// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// networkObserveSummary is the one-line summary passed to registerIface for
// the network-observe interface.
const networkObserveSummary = `allows querying network status`

// networkObserveBaseDeclarationSlots is the YAML base-declaration fragment for
// the slot side of network-observe: the slot may only be provided by a
// core-type snap, and auto-connection is denied, so a plug is expected to be
// connected explicitly rather than on install.
const networkObserveBaseDeclarationSlots = `
  network-observe:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

// networkObserveConnectedPlugAppArmor is the AppArmor policy attached to a
// plug once it is connected. It is mostly read-only access to networking
// state (/proc and /sys network entries, sysctl net trees, iproute2 config),
// execution of the listed networking tools, and the Resolve* members of the
// systemd-resolved D-Bus API. Points worth keeping in mind when reviewing
// changes to this profile:
//   - net_admin is deliberately left commented out; granting it would make
//     this interface equivalent to network-control (see the inline comment).
//   - ping/ping6 are allowed together with capability net_raw, capability
//     setuid and raw inet/inet6 sockets, so the profile is not purely
//     read-only in the capability sense.
//   - nstat is allowed even though it can zero kernel counters (inline note).
//   - raw netlink is allowed for receiving kobject_uevent() net messages.
//
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/network-observe
const networkObserveConnectedPlugAppArmor = `
# Description: Can query network status information. This is restricted because
# it gives privileged read-only access to networking information and should
# only be used with trusted apps.

# network-observe can't allow this otherwise we are basically network-control,
# but don't explicitly deny since someone might try to use network-control with
# network-observe and that shouldn't fail weirdly
#capability net_admin,

#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
# https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
# https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
    bus=system
    path="/org/freedesktop/resolve1"
    interface="org.freedesktop.resolve1.Manager"
    member="Resolve{Address,Hostname,Record,Service}"
    peer=(name="org.freedesktop.resolve1"),

#include <abstractions/ssl_certs>

# see loaded kernel modules
@{PROC}/modules r,

@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# used by sysctl, et al (sysctl net)
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** r,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** r,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** r,
@{PROC}/sys/net/nf_conntrack_max r,

# networking tools
/{,usr/}{,s}bin/arp ixr,
/{,usr/}{,s}bin/bridge ixr,
/{,usr/}{,s}bin/ifconfig ixr,
/{,usr/}{,s}bin/ip ixr,
/{,usr/}{,s}bin/ipmaddr ixr,
/{,usr/}{,s}bin/iptunnel ixr,
/{,usr/}{,s}bin/netstat ixr, # -p not supported
/{,usr/}{,s}bin/nstat ixr, # allows zeroing
#/{,usr/}{,s}bin/pppstats ixr, # needs sys_module
/{,usr/}{,s}bin/route ixr,
/{,usr/}{,s}bin/routel ixr,
/{,usr/}{,s}bin/rtacct ixr,
/{,usr/}{,s}bin/ss ixr,
/{,usr/}{,s}bin/sysctl ixr,
/{,usr/}{,s}bin/tc ixr,

# arp
network netlink dgram,

# ip, et al
/etc/iproute2/{,**} r,

# ping - child profile would be nice but seccomp causes problems with that
/{,usr/}{,s}bin/ping ixr,
/{,usr/}{,s}bin/ping6 ixr,
capability net_raw,
capability setuid,
network inet raw,
network inet6 raw,

# route
/etc/networks r,
/etc/ethers r,

/etc/rpc r,

# network devices
/sys/devices/**/net/** rk,

# for receiving kobject_uevent() net messages from the kernel
network netlink raw,
`

// networkObserveConnectedPlugSecComp is the seccomp policy attached to a
// connected plug. It adds capset (needed by ping/ping6), bind, and the
// AF_NETLINK socket families used by ss (INET_DIAG), arp (ROUTE), multicast
// statistics (GENERIC) and kernel uevent delivery (KOBJECT_UEVENT); the
// AppArmor profile above is what actually scopes which binaries and paths
// may use them.
//
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/network-observe
const networkObserveConnectedPlugSecComp = `
# Description: Can query network status information. This is restricted because
# it gives privileged read-only access to networking information and should
# only be used with trusted apps.

# for ping and ping6
capset

# for using socket(AF_NETLINK, ...)
bind

# for ss
socket AF_NETLINK - NETLINK_INET_DIAG

# arp
socket AF_NETLINK - NETLINK_ROUTE

# multicast statistics
socket AF_NETLINK - NETLINK_GENERIC

# for receiving kobject_uevent() net messages from the kernel
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`

// init registers network-observe as a commonInterface. The interface is
// implicitly available on both core and classic systems; only connected-plug
// AppArmor and seccomp snippets are supplied here, together with the slot
// base declaration defined above.
func init() {
	registerIface(&commonInterface{
		name:                  "network-observe",
		summary:               networkObserveSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  networkObserveBaseDeclarationSlots,
		connectedPlugAppArmor: networkObserveConnectedPlugAppArmor,
		connectedPlugSecComp:  networkObserveConnectedPlugSecComp,
	})
}