github.com/hugh712/snapd@v0.0.0-20200910133618-1a99902bd583/interfaces/builtin/network_manager.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"strings"
    24  
    25  	"github.com/snapcore/snapd/interfaces"
    26  	"github.com/snapcore/snapd/interfaces/apparmor"
    27  	"github.com/snapcore/snapd/interfaces/dbus"
    28  	"github.com/snapcore/snapd/interfaces/seccomp"
    29  	"github.com/snapcore/snapd/interfaces/udev"
    30  	"github.com/snapcore/snapd/release"
    31  	"github.com/snapcore/snapd/snap"
    32  )
    33  
// networkManagerSummary is the one-line description of the network-manager
// interface; StaticInfo reports it as the interface Summary.
const networkManagerSummary = `allows operating as the NetworkManager service`
    35  
// networkManagerBaseDeclarationSlots is the base-declaration policy for the
// network-manager slot; StaticInfo reports it as BaseDeclarationSlots.
//
// As written it lets the slot be installed by snaps of type app or core,
// denies auto-connection, and carries a deny-connection rule that is
// constrained to on-classic: false.
//
// NOTE(review): presumably the constrained deny-connection rule means manual
// connection is refused by default on non-classic systems unless a snap
// declaration overrides it; confirm against the policy checker before relying
// on that reading. AutoConnect in this file always returns true, so this text
// is the only auto-connection gate visible here.
const networkManagerBaseDeclarationSlots = `
  network-manager:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-auto-connection: true
    deny-connection:
      on-classic: false
`
    46  
// networkManagerPermanentSlotAppArmor is the AppArmor policy text added for a
// snap that provides the network-manager slot (see AppArmorPermanentSlot). It
// is emitted verbatim, so the "#" lines inside the literal are part of the
// generated profile, not Go comments.
//
// The grant is broad and should be read as privileged:
//   - capabilities net_admin, net_bind_service and net_raw, plus the netlink,
//     bridge, inet, inet6 and packet network families;
//   - read/write on the /proc/sys/net core, ipv4, ipv6 and netfilter trees;
//   - read/write on /dev/rfkill, /etc/netplan and /run/NetworkManager;
//   - execution of /sbin/resolvconf, /bin/run-parts and the scripts under
//     /lib/resolvconf and /etc/resolvconf/update.d with "ix", i.e. they run
//     under this same profile;
//   - binding org.freedesktop.NetworkManager on the system bus and exchanging
//     messages with peers labelled "unconfined" on the NetworkManager,
//     hostname1, login1, resolve1 and wpa_supplicant1 object paths.
//
// Rules that omit peer=(label=unconfined) do so deliberately for D-Bus
// activated services, as the embedded comments state.
const networkManagerPermanentSlotAppArmor = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.

capability net_admin,
capability net_bind_service,
capability net_raw,

network netlink,
network bridge,
network inet,
network inet6,
network packet,

@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# used by sysctl, et al
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** rw,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** rw,
@{PROC}/sys/net/nf_conntrack_max rw,

# Needed for systemd's dhcp implementation
@{PROC}/sys/kernel/random/boot_id r,

/sys/devices/**/**/net/**/phys_port_id r,
/sys/devices/**/**/net/**/dev_id r,
/sys/devices/virtual/net/**/phys_port_id r,
/sys/devices/virtual/net/**/dev_id r,
/sys/devices/**/net/**/ifindex r,

/dev/rfkill rw,

/run/udev/data/* r,

# Allow read and write access for all netplan configuration files
# as NetworkManager will start using them to store the network
# configuration instead of using its own internal keyfile based
# format.
/etc/netplan/{,**} rw,

# Allow access to configuration files generated on the fly
# from netplan and let NetworkManager store its configuration
# in the same place.
/run/NetworkManager/{,**} rw,

# Needed by the ifupdown plugin to check which interfaces can
# be managed an which not.
/etc/network/interfaces r,
# Needed for systemd's dhcp implementation
/etc/machine-id r,

# Needed to use resolvconf from core
/sbin/resolvconf ixr,
/run/resolvconf/{,**} rk,
/run/resolvconf/** w,
/etc/resolvconf/{,**} r,
/lib/resolvconf/* ix,
# NM peeks into ifupdown configuration
/run/network/ifstate* r,
# Required by resolvconf
/bin/run-parts ixr,
/etc/resolvconf/update.d/* ix,

#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# DBus accesses
#include <abstractions/dbus-strict>

