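// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"strings"

	"github.com/snapcore/snapd/interfaces"
	"github.com/snapcore/snapd/interfaces/apparmor"
	"github.com/snapcore/snapd/interfaces/seccomp"
	"github.com/snapcore/snapd/snap"
)

const storageFrameworkServiceSummary = `allows operating as or interacting with the Storage Framework`

// The slot may only be provided by app snaps, and both connection and
// auto-connection are denied by default: a store-side declaration is needed
// before any plug can talk to the service.  This is the control that gates
// the session-bus access granted by the snippets below.
const storageFrameworkServiceBaseDeclarationSlots = `
  storage-framework-service:
    allow-installation:
      slot-snap-type:
        - app
    deny-connection: true
    deny-auto-connection: true
`

// Permanent slot policy: applied to the slot snap whether or not any plug
// is connected.  Note the documented information leak via the libapparmor
// query interface (.access) -- it lets the slot probe for the existence of
// arbitrary labels, which is accepted here because the service needs it.
const storageFrameworkServicePermanentSlotAppArmor = `
# Description: Allow use of aa_is_enabled()

# libapparmor query interface needs 'w' to perform the query and 'r' to
# read the result. This is an information leak because in addition to
# allowing querying policy for any label (precisely what
# storage-framework needs), it also allows checking the existence of
# any label.

/sys/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/mounts r,
/sys/kernel/security/apparmor/.access rw,

# Description: Allow owning the registry and storage framework bus names on the session bus.

#include <abstractions/dbus-session-strict>

dbus (send)
    bus=session
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member={RequestName,ReleaseName,GetConnectionCredentials}
    peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (bind)
    bus=session
    name=com.canonical.StorageFramework.Registry,

dbus (bind)
    bus=session
    name=com.canonical.StorageFramework.Provider.*,
`

// Connected slot policy: restricts the registry/provider D-Bus traffic the
// slot may exchange to peers carrying the connected plug's security label.
// ###PLUG_SECURITY_TAGS### is substituted at connection time.
const storageFrameworkServiceConnectedSlotAppArmor = `
# Description: Allow clients to access the registry and storage framework services.

#include <abstractions/dbus-session-strict>

dbus (receive, send)
    bus=session
    interface=com.canonical.StorageFramework.Registry
    path=/com/canonical/StorageFramework/Registry
    peer=(label=###PLUG_SECURITY_TAGS###),

dbus (receive, send)
    bus=session
    interface=com.canonical.StorageFramework.Provider.*
    path=/provider/*
    peer=(label=###PLUG_SECURITY_TAGS###),
`

// Connected plug policy: mirror image of the slot side, scoped to peers
// carrying the connected slot's security label.  ###SLOT_SECURITY_TAGS###
// is substituted at connection time.
const storageFrameworkServiceConnectedPlugAppArmor = `
# Description: Allow access to the registry and storage framework services.

#include <abstractions/dbus-session-strict>

dbus (receive, send)
    bus=session
    interface=com.canonical.StorageFramework.Registry
    path=/com/canonical/StorageFramework/Registry
    peer=(label=###SLOT_SECURITY_TAGS###),

dbus (receive, send)
    bus=session
    interface=com.canonical.StorageFramework.Provider.*
    path=/provider/*
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// The slot needs bind(2) to own its bus names; nothing else is added to the
// default seccomp template.
const storageFrameworkServicePermanentSlotSecComp = `
bind
`

// storageFrameworkServiceInterface implements the storage-framework-service
// interface: the slot side is the Storage Framework registry/provider
// service on the session bus, the plug side is a client of it.
type storageFrameworkServiceInterface struct{}

// Name returns the interface name used in snap.yaml and in the base
// declaration.
func (iface *storageFrameworkServiceInterface) Name() string {
	return "storage-framework-service"
}

// StaticInfo exposes the summary and the slot-side base declaration.
func (iface *storageFrameworkServiceInterface) StaticInfo() interfaces.StaticInfo {
	return interfaces.StaticInfo{
		Summary:              storageFrameworkServiceSummary,
		BaseDeclarationSlots: storageFrameworkServiceBaseDeclarationSlots,
	}
}

// AppArmorConnectedPlug adds the plug-side D-Bus rules, with the slot's
// security label expression substituted for ###SLOT_SECURITY_TAGS### so
// the plug can only talk to the specific connected slot.
func (iface *storageFrameworkServiceInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"
	// Named labelExpr rather than "new" so the builtin is not shadowed.
	labelExpr := slotAppLabelExpr(slot)
	spec.AddSnippet(strings.Replace(storageFrameworkServiceConnectedPlugAppArmor, placeholder, labelExpr, -1))
	return nil
}

// AppArmorPermanentSlot adds the rules the service needs regardless of
// connections: aa_is_enabled() support and ownership of its bus names.
func (iface *storageFrameworkServiceInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(storageFrameworkServicePermanentSlotAppArmor)
	return nil
}

// AppArmorConnectedSlot adds the slot-side D-Bus rules, with the plug's
// security label expression substituted for ###PLUG_SECURITY_TAGS### so
// only the connected plug is an acceptable peer.
func (iface *storageFrameworkServiceInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	// Named labelExpr rather than "new" so the builtin is not shadowed.
	labelExpr := plugAppLabelExpr(plug)
	spec.AddSnippet(strings.Replace(storageFrameworkServiceConnectedSlotAppArmor, placeholder, labelExpr, -1))
	return nil
}

// SecCompPermanentSlot allows the slot to bind(2) its session-bus names.
func (iface *storageFrameworkServiceInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(storageFrameworkServicePermanentSlotSecComp)
	return nil
}

// AutoConnect places no interface-level restriction on auto-connection.
// The base declaration above denies both connection and auto-connection,
// so in practice a pairing only auto-connects where a store declaration
// overrides that default; this method alone does not grant anything.
func (iface *storageFrameworkServiceInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
	return true
}

func init() {
	registerIface(&storageFrameworkServiceInterface{})
}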