_DBUS_MANAGER_GET_PRIVATE (self);
 
 	/* Skip this step if this is just a test program */
-	if (g_test_initialized ())
+	if (nm_utils_get_testing ())
 		return;
 
 	/* Set up our main private DBus socket */

src/settings/plugins/keyfile/reader.c

@@ -27,6 +27,7 @@
 
 #include "nm-logging.h"
 #include "nm-keyfile-internal.h"
+#include "NetworkManagerUtils.h"
 
 static const char *
 _fmt_warn (const char *group, NMSetting *setting, const char *property_name, const char *message, char **out_message)
@@ -90,7 +91,6 @@ nm_keyfile_plugin_connection_from_file (const char *filename, GError **error)
 {
 	GKeyFile *key_file;
 	struct stat statbuf;
-	gboolean bad_permissions;
 	NMConnection *connection = NULL;
 	GError *verify_error = NULL;
 
@@ -100,15 +100,22 @@ nm_keyfile_plugin_connection_from_file (const char *filename, GError **error)
 		return NULL;
 	}
 
-	bad_permissions = statbuf.st_mode & 0077;
-
-	if (bad_permissions) {
+	if (statbuf.st_mode & 0077) {
 		g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
 		             "File permissions (%o) were insecure",
 		             statbuf.st_mode);
 		return NULL;
 	}
 
+	if (!NM_FLAGS_HAS (nm_utils_get_testing (), NM_UTILS_TEST_NO_KEYFILE_OWNER_CHECK)) {
+		if (statbuf.st_uid != 0) {
+			g_set_error (error, NM_SETTINGS_ERROR, NM_SETTINGS_ERROR_INVALID_CONNECTION,
+			             "File owner (%o) is insecure",
+			             statbuf.st_mode);
+			return NULL;
+		}
+	}
+
 	key_file = g_key_file_new ();
 	if (!g_key_file_load_from_file (key_file, filename, G_KEY_FILE_NONE, error))
 		goto out;

src/settings/plugins/keyfile/tests/test-keyfile.c

@@ -3632,6 +3632,7 @@ NMTST_DEFINE ();
 
 int main (int argc, char **argv)
 {
+	_nm_utils_set_testing (NM_UTILS_TEST_NO_KEYFILE_OWNER_CHECK);
 	nmtst_init_assert_logging (&argc, &argv, "INFO", "DEFAULT");
 
 	/* The tests */