services/mgmt/device/imp: propagate Debug permissions to apps
Propagate permission lists for an invoked application so that
permission list changes on the app name in the device manager also
apply equally for direct connection to the app's __debug names.
Change-Id: I38b02d4c6e11d429292c42c1e7cb4e7d9afd1cb0
diff --git a/services/mgmt/device/impl/acl_propagator.go b/services/mgmt/device/impl/acl_propagator.go
index ce62b33..893c228 100644
--- a/services/mgmt/device/impl/acl_propagator.go
+++ b/services/mgmt/device/impl/acl_propagator.go
@@ -3,6 +3,7 @@
import (
"path/filepath"
+ "v.io/v23/security"
"v.io/v23/services/security/access"
"v.io/x/ref/services/mgmt/lib/acls"
@@ -16,13 +17,25 @@
// setACLsForDebugging constructs an ACL file for use by applications that
// permits principals with a Debug right on an application instance to
// access names in the app's __debug space.
-func setACLsForDebugging(acl access.Permissions, instancePath string, aclstore *acls.PathStore) error {
+func setACLsForDebugging(blessings []string, acl access.Permissions, instancePath string, aclstore *acls.PathStore) error {
path := computePath(instancePath)
newACL := make(access.Permissions)
+
+ // Add blessings for the DM so that it can access the app too.
+
+ set := func(bl security.BlessingPattern) {
+ for _, tag := range []access.Tag{access.Resolve, access.Debug} {
+ newACL.Add(bl, string(tag))
+ }
+ }
+
+ for _, b := range blessings {
+ set(security.BlessingPattern(b))
+ }
+
// add Resolve for every blessing that has debug
for _, v := range acl["Debug"].In {
- newACL.Add(v, "Resolve")
- newACL.Add(v, "Debug")
+ set(v)
}
return aclstore.Set(path, newACL, "")
}
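Review bot: Each device-manager blessing name is converted with `security.BlessingPattern(b)` and granted both Resolve and Debug, and as far as I know a plain name used as a pattern also matches extensions of that name (worth confirming at this revision). If other principals hold blessings extended from the device manager's, they would gain Debug on this app's `__debug` names too, so a non-extendable form of the pattern is safer if only the device manager itself is meant. The doc comment above the function does not mention the new `blessings` parameter, and `// add Resolve for every blessing that has debug` no longer describes the whole body. I would add `// blessings holds the device manager's own blessing names; each is granted Resolve and Debug.` to the doc comment.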
diff --git a/services/mgmt/device/impl/app_service.go b/services/mgmt/device/impl/app_service.go
index ad0a09c..5f13379 100644
--- a/services/mgmt/device/impl/app_service.go
+++ b/services/mgmt/device/impl/app_service.go
@@ -723,7 +723,10 @@
if err := initializeInstance(instanceDir, suspended); err != nil {
return instanceDir, instanceID, err
}
- if err := setACLsForDebugging(aclCopy, instanceDir, i.aclstore); err != nil {
+ // TODO(rjkroege): Divide the permission lists into those used by the device manager
+ // and those used by the application itself.
+ dmBlessings, _ := security.BlessingNames(call.Context(), security.CallSideLocal)
+ if err := setACLsForDebugging(dmBlessings, aclCopy, instanceDir, i.aclstore); err != nil {
return instanceDir, instanceID, err
}
return instanceDir, instanceID, nil
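Review bot: The second result of `security.BlessingNames` is discarded at `dmBlessings, _ :=`, so if no usable names come back the debug ACL is written without any device-manager entry and nothing records why. Because this list decides who may reach the app's `__debug` names, I would check `len(dmBlessings) == 0` and return an error, or at least add a comment saying why the dropped value is safe to ignore. The same line appears in the hunk at -1340 and needs the same treatment. The enclosing function starts outside this hunk, so an earlier guard may already cover this.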
@@ -830,6 +833,9 @@
cfg.Set(mgmt.AddressConfigKey, "127.0.0.1:0")
cfg.Set(mgmt.ParentBlessingConfigKey, info.DeviceManagerPeerPattern)
+ appAclDir := filepath.Join(instanceDir, "debugacls", "data")
+ cfg.Set("veyron.acl.file", "runtime:"+appAclDir)
+
// Set up any agent-specific state.
// NOTE(caprita): This ought to belong in genCmd.
var agentCleaner func()
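Review bot: `appAclDir` is rebuilt by hand from `"debugacls", "data"` here, while `setACLsForDebugging` writes through `computePath(instancePath)`, whose body is not visible in this diff. If the two ever drift, the app reads its ACL from a directory the device manager never wrote, and propagated Debug changes silently stop applying. I would derive the directory from `computePath`, or add `// Must match the directory setACLsForDebugging writes via computePath.` above the join. The literal `"veyron.acl.file"` is also inconsistent with the `mgmt.*ConfigKey` constants used two lines above; a named constant would keep the key from being mistyped on the reading side.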
@@ -1340,7 +1346,8 @@
return err
}
if isInstance {
- if err := setACLsForDebugging(acl, dir, i.aclstore); err != nil {
+ dmBlessings, _ := security.BlessingNames(call.Context(), security.CallSideLocal)
+ if err := setACLsForDebugging(dmBlessings, acl, dir, i.aclstore); err != nil {
return err
}
}
diff --git a/services/mgmt/device/impl/debug_acls_test.go b/services/mgmt/device/impl/debug_acls_test.go
index bb927b1..0f2ad2d 100644
--- a/services/mgmt/device/impl/debug_acls_test.go
+++ b/services/mgmt/device/impl/debug_acls_test.go
@@ -146,10 +146,10 @@
verifyLog(t, hjCtx, "dm", "apps", appID, bobApp, "logs", "*")
verifyPProfCmdLine(t, hjCtx, "app", "dm", "apps", appID, bobApp, "pprof")
- // TODO(rjkroege): Propagate the permission lists such that they are the same for hackerjoe
- // directly connecting to the app.
- verifyFailGlob(t, hjCtx, appGlobtests)
- testAccessFail(t, verror.ErrNoAccess.ID, hjCtx, "hackerjoe", "appV1", "__debug", "stats/system/pid")
+ // Permissions are propagated to the app so hackerjoe can connect
+ // directly to the app too.
+ verifyGlob(t, hjCtx, "app", globtestminus, res)
+ verifyStatsValues(t, hjCtx, "appV1", "__debug", "stats/system/start-time*")
// Alice might be able to help but Bob didn't give Alice access to the debug ACLs.
testAccessFail(t, verror.ErrNoAccess.ID, aliceCtx, "Alice", "dm", "apps", appID, bobApp, "stats/system/pid")
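Review bot: With `verifyFailGlob` and the hackerjoe `testAccessFail` removed, no check visible in this hunk asserts that a principal without Debug is still refused on a direct connection to the app. Alice has not been granted access at this point, yet she is only tested through the `dm` name. I would add `testAccessFail(t, verror.ErrNoAccess.ID, aliceCtx, "Alice", "appV1", "__debug", "stats/system/pid")` next to the existing Alice check, so the deny path of the propagated ACL is exercised as well as the allow path. The test function extends beyond this hunk, so this may already be covered elsewhere.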
@@ -168,9 +168,9 @@
verifyLog(t, aliceCtx, "dm", "apps", appID, bobApp, "logs", "*")
verifyPProfCmdLine(t, aliceCtx, "app", "dm", "apps", appID, bobApp, "pprof")
- // TODO(rjkroege): Propagate the permission lists such that they are the same for Alice
- // directly connecting to the app.
- verifyFailGlob(t, aliceCtx, appGlobtests)
+ // Alice can also now connect directly to the app.
+ verifyGlob(t, aliceCtx, "app", globtestminus, res)
+ verifyStatsValues(t, aliceCtx, "appV1", "__debug", "stats/system/start-time*")
// Bob is glum because no one can help him fix his app so he stops it.
stopApp(t, bobCtx, appID, bobApp)