// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// Policy for the "network-bind" interface: the confinement granted to a
// snap whose plug is connected so that it can operate as a network server.
// The policy text below is passed verbatim to the AppArmor and seccomp
// backends, so its contents (including the comments inside the literals)
// are part of the shipped profile, not Go documentation.
const (
	// networkBindSummary is the one-line description shown for the interface.
	networkBindSummary = `allows operating as a network service`

	// networkBindBaseDeclarationSlots restricts who may provide the slot:
	// installation of a network-bind slot is only allowed for core snaps.
	networkBindBaseDeclarationSlots = `
network-bind:
allow-installation:
slot-snap-type:
- core
`

	// networkBindConnectedPlugAppArmor is the AppArmor policy added to the
	// plug side once connected. Beyond name resolution (nameservice
	// abstraction, systemd-resolved over D-Bus, stub-resolv.conf) it grants
	// read access to a few read-only /etc and @{PROC} network files; the
	// if_inet6 / ipv6_route reads are an acknowledged information leak kept
	// for compatibility (see the LP references inside the policy).
	// Note that `network netlink dgram,` is allowed near the top (for the
	// nameservice abstraction), which together with the seccomp rule below
	// means a connected snap can open NETLINK_ROUTE dgram sockets.
	//
	// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/network-bind
	networkBindConnectedPlugAppArmor = `
# Description: Can access the network as a server.
#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf rk,
network netlink dgram, # not yet included in the nameservice abstraction

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
# https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
# https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
bus=system
path="/org/freedesktop/resolve1"
interface="org.freedesktop.resolve1.Manager"
member="Resolve{Address,Hostname,Record,Service}"
peer=(name="org.freedesktop.resolve1"),

#include <abstractions/ssl_certs>

# These probably shouldn't be something that apps should use, but this offers
# no information disclosure since the files are in the read-only part of the
# system.
/etc/hosts.deny r,
/etc/hosts.allow r,

@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,

# LP: #1496906: java apps need these for some reason and they leak the IPv6 IP
# addresses and routes. Until we find another way to handle them (see the bug
# for some options), we need to allow them to avoid developer confusion.
@{PROC}/@{pid}/net/if_inet6 r,
@{PROC}/@{pid}/net/ipv6_route r,

# java apps attempt this, presumably to handle interface changes, but a
# corresponding seccomp socket rule is required to use netlink. When
# fine-grained netlink mediation is implemented (LP: #1669552), we can perhaps
# allow 'read' with NETLINK_ROUTE, but for now we omit it here and don't
# explicitly deny this noisy denial so --devmode isn't broken. LP: #1499897
#deny network netlink dgram,
`

	// networkBindConnectedPlugSecComp is the seccomp allow-list added to the
	// plug side once connected: the server-side socket calls plus a single
	// NETLINK_ROUTE socket rule.
	// NOTE(review): the comment inside this literal says AppArmor does not
	// grant netlink for network-bind, but the AppArmor policy above does
	// contain `network netlink dgram,`; the seccomp comment looks stale and
	// should be reconciled with the AppArmor side.
	//
	// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/network-bind
	networkBindConnectedPlugSecComp = `
# Description: Can access the network as a server.
accept
accept4
bind
listen
# TODO: remove this rule once seccomp errno with logging is implemented.
# java apps attempt this, presumably to handle interface changes, but a
# corresponding AppArmor rule is required (eg, network netlink dgram) to use
# netlink. We allow it here but not network-bind policy for AppArmor since java
# falls back gracefully when faced with an EPERM. Without this rule, the
# application would be KILLed due to our default seccomp policy.
socket AF_NETLINK - NETLINK_ROUTE
`
)

// init registers network-bind as a commonInterface. The slot is provided
// implicitly by the system on both core and classic (implicitOnCore /
// implicitOnClassic), and the connected-plug policy above is attached as
// the AppArmor and seccomp snippets.
func init() {
	networkBind := &commonInterface{
		name:                  "network-bind",
		summary:               networkBindSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  networkBindBaseDeclarationSlots,
		connectedPlugAppArmor: networkBindConnectedPlugAppArmor,
		connectedPlugSecComp:  networkBindConnectedPlugSecComp,
	}
	registerIface(networkBind)
}