gitee.com/mysnapcore/mysnapd@v0.1.0/interfaces/builtin/unity7.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2017 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin 21 22 import ( 23 "strings" 24 25 "gitee.com/mysnapcore/mysnapd/interfaces" 26 "gitee.com/mysnapcore/mysnapd/interfaces/apparmor" 27 "gitee.com/mysnapcore/mysnapd/interfaces/seccomp" 28 "gitee.com/mysnapcore/mysnapd/snap" 29 ) 30 31 const unity7Summary = `allows interacting with Unity 7 services` 32 33 const unity7BaseDeclarationSlots = ` 34 unity7: 35 allow-installation: 36 slot-snap-type: 37 - core 38 ` 39 40 const unity7ConnectedPlugAppArmor = ` 41 # Description: Can access Unity7. Note, Unity 7 runs on X and requires access 42 # to various DBus services and this environment does not prevent eavesdropping 43 # or apps interfering with one another. 44 45 #include <abstractions/dbus-strict> 46 #include <abstractions/dbus-session-strict> 47 48 # Allow finding the DBus session bus id (eg, via dbus_bus_get_id()) 49 dbus (send) 50 bus=session 51 path=/org/freedesktop/DBus 52 interface=org.freedesktop.DBus 53 member=GetId 54 peer=(name=org.freedesktop.DBus, label=unconfined), 55 56 #include <abstractions/X> 57 58 #include <abstractions/fonts> 59 owner @{HOME}/.local/share/fonts/{,**} r, 60 /var/cache/fontconfig/ r, 61 /var/cache/fontconfig/** mr, 62 63 # subset of gnome abstraction 64 /etc/gnome/defaults.list r, 65 66 /etc/gtk-*/* r, 67 /usr/lib{,32,64}/gtk-*/** mr, 68 /usr/lib{,32,64}/gdk-pixbuf-*/** mr, 69 /usr/lib/@{multiarch}/gtk-*/** mr, 70 /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr, 71 72 /etc/pango/* r, 73 /usr/lib{,32,64}/pango/** mr, 74 /usr/lib/@{multiarch}/pango/** mr, 75 76 /usr/share/icons/ r, 77 /usr/share/icons/** r, 78 /usr/share/icons/*/index.theme rk, 79 /usr/share/pixmaps/ r, 80 /usr/share/pixmaps/** r, 81 82 # The snapcraft desktop part may look for schema files in various locations, so 83 # allow reading system installed schemas. 84 /usr/share/glib*/schemas/{,*} r, 85 86 # Snappy's 'xdg-open' talks to the snapd-xdg-open service which currently works 87 # only in environments supporting dbus-send (eg, X11). In the future once 88 # snappy's xdg-open supports all snaps images, this access may move to another 89 # interface. This is duplicated from desktop for compatibility with existing 90 # snaps. 91 /usr/bin/xdg-open ixr, 92 # While /usr/share/applications comes from the base runtime of the snap, it 93 # has some things that snaps actually need, so allow access to those and deny 94 # access to the others. This is duplicated from desktop for compatibility with 95 # existing snaps. 96 /usr/share/applications/ r, 97 /usr/share/applications/mimeapps.list r, 98 /usr/share/applications/xdg-open.desktop r, 99 # silence noisy denials from desktop files in core* snaps that aren't usable by 100 # snaps 101 deny /usr/share/applications/python*.desktop r, 102 deny /usr/share/applications/vim.desktop r, 103 deny /usr/share/applications/snap-handle-link.desktop r, # core16 104 105 # This allow access to the first version of the snapd-xdg-open 106 # version which was shipped outside of snapd 107 dbus (send) 108 bus=session 109 path=/ 110 interface=com.canonical.SafeLauncher 111 member=OpenURL 112 peer=(label=unconfined), 113 # ... and this allows access to the new xdg-open service which 114 # is now part of snapd itself. 