// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

// Listing source: github.com/Lephar/snapd@v0.0.0-20210825215435-c7fba9cef4d2/interfaces/backends/backends.go

// Package backends exposes All, the ordered list of security backends that is
// assembled when the package is initialized.
package backends

import (
	"fmt"

	"github.com/snapcore/snapd/interfaces"
	"github.com/snapcore/snapd/interfaces/apparmor"
	"github.com/snapcore/snapd/interfaces/dbus"
	"github.com/snapcore/snapd/interfaces/kmod"
	"github.com/snapcore/snapd/interfaces/mount"
	"github.com/snapcore/snapd/interfaces/seccomp"
	"github.com/snapcore/snapd/interfaces/systemd"
	"github.com/snapcore/snapd/interfaces/udev"
	apparmor_sandbox "github.com/snapcore/snapd/sandbox/apparmor"
)

// All is the ordered list of security backends. It is computed once, during
// package initialization, so importing this package runs backends(), including
// its calls into sandbox/apparmor and the status line it prints to stdout.
var All = backends()

// backends returns the security backends in the order they are to be used.
//
// The AppArmor backend is appended last, and only when the probed AppArmor
// level is Partial or Full; for any other level it is absent from the result.
func backends() []interfaces.SecurityBackend {
	// Ordering is significant: because of how the GPIO interface is
	// implemented, the systemd backend has to appear before the apparmor
	// backend. The apparmor backend is only ever appended at the end of this
	// slice, which keeps that guarantee.
	enabled := []interfaces.SecurityBackend{
		&systemd.Backend{},
		&seccomp.Backend{},
		&dbus.Backend{},
		&udev.Backend{},
		&mount.Backend{},
		&kmod.Backend{},
	}

	// TODO use something like:
	// level, summary := apparmor.ProbeResults()

	// Ideally this would be logger.Noticef, but this code runs during package
	// initialization, before the logger is ready, so such a message would go
	// nowhere. Per advice from other snapd developers it is printed directly.
	//
	// TODO: this should become a user-visible message via the user-warning
	// framework, so that users are aware that we have non-strict confinement.
	// Printing directly ensures the message ends up in the journal for
	// snapd.service; that aspect should be retained even after the switch to
	// user-warning.
	fmt.Printf("AppArmor status: %s\n", apparmor_sandbox.Summary())

	// Register the apparmor backend whenever there is any level of apparmor
	// support, including a partial feature set. This lets snap-confine always
	// link to apparmor and check on boot whether it is enabled, knowing that
	// there is always *some* profile to apply to each snap process.
	//
	// When some features are missing the backend generates more permissive
	// profiles that keep applications operational, in forced-devmode.
	//
	// NOTE(review): for any level other than Partial or Full no apparmor
	// backend is registered at all; within this file the status line printed
	// above is the only indication of which case applies.
	level := apparmor_sandbox.ProbedLevel()
	if level == apparmor_sandbox.Partial || level == apparmor_sandbox.Full {
		enabled = append(enabled, &apparmor.Backend{})
	}
	return enabled
}