// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"strings"

	"github.com/snapcore/snapd/interfaces"
	"github.com/snapcore/snapd/interfaces/apparmor"
	"github.com/snapcore/snapd/interfaces/dbus"
	"github.com/snapcore/snapd/interfaces/seccomp"
	"github.com/snapcore/snapd/interfaces/udev"
	"github.com/snapcore/snapd/release"
	"github.com/snapcore/snapd/snap"
)

// networkManagerSummary is the one-line description reported through
// StaticInfo for the "network-manager" interface.
const networkManagerSummary = `allows operating as the NetworkManager service`

// networkManagerBaseDeclarationSlots is the base-declaration policy for the
// slot side: only app and core snaps may provide the slot, the interface never
// auto-connects, and connection is denied when not running on classic.
const networkManagerBaseDeclarationSlots = `
  network-manager:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-auto-connection: true
    deny-connection:
      on-classic: false
`

// networkManagerPermanentSlotAppArmor is the AppArmor policy installed for
// the slot provider regardless of any connection (see AppArmorPermanentSlot).
// It is a highly privileged profile: it grants net_admin/net_bind_service/
// net_raw capabilities, read-write access to much of /proc/sys/net, execution
// of resolvconf and run-parts, binding of the org.freedesktop.NetworkManager
// bus name, and unrestricted D-Bus traffic on the NetworkManager, hostname1,
// login1 and wpa_supplicant1 paths with unconfined peers. Review changes to it
// as changes to system-wide network control.
const networkManagerPermanentSlotAppArmor = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.

capability net_admin,
capability net_bind_service,
capability net_raw,

network netlink,
network bridge,
network inet,
network inet6,
network packet,

@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# used by sysctl, et al
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** rw,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** rw,
@{PROC}/sys/net/nf_conntrack_max rw,

# Needed for systemd's dhcp implementation
@{PROC}/sys/kernel/random/boot_id r,

/sys/devices/**/**/net/**/phys_port_id r,
/sys/devices/**/**/net/**/dev_id r,
/sys/devices/virtual/net/**/phys_port_id r,
/sys/devices/virtual/net/**/dev_id r,
/sys/devices/**/net/**/ifindex r,

/dev/rfkill rw,

/run/udev/data/* r,

# Allow read and write access for all netplan configuration files
# as NetworkManager will start using them to store the network
# configuration instead of using its own internal keyfile based
# format.
/etc/netplan/{,**} rw,

# Allow access to configuration files generated on the fly
# from netplan and let NetworkManager store its configuration
# in the same place.
/run/NetworkManager/{,**} rw,

# Needed by the ifupdown plugin to check which interfaces can
# be managed an which not.
/etc/network/interfaces r,
# Needed for systemd's dhcp implementation
/etc/machine-id r,

# Needed to use resolvconf from core
/sbin/resolvconf ixr,
/run/resolvconf/{,**} rk,
/run/resolvconf/** w,
/etc/resolvconf/{,**} r,
/lib/resolvconf/* ix,
# NM peeks into ifupdown configuration
/run/network/ifstate* r,
# Required by resolvconf
/bin/run-parts ixr,
/etc/resolvconf/update.d/* ix,

#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# DBus accesses
#include <abstractions/dbus-strict>

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
# https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
# https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
dbus send
    bus=system
    path="/org/freedesktop/resolve1"
    interface="org.freedesktop.resolve1.Manager"
    member="Resolve{Address,Hostname,Record,Service}"
    peer=(name="org.freedesktop.resolve1"),

dbus (send)
    bus=system
    path="/org/freedesktop/resolve1"
    interface="org.freedesktop.resolve1.Manager"
    member="SetLink{DNS,MulticastDNS,Domains,LLMNR}"
    peer=(label=unconfined),

dbus (send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member={Request,Release}Name
    peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (receive, send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member=GetConnectionUnixProcessID
    peer=(label=unconfined),

dbus (receive, send)
    bus=system
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member=GetConnectionUnixUser
    peer=(label=unconfined),

# Allow binding the service to the requested connection name
dbus (bind)
    bus=system
    name="org.freedesktop.NetworkManager",

# Allow traffic to/from our path and interface with any method for unconfined
# clients to talk to our service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    interface=org.freedesktop.NetworkManager*
    peer=(label=unconfined),

# Allow traffic to/from org.freedesktop.DBus for NetworkManager service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),

# Allow access to hostname system service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    peer=(label=unconfined),
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    member="Get{,All}",

dbus(receive, send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.hostname1
    member={Set,SetStatic}Hostname
    peer=(label=unconfined),
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.hostname1
    member={Set,SetStatic}Hostname,

# Sleep monitor inside NetworkManager needs this
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/login1
    member=Inhibit
    interface=org.freedesktop.login1.Manager,
dbus (receive)
    bus=system
    path=/org/freedesktop/login1
    member=PrepareForSleep
    interface=org.freedesktop.login1.Manager
    peer=(label=unconfined),
dbus (receive)
    bus=system
    path=/org/freedesktop/login1
    interface=org.freedesktop.login1.Manager
    member=Session{New,Removed}
    peer=(label=unconfined),