115 dbus (send) 116 bus=session 117 path=/io/snapcraft/Launcher 118 interface=io.snapcraft.Launcher 119 member={OpenURL,OpenFile} 120 peer=(label=unconfined), 121 122 # Allow use of snapd's internal 'xdg-settings' 123 /usr/bin/xdg-settings ixr, 124 dbus (send) 125 bus=session 126 path=/io/snapcraft/Settings 127 interface=io.snapcraft.Settings 128 member={Check,CheckSub,Get,GetSub,Set,SetSub} 129 peer=(label=unconfined), 130 131 # input methods (ibus) 132 # subset of ibus abstraction 133 /usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr, 134 owner @{HOME}/.config/ibus/ r, 135 owner @{HOME}/.config/ibus/bus/ r, 136 owner @{HOME}/.config/ibus/bus/* r, 137 138 # allow communicating with ibus-daemon (this allows sniffing key events) 139 unix (connect, receive, send) 140 type=stream 141 peer=(addr="@/tmp/ibus/dbus-*"), 142 143 # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache) 144 # This should use this, but due to LP: #1856738 we cannot 145 #unix (connect, receive, send) 146 # type=stream 147 # peer=(addr="@@{HOME}/.cache/ibus/dbus-*"), 148 unix (connect, receive, send) 149 type=stream 150 peer=(addr="@/home/*/.cache/ibus/dbus-*"), 151 152 153 # input methods (mozc) 154 # allow communicating with mozc server (TODO: investigate if allows sniffing) 155 unix (connect, receive, send) 156 type=stream 157 peer=(addr="@tmp/.mozc.*"), 158 159 160 # input methods (fcitx) 161 # allow communicating with fcitx dbus service 162 dbus send 163 bus=fcitx 164 path=/org/freedesktop/DBus 165 interface=org.freedesktop.DBus 166 member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} 167 peer=(name=org.freedesktop.DBus), 168 169 owner @{HOME}/.config/fcitx/dbus/* r, 170 171 # allow creating an input context 172 dbus send 173 bus={fcitx,session} 174 path=/inputmethod 175 interface=org.fcitx.Fcitx.InputMethod 176 member=CreateIC* 177 peer=(label=unconfined), 178 179 # allow setting up and tearing down the input context 180 dbus send 181 bus={fcitx,session} 182 path=/inputcontext_[0-9]* 183 interface=org.fcitx.Fcitx.InputContext 184 member="{Close,Destroy,Enable}IC" 185 peer=(label=unconfined), 186 187 dbus send 188 bus={fcitx,session} 189 path=/inputcontext_[0-9]* 190 interface=org.fcitx.Fcitx.InputContext 191 member=Reset 192 peer=(label=unconfined), 193 194 # allow service to send us signals 195 dbus receive 196 bus=fcitx 197 peer=(label=unconfined), 198 199 dbus receive 200 bus=session 201 interface=org.fcitx.Fcitx.* 202 peer=(label=unconfined), 203 204 # use the input context 205 dbus send 206 bus={fcitx,session} 207 path=/inputcontext_[0-9]* 208 interface=org.fcitx.Fcitx.InputContext 209 member="Focus{In,Out}" 210 peer=(label=unconfined), 211 212 dbus send 213 bus={fcitx,session} 214 path=/inputcontext_[0-9]* 215 interface=org.fcitx.Fcitx.InputContext 216 member="{CommitPreedit,Set*}" 217 peer=(label=unconfined), 218 219 # this is an information leak and allows key and mouse sniffing. If the input 220 # context path were tied to the process' security label, this would not be an 221 # issue. 222 dbus send 223 bus={fcitx,session} 224 path=/inputcontext_[0-9]* 225 interface=org.fcitx.Fcitx.InputContext 226 member="{MouseEvent,ProcessKeyEvent}" 227 peer=(label=unconfined), 228 229 # this method does not exist with the sunpinyin backend (at least), so allow 230 # it for other input methods. This may consitute an information leak (which, 231 # again, could be avoided if the path were tied to the process' security 232 # label). 233 dbus send 234 bus={fcitx,session} 235 path=/inputcontext_[0-9]* 236 interface=org.freedesktop.DBus.Properties 237 member=GetAll 238 peer=(label=unconfined), 239 240 # Needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink 241 # raw' rule is not finely mediated by apparmor so we mediate with seccomp arg 242 # filtering. 