github.com/hugh712/snapd@v0.0.0-20200910133618-1a99902bd583/interfaces/builtin/udisks2.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2018 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin 21 22 import ( 23 "strings" 24 25 "github.com/snapcore/snapd/interfaces" 26 "github.com/snapcore/snapd/interfaces/apparmor" 27 "github.com/snapcore/snapd/interfaces/dbus" 28 "github.com/snapcore/snapd/interfaces/seccomp" 29 "github.com/snapcore/snapd/interfaces/udev" 30 "github.com/snapcore/snapd/release" 31 "github.com/snapcore/snapd/snap" 32 ) 33 34 const udisks2Summary = `allows operating as or interacting with the UDisks2 service` 35 36 const udisks2BaseDeclarationSlots = ` 37 udisks2: 38 allow-installation: 39 slot-snap-type: 40 - app 41 - core 42 deny-connection: 43 on-classic: false 44 deny-auto-connection: true 45 ` 46 47 const udisks2PermanentSlotAppArmor = ` 48 # Description: Allow operating as the udisks2. This gives privileged access to 49 # the system. 50 51 # DBus accesses 52 #include <abstractions/dbus-strict> 53 dbus (send) 54 bus=system 55 path=/org/freedesktop/DBus 56 interface=org.freedesktop.DBus 57 member="{Request,Release}Name" 58 peer=(name=org.freedesktop.DBus, label=unconfined), 59 60 dbus (send) 61 bus=system 62 path=/org/freedesktop/DBus 63 interface=org.freedesktop.DBus 64 member="GetConnectionUnix{ProcessID,User}" 65 peer=(label=unconfined), 66 67 # Allow binding the service to the requested connection name 68 dbus (bind) 69 bus=system 70 name="org.freedesktop.UDisks2", 71 72 # Allow unconfined to talk to us. The API for unconfined will be limited 73 # with DBus policy, below. 74 dbus (receive, send) 75 bus=system 76 path=/org/freedesktop/UDisks2{,/**} 77 interface=org.freedesktop.DBus* 78 peer=(label=unconfined), 79 80 # Needed for mount/unmount operations 81 capability sys_admin, 82 83 # Allow scanning of devices 84 network netlink raw, 85 /run/udev/data/b[0-9]*:[0-9]* r, 86 /sys/devices/**/block/** r, 87 88 # Mount points could be in /run/media/<user>/* or /media/<user>/* 89 /run/systemd/seats/* r, 90 /{,run/}media/{,**} rw, 91 mount options=(ro,nosuid,nodev) /dev/{sd*,mmcblk*} -> /{,run/}media/**, 92 mount options=(rw,nosuid,nodev) /dev/{sd*,mmcblk*} -> /{,run/}media/**, 93 umount /{,run/}media/**, 94 95 # This should probably be patched to use $SNAP_DATA/run/... 96 /run/udisks2/{,**} rw, 97 98 # udisksd execs mount/umount to do the actual operations 99 /bin/mount ixr, 100 /bin/umount ixr, 101 102 # mount/umount (via libmount) track some mount info in these files 103 /run/mount/utab* wrl, 104 105 # Udisks2 needs to read the raw device for partition information. These rules 106 # give raw read access to the system disks and therefore the entire system. 107 /dev/sd* r, 108 /dev/mmcblk* r, 109 /dev/vd* r, 110 111 # Needed for probing raw devices 112 capability sys_rawio, 113 ` 114 115 const udisks2ConnectedSlotAppArmor = ` 116 # Allow connected clients to interact with the service. This gives privileged 117 # access to the system. 118 119 dbus (receive, send) 120 bus=system 121 path=/org/freedesktop/UDisks2/** 122 interface=org.freedesktop.DBus.Properties 123 peer=(label=###PLUG_SECURITY_TAGS###), 124 125 dbus (receive, send) 126 bus=system 127 path=/org/freedesktop/UDisks2 128 interface=org.freedesktop.DBus.ObjectManager 129 peer=(label=###PLUG_SECURITY_TAGS###), 130 131 # Allow access to the Udisks2 API 132 dbus (receive, send) 133 bus=system 134 path=/org/freedesktop/UDisks2/** 135 interface=org.freedesktop.UDisks2.