gitee.com/mysnapcore/mysnapd@v0.1.0/interfaces/builtin/u2f_devices.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2019 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"fmt"
    24  
    25  	"gitee.com/mysnapcore/mysnapd/interfaces"
    26  	"gitee.com/mysnapcore/mysnapd/interfaces/udev"
    27  )
    28  
// u2fDevicesSummary is the one-line description registered as the interface
// summary in init.
const u2fDevicesSummary = `allows access to u2f devices`

// u2fDevicesBaseDeclarationSlots is the base-declaration policy for the
// u2f-devices slot. As written, it allows the slot to be installed only when
// the providing snap is of type core, and it denies auto-connection.
// NOTE(review): whether a store-side snap declaration can override
// deny-auto-connection is not visible in this file; confirm before treating
// manual connection as a guarantee.
const u2fDevicesBaseDeclarationSlots = `
  u2f-devices:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`
    38  
// u2fDevice describes one family of U2F/FIDO tokens to match in udev.
//
// VendorIDPattern and ProductIDPattern are substituted verbatim into the
// ATTRS{idVendor} and ATTRS{idProduct} comparisons built by
// UDevConnectedPlug. Entries in this file list several IDs in one pattern,
// separated by "|". Name is emitted only as a comment line above the
// generated rule.
type u2fDevice struct {
	Name, VendorIDPattern, ProductIDPattern string
}
    42  
// u2fDevices is the allow-list of tokens that UDevConnectedPlug tags for a
// connected plug. Reference given by the original author:
// https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules
//
// NOTE(review): the vendor and product patterns of an entry are matched as
// two independent comparisons, so an entry with alternatives in both fields
// accepts every vendor/product combination. Keep such entries split (as the
// two HyperSecu entries are) when only specific pairings are intended.
//
// NOTE(review): several vendor IDs (0483, 096e, 1209, 20a0, 2ccf) appear in
// more than one entry, so the product ID list is what narrows each match.
// The IDs are the ones a device reports about itself; a match identifies a
// device, it does not authenticate it.
var u2fDevices = []u2fDevice{
	{
		Name:             "Yubico YubiKey",
		VendorIDPattern:  "1050",
		ProductIDPattern: "0113|0114|0115|0116|0120|0121|0200|0402|0403|0406|0407|0410",
	},
	{
		Name:             "Happlink (formerly Plug-Up) Security KEY",
		VendorIDPattern:  "2581",
		ProductIDPattern: "f1d0",
	},
	{
		Name:             "Neowave Keydo and Keydo AES",
		VendorIDPattern:  "1e0d",
		ProductIDPattern: "f1d0|f1ae",
	},
	{
		Name:             "HyperSecu HyperFIDO",
		VendorIDPattern:  "096e|2ccf",
		ProductIDPattern: "0880",
	},
	{
		Name:             "HyperSecu HyperFIDO Pro",
		VendorIDPattern:  "2ccf",
		ProductIDPattern: "0854",
	},
	{
		Name:             "Feitian ePass FIDO, BioPass FIDO2",
		VendorIDPattern:  "096e",
		ProductIDPattern: "0850|0852|0853|0854|0856|0858|085a|085b|085d",
	},
	{
		Name:             "JaCarta U2F",
		VendorIDPattern:  "24dc",
		ProductIDPattern: "0101",
	},
	{
		Name:             "U2F Zero",
		VendorIDPattern:  "10c4",
		ProductIDPattern: "8acf",
	},
	{
		Name:             "VASCO SeccureClick",
		VendorIDPattern:  "1a44",
		ProductIDPattern: "00bb",
	},
	{
		Name:             "Bluink Key",
		VendorIDPattern:  "2abe",
		ProductIDPattern: "1002",
	},
	{
		Name:             "Thetis Key",
		VendorIDPattern:  "1ea8",
		ProductIDPattern: "f025",
	},
	{
		Name:             "Nitrokey FIDO U2F",
		VendorIDPattern:  "20a0",
		ProductIDPattern: "4287",
	},
	{
		Name:             "Nitrokey FIDO2",
		VendorIDPattern:  "20a0",
		ProductIDPattern: "42b1",
	},
	{
		Name:             "Nitrokey 3",
		VendorIDPattern:  "20a0",
		ProductIDPattern: "42b2",
	},
	{
		Name:             "Google Titan U2F",
		VendorIDPattern:  "18d1",
		ProductIDPattern: "5026",
	},
	{
		Name:             "Tomu board + chopstx U2F + SoloKeys",
		VendorIDPattern:  "0483",
		ProductIDPattern: "cdab|a2ca",
	},
	{
		Name:             "SoloKeys",
		VendorIDPattern:  "1209",
		ProductIDPattern: "5070|50b0|beee",
	},
	{
		Name:             "OnlyKey",
		VendorIDPattern:  "1d50",
		ProductIDPattern: "60fc",
	},
	{
		Name:             "MIRKey",
		VendorIDPattern:  "0483",
		ProductIDPattern: "a2ac",
	},
	{
		Name:             "Ledger Blue + Nano S + Nano X",
		VendorIDPattern:  "2c97",
		ProductIDPattern: "0000|0001|0004|0005|0015|1005|1015|4005|4015",
	},
	{
		Name:             "GoTrust Idem Key",
		VendorIDPattern:  "32a3",
		ProductIDPattern: "3201",
	},
	{
		Name:             "Trezor",
		VendorIDPattern:  "534c",
		ProductIDPattern: "0001|0002",
	},
	{
		Name:             "Trezor v2",
		VendorIDPattern:  "1209",
		ProductIDPattern: "53c0|53c1",
	},
	{
		Name:             "U2F-TOKEN (Tomu et al.)",
		VendorIDPattern:  "16d0",
		ProductIDPattern: "0e90",
	},
}
   166  
// u2fDevicesConnectedPlugAppArmor is the AppArmor snippet registered as
// connectedPlugAppArmor in init.
//
// The /dev/hidraw* rule is a glob over every hidraw node, not only U2F
// tokens; the policy's own comment states that narrowing to specific devices
// is left to the device cgroup. NOTE(review): presumably that cgroup is
// populated from the udev tags emitted by UDevConnectedPlug; confirm this,
// and do not treat this profile alone as confining a snap to the listed
// tokens where device-cgroup enforcement is unavailable.
//
// The remaining rules grant read-only access to udev data files and to HID
// report descriptors under /sys/devices.
const u2fDevicesConnectedPlugAppArmor = `
# Description: Allow write access to u2f hidraw devices.