243 network netlink raw, 244 /run/udev/data/c13:[0-9]* r, 245 /run/udev/data/+input:* r, 246 247 # subset of freedesktop.org 248 /usr/share/mime/** r, 249 owner @{HOME}/.local/share/mime/** r, 250 owner @{HOME}/.config/user-dirs.* r, 251 252 /etc/xdg/user-dirs.conf r, 253 /etc/xdg/user-dirs.defaults r, 254 255 # gtk settings (subset of gnome abstraction) 256 owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini r, 257 owner @{HOME}/.config/gtk-3.0/settings.ini r, 258 # Note: this leaks directory names that wouldn't otherwise be known to the snap 259 owner @{HOME}/.config/gtk-3.0/bookmarks r, 260 261 # accessibility 262 #include <abstractions/dbus-accessibility-strict> 263 dbus (send) 264 bus=session 265 path=/org/a11y/bus 266 interface=org.a11y.Bus 267 member=GetAddress 268 peer=(label=unconfined), 269 dbus (send) 270 bus=session 271 path=/org/a11y/bus 272 interface=org.freedesktop.DBus.Properties 273 member=Get{,All} 274 peer=(label=unconfined), 275 276 # unfortunate, but org.a11y.atspi is not designed for separation 277 dbus (receive, send) 278 bus=accessibility 279 path=/org/a11y/atspi/** 280 peer=(label=unconfined), 281 282 # org.freedesktop.Accounts 283 dbus (send) 284 bus=system 285 path=/org/freedesktop/Accounts 286 interface=org.freedesktop.DBus.Introspectable 287 member=Introspect 288 peer=(label=unconfined), 289 290 dbus (send) 291 bus=system 292 path=/org/freedesktop/Accounts 293 interface=org.freedesktop.Accounts 294 member=FindUserById 295 peer=(label=unconfined), 296 297 # Get() is an information leak 298 # TODO: verify what it is leaking 299 dbus (receive, send) 300 bus=system 301 path=/org/freedesktop/Accounts/User[0-9]* 302 interface=org.freedesktop.DBus.Properties 303 member={Get,PropertiesChanged} 304 peer=(label=unconfined), 305 306 # gmenu 307 # Note: the gmenu DBus api was not designed for application isolation and apps 308 # may specify anything as their 'path'. For example, these work in the many 309 # cases: 310 # - /org/gtk/Application/anonymous{,/**} 311 # - /com/canonical/unity/gtk/window/[0-9]* 312 # but libreoffice does: 313 # - /org/libreoffice{,/**} 314 # As such, cannot mediate by DBus path so we'll be as strict as we can in the 315 # other mediated parts 316 dbus (send) 317 bus=session 318 interface=org.gtk.Actions 319 member=Changed 320 peer=(label=unconfined), 321 322 dbus (receive) 323 bus=session 324 interface=org.gtk.Actions 325 member={Activate,DescribeAll,SetState} 326 peer=(label=unconfined), 327 328 dbus (receive) 329 bus=session 330 interface=org.gtk.Menus 331 member={Start,End} 332 peer=(label=unconfined), 333 334 dbus (send) 335 bus=session 336 interface=org.gtk.Menus 337 member=Changed 338 peer=(label=unconfined), 339 340 # Ubuntu menus 341 dbus (send) 342 bus=session 343 path="/com/ubuntu/MenuRegistrar" 344 interface="com.ubuntu.MenuRegistrar" 345 member="{Register,Unregister}{App,Surface}Menu" 346 peer=(label=unconfined), 347 348 # url helper 349 dbus (send) 350 bus=session 351 interface=com.canonical.SafeLauncher.OpenURL 352 peer=(label=unconfined), 353 # new url helper (part of snap userd) 354 dbus (send) 355 bus=session 356 interface=io.snapcraft.Launcher.OpenURL 357 peer=(label=unconfined), 358 359 # dbusmenu 360 dbus (send) 361 bus=session 362 path=/{MenuBar{,/[0-9A-F]*},com/canonical/{menu/[0-9A-F]*,dbusmenu}} 363 interface=com.canonical.dbusmenu 364 member="{LayoutUpdated,ItemsPropertiesUpdated}" 365 peer=(label=unconfined), 366 367 dbus (receive) 368 bus=session 369 path=/{MenuBar{,/[0-9A-F]*},com/canonical/{menu/[0-9A-F]*,dbusmenu}} 370 interface="{com.canonical.dbusmenu,org.freedesktop.DBus.Properties}" 371 member=Get* 372 peer=(label=unconfined), 373 374 dbus (receive) 375 bus=session 376 