* 136 peer=(label=###PLUG_SECURITY_TAGS###), 137 138 # Allow clients to introspect the service 139 dbus (receive) 140 bus=system 141 path=/org/freedesktop/UDisks2 142 interface=org.freedesktop.DBus.Introspectable 143 member=Introspect 144 peer=(label=###PLUG_SECURITY_TAGS###), 145 ` 146 147 const udisks2ConnectedPlugAppArmor = ` 148 # Description: Allow using udisks service. This gives privileged access to the 149 # service. 150 151 #include <abstractions/dbus-strict> 152 153 dbus (receive, send) 154 bus=system 155 path=/org/freedesktop/UDisks2/** 156 interface=org.freedesktop.DBus.Properties 157 peer=(label=###SLOT_SECURITY_TAGS###), 158 # do not use peer=(label=unconfined) here since this is DBus activated 159 dbus (send) 160 bus=system 161 path=/org/freedesktop/UDisks2/** 162 interface=org.freedesktop.DBus.Properties 163 member="Get{,All}", 164 165 dbus (receive, send) 166 bus=system 167 path=/org/freedesktop/UDisks2 168 interface=org.freedesktop.DBus.ObjectManager 169 peer=(label=###SLOT_SECURITY_TAGS###), 170 171 # Allow access to the Udisks2 API 172 dbus (receive, send) 173 bus=system 174 path=/org/freedesktop/UDisks2/** 175 interface=org.freedesktop.UDisks2.* 176 peer=(label=###SLOT_SECURITY_TAGS###), 177 178 # Allow clients to introspect the service 179 # do not use peer=(label=unconfined) here since this is DBus activated 180 dbus (send) 181 bus=system 182 path=/org/freedesktop/UDisks2{,/**} 183 interface=org.freedesktop.DBus.Introspectable 184 member=Introspect, 185 ` 186 187 const udisks2PermanentSlotSecComp = ` 188 bind 189 chown32 190 fchown 191 fchown32 192 fchownat 193 lchown 194 lchown32 195 mount 196 shmctl 197 umount 198 umount2 199 # libudev 200 socket AF_NETLINK - NETLINK_KOBJECT_UEVENT 201 ` 202 203 const udisks2PermanentSlotDBus = ` 204 <policy user="root"> 205 <allow own="org.freedesktop.UDisks2"/> 206 <allow send_destination="org.freedesktop.UDisks2"/> 207 </policy> 208 209 <policy context="default"> 210 <allow send_destination="org.freedesktop.UDisks2" send_interface="org.freedesktop.DBus.Introspectable" /> 211 </policy> 212 ` 213 214 const udisks2ConnectedPlugDBus = ` 215 <policy context="default"> 216 <deny own="org.freedesktop.UDisks2"/> 217 <deny send_destination="org.freedesktop.UDisks2"/> 218 </policy> 219 ` 220 221 const udisks2PermanentSlotUDev = ` 222 # These udev rules come from the upstream udisks2 package 223 # 224 # This file contains udev rules for udisks 2.x 225 # 226 # Do not edit this file, it will be overwritten on updates 227 # 228 229 # ------------------------------------------------------------------------ 230 # Probing 231 # ------------------------------------------------------------------------ 232 233 # Skip probing if not a block device or if requested by other rules 234 # 235 SUBSYSTEM!="block", GOTO="udisks_probe_end" 236 ENV{DM_MULTIPATH_DEVICE_PATH}=="?*", GOTO="udisks_probe_end" 237 ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="?*", GOTO="udisks_probe_end" 238 239 # MD-RAID (aka Linux Software RAID) members 240 # 241 # TODO: file bug against mdadm(8) to have --export-prefix option that can be used with e.g. UDISKS_MD_MEMBER 242 # 243 SUBSYSTEM=="block", ENV{ID_FS_USAGE}=="raid", ENV{ID_FS_TYPE}=="linux_raid_member", ENV{UDISKS_MD_MEMBER_LEVEL}=="", IMPORT{program}="/bin/sh -c '/sbin/mdadm --examine --export $tempnode | sed s/^MD_/UDISKS_MD_MEMBER_/g'" 244 245 SUBSYSTEM=="block", KERNEL=="md*", ENV{DEVTYPE}!