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
#   https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
#   https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
dbus send
     bus=system
     path="/org/freedesktop/resolve1"
     interface="org.freedesktop.resolve1.Manager"
     member="Resolve{Address,Hostname,Record,Service}"
     peer=(name="org.freedesktop.resolve1"),

dbus (send)
     bus=system
     path="/org/freedesktop/resolve1"
     interface="org.freedesktop.resolve1.Manager"
     member="SetLink{DNS,MulticastDNS,Domains,LLMNR}"
     peer=(label=unconfined),

dbus (send)
   bus=system
   path=/org/freedesktop/DBus
   interface=org.freedesktop.DBus
   member={Request,Release}Name
   peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (receive, send)
   bus=system
   path=/org/freedesktop/DBus
   interface=org.freedesktop.DBus
   member=GetConnectionUnixProcessID
   peer=(label=unconfined),

dbus (receive, send)
   bus=system
   path=/org/freedesktop/DBus
   interface=org.freedesktop.DBus
   member=GetConnectionUnixUser
   peer=(label=unconfined),

# Allow binding the service to the requested connection name
dbus (bind)
    bus=system
    name="org.freedesktop.NetworkManager",

# Allow traffic to/from our path and interface with any method for unconfined
# clients to talk to our service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    interface=org.freedesktop.NetworkManager*
    peer=(label=unconfined),

# Allow traffic to/from org.freedesktop.DBus for NetworkManager service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),

# Allow access to hostname system service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    peer=(label=unconfined),
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    member="Get{,All}",

dbus(receive, send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.hostname1
    member={Set,SetStatic}Hostname
    peer=(label=unconfined),
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.hostname1
    member={Set,SetStatic}Hostname,

# Sleep monitor inside NetworkManager needs this
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/login1
    member=Inhibit
    interface=org.freedesktop.login1.Manager,
dbus (receive)
    bus=system
    path=/org/freedesktop/login1
    member=PrepareForSleep
    interface=org.freedesktop.login1.Manager
    peer=(label=unconfined),
dbus (receive)
    bus=system
    path=/org/freedesktop/login1
    interface=org.freedesktop.login1.Manager
    member=Session{New,Removed}
    peer=(label=unconfined),

# Allow access to wpa-supplicant for managing WiFi networks
dbus (receive, send)
    bus=system
    path=/fi/w1/wpa_supplicant1{,/**}
    interface=fi.w1.wpa_supplicant1*
    peer=(label=unconfined),
dbus (receive, send)
    bus=system
    path=/fi/w1/wpa_supplicant1{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),
`
   247  
// networkManagerConnectedSlotAppArmor is the AppArmor policy template added to
// the slot side for each connection (see AppArmorConnectedSlot). Every
// ###PLUG_SECURITY_TAGS### placeholder is substituted with the connected
// plug's label expression before the snippet is added.
//
// The first rule has no interface= or member= filter: the slot may exchange
// any message with the connected plug on the NetworkManager object tree. The
// final rule is an explicit "deny ptrace (trace)" towards the plug; per the
// embedded comment it exists to silence denial logging, not to take away
// something NetworkManager needs.
const networkManagerConnectedSlotAppArmor = `
# Allow connected clients to interact with the service

# Allow traffic to/from our DBus path
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label=###PLUG_SECURITY_TAGS###),

# Later versions of NetworkManager implement org.freedesktop.DBus.ObjectManager
# for clients to easily obtain all (and be alerted to added/removed) objects
# from the service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=###PLUG_SECURITY_TAGS###),

# Explicitly deny ptrace to silence noisy denials. These denials happen when NM
# tries to access /proc/<peer_pid>/stat.  What apparmor prevents is showing
# internal process addresses that live in that file, but that has no adverse
# effects for NetworkManager, which just wants to find out the start time of the
# process.
deny ptrace (trace) peer=###PLUG_SECURITY_TAGS###,
`
   273  
// networkManagerConnectedPlugAppArmor is the AppArmor policy template added to
// the plug side for each connection (see AppArmorConnectedPlug). Every
// ###SLOT_SECURITY_TAGS### placeholder is substituted before use, either with
// the slot's label expression or with the literal "unconfined".
//
// The first rule carries no interface= or member= filter, so this snippet on
// its own places no method-level restriction on what a connected plug may send
// to objects under /org/freedesktop/NetworkManager. When the substituted label
// is "unconfined", the rule matches any unconfined peer on that path rather
// than one specific service.
const networkManagerConnectedPlugAppArmor = `
# Description: Allow using NetworkManager service. This gives privileged access
# to the NetworkManager service.