path=/{MenuBar{,/[0-9A-F]*},com/canonical/{menu/[0-9A-F]*,dbusmenu}} 377 interface=com.canonical.dbusmenu 378 member="{AboutTo*,Event*}" 379 peer=(label=unconfined), 380 381 dbus (receive) 382 bus=session 383 path=/{MenuBar{,/[0-9A-F]*},com/canonical/{menu/[0-9A-F]*,dbusmenu}} 384 interface=org.freedesktop.DBus.Introspectable 385 member=Introspect 386 peer=(label=unconfined), 387 388 dbus (receive) 389 bus=session 390 path=/com/canonical/dbusmenu 391 interface=org.freedesktop.DBus.Properties 392 member=Get* 393 peer=(label=unconfined), 394 395 # app-indicators 396 dbus (send) 397 bus=session 398 path=/StatusNotifierWatcher 399 interface=org.freedesktop.DBus.Introspectable 400 member=Introspect 401 peer=(name=org.kde.StatusNotifierWatcher, label=unconfined), 402 403 dbus (send) 404 bus=session 405 path=/org/freedesktop/DBus 406 interface=org.freedesktop.DBus 407 member="{GetConnectionUnixProcessID,RequestName,ReleaseName}" 408 peer=(name=org.freedesktop.DBus, label=unconfined), 409 410 dbus (bind) 411 bus=session 412 name=org.kde.StatusNotifierItem-[0-9]*, 413 414 dbus (send) 415 bus=session 416 path=/StatusNotifierWatcher 417 interface=org.freedesktop.DBus.Properties 418 member=Get 419 peer=(name=org.kde.StatusNotifierWatcher, label=unconfined), 420 421 dbus (send) 422 bus=session 423 path=/{StatusNotifierWatcher,org/ayatana/NotificationItem/*} 424 interface=org.kde.StatusNotifierWatcher 425 member=RegisterStatusNotifierItem 426 peer=(label=unconfined), 427 428 dbus (send) 429 bus=session 430 path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} 431 interface=org.kde.StatusNotifierItem 432 member="New{AttentionIcon,Icon,IconThemePath,OverlayIcon,Status,Title,ToolTip}" 433 peer=(label=unconfined), 434 435 dbus (receive) 436 bus=session 437 path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} 438 interface=org.kde.StatusNotifierItem 439 member={Activate,ContextMenu,Scroll,SecondaryActivate,XAyatanaSecondaryActivate} 440 peer=(label=unconfined), 441 442 dbus (send) 443 bus=session 444 path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} 445 interface=com.canonical.dbusmenu 446 member="{LayoutUpdated,ItemsPropertiesUpdated}" 447 peer=(label=unconfined), 448 449 dbus (receive) 450 bus=session 451 path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} 452 interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} 453 member={Get*,AboutTo*,Event*} 454 peer=(label=unconfined), 455 456 # notifications 457 dbus (send) 458 bus=session 459 path=/org/freedesktop/Notifications 460 interface=org.freedesktop.Notifications 461 member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}" 462 peer=(label=unconfined), 463 464 dbus (receive) 465 bus=session 466 path=/org/freedesktop/Notifications 467 interface=org.freedesktop.Notifications 468 member={ActionInvoked,NotificationClosed,NotificationReplied} 469 peer=(label=unconfined), 470 471 # KDE Plasma's Inhibited property indicating "do not disturb" mode 472 # https://invent.kde.org/plasma/plasma-workspace/-/blob/master/libnotificationmanager/dbus/org.freedesktop.Notifications.xml#L42 473 dbus (send) 474 bus=session 475 path=/org/freedesktop/Notifications 476 interface=org.freedesktop.DBus.Properties 477 member="Get{,All}" 478 peer=(label=unconfined), 479 480 dbus (receive) 481 bus=session 482 path=/org/freedesktop/Notifications 483 interface=org.freedesktop.DBus.Properties 484 member=PropertiesChanged 485 peer=(label=unconfined), 486 487 dbus (send) 488 bus=session 489 path=/org/ayatana/NotificationItem/* 490 interface=org.kde.StatusNotifierItem 491 member=XAyatanaNew* 492 peer=(label=unconfined), 493 494 # unity launcher 495 dbus (send) 496 bus=session 