github.com/hugh712/snapd@v0.0.0-20200910133618-1a99902bd583/interfaces/builtin/udisks2.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"strings"
    24  
    25  	"github.com/snapcore/snapd/interfaces"
    26  	"github.com/snapcore/snapd/interfaces/apparmor"
    27  	"github.com/snapcore/snapd/interfaces/dbus"
    28  	"github.com/snapcore/snapd/interfaces/seccomp"
    29  	"github.com/snapcore/snapd/interfaces/udev"
    30  	"github.com/snapcore/snapd/release"
    31  	"github.com/snapcore/snapd/snap"
    32  )
    33  
    34  const udisks2Summary = `allows operating as or interacting with the UDisks2 service`
    35  
    36  const udisks2BaseDeclarationSlots = `
    37    udisks2:
    38      allow-installation:
    39        slot-snap-type:
    40          - app
    41          - core
    42      deny-connection:
    43        on-classic: false
    44      deny-auto-connection: true
    45  `
    46  
    47  const udisks2PermanentSlotAppArmor = `
    48  # Description: Allow operating as the udisks2. This gives privileged access to
    49  # the system.
    50  
    51  # DBus accesses
    52  #include <abstractions/dbus-strict>
    53  dbus (send)
    54      bus=system
    55      path=/org/freedesktop/DBus
    56      interface=org.freedesktop.DBus
    57      member="{Request,Release}Name"
    58      peer=(name=org.freedesktop.DBus, label=unconfined),
    59  
    60  dbus (send)
    61      bus=system
    62      path=/org/freedesktop/DBus
    63      interface=org.freedesktop.DBus
    64      member="GetConnectionUnix{ProcessID,User}"
    65      peer=(label=unconfined),
    66  
    67  # Allow binding the service to the requested connection name
    68  dbus (bind)
    69      bus=system
    70      name="org.freedesktop.UDisks2",
    71  
    72  # Allow unconfined to talk to us. The API for unconfined will be limited
    73  # with DBus policy, below.
    74  dbus (receive, send)
    75      bus=system
    76      path=/org/freedesktop/UDisks2{,/**}
    77      interface=org.freedesktop.DBus*
    78      peer=(label=unconfined),
    79  
    80  # Needed for mount/unmount operations
    81  capability sys_admin,
    82  
    83  # Allow scanning of devices
    84  network netlink raw,
    85  /run/udev/data/b[0-9]*:[0-9]* r,
    86  /sys/devices/**/block/** r,
    87  
    88  # Mount points could be in /run/media/<user>/* or /media/<user>/*
    89  /run/systemd/seats/* r,
    90  /{,run/}media/{,**} rw,
    91  mount options=(ro,nosuid,nodev) /dev/{sd*,mmcblk*} -> /{,run/}media/**,
    92  mount options=(rw,nosuid,nodev) /dev/{sd*,mmcblk*} -> /{,run/}media/**,
    93  umount /{,run/}media/**,
    94  
    95  # This should probably be patched to use $SNAP_DATA/run/...
    96  /run/udisks2/{,**} rw,
    97  
    98  # udisksd execs mount/umount to do the actual operations
    99  /bin/mount ixr,
   100  /bin/umount ixr,
   101  
   102  # mount/umount (via libmount) track some mount info in these files
   103  /run/mount/utab* wrl,
   104  
   105  # Udisks2 needs to read the raw device for partition information. These rules
   106  # give raw read access to the system disks and therefore the entire system.
   107  /dev/sd* r,
   108  /dev/mmcblk* r,
   109  /dev/vd* r,
   110  
   111  # Needed for probing raw devices
   112  capability sys_rawio,
   113  `
   114  
   115  const udisks2ConnectedSlotAppArmor = `
   116  # Allow connected clients to interact with the service. This gives privileged
   117  # access to the system.
