github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/interfaces/builtin/ubuntu_download_manager.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"strings"
    24  
    25  	"github.com/snapcore/snapd/interfaces"
    26  	"github.com/snapcore/snapd/interfaces/apparmor"
    27  	"github.com/snapcore/snapd/snap"
    28  )
    29  
// ubuntuDownloadManagerSummary is the one-line description of the
// ubuntu-download-manager interface; StaticInfo returns it as the Summary.
const ubuntuDownloadManagerSummary = `allows operating as or interacting with the Ubuntu download manager`
    31  
// ubuntuDownloadManagerBaseDeclarationSlots is the base-declaration fragment
// for slots of this interface; StaticInfo returns it as BaseDeclarationSlots.
// As written it allows a slot to be installed only by snaps of type "app" and
// sets deny-connection to true.
//
// NOTE(review): with deny-connection set here, a connection presumably needs
// an explicit grant from somewhere else (for example a snap declaration);
// AutoConnect in this file adds no check of its own. Confirm against the
// policy checker before relying on this as the only gate.
const ubuntuDownloadManagerBaseDeclarationSlots = `
  ubuntu-download-manager:
    allow-installation:
      slot-snap-type:
        - app
    deny-connection: true
`
    39  
// downloadConnectedPlugAppArmor is the AppArmor policy template that
// AppArmorConnectedPlug adds for a connected plug. Every
// ###SLOT_SECURITY_TAGS### marker is replaced with the slot's label
// expression, and every dbus rule in the template carries that peer label, so
// the plug may only talk to the connected slot over the session bus.
//
// Calls to com.canonical.applications.DownloadManager on path=/ are
// allow-listed member by member: createDownload, createDownloadGroup,
// getAllDownloads, getAllDownloadsWithMetadata, defaultThrottle and
// isGSMDownloadAllowed. The methods allowGSMDownload, createMmsDownload, exit
// and setDefaultThrottle are deliberately left out of this profile due to
// their privileged nature; adding a member here widens what every connected
// plug can do.
//
// NOTE(review): the Download, GroupDownload and Properties rules are scoped
// to /com/canonical/applications/download/@{PROFILE_DBUS}/**; @{PROFILE_DBUS}
// presumably expands to a per-profile path component so a plug only reaches
// its own download objects - confirm where snapd defines the variable.
// NOTE(review): the second Introspect rule uses
// /com/canonical/applications/download/** without @{PROFILE_DBUS}, so
// introspection is not narrowed the same way - confirm this is intended.
// NOTE(review): the receive rule for Download{,er}Manager has no path or
// member restriction; the peer label is its only constraint.
// NOTE(review): getAllDownloads is the only member rule that grants receive
// as well as send - confirm whether that difference is deliberate.
const downloadConnectedPlugAppArmor = `
# Description: Can access the download manager.

#include <abstractions/dbus-session-strict>

# allow communicating with download-manager service
dbus (send)
     bus=session
     interface="org.freedesktop.DBus.Introspectable"
     path=/
     member=Introspect
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
     bus=session
     interface="org.freedesktop.DBus.Introspectable"
     path=/com/canonical/applications/download/**
     member=Introspect
     peer=(label=###SLOT_SECURITY_TAGS###),
# Allow DownloadManager to send us signals, etc
dbus (receive)
     bus=session
     interface=com.canonical.applications.Download{,er}Manager
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive, send)
     bus=session
     path=/com/canonical/applications/download/@{PROFILE_DBUS}/**
     interface=com.canonical.applications.Download
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive)
     bus=session
     path=/com/canonical/applications/download/@{PROFILE_DBUS}/**
     interface=org.freedesktop.DBus.Properties
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive, send)
     bus=session
     path=/com/canonical/applications/download/@{PROFILE_DBUS}/**
     interface=com.canonical.applications.GroupDownload
     peer=(label=###SLOT_SECURITY_TAGS###),
# Be explicit about the allowed members we can send to
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=createDownload
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=createDownloadGroup
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive, send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=getAllDownloads
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=getAllDownloadsWithMetadata
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=defaultThrottle
     peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=isGSMDownloadAllowed
     peer=(label=###SLOT_SECURITY_TAGS###),
`
   118  
// downloadPermanentSlotAppArmor is the AppArmor policy that
// AppArmorPermanentSlot adds for the slot; it contains no placeholders and is
// added verbatim. It lets the slot bind the session-bus name
// com.canonical.applications.Downloader and send a fixed set of
// org.freedesktop.DBus calls to the unconfined bus daemon:
// GetConnectionUnixProcessID / GetConnectionUnixUser, RequestName /
// ReleaseName, and GetConnectionAppArmorSecurityContext.
//
// NOTE(review): the credential and security-context lookups are presumably
// how the service identifies its callers; that logic is not in this file.
// NOTE(review): the GetConnectionAppArmorSecurityContext rule uses path=/
// while the other two bus-daemon rules use path=/org/freedesktop/DBus -
// confirm the difference is intended.
const downloadPermanentSlotAppArmor = `
# Description: Allow operating as a download manager.

