gitee.com/mysnapcore/mysnapd@v0.1.0/interfaces/builtin/location_observe.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2017 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin 21 22 import ( 23 "strings" 24 25 "gitee.com/mysnapcore/mysnapd/interfaces" 26 "gitee.com/mysnapcore/mysnapd/interfaces/apparmor" 27 "gitee.com/mysnapcore/mysnapd/interfaces/dbus" 28 "gitee.com/mysnapcore/mysnapd/snap" 29 ) 30 31 const locationObserveSummary = `allows access to the current physical location` 32 33 const locationObserveBaseDeclarationSlots = ` 34 location-observe: 35 allow-installation: 36 slot-snap-type: 37 - app 38 deny-connection: true 39 deny-auto-connection: true 40 ` 41 42 const locationObservePermanentSlotAppArmor = ` 43 # Description: Allow operating as the location service. This gives privileged 44 # access to the system. 45 46 # DBus accesses 47 #include <abstractions/dbus-strict> 48 dbus (send) 49 bus=system 50 path=/org/freedesktop/DBus 51 interface=org.freedesktop.DBus 52 member="{Request,Release}Name" 53 peer=(name=org.freedesktop.DBus, label=unconfined), 54 55 dbus (send) 56 bus=system 57 path=/org/freedesktop/DBus 58 interface=org.freedesktop.DBus 59 member="GetConnectionUnix{ProcessID,User}" 60 peer=(label=unconfined), 61 62 # Allow binding the service to the requested connection name 63 dbus (bind) 64 bus=system 65 name="com.ubuntu.location.Service", 66 67 dbus (receive, send) 68 bus=system 69 path=/com/ubuntu/location/Service{,/**} 70 interface=org.freedesktop.DBus** 71 peer=(label=unconfined), 72 ` 73 74 const locationObserveConnectedSlotAppArmor = ` 75 # Allow connected clients to interact with the service 76 77 # Allow the service to host sessions 78 dbus (bind) 79 bus=system 80 name="com.ubuntu.location.Service.Session", 81 82 # Allow clients to create a session 83 dbus (receive) 84 bus=system 85 path=/com/ubuntu/location/Service 86 interface=com.ubuntu.location.Service 87 member=CreateSessionForCriteria 88 peer=(label=###PLUG_SECURITY_TAGS###), 89 90 # Allow clients to query service properties 91 dbus (receive) 92 bus=system 93 path=/com/ubuntu/location/Service 94 interface=org.freedesktop.DBus.Properties 95 member=Get 96 peer=(label=###PLUG_SECURITY_TAGS###), 97 98 # Allow clients to request starting/stopping updates 99 dbus (receive) 100 bus=system 101 path=/sessions/* 102 interface=com.ubuntu.location.Service.Session 103 member="{Start,Stop}PositionUpdates" 104 peer=(label=###PLUG_SECURITY_TAGS###), 105 106 dbus (receive) 107 bus=system 108 path=/sessions/* 109 interface=com.ubuntu.location.Service.Session 110 member="{Start,Stop}HeadingUpdates" 111 peer=(label=###PLUG_SECURITY_TAGS###), 112 113 dbus (receive) 114 bus=system 115 path=/sessions/* 116 interface=com.ubuntu.location.Service.Session 117 member="{Start,Stop}VelocityUpdates" 118 peer=(label=###PLUG_SECURITY_TAGS###), 119 120 # Allow the service to send updates to clients 121 dbus (send) 122 bus=system 123 path=/sessions/* 124 interface=com.ubuntu.location.Service.Session 125 member="Update{Position,Heading,Velocity}" 126 peer=(label=###PLUG_SECURITY_TAGS###), 127 128 dbus (send) 129 bus=system 130 path=/com/ubuntu/location/Service 131 interface=org.freedesktop.DBus.Properties 132 member=PropertiesChanged 133 peer=(label=###PLUG_SECURITY_TAGS###), 134 ` 135 136 const locationObserveConnectedPlugAppArmor = ` 137 # Description: Allow using location service. This gives privileged access to 138 # the service. 139 140 #include <abstractions/dbus-strict> 141 142 # Allow clients to query service properties 143 dbus (send) 144 bus=system 145 path=/com/ubuntu/location/Service 146 interface=org.freedesktop.DBus.Properties 147 member=Get 148 peer=(label=###SLOT_SECURITY_TAGS###), 149 150 # Allow clients to create a session 151 dbus (send) 152 bus=system 153 path=/com/ubuntu/location/Service 154 interface=com.ubuntu.location.Service 155 member=CreateSessionForCriteria 156 peer=(label=###SLOT_SECURITY_TAGS###), 157 158 # Allow clients to request starting/stopping updates 159 dbus (send) 160 bus=system 161 path=/sessions/* 162 interface=com.ubuntu.location.Service.Session 163 member="{Start,Stop}PositionUpdates" 164 peer=(label=###SLOT_SECURITY_TAGS###), 165 166 dbus (send) 167 bus=system 168 path=/sessions/* 169 interface=com.ubuntu.location.Service.Session 170 member="{Start,Stop}HeadingUpdates" 171 peer=(label=###SLOT_SECURITY_TAGS###), 172 173 dbus (send) 174 bus=system 175 path=/sessions/* 