   118  
   119  dbus (receive, send)
   120      bus=system
   121      path=/org/freedesktop/UDisks2/**
   122      interface=org.freedesktop.DBus.Properties
   123      peer=(label=###PLUG_SECURITY_TAGS###),
   124  
   125  dbus (receive, send)
   126      bus=system
   127      path=/org/freedesktop/UDisks2
   128      interface=org.freedesktop.DBus.ObjectManager
   129      peer=(label=###PLUG_SECURITY_TAGS###),
   130  
   131  # Allow access to the Udisks2 API
   132  dbus (receive, send)
   133      bus=system
   134      path=/org/freedesktop/UDisks2/**
   135      interface=org.freedesktop.UDisks2.*
   136      peer=(label=###PLUG_SECURITY_TAGS###),
   137  
   138  # Allow clients to introspect the service
   139  dbus (receive)
   140      bus=system
   141      path=/org/freedesktop/UDisks2
   142      interface=org.freedesktop.DBus.Introspectable
   143      member=Introspect
   144      peer=(label=###PLUG_SECURITY_TAGS###),
   145  `
   146  
   147  const udisks2ConnectedPlugAppArmor = `
   148  # Description: Allow using udisks service. This gives privileged access to the
   149  # service.
   150  
   151  #include <abstractions/dbus-strict>
   152  
   153  dbus (receive, send)
   154      bus=system
   155      path=/org/freedesktop/UDisks2/**
   156      interface=org.freedesktop.DBus.Properties
   157      peer=(label=###SLOT_SECURITY_TAGS###),
   158  # do not use peer=(label=unconfined) here since this is DBus activated
   159  dbus (send)
   160      bus=system
   161      path=/org/freedesktop/UDisks2/**
   162      interface=org.freedesktop.DBus.Properties
   163      member="Get{,All}",
   164  
   165  dbus (receive, send)
   166      bus=system
   167      path=/org/freedesktop/UDisks2
   168      interface=org.freedesktop.DBus.ObjectManager
   169      peer=(label=###SLOT_SECURITY_TAGS###),
   170  
   171  # Allow access to the Udisks2 API
   172  dbus (receive, send)
   173      bus=system
   174      path=/org/freedesktop/UDisks2/**
   175      interface=org.freedesktop.UDisks2.*
   176      peer=(label=###SLOT_SECURITY_TAGS###),
   177  
   178  # Allow clients to introspect the service
   179  # do not use peer=(label=unconfined) here since this is DBus activated
   180  dbus (send)
   181      bus=system
   182      path=/org/freedesktop/UDisks2{,/**}
   183      interface=org.freedesktop.DBus.Introspectable
   184      member=Introspect,
   185  `
   186  
   187  const udisks2PermanentSlotSecComp = `
   188  bind
   189  chown32
   190  fchown
   191  fchown32
   192  fchownat
   193  lchown
   194  lchown32
   195  mount
   196  shmctl
   197  umount
   198  umount2
   199  # libudev
   200  socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
   201  `
   202  
   203  const udisks2PermanentSlotDBus = `
   204  <policy user="root">
   205      <allow own="org.freedesktop.UDisks2"/>
   206      <allow send_destination="org.freedesktop.UDisks2"/>
   207  </policy>
   208  
   209  <policy context="default">
   210      <allow send_destination="org.freedesktop.UDisks2" send_interface="org.freedesktop.DBus.Introspectable" />
   211  </policy>
