// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// Policy text for the lxd-support interface.
//
// Security note: the connected-plug policy below is effectively unconfined.
// The AppArmor snippet lets the snap run aa-exec outside its own profile and
// the seccomp snippet disables syscall filtering. The restrictive base
// declaration (plug installation denied, auto-connection denied) is therefore
// the only gate visible in this file; a connection of this interface should be
// reviewed as a grant of full host access.
const (
	// lxdSupportSummary is the one-line description registered as the
	// interface summary.
	lxdSupportSummary = `allows operating as the LXD service`

	// lxdSupportBaseDeclarationPlugs is the default rule for the plug side:
	// installing a snap that declares the plug is not allowed and the plug is
	// not auto-connected. Any more specific declaration that relaxes this is
	// applied elsewhere (not visible in this file).
	lxdSupportBaseDeclarationPlugs = `
  lxd-support:
    allow-installation: false
    deny-auto-connection: true
`

	// lxdSupportBaseDeclarationSlots is the default rule for the slot side:
	// only a snap of type "core" may be installed with this slot, and
	// auto-connection is denied.
	lxdSupportBaseDeclarationSlots = `
  lxd-support:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

	// lxdSupportConnectedPlugAppArmor is the AppArmor snippet applied to a
	// connected plug. It grants read access to the per-process "current"
	// attribute files, "ux" (unconfined execute) on aa-exec, and read access
	// to the host's os-release through the hostfs mount. As the embedded
	// description states, this allows changing to any AppArmor profile,
	// including unconfined.
	lxdSupportConnectedPlugAppArmor = `
# Description: Can change to any apparmor profile (including unconfined) thus
# giving access to all resources of the system so LXD may manage what to give
# to its containers. This gives device ownership to connected snaps.
@{PROC}/**/attr/{,apparmor/}current r,
/{,usr/}{,s}bin/aa-exec ux,

# Allow discovering the os-release of the host
/var/lib/snapd/hostfs/{etc,usr/lib}/os-release r,
`

	// lxdSupportConnectedPlugSecComp is the seccomp snippet applied to a
	// connected plug. "@unrestricted" means no syscall is filtered, per the
	// embedded description.
	lxdSupportConnectedPlugSecComp = `
# Description: Can access all syscalls of the system so LXD may manage what to
# give to its containers, giving device ownership to connected snaps.
@unrestricted
`
)

// init registers the lxd-support interface with the package registry at load
// time, wiring in the summary, both base declarations and the connected-plug
// AppArmor and seccomp snippets defined above.
func init() {
	lxdSupport := &commonInterface{
		name:    "lxd-support",
		summary: lxdSupportSummary,

		// NOTE(review): presumably these make the slot available implicitly
		// on both core and classic systems; confirm against commonInterface.
		implicitOnCore:    true,
		implicitOnClassic: true,

		baseDeclarationPlugs: lxdSupportBaseDeclarationPlugs,
		baseDeclarationSlots: lxdSupportBaseDeclarationSlots,

		connectedPlugAppArmor: lxdSupportConnectedPlugAppArmor,
		connectedPlugSecComp:  lxdSupportConnectedPlugSecComp,
	}
	registerIface(lxdSupport)
}