gitee.com/mysnapcore/mysnapd@v0.1.0/interfaces/polkit/backend.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2021 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  // Package polkit implements interaction between snapd and polkit.
    21  //
    22  // Snapd installs polkitd policy files on behalf of snaps that
    23  // describe administrative actions they can perform on behalf of
    24  // clients.
    25  //
    26  // The policy files are XML files whose format is described here:
    27  // https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-declaring-actions
    28  package polkit
    29  
    30  import (
    31  	"fmt"
    32  	"os"
    33  
    34  	"gitee.com/mysnapcore/mysnapd/dirs"
    35  	"gitee.com/mysnapcore/mysnapd/interfaces"
    36  	"gitee.com/mysnapcore/mysnapd/osutil"
    37  	"gitee.com/mysnapcore/mysnapd/snap"
    38  	"gitee.com/mysnapcore/mysnapd/timings"
    39  )
    40  
    41  func polkitPolicyName(snapName, nameSuffix string) string {
    42  	return snap.ScopedSecurityTag(snapName, "interface", nameSuffix) + ".policy"
    43  }
    44  
    45  // Backend is responsible for maintaining polkitd policy files.
    46  type Backend struct{}
    47  
    48  // Initialize does nothing.
    49  func (b *Backend) Initialize(*interfaces.SecurityBackendOptions) error {
    50  	return nil
    51  }
    52  
    53  // Name returns the name of the backend.
    54  func (b *Backend) Name() interfaces.SecuritySystem {
    55  	return interfaces.SecurityPolkit
    56  }
    57  
    58  // Setup installs the polkit policy files specific to a given snap.
    59  //
    60  // Polkit has no concept of a complain mode so confinment type is ignored.
    61  func (b *Backend) Setup(snapInfo *snap.Info, opts interfaces.ConfinementOptions, repo *interfaces.Repository, tm timings.Measurer) error {
    62  	snapName := snapInfo.InstanceName()
    63  	// Get the policies that apply to this snap
    64  	spec, err := repo.SnapSpecification(b.Name(), snapName)
    65  	if err != nil {
    66  		return fmt.Errorf("cannot obtain polkit specification for snap %q: %s", snapName, err)
    67  	}
    68  
    69  	// Get the files that this snap should have
    70  	glob := polkitPolicyName(snapName, "*")
    71  	content := deriveContent(spec.(*Specification), snapInfo)
    72  	dir := dirs.SnapPolkitPolicyDir
    73  
    74  	// If we do not have any content to write, there is no point
    75  	// ensuring the directory exists.
    76  	if content != nil {
    77  		if err := os.MkdirAll(dir, 0755); err != nil {
    78  			return fmt.Errorf("cannot create directory for polkit policy files %q: %s", dir, err)
    79  		}
    80  	}
    81  	_, _, err = osutil.EnsureDirState(dir, glob, content)
    82  	if err != nil {
    83  		return fmt.Errorf("cannot synchronize polkit policy files for snap %q: %s", snapName, err)
    84  	}
    85  	return nil
    86  }
    87  
    88  // Remove removes polkit policy files of a given snap.
    89  //
    90  // This method should be called after removing a snap.
    91  func (b *Backend) Remove(snapName string) error {
    92  	glob := polkitPolicyName(snapName, "*")
    93  	_, _, err := osutil.EnsureDirState(dirs.SnapPolkitPolicyDir, glob, nil)
    94  	if err != nil {
    95  		return fmt.Errorf("cannot synchronize polkit files for snap %q: %s", snapName, err)
    96  	}
    97  	return nil
    98  }
    99  
   100  // deriveContent combines security snippets collected from all the interfaces
   101  // affecting a given snap into a content map applicable to EnsureDirState.
   102  func deriveContent(spec *Specification, snapInfo *snap.Info) map[string]osutil.FileState {
   103  	policies := spec.Policies()
   104  	if len(policies) == 0 {
   105  		return nil
   106  	}
   107  	content := make(map[string]osutil.FileState, len(policies)+1)
   108  	for nameSuffix, policyContent := range policies {
   109  		filename := polkitPolicyName(snapInfo.InstanceName(), nameSuffix)
   110  		content[filename] = &osutil.MemoryFileState{
   111  			Content: policyContent,
   112  			Mode:    0644,
   113  		}
   114  	}
   115  	return content
   116  }
   117  
   118  func (b *Backend) NewSpecification() interfaces.Specification {
   119  	return &Specification{}
   120  }
   121  
   122  // SandboxFeatures returns list of features supported by snapd for polkit policy.
   123  func (b *Backend) SandboxFeatures() []string {
   124  	return nil
   125  }