
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2020 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// Policy fragments for the kernel-crypto-api interface. The kernel-side
// interface these rules expose is documented at:
// https://www.kernel.org/doc/html/latest/crypto/userspace-if.html
// https://www.kernel.org/doc/html/latest/crypto/intro.html
const (
	// kernelCryptoAPISummary is the one-line description of the interface.
	kernelCryptoAPISummary = `allows access to the Linux kernel crypto API`

	// kernelCryptoAPIBaseDeclarationSlots limits the slot to the core snap
	// and turns auto-connection off. The kernel crypto API itself needs no
	// special privileges, so this connection policy is the only gate: it is
	// additional kernel attack surface with a CVE history, and a plug is
	// therefore only honoured after an explicit connect (for now).
	kernelCryptoAPIBaseDeclarationSlots = `
  kernel-crypto-api:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

	// kernelCryptoAPIConnectedPlugAppArmor is the AppArmor fragment applied
	// to the plugging snap once connected. It grants:
	//   - read-only access to /proc/crypto;
	//   - AF_ALG SOCK_SEQPACKET sockets (AppArmor's "alg" family);
	//   - AF_NETLINK dgram and raw sockets. These two rules name only the
	//     address family and socket type -- the NETLINK_CRYPTO protocol is
	//     not part of the AppArmor rule and is enforced by the seccomp
	//     fragment below.
	kernelCryptoAPIConnectedPlugAppArmor = `
# Description: Can access the Linux kernel crypto API
@{PROC}/crypto r,

# socket(AF_ALG, SOCK_SEQPACKET, ...)
network alg seqpacket,

# socket(AF_NETLINK, SOCK_{DGRAM,RAW}, NETLINK_CRYPTO)
network netlink dgram,
network netlink raw,
`

	// kernelCryptoAPIConnectedPlugSeccomp is the seccomp fragment applied to
	// the plugging snap once connected. The socket rule is what pins netlink
	// sockets to NETLINK_CRYPTO. bind and accept are the AF_ALG usage pattern
	// described in the user-space interface document linked above (bind
	// selects the algorithm, accept yields an operation socket); both are
	// granted without argument filtering, so they apply to any socket the
	// snap is otherwise allowed to create.
	//
	// NOTE(review): this fragment carries no socket(AF_ALG, ...) rule, so
	// AF_ALG socket creation on the seccomp side must be covered by the
	// default template (or left unfiltered by it) -- confirm against the
	// template.
	kernelCryptoAPIConnectedPlugSeccomp = `
# Description: Can access the Linux kernel crypto API
socket AF_NETLINK - NETLINK_CRYPTO
bind
accept
`
)
    55  
// init registers the kernel-crypto-api interface with the builtin interface
// registry when the package is loaded.
//
// The interface is flagged implicit on both Core and classic (presumably
// meaning the slot is supplied by the system snap rather than declared by an
// application snap -- verify against commonInterface). Because the base
// declaration denies auto-connection, the AppArmor and seccomp fragments are
// only applied to a plugging snap after an explicit connect.
func init() {
	iface := &commonInterface{
		name:    "kernel-crypto-api",
		summary: kernelCryptoAPISummary,

		implicitOnCore:    true,
		implicitOnClassic: true,

		// Security policy handed to the plug side once the connection exists.
		connectedPlugAppArmor: kernelCryptoAPIConnectedPlugAppArmor,
		connectedPlugSecComp:  kernelCryptoAPIConnectedPlugSeccomp,

		// Slot placement and (manual-only) connection policy.
		baseDeclarationSlots: kernelCryptoAPIBaseDeclarationSlots,
	}
	registerIface(iface)
}