# Allow access to wpa-supplicant for managing WiFi networks
dbus (receive, send)
    bus=system
    path=/fi/w1/wpa_supplicant1{,/**}
    interface=fi.w1.wpa_supplicant1*
    peer=(label=unconfined),
dbus (receive, send)
    bus=system
    path=/fi/w1/wpa_supplicant1{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),
`

// networkManagerConnectedSlotAppArmor is added to the slot provider's profile
// for each connected plug (see AppArmorConnectedSlot). The
// ###PLUG_SECURITY_TAGS### placeholder is replaced with the connected plug's
// AppArmor label expression, so traffic on the NetworkManager path and the
// ObjectManager interface is admitted only from that plug snap. The explicit
// ptrace deny silences denials from NM reading /proc/<peer_pid>/stat.
const networkManagerConnectedSlotAppArmor = `
# Allow connected clients to interact with the service

# Allow traffic to/from our DBus path
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label=###PLUG_SECURITY_TAGS###),

# Later versions of NetworkManager implement org.freedesktop.DBus.ObjectManager
# for clients to easily obtain all (and be alerted to added/removed) objects
# from the service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=###PLUG_SECURITY_TAGS###),

# Explicitly deny ptrace to silence noisy denials. These denials happen when NM
# tries to access /proc/<peer_pid>/stat. What apparmor prevents is showing
# internal process addresses that live in that file, but that has no adverse
# effects for NetworkManager, which just wants to find out the start time of the
# process.
deny ptrace (trace) peer=###PLUG_SECURITY_TAGS###,
`

// networkManagerConnectedPlugAppArmor is added to the plug snap's profile on
// connection (see AppArmorConnectedPlug). ###SLOT_SECURITY_TAGS### becomes
// the slot snap's label expression, or the literal "unconfined" on classic
// where NetworkManager ships with the OS. Note the classic case admits traffic
// with any unconfined peer on these paths, not only NetworkManager.
const networkManagerConnectedPlugAppArmor = `
# Description: Allow using NetworkManager service. This gives privileged access
# to the NetworkManager service.

#include <abstractions/dbus-strict>

# Allow all access to NetworkManager service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label=###SLOT_SECURITY_TAGS###),

# NM implements org.freedesktop.DBus.ObjectManager too
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// networkManagerConnectedPlugIntrospectionSnippet lets the plug snap send
// Introspect to the slot snap. It is only added when not on classic (see
// AppArmorConnectedPlug), since on classic the slot side is unconfined.
const networkManagerConnectedPlugIntrospectionSnippet = `
# Allow us to introspect the network-manager providing snap
dbus (send)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// networkManagerConnectedSlotIntrospectionSnippet is the slot-side counterpart
// of the plug introspection snippet; it is likewise added only when not on
// classic (see AppArmorConnectedSlot).
const networkManagerConnectedSlotIntrospectionSnippet = `
# Allow plugs to introspect us
dbus (receive)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###PLUG_SECURITY_TAGS###),
`

// networkManagerConnectedPlugSecComp permits the plug snap to open a
// NETLINK_KOBJECT_UEVENT netlink socket (uevent notifications); no other
// netlink family is granted to the plug side.
const networkManagerConnectedPlugSecComp = `
# Description: This is needed to talk to the network-manager service
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`

// networkManagerPermanentSlotSecComp is the seccomp policy for the slot
// provider: listening sockets, sethostname and netlink sockets of any
// family/protocol ("- -").
const networkManagerPermanentSlotSecComp = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.
accept
accept4
bind
listen
sethostname
# netlink
socket AF_NETLINK - -
`

// networkManagerPermanentSlotDBus is the dbus-daemon bus policy installed for
// the slot provider (see DBusPermanentSlot). Root may own the service name and
// the dnsmasq helper name; the default context is denied ownership and
// generic sends, then re-allowed per interface, with the root-only members
// SetLogging, Sleep, LoadConnections and ReloadConnections explicitly denied.
const networkManagerPermanentSlotDBus = `
<!-- DBus policy for NetworkManager (upstream version 1.2.2) -->
<policy user="root">
    <allow own="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager"/>

    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.PPP"/>

    <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>

    <!-- These are there because some broken policies do
         <deny send_interface="..." /> (see dbus-daemon(8) for details).
         This seems to override that for the known VPN plugins. -->
    <allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
    <allow send_destination="org.freedesktop.NetworkManager.openswan"/>
    <allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
    <allow send_destination="org.freedesktop.NetworkManager.pptp"/>
    <allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
    <allow send_destination="org.freedesktop.NetworkManager.ssh"/>
    <allow send_destination="org.freedesktop.NetworkManager.iodine"/>
    <allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
    <allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
    <allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
    <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
    <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>