497 path=/com/canonical/unity/launcherentry/[0-9]* 498 interface=com.canonical.Unity.LauncherEntry 499 member=Update 500 peer=(label=unconfined), 501 502 dbus (send) 503 bus=session 504 path=/com/canonical/unity/launcherentry/[0-9]* 505 interface=com.canonical.dbusmenu 506 member="{LayoutUpdated,ItemsPropertiesUpdated}" 507 peer=(label=unconfined), 508 509 dbus (receive) 510 bus=session 511 path=/com/canonical/unity/launcherentry/[0-9]* 512 interface="{com.canonical.dbusmenu,org.freedesktop.DBus.Properties}" 513 member=Get* 514 peer=(label=unconfined), 515 516 ###SNAP_DESKTOP_FILE_RULES### 517 # Snaps are unable to use the data in mimeinfo.cache (since they can't execute 518 # the returned desktop file themselves). unity messaging menu doesn't require 519 # mimeinfo.cache and xdg-mime will fallback to reading the desktop files 520 # directly to look for MimeType. Since reading the snap's own desktop files is 521 # allowed, we can safely deny access to this file (and xdg-mime will either 522 # return one of the snap's mimetypes, or none). 523 deny /var/lib/snapd/desktop/applications/mimeinfo.cache r, 524 525 # then allow talking to Unity DBus service 526 dbus (send) 527 bus=session 528 interface=org.freedesktop.DBus.Properties 529 path=/com/canonical/indicator/messages/service 530 member=GetAll 531 peer=(label=unconfined), 532 533 dbus (send) 534 bus=session 535 path=/com/canonical/indicator/messages/service 536 interface=com.canonical.indicator.messages.service 537 member={Register,Unregister}Application 538 peer=(label=unconfined), 539 540 # When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule 541 # allows the snap to access parallel installs of this snap. 542 dbus (receive) 543 bus=session 544 interface=org.freedesktop.DBus.Properties 545 path=/com/canonical/indicator/messages/###UNITY_SNAP_NAME###_*_desktop 546 member=GetAll 547 peer=(label=unconfined), 548 549 # When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule 550 # allows the snap to access parallel installs of this snap. 551 dbus (receive, send) 552 bus=session 553 interface=com.canonical.indicator.messages.application 554 path=/com/canonical/indicator/messages/###UNITY_SNAP_NAME###_*_desktop 555 peer=(label=unconfined), 556 557 # This rule is meant to be covered by abstractions/dbus-session-strict but 558 # the unity launcher code has a typo that uses /org/freedesktop/dbus as the 559 # path instead of /org/freedesktop/DBus, so we need to all it here. 560 dbus (send) 561 bus=session 562 path=/org/freedesktop/dbus 563 interface=org.freedesktop.DBus 564 member=NameHasOwner 565 peer=(name=org.freedesktop.DBus, label=unconfined), 566 567 # appmenu 568 dbus (send) 569 bus=session 570 path=/org/freedesktop/DBus 571 interface=org.freedesktop.DBus 572 member=ListNames 573 peer=(name=org.freedesktop.DBus, label=unconfined), 574 575 dbus (send) 576 bus=session 577 path=/com/canonical/AppMenu/Registrar 578 interface=com.canonical.AppMenu.Registrar 579 member="{RegisterWindow,UnregisterWindow}" 580 peer=(label=unconfined), 581 582 dbus (send) 583 bus=session 584 path=/com/canonical/AppMenu/Registrar 585 interface=com.canonical.dbusmenu 586 member=UnregisterWindow 587 peer=(label=unconfined), 588 589 dbus (receive) 590 bus=session 591 path=/com/canonical/menu/[0-9]* 592 interface="{org.freedesktop.DBus.Properties,com.canonical.dbusmenu}" 593 member="{GetAll,GetLayout}" 594 peer=(label=unconfined), 595 596 # Allow requesting interest in receiving media key events. This tells Gnome 597 # settings that our application should be notified when key events we are 598 # interested in are pressed, and allows us to receive those events. 