# DBus accesses
#include <abstractions/dbus-session-strict>

# https://specifications.freedesktop.org/download-spec/latest/
# allow binding to the DBus download interface
dbus (bind)
    bus=session
    name="com.canonical.applications.Downloader",

dbus (send)
    bus=session
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member="GetConnectionUnix{ProcessID,User}"
    peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (send)
    bus=session
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member="{RequestName,ReleaseName}"
    peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (send)
    bus=session
    path=/
    interface=org.freedesktop.DBus
    member="GetConnectionAppArmorSecurityContext"
    peer=(name=org.freedesktop.DBus, label=unconfined),
`
   152  
// downloadConnectedSlotAppArmor is the AppArmor policy template that
// AppArmorConnectedSlot adds to the slot side for a connected plug.
// ###PLUG_SECURITY_TAGS### is replaced with the plug's label expression and
// ###PLUG_NAME### with the plug snap's instance name.
//
// The file rules at the end give the slot owner-restricted rw access to
// @{HOME}/snap/<plug>/common/Downloads/ and rwk access to everything below
// it, i.e. the service can write into the connected snap's per-user data.
//
// NOTE(review): only getAllDownloads and createDownload are accepted on
// com.canonical.applications.DownloadManager here, while the plug-side
// template also allows sending createDownloadGroup,
// getAllDownloadsWithMetadata, defaultThrottle and isGSMDownloadAllowed. If
// both ends are mediated, those calls would appear to be rejected on the
// receiving side - confirm which list is the intended one.
// NOTE(review): the three send rules pair peer name=org.freedesktop.DBus
// with the plug's label. The plug is unlikely to own that bus name, so verify
// that these rules match the traffic they are meant to allow.
// NOTE(review): the /com/canonical/applications/download/** rules are not
// narrowed per plug (the plug side uses @{PROFILE_DBUS}); separation between
// clients rests on the peer label alone.
// NOTE(review): ###PLUG_NAME### is spliced into a path rule verbatim; this
// relies on instance names never containing AppArmor glob or rule
// metacharacters - confirm the name validation done elsewhere in snapd.
const downloadConnectedSlotAppArmor = `
# Allow connected clients to interact with the download manager
dbus (receive)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=getAllDownloads
     peer=(label=###PLUG_SECURITY_TAGS###),

dbus (receive)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=createDownload
     peer=(label=###PLUG_SECURITY_TAGS###),

dbus (receive)
     bus=session
     path=/com/canonical/applications/download/**
     interface=com.canonical.applications.Download
     peer=(label=###PLUG_SECURITY_TAGS###),

dbus (send)
    bus=session
    path=/com/canonical/applications/download/**
    interface=com.canonical.applications.Download
    peer=(name=org.freedesktop.DBus, label=###PLUG_SECURITY_TAGS###),

dbus (send)
    bus=session
    path=/com/canonical/applications/download/**
    interface=org.freedesktop.DBus
    peer=(name=org.freedesktop.DBus, label=###PLUG_SECURITY_TAGS###),

dbus (send)
    bus=session
    path=/com/canonical/applications/download/**
    interface=org.freedesktop.DBus.Properties
    peer=(name=org.freedesktop.DBus, label=###PLUG_SECURITY_TAGS###),

