author | William Jon McCann <jmccann@redhat.com> | 2008-02-12 15:00:46 -0500 |
committer | William Jon McCann <jmccann@redhat.com> | 2008-02-12 15:00:46 -0500 |
commit | 40dff5a03c7b085e34a7052efd23651d5be7674f (patch) | |
tree | 429e4ebc47f4dd027067891684172bc427b92975 | |
parent | 685f2cbf9d69da556907ba6c935fe6ab1d2eeda3 (diff) |
reverse the sense of the dbus policy
Deny first and then allow. Add a simple test
script to check method access policy.
-rw-r--r-- | NEWS | 7 | ||||
-rw-r--r-- | data/ConsoleKit.conf | 94 | ||||
-rwxr-xr-x | src/test-method-access-policy | 517 |
3 files changed, 598 insertions, 20 deletions
@@ -1,4 +1,11 @@ ============= +Version 0.2.9 +============= + + * add a ck-launch-session tool (William Jon McCann) + * don't set the session-type to the command name (William Jon McCann) + +============= Version 0.2.8 ============= diff --git a/data/ConsoleKit.conf b/data/ConsoleKit.conf index d1a6335..70a0423 100644 --- a/data/ConsoleKit.conf +++ b/data/ConsoleKit.conf 
@@ -7,34 +7,88 @@ <policy user="root"> <allow own="org.freedesktop.ConsoleKit"/> + <!-- Allow all methods on interfaces --> <allow send_interface="org.freedesktop.ConsoleKit.Manager"/> <allow send_interface="org.freedesktop.ConsoleKit.Seat"/> <allow send_interface="org.freedesktop.ConsoleKit.Session"/> - - <allow send_interface="org.freedesktop.ConsoleKit.Manager" - send_member="OpenSessionWithParameters"/> - <allow send_interface="org.freedesktop.ConsoleKit.Session" - send_member="Lock"/> - <allow send_interface="org.freedesktop.ConsoleKit.Session" - send_member="Unlock"/> - <allow send_destination="org.freedesktop.ConsoleKit" - send_interface="org.freedesktop.DBus.Properties" /> </policy> - <!-- Allow anyone to invoke methods on the interfaces --> + <!-- Deny all and then allow some methods on interfaces --> <policy context="default"> - <allow send_interface="org.freedesktop.ConsoleKit.Manager"/> - <allow send_interface="org.freedesktop.ConsoleKit.Seat"/> - <allow send_interface="org.freedesktop.ConsoleKit.Session"/> - - <deny send_interface="org.freedesktop.ConsoleKit.Manager" - send_member="OpenSessionWithParameters"/> - <deny send_interface="org.freedesktop.ConsoleKit.Session" - send_member="Lock"/> - <deny send_interface="org.freedesktop.ConsoleKit.Session" - send_member="Unlock"/> + <deny send_interface="org.freedesktop.ConsoleKit.Manager"/> + <deny send_interface="org.freedesktop.ConsoleKit.Seat"/> + <deny send_interface="org.freedesktop.ConsoleKit.Session"/> <deny send_destination="org.freedesktop.ConsoleKit" send_interface="org.freedesktop.DBus.Properties" /> + + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="Restart"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="Stop"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="OpenSession"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="CloseSession"/> + <allow 
send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="GetSeats"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="GetSessionForCookie"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="GetSessionForUnixProcess"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="GetCurrentSession"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="GetSessionsForUnixUser"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="GetSessionsForUser"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="GetSystemIdleHint"/> + <allow send_interface="org.freedesktop.ConsoleKit.Manager" + send_member="GetSystemIdleSinceHint"/> + + <allow send_interface="org.freedesktop.ConsoleKit.Seat" + send_member="GetId"/> + <allow send_interface="org.freedesktop.ConsoleKit.Seat" + send_member="GetSessions"/> + <allow send_interface="org.freedesktop.ConsoleKit.Seat" + send_member="GetDevices"/> + <allow send_interface="org.freedesktop.ConsoleKit.Seat" + send_member="GetActiveSession"/> + <allow send_interface="org.freedesktop.ConsoleKit.Seat" + send_member="CanActivateSessions"/> + <allow send_interface="org.freedesktop.ConsoleKit.Seat" + send_member="ActivateSession"/> + + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetId"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetSeatId"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetSessionType"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetUser"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetUnixUser"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetX11Display"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetX11DisplayDevice"/> + <allow 
send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetDisplayDevice"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetRemoteHostName"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="IsActive"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="IsLocal"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetCreationTime"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="Activate"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetIdleHint"/> + <allow send_interface="org.freedesktop.ConsoleKit.Session" + send_member="GetIdleSinceHint"/> </policy> </busconfig> diff --git a/src/test-method-access-policy b/src/test-method-access-policy new file mode 100755 index 0000000..f9ea8e2 --- /dev/null +++ b/src/test-method-access-policy 
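Review bot: The three new `<deny send_interface=.../>` rules in the default context are not qualified by `send_destination`, so they apply to messages sent to any bus name, and the dbus-daemon policy documentation warns against unqualified interface denies because the interface header field in a message is optional. Binding them to the service, e.g. `<deny send_destination="org.freedesktop.ConsoleKit" send_interface="org.freedesktop.ConsoleKit.Manager"/>` (and likewise for the Seat and Session lines), scopes the default-deny to ConsoleKit the same way the existing Properties deny already is; the new `<allow>` rules would benefit from the same qualifier. Separately, the allow list now admits `Restart` and `Stop` from any caller in the default context, so any authorization for those two calls is left entirely to the service; if that is intended, a short comment next to those rules saying so would help the next reader. The `</busconfig>` close is inside the hunk, so the policy block is complete as shown.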
@@ -0,0 +1,517 @@ +#!/usr/bin/env python +# +# Test access to methods +# + +import os +import gobject +import dbus +import dbus.glib + +bus = dbus.SystemBus () + +privileged = (os.geteuid () == 0) +if privileged: + print "Running privileged as uid=%d pid=%d" % (os.geteuid (), os.getpid ()) +else: + print "Running unprivileged as uid=%d pid=%d" % (os.geteuid (), os.getpid ()) + +print "Testing all public methods to check D-Bus policy" + +manager_obj = bus.get_object ('org.freedesktop.ConsoleKit', '/org/freedesktop/ConsoleKit/Manager') +manager = dbus.Interface (manager_obj, 'org.freedesktop.ConsoleKit.Manager') + +print "Testing Manager.OpenSession:", +res = "PASS" +try: + cookie = manager.OpenSession () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Manager.CloseSession:", +res = "PASS" +try: + manager.CloseSession (cookie) +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Manager.OpenSessionWithParameters:", +res = "PASS" +try: + cookie = manager.OpenSessionWithParameters (dbus.Array([], signature = "sv")) + if not privileged: + res = "FAIL" +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + if privileged: + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t%s" % res + +print "Testing Manager.GetSeats:", +res = "PASS" +try: + manager.GetSeats () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + 
res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Manager.GetSessionForCookie:", +res = "PASS" +try: + manager.GetSessionForCookie (os.environ['XDG_SESSION_COOKIE']) +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Manager.GetSessionForUnixProcess:", +res = "PASS" +try: + manager.GetSessionForUnixProcess (os.getpid ()) +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t%s" % res + +print "Testing Manager.GetCurrentSession:", +res = "PASS" +try: + manager.GetCurrentSession () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Manager.GetSessionsForUnixUser:", +res = "PASS" +try: + manager.GetSessionsForUnixUser (os.geteuid ()) +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t%s" % res + +print "Testing Manager.GetSessionsForUser:", +res = "PASS" +try: + manager.GetSessionsForUser (os.geteuid ()) +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN 
METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Manager.GetSystemIdleHint:", +res = "PASS" +try: + manager.GetSystemIdleHint () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Manager.GetSystemIdleSinceHint:", +res = "PASS" +try: + manager.GetSystemIdleSinceHint () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t%s" % res + + +# Test Seat Interface + +seat_obj = bus.get_object ('org.freedesktop.ConsoleKit', '/org/freedesktop/ConsoleKit/Seat1') +seat = dbus.Interface (seat_obj, 'org.freedesktop.ConsoleKit.Seat') + +print "Testing Seat.GetId:", +res = "PASS" +try: + seat.GetId () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t\t%s" % res + +print "Testing Seat.GetSessions:", +res = "PASS" +try: + seat.GetSessions () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Seat.GetDevices:", +res = "PASS" +try: + seat.GetDevices () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print 
"Testing Seat.GetActiveSession:", +res = "PASS" +try: + seat.GetActiveSession () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Seat.CanActivateSessions:", +res = "PASS" +try: + seat.CanActivateSessions () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Seat.ActivateSession:", +res = "PASS" +try: + seat.ActivateSession ('/org/freedesktop/ConsoleKit/SessionN') +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +# Test Session Interface + +# create a new session so we can set props +cookie = manager.OpenSession () +ssid = manager.GetSessionForCookie (cookie) +if not ssid: + print "Could not create a session to test" + sys.exit () + +session_obj = bus.get_object ('org.freedesktop.ConsoleKit', ssid) +session = dbus.Interface (session_obj, 'org.freedesktop.ConsoleKit.Session') + +print "Testing Session.GetId:", +res = "PASS" +try: + session.GetId () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t\t%s" % res + +print "Testing Session.GetSeatId:", +res = "PASS" +try: + session.GetSeatId () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": 
+ res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Session.GetSessionType:", +res = "PASS" +try: + session.GetSessionType () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Session.GetUser:", +res = "PASS" +try: + session.GetUser () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Session.GetUnixUser:", +res = "PASS" +try: + session.GetUnixUser () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Session.GetX11Display:", +res = "PASS" +try: + session.GetX11Display () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Session.GetX11DisplayDevice:", +res = "PASS" +try: + session.GetX11DisplayDevice () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Session.GetDisplayDevice:", +res = "PASS" +try: + 
session.GetDisplayDevice () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Session.GetRemoteHostName:", +res = "PASS" +try: + session.GetRemoteHostName () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Session.IsActive:", +res = "PASS" +try: + session.IsActive () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Session.IsLocal:", +res = "PASS" +try: + session.IsLocal () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +print "Testing Session.GetCreationTime:", +res = "PASS" +try: + session.GetCreationTime () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Session.Activate:", +res = "PASS" +try: + session.Activate () +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" 
+except: + pass +print "\t\t\t%s" % res + +print "Testing Session.Lock:", +res = "PASS" +try: + session.Lock () + if not privileged: + res = "FAIL" +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + if privileged: + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t\t%s" % res + +print "Testing Session.Unlock:", +res = "PASS" +try: + session.Unlock () + if not privileged: + res = "FAIL" +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + if privileged: + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res + +# Test session properties + +session_props = dbus.Interface (session_obj, 'org.freedesktop.DBus.Properties') + +print "Testing Properties.Get 'unix-user':", +res = "PASS" +try: + session_props.Get ('org.freedesktop.ConsoleKit.Session', "unix-user") + if not privileged: + res = "FAIL" +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + if privileged: + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Properties.Get 'cookie':", +res = "PASS" +try: + session_props.Get ('org.freedesktop.ConsoleKit.Session', "cookie") + if not privileged: + res = "FAIL" +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + if privileged: + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t%s" % res + +print "Testing Properties.Set:", +res = "PASS" +try: + session_props.Set ('org.freedesktop.ConsoleKit.Session', "unix-user", 0) + if not privileged: + res = 
"FAIL" +except dbus.exceptions.DBusException, e: + if e.get_dbus_name () == "org.freedesktop.DBus.Error.AccessDenied": + if privileged: + res = "FAIL" + elif e.get_dbus_name () == "org.freedesktop.DBus.Error.UnknownMethod": + res = "UKNOWN METHOD" +except: + pass +print "\t\t\t%s" % res |