[daemon] Restrict permissions on data and cache dirs
Sploder12 committed Dec 4, 2024
1 parent 68e6c0f commit f16c020
Showing 16 changed files with 106 additions and 3 deletions.
11 changes: 11 additions & 0 deletions src/daemon/daemon_config.cpp
@@ -31,6 +31,7 @@
#include <multipass/ssl_cert_provider.h>
#include <multipass/standard_paths.h>
#include <multipass/utils.h>
#include <multipass/utils/permission_utils.h>

#include <QString>
#include <QSysInfo>
@@ -189,6 +190,16 @@ std::unique_ptr<const mp::DaemonConfig> mp::DaemonConfigBuilder::build()
std::make_unique<DefaultVMBlueprintProvider>(url_downloader.get(), cache_directory, manifest_ttl);
}

if (!storage_path.isEmpty())
{
MP_PERMISSIONS.restrict_permissions(storage_path.toStdU16String());
}
else
{
MP_PERMISSIONS.restrict_permissions(data_directory.toStdU16String());
MP_PERMISSIONS.restrict_permissions(cache_directory.toStdU16String());
}

return std::unique_ptr<const DaemonConfig>(new DaemonConfig{
std::move(url_downloader), std::move(factory), std::move(image_hosts), std::move(vault),
std::move(name_generator), std::move(ssh_key_provider), std::move(cert_provider), std::move(client_cert_store),
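Review bot: The new branch in `build()` restricts only `storage_path` when a storage location is configured, so a `data_directory` or `cache_directory` that was assigned on the builder explicitly (the new tests in tests/test_daemon.cpp assign both) and lies outside that location would keep its previous permissions. Restricting the two resolved directories unconditionally closes that gap: keep `if (!storage_path.isEmpty()) MP_PERMISSIONS.restrict_permissions(storage_path.toStdU16String());` and make the `data_directory` and `cache_directory` calls after it without the `else`. The calls also run after the blueprint provider just above has already been handed `cache_directory`, so anything earlier in `build()` that writes into these directories presumably does so before they are locked down; moving the restriction to the point where the paths are resolved would remove that window. `build()` starts and ends outside the hunk, so both points need checking against the full function.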
4 changes: 2 additions & 2 deletions src/daemon/default_vm_image_vault.cpp
@@ -671,7 +671,7 @@ QString mp::DefaultVMImageVault::extract_image_from(const VMImage& source_image,
const mp::Path& dest_dir)
{
MP_UTILS.make_dir(dest_dir, QFile::ReadOwner | QFile::WriteOwner);
MP_PERMISSIONS.take_ownership(dest_dir.toStdString());
MP_PERMISSIONS.take_ownership(dest_dir.toStdU16String());

QFileInfo file_info{source_image.image_path};
const auto image_name = file_info.fileName().remove(".xz");
@@ -683,7 +683,7 @@ QString mp::DefaultVMImageVault::extract_image_from(const VMImage& source_image,
mp::VMImage mp::DefaultVMImageVault::image_instance_from(const VMImage& prepared_image, const mp::Path& dest_dir)
{
MP_UTILS.make_dir(dest_dir, QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);
MP_PERMISSIONS.take_ownership(dest_dir.toStdString());
MP_PERMISSIONS.take_ownership(dest_dir.toStdU16String());

return {mp::vault::copy(prepared_image.image_path, dest_dir),
prepared_image.id,
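Review bot: Both `take_ownership` calls now pass `dest_dir.toStdU16String()`, but nothing at the call sites records why the narrow `toStdString()` form was dropped, which makes the change easy to revert as a "simplification". If the reason is that a `std::filesystem::path` built from a narrow string is decoded in the platform's native narrow encoding on Windows rather than as UTF-8 (so a non-ASCII directory name would send the ownership change to a different path than the one just created), a one-line comment would preserve it, e.g. `// UTF-16 so std::filesystem::path decodes non-ASCII names identically on every platform`. The same conversion is repeated at the three `restrict_permissions` calls in src/daemon/daemon_config.cpp. Both functions continue outside their hunks.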
2 changes: 1 addition & 1 deletion tests/lxd/test_lxd_image_vault.cpp
@@ -61,7 +61,7 @@ struct LXDImageVault : public Test

mpt::MockLogger::Scope logger_scope = mpt::MockLogger::inject();
std::unique_ptr<NiceMock<mpt::MockNetworkAccessManager>> mock_network_access_manager;
mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
std::vector<mp::VMImageHost*> hosts;
5 changes: 5 additions & 0 deletions tests/test_alias_dict.cpp
@@ -28,6 +28,7 @@
#include "file_operations.h"
#include "json_test_utils.h"
#include "mock_file_ops.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_settings.h"
#include "mock_vm_image_vault.h"
@@ -607,6 +608,10 @@ struct DaemonAliasTestsuite

mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject<StrictMock>();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};

TEST_P(DaemonAliasTestsuite, purge_removes_purged_instance_aliases_and_scripts)
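Review bot: The three-line `MockPermissionUtils` injection added to `DaemonAliasTestsuite` is repeated verbatim in twelve more fixtures in this commit (test_client_common.cpp, test_daemon.cpp, test_daemon_authenticate.cpp, test_daemon_clone.cpp, test_daemon_find.cpp, test_daemon_launch.cpp, test_daemon_mount.cpp, test_daemon_snapshot_restore.cpp, test_daemon_start.cpp, test_daemon_suspend.cpp, test_daemon_umount.cpp and unix/test_daemon_rpc.cpp). All twelve of those visibly derive from `mpt::DaemonTestFixture`, so injecting the mock once in that base fixture would keep a future fixture from omitting it and, presumably, running the real permission code against directories on the test machine. Only test_daemon.cpp sets expectations on `mock_permission_utils`; in the other fixtures the reference member is unused and the `GuardedMock` member alone would do. The base of `DaemonAliasTestsuite` is outside the hunk, so whether it can share the same injection needs checking.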
5 changes: 5 additions & 0 deletions tests/test_client_common.cpp
@@ -22,6 +22,7 @@
#include "mock_cert_store.h"
#include "mock_client_rpc.h"
#include "mock_daemon.h"
#include "mock_permission_utils.h"
#include "mock_standard_paths.h"
#include "mock_utils.h"
#include "stub_terminal.h"
@@ -60,6 +61,10 @@ struct TestClientCommon : public mpt::DaemonTestFixture
std::make_unique<NiceMock<mpt::MockCertProvider>>()};
std::unique_ptr<mpt::MockCertStore> mock_cert_store{std::make_unique<mpt::MockCertStore>()};

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;

const std::string server_address{"localhost:50052"};
mpt::TempDir temp_dir;
};
32 changes: 32 additions & 0 deletions tests/test_daemon.cpp
@@ -27,6 +27,7 @@
#include "mock_image_host.h"
#include "mock_json_utils.h"
#include "mock_logger.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
#include "mock_settings.h"
@@ -139,6 +140,10 @@ struct Daemon : public mpt::DaemonTestFixture
mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject<StrictMock>();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;

const mpt::MockJsonUtils::GuardedMock mock_json_utils_injection = mpt::MockJsonUtils::inject<NiceMock>();
mpt::MockJsonUtils& mock_json_utils = *mock_json_utils_injection.first;
};
@@ -2519,4 +2524,31 @@ TEST_F(Daemon, info_all_returns_all_instances)
mp::Daemon daemon{config_builder.build()};
call_daemon_slot(daemon, &mp::Daemon::info, mp::InfoRequest{}, mock_server);
}

TEST_F(Daemon, sets_permissions_on_provided_storage_path)
{
const QString path{"Where all the secrets go"};
const std::filesystem::path std_path{path.toStdU16String()};

EXPECT_CALL(mock_platform, multipass_storage_location()).WillOnce(Return(path));
EXPECT_CALL(mock_permission_utils, restrict_permissions(std_path));

config_builder.build();
}

TEST_F(Daemon, sets_permissions_on_storage_dirs)
{

config_builder.data_directory = "Sensitive data location";
const std::filesystem::path std_data_path{config_builder.data_directory.toStdU16String()};

config_builder.cache_directory = "Pirate's secret cache";
const std::filesystem::path std_cache_path{config_builder.cache_directory.toStdU16String()};

EXPECT_CALL(mock_permission_utils, restrict_permissions(std_data_path));
EXPECT_CALL(mock_permission_utils, restrict_permissions(std_cache_path));

config_builder.build();
}

} // namespace
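Review bot: Neither new test covers a builder that has both a storage location and an explicitly assigned `data_directory` or `cache_directory`, which is the one case where the production branch in `DaemonConfigBuilder::build()` skips the two directories; a third test pinning the intended behaviour there would show whether leaving them unrestricted is deliberate. `sets_permissions_on_storage_dirs` also reaches the `else` branch only if `multipass_storage_location()` returns an empty string, and it leaves that to whatever default the fixture's `mock_platform` has; stating the precondition, e.g. `EXPECT_CALL(mock_platform, multipass_storage_location()).WillOnce(Return(QString{}));`, makes the test self-explanatory. The blank line that opens that test body can go.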
5 changes: 5 additions & 0 deletions tests/test_daemon_authenticate.cpp
@@ -17,6 +17,7 @@

#include "common.h"
#include "daemon_test_fixture.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
#include "mock_settings.h"
@@ -50,6 +51,10 @@ struct TestDaemonAuthenticate : public mpt::DaemonTestFixture

mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};
} // namespace

5 changes: 5 additions & 0 deletions tests/test_daemon_clone.cpp
@@ -17,6 +17,7 @@

#include "common.h"
#include "daemon_test_fixture.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
#include "mock_virtual_machine.h"
@@ -57,6 +58,10 @@ struct TestDaemonClone : public mpt::DaemonTestFixture

const mpt::MockPlatform::GuardedMock attr{mpt::MockPlatform::inject<NiceMock>()};
const mpt::MockPlatform& mock_platform = *attr.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};

TEST_F(TestDaemonClone, missingOnSrcInstance)
5 changes: 5 additions & 0 deletions tests/test_daemon_find.cpp
@@ -18,6 +18,7 @@
#include "common.h"
#include "daemon_test_fixture.h"
#include "mock_image_host.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_settings.h"
#include "mock_vm_blueprint_provider.h"
@@ -55,6 +56,10 @@ struct DaemonFind : public mpt::DaemonTestFixture

mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject<StrictMock>();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};

TEST_F(DaemonFind, blankQueryReturnsAllData)
5 changes: 5 additions & 0 deletions tests/test_daemon_launch.cpp
@@ -19,6 +19,7 @@
#include "common.h"
#include "daemon_test_fixture.h"
#include "mock_image_host.h"
#include "mock_permission_utils.h"
#include "mock_json_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
@@ -54,6 +55,10 @@ struct TestDaemonLaunch : public mpt::DaemonTestFixture
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockJsonUtils::GuardedMock mock_json_utils_injection = mpt::MockJsonUtils::inject<NiceMock>();

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};

TEST_F(TestDaemonLaunch, blueprintFoundMountsWorkspaceWithNameOverride)
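Review bot: The new `#include "mock_permission_utils.h"` is placed before `mock_json_utils.h`, which breaks the alphabetical include order that the other test files touched by this commit keep. Moving it to sit between `mock_json_utils.h` and `mock_platform.h` matches them and avoids churn the next time the includes are sorted.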
5 changes: 5 additions & 0 deletions tests/test_daemon_mount.cpp
@@ -20,6 +20,7 @@
#include "mock_file_ops.h"
#include "mock_logger.h"
#include "mock_mount_handler.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
#include "mock_settings.h"
@@ -68,6 +69,10 @@ struct TestDaemonMount : public mpt::DaemonTestFixture

mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};
} // namespace

5 changes: 5 additions & 0 deletions tests/test_daemon_snapshot_restore.cpp
@@ -17,6 +17,7 @@

#include "common.h"
#include "daemon_test_fixture.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
#include "mock_settings.h"
@@ -65,6 +66,10 @@ struct TestDaemonSnapshotRestoreBase : public mpt::DaemonTestFixture
mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject<StrictMock>();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;

mpt::MockVirtualMachineFactory& mock_factory = *use_a_mock_vm_factory();

std::vector<mp::NetworkInterface> extra_interfaces;
5 changes: 5 additions & 0 deletions tests/test_daemon_start.cpp
@@ -21,6 +21,7 @@
#include "common.h"
#include "mock_image_host.h"
#include "mock_mount_handler.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
#include "mock_settings.h"
@@ -54,6 +55,10 @@ struct TestDaemonStart : public mpt::DaemonTestFixture

mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject<StrictMock>();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};

TEST_F(TestDaemonStart, successfulStartOkStatus)
5 changes: 5 additions & 0 deletions tests/test_daemon_suspend.cpp
@@ -18,6 +18,7 @@
#include "common.h"
#include "daemon_test_fixture.h"
#include "mock_mount_handler.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
#include "mock_settings.h"
@@ -54,6 +55,10 @@ struct TestDaemonSuspend : public mpt::DaemonTestFixture

mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};
} // namespace

5 changes: 5 additions & 0 deletions tests/test_daemon_umount.cpp
@@ -19,6 +19,7 @@
#include "daemon_test_fixture.h"
#include "mock_logger.h"
#include "mock_mount_handler.h"
#include "mock_permission_utils.h"
#include "mock_platform.h"
#include "mock_server_reader_writer.h"
#include "mock_settings.h"
@@ -57,6 +58,10 @@ struct TestDaemonUmount : public mpt::DaemonTestFixture

mpt::MockSettings::GuardedMock mock_settings_injection = mpt::MockSettings::inject();
mpt::MockSettings& mock_settings = *mock_settings_injection.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};
} // namespace

5 changes: 5 additions & 0 deletions tests/unix/test_daemon_rpc.cpp
@@ -21,6 +21,7 @@
#include <tests/mock_cert_store.h>
#include <tests/mock_daemon.h>
#include <tests/mock_logger.h>
#include <tests/mock_permission_utils.h>
#include <tests/mock_platform.h>
#include <tests/mock_utils.h>

@@ -98,6 +99,10 @@ struct TestDaemonRpc : public mpt::DaemonTestFixture

mpt::MockUtils::GuardedMock attr{mpt::MockUtils::inject<NiceMock>()};
mpt::MockUtils* mock_utils = attr.first;

const mpt::MockPermissionUtils::GuardedMock mock_permission_utils_injection =
mpt::MockPermissionUtils::inject<NiceMock>();
mpt::MockPermissionUtils& mock_permission_utils = *mock_permission_utils_injection.first;
};
} // namespace