    <!-- Allow the custom name for the dnsmasq instance spawned by NM
         from the dns dnsmasq plugin to own it's dbus name, and for
         messages to be sent to it.
    -->
    <allow own="org.freedesktop.NetworkManager.dnsmasq"/>
    <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>

<policy context="default">
    <deny own="org.freedesktop.NetworkManager"/>

    <deny send_destination="org.freedesktop.NetworkManager"/>

    <!-- Basic D-Bus API stuff -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.ObjectManager"/>

    <!-- Devices (read-only properties, no methods) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Team"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.AccessPoint"/>

    <!-- Devices (read-only, no security required) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>

    <!-- Devices (read/write, secured with PolicyKit) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device"/>

    <!-- Core stuff (read-only properties, no methods) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.IP4Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.IP6Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>

    <!-- Core stuff (read/write, secured with PolicyKit) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Settings"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>

    <!-- Agents; secured with PolicyKit.  Any process can talk to
         the AgentManager API, but only NetworkManager can talk
         to the agents themselves. -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.AgentManager"/>

    <!-- Root-only functions -->
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager"
          send_member="SetLogging"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager"
          send_member="Sleep"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager.Settings"
          send_member="LoadConnections"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager.Settings"
          send_member="ReloadConnections"/>

    <deny own="org.freedesktop.NetworkManager.dnsmasq"/>
    <deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>

<limit name="max_replies_per_connection">1024</limit>
<limit name="max_match_rules_per_connection">2048</limit>
`

// networkManagerInterface implements the "network-manager" interface; a
// single instance is registered from init(). It carries no state, so all
// policy comes from the constants above.
type networkManagerInterface struct{}
// Name returns the interface name, which is also the plug/slot name used in
// snap.yaml.
func (iface *networkManagerInterface) Name() string {
	return "network-manager"
}

// StaticInfo reports the interface summary, that the slot is implicitly
// provided on classic systems, and the base-declaration slot policy.
func (iface *networkManagerInterface) StaticInfo() interfaces.StaticInfo {
	info := interfaces.StaticInfo{
		Summary:              networkManagerSummary,
		ImplicitOnClassic:    true,
		BaseDeclarationSlots: networkManagerBaseDeclarationSlots,
	}
	return info
}

// AppArmorConnectedPlug adds the plug-side AppArmor policy. The peer label
// placeholder is bound to the slot snap's label expression, or to the literal
// "unconfined" on classic where NetworkManager is part of the OS and runs
// without a profile; in that case the rules admit any unconfined peer, not
// only NetworkManager. The introspection snippet is added only on non-classic.
func (iface *networkManagerInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"

	// If we're running on classic NetworkManager will be part of the OS
	// snap and will run unconfined, so there is no snap label to pin to.
	peerLabel := "unconfined"
	if !release.OnClassic {
		peerLabel = slotAppLabelExpr(slot)
	}

	spec.AddSnippet(strings.Replace(networkManagerConnectedPlugAppArmor, placeholder, peerLabel, -1))
	if release.OnClassic {
		return nil
	}

	// Confined slot snaps additionally need Introspect to work.
	// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
	spec.AddSnippet(strings.Replace(networkManagerConnectedPlugIntrospectionSnippet, placeholder, peerLabel, -1))
	return nil
}

// AppArmorConnectedSlot adds the slot-side AppArmor policy for one connected
// plug, scoping the D-Bus rules (and the ptrace deny) to that plug's label
// expression. The introspection snippet is added only on non-classic.
func (iface *networkManagerInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	peerLabel := plugAppLabelExpr(plug)

	templates := []string{networkManagerConnectedSlotAppArmor}
	if !release.OnClassic {
		// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
		templates = append(templates, networkManagerConnectedSlotIntrospectionSnippet)
	}
	for _, tmpl := range templates {
		spec.AddSnippet(strings.Replace(tmpl, placeholder, peerLabel, -1))
	}
	return nil
}

// AppArmorPermanentSlot installs the privileged service profile for the slot
// provider, independent of any connection.
func (iface *networkManagerInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotAppArmor)
	return nil
}

// DBusPermanentSlot installs the dbus-daemon bus policy for the slot provider.
func (iface *networkManagerInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotDBus)
	return nil
}

// SecCompPermanentSlot installs the seccomp policy for the slot provider.
func (iface *networkManagerInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotSecComp)
	return nil
}

// UDevPermanentSlot tags the rfkill device so the slot snap may access it
// (the AppArmor profile separately grants /dev/rfkill rw).
func (iface *networkManagerInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
	spec.TagDevice(`KERNEL=="rfkill"`)
	return nil
}

// SecCompConnectedPlug grants the plug snap the uevent netlink socket.
func (iface *networkManagerInterface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	spec.AddSnippet(networkManagerConnectedPlugSecComp)
	return nil
}

// AutoConnect defers entirely to the declarations; the base declaration sets
// deny-auto-connection, so this only matters when a snap declaration allows it.
func (iface *networkManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	return true
}

func init() {
	registerIface(&networkManagerInterface{})
}