// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"strings"

	"gitee.com/mysnapcore/mysnapd/interfaces"
	"gitee.com/mysnapcore/mysnapd/interfaces/apparmor"
	"gitee.com/mysnapcore/mysnapd/interfaces/dbus"
	"gitee.com/mysnapcore/mysnapd/interfaces/seccomp"
	"gitee.com/mysnapcore/mysnapd/interfaces/udev"
	"gitee.com/mysnapcore/mysnapd/release"
	"gitee.com/mysnapcore/mysnapd/snap"
)

// networkManagerSummary is the one-line description shown for the
// "network-manager" interface.
const networkManagerSummary = `allows operating as the NetworkManager service`

// networkManagerBaseDeclarationSlots is the base-declaration policy for
// slots of this interface. Only app and core snaps may provide the slot,
// auto-connection is denied by default (a snap declaration has to grant
// it), and on non-classic systems manual connection is denied as well.
// This is the policy gate for the slot; the interface's own AutoConnect
// method defers to it.
const networkManagerBaseDeclarationSlots = `
  network-manager:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-auto-connection: true
    deny-connection:
      on-classic: false
`

// networkManagerPermanentSlotAppArmor is the AppArmor policy installed
// unconditionally for the snap that provides the slot, i.e. the process
// acting as NetworkManager. It is a privileged profile: net_admin,
// net_bind_service and net_raw capabilities, raw/netlink/packet sockets,
// read-write access to the networking sysctls under @{PROC}/sys/net,
// read-write access to /etc/netplan and /run/NetworkManager, execution of
// resolvconf and run-parts with inherited confinement (ix), and D-Bus
// traffic with unconfined peers (systemd-resolved, hostnamed, logind,
// wpa_supplicant and arbitrary unconfined clients of the NM API). The
// comments embedded in the policy text are part of the generated profile
// and explain each rule.
const networkManagerPermanentSlotAppArmor = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.

capability net_admin,
capability net_bind_service,
capability net_raw,

network netlink,
network bridge,
network inet,
network inet6,
network packet,

@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# used by sysctl, et al
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** rw,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** rw,
@{PROC}/sys/net/nf_conntrack_max rw,

# Needed for systemd's dhcp implementation
@{PROC}/sys/kernel/random/boot_id r,

/sys/devices/**/**/net/**/phys_port_id r,
/sys/devices/**/**/net/**/dev_id r,
/sys/devices/virtual/net/**/phys_port_id r,
/sys/devices/virtual/net/**/dev_id r,
/sys/devices/**/net/**/ifindex r,

# access to bridge sysfs interfaces for bridge settings
/sys/devices/virtual/net/*/bridge/* rw,

/dev/rfkill rw,

/run/udev/data/* r,

# Allow read and write access for all netplan configuration files
# as NetworkManager will start using them to store the network
# configuration instead of using its own internal keyfile based
# format.
/etc/netplan/{,**} rw,

# Allow access to configuration files generated on the fly
# from netplan and let NetworkManager store its configuration
# in the same place.
/run/NetworkManager/{,**} rw,

# Needed by the ifupdown plugin to check which interfaces can
# be managed an which not.
/etc/network/interfaces r,
# Needed for systemd's dhcp implementation
/etc/machine-id r,

# Needed to use resolvconf from core
/{,usr/}sbin/resolvconf ixr,
/run/resolvconf/{,**} rk,
/run/resolvconf/** w,
/etc/resolvconf/{,**} r,
/{,usr/}lib/resolvconf/* ix,
# NM peeks into ifupdown configuration
/run/network/ifstate* r,
# Required by resolvconf
/{,usr/}bin/run-parts ixr,
/etc/resolvconf/update.d/* ix,

#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# DBus accesses
#include <abstractions/dbus-strict>

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
#   https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
#   https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
# In the case of NM, the destination is not the well-known DBus name,
# instead it tracks the name owner and sends the message to the
# the owner's connection name, so we cannot have the name= restriction
# in peer=...
dbus send
    bus=system
    path="/org/freedesktop/resolve1"
    interface="org.freedesktop.resolve1.Manager"
    member="Resolve{Address,Hostname,Record,Service}"
    peer=(label=unconfined),

dbus (send)
    bus=system
    path="/org/freedesktop/resolve1"
    interface="org.freedesktop.resolve1.Manager"
    member="SetLink{DefaultRoute,DNSOverTLS,DNS,DNSEx,DNSSEC,DNSSECNegativeTrustAnchors,MulticastDNS,Domains,LLMNR}"
    peer=(label=unconfined),

dbus (send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member={Request,Release}Name
    peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (receive, send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member=GetConnectionUnixProcessID
    peer=(label=unconfined),

dbus (receive, send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member=GetConnectionUnixUser
    peer=(label=unconfined),

# Allow binding the service to the requested connection name
dbus (bind)
    bus=system
    name="org.freedesktop.NetworkManager",

# Allow traffic to/from our path and interface with any method for unconfined
# clients to talk to our service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    interface=org.freedesktop.NetworkManager*
    peer=(label=unconfined),

# Allow traffic to/from org.freedesktop.DBus for NetworkManager service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),

# Allow ObjectManager methods from and signals to unconfined clients.
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=unconfined),

# Allow access to hostname system service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    peer=(label=unconfined),
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    member="Get{,All}",

dbus(receive, send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.hostname1
    member={Set,SetStatic}Hostname
    peer=(label=unconfined),
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.hostname1
    member={Set,SetStatic}Hostname,

# Sleep monitor inside NetworkManager needs this
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/login1
    member=Inhibit
    interface=org.freedesktop.login1.Manager,
dbus (receive)
    bus=system
    path=/org/freedesktop/login1
    member=PrepareForSleep
    interface=org.freedesktop.login1.Manager
    peer=(label=unconfined),
dbus (receive)
    bus=system
    path=/org/freedesktop/login1
    interface=org.freedesktop.login1.Manager
    member=Session{New,Removed}
    peer=(label=unconfined),

# Allow access to wpa-supplicant for managing WiFi networks
dbus (receive, send)
    bus=system
    path=/fi/w1/wpa_supplicant1{,/**}
    interface=fi.w1.wpa_supplicant1*
    peer=(label=unconfined),
dbus (receive, send)
    bus=system
    path=/fi/w1/wpa_supplicant1{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),
`

// networkManagerConnectedSlotAppArmor is the AppArmor policy added to the
// slot provider for each connected plug. ###PLUG_SECURITY_TAGS### is
// replaced with the connected plug's app label expression, so the slot
// only exchanges D-Bus traffic on the NetworkManager paths (and the
// ObjectManager path) with that particular snap. The trailing ptrace rule
// is an explicit, quiet deny so that NM's /proc/<pid>/stat lookups of the
// peer do not fill the audit log.
const networkManagerConnectedSlotAppArmor = `
# Allow connected clients to interact with the service

# Allow traffic to/from our DBus path
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label=###PLUG_SECURITY_TAGS###),

# Later versions of NetworkManager implement org.freedesktop.DBus.ObjectManager
# for clients to easily obtain all (and be alerted to added/removed) objects
# from the service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=###PLUG_SECURITY_TAGS###),

# Explicitly deny ptrace to silence noisy denials. These denials happen when NM
# tries to access /proc/<peer_pid>/stat. What apparmor prevents is showing
# internal process addresses that live in that file, but that has no adverse
# effects for NetworkManager, which just wants to find out the start time of the
# process.
deny ptrace (trace) peer=###PLUG_SECURITY_TAGS###,
`

// networkManagerConnectedPlugAppArmor is the AppArmor policy added to a
// consuming snap when its plug is connected. ###SLOT_SECURITY_TAGS### is
// replaced with the slot provider's label expression, or with "unconfined"
// on classic systems where NetworkManager runs outside any snap profile;
// in that case the first two rules admit any unconfined peer on these
// paths, not just NM. The GetConnectionUnixUser rule is always against the
// unconfined bus daemon.
const networkManagerConnectedPlugAppArmor = `
# Description: Allow using NetworkManager service. This gives privileged access
# to the NetworkManager service.

#include <abstractions/dbus-strict>

# Allow all access to NetworkManager service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label=###SLOT_SECURITY_TAGS###),

# NM implements org.freedesktop.DBus.ObjectManager too
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=###SLOT_SECURITY_TAGS###),

# nmcli uses this in newer versions
dbus (send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member=GetConnectionUnixUser
    peer=(label=unconfined),
`

// networkManagerConnectedPlugIntrospectionSnippet lets the plug side send
// Introspect to the slot provider. It is only emitted on non-classic
// systems (see AppArmorConnectedPlug), where the slot label names a snap.
const networkManagerConnectedPlugIntrospectionSnippet = `
# Allow us to introspect the network-manager providing snap
dbus (send)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// networkManagerConnectedSlotIntrospectionSnippet is the matching
// receive-side rule for the slot provider; also non-classic only.
const networkManagerConnectedSlotIntrospectionSnippet = `
# Allow plugs to introspect us
dbus (receive)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###PLUG_SECURITY_TAGS###),
`

// networkManagerConnectedPlugSecComp is the seccomp policy for a connected
// plug: a netlink socket restricted to the NETLINK_KOBJECT_UEVENT
// protocol (device event notifications), nothing broader.
const networkManagerConnectedPlugSecComp = `
# Description: This is needed to talk to the network-manager service
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`

// networkManagerPermanentSlotSecComp is the seccomp policy for the slot
// provider: server-side socket calls, sethostname, and netlink sockets of
// any type and protocol ("- -" leaves both unconstrained).
const networkManagerPermanentSlotSecComp = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.
accept
accept4
bind
listen
sethostname
# netlink
socket AF_NETLINK - -
`

// networkManagerPermanentSlotDBus is the D-Bus bus policy installed for
// the slot provider. It is the upstream NetworkManager 1.2.2 policy file:
// root may own org.freedesktop.NetworkManager and send anything to it;
// everyone else (context="default") is denied ownership and denied sending
// to the name, with specific interfaces then re-allowed. The XML comments
// record upstream's classification of which interfaces are read-only and
// which are "secured with PolicyKit" — that is NM's runtime behaviour, not
// something this bus policy enforces by itself. SetLogging, Sleep,
// LoadConnections and ReloadConnections are denied to non-root outright,
// as is owning or messaging the NM-spawned dnsmasq name.
const networkManagerPermanentSlotDBus = `
<!-- DBus policy for NetworkManager (upstream version 1.2.2) -->
<policy user="root">
    <allow own="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager"/>

    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.PPP"/>

    <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>

    <!-- These are there because some broken policies do
         <deny send_interface="..." /> (see dbus-daemon(8) for details).
         This seems to override that for the known VPN plugins. -->
    <allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
    <allow send_destination="org.freedesktop.NetworkManager.openswan"/>
    <allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
    <allow send_destination="org.freedesktop.NetworkManager.pptp"/>
    <allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
    <allow send_destination="org.freedesktop.NetworkManager.ssh"/>
    <allow send_destination="org.freedesktop.NetworkManager.iodine"/>
    <allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
    <allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
    <allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
    <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
    <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>

    <!-- Allow the custom name for the dnsmasq instance spawned by NM
         from the dns dnsmasq plugin to own it's dbus name, and for
         messages to be sent to it.
    -->
    <allow own="org.freedesktop.NetworkManager.dnsmasq"/>
    <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>

<policy context="default">
    <deny own="org.freedesktop.NetworkManager"/>

    <deny send_destination="org.freedesktop.NetworkManager"/>

    <!-- Basic D-Bus API stuff -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.ObjectManager"/>

    <!-- Devices (read-only properties, no methods) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Team"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.AccessPoint"/>

    <!-- Devices (read-only, no security required) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>

    <!-- Devices (read/write, secured with PolicyKit) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device"/>

    <!-- Core stuff (read-only properties, no methods) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.IP4Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.IP6Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>

    <!-- Core stuff (read/write, secured with PolicyKit) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Settings"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>

    <!-- Agents; secured with PolicyKit. Any process can talk to
         the AgentManager API, but only NetworkManager can talk
         to the agents themselves. -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.AgentManager"/>

    <!-- Root-only functions -->
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager"
          send_member="SetLogging"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager"
          send_member="Sleep"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager.Settings"
          send_member="LoadConnections"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager.Settings"
          send_member="ReloadConnections"/>

    <deny own="org.freedesktop.NetworkManager.dnsmasq"/>
    <deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>

<limit name="max_replies_per_connection">1024</limit>
<limit name="max_match_rules_per_connection">2048</limit>
`

// networkManagerInterface implements the "network-manager" interface. It
// carries no state; all policy lives in the constants above and is emitted
// by the methods below.
type networkManagerInterface struct{}
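// Name returns the interface name used in snap.yaml plug and slot
// declarations.
func (iface *networkManagerInterface) Name() string {
	return "network-manager"
}

// StaticInfo describes the interface to the repository: the summary, the
// fact that the slot is implicitly provided by the OS on classic systems,
// and the base-declaration policy for slots (which denies auto-connection
// by default).
func (iface *networkManagerInterface) StaticInfo() interfaces.StaticInfo {
	return interfaces.StaticInfo{
		Summary:              networkManagerSummary,
		ImplicitOnClassic:    true,
		BaseDeclarationSlots: networkManagerBaseDeclarationSlots,
	}
}

// Placeholders substituted into the connected-side AppArmor snippets.
const (
	networkManagerSlotTagsPlaceholder = "###SLOT_SECURITY_TAGS###"
	networkManagerPlugTagsPlaceholder = "###PLUG_SECURITY_TAGS###"
)

// AppArmorConnectedPlug adds the plug-side AppArmor rules for a connection.
//
// The slot label written into the rules depends on the system type. On
// classic, NetworkManager is shipped by the OS and runs unconfined, so the
// peer label becomes "unconfined" — note that this admits D-Bus traffic
// with any unconfined peer on the NetworkManager paths, not only NM. On
// non-classic systems the label is derived from the slot's app security
// tags, and the Introspect rule is emitted as well (it is withheld on
// classic; see the linked bug for the reasoning).
//
// The former local named "new" shadowed the predeclared builtin; it is
// renamed here without any change in the emitted policy.
func (iface *networkManagerInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	var slotLabel string
	if release.OnClassic {
		// If we're running on classic NetworkManager will be part
		// of the OS snap and will run unconfined.
		slotLabel = "unconfined"
	} else {
		slotLabel = slotAppLabelExpr(slot)
	}
	spec.AddSnippet(strings.Replace(networkManagerConnectedPlugAppArmor, networkManagerSlotTagsPlaceholder, slotLabel, -1))
	if !release.OnClassic {
		// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
		spec.AddSnippet(strings.Replace(networkManagerConnectedPlugIntrospectionSnippet, networkManagerSlotTagsPlaceholder, slotLabel, -1))
	}
	return nil
}

// AppArmorConnectedSlot adds the slot-side AppArmor rules for a connection,
// scoping D-Bus traffic (and the quiet ptrace deny) to the connected plug's
// app label. The plug is always a snap, so no classic special case is
// needed here; the Introspect receive rule is only added on non-classic
// systems, mirroring the plug side.
func (iface *networkManagerInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	plugLabel := plugAppLabelExpr(plug)
	spec.AddSnippet(strings.Replace(networkManagerConnectedSlotAppArmor, networkManagerPlugTagsPlaceholder, plugLabel, -1))
	if !release.OnClassic {
		// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
		spec.AddSnippet(strings.Replace(networkManagerConnectedSlotIntrospectionSnippet, networkManagerPlugTagsPlaceholder, plugLabel, -1))
	}
	return nil
}

// AppArmorPermanentSlot installs the privileged NetworkManager profile for
// the slot provider regardless of connections.
func (iface *networkManagerInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotAppArmor)
	return nil
}

// DBusPermanentSlot installs the upstream NetworkManager bus policy for
// the slot provider.
func (iface *networkManagerInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotDBus)
	return nil
}

// SecCompPermanentSlot installs the slot provider's seccomp filter.
func (iface *networkManagerInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotSecComp)
	return nil
}

// UDevPermanentSlot tags the rfkill device so the slot provider's cgroup
// may access it (the AppArmor profile separately grants /dev/rfkill rw).
func (iface *networkManagerInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
	spec.TagDevice(`KERNEL=="rfkill"`)
	return nil
}

// SecCompConnectedPlug grants a connected plug the uevent netlink socket
// it needs to follow device changes.
func (iface *networkManagerInterface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	spec.AddSnippet(networkManagerConnectedPlugSecComp)
	return nil
}

// AutoConnect reports that the interface itself does not object to
// auto-connection. The effective decision is made by the base and snap
// declarations; networkManagerBaseDeclarationSlots sets
// deny-auto-connection, so a snap declaration must explicitly allow it.
func (iface *networkManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	return true
}

func init() {
	registerIface(&networkManagerInterface{})
}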