# Allow writing to app download directories
owner @{HOME}/snap/###PLUG_NAME###/common/Downloads/    rw,
owner @{HOME}/snap/###PLUG_NAME###/common/Downloads/**  rwk,
`
   197  
// ubuntuDownloadManagerInterface implements the ubuntu-download-manager
// interface. It holds no state; its methods supply the interface name, the
// static info and the AppArmor snippets for plugs and slots.
type ubuntuDownloadManagerInterface struct{}
   199  
// Name returns the interface name, "ubuntu-download-manager".
func (iface *ubuntuDownloadManagerInterface) Name() string {
	const name = "ubuntu-download-manager"
	return name
}
   203  
// StaticInfo returns the interface's static metadata: the summary text and
// the base-declaration fragment for slots. No other field is set.
func (iface *ubuntuDownloadManagerInterface) StaticInfo() interfaces.StaticInfo {
	var info interfaces.StaticInfo
	info.Summary = ubuntuDownloadManagerSummary
	info.BaseDeclarationSlots = ubuntuDownloadManagerBaseDeclarationSlots
	return info
}
   210  
// String returns the same value as Name.
func (iface *ubuntuDownloadManagerInterface) String() string {
	name := iface.Name()
	return name
}
   214  
// AppArmorConnectedPlug adds the plug-side download-manager policy to spec.
//
// Every ###SLOT_SECURITY_TAGS### marker in downloadConnectedPlugAppArmor is
// replaced with the label expression that slotAppLabelExpr returns for slot,
// so the D-Bus rules in the template name the connected slot as their peer.
// The expression is inserted verbatim. It always returns nil.
func (iface *ubuntuDownloadManagerInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const marker = "###SLOT_SECURITY_TAGS###"
	slotLabels := slotAppLabelExpr(slot)
	spec.AddSnippet(strings.Replace(downloadConnectedPlugAppArmor, marker, slotLabels, -1))
	return nil
}
   222  
// AppArmorPermanentSlot adds downloadPermanentSlotAppArmor to spec unchanged;
// the slot argument is not consulted. It always returns nil.
func (iface *ubuntuDownloadManagerInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	const snippet = downloadPermanentSlotAppArmor
	spec.AddSnippet(snippet)
	return nil
}
   227  
// AppArmorConnectedSlot adds the slot-side policy for one connected plug to
// spec.
//
// Two substitutions are applied to downloadConnectedSlotAppArmor, in order:
// ###PLUG_SECURITY_TAGS### becomes the label expression returned by
// plugAppLabelExpr for plug, then ###PLUG_NAME### becomes the plug snap's
// instance name. Both values are inserted verbatim into the policy text; the
// instance name ends up inside a file path rule. It always returns nil.
func (iface *ubuntuDownloadManagerInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const (
		labelMarker = "###PLUG_SECURITY_TAGS###"
		nameMarker  = "###PLUG_NAME###"
	)

	// Pass 1: restrict the D-Bus rules to the connected plug's labels.
	withLabels := strings.Replace(downloadConnectedSlotAppArmor, labelMarker, plugAppLabelExpr(plug), -1)

	// Pass 2: point the Downloads directory rules at the plug snap. This runs
	// on the output of pass 1, exactly as two sequential replacements.
	instanceName := plug.Snap().InstanceName()
	spec.AddSnippet(strings.Replace(withLabels, nameMarker, instanceName, -1))
	return nil
}
   238  
// AutoConnect reports true for every plug/slot pair. The interface adds no
// veto of its own, so whether a connection is permitted is left entirely to
// the declarations.
func (iface *ubuntuDownloadManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	const permitted = true
	return permitted
}
   243  
// init registers the ubuntu-download-manager interface through registerIface
// when the package is loaded.
func init() {
	var iface ubuntuDownloadManagerInterface
	registerIface(&iface)
}