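#!/bin/sh
# snap-device-helper (cmd/snap-confine): udev callout to allow a snap to
# access a device node.
#
# Usage: snap-device-helper ACTION APPNAME DEVPATH MAJMIN
#   ACTION   add | change | remove
#   APPNAME  snap_<snap>_<app> or snap_<snap>_<instance>_<app>
#   DEVPATH  device path; only inspected to tell block from char devices
#   MAJMIN   <major>:<minor> of the device node
# Environment:
#   DEVICES_CGROUP  root of the devices cgroup hierarchy
#                   (default /sys/fs/cgroup/devices)
#
# The helper writes "<type> <major>:<minor> rwm" to devices.allow (add,
# change) or devices.deny (remove) inside the cgroup derived from APPNAME.
# Both APPNAME and MAJMIN end up in privileged writes, so each is checked
# for shape before it is used.
set -e
# debugging (note: the log below is a fixed name in a world-writable
# directory; enable on a development machine only)
#exec >>/tmp/snap-device-helper.log
#exec 2>&1
#set -x
# end debugging

# Print a message on stderr and stop with status 1.
die() {
    echo "$1" >&2
    exit 1
}

ACTION="$1"
APPNAME="$2"
DEVPATH="$3"
MAJMIN="$4"

[ -n "$APPNAME" ] || die "no app name given"
[ -n "$DEVPATH" ] || die "no devpath given"
if [ -z "$MAJMIN" ]; then
    # Unlike the checks above, a missing device number ends the run with
    # status 0.
    echo "no major/minor given" >&2
    exit 0
fi

# APPNAME must carry the "snap_" prefix, must name something after it, and
# must not contain "/" because it becomes a single path component below.
# A bare "snap_" is rejected explicitly: the empty remainder would
# otherwise satisfy the hook test further down and yield a nonsense name.
case "$APPNAME" in
    snap_ | */*)
        die "malformed appname $APPNAME"
        ;;
    snap_*)
        NOSNAP="${APPNAME#snap_}"
        ;;
    *)
        die "malformed appname $APPNAME"
        ;;
esac

# FIXME: this will break for instances that are called "hook" :(
# Handle hooks first, the nosnap part looks like this:
# - "$snap_hook_$hookname"
# - "$snap_$instance_hook_$hookname"
# we need to make sure we change this to:
# - "$snap_hook.$hookname"
# - "$snap_$instance_hook.$hookname"
case "$NOSNAP" in
    *_hook_hook_*)
        # $instance is 'hook';
        # $snap_hook_hook_$hookname -> $snap_hook_hook.$hookname
        NOSNAP="${NOSNAP%_hook_*}_hook.${NOSNAP#*_hook_hook_}"
        ;;
    *_hook_*)
        # $snap_$instance_hook_$hookname -> $snap_$instance_hook.$hookname
        NOSNAP="${NOSNAP%_hook_*}_hook.${NOSNAP#*_hook_}"
        ;;
esac

# Now deal with app/instance untangling
if [ "${NOSNAP#*_*_}" = "${NOSNAP}" ]; then
    # fewer than two underscores left:
    # snap_<snap>_<app> -> snap.<snap>.<app>
    SNAPAPP="snap.${NOSNAP%_*}.${NOSNAP#*_}"
else
    # snap_<snap>_<instance>_<app> -> snap.<snap>_<instance>.<app>
    SNAPAPP="snap.${NOSNAP%_*}.${NOSNAP#*_*_}"
fi

DEVICES_CGROUP=${DEVICES_CGROUP:="/sys/fs/cgroup/devices"}
app_dev_cgroup="$DEVICES_CGROUP/$SNAPAPP"

# The cgroup is only present after snap start so ignore any cgroup changes
# (eg, 'add' on boot, hotplug, hotunplug) when the cgroup doesn't exist
# yet. LP: #1762182.
if [ ! -e "$app_dev_cgroup" ]; then
    exit 0
fi

# check if it's a block or char dev
# TODO: re-write this to be more robust, the parameter expansion done
# here is quite awkward :-/
if [ "${DEVPATH#*/block/}" != "$DEVPATH" ]; then
    type="b"
elif [ "${DEVPATH#*/nvme/nvme*/nvme*n*}" != "$DEVPATH" ]; then
    # char devices are .../nvme/nvme* but block devices are
    # .../nvme/nvme*/nvme*n* and .../nvme/nvme*/nvme*n*p*
    # so if we have a device that has nvme/nvme*/nvme*n* in it,
    # treat it as a block device
    type="b"
else
    type="c"
fi

# MAJMIN is copied verbatim into the cgroup control file, so accept only
# <digits>:<digits>. The devices controller also understands wildcard
# entries, which this helper never needs to write. The check sits after
# the cgroup-exists test so that events for snaps that are not running
# still end with status 0 as before.
case "$MAJMIN" in
    *[!0-9:]* | *:*:* | :* | *:)
        die "malformed major/minor $MAJMIN"
        ;;
    *:*)
        ;;
    *)
        die "malformed major/minor $MAJMIN"
        ;;
esac

acl="$type $MAJMIN rwm"
case "$ACTION" in
    add|change)
        echo "$acl" > "$app_dev_cgroup/devices.allow"
        ;;
    remove)
        echo "$acl" > "$app_dev_cgroup/devices.deny"
        ;;
    *)
        echo "ERROR: unknown action $ACTION" >&2
        exit 1
        ;;
esac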