// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// Policy text for the "system-observe" interface. The raw strings below are
// handed to AppArmor and seccomp verbatim, so the '#' lines inside them are
// policy comments, not Go comments, and must stay as written.
const (
	// systemObserveSummary is the one-line description of the interface.
	systemObserveSummary = `allows observing all processes and drivers`

	// systemObserveBaseDeclarationSlots limits slot installation to snaps of
	// type core and turns auto-connection off, so a plug has to be connected
	// deliberately rather than on install.
	systemObserveBaseDeclarationSlots = `
  system-observe:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

	// systemObserveConnectedPlugAppArmor is the AppArmor snippet applied to a
	// connected plug. It grants read access to system-wide and per-process
	// /proc entries, 'ptrace (read)' but deliberately not 'ptrace (trace)',
	// the host's os-release files, CFS bandwidth control files under
	// /sys/fs/cgroup, and a small set of D-Bus calls against hostname1 and
	// the bus daemon. The in-policy comments spell out why the ptrace and
	// kallsyms handling is as restrictive as it is.
	systemObserveConnectedPlugAppArmor = `
# Description: Can query system status information. This is restricted because
# it gives privileged read access to all processes on the system and should
# only be used with trusted apps.

# Needed by 'ps'
@{PROC}/tty/drivers r,

# This ptrace is an information leak. Intentionlly omit 'ptrace (trace)' here
# since since ps doesn't actually need to trace other processes. Note this
# allows a number of accesses (assuming the associated /proc file is allowed),
# such as various memory address locations and esp/eip via /proc/*/stat,
# /proc/*/mem, /proc/*/personality, /proc/*/stack, /proc/*/syscall,
# /proc/*/timerslack_ns and /proc/*/wchan (see man proc).
#
# Some files like /proc/kallsyms (but anything using %pK format specifier) need
# 'capability syslog' when /proc/sys/kernel/kptr_restrict=1, but we
# intentionally do not allow since it could be used to defeat KASLR.
ptrace (read),

# Other miscellaneous accesses for observing the system
@{PROC}/locks r,
@{PROC}/modules r,
@{PROC}/stat r,
@{PROC}/vmstat r,
@{PROC}/diskstats r,
@{PROC}/kallsyms r,
@{PROC}/partitions r,
@{PROC}/sys/kernel/panic r,
@{PROC}/sys/kernel/panic_on_oops r,
@{PROC}/sys/vm/panic_on_oom r,

# These are not process-specific (/proc/*/... and /proc/*/task/*/...)
@{PROC}/*/{,task/,task/*/} r,
@{PROC}/*/{,task/*/}auxv r,
@{PROC}/*/{,task/*/}cgroup r,
@{PROC}/*/{,task/*/}cmdline r,
@{PROC}/*/{,task/*/}comm r,
@{PROC}/*/{,task/*/}exe r,
@{PROC}/*/{,task/*/}fdinfo/* r,
@{PROC}/*/{,task/*/}stat r,
@{PROC}/*/{,task/*/}statm r,
@{PROC}/*/{,task/*/}status r,
@{PROC}/*/{,task/*/}wchan r,

# Allow discovering the os-release of the host
/var/lib/snapd/hostfs/etc/os-release rk,
/var/lib/snapd/hostfs/usr/lib/os-release rk,

# Allow discovering system-wide CFS Bandwidth Control information
# https://www.kernel.org/doc/html/latest/scheduler/sched-bwc.html
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us r,
/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
/sys/fs/cgroup/cpu,cpuacct/cpu.shares r,
/sys/fs/cgroup/cpu,cpuacct/cpu.stat r,

#include <abstractions/dbus-strict>

# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    member=Get{,All},

# Allow clients to introspect hostname1
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Introspectable
    member=Introspect,

# Allow clients to enumerate DBus connection names on common buses
dbus (send)
    bus={session,system}
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member=ListNames
    peer=(label=unconfined),

# Allow clients to obtain the DBus machine ID on common buses. We do not
# mediate the path since any peer can be used.
dbus (send)
    bus={session,system}
    interface=org.freedesktop.DBus.Peer
    member=GetMachineId
    peer=(label=unconfined),
`

	// systemObserveConnectedPlugSecComp is the seccomp snippet applied to a
	// connected plug. It currently carries only commentary: the '@deny ptrace'
	// rule is present but commented out, for the reason given inside.
	systemObserveConnectedPlugSecComp = `
# Description: Can query system status information. This is restricted because
# it gives privileged read access to all processes on the system and should
# only be used with trusted apps.

# ptrace can be used to break out of the seccomp sandbox, but ps requests
# 'ptrace (trace)' from apparmor. 'ps' does not need the ptrace syscall though,
# so we deny the ptrace here to make sure we are always safe.
# Note: may uncomment once ubuntu-core-launcher understands @deny rules and
# if/when we conditionally deny this in the future.
#@deny ptrace
`
)

// init registers the system-observe interface with the builtin registry,
// wiring the policy constants above into a commonInterface.
func init() {
	iface := &commonInterface{
		name:                  "system-observe",
		summary:               systemObserveSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  systemObserveBaseDeclarationSlots,
		connectedPlugAppArmor: systemObserveConnectedPlugAppArmor,
		connectedPlugSecComp:  systemObserveConnectedPlugSecComp,
		// NOTE(review): presumably tied to how the template handles
		// 'ptrace (trace)' for this interface; confirm against commonInterface.
		suppressPtraceTrace: true,
	}
	registerIface(iface)
}