github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/interfaces/builtin/network_manager.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"strings"
    24  
    25  	"github.com/snapcore/snapd/interfaces"
    26  	"github.com/snapcore/snapd/interfaces/apparmor"
    27  	"github.com/snapcore/snapd/interfaces/dbus"
    28  	"github.com/snapcore/snapd/interfaces/seccomp"
    29  	"github.com/snapcore/snapd/interfaces/udev"
    30  	"github.com/snapcore/snapd/release"
    31  	"github.com/snapcore/snapd/snap"
    32  )
    33  
// networkManagerSummary is the one-line description of the network-manager
// interface; StaticInfo returns it as the Summary field.
const networkManagerSummary = `allows operating as the NetworkManager service`
    35  
// networkManagerBaseDeclarationSlots is the base-declaration fragment for the
// network-manager slot; StaticInfo returns it as BaseDeclarationSlots.
//
// As written it restricts slot installation to snaps of type app or core,
// sets deny-auto-connection to true, and carries a deny-connection rule
// keyed on on-classic: false.
// NOTE(review): the deny-connection rule presumably blocks connections on
// non-classic systems unless a snap declaration overrides it; the code that
// evaluates these rules is not in this file, so confirm before relying on it.
const networkManagerBaseDeclarationSlots = `
  network-manager:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-auto-connection: true
    deny-connection:
      on-classic: false
`
    46  
// networkManagerPermanentSlotAppArmor is the AppArmor policy text that
// AppArmorPermanentSlot hands to spec.AddSnippet, without substitution, for a
// snap providing the network-manager slot.
//
// Security-relevant grants in the text below:
//   - capabilities net_admin, net_bind_service and net_raw, plus netlink,
//     bridge, inet, inet6 and packet sockets;
//   - write access to /proc/sys/net/{core,ipv4,ipv6,netfilter}/**,
//     /proc/sys/net/nf_conntrack_max, /etc/netplan, /run/NetworkManager,
//     /run/resolvconf/** and /dev/rfkill;
//   - execution of /sbin/resolvconf, /bin/run-parts, /lib/resolvconf/* and
//     /etc/resolvconf/update.d/* with the "ix" mode;
//   - binding the org.freedesktop.NetworkManager name on the system bus.
//
// Most D-Bus rules are limited to peer=(label=unconfined). The send rules for
// hostname1 Get/GetAll, hostname1 Set/SetStaticHostname and login1 Inhibit
// carry no peer restriction; the policy's own comments give D-Bus activation
// of those services as the reason. The first resolve1 rule matches the peer
// by bus name rather than by label.
//
// Lines starting with '#' inside the raw string are part of the policy text
// itself, not Go comments, so editing them changes the string passed on.
const networkManagerPermanentSlotAppArmor = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.

capability net_admin,
capability net_bind_service,
capability net_raw,

network netlink,
network bridge,
network inet,
network inet6,
network packet,

@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# used by sysctl, et al
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** rw,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** rw,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** rw,
@{PROC}/sys/net/nf_conntrack_max rw,

# Needed for systemd's dhcp implementation
@{PROC}/sys/kernel/random/boot_id r,

/sys/devices/**/**/net/**/phys_port_id r,
/sys/devices/**/**/net/**/dev_id r,
/sys/devices/virtual/net/**/phys_port_id r,
/sys/devices/virtual/net/**/dev_id r,
/sys/devices/**/net/**/ifindex r,

/dev/rfkill rw,

/run/udev/data/* r,

# Allow read and write access for all netplan configuration files
# as NetworkManager will start using them to store the network
# configuration instead of using its own internal keyfile based
# format.
/etc/netplan/{,**} rw,

# Allow access to configuration files generated on the fly
# from netplan and let NetworkManager store its configuration
# in the same place.
/run/NetworkManager/{,**} rw,

# Needed by the ifupdown plugin to check which interfaces can
# be managed an which not.
/etc/network/interfaces r,
# Needed for systemd's dhcp implementation
/etc/machine-id r,

# Needed to use resolvconf from core
/sbin/resolvconf ixr,
/run/resolvconf/{,**} rk,
/run/resolvconf/** w,
/etc/resolvconf/{,**} r,
/lib/resolvconf/* ix,
# NM peeks into ifupdown configuration
/run/network/ifstate* r,
# Required by resolvconf
/bin/run-parts ixr,
/etc/resolvconf/update.d/* ix,