   212  `
   213  
   214  const udisks2ConnectedPlugDBus = `
   215  <policy context="default">
   216      <deny own="org.freedesktop.UDisks2"/>
   217      <deny send_destination="org.freedesktop.UDisks2"/>
   218  </policy>
   219  `
   220  
   221  const udisks2PermanentSlotUDev = `
   222  # These udev rules come from the upstream udisks2 package
   223  #
   224  # This file contains udev rules for udisks 2.x
   225  #
   226  # Do not edit this file, it will be overwritten on updates
   227  #
   228  
   229  # ------------------------------------------------------------------------
   230  # Probing
   231  # ------------------------------------------------------------------------
   232  
   233  # Skip probing if not a block device or if requested by other rules
   234  #
   235  SUBSYSTEM!="block", GOTO="udisks_probe_end"
   236  ENV{DM_MULTIPATH_DEVICE_PATH}=="?*", GOTO="udisks_probe_end"
   237  ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="?*", GOTO="udisks_probe_end"
   238  
   239  # MD-RAID (aka Linux Software RAID) members
   240  #
   241  # TODO: file bug against mdadm(8) to have --export-prefix option that can be used with e.g. UDISKS_MD_MEMBER
   242  #
   243  SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="raid", ENV{ID_FS_TYPE}=="linux_raid_member", ENV{UDISKS_MD_MEMBER_LEVEL}=="", IMPORT{program}="/bin/sh -c '/sbin/mdadm --examine --export $tempnode | sed s/^MD_/UDISKS_MD_MEMBER_/g'"
   244  
   245  SUBSYSTEM=="block", KERNEL=="md*", ENV{DEVTYPE}!="partition", IMPORT{program}="/bin/sh -c '/sbin/mdadm --detail --export $tempnode | sed s/^MD_/UDISKS_MD_/g'"
   246  
   247  LABEL="udisks_probe_end"
   248  
   249  # ------------------------------------------------------------------------
   250  # Tag floppy drives since they need special care
   251  
   252  # PC floppy drives
   253  #
   254  KERNEL=="fd*", ENV{ID_DRIVE_FLOPPY}="1"
   255  
   256  # USB floppy drives
   257  #
   258  SUBSYSTEMS=="usb", ATTRS{bInterfaceClass}=="08", ATTRS{bInterfaceSubClass}=="04", ENV{ID_DRIVE_FLOPPY}="1"
   259  
   260  # ATA Zip drives
   261  #
   262  ENV{ID_VENDOR}=="*IOMEGA*", ENV{ID_MODEL}=="*ZIP*", ENV{ID_DRIVE_FLOPPY_ZIP}="1"
   263  
   264  # TODO: figure out if the drive supports SD and SDHC and what the current
   265  # kind of media is - right now we just assume SD
   266  KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ENV{DEVTYPE}=="disk", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1"
   267  # ditto for memstick
   268  KERNEL=="mspblk[0-9]", SUBSYSTEMS=="memstick", ENV{DEVTYPE}=="disk", ENV{ID_DRIVE_FLASH_MS}="1", ENV{ID_DRIVE_MEDIA_FLASH_MS}="1"
   269  
   270  # TODO: maybe automatically convert udisks1 properties to udisks2 ones?
   271  # (e.g. UDISKS_PRESENTATION_HIDE -> UDISKS_IGNORE)
   272  
   273  # ------------------------------------------------------------------------
   274  # ------------------------------------------------------------------------
   275  # ------------------------------------------------------------------------
   276  # Whitelist for tagging drives with the property media type.
