
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2017-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"strings"
    24  
    25  	"gitee.com/mysnapcore/mysnapd/interfaces"
    26  	"gitee.com/mysnapcore/mysnapd/interfaces/apparmor"
    27  	"gitee.com/mysnapcore/mysnapd/interfaces/seccomp"
    28  	"gitee.com/mysnapcore/mysnapd/interfaces/udev"
    29  	"gitee.com/mysnapcore/mysnapd/snap"
    30  )
    31  
// waylandSummary is the one-line description of the interface reported via StaticInfo.
const waylandSummary = `allows access to compositors supporting wayland protocol`
    33  
// waylandBaseDeclarationSlots is the base-declaration policy for the slot side.
// Only app and core snaps may carry the slot: the slot is the privileged half of
// this interface (see waylandPermanentSlotAppArmor). The deny-connection and
// deny-auto-connection rules are keyed on "on-classic: false", which, as snapd
// evaluates base declarations, means connections are denied by default outside
// classic systems unless a snap declaration overrides it.
const waylandBaseDeclarationSlots = `
  wayland:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-connection:
      on-classic: false
    deny-auto-connection:
      on-classic: false
`
    45  
// waylandPermanentSlotAppArmor is applied to the slot snap (the compositor)
// unconditionally, i.e. whether or not any plug is connected. It is a
// privileged profile: it grants capability sys_admin and sys_tty_config,
// read/write access to every /dev/input node (the rule itself notes this
// allows reading and injecting input events) and to /dev/tty*, and write
// access to /run/user/*/ for creating XDG_RUNTIME_DIR. Any addition here
// widens what a compositor snap can do on the host; review with that in mind.
const waylandPermanentSlotAppArmor = `
# Description: Allow operating as a Wayland display server. This gives privileged access
# to the system.

# needed since Wayland is a display server and needs to configure tty devices
capability sys_tty_config,
/dev/tty[0-9]* rw,

# Create the Wayland socket and lock file
owner /run/user/[0-9]*/wayland-[0-9]* rwk,
# Allow access to common client Wayland sockets from non-snap clients
/run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
# Some Wayland based toolkits (Qt, GTK3, SDL2) and Xwayland create shm files to pass
# to the server. Although they are passed by FD we still need rw access to the file.
/run/user/[0-9]*/snap.*/{wayland-cursor,xwayland}-shared-* rw,

# Allow write access to create /run/user/* to create XDG_RUNTIME_DIR (until
# lp:1738197 is fixed). Note this is not needed if creating a session using
# logind (as provided by the login-session-control snapd interface).
/run/user/[0-9]*/ w,

# Needed for mode setting via drmSetMaster() and drmDropMaster()
capability sys_admin,

# Weston probes this on start
/sys/devices/pci**/boot_vga r,

# NOTE: this allows reading and inserting all input events
/dev/input/* rw,

# For using udev
network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:input[0-9]* r,
/run/udev/data/+platform:* r,

# MESA reads this dri config file
/etc/drirc r,
`
    85  
// waylandPermanentSlotSecComp is the seccomp allow-list for the slot snap,
// also applied unconditionally: the socket-server syscalls (bind, listen,
// accept, accept4) plus the AF_NETLINK uevent socket used to talk to udev.
const waylandPermanentSlotSecComp = `
# Description: Allow operating as a Wayland server. This gives privileged access
# to the system.
# Needed for server launch
bind
listen
# Needed by server upon client connect
accept
accept4
# for udev
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`
    98  
// waylandConnectedSlotAppArmor is added to the slot snap once per connected
// plug. ###PLUG_SECURITY_TAGS### is substituted by AppArmorConnectedSlot with
// the plug snap's runtime-dir name ("snap." + instance name), so the
// compositor is only granted the shm files of snaps actually connected to it.
const waylandConnectedSlotAppArmor = `
# Allow access to common client Wayland sockets for connected snaps
owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
`
   103  
// waylandConnectedPlugAppArmor is added to the plug snap (the client) once
// connected. It exposes only the user's own compositor socket (owner-restricted)
// and read access to the MESA dri config; no device or capability access is
// granted on the client side.
const waylandConnectedPlugAppArmor = `
# Allow access to the Wayland compositor server socket
owner /run/user/[0-9]*/wayland-[0-9]* rw,

# Needed when using QT_QPA_PLATFORM=wayland-egl (MESA dri config)
/etc/drirc r,
`
   111  
// waylandInterface implements the "wayland" interface: the slot side is a
// Wayland compositor (privileged), the plug side a client that connects to it.
type waylandInterface struct{}

// Name returns the interface name as it appears in snap.yaml plugs and slots.
func (iface *waylandInterface) Name() string {
	const ifaceName = "wayland"
	return ifaceName
}
   117  
// StaticInfo describes the interface to snapd: its summary, the base
// declaration governing slots, and that the slot is provided implicitly on
// classic systems (ImplicitOnClassic).
func (iface *waylandInterface) StaticInfo() interfaces.StaticInfo {
	var info interfaces.StaticInfo
	info.Summary = waylandSummary
	info.ImplicitOnClassic = true
	info.BaseDeclarationSlots = waylandBaseDeclarationSlots
	return info
}
   125  
// AppArmorConnectedPlug grants the client snap access to the compositor socket
// and the MESA dri config once the plug is connected. The snippet is static:
// it does not depend on which slot the plug was connected to, so plug and
// slot are not consulted.
func (iface *waylandInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	snippet := waylandConnectedPlugAppArmor
	spec.AddSnippet(snippet)
	return nil
}
   130  
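// AppArmorConnectedSlot extends the compositor's profile, per connection, with
// access to the shm files the connected client creates under its own
// XDG_RUNTIME_DIR subdirectory (/run/user/*/snap.<instance>/).
//
// The substituted value is spliced into an AppArmor path pattern, so it must
// never contain AppArmor glob metacharacters. That is not re-checked here; it
// relies on snap instance names having been validated before the snap reached
// this point (NOTE(review): confirm that validation also covers instance keys).
func (iface *waylandInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	// "snap.<instance>" is the snap-instance-specific subdirectory of
	// /run/user/*/ used as the snap's XDG_RUNTIME_DIR. (Named runtimeDir
	// rather than "new" so the builtin is not shadowed.)
	runtimeDir := "snap." + plug.Snap().InstanceName()
	snippet := strings.Replace(waylandConnectedSlotAppArmor, placeholder, runtimeDir, -1)
	spec.AddSnippet(snippet)
	return nil
}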
   138  
// SecCompPermanentSlot installs the compositor's seccomp allow-list. It is
// permanent: applied as soon as the slot snap is installed, independent of
// any connection.
func (iface *waylandInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	rules := waylandPermanentSlotSecComp
	spec.AddSnippet(rules)
	return nil
}
   143  
// AppArmorPermanentSlot installs the compositor's privileged AppArmor rules
// (capabilities, tty and input device access). It is permanent: applied as
// soon as the slot snap is installed, independent of any connection.
func (iface *waylandInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	rules := waylandPermanentSlotAppArmor
	spec.AddSnippet(rules)
	return nil
}
   148  
// UDevPermanentSlot tags the device nodes the compositor needs (ttys and the
// input devices: mice, mouse*, event*, ts*) so the device cgroup of the slot
// snap admits them, and re-triggers the input subsystem so existing devices
// get tagged too. Like the other permanent-slot hooks this is applied on
// install, not on connection.
func (iface *waylandInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
	spec.TriggerSubsystem("input")
	// Order is preserved from the original rule list.
	kernelMatches := []string{
		`KERNEL=="tty[0-9]*"`,
		`KERNEL=="mice"`,
		`KERNEL=="mouse[0-9]*"`,
		`KERNEL=="event[0-9]*"`,
		`KERNEL=="ts[0-9]*"`,
	}
	for _, match := range kernelMatches {
		spec.TagDevice(match)
	}
	return nil
}
   158  
// AutoConnect reports that the interface itself places no restriction on
// auto-connection; whether a connection is actually made is left entirely to
// the base and snap declarations.
func (iface *waylandInterface) AutoConnect(_ *snap.PlugInfo, _ *snap.SlotInfo) bool {
	return true
}
   163  
// init registers the wayland interface with the builtin interface registry.
func init() {
	var iface waylandInterface
	registerIface(&iface)
}