#include <abstractions/dbus-strict>

# Allow all access to NetworkManager service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label=###SLOT_SECURITY_TAGS###),

# NM implements org.freedesktop.DBus.ObjectManager too
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=###SLOT_SECURITY_TAGS###),
`
   293  
// networkManagerConnectedPlugIntrospectionSnippet is an extra plug-side
// AppArmor template that AppArmorConnectedPlug adds only when not running on
// classic. It lets the plug send org.freedesktop.DBus.Introspectable.Introspect
// to the slot's label; the rule has no path= filter, so it applies to any
// object path exposed by that peer.
const networkManagerConnectedPlugIntrospectionSnippet = `
# Allow us to introspect the network-manager providing snap
dbus (send)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###SLOT_SECURITY_TAGS###),
`
   302  
// networkManagerConnectedSlotIntrospectionSnippet is the slot-side counterpart
// of the plug introspection snippet: AppArmorConnectedSlot adds it only when
// not running on classic, allowing the slot to receive Introspect calls from
// the connected plug's label.
const networkManagerConnectedSlotIntrospectionSnippet = `
# Allow plugs to introspect us
dbus (receive)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###PLUG_SECURITY_TAGS###),
`
   311  
// networkManagerConnectedPlugSecComp is the seccomp policy text added for a
// connected plug (see SecCompConnectedPlug). Its single rule permits socket()
// for AF_NETLINK with the NETLINK_KOBJECT_UEVENT protocol and any socket type.
const networkManagerConnectedPlugSecComp = `
# Description: This is needed to talk to the network-manager service
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`
   316  
// networkManagerPermanentSlotSecComp is the seccomp policy text added for a
// snap providing the slot (see SecCompPermanentSlot). It permits the
// server-side socket calls accept, accept4, bind and listen, the sethostname
// syscall, and AF_NETLINK sockets of any type and protocol ("- -").
const networkManagerPermanentSlotSecComp = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.
accept
accept4
bind
listen
sethostname
# netlink
socket AF_NETLINK - -
`
   328  
// networkManagerPermanentSlotDBus is the D-Bus bus policy (XML) added for a
// snap providing the slot (see DBusPermanentSlot). It is emitted verbatim.
//
// Structure of the policy:
//   - <policy user="root"> lets root own org.freedesktop.NetworkManager and
//     org.freedesktop.NetworkManager.dnsmasq, send to NetworkManager and to
//     the listed VPN plugin names, and use the SecretAgent and VPN.Plugin
//     interfaces.
//   - <policy context="default"> first denies owning and sending to
//     org.freedesktop.NetworkManager, then re-allows sending per interface.
//     The embedded comments state that the read/write interfaces are secured
//     with PolicyKit; that enforcement is not part of this text.
//   - Within the default context, SetLogging, Sleep, LoadConnections and
//     ReloadConnections are denied, as are owning and sending to the dnsmasq
//     name.
//
// NOTE(review): the two trailing <limit> elements sit outside any <policy>
// block; confirm they are meant to apply bus-wide rather than to this service
// only.
const networkManagerPermanentSlotDBus = `
<!-- DBus policy for NetworkManager (upstream version 1.2.2) -->
<policy user="root">
    <allow own="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager"/>

    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.PPP"/>

    <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>

    <!-- These are there because some broken policies do
         <deny send_interface="..." /> (see dbus-daemon(8) for details).
         This seems to override that for the known VPN plugins. -->
    <allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
    <allow send_destination="org.freedesktop.NetworkManager.openswan"/>
    <allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
    <allow send_destination="org.freedesktop.NetworkManager.pptp"/>
    <allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
    <allow send_destination="org.freedesktop.NetworkManager.ssh"/>
    <allow send_destination="org.freedesktop.NetworkManager.iodine"/>
    <allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
    <allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
    <allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
    <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
    <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>

    <!-- Allow the custom name for the dnsmasq instance spawned by NM
        from the dns dnsmasq plugin to own it's dbus name, and for
        messages to be sent to it.
    -->
    <allow own="org.freedesktop.NetworkManager.dnsmasq"/>
    <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>

<policy context="default">
    <deny own="org.freedesktop.NetworkManager"/>

    <deny send_destination="org.freedesktop.NetworkManager"/>

    <!-- Basic D-Bus API stuff -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.ObjectManager"/>

    <!-- Devices (read-only properties, no methods) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Team"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.AccessPoint"/>

    <!-- Devices (read-only, no security required) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>

    <!-- Devices (read/write, secured with PolicyKit) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device"/>

    <!-- Core stuff (read-only properties, no methods) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.IP4Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.IP6Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>

    <!-- Core stuff (read/write, secured with PolicyKit) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Settings"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>

    <!-- Agents; secured with PolicyKit.  Any process can talk to
         the AgentManager API, but only NetworkManager can talk
         to the agents themselves. -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.AgentManager"/>

    <!-- Root-only functions -->
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager"
          send_member="SetLogging"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager"
          send_member="Sleep"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager.Settings"
          send_member="LoadConnections"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager.Settings"
          send_member="ReloadConnections"/>

    <deny own="org.freedesktop.NetworkManager.dnsmasq"/>
    <deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>

