// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2020 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// kernelCryptoAPISummary is the one-line description shown for the
// kernel-crypto-api interface. Background on the user-space facing parts
// of the kernel crypto subsystem:
//
//   https://www.kernel.org/doc/html/latest/crypto/userspace-if.html
//   https://www.kernel.org/doc/html/latest/crypto/intro.html
const kernelCryptoAPISummary = `allows access to the Linux kernel crypto API`

// kernelCryptoAPIBaseDeclarationSlots restricts who may provide the slot and
// how it is connected.
//
// The kernel crypto API is designed to be used by any process (ie, using it
// requires no special privileges). Since it provides a kernel surface and
// has a CVE history, manually connect for now: installation of the slot is
// limited to the core snap and auto-connection is denied, so a plug only
// becomes active after an explicit connection by the operator.
const kernelCryptoAPIBaseDeclarationSlots = `
  kernel-crypto-api:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

// kernelCryptoAPIConnectedPlugAppArmor is the AppArmor policy added to a
// connected plug. It grants:
//
//   - read access to @{PROC}/crypto (the kernel's algorithm listing);
//   - AF_ALG seqpacket sockets, the user-space crypto interface;
//   - AF_NETLINK dgram/raw sockets.
//
// AppArmor network rules carry no netlink protocol argument, so on their own
// the two netlink lines admit any netlink protocol; the seccomp policy below
// is what narrows socket() creation to NETLINK_CRYPTO. Keep the two in sync
// when changing either.
const kernelCryptoAPIConnectedPlugAppArmor = `
# Description: Can access the Linux kernel crypto API
@{PROC}/crypto r,

# socket(AF_ALG, SOCK_SEQPACKET, ...)
network alg seqpacket,

# socket(AF_NETLINK, SOCK_{DGRAM,RAW}, NETLINK_CRYPTO)
network netlink dgram,
network netlink raw,
`

// kernelCryptoAPIConnectedPlugSeccomp is the seccomp policy added to a
// connected plug. socket() is permitted for AF_NETLINK only with the
// NETLINK_CRYPTO protocol; bind and accept are listed without argument
// filters, which the AF_ALG usage pattern in the linked kernel documentation
// relies on (bind selects the algorithm, accept yields the operation socket).
// NOTE(review): bind/accept here are not restricted by family, so the
// AppArmor rules above are presumably what bounds the sockets they apply
// to — confirm against the default template if this policy is extended.
const kernelCryptoAPIConnectedPlugSeccomp = `
# Description: Can access the Linux kernel crypto API
socket AF_NETLINK - NETLINK_CRYPTO
bind
accept
`

// init registers the kernel-crypto-api interface with the builtin interface
// registry. The slot is provided implicitly by the system on both Core and
// classic (implicitOnCore/implicitOnClassic), while the base declaration
// above keeps it manually connected.
func init() {
	iface := &commonInterface{
		name:                  "kernel-crypto-api",
		summary:               kernelCryptoAPISummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		connectedPlugAppArmor: kernelCryptoAPIConnectedPlugAppArmor,
		connectedPlugSecComp:  kernelCryptoAPIConnectedPlugSeccomp,
		baseDeclarationSlots:  kernelCryptoAPIBaseDeclarationSlots,
	}
	registerIface(iface)
}