// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2021 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"gitee.com/mysnapcore/mysnapd/snap"
)

// One-line description of the dm-crypt interface.
const dmCryptSummary = `allows encryption and decryption of block storage devices`

// Base declarations. The slot may only be provided by a core-type snap, the
// plug is not installable by default, and neither side auto-connects.
const (
	dmCryptBaseDeclarationSlots = `
dm-crypt:
  allow-installation:
    slot-snap-type:
      - core
  deny-auto-connection: true
`

	dmCryptBaseDeclarationPlugs = `
dm-crypt:
  allow-installation: false
  deny-auto-connection: true
`
)

// dmCryptInterface is the stateless receiver for the hook methods of this
// interface; the policy itself lives in the constants registered in init.
type dmCryptInterface struct{}

// Connected-plug confinement policy.
//
// XXX: the mount points are hard-coded to /media and /run/media; without a
// "mount-control"-style interface there is no other way to express them.
//
// NOTE(review): the mount rules allow ro/rw with nosuid,nodev but not noexec,
// so binaries on the mounted filesystem are not blocked by mount options.
// The only umount-related line is exec permission for the umount binary;
// whether AppArmor also needs an explicit `umount /{,run/}media/**,` rule
// for the operation itself to succeed should be confirmed against the
// profile as actually loaded.
const (
	dmCryptConnectedPlugAppArmor = `
# Allow mapper access
/dev/mapper/control rw,
/dev/dm-[0-9]* rw,
# allow use of cryptsetup from core snap
/{,usr/}sbin/cryptsetup ixr,
# Mount points could be in /run/media/<user>/* or /media/<user>/*
/run/systemd/seats/* r,
/{,run/}media/{,**} rw,
mount options=(ro,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**,
mount options=(rw,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**,

# exec mount/umount to do the actual operations
/{,usr/}bin/mount ixr,
/{,usr/}bin/umount ixr,

# mount/umount (via libmount) track some mount info in these files
/{,var/}run/mount/utab* wrlk,

# Allow access to the file locking mechanism
/{,var/}run/cryptsetup/ r,
/{,var/}run/cryptsetup/* rwk,
`

	// Kernel keyring syscalls, which cryptsetup uses for key handling.
	dmCryptConnectedPlugSecComp = `
# Description: Allow kernel keyring manipulation
add_key
keyctl
request_key
`
)

var (
	// Kernel module to load on connection. dm-crypt is often built in
	// (CONFIG_DM_CRYPT=y) on kernels for products that require disk
	// encryption, in which case there is nothing to load.
	dmCryptConnectedPlugKmod = []string{
		"dm_crypt",
	}

	// udev rules applied for the connected plug.
	//
	// NOTE(review): `KERNEL=="dm-[0-9]"` matches a single digit (dm-0..dm-9)
	// while the AppArmor rules in this file use `/dev/dm-[0-9]*`; the broader
	// `SUBSYSTEM=="block"` line presumably exposes every block device to the
	// snap, so the effective limit is the AppArmor path list (only
	// /dev/mapper/control and /dev/dm-*). Confirm that breadth is intended.
	dmCryptConnectedPlugUDev = []string{
		`KERNEL=="device-mapper"`,
		`KERNEL=="dm-[0-9]"`,
		`SUBSYSTEM=="block"`,
	}
)

// AutoConnect reports whether this interface objects to a plug/slot pair being
// auto-connected. It never objects; both base declarations above carry
// deny-auto-connection: true, so automatic connection is decided by the
// declarations rather than here.
func (iface *dmCryptInterface) AutoConnect(_ *snap.PlugInfo, _ *snap.SlotInfo) bool {
	return true
}

// init registers dm-crypt as a common interface built from the policy above.
func init() {
	registerIface(&commonInterface{
		name:                     "dm-crypt",
		summary:                  dmCryptSummary,
		implicitOnCore:           true,
		implicitOnClassic:        true,
		baseDeclarationSlots:     dmCryptBaseDeclarationSlots,
		baseDeclarationPlugs:     dmCryptBaseDeclarationPlugs,
		connectedPlugAppArmor:    dmCryptConnectedPlugAppArmor,
		connectedPlugSecComp:     dmCryptConnectedPlugSecComp,
		connectedPlugKModModules: dmCryptConnectedPlugKmod,
		connectedPlugUDev:        dmCryptConnectedPlugUDev,
	})
}