   277  # TODO: figure out where to store this database
   278  
   279  SUBSYSTEMS=="usb", ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0248", ENV{ID_INSTANCE}=="0:0", ENV{ID_DRIVE_FLASH_CF}="1"
   280  SUBSYSTEMS=="usb", ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0248", ENV{ID_INSTANCE}=="0:1", ENV{ID_DRIVE_FLASH_MS}="1"
   281  SUBSYSTEMS=="usb", ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0248", ENV{ID_INSTANCE}=="0:2", ENV{ID_DRIVE_FLASH_SM}="1"
   282  SUBSYSTEMS=="usb", ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0248", ENV{ID_INSTANCE}=="0:3", ENV{ID_DRIVE_FLASH_SD}="1"
   283  
   284  SUBSYSTEMS=="usb", ATTRS{idVendor}=="05e3", ATTRS{idProduct}=="070e", ENV{ID_INSTANCE}=="0:0", ENV{ID_DRIVE_FLASH_CF}="1"
   285  SUBSYSTEMS=="usb", ATTRS{idVendor}=="05e3", ATTRS{idProduct}=="070e", ENV{ID_INSTANCE}=="0:1", ENV{ID_DRIVE_FLASH_SM}="1"
   286  SUBSYSTEMS=="usb", ATTRS{idVendor}=="05e3", ATTRS{idProduct}=="070e", ENV{ID_INSTANCE}=="0:2", ENV{ID_DRIVE_FLASH_SD}="1"
   287  SUBSYSTEMS=="usb", ATTRS{idVendor}=="05e3", ATTRS{idProduct}=="070e", ENV{ID_INSTANCE}=="0:3", ENV{ID_DRIVE_FLASH_MS}="1"
   288  
   289  # APPLE SD Card Reader (MacbookPro5,4)
   290  #
   291  SUBSYSTEMS=="usb", ATTRS{idVendor}=="05ac", ATTRS{idProduct}=="8403", ENV{ID_DRIVE_FLASH_SD}="1"
   292  
   293  # Realtek card readers
   294  DRIVERS=="rts_pstor", ENV{ID_DRIVE_FLASH_SD}="1"
   295  DRIVERS=="rts5229", ENV{ID_DRIVE_FLASH_SD}="1"
   296  
   297  # Lexar Dual Slot USB 3.0 Reader Professional
   298  SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="05dc",ENV{ID_MODEL_ID}=="b049", ENV{ID_INSTANCE}=="0:0", ENV{ID_DRIVE_FLASH_CF}="1"
   299  SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="05dc",ENV{ID_MODEL_ID}=="b049", ENV{ID_INSTANCE}=="0:1", ENV{ID_DRIVE_FLASH_SD}="1"
   300  
   301  # Transcend USB 3.0 Multi-Card Reader (TS-RDF8K)
   302  SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="8564",ENV{ID_MODEL_ID}=="4000", ENV{ID_INSTANCE}=="0:0", ENV{ID_DRIVE_FLASH_CF}="1"
   303  SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="8564",ENV{ID_MODEL_ID}=="4000", ENV{ID_INSTANCE}=="0:1", ENV{ID_DRIVE_FLASH_SD}="1"
   304  SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="8564",ENV{ID_MODEL_ID}=="4000", ENV{ID_INSTANCE}=="0:2", ENV{ID_DRIVE_FLASH_MS}="1"
   305  
   306  # Common theme
   307  #
   308  SUBSYSTEMS=="usb", ENV{ID_MODEL}=="*Reader*SD*", ENV{ID_DRIVE_FLASH_SD}="1"
   309  SUBSYSTEMS=="usb", ENV{ID_MODEL}=="*CF_Reader*", ENV{ID_DRIVE_FLASH_CF}="1"
   310  SUBSYSTEMS=="usb", ENV{ID_MODEL}=="*SM_Reader*", ENV{ID_DRIVE_FLASH_SM}="1"
   311  SUBSYSTEMS=="usb", ENV{ID_MODEL}=="*MS_Reader*", ENV{ID_DRIVE_FLASH_MS}="1"
   312  
   313  # USB stick / thumb drives
   314  #
   315  SUBSYSTEMS=="usb", ENV{ID_VENDOR}=="*Kingston*", ENV{ID_MODEL}=="*DataTraveler*", ENV{ID_DRIVE_THUMB}="1"
   316  SUBSYSTEMS=="usb", ENV{ID_VENDOR}=="*SanDisk*", ENV{ID_MODEL}=="*Cruzer*", ENV{ID_CDROM}!="1", ENV{ID_DRIVE_THUMB}="1"
   317  SUBSYSTEMS=="usb", ENV{ID_VENDOR}=="HP", ENV{ID_MODEL}=="*v125w*", ENV{ID_DRIVE_THUMB}="1"
   318  SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="13fe", ENV{ID_MODEL}=="*Patriot*", ENV{ID_DRIVE_THUMB}="1"
   319  SUBSYSTEMS=="usb", ENV{ID_VENDOR}=="*JetFlash*", ENV{ID_MODEL}=="*Transcend*", ENV{ID_DRIVE_THUMB}="1"
   320  
   321  # SD-Card reader in Chromebook Pixel
   322  SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="05e3", ENV{ID_MODEL_ID}=="0727", ENV{ID_DRIVE_FLASH_SD}="1"
   323  
   324  # ------------------------------------------------------------------------
   325  # ------------------------------------------------------------------------
   326  # ------------------------------------------------------------------------
   327  # Devices which should not be display in the user interface
   328  #
   329  # (note that RAID/LVM members are not normally shown in an user
   330  # interface so setting UDISKS_IGNORE at first does not seem to achieve
   331  # anything. However it helps for RAID/LVM members that are encrypted
   332  # using LUKS. See bug #51439.)
