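// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2019 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"strings"

	"github.com/snapcore/snapd/interfaces"
	"github.com/snapcore/snapd/interfaces/apparmor"
	"github.com/snapcore/snapd/release"
	"github.com/snapcore/snapd/snap"
)

// networkManagerObserveBaseDeclarationSlots is the base-declaration policy
// for the slot side: app and core snaps may provide the slot, auto-connection
// is always denied, and connection is denied when the system is not classic.
const networkManagerObserveBaseDeclarationSlots = `
  network-manager-observe:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-auto-connection: true
    deny-connection:
      on-classic: false
`

// networkManagerObserveSummary is the one-line summary reported in StaticInfo.
const networkManagerObserveSummary = `allows observing NetworkManager settings`

// networkManagerObserveConnectedSlotAppArmor is the slot-side AppArmor snippet.
// It lets the slot app answer the read-only Properties.Get{,All},
// Get{,All}Devices, ListConnections and GetSettings calls from the plug and
// send the matching PropertiesChanged/StateChanged/Device{Added,Removed}
// signals to it. ###PLUG_SECURITY_TAGS### is substituted with the plug's
// label expression in AppArmorConnectedSlot.
//
// The signal rules used to spell the bus and interface names as
// "org.freedesktop.NetworkManger" (missing an "a"); that name can never match
// the real "org.freedesktop.NetworkManager" names used by the request rules in
// this same file, so those signal rules were dead. They are spelled
// consistently here.
// NOTE(review): the send rules name the peer org.freedesktop.NetworkManager
// while labelling it with the plug's security tags; whether a peer name is
// meaningful for an outgoing signal should be confirmed against the AppArmor
// dbus rule semantics before relying on these rules.
const networkManagerObserveConnectedSlotAppArmor = `
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager{,/{ActiveConnection,Devices}/*}"
    interface="org.freedesktop.DBus.Properties"
    member="Get{,All}"
    peer=(label=###PLUG_SECURITY_TAGS###),
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager"
    interface="org.freedesktop.NetworkManager"
    member="Get{,All}Devices"
    peer=(label=###PLUG_SECURITY_TAGS###),
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager/Settings"
    interface="org.freedesktop.NetworkManager.Settings"
    member="ListConnections"
    peer=(label=###PLUG_SECURITY_TAGS###),
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager/Settings/*"
    interface="org.freedesktop.NetworkManager.Settings.Connection"
    member="GetSettings"
    peer=(label=###PLUG_SECURITY_TAGS###),

# send signals for updated settings and properties from above
dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager{,/{ActiveConnection,Devices}/*}"
    interface=org.freedesktop.DBus.Properties
    member=PropertiesChanged
    peer=(name=org.freedesktop.NetworkManager,label=###PLUG_SECURITY_TAGS###),
dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager{,/{ActiveConnection,Devices}/*}"
    interface="org.freedesktop.NetworkManager{,.*}"
    member=StateChanged
    peer=(name=org.freedesktop.NetworkManager,label=###PLUG_SECURITY_TAGS###),
dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager"
    interface=org.freedesktop.NetworkManager
    member="Device{Added,Removed}"
    peer=(name=org.freedesktop.NetworkManager,label=###PLUG_SECURITY_TAGS###),
dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager/Settings"
    interface=org.freedesktop.NetworkManager.Settings
    member=PropertiesChanged
    peer=(name=org.freedesktop.NetworkManager,label=###PLUG_SECURITY_TAGS###),
dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager/Settings/*"
    interface="org.freedesktop.NetworkManager.Settings.Connection"
    member=PropertiesChanged
    peer=(name=org.freedesktop.NetworkManager,label=###PLUG_SECURITY_TAGS###),
`

// networkManagerObserveConnectedPlugAppArmor is the plug-side AppArmor
// snippet: the plug may send the read-only query calls listed below to the
// slot and receive the corresponding change signals from it.
// ###SLOT_SECURITY_TAGS### is substituted in AppArmorConnectedPlug with the
// slot's label expression, or with "unconfined" on classic systems.
//
// The StateChanged, Device{Added,Removed} and Settings PropertiesChanged
// receive rules used to spell the interface as "org.freedesktop.NetworkManger";
// they are corrected to "org.freedesktop.NetworkManager" so they match the
// same interface the send rules already use.
const networkManagerObserveConnectedPlugAppArmor = `
# Description: allows observing NetworkManager settings. This grants access to
# listing MAC addresses, previous networks, etc but not secrets.

dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager{,/{ActiveConnection,Devices}/*}"
    interface="org.freedesktop.DBus.Properties"
    member="Get{,All}"
    peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager"
    interface="org.freedesktop.NetworkManager"
    member="GetDevices"
    peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager/Settings"
    interface="org.freedesktop.NetworkManager.Settings"
    member="ListConnections"
    peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
    bus=system
    path="/org/freedesktop/NetworkManager/Settings{,/*}"
    interface="org.freedesktop.NetworkManager.Settings{,.Connection}"
    member="GetSettings"
    peer=(label=###SLOT_SECURITY_TAGS###),

# receive signals for updated settings and properties
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager{,/{ActiveConnection,Devices}/*}"
    interface=org.freedesktop.DBus.Properties
    member=PropertiesChanged
    peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive)
    bus=system
    path=/org/freedesktop/NetworkManager
    interface=org.freedesktop.NetworkManager
    member=PropertiesChanged
    peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager{,/{ActiveConnection,Devices}/*}"
    interface="org.freedesktop.NetworkManager{,.*}"
    member=StateChanged
    peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager"
    interface=org.freedesktop.NetworkManager
    member="Device{Added,Removed}"
    peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager/Settings"
    interface=org.freedesktop.NetworkManager.Settings
    member=PropertiesChanged
    peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive)
    bus=system
    path="/org/freedesktop/NetworkManager/Settings/*"
    interface="org.freedesktop.NetworkManager.Settings.Connection"
    member=PropertiesChanged
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// networkManagerObserveInterface implements the network-manager-observe
// interface; it carries no state.
type networkManagerObserveInterface struct{}

// Name returns the interface name used in snap.yaml plugs and slots.
func (iface *networkManagerObserveInterface) Name() string {
	return "network-manager-observe"
}

// StaticInfo returns the summary, the base declaration for slots and marks
// the slot as implicitly provided on classic systems.
func (iface *networkManagerObserveInterface) StaticInfo() interfaces.StaticInfo {
	return interfaces.StaticInfo{
		Summary:              networkManagerObserveSummary,
		ImplicitOnClassic:    true,
		BaseDeclarationSlots: networkManagerObserveBaseDeclarationSlots,
	}
}

// AppArmorConnectedPlug adds the plug-side snippet to spec with the slot
// placeholder resolved: "unconfined" on classic, otherwise the label
// expression of the connected slot. It never returns a non-nil error.
func (iface *networkManagerObserveInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"
	var peerLabel string
	if release.OnClassic {
		// If we're running on classic NetworkManager will be part
		// of the OS and will run unconfined, so there is no slot
		// profile whose label could be matched.
		peerLabel = "unconfined"
	} else {
		peerLabel = slotAppLabelExpr(slot)
	}
	spec.AddSnippet(strings.Replace(networkManagerObserveConnectedPlugAppArmor, placeholder, peerLabel, -1))
	return nil
}

// AppArmorConnectedSlot adds the slot-side snippet to spec with the plug
// placeholder resolved to the connected plug's label expression. On classic
// nothing is added because NetworkManager runs unconfined there. It never
// returns a non-nil error.
func (iface *networkManagerObserveInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	if release.OnClassic {
		return nil
	}
	const placeholder = "###PLUG_SECURITY_TAGS###"
	snippet := strings.Replace(networkManagerObserveConnectedSlotAppArmor, placeholder, plugAppLabelExpr(plug), -1)
	spec.AddSnippet(snippet)
	return nil
}

// AutoConnect always returns true; whether a connection is actually made is
// left to the declarations (the base declaration above denies auto-connection).
func (iface *networkManagerObserveInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	return true
}

func init() {
	registerIface(&networkManagerObserveInterface{})
}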