gitee.com/mysnapcore/mysnapd@v0.1.0/interfaces/builtin/process_control.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// processControlSummary is the one-line description registered for the
// process-control interface in init.
const processControlSummary = `allows controlling other processes`
    23  
// processControlBaseDeclarationSlots is the base-declaration fragment for
// process-control slots, registered as baseDeclarationSlots in init.
//
// As written, only a snap of type "core" may provide the slot, and
// deny-auto-connection is true, so a plug is not connected automatically.
// NOTE(review): presumably a connection then needs an explicit manual
// connect or a store-side declaration; confirm against the base-declaration
// documentation.
const processControlBaseDeclarationSlots = `
  process-control:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`
    31  
// processControlConnectedPlugAppArmor is the AppArmor snippet registered as
// connectedPlugAppArmor for process-control plugs. The literal is policy text,
// so any edit to it changes the confinement granted to connected snaps.
//
// What the rules grant, for reviewers:
//   - renice, taskset, kill and pkill may be executed with "ix", i.e. they run
//     under the snap's own profile rather than a separate one.
//   - "capability kill" together with "signal (send)," which carries no
//     peer= qualifier, so AppArmor does not limit which profile's processes
//     can be signalled.
//   - "capability sys_nice" and "capability sys_resource", which cover
//     priority/scheduling changes on other processes and overriding
//     resource limits.
//   - write and read access to coredump_filter under @{PROC}/[0-9]*/.
//
// NOTE(review): the embedded note speaks of /proc/self_pid/coredump_filter,
// but the glob [0-9]* matches any numeric PID directory, so at the AppArmor
// layer the rule is not limited to the caller's own process. Whether other
// kernel permission checks narrow this is not visible here; confirm before
// relying on the narrower reading.
const processControlConnectedPlugAppArmor = `
# Description: This interface allows for controlling other processes via
# signals, cpu affinity and nice. This is reserved because it grants privileged
# access to all processes under root or processes running under the same UID
# otherwise.
# Note: Scope augmented by allowing read/write for /proc/self_pid/coredump_filter
# (needed by opensearch)

# /{,usr/}bin/nice is already in default policy
/{,usr/}bin/renice ixr,
/{,usr/}bin/taskset ixr,

capability sys_resource,
capability sys_nice,

capability kill,
signal (send),
/{,usr/}bin/kill ixr,
/{,usr/}bin/pkill ixr,

@{PROC}/[0-9]*/coredump_filter wr,
`
    54  
// processControlConnectedPlugSecComp is the seccomp snippet registered as
// connectedPlugSecComp for process-control plugs. Each non-comment line names
// a syscall that the snippet adds to the allowed set.
//
// The list is wider than the embedded "nice value/priority" comment suggests:
// besides nice and setpriority it allows sched_setaffinity, sched_setattr,
// sched_setparam and sched_setscheduler, so a connected snap can also change
// CPU affinity and scheduling policy or parameters. Combined with the
// sys_nice capability in the AppArmor snippet, that is enough to starve
// other workloads of CPU, which is a reason to keep the interface
// manually connected.
//
// NOTE(review): no signal-sending syscall is listed here; presumably those
// are already allowed by the default template. Confirm.
const processControlConnectedPlugSecComp = `
# Description: This interface allows for controlling other processes via
# signals, cpu affinity and nice. This is reserved because it grants privileged
# access to all processes under root or processes running under the same UID
# otherwise.

# Allow setting the nice value/priority for any process
nice
setpriority
sched_setaffinity
sched_setattr
sched_setparam
sched_setscheduler
`
    69  
// init registers the process-control interface with the builtin interface
// registry via registerIface.
func init() {
	processControl := &commonInterface{
		name:    "process-control",
		summary: processControlSummary,

		// Both implicit flags are set. NOTE(review): presumably this means
		// the slot is provided by the system itself on core and classic
		// systems; confirm against commonInterface.
		implicitOnCore:    true,
		implicitOnClassic: true,

		// Policy fragments: who may offer the slot, and what a connected
		// plug gains under AppArmor and seccomp.
		baseDeclarationSlots:  processControlBaseDeclarationSlots,
		connectedPlugAppArmor: processControlConnectedPlugAppArmor,
		connectedPlugSecComp:  processControlConnectedPlugSecComp,
	}
	registerIface(processControl)
}