   333  
   334  # Apple Bootstrap partitions
   335  ENV{ID_PART_ENTRY_SCHEME}=="mac", ENV{ID_PART_ENTRY_TYPE}=="Apple_Bootstrap", ENV{UDISKS_IGNORE}="1"
   336  
   337  # Apple Boot partitions
   338  ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_TYPE}=="426f6f74-0000-11aa-aa11-00306543ecac", ENV{UDISKS_IGNORE}="1"
   339  
   340  # special DOS partition types (EFI, hidden, etc.) and RAID/LVM
   341  # see http://www.win.tue.nl/~aeb/partitions/partition_types-1.html
   342  ENV{ID_PART_ENTRY_SCHEME}=="dos", \
   343    ENV{ID_PART_ENTRY_TYPE}=="0x0|0x11|0x12|0x14|0x16|0x17|0x1b|0x1c|0x1e|0x27|0x3d|0x84|0x8d|0x8e|0x90|0x91|0x92|0x93|0x97|0x98|0x9a|0x9b|0xbb|0xc2|0xc3|0xdd|0xef|0xfd", \
   344    ENV{UDISKS_IGNORE}="1"
   345  
   346  # special GUID-identified partition types (EFI System Partition, BIOS Boot partition, RAID/LVM)
   347  # see http://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs
   348  ENV{ID_PART_ENTRY_SCHEME}=="gpt", \
   349    ENV{ID_PART_ENTRY_TYPE}=="c12a7328-f81f-11d2-ba4b-00a0c93ec93b|21686148-6449-6e6f-744e-656564454649|a19d880f-05fc-4d3b-a006-743f0f84911e|e6d6d379-f507-44c2-a23c-238f2a3df928|e3c9e316-0b5c-4db8-817d-f92df00215ae|de94bba4-06d1-4d40-a16a-bfd50179d6ac", \
   350    ENV{UDISKS_IGNORE}="1"
   351  
   352  # MAC recovery/tool partitions which are useless on Linux
   353  ENV{ID_PART_ENTRY_SCHEME}=="mac", \
   354    ENV{ID_CDROM}=="?*", ENV{ID_FS_TYPE}=="udf", ENV{ID_FS_LABEL}=="WD*SmartWare", \
   355    ENV{UDISKS_IGNORE}="1"
   356  
   357  # recovery partitions
   358  ENV{ID_FS_TYPE}=="ntfs|vfat", \
   359    ENV{ID_FS_LABEL}=="Recovery|RECOVERY|Lenovo_Recovery|HP_RECOVERY|Recovery_Partition|DellUtility|DellRestore|IBM_SERVICE|SERVICEV001|SERVICEV002|SYSTEM_RESERVED|System_Reserved|WINRE_DRV|DIAGS|IntelRST", \
   360    ENV{UDISKS_IGNORE}="1"
   361  
   362  # read-only non-Linux software installer partitions
   363  ENV{ID_VENDOR}=="Sony", ENV{ID_MODEL}=="PRS*Launcher", ENV{UDISKS_IGNORE}="1"
   364  
   365  # non-Linux software
   366  KERNEL=="sr*", ENV{ID_VENDOR}=="SanDisk", ENV{ID_MODEL}=="Cruzer", ENV{ID_FS_LABEL}=="U3_System", ENV{UDISKS_IGNORE}="1"
   367  
   368  # Content created using isohybrid (typically used on CDs and USB
   369  # sticks for bootable media) is a bit special insofar that the
   370  # interesting content is on a DOS partition with type 0x00 ... which
   371  # is hidden above. So undo this.
