github.com/bugraaydogar/snapd@v0.0.0-20210315170335-8c70bb858939/interfaces/builtin/process_control.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// processControlSummary is the one-line, human-readable description of the
// process-control interface.
const processControlSummary = "allows controlling other processes"
    23  
// processControlBaseDeclarationSlots is the base-declaration fragment for the
// process-control slot. As written, it allows the slot to be installed only by
// snaps of type "core" and sets deny-auto-connection, so a plug is not
// connected automatically.
//
// NOTE(review): deny-auto-connection is the only connection gate visible in
// this file. How a connection can still be granted (manual connect, a
// store-side override) is decided elsewhere; confirm before treating this as
// the sole control on who receives the privileges below.
const processControlBaseDeclarationSlots = `
  process-control:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`
    31  
// processControlConnectedPlugAppArmor is the AppArmor policy text that init
// assigns to the connectedPlugAppArmor field of the process-control interface.
//
// Security review notes:
//   - "signal (send)," has no peer= or set= qualifier, so this rule restricts
//     neither the label of the receiving process nor the signal being sent.
//   - "capability kill" permits use of CAP_KILL, which bypasses the kernel's
//     UID-based permission check when sending signals. Together with the
//     unqualified signal rule, a root process in the plugging snap is not
//     limited to signalling its own processes.
//   - "capability sys_resource" is broader than the signals/affinity/nice use
//     case named in the policy description (CAP_SYS_RESOURCE also covers
//     overriding resource limits and quotas).
//     NOTE(review): confirm it is required.
//   - renice, taskset, kill and pkill are granted "ixr", so they execute under
//     the snap's own profile rather than transitioning to a different one.
const processControlConnectedPlugAppArmor = `
# Description: This interface allows for controlling other processes via
# signals, cpu affinity and nice. This is reserved because it grants privileged
# access to all processes under root or processes running under the same UID
# otherwise.

# /{,usr/}bin/nice is already in default policy
/{,usr/}bin/renice ixr,
/{,usr/}bin/taskset ixr,

capability sys_resource,
capability sys_nice,

capability kill,
signal (send),
/{,usr/}bin/kill ixr,
/{,usr/}bin/pkill ixr,
`
    50  
// processControlConnectedPlugSecComp is the seccomp policy text that init
// assigns to the connectedPlugSecComp field of the process-control interface.
//
// Security review notes:
//   - Every entry is a bare syscall name with no argument filter, so this
//     layer accepts any target PID, priority or scheduling policy value.
//   - The in-policy comment mentions only nice/priority, but the sched_set*
//     entries also allow changing scheduling policy and parameters. Combined
//     with "capability sys_nice" in the AppArmor snippet this presumably
//     includes real-time policies, which can starve other tasks on the host;
//     weigh that availability risk when approving a connection.
//   - No signal-sending syscalls are listed here.
//     NOTE(review): presumably the default seccomp template already allows
//     them, which would leave AppArmor and the kernel permission check as the
//     effective controls for signals; confirm.
const processControlConnectedPlugSecComp = `
# Description: This interface allows for controlling other processes via
# signals, cpu affinity and nice. This is reserved because it grants privileged
# access to all processes under root or processes running under the same UID
# otherwise.

# Allow setting the nice value/priority for any process
nice
setpriority
sched_setaffinity
sched_setattr
sched_setparam
sched_setscheduler
`
    65  
// init builds the process-control interface description and hands it to
// registerIface when the package is loaded.
func init() {
	processControl := &commonInterface{
		name:    "process-control",
		summary: processControlSummary,
		// NOTE(review): presumably these flags make the slot implicitly
		// available on both core and classic systems; confirm against
		// commonInterface.
		implicitOnCore:    true,
		implicitOnClassic: true,
		// The slot declaration plus the AppArmor and seccomp text applied on
		// the plug side; these three constants carry the whole privilege grant.
		baseDeclarationSlots:  processControlBaseDeclarationSlots,
		connectedPlugAppArmor: processControlConnectedPlugAppArmor,
		connectedPlugSecComp:  processControlConnectedPlugSecComp,
	}
	registerIface(processControl)
}