github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/interfaces/builtin/unity7.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2017 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin 21 22 import ( 23 "strings" 24 25 "github.com/snapcore/snapd/interfaces" 26 "github.com/snapcore/snapd/interfaces/apparmor" 27 "github.com/snapcore/snapd/interfaces/seccomp" 28 "github.com/snapcore/snapd/snap" 29 ) 30 31 const unity7Summary = `allows interacting with Unity 7 services` 32 33 const unity7BaseDeclarationSlots = ` 34 unity7: 35 allow-installation: 36 slot-snap-type: 37 - core 38 ` 39 40 const unity7ConnectedPlugAppArmor = ` 41 # Description: Can access Unity7. Note, Unity 7 runs on X and requires access 42 # to various DBus services and this environment does not prevent eavesdropping 43 # or apps interfering with one another. 44 45 #include <abstractions/dbus-strict> 46 #include <abstractions/dbus-session-strict> 47 48 # Allow finding the DBus session bus id (eg, via dbus_bus_get_id()) 49 dbus (send) 50 bus=session 51 path=/org/freedesktop/DBus 52 interface=org.freedesktop.DBus 53 member=GetId 54 peer=(name=org.freedesktop.DBus, label=unconfined), 55 56 #include <abstractions/X> 57 58 #include <abstractions/fonts> 59 owner @{HOME}/.local/share/fonts/{,**} r, 60 /var/cache/fontconfig/ r, 61 /var/cache/fontconfig/** mr, 62 63 # subset of gnome abstraction 64 /etc/gnome/defaults.list r, 65 66 /etc/gtk-*/* r, 67 /usr/lib{,32,64}/gtk-*/** mr, 68 /usr/lib{,32,64}/gdk-pixbuf-*/** mr, 69 /usr/lib/@{multiarch}/gtk-*/** mr, 70 /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr, 71 72 /etc/pango/* r, 73 /usr/lib{,32,64}/pango/** mr, 74 /usr/lib/@{multiarch}/pango/** mr, 75 76 /usr/share/icons/ r, 77 /usr/share/icons/** r, 78 /usr/share/icons/*/index.theme rk, 79 /usr/share/pixmaps/ r, 80 /usr/share/pixmaps/** r, 81 82 # The snapcraft desktop part may look for schema files in various locations, so 83 # allow reading system installed schemas. 84 /usr/share/glib*/schemas/{,*} r, 85 86 # Snappy's 'xdg-open' talks to the snapd-xdg-open service which currently works 87 # only in environments supporting dbus-send (eg, X11). In the future once 88 # snappy's xdg-open supports all snaps images, this access may move to another 89 # interface. This is duplicated from desktop for compatibility with existing 90 # snaps. 91 /usr/bin/xdg-open ixr, 92 # While /usr/share/applications comes from the base runtime of the snap, it 93 # has some things that snaps actually need, so allow access to those and deny 94 # access to the others. This is duplicated from desktop for compatibility with 95 # existing snaps. 96 /usr/share/applications/ r, 97 /usr/share/applications/mimeapps.list r, 98 /usr/share/applications/xdg-open.desktop r, 99 # silence noisy denials from desktop files in core* snaps that aren't usable by 100 # snaps 101 deny /usr/share/applications/python*.desktop r, 102 deny /usr/share/applications/vim.desktop r, 103 deny /usr/share/applications/snap-handle-link.desktop r, # core16 104 105 # This allow access to the first version of the snapd-xdg-open 106 # version which was shipped outside of snapd 107 dbus (send) 108 bus=session 109 path=/ 110 interface=com.canonical.SafeLauncher 111 member=OpenURL 112 peer=(label=unconfined), 113 # ... and this allows access to the new xdg-open service which 114 # is now part of snapd itself. 