#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# DBus accesses
#include <abstractions/dbus-strict>

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
#   https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
#   https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
dbus send
     bus=system
     path="/org/freedesktop/resolve1"
     interface="org.freedesktop.resolve1.Manager"
     member="Resolve{Address,Hostname,Record,Service}"
     peer=(name="org.freedesktop.resolve1"),

dbus (send)
     bus=system
     path="/org/freedesktop/resolve1"
     interface="org.freedesktop.resolve1.Manager"
     member="SetLink{DNS,MulticastDNS,Domains,LLMNR}"
     peer=(label=unconfined),

dbus (send)
   bus=system
   path=/org/freedesktop/DBus
   interface=org.freedesktop.DBus
   member={Request,Release}Name
   peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (receive, send)
   bus=system
   path=/org/freedesktop/DBus
   interface=org.freedesktop.DBus
   member=GetConnectionUnixProcessID
   peer=(label=unconfined),

dbus (receive, send)
   bus=system
   path=/org/freedesktop/DBus
   interface=org.freedesktop.DBus
   member=GetConnectionUnixUser
   peer=(label=unconfined),

# Allow binding the service to the requested connection name
dbus (bind)
    bus=system
    name="org.freedesktop.NetworkManager",

# Allow traffic to/from our path and interface with any method for unconfined
# clients to talk to our service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    interface=org.freedesktop.NetworkManager*
    peer=(label=unconfined),

# Allow traffic to/from org.freedesktop.DBus for NetworkManager service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),

# Allow ObjectManager methods from and signals to unconfined clients.
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=unconfined),

# Allow access to hostname system service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    peer=(label=unconfined),
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.DBus.Properties
    member="Get{,All}",

dbus(receive, send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.hostname1
    member={Set,SetStatic}Hostname
    peer=(label=unconfined),
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/hostname1
    interface=org.freedesktop.hostname1
    member={Set,SetStatic}Hostname,

# Sleep monitor inside NetworkManager needs this
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
    bus=system
    path=/org/freedesktop/login1
    member=Inhibit
    interface=org.freedesktop.login1.Manager,
dbus (receive)
    bus=system
    path=/org/freedesktop/login1
    member=PrepareForSleep
    interface=org.freedesktop.login1.Manager
    peer=(label=unconfined),
dbus (receive)
    bus=system
    path=/org/freedesktop/login1
    interface=org.freedesktop.login1.Manager
    member=Session{New,Removed}
    peer=(label=unconfined),

# Allow access to wpa-supplicant for managing WiFi networks
dbus (receive, send)
    bus=system
    path=/fi/w1/wpa_supplicant1{,/**}
    interface=fi.w1.wpa_supplicant1*
    peer=(label=unconfined),
dbus (receive, send)
    bus=system
    path=/fi/w1/wpa_supplicant1{,/**}
    interface=org.freedesktop.DBus.*
    peer=(label=unconfined),
`
   254  
// networkManagerConnectedSlotAppArmor is the slot-side AppArmor template that
// AppArmorConnectedSlot adds per connection, after replacing every
// ###PLUG_SECURITY_TAGS### with the result of plugAppLabelExpr(plug).
//
// The first rule permits send and receive on the whole NetworkManager object
// tree with the connected plug, with no interface or member filter. The last
// rule is an explicit deny of ptrace (trace) against the plug; the policy's
// own comment says its purpose is to silence denials triggered when
// NetworkManager reads /proc/<peer_pid>/stat, not to remove a capability the
// service needs.
const networkManagerConnectedSlotAppArmor = `
# Allow connected clients to interact with the service

# Allow traffic to/from our DBus path
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label=###PLUG_SECURITY_TAGS###),

# Later versions of NetworkManager implement org.freedesktop.DBus.ObjectManager
# for clients to easily obtain all (and be alerted to added/removed) objects
# from the service.
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=###PLUG_SECURITY_TAGS###),

