
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2019 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// Policy metadata for the block-devices interface.
//
// Only allow raw disk devices; not loop, ram, CDROM, generic SCSI, network,
// tape, raid, etc devices or disk partitions. For some devices, allow controller
// character devices since they are used to configure the corresponding block
// device.
const (
	// blockDevicesSummary is the one-line description of the interface.
	blockDevicesSummary = `allows access to disk block devices`

	// blockDevicesBaseDeclarationPlugs: a plug can neither be installed nor
	// auto-connected by default, so a snap carrying this plug needs an
	// explicit override granted outside this file.
	blockDevicesBaseDeclarationPlugs = `
  block-devices:
    allow-installation: false
    deny-auto-connection: true
`

	// blockDevicesBaseDeclarationSlots: only a core-type snap may provide the
	// slot, and the connection is never made automatically.
	blockDevicesBaseDeclarationSlots = `
  block-devices:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`
)
    41  
// blockDevicesConnectedPlugAppArmor is the AppArmor policy added to a snap
// while the plug is connected.
//
// Device names follow https://www.kernel.org/doc/Documentation/admin-guide/devices.txt
// and are written so that only whole-disk nodes match, never partition nodes
// (e.g. /dev/sd[a-z] with no trailing digit). Besides the device paths the
// policy grants the sys_rawio and sys_admin capabilities; sys_admin is a very
// broad capability, so a snap connected to this interface should be treated
// as highly privileged regardless of how narrow the path list is.
//
// Any new path added here should be checked against the udev rules in
// blockDevicesConnectedPlugUDev, which tag the device nodes the snap may
// reach; the two lists are meant to be reviewed together.
//
// For now, only list common devices and skip the following:
// /dev/mfm{a,b} rw,                        # Acorn MFM
// /dev/ad[a-p] rw,                         # ACSI
// /dev/pd[a-d] rw,                         # Parallel port IDE
// /dev/pf[0-3] rw,                         # Parallel port ATAPI
// /dev/ub[a-z] rw,                         # USB block device
const blockDevicesConnectedPlugAppArmor = `
# Description: Allow write access to raw disk block devices.

@{PROC}/devices r,
/run/udev/data/b[0-9]*:[0-9]* r,
/sys/block/ r,
/sys/devices/**/block/** r,

# Access to raw devices, not individual partitions
/dev/hd[a-t] rw,                                          # IDE, MFM, RLL
/dev/sd{,[a-h]}[a-z] rw,                                  # SCSI
/dev/sdi[a-v] rw,                                         # SCSI continued
/dev/i2o/hd{,[a-c]}[a-z] rw,                              # I2O hard disk
/dev/i2o/hdd[a-x] rw,                                     # I2O hard disk continued
/dev/mmcblk[0-9]{,[0-9],[0-9][0-9]} rw,                   # MMC (up to 1000 devices)
/dev/vd[a-z] rw,                                          # virtio

# Allow /dev/nvmeXnY namespace block devices. Please note this grants access to all
# NVMe namespace block devices and that the numeric suffix on the character device
# does not necessarily correspond to a namespace block device with the same suffix
# From 'man nvme-format' : 
#   Note, the numeric suffix on the character device, for example the 0 in
#   /dev/nvme0, does NOT indicate this device handle is the parent controller
#   of any namespaces with the same suffix. The namespace handle's numeral may
#   be coming from the subsystem identifier, which is independent of the
#   controller's identifier. Do not assume any particular device relationship
#   based on their names. If you do, you may irrevocably erase data on an
#   unintended device.
/dev/nvme{[0-9],[1-9][0-9]}n{[1-9],[1-5][0-9],6[0-3]} rw, # NVMe (up to 100 devices, with 1-63 namespaces)

# Allow /dev/nvmeX controller character devices. These character devices allow
# manipulation of the block devices that we also allow above, so grouping this
# access here makes sense, whereas access to individual partitions is delegated
# to the raw-volume interface.
/dev/nvme{[0-9],[1-9][0-9]} rw,                           # NVMe (up to 100 devices)

# SCSI device commands, et al
capability sys_rawio,

# Perform various privileged block-device ioctl operations
capability sys_admin,

# Devices for various controllers used with ioctl()
/dev/mpt2ctl{,_wd} rw,
/dev/megaraid_sas_ioctl_node rw,
`
    95  
// blockDevicesConnectedPlugUDev holds the udev match rules applied while the
// plug is connected. The first rule tags the whole block subsystem, which
// presumably also covers partition and other block nodes that the AppArmor
// policy in blockDevicesConnectedPlugAppArmor deliberately leaves out; that
// path list, not this tagging, is what limits the snap to whole-disk devices,
// so the two should be reviewed together — confirm against the device-cgroup
// behaviour before relying on the udev side alone.
var blockDevicesConnectedPlugUDev = []string{
	// every block device
	`SUBSYSTEM=="block"`,
	// NVMe controllers and the SAS/RAID controller ioctl nodes are not block
	// devices themselves, but they are used to manipulate the block devices
	// granted above, so they are tagged alongside them.
	`SUBSYSTEM=="nvme"`,
	`KERNEL=="mpt2ctl*"`,
	`KERNEL=="megaraid_sas_ioctl_node"`,
}
   105  
// blockDevicesInterface is the block-devices interface. It adds no behaviour
// of its own: everything it grants is described by the embedded
// commonInterface fields set in init below.
type blockDevicesInterface struct {
	commonInterface
}
   109  
// init registers the block-devices interface at package load. The interface
// is implicit on both core and classic systems; its installation and
// connection policy, AppArmor profile and udev rules are the package-level
// constants and variable declared earlier in this file.
func init() {
	iface := &blockDevicesInterface{
		commonInterface: commonInterface{
			name:                  "block-devices",
			summary:               blockDevicesSummary,
			implicitOnCore:        true,
			implicitOnClassic:     true,
			baseDeclarationPlugs:  blockDevicesBaseDeclarationPlugs,
			baseDeclarationSlots:  blockDevicesBaseDeclarationSlots,
			connectedPlugAppArmor: blockDevicesConnectedPlugAppArmor,
			connectedPlugUDev:     blockDevicesConnectedPlugUDev,
		},
	}
	registerIface(iface)
}