github.com/bugraaydogar/snapd@v0.0.0-20210315170335-8c70bb858939/interfaces/builtin/thumbnailer_service.go

github.com/bugraaydogar/snapd@v0.0.0-20210315170335-8c70bb858939/interfaces/builtin/thumbnailer_service.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"strings"
    24  
    25  	"github.com/snapcore/snapd/interfaces"
    26  	"github.com/snapcore/snapd/interfaces/apparmor"
    27  	"github.com/snapcore/snapd/snap"
    28  )
    29  
    30  const thumbnailerServiceSummary = `allows operating as or interacting with the Thumbnailer service`
    31  
    32  const thumbnailerServiceBaseDeclarationSlots = `
    33    thumbnailer-service:
    34      allow-installation:
    35        slot-snap-type:
    36          - app
    37      deny-auto-connection: true
    38      deny-connection: true
    39  `
    40  
    41  const thumbnailerServicePermanentSlotAppArmor = `
    42  # Description: Allow use of aa_query_label API. This
    43  # discloses the AppArmor policy for all processes.
    44  
    45  /sys/module/apparmor/parameters/enabled r,
    46  @{PROC}/@{pid}/mounts                   r,
    47  /sys/kernel/security/apparmor/.access   rw,
    48  
    49  # Description: Allow owning the Thumbnailer bus name on the session bus
    50  
    51  #include <abstractions/dbus-session-strict>
    52  
    53  dbus (send)
    54      bus=session
    55      path=/org/freedesktop/DBus
    56      interface=org.freedesktop.DBus
    57      member={RequestName,ReleaseName,GetConnectionCredentials}
    58      peer=(name=org.freedesktop.DBus, label=unconfined),
    59  
    60  dbus (bind)
    61      bus=session
    62      name=com.canonical.Thumbnailer,
    63  `
    64  
    65  const thumbnailerServiceConnectedSlotAppArmor = `
    66  # Description: Allow access to plug's data directory.
    67  
    68  @{INSTALL_DIR}/###PLUG_SNAP_NAME###/**     r,
    69  owner @{HOME}/snap/###PLUG_SNAP_NAME###/** r,
    70  /var/snap/###PLUG_SNAP_NAME###/**          r,
    71  
    72  # Description: allow client snaps to access the thumbnailer service.
    73  dbus (receive, send)
    74      bus=session
    75      interface=com.canonical.Thumbnailer
    76      path=/com/canonical/Thumbnailer
    77      peer=(label=###PLUG_SECURITY_TAGS###),
    78  `
    79  
    80  const thumbnailerServiceConnectedPlugAppArmor = `
    81  # Description: allow access to the thumbnailer D-Bus service.
    82  
    83  #include <abstractions/dbus-session-strict>
    84  
    85  dbus (receive, send)
    86      bus=session
    87      interface=com.canonical.Thumbnailer
    88      path=/com/canonical/Thumbnailer
    89      peer=(label=###SLOT_SECURITY_TAGS###),
    90  
    91  # Allow clients to introspect the service
    92  dbus (send)
    93      bus=session
    94      interface=org.freedesktop.DBus.Introspectable
    95      path=/com/canonical/Thumbnailer
    96      member=Introspect
    97      peer=(label=###SLOT_SECURITY_TAGS###),
    98  `
    99  
   100  type thumbnailerServiceInterface struct{}
   101  
   102  func (iface *thumbnailerServiceInterface) Name() string {
   103  	return "thumbnailer-service"
   104  }
   105  
   106  func (iface *thumbnailerServiceInterface) StaticInfo() interfaces.StaticInfo {
   107  	return interfaces.StaticInfo{
   108  		Summary:              thumbnailerServiceSummary,
   109  		BaseDeclarationSlots: thumbnailerServiceBaseDeclarationSlots,
   110  	}
   111  }
   112  
   113  func (iface *thumbnailerServiceInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
   114  	snippet := thumbnailerServiceConnectedPlugAppArmor
   115  	old := "###SLOT_SECURITY_TAGS###"
   116  	new := slotAppLabelExpr(slot)
   117  	snippet = strings.Replace(snippet, old, new, -1)
   118  	spec.AddSnippet(snippet)
   119  	return nil
   120  }
   121  
   122  func (iface *thumbnailerServiceInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
   123  	spec.AddSnippet(thumbnailerServicePermanentSlotAppArmor)
   124  	return nil
   125  }
   126  
   127  func (iface *thumbnailerServiceInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
   128  	snippet := thumbnailerServiceConnectedSlotAppArmor
   129  	old := "###PLUG_SNAP_NAME###"
   130  	// parallel-installs: PLUG_SNAP_NAME is used in the context of dbus
   131  	// mediation rules, need to use the actual instance name
   132  	new := plug.Snap().InstanceName()
   133  	snippet = strings.Replace(snippet, old, new, -1)
   134  
   135  	old = "###PLUG_SECURITY_TAGS###"
   136  	new = plugAppLabelExpr(plug)
   137  	snippet = strings.Replace(snippet, old, new, -1)
   138  	spec.AddSnippet(snippet)
   139  	return nil
   140  }
   141  
   142  func (iface *thumbnailerServiceInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
   143  	return true
   144  }
   145  
   146  func init() {
   147  	registerIface(&thumbnailerServiceInterface{})
   148  }