github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/interfaces/builtin/utils.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"bytes"
    24  	"fmt"
    25  	"path/filepath"
    26  	"regexp"
    27  	"sort"
    28  
    29  	"github.com/snapcore/snapd/dirs"
    30  	"github.com/snapcore/snapd/interfaces"
    31  	"github.com/snapcore/snapd/release"
    32  	"github.com/snapcore/snapd/snap"
    33  )
    34  
    35  // The maximum number of Usb bInterfaceNumber.
    36  const UsbMaxInterfaces = 32
    37  
    38  // labelExpr returns the specification of the apparmor label describing
    39  // given apps and hooks. The result has one of three forms,
    40  // depending on how apps are bound to the slot:
    41  //
    42  // - "snap.$snap_instance.$app" if there is exactly one app bound
    43  // - "snap.$snap_instance.{$app1,...$appN, $hook1...$hookN}" if there are some, but not all, apps/hooks bound
    44  // - "snap.$snap_instance.*" if all apps/hook are bound to the plug or slot
    45  func labelExpr(apps map[string]*snap.AppInfo, hooks map[string]*snap.HookInfo, snap *snap.Info) string {
    46  	var buf bytes.Buffer
    47  
    48  	names := make([]string, 0, len(apps)+len(hooks))
    49  	for appName := range apps {
    50  		names = append(names, appName)
    51  	}
    52  	for hookName := range hooks {
    53  		names = append(names, fmt.Sprintf("hook.%s", hookName))
    54  	}
    55  	sort.Strings(names)
    56  
    57  	fmt.Fprintf(&buf, `"snap.%s.`, snap.InstanceName())
    58  	if len(names) == 1 {
    59  		buf.WriteString(names[0])
    60  	} else if len(apps) == len(snap.Apps) && len(hooks) == len(snap.Hooks) {
    61  		buf.WriteByte('*')
    62  	} else if len(names) > 0 {
    63  		buf.WriteByte('{')
    64  		for _, name := range names {
    65  			buf.WriteString(name)
    66  			buf.WriteByte(',')
    67  		}
    68  		// remove trailing comma
    69  		buf.Truncate(buf.Len() - 1)
    70  		buf.WriteByte('}')
    71  	} // else: len(names)==0, gives "snap.<name>." that doesn't match anything
    72  	buf.WriteByte('"')
    73  	return buf.String()
    74  }
    75  
    76  // XXX: rename as it includes hooks too
    77  func slotAppLabelExpr(slot *interfaces.ConnectedSlot) string {
    78  	return labelExpr(slot.Apps(), slot.Hooks(), slot.Snap())
    79  }
    80  
    81  // XXX: rename as it includes hooks too
    82  func plugAppLabelExpr(plug *interfaces.ConnectedPlug) string {
    83  	return labelExpr(plug.Apps(), plug.Hooks(), plug.Snap())
    84  }
    85  
    86  // Determine if the permanent slot side is provided by the system. On classic
    87  // systems some implicit slots can be provided by the system or by an
    88  // application snap (eg avahi can be installed as deb or snap).
    89  // - slot owned by the system (core/snapd snap) usually requires no action
    90  // - slot owned by an application snap typically requires rules updates
    91  func implicitSystemPermanentSlot(slot *snap.SlotInfo) bool {
    92  	if release.OnClassic &&
    93  		(slot.Snap.Type() == snap.TypeOS || slot.Snap.Type() == snap.TypeSnapd) {
    94  		return true
    95  	}
    96  	return false
    97  }
    98  
    99  // Determine if the connected slot side is provided by the system. As for
   100  // isPermanentSlotSystemSlot(), the slot can be owned by the system or an
   101  // application.
   102  func implicitSystemConnectedSlot(slot *interfaces.ConnectedSlot) bool {
   103  	if release.OnClassic &&
   104  		(slot.Snap().Type() == snap.TypeOS || slot.Snap().Type() == snap.TypeSnapd) {
   105  		return true
   106  	}
   107  	return false
   108  }
   109  
   110  // determine if the given slot attribute path matches the regex.
   111  // invalidErrFmt provides a fmt.Errorf format to create an error in
   112  // the case the path does not matches, it should allow to include
   113  // slotRef and be something like: "slot %q path attribute must be a
   114  // valid <path kind>".
   115  func verifySlotPathAttribute(slotRef *interfaces.SlotRef, attrs interfaces.Attrer, reg *regexp.Regexp, invalidErrFmt string) (string, error) {
   116  	var path string
   117  	if err := attrs.Attr("path", &path); err != nil || path == "" {
   118  		return "", fmt.Errorf("slot %q must have a path attribute", slotRef)
   119  	}
   120  	cleanPath := filepath.Clean(path)
   121  	if cleanPath != path {
   122  		return "", fmt.Errorf(`cannot use slot %q path %q: try %q"`, slotRef, path, cleanPath)
   123  	}
   124  	if !reg.MatchString(cleanPath) {
   125  		return "", fmt.Errorf(invalidErrFmt, slotRef)
   126  	}
   127  	return cleanPath, nil
   128  }
   129  
   130  // aareExclusivePatterns takes a string and generates deny alternations. Eg,
   131  // aareExclusivePatterns("foo") returns:
   132  // []string{
   133  //   "[^f]*",
   134  //   "f[^o]*",
   135  //   "fo[^o]*",
   136  // }
   137  func aareExclusivePatterns(orig string) []string {
   138  	// This function currently is only intended to be used with desktop
   139  	// prefixes as calculated by info.DesktopPrefix (the snap name and
   140  	// instance name, if present). To avoid having to worry about aare
   141  	// special characters, etc, perform ValidateDesktopPrefix() and return
   142  	// an empty list if invalid. If this function is modified for other
   143  	// input, aare/quoting/etc will have to be considered.
   144  	if !snap.ValidateDesktopPrefix(orig) {
   145  		return nil
   146  	}
   147  
   148  	s := make([]string, len(orig))
   149  
   150  	prefix := ""
   151  	for i, letter := range orig {
   152  		prefix = orig[:i]
   153  		s[i] = fmt.Sprintf("%s[^%c]*", prefix, letter)
   154  	}
   155  	return s
   156  }
   157  
   158  // getDesktopFileRules(<snap instance name>) generates snippet rules for
   159  // allowing access to the specified snap's desktop files in
   160  // dirs.SnapDesktopFilesDir, but explicitly denies access to all other snaps'
   161  // desktop files since xdg libraries may try to read all the desktop files
   162  // in the dir, causing excessive noise. (LP: #1868051)
   163  func getDesktopFileRules(snapInstanceName string) []string {
   164  	baseDir := dirs.SnapDesktopFilesDir
   165  
   166  	rules := []string{
   167  		"# Support applications which use the unity messaging menu, xdg-mime, etc",
   168  		"# This leaks the names of snaps with desktop files",
   169  		fmt.Sprintf("%s/ r,", baseDir),
   170  		"# Allowing reading only our desktop files (required by (at least) the unity",
   171  		"# messaging menu).",
   172  		"# parallel-installs: this leaks read access to desktop files owned by keyed",
   173  		"# instances of @{SNAP_NAME} to @{SNAP_NAME} snap",
   174  		fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,", baseDir),
   175  		"# Explicitly deny access to other snap's desktop files",
   176  		fmt.Sprintf("deny %s/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,", baseDir),
   177  	}
   178  	for _, t := range aareExclusivePatterns(snapInstanceName) {
   179  		rules = append(rules, fmt.Sprintf("deny %s/%s r,", baseDir, t))
   180  	}
   181  
   182  	return rules
   183  }