115 dbus (send) 116 bus=session 117 path=/io/snapcraft/Launcher 118 interface=io.snapcraft.Launcher 119 member={OpenURL,OpenFile} 120 peer=(label=unconfined), 121 122 # Allow use of snapd's internal 'xdg-settings' 123 /usr/bin/xdg-settings ixr, 124 dbus (send) 125 bus=session 126 path=/io/snapcraft/Settings 127 interface=io.snapcraft.Settings 128 member={Check,CheckSub,Get,GetSub,Set,SetSub} 129 peer=(label=unconfined), 130 131 # input methods (ibus) 132 # subset of ibus abstraction 133 /usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr, 134 owner @{HOME}/.config/ibus/ r, 135 owner @{HOME}/.config/ibus/bus/ r, 136 owner @{HOME}/.config/ibus/bus/* r, 137 138 # allow communicating with ibus-daemon (this allows sniffing key events) 139 unix (connect, receive, send) 140 type=stream 141 peer=(addr="@/tmp/ibus/dbus-*"), 142 143 # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache) 144 # This should use this, but due to LP: #1856738 we cannot 145 #unix (connect, receive, send) 146 # type=stream 147 # peer=(addr="@@{HOME}/.cache/ibus/dbus-*"), 148 unix (connect, receive, send) 149 type=stream 150 peer=(addr="@/home/*/.cache/ibus/dbus-*"), 151 152 153 # input methods (mozc) 154 # allow communicating with mozc server (TODO: investigate if allows sniffing) 155 unix (connect, receive, send) 156 type=stream 157 peer=(addr="@tmp/.mozc.*"), 158 159 160 # input methods (fcitx) 161 # allow communicating with fcitx dbus service 162 dbus send 163 bus=fcitx 164 path=/org/freedesktop/DBus 165 interface=org.freedesktop.DBus 166 member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} 167 peer=(name=org.freedesktop.DBus), 168 169 owner @{HOME}/.config/fcitx/dbus/* r, 170 171 # allow creating an input context 172 dbus send 173 bus={fcitx,session} 174 path=/inputmethod 175 interface=org.fcitx.Fcitx.InputMethod 176 member=CreateIC* 177 peer=(label=unconfined), 178 179 # allow setting up and tearing down the input context 180 dbus send 181 bus={fcitx,session} 182 path=/inputcontext_[0-9]* 183 interface=org.fcitx.Fcitx.InputContext 184 member="{Close,Destroy,Enable}IC" 185 peer=(label=unconfined), 186 187 dbus send 188 bus={fcitx,session} 189 path=/inputcontext_[0-9]* 190 interface=org.fcitx.Fcitx.InputContext 191 member=Reset 192 peer=(label=unconfined), 193 194 # allow service to send us signals 195 dbus receive 196 bus=fcitx 197 peer=(label=unconfined), 198 199 dbus receive 200 bus=session 201 interface=org.fcitx.Fcitx.* 202 peer=(label=unconfined), 203 204 # use the input context 205 dbus send 206 bus={fcitx,session} 207 path=/inputcontext_[0-9]* 208 interface=org.fcitx.Fcitx.InputContext 209 member="Focus{In,Out}" 210 peer=(label=unconfined), 211 212 dbus send 213 bus={fcitx,session} 214 path=/inputcontext_[0-9]* 215 interface=org.fcitx.Fcitx.InputContext 216 member="{CommitPreedit,Set*}" 217 peer=(label=unconfined), 218 219 # this is an information leak and allows key and mouse sniffing. If the input 220 # context path were tied to the process' security label, this would not be an 221 # issue. 222 dbus send 223 bus={fcitx,session} 224 path=/inputcontext_[0-9]* 225 interface=org.fcitx.Fcitx.InputContext 226 member="{MouseEvent,ProcessKeyEvent}" 227 peer=(label=unconfined), 228 229 # this method does not exist with the sunpinyin backend (at least), so allow 230 # it for other input methods. This may consitute an information leak (which, 231 # again, could be avoided if the path were tied to the process' security 232 # label). 233 dbus send 234 bus={fcitx,session} 235 path=/inputcontext_[0-9]* 236 interface=org.freedesktop.DBus.Properties 237 member=GetAll 238 peer=(label=unconfined), 239 240 # Needed by QtSystems on X to detect mouse and keyboard. Note, the 'netlink 241 # raw' rule is not finely mediated by apparmor so we mediate with seccomp arg 242 # filtering. 