gitee.com/mysnapcore/mysnapd@v0.1.0/interfaces/polkit/backend.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2021 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 // Package polkit implements interaction between snapd and polkit. 21 // 22 // Snapd installs polkitd policy files on behalf of snaps that 23 // describe administrative actions they can perform on behalf of 24 // clients. 25 // 26 // The policy files are XML files whose format is described here: 27 // https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-declaring-actions 28 package polkit 29 30 import ( 31 "fmt" 32 "os" 33 34 "gitee.com/mysnapcore/mysnapd/dirs" 35 "gitee.com/mysnapcore/mysnapd/interfaces" 36 "gitee.com/mysnapcore/mysnapd/osutil" 37 "gitee.com/mysnapcore/mysnapd/snap" 38 "gitee.com/mysnapcore/mysnapd/timings" 39 ) 40 41 func polkitPolicyName(snapName, nameSuffix string) string { 42 return snap.ScopedSecurityTag(snapName, "interface", nameSuffix) + ".policy" 43 } 44 45 // Backend is responsible for maintaining polkitd policy files. 46 type Backend struct{} 47 48 // Initialize does nothing. 49 func (b *Backend) Initialize(*interfaces.SecurityBackendOptions) error { 50 return nil 51 } 52 53 // Name returns the name of the backend. 54 func (b *Backend) Name() interfaces.SecuritySystem { 55 return interfaces.SecurityPolkit 56 } 57 58 // Setup installs the polkit policy files specific to a given snap. 59 // 60 // Polkit has no concept of a complain mode so confinment type is ignored. 61 func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository, tm timings.Measurer) error { 62 snapName := snapInfo.InstanceName() 63 // Get the policies that apply to this snap 64 spec, err := repo.SnapSpecification(b.Name(), snapName) 65 if err != nil { 66 return fmt.Errorf("cannot obtain polkit specification for snap %q: %s", snapName, err) 67 } 68 69 // Get the files that this snap should have 70 glob := polkitPolicyName(snapName, "*") 71 content := deriveContent(spec.(*Specification), snapInfo) 72 dir := dirs.SnapPolkitPolicyDir 73 74 // If we do not have any content to write, there is no point 75 // ensuring the directory exists. 76 if content != nil { 77 if err := os.MkdirAll(dir, 0755); err != nil { 78 return fmt.Errorf("cannot create directory for polkit policy files %q: %s", dir, err) 79 } 80 } 81 _, _, err = osutil.EnsureDirState(dir, glob, content) 82 if err != nil { 83 return fmt.Errorf("cannot synchronize polkit policy files for snap %q: %s", snapName, err) 84 } 85 return nil 86 } 87 88 // Remove removes polkit policy files of a given snap. 89 // 90 // This method should be called after removing a snap. 91 func (b *Backend) Remove(snapName string) error { 92 glob := polkitPolicyName(snapName, "*") 93 _, _, err := osutil.EnsureDirState(dirs.SnapPolkitPolicyDir, glob, nil) 94 if err != nil { 95 return fmt.Errorf("cannot synchronize polkit files for snap %q: %s", snapName, err) 96 } 97 return nil 98 } 99 100 // deriveContent combines security snippets collected from all the interfaces 101 // affecting a given snap into a content map applicable to EnsureDirState. 102 func deriveContent(spec *Specification, snapInfo *snap.Info) map[string]osutil.FileState { 103 policies := spec.Policies() 104 if len(policies) == 0 { 105 return nil 106 } 107 content := make(map[string]osutil.FileState, len(policies)+1) 108 for nameSuffix, policyContent := range policies { 109 filename := polkitPolicyName(snapInfo.InstanceName(), nameSuffix) 110 content[filename] = &osutil.MemoryFileState{ 111 Content: policyContent, 112 Mode: 0644, 113 } 114 } 115 return content 116 } 117 118 func (b *Backend) NewSpecification() interfaces.Specification { 119 return &Specification{} 120 } 121 122 // SandboxFeatures returns list of features supported by snapd for polkit policy. 123 func (b *Backend) SandboxFeatures() []string { 124 return nil 125 }