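// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"strings"

	"github.com/snapcore/snapd/interfaces"
	"github.com/snapcore/snapd/interfaces/apparmor"
	"github.com/snapcore/snapd/interfaces/dbus"
	"github.com/snapcore/snapd/snap"
)

// locationControlSummary is the one-line description reported through
// StaticInfo.
const locationControlSummary = `allows operating as the location service`

// locationControlBaseDeclarationSlots is the base-declaration fragment for
// the location-control slot. A slot may only be installed by a snap of type
// "app", and both manual connection and auto-connection are denied by
// default, so any connection has to be granted by a more specific
// declaration. The YAML nesting is significant: deny-connection and
// deny-auto-connection sit at the same level as allow-installation.
const locationControlBaseDeclarationSlots = `
  location-control:
    allow-installation:
      slot-snap-type:
        - app
    deny-connection: true
    deny-auto-connection: true
`

// locationControlPermanentSlotAppArmor is the AppArmor policy added to the
// slot side for as long as the slot exists, connected or not. It lets the
// slot snap:
//   - ask the bus daemon to request/release names and to look up the PID and
//     UID of a connection,
//   - bind the well-known name com.ubuntu.location.Service on the system bus,
//   - send and receive any interface matching org.freedesktop.DBus** on the
//     service object tree with unconfined peers.
//
// None of these rules reference a plug label; traffic with connected plugs is
// covered by locationControlConnectedSlotAppArmor.
const locationControlPermanentSlotAppArmor = `
# Description: Allow operating as the location service. This gives privileged
# access to the system.

# DBus accesses
#include <abstractions/dbus-strict>
dbus (send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member="{Request,Release}Name"
    peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member="GetConnectionUnix{ProcessID,User}"
    peer=(label=unconfined),

# Allow binding the service to the requested connection name
dbus (bind)
    bus=system
    name="com.ubuntu.location.Service",

dbus (receive, send)
    bus=system
    path=/com/ubuntu/location/Service{,/**}
    interface=org.freedesktop.DBus**
    peer=(label=unconfined),
`

// locationControlConnectedSlotAppArmor is the AppArmor policy template added
// to the slot side for each connection. Every rule is scoped to the peer
// label ###PLUG_SECURITY_TAGS###, which AppArmorConnectedSlot replaces with
// the label expression of the connected plug before the snippet is added.
//
// Rules on /providers/{,**} are the slot talking to provider objects exported
// by the plug; rules on /com/ubuntu/location/Service are the plug talking to
// the service. Each direction needs a matching rule in
// locationControlConnectedPlugAppArmor for a confined peer to get through.
const locationControlConnectedSlotAppArmor = `
# Allow connected clients to interact with the service

# Allow clients to register providers
dbus (receive)
    bus=system
    path=/com/ubuntu/location/Service
    interface=com.ubuntu.location.Service
    member="AddProvider"
    peer=(label=###PLUG_SECURITY_TAGS###),

dbus (send)
    bus=system
    path=/providers/{,**}
    interface=com.ubuntu.location.Service.Provider
    member="{Satisfies,Enable,Disable,Activate,Deactivate,OnNewEvent}"
    peer=(label=###PLUG_SECURITY_TAGS###),

dbus (send)
    bus=system
    path=/providers/{,**}
    interface=org.freedesktop.DBus.Properties
    member="{Get,Set}"
    peer=(label=###PLUG_SECURITY_TAGS###),

dbus (receive)
    bus=system
    path=/providers/{,**}
    interface=org.freedesktop.DBus.Properties
    member="PropertiesChanged"
    peer=(label=###PLUG_SECURITY_TAGS###),

# Allow clients to query/modify service properties
dbus (receive)
    bus=system
    path=/com/ubuntu/location/Service
    interface=org.freedesktop.DBus.Properties
    member="{Get,Set}"
    peer=(label=###PLUG_SECURITY_TAGS###),

dbus (send)
    bus=system
    path=/com/ubuntu/location/Service
    interface=org.freedesktop.DBus.Properties
    member=PropertiesChanged
    peer=(label=###PLUG_SECURITY_TAGS###),
`

// locationControlConnectedPlugAppArmor is the AppArmor policy template added
// to the plug side for each connection. Rules that talk to the service are
// scoped to ###SLOT_SECURITY_TAGS###, which AppArmorConnectedPlug replaces
// with the label expression of the connected slot.
//
// Points a reviewer should keep in mind:
//   - The service-properties rule allows Set as well as Get, so a connected
//     plug can modify service properties, not only query them (the in-policy
//     comment says "query").
//   - The ObjectManager receive rule on path=/ is scoped to unconfined peers,
//     not to the slot label.
//   - NOTE(review): the slot template sends org.freedesktop.DBus.Properties
//     {Get,Set} on /providers/{,**}, but this template has no receive rule
//     for {Get,Set} on that path; it has receive and send rules for
//     PropertiesChanged instead. That looks like it would deny slot-to-plug
//     property access on provider objects (fails closed) — confirm whether
//     the receive rule was meant to cover {Get,Set}.
const locationControlConnectedPlugAppArmor = `
# Description: Allow using location service. This gives privileged access to
# the service.

#include <abstractions/dbus-strict>

# Allow clients to register providers
dbus (send)
    bus=system
    path=/com/ubuntu/location/Service
    interface=com.ubuntu.location.Service
    member="AddProvider"
    peer=(label=###SLOT_SECURITY_TAGS###),

dbus (receive)
    bus=system
    path=/providers/{,**}
    interface=com.ubuntu.location.Service.Provider
    member="{Satisfies,Enable,Disable,Activate,Deactivate,OnNewEvent}"
    peer=(label=###SLOT_SECURITY_TAGS###),

dbus (receive)
    bus=system
    path=/providers/{,**}
    interface=org.freedesktop.DBus.Properties
    member="PropertiesChanged"
    peer=(label=###SLOT_SECURITY_TAGS###),

dbus (send)
    bus=system
    path=/providers/{,**}
    interface=org.freedesktop.DBus.Properties
    member="PropertiesChanged"
    peer=(label=###SLOT_SECURITY_TAGS###),

# Allow clients to query service properties
dbus (send)
    bus=system
    path=/com/ubuntu/location/Service
    interface=org.freedesktop.DBus.Properties
    member="{Get,Set}"
    peer=(label=###SLOT_SECURITY_TAGS###),

dbus (receive)
    bus=system
    path=/com/ubuntu/location/Service
    interface=org.freedesktop.DBus.Properties
    member=PropertiesChanged
    peer=(label=###SLOT_SECURITY_TAGS###),

dbus (receive)
    bus=system
    path=/
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=unconfined),

# Allow clients to introspect the service
dbus (send)
    bus=system
    path=/com/ubuntu/location/Service
    interface=org.freedesktop.DBus.Introspectable
    member=Introspect
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// locationControlPermanentSlotDBus is the D-Bus bus policy added for the slot
// side. It applies to connections owned by root: they may own
// com.ubuntu.location.Service and send to it and on its interfaces. The two
// send_interface rules carry no send_destination, so they match messages
// with those interfaces regardless of destination.
const locationControlPermanentSlotDBus = `
<policy user="root">
    <allow own="com.ubuntu.location.Service"/>
    <allow send_destination="com.ubuntu.location.Service"/>
    <allow send_interface="com.ubuntu.location.Service"/>
    <allow send_interface="com.ubuntu.location.Service.Provider"/>
</policy>
`

// locationControlConnectedPlugDBus is the D-Bus bus policy added for the plug
// side. It denies ownership of the service name and allows sending to the
// service and receiving the Provider interface.
//
// The policy uses context="default", which in dbus-daemon applies to every
// connection on the bus rather than to one snap. The bus policy therefore
// does not by itself restrict these messages to the connected plug; that
// scoping comes from the peer=(label=...) rules in the AppArmor snippets.
const locationControlConnectedPlugDBus = `
<policy context="default">
    <deny own="com.ubuntu.location.Service"/>
    <allow send_destination="com.ubuntu.location.Service"/>
    <allow send_interface="com.ubuntu.location.Service"/>
    <allow receive_interface="com.ubuntu.location.Service.Provider"/>
</policy>
`

// locationControlInterface implements the location-control interface. It is
// stateless; all policy comes from the package-level constants above.
type locationControlInterface struct{}

// Name returns the interface name, "location-control".
func (iface *locationControlInterface) Name() string {
	return "location-control"
}

// StaticInfo returns the summary and the slot base declaration for the
// interface.
func (iface *locationControlInterface) StaticInfo() interfaces.StaticInfo {
	return interfaces.StaticInfo{
		Summary:              locationControlSummary,
		BaseDeclarationSlots: locationControlBaseDeclarationSlots,
	}
}

// AppArmorConnectedPlug adds the plug-side AppArmor snippet for a connection,
// with every ###SLOT_SECURITY_TAGS### placeholder replaced by the label
// expression for the connected slot. It always returns nil.
func (iface *locationControlInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"
	// slotAppLabelExpr is defined elsewhere in the package; presumably it
	// yields an AppArmor label expression covering the slot's apps. Its
	// result is spliced into policy text verbatim, so it must never carry
	// characters that could terminate the peer=(label=...) expression.
	label := slotAppLabelExpr(slot)
	spec.AddSnippet(strings.Replace(locationControlConnectedPlugAppArmor, placeholder, label, -1))
	return nil
}

// DBusConnectedPlug adds the plug-side D-Bus bus policy for a connection. The
// snippet is static and does not depend on plug or slot. It always returns
// nil.
func (iface *locationControlInterface) DBusConnectedPlug(spec *dbus.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	spec.AddSnippet(locationControlConnectedPlugDBus)
	return nil
}

// DBusPermanentSlot adds the slot-side D-Bus bus policy, which lets root own
// the service name. It always returns nil.
func (iface *locationControlInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(locationControlPermanentSlotDBus)
	return nil
}

// AppArmorPermanentSlot adds the slot-side AppArmor snippet that applies
// whether or not any plug is connected. It always returns nil.
func (iface *locationControlInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(locationControlPermanentSlotAppArmor)
	return nil
}

// AppArmorConnectedSlot adds the slot-side AppArmor snippet for a connection,
// with every ###PLUG_SECURITY_TAGS### placeholder replaced by the label
// expression for the connected plug. It always returns nil.
func (iface *locationControlInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	// plugAppLabelExpr is defined elsewhere in the package; presumably it
	// yields an AppArmor label expression covering the plug's apps. Its
	// result is spliced into policy text verbatim.
	label := plugAppLabelExpr(plug)
	spec.AddSnippet(strings.Replace(locationControlConnectedSlotAppArmor, placeholder, label, -1))
	return nil
}

// AutoConnect reports whether the plug and slot may be auto-connected. It
// returns true unconditionally and so adds no restriction of its own: the
// decision is left to the declarations, and the base declaration above sets
// deny-auto-connection: true.
func (iface *locationControlInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	return true
}

// init registers the interface through registerIface, which is defined
// elsewhere in the package.
func init() {
	registerIface(&locationControlInterface{})
}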