243 network netlink raw, 244 /run/udev/data/c13:[0-9]* r, 245 /run/udev/data/+input:* r, 246 247 # subset of freedesktop.org 248 /usr/share/mime/** r, 249 owner @{HOME}/.local/share/mime/** r, 250 owner @{HOME}/.config/user-dirs.* r, 251 252 /etc/xdg/user-dirs.conf r, 253 /etc/xdg/user-dirs.defaults r, 254 255 # gtk settings (subset of gnome abstraction) 256 owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini r, 257 owner @{HOME}/.config/gtk-3.0/settings.ini r, 258 # Note: this leaks directory names that wouldn't otherwise be known to the snap 259 owner @{HOME}/.config/gtk-3.0/bookmarks r, 260 261 # accessibility 262 #include <abstractions/dbus-accessibility-strict> 263 dbus (send) 264 bus=session 265 path=/org/a11y/bus 266 interface=org.a11y.Bus 267 member=GetAddress 268 peer=(label=unconfined), 269 dbus (send) 270 bus=session 271 path=/org/a11y/bus 272 interface=org.freedesktop.DBus.Properties 273 member=Get{,All} 274 peer=(label=unconfined), 275 276 # unfortunate, but org.a11y.atspi is not designed for separation 277 dbus (receive, send) 278 bus=accessibility 279 path=/org/a11y/atspi/** 280 peer=(label=unconfined), 281 282 # org.freedesktop.Accounts 283 dbus (send) 284 bus=system 285 path=/org/freedesktop/Accounts 286 interface=org.freedesktop.DBus.Introspectable 287 member=Introspect 288 peer=(label=unconfined), 289 290 dbus (send) 291 bus=system 292 path=/org/freedesktop/Accounts 293 interface=org.freedesktop.Accounts 294 member=FindUserById 295 peer=(label=unconfined), 296 297 # Get() is an information leak 298 # TODO: verify what it is leaking 299 dbus (receive, send) 300 bus=system 301 path=/org/freedesktop/Accounts/User[0-9]* 302 interface=org.freedesktop.DBus.Properties 303 member={Get,PropertiesChanged} 304 peer=(label=unconfined), 305 306 # gmenu 307 # Note: the gmenu DBus api was not designed for application isolation and apps 308 # may specify anything as their 'path'. For example, these work in the many 309 # cases: 310 # - /org/gtk/Application/anonymous{,/**} 311 # - /com/canonical/unity/gtk/window/[0-9]* 312 # but libreoffice does: 313 # - /org/libreoffice{,/**} 314 # As such, cannot mediate by DBus path so we'll be as strict as we can in the 315 # other mediated parts 316 dbus (send) 317 bus=session 318 interface=org.gtk.Actions 319 member=Changed 320 peer=(name=org.freedesktop.DBus, label=unconfined), 321 322 dbus (receive) 323 bus=session 324 interface=org.gtk.Actions 325 member={Activate,DescribeAll,SetState} 326 peer=(label=unconfined), 327 328 dbus (receive) 329 bus=session 330 interface=org.gtk.Menus 331 member={Start,End} 332 peer=(label=unconfined), 333 334 dbus (send) 335 bus=session 336 interface=org.gtk.Menus 337 member=Changed 338 peer=(name=org.freedesktop.DBus, label=unconfined), 339 340 # Ubuntu menus 341 dbus (send) 342 bus=session 343 path="/com/ubuntu/MenuRegistrar" 344 interface="com.ubuntu.MenuRegistrar" 345 member="{Register,Unregister}{App,Surface}Menu" 346 peer=(label=unconfined), 347 348 # url helper 349 dbus (send) 350 bus=session 351 interface=com.canonical.SafeLauncher.OpenURL 352 peer=(label=unconfined), 353 # new url helper (part of snap userd) 354 dbus (send) 355 bus=session 356 interface=io.snapcraft.Launcher.OpenURL 357 peer=(label=unconfined), 358 359 # dbusmenu 360 dbus (send) 361 bus=session 362 path=/{MenuBar{,/[0-9A-F]*},com/canonical/menu/[0-9A-F]*} 363 interface=com.canonical.dbusmenu 364 member="{LayoutUpdated,ItemsPropertiesUpdated}" 365 peer=(name=org.freedesktop.DBus, label=unconfined), 366 367 dbus (receive) 368 