# Explicitly deny ptrace to silence noisy denials. These denials happen when NM
# tries to access /proc/<peer_pid>/stat.  What apparmor prevents is showing
# internal process addresses that live in that file, but that has no adverse
# effects for NetworkManager, which just wants to find out the start time of the
# process.
deny ptrace (trace) peer=###PLUG_SECURITY_TAGS###,
`
   280  
// networkManagerConnectedPlugAppArmor is the plug-side AppArmor template that
// AppArmorConnectedPlug adds per connection. ###SLOT_SECURITY_TAGS### is
// replaced with slotAppLabelExpr(slot), or with the literal "unconfined" when
// release.OnClassic is true.
//
// The NetworkManager rule filters only on bus, path and peer label; it has no
// interface or member restriction, so at the AppArmor layer a connected plug
// may exchange any message with the service on that object tree.
// NOTE(review): any narrower authorization presumably comes from the D-Bus
// bus policy and from NetworkManager's own checks; confirm when auditing what
// a plugging snap can do.
const networkManagerConnectedPlugAppArmor = `
# Description: Allow using NetworkManager service. This gives privileged access
# to the NetworkManager service.

#include <abstractions/dbus-strict>

# Allow all access to NetworkManager service
dbus (receive, send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/**}
    peer=(label=###SLOT_SECURITY_TAGS###),

# NM implements org.freedesktop.DBus.ObjectManager too
dbus (receive, send)
    bus=system
    path=/org/freedesktop
    interface=org.freedesktop.DBus.ObjectManager
    peer=(label=###SLOT_SECURITY_TAGS###),
`
   300  
// networkManagerConnectedPlugIntrospectionSnippet is an extra plug-side
// AppArmor template that AppArmorConnectedPlug adds only when
// release.OnClassic is false (see
// https://bugs.launchpad.net/snapd/+bug/1849291).
//
// The rule lets the plug send org.freedesktop.DBus.Introspectable.Introspect
// to the slot's label. It names no path, so it applies to every object path
// the slot-providing snap exports on the system bus.
const networkManagerConnectedPlugIntrospectionSnippet = `
# Allow us to introspect the network-manager providing snap
dbus (send)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###SLOT_SECURITY_TAGS###),
`
   309  
// networkManagerConnectedSlotIntrospectionSnippet is an extra slot-side
// AppArmor template that AppArmorConnectedSlot adds only when
// release.OnClassic is false (see
// https://bugs.launchpad.net/snapd/+bug/1849291).
//
// The rule lets the slot receive
// org.freedesktop.DBus.Introspectable.Introspect calls from the plug's label.
// Like its plug-side counterpart it names no object path.
const networkManagerConnectedSlotIntrospectionSnippet = `
# Allow plugs to introspect us
dbus (receive)
    bus=system
    interface="org.freedesktop.DBus.Introspectable"
    member="Introspect"
    peer=(label=###PLUG_SECURITY_TAGS###),
`
   318  
// networkManagerConnectedPlugSecComp is the seccomp snippet that
// SecCompConnectedPlug adds for a connected plug. Its single rule permits
// socket() for AF_NETLINK with protocol NETLINK_KOBJECT_UEVENT; the "-" in
// the type position presumably leaves the socket type unconstrained (confirm
// against the seccomp snippet syntax, which is not defined in this file).
const networkManagerConnectedPlugSecComp = `
# Description: This is needed to talk to the network-manager service
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`
   323  
// networkManagerPermanentSlotSecComp is the seccomp snippet that
// SecCompPermanentSlot adds for the slot-providing snap. It lists accept,
// accept4, bind, listen and sethostname, and permits socket() for AF_NETLINK
// with "-" in both the type and protocol positions, i.e. without naming a
// specific netlink protocol (contrast the plug snippet, which names
// NETLINK_KOBJECT_UEVENT).
const networkManagerPermanentSlotSecComp = `
# Description: Allow operating as the NetworkManager service. This gives
# privileged access to the system.
accept
accept4
bind
listen
sethostname
# netlink
socket AF_NETLINK - -
`
   335  
// networkManagerPermanentSlotDBus is the D-Bus bus-policy XML that
// DBusPermanentSlot hands to spec.AddSnippet for the slot-providing snap.
//
// Structure of the policy below:
//   - user="root": may own org.freedesktop.NetworkManager and the dnsmasq
//     name, send to NetworkManager and to the listed VPN plugin names, and
//     send on the SecretAgent and VPN.Plugin interfaces (those two rules
//     name no send_destination).
//   - context="default": first denies owning and sending to
//     org.freedesktop.NetworkManager, then re-allows sending per interface,
//     then denies the SetLogging, Sleep, LoadConnections and
//     ReloadConnections members and the dnsmasq name. The member denies come
//     after the interface allows they narrow, so their order matters.
//   - two per-connection limits at the end.
//
// Several allow groups are labelled "secured with PolicyKit" in the XML
// comments: the bus policy itself admits those calls from any user, so the
// effective check is whatever NetworkManager performs on receipt.
// NOTE(review): the header comment says this mirrors upstream NetworkManager
// 1.2.2; interfaces added upstream since then are not listed here, so re-check
// the list when the packaged NetworkManager version changes.
const networkManagerPermanentSlotDBus = `
<!-- DBus policy for NetworkManager (upstream version 1.2.2) -->
<policy user="root">
    <allow own="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager"/>

