// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// Policy text for the hardware-observe interface. Every string below is
// consumed verbatim by the policy backends (YAML, AppArmor, seccomp), so
// edits to them change the confinement that connected snaps run under.
const (
	// hardwareObserveSummary is the one-line description registered for the
	// interface (the commonInterface.summary field).
	hardwareObserveSummary = `allows reading information about system hardware`

	// hardwareObserveBaseDeclarationSlots is the base-declaration YAML for the
	// slot side: only a snap of type "core" may provide the slot, and
	// deny-auto-connection is set, so plugs are expected to be connected
	// explicitly rather than on installation.
	hardwareObserveBaseDeclarationSlots = `
  hardware-observe:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

	// hardwareObserveConnectedPlugAppArmor is the AppArmor profile fragment
	// applied to the plug side once the interface is connected. Notes for
	// anyone widening it:
	//   - It grants `capability sys_rawio` and `capability sys_admin` (listed
	//     for lscpu/lspci), which are far broader than the read-only file
	//     accesses that make up the rest of the profile; the policy's own
	//     description marks the interface as reserved for that reason.
	//   - `sys_rawio` pairs with the `iopl` rule in
	//     hardwareObserveConnectedPlugSecComp (iopl is gated on
	//     CAP_SYS_RAWIO); both are listed for the same lspci mode, so keep the
	//     two policies in step.
	//   - The `/dev/bus/usb/{,**/}` rule ends in a slash, so it permits
	//     directory listing only; USB device nodes are not readable through
	//     this interface.
	//   - The uid_map/gid_map/setgroups and `ptrace (read)` rules are left
	//     commented out on purpose and are pointed at system-observe instead.
	hardwareObserveConnectedPlugAppArmor = `
# Description: This interface allows for getting hardware information
# from the system. This is reserved because it allows reading potentially
# sensitive information.

# used by lscpu and 'lspci -A intel-conf1/intel-conf2'
capability sys_rawio,

# see loaded kernel modules
@{PROC}/modules r,

# used by lspci
capability sys_admin,
/etc/modprobe.d/{,*} r,
/{,usr/}lib/modprobe.d/{,*} r,

# for reading the available input devices on the system
/proc/bus/input/devices r,

# files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs')
/sys/{block,bus,class,devices,firmware}/{,**} r,

# files in /proc/bus/pci (eg, 'lspci -A linux-proc')
@{PROC}/bus/pci/{,**} r,


# power information
/sys/power/{,**} r,
/run/udev/data/+power_supply:* r,

# interrupts
@{PROC}/interrupts r,

# libsensors
/etc/sensors3.conf r,
/etc/sensors.d/{,*} r,

# Needed for udevadm
/run/udev/data/** r,
network netlink raw,

# util-linux
/{,usr/}bin/lsblk ixr,
/{,usr/}bin/lscpu ixr,
/{,usr/}bin/lsmem ixr,


# lsusb
# Note: lsusb and its database have to be shipped in the snap if not on classic
/{,usr/}bin/lsusb ixr,
/var/lib/usbutils/usb.ids r,
/dev/ r,
/dev/bus/usb/{,**/} r,
/etc/udev/udev.conf r,

# lshw -quiet (note, lshw also tries to create /dev/fb-*, but fails gracefully)
@{PROC}/devices r,
@{PROC}/ide/{,**} r,
@{PROC}/scsi/{,**} r,
@{PROC}/device-tree/{,**} r,
/sys/kernel/debug/usb/devices r,
@{PROC}/sys/abi/{,*} r,

# hwinfo --short
@{PROC}/ioports r,
@{PROC}/dma r,
@{PROC}/tty/driver/serial r,
@{PROC}/sys/dev/cdrom/info r,

# status of hugepages and transparent_hugepage, but not the pages themselves
/sys/kernel/mm/{hugepages,transparent_hugepage}/{,**} r,

# systemd-detect-virt
/{,usr/}bin/systemd-detect-virt ixr,
# VMs
@{PROC}/cpuinfo r,
@{PROC}/sysinfo r, # Linux on z/VM
@{PROC}/xen/capabilities r,
/sys/hypervisor/properties/features r,
/sys/hypervisor/type r,

# containers
/run/systemd/container r,

# /proc/1/sched in a systemd-nspawn container with '-a' is supposed to show on
# its first line a pid that != 1 and systemd-detect-virt tries to detect this.
# This doesn't seem to be the case on (at least) systemd 240 on Ubuntu. This
# file is somewhat sensitive for arbitrary pids, but is not overly so for pid
# 1. For containers, systemd won't normally look at this file since it has
# access to /run/systemd/container and 'container' from the environment, and
# systemd fails gracefully when it doesn't have access to /proc/1/sched. For
# VMs, systemd requires access to /proc/1/sched in its detection algorithm.
# See src/basic/virt.c from systemd sources for details.
@{PROC}/1/sched r,

# systemd-detect-virt --private-users will look at these and the access is
# better added to system-observe. Since snaps typically only care about
# --container and --vm leave these commented out.
#@{PROC}/@{pid}/uid_map r,
#@{PROC}/@{pid}/gid_map r,
#@{PROC}/@{pid}/setgroups r,

# systemd-detect-virt --chroot requires 'ptrace (read)' on unconfined to
# determine if it is running in a chroot. Like above, this is best granted via
# system-observe.
#ptrace (read) peer=unconfined,
`

	// hardwareObserveConnectedPlugSecComp is the seccomp filter fragment
	// applied to the plug side once connected. It allows iopl (for the same
	// lspci direct-config mode that needs sys_rawio above), AF_NETLINK
	// sockets of the GENERIC and KOBJECT_UEVENT families, and bind. The bind
	// rule carries no argument filter, so its reach is bounded by the
	// AppArmor network rules rather than by seccomp.
	hardwareObserveConnectedPlugSecComp = `
# Description: This interface allows for getting hardware information
# from the system. This is reserved because it allows reading potentially
# sensitive information.

# used by 'lspci -A intel-conf1/intel-conf2'
iopl

# multicast statistics
socket AF_NETLINK - NETLINK_GENERIC

# kernel uevents
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
bind
`
)

// init registers hardware-observe as a commonInterface. The interface is
// flagged implicit on both core and classic systems, and the policy
// fragments above are attached to the connected plug.
func init() {
	iface := &commonInterface{
		name:                  "hardware-observe",
		summary:               hardwareObserveSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  hardwareObserveBaseDeclarationSlots,
		connectedPlugAppArmor: hardwareObserveConnectedPlugAppArmor,
		connectedPlugSecComp:  hardwareObserveConnectedPlugSecComp,
	}
	registerIface(iface)
}