// -*- Mode: Go; indent-tabs-mode: t -*-

// Listing of interfaces/builtin/dm_crypt.go from
// github.com/ethanhsieh/snapd@v0.0.0-20210615102523-3db9b8e4edc5.

/*
 * Copyright (C) 2021 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"github.com/snapcore/snapd/snap"
)

// dmCryptSummary is the one-line description registered for the interface.
const dmCryptSummary = `allows encryption and decryption of block storage devices`

// dmCryptBaseDeclarationSlots is the slot-side base declaration: only a snap
// of type core may provide the dm-crypt slot, and connections to it are never
// made automatically.
const dmCryptBaseDeclarationSlots = `
  dm-crypt:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

// dmCryptBaseDeclarationPlugs is the plug-side base declaration: a snap that
// declares a dm-crypt plug is refused installation by default and is never
// auto-connected.
// NOTE(review): presumably a per-snap declaration has to override
// allow-installation before any snap can use this plug; that override is
// where the broad access granted by the snippets below gets vetted.
const dmCryptBaseDeclarationPlugs = `
  dm-crypt:
    allow-installation: false
    deny-auto-connection: true
`

// The type for this interface
// NOTE(review): init below registers a *commonInterface, not this type, so
// nothing in this file uses dmCryptInterface or its AutoConnect method;
// check whether it is referenced elsewhere in the package.
type dmCryptInterface struct{}

// dmCryptConnectedPlugAppArmor is the AppArmor snippet passed as
// connectedPlugAppArmor in init. What it grants, as written:
//   - rw on /dev/mapper/control and on every /dev/dm-[0-9]* node, not only
//     on mappings the snap created itself;
//   - rw on everything under /media and /run/media;
//   - mounts of /dev/dm-[0-9]* below those directories, only with the option
//     sets (ro,nosuid,nodev) or (rw,nosuid,nodev);
//   - cryptsetup, mount and umount executed with "ixr", i.e. inheriting the
//     snap's own profile rather than switching to a separate one.
//
// NOTE(review): no umount rule is visible in this snippet; confirm that
// unmounting is permitted by another part of the policy.
//
// XXX: this should not hardcode mount points like /run/media/ but
// unless we have an interface like "mount-control" this is needed
const dmCryptConnectedPlugAppArmor = `
# Allow mapper access
/dev/mapper/control rw,
/dev/dm-[0-9]* rw,
# allow use of cryptsetup from core snap
/{,usr/}sbin/cryptsetup ixr,
# Mount points could be in /run/media/<user>/* or /media/<user>/*
/run/systemd/seats/* r,
/{,run/}media/{,**} rw,
mount options=(ro,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**,
mount options=(rw,nosuid,nodev) /dev/dm-[0-9]* -> /{,run/}media/**,

# exec mount/umount to do the actual operations
/{,usr/}bin/mount ixr,
/{,usr/}bin/umount ixr,

# mount/umount (via libmount) track some mount info in these files
/run/mount/utab* wrlk,
`

// dmCryptConnectedPlugSecComp is the seccomp snippet passed as
// connectedPlugSecComp in init. It names the three kernel keyring syscalls
// without any argument filter, so this snippet does not narrow which keyctl
// operations a connected snap may issue.
const dmCryptConnectedPlugSecComp = `
# Description: Allow kernel keyring manipulation
add_key
keyctl
request_key
`

// dmCryptConnectedPlugKmod names the kernel module passed as
// connectedPlugKModModules in init.
//
// dm-crypt
// Note that often dm-crypt is statically linked into the kernel (CONFIG_DM_CRYPT=y)
// This is usual for the custom kernels for projects where disk encryption is required.
var dmCryptConnectedPlugKmod = []string{
	"dm_crypt",
}

// dmCryptConnectedPlugUDev holds the udev match expressions passed as
// connectedPlugUDev in init.
// NOTE(review): KERNEL=="dm-[0-9]" matches a single digit only (dm-0 to
// dm-9), whereas the AppArmor snippet uses /dev/dm-[0-9]*. SUBSYSTEM=="block"
// matches every block device, which already includes the dm nodes and is
// wider than the AppArmor paths; presumably that leaves the AppArmor rules as
// the only per-path restriction on block devices. Confirm the breadth is
// intended.
var dmCryptConnectedPlugUDev = []string{
	`KERNEL=="device-mapper"`,
	`KERNEL=="dm-[0-9]"`,
	`SUBSYSTEM=="block"`,
}

// AutoConnect returns true for every plug/slot pair and so defers the
// decision to the base declarations above, both of which set
// deny-auto-connection: true.
func (iface *dmCryptInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// Allow what is allowed in the declarations
	return true
}

// init registers the "dm-crypt" interface as a commonInterface assembled from
// the declarations and snippets defined in this file, with implicitOnCore and
// implicitOnClassic both set.
func init() {
	registerIface(&commonInterface{
		name:                     "dm-crypt",
		summary:                  dmCryptSummary,
		implicitOnCore:           true,
		implicitOnClassic:        true,
		baseDeclarationSlots:     dmCryptBaseDeclarationSlots,
		baseDeclarationPlugs:     dmCryptBaseDeclarationPlugs,
		connectedPlugAppArmor:    dmCryptConnectedPlugAppArmor,
		connectedPlugSecComp:     dmCryptConnectedPlugSecComp,
		connectedPlugKModModules: dmCryptConnectedPlugKmod,
		connectedPlugUDev:        dmCryptConnectedPlugUDev,
	})
}