   372  #
   373  # See http://mjg59.dreamwidth.org/11285.html for more details
   374  #
   375  ENV{ID_PART_TABLE_TYPE}=="dos", ENV{ID_PART_ENTRY_TYPE}=="0x0", ENV{ID_PART_ENTRY_NUMBER}=="1", ENV{ID_FS_TYPE}=="iso9660|udf", ENV{UDISKS_IGNORE}="0"
   376  `
   377  
   378  type udisks2Interface struct{}
   379  
   380  func (iface *udisks2Interface) Name() string {
   381  	return "udisks2"
   382  }
   383  
   384  func (iface *udisks2Interface) StaticInfo() interfaces.StaticInfo {
   385  	return interfaces.StaticInfo{
   386  		Summary:              udisks2Summary,
   387  		ImplicitOnClassic:    true,
   388  		BaseDeclarationSlots: udisks2BaseDeclarationSlots,
   389  	}
   390  }
   391  
   392  func (iface *udisks2Interface) DBusConnectedPlug(spec *dbus.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
   393  	if !release.OnClassic {
   394  		spec.AddSnippet(udisks2ConnectedPlugDBus)
   395  	}
   396  	return nil
   397  }
   398  
   399  func (iface *udisks2Interface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
   400  	if !release.OnClassic {
   401  		spec.AddSnippet(udisks2PermanentSlotDBus)
   402  	}
   403  	return nil
   404  }
   405  
   406  func (iface *udisks2Interface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
   407  	old := "###SLOT_SECURITY_TAGS###"
   408  	var new string
   409  	if release.OnClassic {
   410  		new = "unconfined"
   411  	} else {
   412  		new = slotAppLabelExpr(slot)
   413  	}
   414  	snippet := strings.Replace(udisks2ConnectedPlugAppArmor, old, new, -1)
   415  	spec.AddSnippet(snippet)
   416  	return nil
   417  }
   418  
   419  func (iface *udisks2Interface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
   420  	if !release.OnClassic {
   421  		spec.AddSnippet(udisks2PermanentSlotAppArmor)
   422  	}
   423  	return nil
   424  }
   425  
   426  func (iface *udisks2Interface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
   427  	if !release.OnClassic {
   428  		spec.AddSnippet(udisks2PermanentSlotUDev)
   429  		spec.TagDevice(`SUBSYSTEM=="block"`)
   430  		// # This tags all USB devices, so we'll use AppArmor to mediate specific access (eg, /dev/sd* and /dev/mmcblk*)
   431  		spec.TagDevice(`SUBSYSTEM=="usb"`)
   432  	}
   433  	return nil
   434  }
   435  
   436  func (iface *udisks2Interface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
   437  	if !release.OnClassic {
   438  		old := "###PLUG_SECURITY_TAGS###"
   439  		new := plugAppLabelExpr(plug)
   440  		snippet := strings.Replace(udisks2ConnectedSlotAppArmor, old, new, -1)
   441  		spec.AddSnippet(snippet)
   442  	}
   443  	return nil
   444  }
   445  
   446  func (iface *udisks2Interface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
   447  	if !release.OnClassic {
   448  		spec.AddSnippet(udisks2PermanentSlotSecComp)
   449  	}
   450  	return nil
   451  }
   452  
   453  func (iface *udisks2Interface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
   454  	// allow what declarations allowed
   455  	return true
   456  }
   457  
   458  func init() {
   459  	registerIface(&udisks2Interface{})
   460  }