    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.PPP"/>

    <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>

    <!-- These are there because some broken policies do
         <deny send_interface="..." /> (see dbus-daemon(8) for details).
         This seems to override that for the known VPN plugins. -->
    <allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
    <allow send_destination="org.freedesktop.NetworkManager.openswan"/>
    <allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
    <allow send_destination="org.freedesktop.NetworkManager.pptp"/>
    <allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
    <allow send_destination="org.freedesktop.NetworkManager.ssh"/>
    <allow send_destination="org.freedesktop.NetworkManager.iodine"/>
    <allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
    <allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
    <allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
    <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
    <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>

    <!-- Allow the custom name for the dnsmasq instance spawned by NM
        from the dns dnsmasq plugin to own it's dbus name, and for
        messages to be sent to it.
    -->
    <allow own="org.freedesktop.NetworkManager.dnsmasq"/>
    <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>

<policy context="default">
    <deny own="org.freedesktop.NetworkManager"/>

    <deny send_destination="org.freedesktop.NetworkManager"/>

    <!-- Basic D-Bus API stuff -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.DBus.ObjectManager"/>

    <!-- Devices (read-only properties, no methods) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Adsl"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bond"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bridge"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Generic"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Gre"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Modem"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Team"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Tun"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Veth"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Vlan"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.AccessPoint"/>

    <!-- Devices (read-only, no security required) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.WiMax"/>

    <!-- Devices (read/write, secured with PolicyKit) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Device"/>

    <!-- Core stuff (read-only properties, no methods) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.DHCP6Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.IP4Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.IP6Config"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>

    <!-- Core stuff (read/write, secured with PolicyKit) -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Settings"/>
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.Settings.Connection"/>

    <!-- Agents; secured with PolicyKit.  Any process can talk to
         the AgentManager API, but only NetworkManager can talk
         to the agents themselves. -->
    <allow send_destination="org.freedesktop.NetworkManager"
           send_interface="org.freedesktop.NetworkManager.AgentManager"/>

    <!-- Root-only functions -->
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager"
          send_member="SetLogging"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager"
          send_member="Sleep"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager.Settings"
          send_member="LoadConnections"/>
    <deny send_destination="org.freedesktop.NetworkManager"
          send_interface="org.freedesktop.NetworkManager.Settings"
          send_member="ReloadConnections"/>

    <deny own="org.freedesktop.NetworkManager.dnsmasq"/>
    <deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>

<limit name="max_replies_per_connection">1024</limit>
<limit name="max_match_rules_per_connection">2048</limit>
`
   479  
// networkManagerInterface is the stateless type whose methods supply the
// AppArmor, seccomp, D-Bus and udev policy for the network-manager interface.
// init registers an instance of it through registerIface.
type networkManagerInterface struct{}
   481  
// Name returns the interface name, "network-manager".
func (iface *networkManagerInterface) Name() string {
	const ifaceName = "network-manager"
	return ifaceName
}
   485  
// StaticInfo returns the interface's fixed metadata: its summary, the
// ImplicitOnClassic flag set to true, and the base-declaration slot rules
// from networkManagerBaseDeclarationSlots.
func (iface *networkManagerInterface) StaticInfo() interfaces.StaticInfo {
	var info interfaces.StaticInfo
	info.Summary = networkManagerSummary
	info.ImplicitOnClassic = true
	info.BaseDeclarationSlots = networkManagerBaseDeclarationSlots
	return info
}
   493  
// AppArmorConnectedPlug adds the plug-side AppArmor rules for one connection.
//
// Every ###SLOT_SECURITY_TAGS### placeholder in the templates is replaced by
// the peer label the plug may talk to. On classic that label is the literal
// "unconfined", because NetworkManager is expected to run unconfined there;
// the resulting rules therefore match any unconfined peer on the
// NetworkManager object path rather than one specific snap. Elsewhere the
// label comes from slotAppLabelExpr(slot).
//
// The substitution is plain text replacement into policy source.
// NOTE(review): it relies on slotAppLabelExpr returning a well-formed
// AppArmor label expression; that helper is defined outside this file.
//
// It always returns nil.
func (iface *networkManagerInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"