176 interface=com.ubuntu.location.Service.Session 177 member="{Start,Stop}VelocityUpdates" 178 peer=(label=###SLOT_SECURITY_TAGS###), 179 180 dbus (send) 181 bus=system 182 path=/com/ubuntu/location/Service/sessions/* 183 interface=com.ubuntu.location.Service.Session 184 member="{Start,Stop}PositionUpdates" 185 peer=(label=###SLOT_SECURITY_TAGS###), 186 187 dbus (send) 188 bus=system 189 path=/com/ubuntu/location/Service/sessions/* 190 interface=com.ubuntu.location.Service.Session 191 member="{Start,Stop}HeadingUpdates" 192 peer=(label=###SLOT_SECURITY_TAGS###), 193 194 dbus (send) 195 bus=system 196 path=/com/ubuntu/location/Service/sessions/* 197 interface=com.ubuntu.location.Service.Session 198 member="{Start,Stop}VelocityUpdates" 199 peer=(label=###SLOT_SECURITY_TAGS###), 200 201 # Allow clients to receive updates from the service 202 dbus (receive) 203 bus=system 204 path=/sessions/* 205 interface=com.ubuntu.location.Service.Session 206 member="Update{Position,Heading,Velocity}" 207 peer=(label=###SLOT_SECURITY_TAGS###), 208 209 dbus (receive) 210 bus=system 211 path=/com/ubuntu/location/Service/sessions/* 212 interface=com.ubuntu.location.Service.Session 213 member="Update{Position,Heading,Velocity}" 214 peer=(label=###SLOT_SECURITY_TAGS###), 215 216 dbus (receive) 217 bus=system 218 path=/com/ubuntu/location/Service 219 interface=org.freedesktop.DBus.Properties 220 member=PropertiesChanged 221 peer=(label=###SLOT_SECURITY_TAGS###), 222 223 dbus (receive) 224 bus=system 225 path=/ 226 interface=org.freedesktop.DBus.ObjectManager 227 peer=(label=unconfined), 228 229 # Allow clients to introspect the service 230 dbus (send) 231 bus=system 232 path=/com/ubuntu/location/Service 233 interface=org.freedesktop.DBus.Introspectable 234 member=Introspect 235 peer=(label=###SLOT_SECURITY_TAGS###), 236 ` 237 238 const locationObservePermanentSlotDBus = ` 239 <policy user="root"> 240 <allow own="com.ubuntu.location.Service"/> 241 <allow own="com.ubuntu.location.Service.Session"/> 242 <allow send_destination="com.ubuntu.location.Service"/> 243 <allow send_destination="com.ubuntu.location.Service.Session"/> 244 <allow send_interface="com.ubuntu.location.Service"/> 245 <allow send_interface="com.ubuntu.location.Service.Session"/> 246 </policy> 247 ` 248 249 const locationObserveConnectedPlugDBus = ` 250 <policy context="default"> 251 <deny own="com.ubuntu.location.Service"/> 252 <allow send_destination="com.ubuntu.location.Service"/> 253 <allow send_destination="com.ubuntu.location.Service.Session"/> 254 <allow send_interface="com.ubuntu.location.Service"/> 255 <allow send_interface="com.ubuntu.location.Service.Session"/> 256 </policy> 257 ` 258 259 type locationObserveInterface struct{} 260 261 func (iface *locationObserveInterface) Name() string { 262 return "location-observe" 263 } 264 265 func (iface *locationObserveInterface) StaticInfo() interfaces.StaticInfo { 266 return interfaces.StaticInfo{ 267 Summary: locationObserveSummary, 268 BaseDeclarationSlots: locationObserveBaseDeclarationSlots, 269 } 270 } 271 272 func (iface *locationObserveInterface) DBusConnectedPlug(spec *dbus.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 273 spec.AddSnippet(locationObserveConnectedPlugDBus) 274 return nil 275 } 276 277 func (iface *locationObserveInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error { 278 spec.AddSnippet(locationObservePermanentSlotDBus) 279 return nil 280 } 281 282 func (iface *locationObserveInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 283 old := "###SLOT_SECURITY_TAGS###" 284 new := slotAppLabelExpr(slot) 285 snippet := strings.Replace(locationObserveConnectedPlugAppArmor, old, new, -1) 286 spec.AddSnippet(snippet) 287 return nil 288 } 289 290 func (iface *locationObserveInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error { 291 spec.AddSnippet(locationObservePermanentSlotAppArmor) 292 return nil 293 } 294 295 func (iface *locationObserveInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 296 old := "###PLUG_SECURITY_TAGS###" 297 new := plugAppLabelExpr(plug) 298 snippet := strings.Replace(locationObserveConnectedSlotAppArmor, old, new, -1) 299 spec.AddSnippet(snippet) 300 return nil 301 } 302 303 func (iface *locationObserveInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool { 304 // allow what declarations allowed 305 return true 306 } 307 308 func init() { 309 registerIface(&locationObserveInterface{}) 310 }