bus=session 369 path=/{MenuBar{,/[0-9A-F]*},com/canonical/menu/[0-9A-F]*} 370 interface="{com.canonical.dbusmenu,org.freedesktop.DBus.Properties}" 371 member=Get* 372 peer=(label=unconfined), 373 374 dbus (receive) 375 bus=session 376 path=/{MenuBar{,/[0-9A-F]*},com/canonical/menu/[0-9A-F]*} 377 interface=com.canonical.dbusmenu 378 member="{AboutTo*,Event*}" 379 peer=(label=unconfined), 380 381 dbus (receive) 382 bus=session 383 path=/{MenuBar{,/[0-9A-F]*},com/canonical/menu/[0-9A-F]*} 384 interface=org.freedesktop.DBus.Introspectable 385 member=Introspect 386 peer=(label=unconfined), 387 388 dbus (receive) 389 bus=session 390 path=/com/canonical/dbusmenu 391 interface=org.freedesktop.DBus.Properties 392 member=Get* 393 peer=(label=unconfined), 394 395 # app-indicators 396 dbus (send) 397 bus=session 398 path=/StatusNotifierWatcher 399 interface=org.freedesktop.DBus.Introspectable 400 member=Introspect 401 peer=(name=org.kde.StatusNotifierWatcher, label=unconfined), 402 403 dbus (send) 404 bus=session 405 path=/org/freedesktop/DBus 406 interface=org.freedesktop.DBus 407 member="{GetConnectionUnixProcessID,RequestName,ReleaseName}" 408 peer=(name=org.freedesktop.DBus, label=unconfined), 409 410 dbus (bind) 411 bus=session 412 name=org.kde.StatusNotifierItem-[0-9]*, 413 414 dbus (send) 415 bus=session 416 path=/StatusNotifierWatcher 417 interface=org.freedesktop.DBus.Properties 418 member=Get 419 peer=(name=org.kde.StatusNotifierWatcher, label=unconfined), 420 421 dbus (send) 422 bus=session 423 path=/{StatusNotifierWatcher,org/ayatana/NotificationItem/*} 424 interface=org.kde.StatusNotifierWatcher 425 member=RegisterStatusNotifierItem 426 peer=(label=unconfined), 427 428 dbus (send) 429 bus=session 430 path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} 431 interface=org.kde.StatusNotifierItem 432 member="New{AttentionIcon,Icon,IconThemePath,OverlayIcon,Status,Title,ToolTip}" 433 peer=(name=org.freedesktop.DBus, label=unconfined), 434 435 dbus (receive) 436 bus=session 437 path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} 438 interface=org.kde.StatusNotifierItem 439 member={Activate,ContextMenu,Scroll,SecondaryActivate,XAyatanaSecondaryActivate} 440 peer=(label=unconfined), 441 442 dbus (send) 443 bus=session 444 path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} 445 interface=com.canonical.dbusmenu 446 member="{LayoutUpdated,ItemsPropertiesUpdated}" 447 peer=(name=org.freedesktop.DBus, label=unconfined), 448 449 dbus (receive) 450 bus=session 451 path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} 452 interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} 453 member={Get*,AboutTo*,Event*} 454 peer=(label=unconfined), 455 456 # notifications 457 dbus (send) 458 bus=session 459 path=/org/freedesktop/Notifications 460 interface=org.freedesktop.Notifications 461 member="{GetCapabilities,GetServerInformation,Notify,CloseNotification}" 462 peer=(label=unconfined), 463 464 dbus (receive) 465 bus=session 466 path=/org/freedesktop/Notifications 467 interface=org.freedesktop.Notifications 468 member={ActionInvoked,NotificationClosed,NotificationReplied} 469 peer=(label=unconfined), 470 471 dbus (send) 472 bus=session 473 path=/org/ayatana/NotificationItem/* 474 interface=org.kde.StatusNotifierItem 475 member=XAyatanaNew* 476 peer=(name=org.freedesktop.DBus, label=unconfined), 477 478 # unity launcher 479 dbus (send) 480 bus=session 481 path=/com/canonical/unity/launcherentry/[0-9]* 482 interface=com.canonical.Unity.LauncherEntry 483 member=Update 484 peer=(name=org.freedesktop.DBus, label=unconfined), 