	peerLabel := "unconfined"
	if !release.OnClassic {
		peerLabel = slotAppLabelExpr(slot)
	}

	spec.AddSnippet(strings.Replace(networkManagerConnectedPlugAppArmor, placeholder, peerLabel, -1))
	if release.OnClassic {
		return nil
	}

	// The introspection rule is only added off classic.
	// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
	spec.AddSnippet(strings.Replace(networkManagerConnectedPlugIntrospectionSnippet, placeholder, peerLabel, -1))
	return nil
}
   513  
// AppArmorConnectedSlot adds the slot-side AppArmor rules for one connection.
//
// Every ###PLUG_SECURITY_TAGS### placeholder in the templates is replaced by
// plugAppLabelExpr(plug), on classic and elsewhere alike. The substitution is
// plain text replacement into policy source.
// NOTE(review): it relies on plugAppLabelExpr returning a well-formed
// AppArmor label expression; that helper is defined outside this file.
//
// It always returns nil.
func (iface *networkManagerInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"

	plugLabel := plugAppLabelExpr(plug)
	render := func(template string) string {
		return strings.Replace(template, placeholder, plugLabel, -1)
	}

	spec.AddSnippet(render(networkManagerConnectedSlotAppArmor))
	if release.OnClassic {
		return nil
	}

	// The introspection rule is only added off classic.
	// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
	spec.AddSnippet(render(networkManagerConnectedSlotIntrospectionSnippet))
	return nil
}
   526  
// AppArmorPermanentSlot adds the service-side AppArmor policy for a snap that
// provides the network-manager slot. The policy is added unmodified and does
// not depend on the slot argument. It always returns nil.
func (iface *networkManagerInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	servicePolicy := networkManagerPermanentSlotAppArmor
	spec.AddSnippet(servicePolicy)
	return nil
}
   531  
// DBusPermanentSlot adds the D-Bus bus-policy XML for a snap that provides
// the network-manager slot. The XML is added unmodified and does not depend
// on the slot argument. It always returns nil.
func (iface *networkManagerInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
	busPolicy := networkManagerPermanentSlotDBus
	spec.AddSnippet(busPolicy)
	return nil
}
   536  
// SecCompPermanentSlot adds the seccomp snippet for a snap that provides the
// network-manager slot. The snippet is added unmodified and does not depend
// on the slot argument. It always returns nil.
func (iface *networkManagerInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	syscallPolicy := networkManagerPermanentSlotSecComp
	spec.AddSnippet(syscallPolicy)
	return nil
}
   541  
// UDevPermanentSlot tags the kernel device named "rfkill" for a snap that
// provides the network-manager slot. The slot's AppArmor policy separately
// lists /dev/rfkill with rw access.
// NOTE(review): the tag presumably is what admits the device through the
// snap's device access control; TagDevice is defined outside this file.
// It always returns nil.
func (iface *networkManagerInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
	const rfkillMatch = `KERNEL=="rfkill"`
	spec.TagDevice(rfkillMatch)
	return nil
}
   546  
// SecCompConnectedPlug adds the seccomp snippet for a connected plug. The
// snippet is added unmodified and depends on neither the plug nor the slot
// argument. It always returns nil.
func (iface *networkManagerInterface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	clientPolicy := networkManagerConnectedPlugSecComp
	spec.AddSnippet(clientPolicy)
	return nil
}
   551  
// AutoConnect reports true for every plug/slot pair: the interface adds no
// veto of its own and leaves the decision to the declarations.
// NOTE(review): the base declaration in this file sets deny-auto-connection
// to true, so this return value presumably does not by itself cause an
// automatic connection; confirm against the policy evaluation code.
func (iface *networkManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	const noInterfaceVeto = true
	return noInterfaceVeto
}
   556  
// init registers the network-manager interface with the builtin interface
// list through registerIface.
func init() {
	nm := &networkManagerInterface{}
	registerIface(nm)
}