# Use a glob rule and rely on device cgroup for mediation.
/dev/hidraw* rw,

# char 234-254 are used for dynamic assignment, which u2f devices are
/run/udev/data/c23[4-9]:* r,
/run/udev/data/c24[0-9]:* r,
/run/udev/data/c25[0-4]:* r,

# misc required accesses
/run/udev/data/+power_supply:hid* r,
/run/udev/data/c14:[0-9]* r,
/sys/devices/**/i2c*/**/report_descriptor r,
/sys/devices/**/usb*/**/report_descriptor r,
`
   184  
// u2fDevicesInterface implements the u2f-devices interface. It embeds
// commonInterface, which carries the static metadata set in init, and adds
// the per-device udev tagging in UDevConnectedPlug.
type u2fDevicesInterface struct {
	commonInterface
}
   188  
// UDevConnectedPlug adds one udev tagging rule per entry of u2fDevices to
// spec. Each rule matches hidraw nodes whose idVendor and idProduct
// attributes match the entry's patterns, and is preceded by a comment line
// carrying the entry's name. Neither plug nor slot is consulted, so every
// connected plug receives the same rule set. It always returns nil.
func (iface *u2fDevicesInterface) UDevConnectedPlug(spec *udev.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	// The three fields are interpolated without escaping. That is only safe
	// because they are compile-time constants from u2fDevices; table entries
	// must stay free of double quotes and newlines.
	const ruleFormat = "# %s\nSUBSYSTEM==\"hidraw\", KERNEL==\"hidraw*\", ATTRS{idVendor}==\"%s\", ATTRS{idProduct}==\"%s\""

	for i := range u2fDevices {
		dev := &u2fDevices[i]
		rule := fmt.Sprintf(ruleFormat, dev.Name, dev.VendorIDPattern, dev.ProductIDPattern)
		spec.TagDevice(rule)
	}
	return nil
}
   195  
// init registers the u2f-devices interface. The slot is marked implicit on
// both core and classic systems, and the base declaration and connected-plug
// AppArmor snippet come from the constants defined in this file.
func init() {
	base := commonInterface{
		name:                  "u2f-devices",
		summary:               u2fDevicesSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  u2fDevicesBaseDeclarationSlots,
		connectedPlugAppArmor: u2fDevicesConnectedPlugAppArmor,
	}
	registerIface(&u2fDevicesInterface{commonInterface: base})
}