="partition", IMPORT{program}="/bin/sh -c '/sbin/mdadm --detail --export $tempnode | sed s/^MD_/UDISKS_MD_/g'" 246 247 LABEL="udisks_probe_end" 248 249 # ------------------------------------------------------------------------ 250 # Tag floppy drives since they need special care 251 252 # PC floppy drives 253 # 254 KERNEL=="fd*", ENV{ID_DRIVE_FLOPPY}="1" 255 256 # USB floppy drives 257 # 258 SUBSYSTEMS=="usb", ATTRS{bInterfaceClass}=="08", ATTRS{bInterfaceSubClass}=="04", ENV{ID_DRIVE_FLOPPY}="1" 259 260 # ATA Zip drives 261 # 262 ENV{ID_VENDOR}=="*IOMEGA*", ENV{ID_MODEL}=="*ZIP*", ENV{ID_DRIVE_FLOPPY_ZIP}="1" 263 264 # TODO: figure out if the drive supports SD and SDHC and what the current 265 # kind of media is - right now we just assume SD 266 KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ENV{DEVTYPE}=="disk", ENV{ID_DRIVE_FLASH_SD}="1", ENV{ID_DRIVE_MEDIA_FLASH_SD}="1" 267 # ditto for memstick 268 KERNEL=="mspblk[0-9]", SUBSYSTEMS=="memstick", ENV{DEVTYPE}=="disk", ENV{ID_DRIVE_FLASH_MS}="1", ENV{ID_DRIVE_MEDIA_FLASH_MS}="1" 269 270 # TODO: maybe automatically convert udisks1 properties to udisks2 ones? 271 # (e.g. UDISKS_PRESENTATION_HIDE -> UDISKS_IGNORE) 272 273 # ------------------------------------------------------------------------ 274 # ------------------------------------------------------------------------ 275 # ------------------------------------------------------------------------ 276 # Whitelist for tagging drives with the property media type. 277 # TODO: figure out where to store this database 278 279 SUBSYSTEMS=="usb", ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0248", ENV{ID_INSTANCE}=="0:0", ENV{ID_DRIVE_FLASH_CF}="1" 280 SUBSYSTEMS=="usb", ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0248", ENV{ID_INSTANCE}=="0:1", ENV{ID_DRIVE_FLASH_MS}="1" 281 SUBSYSTEMS=="usb", ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0248", ENV{ID_INSTANCE}=="0:2", ENV{ID_DRIVE_FLASH_SM}="1" 282 SUBSYSTEMS=="usb", ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0248", ENV{ID_INSTANCE}=="0:3", ENV{ID_DRIVE_FLASH_SD}="1" 283 284 SUBSYSTEMS=="usb", ATTRS{idVendor}=="05e3", ATTRS{idProduct}=="070e", ENV{ID_INSTANCE}=="0:0", ENV{ID_DRIVE_FLASH_CF}="1" 285 SUBSYSTEMS=="usb", ATTRS{idVendor}=="05e3", ATTRS{idProduct}=="070e", ENV{ID_INSTANCE}=="0:1", ENV{ID_DRIVE_FLASH_SM}="1" 286 SUBSYSTEMS=="usb", ATTRS{idVendor}=="05e3", ATTRS{idProduct}=="070e", ENV{ID_INSTANCE}=="0:2", ENV{ID_DRIVE_FLASH_SD}="1" 287 SUBSYSTEMS=="usb", ATTRS{idVendor}=="05e3", ATTRS{idProduct}=="070e", ENV{ID_INSTANCE}=="0:3", ENV{ID_DRIVE_FLASH_MS}="1" 288 289 # APPLE SD Card Reader (MacbookPro5,4) 290 # 291 SUBSYSTEMS=="usb", ATTRS{idVendor}=="05ac", ATTRS{idProduct}=="8403", ENV{ID_DRIVE_FLASH_SD}="1" 292 293 # Realtek card readers 294 DRIVERS=="rts_pstor", ENV{ID_DRIVE_FLASH_SD}="1" 295 DRIVERS=="rts5229", ENV{ID_DRIVE_FLASH_SD}="1" 296 297 # Lexar Dual Slot USB 3.0 Reader Professional 298 SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="05dc",ENV{ID_MODEL_ID}=="b049", ENV{ID_INSTANCE}=="0:0", ENV{ID_DRIVE_FLASH_CF}="1" 299 SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="05dc",ENV{ID_MODEL_ID}=="b049", ENV{ID_INSTANCE}=="0:1", ENV{ID_DRIVE_FLASH_SD}="1" 300 301 # Transcend USB 3.0 Multi-Card Reader (TS-RDF8K) 302 SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="8564",ENV{ID_MODEL_ID}=="4000", ENV{ID_INSTANCE}=="0:0", ENV{ID_DRIVE_FLASH_CF}="1" 303 SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="8564",ENV{ID_MODEL_ID}=="4000", ENV{ID_INSTANCE}=="0:1", ENV{ID_DRIVE_FLASH_SD}="1" 304 SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="8564",ENV{ID_MODEL_ID}=="4000", ENV{ID_INSTANCE}=="0:2", ENV{ID_DRIVE_FLASH_MS}="1" 305 306 # Common theme 307 # 308 SUBSYSTEMS=="usb", ENV{ID_MODEL}=="*Reader*SD*", ENV{ID_DRIVE_FLASH_SD}="1" 309 SUBSYSTEMS=="usb", ENV{ID_MODEL}=="*CF_Reader*", ENV{ID_DRIVE_FLASH_CF}="1" 310 SUBSYSTEMS=="usb", ENV{ID_MODEL}=="*SM_Reader*", ENV{ID_DRIVE_FLASH_SM}="1" 311 SUBSYSTEMS=="usb", ENV{ID_MODEL}=="*MS_Reader*", ENV{ID_DRIVE_FLASH_MS}="1" 312 313 # USB stick / thumb drives 314 # 315 SUBSYSTEMS=="usb", ENV{ID_VENDOR}=="*Kingston*", ENV{ID_MODEL}=="*DataTraveler*", ENV{ID_DRIVE_THUMB}="1" 316 SUBSYSTEMS=="usb", ENV{ID_VENDOR}=="*SanDisk*", ENV{ID_MODEL}=="*Cruzer*", ENV{ID_CDROM}!="1", ENV{ID_DRIVE_THUMB}="1" 317 SUBSYSTEMS=="usb", ENV{ID_VENDOR}=="HP", ENV{ID_MODEL}=="*v125w*", ENV{ID_DRIVE_THUMB}="1" 318 SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="13fe", ENV{ID_MODEL}=="*Patriot*", ENV{ID_DRIVE_THUMB}="1" 319 SUBSYSTEMS=="usb", ENV{ID_VENDOR}=="*JetFlash*", ENV{ID_MODEL}=="*Transcend*", ENV{ID_DRIVE_THUMB}="1" 320 321 # SD-Card reader in Chromebook Pixel 322 SUBSYSTEMS=="usb", ENV{ID_VENDOR_ID}=="05e3", ENV{ID_MODEL_ID}=="0727", ENV{ID_DRIVE_FLASH_SD}="1" 323 324 # ------------------------------------------------------------------------ 325 # ------------------------------------------------------------------------ 326 # ------------------------------------------------------------------------ 327 # Devices which should not be display in the user interface 328 # 329 # (note that RAID/LVM members are not normally shown in an user 330 # interface so setting UDISKS_IGNORE at first does not seem to achieve 331 # anything. However it helps for RAID/LVM members that are encrypted 332 # using LUKS. See bug #51439.) 333 334 # Apple Bootstrap partitions 335 ENV{ID_PART_ENTRY_SCHEME}=="mac", ENV{ID_PART_ENTRY_TYPE}=="Apple_Bootstrap", ENV{UDISKS_IGNORE}="1" 336 337 # Apple Boot partitions 338 ENV{ID_PART_ENTRY_SCHEME}=="gpt", ENV{ID_PART_ENTRY_TYPE}=="426f6f74-0000-11aa-aa11-00306543ecac", ENV{UDISKS_IGNORE}="1" 339 340 # special DOS partition types (EFI, hidden, etc.) and RAID/LVM 341 # see http://www.win.tue.nl/~aeb/partitions/partition_types-1.html 342 ENV{ID_PART_ENTRY_SCHEME}=="dos", \ 343 ENV{ID_PART_ENTRY_TYPE}=="0x0|0x11|0x12|0x14|0x16|0x17|0x1b|0x1c|0x1e|0x27|0x3d|0x84|0x8d|0x8e|0x90|0x91|0x92|0x93|0x97|0x98|0x9a|0x9b|0xbb|0xc2|0xc3|0xdd|0xef|0xfd", \ 344 ENV{UDISKS_IGNORE}="1" 345 346 # special GUID-identified partition types (EFI System Partition, BIOS Boot partition, RAID/LVM) 347 # see http://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs 348 ENV{ID_PART_ENTRY_SCHEME}=="gpt", \ 349 ENV{ID_PART_ENTRY_TYPE}=="c12a7328-f81f-11d2-ba4b-00a0c93ec93b|21686148-6449-6e6f-744e-656564454649|a19d880f-05fc-4d3b-a006-743f0f84911e|e6d6d379-f507-44c2-a23c-238f2a3df928|e3c9e316-0b5c-4db8-817d-f92df00215ae|de94bba4-06d1-4d40-a16a-bfd50179d6ac", \ 350 ENV{UDISKS_IGNORE}="1" 351 352 # MAC recovery/tool partitions which are useless on Linux 353 ENV{ID_PART_ENTRY_SCHEME}=="mac", \ 354 ENV{ID_CDROM}=="?