
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"errors"
    24  
    25  	"gitee.com/mysnapcore/mysnapd/interfaces"
    26  	apparmor_sandbox "gitee.com/mysnapcore/mysnapd/sandbox/apparmor"
    27  	"gitee.com/mysnapcore/mysnapd/strutil"
    28  )
    29  
const (
	// netlinkAuditSummary is the one-line description of the interface.
	netlinkAuditSummary = `allows access to kernel audit system through netlink`

	// netlinkAuditBaseDeclarationSlots limits slot installation to the core
	// snap and turns auto-connection off, so a plug only gains the policy
	// below after an explicit connection.
	netlinkAuditBaseDeclarationSlots = `
  netlink-audit:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

	// netlinkAuditConnectedPlugSecComp permits bind() and the creation of an
	// AF_NETLINK socket using the NETLINK_AUDIT protocol.
	netlinkAuditConnectedPlugSecComp = `
# Description: Can use netlink to read/write to kernel audit system.
bind
socket AF_NETLINK - NETLINK_AUDIT
`

	// netlinkAuditConnectedPlugAppArmor grants netlink networking together
	// with the net_admin, audit_read and audit_write capabilities. The
	// audit_read rule is the one whose parser support is verified in
	// BeforeConnectPlug before a connection is allowed.
	netlinkAuditConnectedPlugAppArmor = `
# Description: Can use netlink to read/write to kernel audit system.
network netlink,

# CAP_NET_ADMIN required for multicast netlink sockets per 'man 7 netlink'
capability net_admin,

# CAP_AUDIT_READ required to read the audit log via the netlink multicast socket
# per 'man 7 capabilities'
capability audit_read,

# CAP_AUDIT_WRITE required to write to the audit log via the netlink multicast
# socket per 'man 7 capabilities'
capability audit_write,
`
)
    61  
// netlinkAuditInterface is the builtin "netlink-audit" interface. It embeds
// commonInterface for the shared behaviour and adds a BeforeConnectPlug hook
// that checks the host AppArmor parser before a connection is made.
type netlinkAuditInterface struct {
	commonInterface
}
    65  
// BeforeConnectPlug refuses the connection when the host's AppArmor parser
// cannot compile the policy this interface ships.
//
// The connected-plug AppArmor profile contains a `capability audit_read` rule,
// which requires the parser's "cap-audit-read" feature. Checking here turns a
// later policy-compilation failure into a clear error at connection time.
// Hosts without AppArmor at all are let through, since no profile will be
// compiled for them.
//
// plug is unused; the decision depends only on host parser features. Returns
// nil when the connection may proceed, the error from
// apparmor_sandbox.ParserFeatures when the feature list cannot be obtained,
// or a descriptive error when the feature is missing.
func (iface *netlinkAuditInterface) BeforeConnectPlug(plug *interfaces.ConnectedPlug) error {
	// Without AppArmor there are no parser features to care about.
	if apparmor_sandbox.ProbedLevel() == apparmor_sandbox.Unsupported {
		return nil
	}

	supported, err := apparmor_sandbox.ParserFeatures()
	if err != nil {
		return err
	}

	// Older parsers (the one in 14.04, per the original note) lack this
	// feature, so the shipped policy would not compile on them.
	if strutil.ListContains(supported, "cap-audit-read") {
		return nil
	}
	return errors.New("cannot connect plug on system without audit_read support")
}
    84  
// init registers the netlink-audit interface with the builtin set.
//
// implicitOnCore and implicitOnClassic are both set, while the base
// declaration restricts slots to the core snap and denies auto-connection:
// the plug's policy (netlink networking plus net_admin, audit_read and
// audit_write capabilities) therefore only takes effect after an explicit
// connection.
func init() {
	common := commonInterface{
		name:                  "netlink-audit",
		summary:               netlinkAuditSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  netlinkAuditBaseDeclarationSlots,
		connectedPlugSecComp:  netlinkAuditConnectedPlugSecComp,
		connectedPlugAppArmor: netlinkAuditConnectedPlugAppArmor,
	}
	registerIface(&netlinkAuditInterface{commonInterface: common})
}