// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// hardwareObserveSummary is the one-line, human-readable description of the
// hardware-observe interface.
const hardwareObserveSummary = `allows reading information about system hardware`

// hardwareObserveBaseDeclarationSlots is the base-declaration policy for the
// slot side of the interface: only a snap of type "core" may provide the slot,
// and plugs are not auto-connected (deny-auto-connection), so a plug has to be
// connected explicitly. The YAML indentation below is significant because this
// text is spliced into a larger base declaration document.
const hardwareObserveBaseDeclarationSlots = `
  hardware-observe:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

// hardwareObserveConnectedPlugAppArmor is the AppArmor policy fragment added to
// the plugging snap's profile once the plug is connected. Everything granted
// here is read-only file access (r / ixr) plus netlink sockets and two
// capabilities.
//
// NOTE(review): despite the "observe" name this is not purely observational.
// The policy grants `capability sys_rawio` and `capability sys_admin`. Under
// AppArmor the file, mount and network rules in the profile still apply, but
// sys_rawio combined with the `iopl` syscall allowed in
// hardwareObserveConnectedPlugSecComp permits raw I/O port access, which can
// write to hardware as well as read from it, and sys_admin is a very broad
// capability. That is why the base declaration sets deny-auto-connection;
// keep it that way and confirm both capabilities are still needed before
// relaxing anything here. `/sys/kernel/debug/usb/devices` is a debugfs path
// and only exists where debugfs is mounted. The `/proc/1/sched` rationale is
// explained inline in the policy text.
const hardwareObserveConnectedPlugAppArmor = `
# Description: This interface allows for getting hardware information
# from the system. This is reserved because it allows reading potentially
# sensitive information.

# used by lscpu and 'lspci -A intel-conf1/intel-conf2'
capability sys_rawio,

# see loaded kernel modules
@{PROC}/modules r,

# used by lspci
capability sys_admin,
/etc/modprobe.d/{,*} r,
/{,usr/}lib/modprobe.d/{,*} r,

# files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs')
/sys/{block,bus,class,devices,firmware}/{,**} r,

# files in /proc/bus/pci (eg, 'lspci -A linux-proc')
@{PROC}/bus/pci/{,**} r,

# DMI tables
/sys/firmware/dmi/tables/DMI r,
/sys/firmware/dmi/tables/smbios_entry_point r,

# power information
/sys/power/{,**} r,
/run/udev/data/+power_supply:* r,

# interrupts
@{PROC}/interrupts r,

# libsensors
/etc/sensors3.conf r,
/etc/sensors.d/{,*} r,

# Needed for udevadm
/run/udev/data/** r,
network netlink raw,

# util-linux
/{,usr/}bin/lsblk ixr,
/{,usr/}bin/lscpu ixr,
/{,usr/}bin/lsmem ixr,

# lsmem
/sys/devices/system/memory/block_size_bytes r,
/sys/devices/system/memory/memory[0-9]*/removable r,
/sys/devices/system/memory/memory[0-9]*/state r,
/sys/devices/system/memory/memory[0-9]*/valid_zones r,

# lsusb
# Note: lsusb and its database have to be shipped in the snap if not on classic
/{,usr/}bin/lsusb ixr,
/var/lib/usbutils/usb.ids r,
/dev/ r,
/dev/bus/usb/{,**/} r,
/etc/udev/udev.conf r,

# lshw -quiet (note, lshw also tries to create /dev/fb-*, but fails gracefully)
@{PROC}/devices r,
@{PROC}/ide/{,**} r,
@{PROC}/scsi/{,**} r,
@{PROC}/device-tree/{,**} r,
/sys/kernel/debug/usb/devices r,
@{PROC}/sys/abi/{,*} r,

# status of hugepages and transparent_hugepage, but not the pages themselves
/sys/kernel/mm/{hugepages,transparent_hugepage}/{,**} r,

# systemd-detect-virt
/{,usr/}bin/systemd-detect-virt ixr,
# VMs
@{PROC}/cpuinfo r,
@{PROC}/sysinfo r, # Linux on z/VM
@{PROC}/xen/capabilities r,
/sys/hypervisor/properties/features r,
/sys/hypervisor/type r,

# containers
/run/systemd/container r,

# /proc/1/sched in a systemd-nspawn container with '-a' is supposed to show on
# its first line a pid that != 1 and systemd-detect-virt tries to detect this.
# This doesn't seem to be the case on (at least) systemd 240 on Ubuntu. This
# file is somewhat sensitive for arbitrary pids, but is not overly so for pid
# 1. For containers, systemd won't normally look at this file since it has
# access to /run/systemd/container and 'container' from the environment, and
# systemd fails gracefully when it doesn't have access to /proc/1/sched. For
# VMs, systemd requires access to /proc/1/sched in its detection algorithm.
# See src/basic/virt.c from systemd sources for details.
@{PROC}/1/sched r,

# systemd-detect-virt --private-users will look at these and the access is
# better added to system-observe. Since snaps typically only care about
# --container and --vm leave these commented out.
#@{PROC}/@{pid}/uid_map r,
#@{PROC}/@{pid}/gid_map r,
#@{PROC}/@{pid}/setgroups r,

# systemd-detect-virt --chroot requires 'ptrace (read)' on unconfined to
# determine if it is running in a chroot. Like above, this is best granted via
# system-observe.
#ptrace (read) peer=unconfined,
`

// hardwareObserveConnectedPlugSecComp is the seccomp allow-list added for a
// connected plug: the iopl syscall, AF_NETLINK sockets of the NETLINK_GENERIC
// and NETLINK_KOBJECT_UEVENT families, and bind (needed to subscribe to
// uevents on the netlink socket).
//
// NOTE(review): iopl(2) raises the process's I/O privilege level; together with
// the sys_rawio capability in the AppArmor policy above this allows direct
// port I/O (reads and writes), which is the one genuinely non-read-only grant
// in this interface. Confirm 'lspci -A intel-conf1/intel-conf2' is still the
// only consumer before keeping or widening this.
const hardwareObserveConnectedPlugSecComp = `
# Description: This interface allows for getting hardware information
# from the system. This is reserved because it allows reading potentially
# sensitive information.

# used by 'lspci -A intel-conf1/intel-conf2'
iopl

# multicast statistics
socket AF_NETLINK - NETLINK_GENERIC

# kernel uevents
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
bind
`

// init registers hardware-observe as a commonInterface with the builtin
// interface registry. implicitOnCore/implicitOnClassic are both set, so the
// slot is presumably provided implicitly by the system snap on every system
// type; the security policy and base declaration come from the constants
// above.
func init() {
	registerIface(&commonInterface{
		name:                  "hardware-observe",
		summary:               hardwareObserveSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  hardwareObserveBaseDeclarationSlots,
		connectedPlugAppArmor: hardwareObserveConnectedPlugAppArmor,
		connectedPlugSecComp:  hardwareObserveConnectedPlugSecComp,
	})
}