
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2019 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// blockDevicesSummary is the one-line description shown for the block-devices
// interface. The interface is deliberately narrow: raw disk devices only, not
// loop, ram, CDROM, generic SCSI, network, tape, raid or similar devices, and
// not disk partitions. A few controller character devices are included because
// they are the means of configuring the corresponding block device.
const blockDevicesSummary = "allows access to disk block devices"
    27  
// blockDevicesBaseDeclarationPlugs is the base-declaration fragment for the
// plug side of block-devices: installation of a snap carrying this plug is
// denied by default, and the plug is never auto-connected. Both settings are
// deliberate, since the connected policy hands out broad capabilities.
const blockDevicesBaseDeclarationPlugs = "\n" +
	"  block-devices:\n" +
	"    allow-installation: false\n" +
	"    deny-auto-connection: true\n"
    33  
// blockDevicesBaseDeclarationSlots is the base-declaration fragment for the
// slot side of block-devices: only a snap of type core may provide the slot,
// and it is never auto-connected.
const blockDevicesBaseDeclarationSlots = "\n" +
	"  block-devices:\n" +
	"    allow-installation:\n" +
	"      slot-snap-type:\n" +
	"        - core\n" +
	"    deny-auto-connection: true\n"
    41  
// https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
// For now, only list common devices and skip the following:
// /dev/mfm{a,b} rw,                        # Acorn MFM
// /dev/ad[a-p] rw,                         # ACSI
// /dev/pd[a-d] rw,                         # Parallel port IDE
// /dev/pf[0-3] rw,                         # Parallel port ATAPI
// /dev/ub[a-z] rw,                         # USB block device
//
// blockDevicesConnectedPlugAppArmor is the AppArmor policy added to a snap's
// profile once its block-devices plug is connected. The path rules are written
// to match whole-disk nodes only (for example /dev/sd{,[a-h]}[a-z] matches
// /dev/sda but not /dev/sda1, and the mmcblk/nvme patterns have no partition
// suffix), so partition nodes never match here; partition access is left to
// the raw-volume interface, as the NVMe comment below says. The profile also
// grants capability sys_rawio and capability sys_admin, both of which are
// broad, which is why the base declaration (blockDevicesBaseDeclarationPlugs)
// denies installation and auto-connection by default.
const blockDevicesConnectedPlugAppArmor = `
# Description: Allow write access to raw disk block devices.

@{PROC}/devices r,
/run/udev/data/b[0-9]*:[0-9]* r,
/sys/block/ r,
/sys/devices/**/block/** r,
/sys/devices/platform/soc/**/mmc_host/** r,

# Access to raw devices, not individual partitions
/dev/hd[a-t] rw,                                          # IDE, MFM, RLL
/dev/sd{,[a-h]}[a-z] rw,                                  # SCSI
/dev/sdi[a-v] rw,                                         # SCSI continued
/dev/i2o/hd{,[a-c]}[a-z] rw,                              # I2O hard disk
/dev/i2o/hdd[a-x] rw,                                     # I2O hard disk continued
/dev/mmcblk[0-9]{,[0-9],[0-9][0-9]} rw,                   # MMC (up to 1000 devices)
/dev/vd[a-z] rw,                                          # virtio

# Allow /dev/nvmeXnY namespace block devices. Please note this grants access to all
# NVMe namespace block devices and that the numeric suffix on the character device
# does not necessarily correspond to a namespace block device with the same suffix
# From 'man nvme-format' : 
#   Note, the numeric suffix on the character device, for example the 0 in
#   /dev/nvme0, does NOT indicate this device handle is the parent controller
#   of any namespaces with the same suffix. The namespace handle's numeral may
#   be coming from the subsystem identifier, which is independent of the
#   controller's identifier. Do not assume any particular device relationship
#   based on their names. If you do, you may irrevocably erase data on an
#   unintended device.
/dev/nvme{[0-9],[1-9][0-9]}n{[1-9],[1-5][0-9],6[0-3]} rw, # NVMe (up to 100 devices, with 1-63 namespaces)

# Allow /dev/nvmeX controller character devices. These character devices allow
# manipulation of the block devices that we also allow above, so grouping this
# access here makes sense, whereas access to individual partitions is delegated
# to the raw-volume interface.
/dev/nvme{[0-9],[1-9][0-9]} rw,                           # NVMe (up to 100 devices)

# SCSI device commands, et al
capability sys_rawio,

# Perform various privileged block-device ioctl operations
capability sys_admin,

# Devices for various controllers used with ioctl()
/dev/mpt2ctl{,_wd} rw,
/dev/megaraid_sas_ioctl_node rw,
`
    96  
// blockDevicesConnectedPlugUDev lists the udev match rules used to tag devices
// for a snap whose block-devices plug is connected. Note that SUBSYSTEM=="block"
// matches every device in the block subsystem, partitions included, so the
// device tagging is coarser than the AppArmor policy; the path rules in
// blockDevicesConnectedPlugAppArmor are what confine the snap to whole-disk
// nodes.
var blockDevicesConnectedPlugUDev = []string{
	"SUBSYSTEM==\"block\"",
	// the nvme subsystem and the two controller nodes are not block devices
	// themselves, but they are used to manipulate the block devices granted
	// above, so they are tagged here as well
	"SUBSYSTEM==\"nvme\"",
	"KERNEL==\"mpt2ctl*\"",
	"KERNEL==\"megaraid_sas_ioctl_node\"",
}
   106  
// blockDevicesInterface is the block-devices interface. It carries no state of
// its own; all behaviour comes from the embedded commonInterface, whose fields
// are filled in by init below.
type blockDevicesInterface struct {
	commonInterface
}
   110  
// init registers the block-devices interface with the built-in interface
// registry. The interface is marked implicit on both core and classic
// (implicitOnCore/implicitOnClassic), and its policy and base-declaration
// text come entirely from the package-level constants above.
func init() {
	common := commonInterface{
		name:                  "block-devices",
		summary:               blockDevicesSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationPlugs:  blockDevicesBaseDeclarationPlugs,
		baseDeclarationSlots:  blockDevicesBaseDeclarationSlots,
		connectedPlugAppArmor: blockDevicesConnectedPlugAppArmor,
		connectedPlugUDev:     blockDevicesConnectedPlugUDev,
	}
	registerIface(&blockDevicesInterface{commonInterface: common})
}