485 486 dbus (send) 487 bus=session 488 path=/com/canonical/unity/launcherentry/[0-9]* 489 interface=com.canonical.dbusmenu 490 member="{LayoutUpdated,ItemsPropertiesUpdated}" 491 peer=(name=org.freedesktop.DBus, label=unconfined), 492 493 dbus (receive) 494 bus=session 495 path=/com/canonical/unity/launcherentry/[0-9]* 496 interface="{com.canonical.dbusmenu,org.freedesktop.DBus.Properties}" 497 member=Get* 498 peer=(label=unconfined), 499 500 ###SNAP_DESKTOP_FILE_RULES### 501 # Snaps are unable to use the data in mimeinfo.cache (since they can't execute 502 # the returned desktop file themselves). unity messaging menu doesn't require 503 # mimeinfo.cache and xdg-mime will fallback to reading the desktop files 504 # directly to look for MimeType. Since reading the snap's own desktop files is 505 # allowed, we can safely deny access to this file (and xdg-mime will either 506 # return one of the snap's mimetypes, or none). 507 deny /var/lib/snapd/desktop/applications/mimeinfo.cache r, 508 509 # then allow talking to Unity DBus service 510 dbus (send) 511 bus=session 512 interface=org.freedesktop.DBus.Properties 513 path=/com/canonical/indicator/messages/service 514 member=GetAll 515 peer=(label=unconfined), 516 517 dbus (send) 518 bus=session 519 path=/com/canonical/indicator/messages/service 520 interface=com.canonical.indicator.messages.service 521 member={Register,Unregister}Application 522 peer=(label=unconfined), 523 524 # When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule 525 # allows the snap to access parallel installs of this snap. 526 dbus (receive) 527 bus=session 528 interface=org.freedesktop.DBus.Properties 529 path=/com/canonical/indicator/messages/###UNITY_SNAP_NAME###_*_desktop 530 member=GetAll 531 peer=(label=unconfined), 532 533 # When @{SNAP_NAME} == @{SNAP_INSTANCE_NAME}, this rule 534 # allows the snap to access parallel installs of this snap. 535 dbus (receive, send) 536 bus=session 537 interface=com.canonical.indicator.messages.application 538 path=/com/canonical/indicator/messages/###UNITY_SNAP_NAME###_*_desktop 539 peer=(label=unconfined), 540 541 # This rule is meant to be covered by abstractions/dbus-session-strict but 542 # the unity launcher code has a typo that uses /org/freedesktop/dbus as the 543 # path instead of /org/freedesktop/DBus, so we need to all it here. 544 dbus (send) 545 bus=session 546 path=/org/freedesktop/dbus 547 interface=org.freedesktop.DBus 548 member=NameHasOwner 549 peer=(name=org.freedesktop.DBus, label=unconfined), 550 551 # appmenu 552 dbus (send) 553 bus=session 554 path=/org/freedesktop/DBus 555 interface=org.freedesktop.DBus 556 member=ListNames 557 peer=(name=org.freedesktop.DBus, label=unconfined), 558 559 dbus (send) 560 bus=session 561 path=/com/canonical/AppMenu/Registrar 562 interface=com.canonical.AppMenu.Registrar 563 member="{RegisterWindow,UnregisterWindow}" 564 peer=(label=unconfined), 565 566 dbus (send) 567 bus=session 568 path=/com/canonical/AppMenu/Registrar 569 interface=com.canonical.dbusmenu 570 member=UnregisterWindow 571 peer=(label=unconfined), 572 573 dbus (receive) 574 bus=session 575 path=/com/canonical/menu/[0-9]* 576 interface="{org.freedesktop.DBus.Properties,com.canonical.dbusmenu}" 577 member="{GetAll,GetLayout}" 578 peer=(label=unconfined), 579 580 # Allow requesting interest in receiving media key events. This tells Gnome 581 # settings that our application should be notified when key events we are 582 # interested in are pressed, and allows us to receive those events. 