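// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// systemObserveSummary is the one-line, user-facing description of the
// system-observe interface.
const systemObserveSummary = `allows observing all processes and drivers`

// systemObserveBaseDeclarationSlots constrains where the slot may live and how
// it gets connected: only a snap of type "core" may carry the slot, and
// auto-connection is denied, so the plug is only wired up by an explicit
// `snap connect` (or by a store assertion that overrides this base
// declaration). That is the policy gate for the privileged read access the
// AppArmor snippet below grants; do not relax it without review.
const systemObserveBaseDeclarationSlots = `
  system-observe:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

// systemObserveConnectedPlugAppArmor is the AppArmor snippet added to the
// plugging snap's profile once the interface is connected.
//
// Review notes on the security properties of this policy:
//
//   - The interface is read-only by design. It grants `ptrace (read)` but NOT
//     `ptrace (trace)`: the read class is what unlocks the PTRACE_MODE_READ
//     gated /proc/<pid>/* files listed below, while tracing would allow
//     controlling other processes. Keep `ptrace (trace)` out of this snippet.
//   - The per-process /proc files granted (cmdline, auxv, exe, stat, wchan,
//     ...) leak information about every process on the host, including
//     command-line arguments that may carry secrets. Note that
//     /proc/<pid>/environ, /proc/<pid>/mem and /proc/<pid>/fd/ are not
//     granted here.
//   - /proc/kallsyms is readable, but `capability syslog` is deliberately
//     withheld. That only hides kernel addresses when the host runs with
//     kptr_restrict >= 1; with kptr_restrict=0 the kernel prints real
//     addresses to any reader, so this rule alone is not a KASLR safeguard.
//   - The cgroup rules cover the cgroup v1 `cpu,cpuacct` controller mount;
//     on a unified (cgroup v2) hierarchy these files live at other paths and
//     are not covered by this snippet.
//   - The hostname1 DBus rules intentionally omit a peer label because the
//     service is DBus-activated; the bus-daemon calls (ListNames,
//     GetMachineId) are pinned to peer=(label=unconfined).
const systemObserveConnectedPlugAppArmor = `
# Description: Can query system status information. This is restricted because
# it gives privileged read access to all processes on the system and should
# only be used with trusted apps.

# Needed by 'ps'
@{PROC}/tty/drivers r,

# This ptrace is an information leak. Intentionally omit 'ptrace (trace)' here
# since ps doesn't actually need to trace other processes. Note this
# allows a number of accesses (assuming the associated /proc file is allowed),
# such as various memory address locations and esp/eip via /proc/*/stat,
# /proc/*/mem, /proc/*/personality, /proc/*/stack, /proc/*/syscall,
# /proc/*/timerslack_ns and /proc/*/wchan (see man proc).
#
# Some files like /proc/kallsyms (and anything else using the %pK format
# specifier) need 'capability syslog' when /proc/sys/kernel/kptr_restrict=1,
# but we intentionally do not allow it since it could be used to defeat KASLR.
ptrace (read),

# Other miscellaneous accesses for observing the system
@{PROC}/locks r,
@{PROC}/modules r,
@{PROC}/stat r,
@{PROC}/vmstat r,
@{PROC}/zoneinfo r,
@{PROC}/diskstats r,
@{PROC}/kallsyms r,
@{PROC}/partitions r,
@{PROC}/sys/kernel/panic r,
@{PROC}/sys/kernel/panic_on_oops r,
@{PROC}/sys/vm/panic_on_oom r,

# These are not process-specific (/proc/*/... and /proc/*/task/*/...)
@{PROC}/*/{,task/,task/*/} r,
@{PROC}/*/{,task/*/}auxv r,
@{PROC}/*/{,task/*/}cgroup r,
@{PROC}/*/{,task/*/}cmdline r,
@{PROC}/*/{,task/*/}comm r,
@{PROC}/*/{,task/*/}exe r,
@{PROC}/*/{,task/*/}fdinfo/* r,
@{PROC}/*/{,task/*/}stat r,
@{PROC}/*/{,task/*/}statm r,
@{PROC}/*/{,task/*/}status r,
@{PROC}/*/{,task/*/}wchan r,

# Allow discovering the os-release of the host
/var/lib/snapd/hostfs/etc/os-release rk,
/var/lib/snapd/hostfs/usr/lib/os-release rk,

# Allow discovering system-wide CFS Bandwidth Control information
# https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r,
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
/sys/fs/cgroup/cpu,cpuacct/cpu.shares r,
/sys/fs/cgroup/cpu,cpuacct/cpu.stat r,

#include <abstractions/dbus-strict>

# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    member=Get{,All},

# Allow clients to introspect hostname1
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Introspectable
    member=Introspect,

# Allow clients to enumerate DBus connection names on common buses
dbus (send)
    bus={session,system}
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member=ListNames
    peer=(label=unconfined),

# Allow clients to obtain the DBus machine ID on common buses. We do not
# mediate the path since any peer can be used.
dbus (send)
    bus={session,system}
    interface=org.freedesktop.DBus.Peer
    member=GetMachineId
    peer=(label=unconfined),

# Allow reading if protected hardlinks are enabled, but don't allow enabling or
# disabling them
@{PROC}/sys/fs/protected_hardlinks r,
@{PROC}/sys/fs/protected_symlinks r,
@{PROC}/sys/fs/protected_fifos r,
@{PROC}/sys/fs/protected_regular r,
`

// systemObserveConnectedPlugSecComp is the seccomp snippet for the plugging
// snap. It currently adds no rules: the `@deny ptrace` line is commented out,
// so this snippet does not block the ptrace syscall at the seccomp layer. The
// effective protection against tracing other processes is therefore the
// absence of `ptrace (trace)` in the AppArmor snippet above (plus whatever
// the default seccomp template does with ptrace, which is not visible here).
// "ubuntu-core-launcher" in the comment is the historical name of
// snap-confine.
const systemObserveConnectedPlugSecComp = `
# Description: Can query system status information. This is restricted because
# it gives privileged read access to all processes on the system and should
# only be used with trusted apps.

# ptrace can be used to break out of the seccomp sandbox, but ps requests
# 'ptrace (trace)' from apparmor. 'ps' does not need the ptrace syscall though,
# so we deny the ptrace here to make sure we are always safe.
# Note: may uncomment once ubuntu-core-launcher understands @deny rules and
# if/when we conditionally deny this in the future.
#@deny ptrace
`

// init registers system-observe as a builtin interface backed by the snippets
// above. The slot is provided implicitly by the system snap on both Core and
// classic systems (implicitOnCore / implicitOnClassic).
//
// NOTE(review): suppressPtraceTrace is understood to tell the AppArmor backend
// to add an explicit `deny ptrace (trace)` to a snap that has this plug
// connected unless some other connected interface declares that it needs
// tracing — confirm against the AppArmor backend before relying on it.
func init() {
	registerIface(&commonInterface{
		name:                  "system-observe",
		summary:               systemObserveSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  systemObserveBaseDeclarationSlots,
		connectedPlugAppArmor: systemObserveConnectedPlugAppArmor,
		connectedPlugSecComp:  systemObserveConnectedPlugSecComp,
		suppressPtraceTrace:   true,
	})
}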