gitee.com/mysnapcore/mysnapd@v0.1.0/interfaces/builtin/mount_observe.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// mountObserveSummary is the one-line, human-readable description of the
// mount-observe interface; init passes it as the interface's summary field.
const mountObserveSummary = `allows reading mount table and quota information`
    23  
// mountObserveBaseDeclarationSlots is the base-declaration fragment for the
// mount-observe slot, passed to registerIface as baseDeclarationSlots.
//
// It states two constraints:
//   - allow-installation / slot-snap-type: only a snap of type "core" may
//     carry this slot.
//   - deny-auto-connection: true, so a plug is not connected automatically.
//     NOTE(review): presumably this is the gate for the "should only be used
//     with trusted apps" restriction stated in the AppArmor and seccomp
//     snippets in this file; confirm against the base-declaration policy
//     evaluation.
const mountObserveBaseDeclarationSlots = `
  mount-observe:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`
    31  
// mountObserveConnectedPlugAppArmor is the AppArmor snippet that init
// registers as connectedPlugAppArmor for the mount-observe interface.
//
// Upstream policy group this text was derived from:
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/mount-observe
//
// Points to keep in mind when reviewing or changing this policy:
//   - Every path rule grants read ("r") only. The one executable rule, df with
//     "ixr", uses inherit-execute, so df runs under the same profile rather
//     than a more permissive one.
//   - @{PROC}/mounts and @{PROC}/1/mounts carry no "owner" qualifier, unlike
//     the per-pid mounts/mountinfo/mountstats rules below them. The policy
//     text itself labels the first of these an information leak.
//   - The "owner" rules use @{pid}, so they are not limited to the calling
//     process: they match the mount files of any process whose /proc entries
//     are owned by the caller.
//   - /etc/fstab, /etc/mtab and /run/mount/utab are readable in full. The
//     snippet's description treats mount arguments as privileged data, so any
//     new path added here should be weighed against that same disclosure risk.
//
// The text inside the backticks is policy input, not Go commentary; changing a
// single character changes the confinement applied to connected plugs.
const mountObserveConnectedPlugAppArmor = `
# Description: Can query system mount and disk quota information. This is
# restricted because it gives privileged read access to mount arguments and
# should only be used with trusted apps.

/{,usr/}bin/df ixr,

# Needed by 'df'. This is an information leak
@{PROC}/mounts r,
# Needed by 'htop' to detect whether it's running under lxc/lxd/docker
@{PROC}/1/mounts r,

owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mountstats r,
/sys/devices/*/block/{,**} r,

# Needed by 'htop' to calculate RAM usage more accurately (and informational purposes, if enabled)
@{PROC}/spl/kstat/zfs/arcstats r,

@{PROC}/swaps r,

# This is often out of date but some apps insist on using it
/etc/mtab r,
/etc/fstab r,

# some apps also insist on consulting utab
/run/mount/utab r,
`
    62  
// mountObserveConnectedPlugSecComp is the seccomp snippet that init registers
// as connectedPlugSecComp for the mount-observe interface.
//
// It allows the quotactl syscall only when the first argument is one of the
// five listed query commands (Q_GETQUOTA, Q_GETINFO, Q_GETFMT, Q_XGETQUOTA,
// Q_XGETQSTAT); the remaining arguments are written as "-" and are therefore
// not constrained. No quota-modifying command (for example Q_SETQUOTA) is
// listed, which keeps the interface observe-only. Adding a command here widens
// what a connected plug can do to the quota subsystem, so new entries should
// be limited to read-style commands.
//
// The text inside the backticks is filter input, not Go commentary.
const mountObserveConnectedPlugSecComp = `
# Description: Can query system mount and disk quota information. This is
# restricted because it gives privileged read access to mount arguments and
# should only be used with trusted apps.

quotactl Q_GETQUOTA - - -
quotactl Q_GETINFO - - -
quotactl Q_GETFMT - - -
quotactl Q_XGETQUOTA - - -
quotactl Q_XGETQSTAT - - -
`
    74  
// init registers the mount-observe interface when the builtin package loads.
//
// The descriptor ties together the three policy fragments declared in this
// file: the base-declaration slot rules, the AppArmor snippet and the seccomp
// snippet applied to a connected plug. Both implicit flags are set to true.
// NOTE(review): presumably that means the slot is provided by the system on
// both core and classic without a separate slot-providing snap; confirm
// against commonInterface.
func init() {
	mountObserve := &commonInterface{
		name:                  "mount-observe",
		summary:               mountObserveSummary,
		baseDeclarationSlots:  mountObserveBaseDeclarationSlots,
		connectedPlugAppArmor: mountObserveConnectedPlugAppArmor,
		connectedPlugSecComp:  mountObserveConnectedPlugSecComp,
		implicitOnCore:        true,
		implicitOnClassic:     true,
	}
	registerIface(mountObserve)
}