583 dbus (receive, send) 584 bus=session 585 interface=org.gnome.SettingsDaemon.MediaKeys 586 path=/org/gnome/SettingsDaemon/MediaKeys 587 peer=(label=unconfined), 588 dbus (send) 589 bus=session 590 interface=org.freedesktop.DBus.Properties 591 path=/org/gnome/SettingsDaemon/MediaKeys 592 member="Get{,All}" 593 peer=(label=unconfined), 594 595 # Allow checking status, activating and locking the screensaver 596 # mate 597 dbus (send) 598 bus=session 599 path="/{,org/mate/}ScreenSaver" 600 interface=org.mate.ScreenSaver 601 member="{GetActive,GetActiveTime,Lock,SetActive}" 602 peer=(label=unconfined), 603 604 dbus (receive) 605 bus=session 606 path="/{,org/mate/}ScreenSaver" 607 interface=org.mate.ScreenSaver 608 member=ActiveChanged 609 peer=(label=unconfined), 610 611 # Unity 612 dbus (send) 613 bus=session 614 interface=com.canonical.Unity.Session 615 path=/com/canonical/Unity/Session 616 member="{ActivateScreenSaver,IsLocked,Lock}" 617 peer=(label=unconfined), 618 619 # Allow unconfined to introspect us 620 dbus (receive) 621 bus=session 622 interface=org.freedesktop.DBus.Introspectable 623 member=Introspect 624 peer=(label=unconfined), 625 626 # gtk2/gvfs gtk_show_uri() 627 dbus (send) 628 bus=session 629 path=/org/gtk/vfs/mounttracker 630 interface=org.gtk.vfs.MountTracker 631 member=ListMountableInfo, 632 dbus (send) 633 bus=session 634 path=/org/gtk/vfs/mounttracker 635 interface=org.gtk.vfs.MountTracker 636 member=LookupMount, 637 ` 638 639 const unity7ConnectedPlugSeccomp = ` 640 # Description: Can access Unity7. Note, Unity 7 runs on X and requires access 641 # to various DBus services and this environment does not prevent eavesdropping 642 # or apps interfering with one another. 643 644 # Needed by QtSystems on X to detect mouse and keyboard 645 socket AF_NETLINK - NETLINK_KOBJECT_UEVENT 646 bind 647 ` 648 649 type unity7Interface struct{} 650 651 func (iface *unity7Interface) Name() string { 652 return "unity7" 653 } 654 655 func (iface *unity7Interface) StaticInfo() interfaces.StaticInfo { 656 return interfaces.StaticInfo{ 657 Summary: unity7Summary, 658 ImplicitOnClassic: true, 659 BaseDeclarationSlots: unity7BaseDeclarationSlots, 660 } 661 } 662 663 func (iface *unity7Interface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 664 // Unity7 will take the desktop filename and convert all '-' and '+' 665 // (and '.', but we don't care about that here because the rule above 666 // already does that) to '_'. Since we know that the desktop filename 667 // starts with the snap name, perform this conversion on the snap name. 668 // 669 // parallel-installs: UNITY_SNAP_NAME is used in the context of dbus 670 // mediation, this unintentionally opens access to dbus paths of keyed 671 // instances of @{SNAP_NAME} to @{SNAP_NAME} snap 672 new := strings.Replace(plug.Snap().DesktopPrefix(), "-", "_", -1) 673 new = strings.Replace(new, "+", "_", -1) 674 old := "###UNITY_SNAP_NAME###" 675 snippet := strings.Replace(unity7ConnectedPlugAppArmor, old, new, -1) 676 677 old = "###SNAP_DESKTOP_FILE_RULES###" 678 new = strings.Join(getDesktopFileRules(plug.Snap().DesktopPrefix()), "\n") 679 snippet = strings.Replace(snippet, old, new+"\n", -1) 680 681 spec.AddSnippet(snippet) 682 return nil 683 } 684 685 func (iface *unity7Interface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error { 686 spec.AddSnippet(unity7ConnectedPlugSeccomp) 687 return nil 688 } 689 690 func (iface *unity7Interface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool { 691 // allow what declarations allowed 692 return true 693 } 694 695 func init() { 696 registerIface(&unity7Interface{}) 697 }