*", ENV{ID_FS_TYPE}=="udf", ENV{ID_FS_LABEL}=="WD*SmartWare", \ 355 ENV{UDISKS_IGNORE}="1" 356 357 # recovery partitions 358 ENV{ID_FS_TYPE}=="ntfs|vfat", \ 359 ENV{ID_FS_LABEL}=="Recovery|RECOVERY|Lenovo_Recovery|HP_RECOVERY|Recovery_Partition|DellUtility|DellRestore|IBM_SERVICE|SERVICEV001|SERVICEV002|SYSTEM_RESERVED|System_Reserved|WINRE_DRV|DIAGS|IntelRST", \ 360 ENV{UDISKS_IGNORE}="1" 361 362 # read-only non-Linux software installer partitions 363 ENV{ID_VENDOR}=="Sony", ENV{ID_MODEL}=="PRS*Launcher", ENV{UDISKS_IGNORE}="1" 364 365 # non-Linux software 366 KERNEL=="sr*", ENV{ID_VENDOR}=="SanDisk", ENV{ID_MODEL}=="Cruzer", ENV{ID_FS_LABEL}=="U3_System", ENV{UDISKS_IGNORE}="1" 367 368 # Content created using isohybrid (typically used on CDs and USB 369 # sticks for bootable media) is a bit special insofar that the 370 # interesting content is on a DOS partition with type 0x00 ... which 371 # is hidden above. So undo this. 372 # 373 # See http://mjg59.dreamwidth.org/11285.html for more details 374 # 375 ENV{ID_PART_TABLE_TYPE}=="dos", ENV{ID_PART_ENTRY_TYPE}=="0x0", ENV{ID_PART_ENTRY_NUMBER}=="1", ENV{ID_FS_TYPE}=="iso9660|udf", ENV{UDISKS_IGNORE}="0" 376 ` 377 378 type udisks2Interface struct{} 379 380 func (iface *udisks2Interface) Name() string { 381 return "udisks2" 382 } 383 384 func (iface *udisks2Interface) StaticInfo() interfaces.StaticInfo { 385 return interfaces.StaticInfo{ 386 Summary: udisks2Summary, 387 ImplicitOnClassic: true, 388 BaseDeclarationSlots: udisks2BaseDeclarationSlots, 389 } 390 } 391 392 func (iface *udisks2Interface) DBusConnectedPlug(spec *dbus.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 393 if !release.OnClassic { 394 spec.AddSnippet(udisks2ConnectedPlugDBus) 395 } 396 return nil 397 } 398 399 func (iface *udisks2Interface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error { 400 if !release.OnClassic { 401 spec.AddSnippet(udisks2PermanentSlotDBus) 402 } 403 return nil 404 } 405 406 func (iface *udisks2Interface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 407 old := "###SLOT_SECURITY_TAGS###" 408 var new string 409 if release.OnClassic { 410 new = "unconfined" 411 } else { 412 new = slotAppLabelExpr(slot) 413 } 414 snippet := strings.Replace(udisks2ConnectedPlugAppArmor, old, new, -1) 415 spec.AddSnippet(snippet) 416 return nil 417 } 418 419 func (iface *udisks2Interface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error { 420 if !release.OnClassic { 421 spec.AddSnippet(udisks2PermanentSlotAppArmor) 422 } 423 return nil 424 } 425 426 func (iface *udisks2Interface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error { 427 if !release.OnClassic { 428 spec.AddSnippet(udisks2PermanentSlotUDev) 429 spec.TagDevice(`SUBSYSTEM=="block"`) 430 // # This tags all USB devices, so we'll use AppArmor to mediate specific access (eg, /dev/sd* and /dev/mmcblk*) 431 spec.TagDevice(`SUBSYSTEM=="usb"`) 432 } 433 return nil 434 } 435 436 func (iface *udisks2Interface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 437 if !release.OnClassic { 438 old := "###PLUG_SECURITY_TAGS###" 439 new := plugAppLabelExpr(plug) 440 snippet := strings.Replace(udisks2ConnectedSlotAppArmor, old, new, -1) 441 spec.AddSnippet(snippet) 442 } 443 return nil 444 } 445 446 func (iface *udisks2Interface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error { 447 if !release.OnClassic { 448 spec.AddSnippet(udisks2PermanentSlotSecComp) 449 } 450 return nil 451 } 452 453 func (iface *udisks2Interface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool { 454 // allow what declarations allowed 455 return true 456 } 457 458 func init() { 459 registerIface(&udisks2Interface{}) 460 }