<limit name="max_replies_per_connection">1024</limit>
<limit name="max_match_rules_per_connection">2048</limit>
`
   472  
// networkManagerInterface is the stateless type whose methods supply the
// AppArmor, seccomp, D-Bus and udev policy for the "network-manager"
// interface.
type networkManagerInterface struct{}

// Name returns the interface name, "network-manager".
func (*networkManagerInterface) Name() string {
	const name = "network-manager"
	return name
}
   478  
// StaticInfo returns the interface's static metadata: the summary text, the
// ImplicitOnClassic flag (set to true) and the base declaration for slots.
func (*networkManagerInterface) StaticInfo() interfaces.StaticInfo {
	var info interfaces.StaticInfo
	info.Summary = networkManagerSummary
	info.ImplicitOnClassic = true
	// The base declaration is where auto-connection and connection are
	// restricted; AutoConnect in this file does not restrict anything itself.
	info.BaseDeclarationSlots = networkManagerBaseDeclarationSlots
	return info
}
   486  
// AppArmorConnectedPlug adds the plug-side AppArmor rules for a connection to
// spec, after replacing the ###SLOT_SECURITY_TAGS### placeholder with the
// label of the peer that provides NetworkManager. It always returns nil.
//
// On classic the peer label is the literal "unconfined", so the resulting
// rules match any unconfined peer on the NetworkManager object path rather
// than a single confined snap; elsewhere the label comes from
// slotAppLabelExpr(slot).
func (iface *networkManagerInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"

	// On classic, NetworkManager is not provided by a confined snap and runs
	// unconfined, so there is no slot label expression to substitute.
	peerLabel := "unconfined"
	if !release.OnClassic {
		peerLabel = slotAppLabelExpr(slot)
	}
	spec.AddSnippet(strings.Replace(networkManagerConnectedPlugAppArmor, placeholder, peerLabel, -1))

	if release.OnClassic {
		return nil
	}
	// The introspection rule is only added off classic.
	// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
	spec.AddSnippet(strings.Replace(networkManagerConnectedPlugIntrospectionSnippet, placeholder, peerLabel, -1))
	return nil
}
   506  
// AppArmorConnectedSlot adds the slot-side AppArmor rules for a connection to
// spec, after replacing the ###PLUG_SECURITY_TAGS### placeholder with the
// label expression of the connected plug (plugAppLabelExpr). The rules are
// therefore scoped to that plug's label. It always returns nil.
func (iface *networkManagerInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"

	plugLabel := plugAppLabelExpr(plug)
	spec.AddSnippet(strings.Replace(networkManagerConnectedSlotAppArmor, placeholder, plugLabel, -1))

	if release.OnClassic {
		return nil
	}
	// The introspection rule is only added off classic.
	// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
	spec.AddSnippet(strings.Replace(networkManagerConnectedSlotIntrospectionSnippet, placeholder, plugLabel, -1))
	return nil
}
   519  
// AppArmorPermanentSlot adds the service-side AppArmor policy
// (networkManagerPermanentSlotAppArmor) to spec, unmodified. That policy
// includes network capabilities and write access to system network
// configuration, and is added regardless of whether any plug is connected.
// It always returns nil.
func (*networkManagerInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotAppArmor)
	return nil
}
   524  
// DBusPermanentSlot adds the D-Bus bus policy XML
// (networkManagerPermanentSlotDBus) to spec, unmodified. It always returns
// nil.
func (*networkManagerInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotDBus)
	return nil
}
   529  
// SecCompPermanentSlot adds the service-side seccomp policy
// (networkManagerPermanentSlotSecComp) to spec, unmodified. It always returns
// nil.
func (*networkManagerInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotSecComp)
	return nil
}
   534  
// UDevPermanentSlot tags the kernel device named "rfkill" for the slot. The
// slot's AppArmor policy in this file separately grants read/write on
// /dev/rfkill. It always returns nil.
func (*networkManagerInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
	const rfkillRule = `KERNEL=="rfkill"`
	spec.TagDevice(rfkillRule)
	return nil
}
   539  
// SecCompConnectedPlug adds the plug-side seccomp policy
// (networkManagerConnectedPlugSecComp) to spec, unmodified. Neither plug nor
// slot is consulted. It always returns nil.
func (*networkManagerInterface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	spec.AddSnippet(networkManagerConnectedPlugSecComp)
	return nil
}
   544  
// AutoConnect reports whether this interface objects to auto-connecting the
// given plug and slot. It returns true unconditionally and inspects neither
// argument, so it never vetoes: the decision rests with the declarations. The
// base declaration in this file sets deny-auto-connection: true.
func (*networkManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	return true
}
   549  
// init registers the network-manager interface with the package's interface
// registry at program start.
func init() {
	iface := new(networkManagerInterface)
	registerIface(iface)
}