// -*- Mode: Go; indent-tabs-mode: t -*-
// Listing source: github.com/bugraaydogar/snapd@v0.0.0-20210315170335-8c70bb858939/interfaces/builtin/online_accounts_service.go

/*
 * Copyright (C) 2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"strings"

	"github.com/snapcore/snapd/interfaces"
	"github.com/snapcore/snapd/interfaces/apparmor"
	"github.com/snapcore/snapd/interfaces/seccomp"
	"github.com/snapcore/snapd/snap"
)

// onlineAccountsServiceSummary is the one-line description reported through
// StaticInfo.
const onlineAccountsServiceSummary = `allows operating as the Online Accounts service`

// onlineAccountsServiceBaseDeclarationSlots is the slot-side base declaration
// for the interface. It limits installation of the slot to snaps of type
// "app" and sets deny-connection to true.
//
// NOTE(review): in snapd's policy model deny-connection: true is expected to
// block connections to this slot unless a snap-declaration assertion grants
// them; confirm against the policy checker, because it interacts with
// AutoConnect below.
const onlineAccountsServiceBaseDeclarationSlots = `
  online-accounts-service:
    allow-installation:
      slot-snap-type:
        - app
    deny-connection: true
`

// onlineAccountsServicePermanentSlotAppArmor is the AppArmor policy every
// slot-providing snap receives, whether or not a plug is connected. It allows
// the service to talk to the session bus daemon (RequestName, ReleaseName,
// GetConnectionCredentials only) and to bind exactly one well-known name,
// com.ubuntu.OnlineAccounts.Manager.
const onlineAccountsServicePermanentSlotAppArmor = `
# Description: Allow operating as the Online Accounts service.

# DBus accesses
#include <abstractions/dbus-session-strict>

dbus (send)
    bus=session
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member={RequestName,ReleaseName,GetConnectionCredentials}
    peer=(name=org.freedesktop.DBus, label=unconfined),

# Allow binding the service to the requested connection name
dbus (bind)
    bus=session
    name="com.ubuntu.OnlineAccounts.Manager",
`

// onlineAccountsServiceConnectedSlotAppArmor is the slot-side policy added per
// connection. The ###PLUG_SECURITY_TAGS### placeholder is substituted in
// AppArmorConnectedSlot, so the service may exchange messages only with peers
// whose label matches the substituted expression.
const onlineAccountsServiceConnectedSlotAppArmor = `
# Allow service to interact with connected clients
dbus (receive, send)
    bus=session
    path=/com/ubuntu/OnlineAccounts{,/**}
    interface=com.ubuntu.OnlineAccounts.Manager
    peer=(label=###PLUG_SECURITY_TAGS###),
`

// onlineAccountsServiceConnectedPlugAppArmor is the plug-side (client) policy
// added per connection. The ###SLOT_SECURITY_TAGS### placeholder is
// substituted in AppArmorConnectedPlug.
//
// The first rule carries no member= restriction, so every method and signal
// of com.ubuntu.OnlineAccounts.Manager under /com/ubuntu/OnlineAccounts is
// permitted between the labelled peers. As the embedded description states,
// access to user data is mediated by the service itself, not by this policy.
// The introspection rule is narrower: Introspect only, on the root object
// path only.
const onlineAccountsServiceConnectedPlugAppArmor = `
# Description: Allow using Online Accounts service. Allowed to auto-connect
# because the access to user data is actually mediated by the Online Accounts
# service itself.

#include <abstractions/dbus-session-strict>

# Online Accounts v2 API
dbus (receive, send)
    bus=session
    interface=com.ubuntu.OnlineAccounts.Manager
    path=/com/ubuntu/OnlineAccounts{,/**}
    peer=(label=###SLOT_SECURITY_TAGS###),

# Allow clients to introspect the service
dbus (send)
    bus=session
    interface=org.freedesktop.DBus.Introspectable
    path=/com/ubuntu/OnlineAccounts
    member=Introspect
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// onlineAccountsServicePermanentSlotSecComp lists the syscalls added to the
// slot's seccomp specification: accept, accept4, bind and listen. The snippet
// itself attributes them to D-Bus use.
const onlineAccountsServicePermanentSlotSecComp = `
# dbus
accept
accept4
bind
listen
`

// onlineAccountsServiceInterface implements the "online-accounts-service"
// interface. It carries no state.
type onlineAccountsServiceInterface struct{}

// Name returns the interface name, "online-accounts-service".
func (iface *onlineAccountsServiceInterface) Name() string {
	const name = "online-accounts-service"
	return name
}

// StaticInfo returns the interface summary and the slot-side base declaration.
func (iface *onlineAccountsServiceInterface) StaticInfo() interfaces.StaticInfo {
	var info interfaces.StaticInfo
	info.Summary = onlineAccountsServiceSummary
	info.BaseDeclarationSlots = onlineAccountsServiceBaseDeclarationSlots
	return info
}

// AppArmorConnectedPlug adds the client-side policy to spec, with every
// ###SLOT_SECURITY_TAGS### placeholder replaced by the value of
// slotAppLabelExpr(slot). It always returns nil.
//
// The replacement is spliced verbatim into the policy text and is not
// validated or escaped here; presumably slotAppLabelExpr (defined elsewhere
// in the package) yields a well-formed AppArmor label expression.
func (iface *onlineAccountsServiceInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"
	snippet := strings.Replace(onlineAccountsServiceConnectedPlugAppArmor, placeholder, slotAppLabelExpr(slot), -1)
	spec.AddSnippet(snippet)
	return nil
}

// AppArmorConnectedSlot adds the service-side per-connection policy to spec,
// with every ###PLUG_SECURITY_TAGS### placeholder replaced by the value of
// plugAppLabelExpr(plug). It always returns nil.
//
// As on the plug side, the substituted text is inserted verbatim; presumably
// plugAppLabelExpr (defined elsewhere in the package) yields a well-formed
// AppArmor label expression.
func (iface *onlineAccountsServiceInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	snippet := strings.Replace(onlineAccountsServiceConnectedSlotAppArmor, placeholder, plugAppLabelExpr(plug), -1)
	spec.AddSnippet(snippet)
	return nil
}

// AppArmorPermanentSlot adds the connection-independent service policy
// (bus-daemon access and name binding) to spec. It always returns nil.
func (iface *onlineAccountsServiceInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	policy := onlineAccountsServicePermanentSlotAppArmor
	spec.AddSnippet(policy)
	return nil
}

// SecCompPermanentSlot adds the slot's syscall allowances to spec. It always
// returns nil.
func (iface *onlineAccountsServiceInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	filter := onlineAccountsServicePermanentSlotSecComp
	spec.AddSnippet(filter)
	return nil
}

// AutoConnect reports true for every plug/slot pair; it never vetoes.
//
// NOTE(review): whether an auto-connection actually happens is presumably
// decided by the declaration policy (the base declaration above sets
// deny-connection: true) — confirm that an unconditional true here cannot
// widen access on its own.
func (iface *onlineAccountsServiceInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
	return true
}

// init registers the interface through registerIface, which is defined
// elsewhere in the package.
func init() {
	registerIface(new(onlineAccountsServiceInterface))
}