599 dbus (receive, send) 600 bus=session 601 interface=org.gnome.SettingsDaemon.MediaKeys 602 path=/org/gnome/SettingsDaemon/MediaKeys 603 peer=(label=unconfined), 604 dbus (send) 605 bus=session 606 interface=org.freedesktop.DBus.Properties 607 path=/org/gnome/SettingsDaemon/MediaKeys 608 member="Get{,All}" 609 peer=(label=unconfined), 610 611 # Allow checking status, activating and locking the screensaver 612 # mate 613 dbus (send) 614 bus=session 615 path="/{,org/mate/}ScreenSaver" 616 interface=org.mate.ScreenSaver 617 member="{GetActive,GetActiveTime,Lock,SetActive}" 618 peer=(label=unconfined), 619 620 dbus (receive) 621 bus=session 622 path="/{,org/mate/}ScreenSaver" 623 interface=org.mate.ScreenSaver 624 member=ActiveChanged 625 peer=(label=unconfined), 626 627 # Unity 628 dbus (send) 629 bus=session 630 interface=com.canonical.Unity.Session 631 path=/com/canonical/Unity/Session 632 member="{ActivateScreenSaver,IsLocked,Lock}" 633 peer=(label=unconfined), 634 635 # Allow unconfined to introspect us 636 dbus (receive) 637 bus=session 638 interface=org.freedesktop.DBus.Introspectable 639 member=Introspect 640 peer=(label=unconfined), 641 642 # gtk2/gvfs gtk_show_uri() 643 dbus (send) 644 bus=session 645 path=/org/gtk/vfs/mounttracker 646 interface=org.gtk.vfs.MountTracker 647 member=ListMountableInfo, 648 dbus (send) 649 bus=session 650 path=/org/gtk/vfs/mounttracker 651 interface=org.gtk.vfs.MountTracker 652 member=LookupMount, 653 ` 654 655 const unity7ConnectedPlugSeccomp = ` 656 # Description: Can access Unity7. Note, Unity 7 runs on X and requires access 657 # to various DBus services and this environment does not prevent eavesdropping 658 # or apps interfering with one another. 659 660 # Needed by QtSystems on X to detect mouse and keyboard 661 socket AF_NETLINK - NETLINK_KOBJECT_UEVENT 662 bind 663 ` 664 665 type unity7Interface struct{} 666 667 func (iface *unity7Interface) Name() string { 668 return "unity7" 669 } 670 671 func (iface *unity7Interface) StaticInfo() interfaces.StaticInfo { 672 return interfaces.StaticInfo{ 673 Summary: unity7Summary, 674 ImplicitOnClassic: true, 675 BaseDeclarationSlots: unity7BaseDeclarationSlots, 676 } 677 } 678 679 func (iface *unity7Interface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 680 // Unity7 will take the desktop filename and convert all '-' and '+' 681 // (and '.', but we don't care about that here because the rule above 682 // already does that) to '_'. Since we know that the desktop filename 683 // starts with the snap name, perform this conversion on the snap name. 684 // 685 // parallel-installs: UNITY_SNAP_NAME is used in the context of dbus 686 // mediation, this unintentionally opens access to dbus paths of keyed 687 // instances of @{SNAP_NAME} to @{SNAP_NAME} snap 688 new := strings.Replace(plug.Snap().DesktopPrefix(), "-", "_", -1) 689 new = strings.Replace(new, "+", "_", -1) 690 old := "###UNITY_SNAP_NAME###" 691 snippet := strings.Replace(unity7ConnectedPlugAppArmor, old, new, -1) 692 693 old = "###SNAP_DESKTOP_FILE_RULES###" 694 new = strings.Join(getDesktopFileRules(plug.Snap().DesktopPrefix()), "\n") 695 snippet = strings.Replace(snippet, old, new+"\n", -1) 696 697 spec.AddSnippet(snippet) 698 return nil 699 } 700 701 func (iface *unity7Interface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 702 spec.AddSnippet(unity7ConnectedPlugSeccomp) 703 return nil 704 } 705 706 func (iface *unity7Interface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool { 707 // allow what declarations allowed 708 return true 709 } 710 711 func init() { 712 registerIface(&unity7Interface{}) 713 }