test/containers: Check that containers can't make new containers

We should prevent containers from trying to put a container in our container so we can sandbox while we sandbox. The implementation doesn't actually have any concept of nesting or layering, so that would potentially be privilege escalation. At the moment, this is just prevented by METHOD_FLAG_PRIVILEGED. When we remove that flag (after we've introduced better resource limits), we can specifically restrict this method to not be called by containers instead. This test will make sure we do. Signed-off-by: Simon McVittie <smcv@collabora.com> Reviewed-by: Philip Withnall <withnall@endlessm.com> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101354
2026-05-05 18:08:01 +02:00 · 2017-06-08 14:44:05 +01:00 · 2017-06-08 14:44:05 +01:00 · 6537b583f6
commit 6537b583f6
parent 6b8ee7a68c
1 changed files with 65 additions and 0 deletions
--- a/test/containers.c
+++ b/test/containers.c
@ -792,6 +792,69 @@ test_invalid_type_name (Fixture *f,
 #endif /* !HAVE_CONTAINERS_TEST */
 }

+/*
+ * Assert that a request to create a container server cannot come from a
+ * connection to an existing container server.
+ * (You cannot put containers in your container so you can sandbox while
+ * you sandbox.)
+ */
+static void
+test_invalid_nesting (Fixture *f,
+                      gconstpointer context)
+{
+#ifdef HAVE_CONTAINERS_TEST
+  GDBusProxy *nested_proxy;
+  GVariant *tuple;
+  GVariant *parameters;
+
+  if (f->skip)
+    return;
+
+  parameters = g_variant_new ("(ssa{sv}a{sv})",
+                              "com.example.NotFlatpak",
+                              "sample-app",
+                              NULL, /* no metadata */
+                              NULL); /* no named arguments */
+  if (!add_container_server (f, g_steal_pointer (&parameters)))
+    return;
+
+  g_test_message ("Connecting to %s...", f->socket_dbus_address);
+  f->confined_conn = g_dbus_connection_new_for_address_sync (
+      f->socket_dbus_address,
+      (G_DBUS_CONNECTION_FLAGS_MESSAGE_BUS_CONNECTION |
+       G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_CLIENT),
+      NULL, NULL, &f->error);
+  g_assert_no_error (f->error);
+
+  g_test_message ("Checking that confined app cannot nest containers...");
+  nested_proxy = g_dbus_proxy_new_sync (f->confined_conn,
+                                        G_DBUS_PROXY_FLAGS_NONE, NULL,
+                                        DBUS_SERVICE_DBUS, DBUS_PATH_DBUS,
+                                        DBUS_INTERFACE_CONTAINERS1, NULL,
+                                        &f->error);
+  g_assert_no_error (f->error);
+
+  parameters = g_variant_new ("(ssa{sv}a{sv})",
+                              "com.example.NotFlatpak",
+                              "inner-app",
+                              NULL, /* no metadata */
+                              NULL); /* no named arguments */
+  tuple = g_dbus_proxy_call_sync (nested_proxy, "AddServer",
+                                  g_steal_pointer (&parameters),
+                                  G_DBUS_CALL_FLAGS_NONE,
+                                  -1, NULL, &f->error);
+
+  g_assert_error (f->error, G_DBUS_ERROR, G_DBUS_ERROR_ACCESS_DENIED);
+  g_assert_null (tuple);
+  g_clear_error (&f->error);
+
+  g_clear_object (&nested_proxy);
+
+#else /* !HAVE_CONTAINERS_TEST */
+  g_test_skip ("Containers or gio-unix-2.0 not supported");
+#endif /* !HAVE_CONTAINERS_TEST */
+}
+
 static void
 teardown (Fixture *f,
    gconstpointer context G_GNUC_UNUSED)
@ -932,6 +995,8 @@ main (int argc,
              setup, test_unsupported_parameter, teardown);
  g_test_add ("/containers/invalid-type-name", Fixture, NULL,
              setup, test_invalid_type_name, teardown);
+  g_test_add ("/containers/invalid-nesting", Fixture, NULL,
+              setup, test_invalid_nesting, teardown);

  ret = g_test_run ();