// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2018 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// Static metadata for the "network" interface: the one-line summary shown
// to users and the base declaration governing who may provide the slot.
const (
	// networkSummary is the human-readable description of the interface.
	networkSummary = `allows access to the network`

	// networkBaseDeclarationSlots only permits installation of a "network"
	// slot when the providing snap is of type core.
	networkBaseDeclarationSlots = `
  network:
    allow-installation:
      slot-snap-type:
        - core
`
)

// networkConnectedPlugAppArmor is the AppArmor snippet applied to a plug
// once connected. It pulls in the nameservice, dbus-strict and ssl_certs
// abstractions, grants read access to resolver configuration and a pair of
// networking sysctls under @{PROC}, permits the Resolve* members of the
// systemd-resolved D-Bus API plus the DynamicUsers lookups on systemd1,
// and allows executing netcat as a client.
//
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/network
const networkConnectedPlugAppArmor = `
# Description: Can access the network as a client.
#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf rk,
/etc/mdns.allow r, # not yet included in the mdns abstraction
network netlink dgram, # not yet included in the nameservice abstraction

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
# https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
# https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
    bus=system
    path="/org/freedesktop/resolve1"
    interface="org.freedesktop.resolve1.Manager"
    member="Resolve{Address,Hostname,Record,Service}"
    peer=(name="org.freedesktop.resolve1"),

# libnss-systemd (D-Bus portion from nameservice abstraction)
# Also allow lookups for systemd-exec's DynamicUsers via D-Bus
# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
dbus send
    bus=system
    path="/org/freedesktop/systemd1"
    interface="org.freedesktop.systemd1.Manager"
    member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
    peer=(name="org.freedesktop.systemd1"),

#include <abstractions/ssl_certs>

@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/tcp_fastopen r,

# Allow using netcat as client
/{,usr/}bin/nc{,.openbsd} ixr,
`

// networkConnectedPlugSecComp is the seccomp snippet applied to a connected
// plug. Besides client access it allows bind, the AF_NETLINK/NETLINK_ROUTE
// socket (kept here for series 16 compatibility per the FIXME below, even
// though it conceptually belongs to the network-bind, network-control and
// network-observe interfaces) and AF_CONN sockets for userspace SCTP.
//
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/network
const networkConnectedPlugSecComp = `
# Description: Can access the network as a client.
bind

# FIXME: some kernels require this with common functions in go's 'net' library.
# While this should remain in network-bind, network-control and
# network-observe, for series 16 also have it here to not break existing snaps.
# Future snapd series may remove this in the future. LP: #1689536
socket AF_NETLINK - NETLINK_ROUTE

# Userspace SCTP
# https://github.com/sctplab/usrsctp/blob/master/usrsctplib/usrsctp.h
socket AF_CONN
`

// init registers the "network" interface with the builtin registry. The
// interface is implicitly available on both core and classic systems and is
// backed by the AppArmor and seccomp snippets declared above.
func init() {
	iface := &commonInterface{
		name:                  "network",
		summary:               networkSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  networkBaseDeclarationSlots,
		connectedPlugAppArmor: networkConnectedPlugAppArmor,
		connectedPlugSecComp:  networkConnectedPlugSecComp,
	}
	registerIface(iface)
}