// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2017 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// desktopLegacySummary is the one-line description registered for the
// desktop-legacy interface (the summary field handed to registerIface in
// init below).
const desktopLegacySummary = `allows privileged access to desktop legacy methods`

// desktopLegacyBaseDeclarationSlots restricts where a desktop-legacy slot may
// be installed: only snaps of type "core" may provide it. It carries no
// auto-connection rule, so connection policy is left to the defaults.
//
// While this gives privileged access to legacy methods we should auto-connect
// this transitional interface since most desktop applications will need it.
// When safe alternative methods are added to the desktop interface by default,
// we can consider making this manually connected.
const desktopLegacyBaseDeclarationSlots = `
  desktop-legacy:
    allow-installation:
      slot-snap-type:
        - core
`

// desktopLegacyConnectedPlugAppArmor is the AppArmor policy added to the
// plugging snap once the interface is connected. The rules below grant access
// to legacy desktop IPC: the accessibility (at-spi) bus, the ibus, mozc and
// fcitx input methods, the gvfs mount tracker used by gtk_show_uri(), and the
// desktop files snapd exports under /var/lib/snapd/desktop/applications.
//
// Security notes for reviewers, each visible in the rules themselves:
//   - Most D-Bus rules use peer=(label=unconfined): the snap may talk to any
//     unconfined session process exposing these paths, not only the daemon.
//   - The ibus socket rule and the fcitx /inputcontext_* rules are not tied
//     to the snap's own security label, so a connected snap can observe key
//     and mouse events meant for other applications (called out in the rule
//     comments as an information leak / sniffing risk).
//   - The two org.gtk.vfs.MountTracker rules carry no peer restriction.
//   - Reading /var/lib/snapd/desktop/applications/ reveals which snaps ship
//     desktop files, and the @{SNAP_INSTANCE_NAME}_*.desktop glob also
//     matches desktop files of keyed parallel instances of the same snap.
// These properties are why the interface is described as "privileged" and
// kept transitional (see the comment on desktopLegacyBaseDeclarationSlots).
const desktopLegacyConnectedPlugAppArmor = `
# Description: Can access common desktop legacy methods. This gives privileged
# access to the user's input.

# accessibility (a11y)
#include <abstractions/dbus-session-strict>
dbus (send)
    bus=session
    path=/org/a11y/bus
    interface=org.a11y.Bus
    member=GetAddress
    peer=(label=unconfined),

#include <abstractions/dbus-accessibility-strict>

# Allow the accessibility services in the user session to send us any events
dbus (receive)
    bus=accessibility
    peer=(label=unconfined),

# Allow querying for capabilities and registering
dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/accessible/root"
    interface="org.a11y.atspi.Socket"
    member="Embed"
    peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/registry"
    interface="org.a11y.atspi.Registry"
    member="GetRegisteredEvents"
    peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/registry/deviceeventcontroller"
    interface="org.a11y.atspi.DeviceEventController"
    member="Get{DeviceEvent,Keystroke}Listeners"
    peer=(name=org.a11y.atspi.Registry, label=unconfined),
dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/registry/deviceeventcontroller"
    interface="org.a11y.atspi.DeviceEventController"
    member="NotifyListenersSync"
    peer=(name=org.a11y.atspi.Registry, label=unconfined),

# org.a11y.atspi is not designed for application isolation and these rules
# can be used to send change events for other processes.
dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/accessible/root"
    interface="org.a11y.atspi.Event.Object"
    member="ChildrenChanged"
    peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/accessible/root"
    interface="org.a11y.atspi.Accessible"
    member="Get*"
    peer=(label=unconfined),
dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/accessible/[0-9]*"
    interface="org.a11y.atspi.Event.Object"
    member="{ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}"
    peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/accessible/[0-9]*"
    interface="org.freedesktop.DBus.Properties"
    member="Get{,All}"
    peer=(label=unconfined),

dbus (send)
    bus=accessibility
    path="/org/a11y/atspi/cache"
    interface="org.a11y.atspi.Cache"
    member="{Add,Remove}Accessible"
    peer=(name=org.freedesktop.DBus, label=unconfined),


# ibus
# subset of ibus abstraction
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/ r,
owner @{HOME}/.config/ibus/bus/ r,
owner @{HOME}/.config/ibus/bus/* r,

# allow communicating with ibus-daemon (this allows sniffing key events)
unix (connect, receive, send)
    type=stream
    peer=(addr="@/tmp/ibus/dbus-*"),


# mozc
# allow communicating with mozc server
unix (connect, receive, send)
    type=stream
    peer=(addr="@tmp/.mozc.*"),


# fcitx
# allow communicating with fcitx dbus service
dbus send
    bus=fcitx
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
    peer=(name=org.freedesktop.DBus),

owner @{HOME}/.config/fcitx/dbus/* r,

# allow creating an input context
dbus send
    bus={fcitx,session}
    path=/inputmethod
    interface=org.fcitx.Fcitx.InputMethod
    member=CreateIC*
    peer=(label=unconfined),

# allow setting up and tearing down the input context
dbus send
    bus={fcitx,session}
    path=/inputcontext_[0-9]*
    interface=org.fcitx.Fcitx.InputContext
    member="{Close,Destroy,Enable}IC"
    peer=(label=unconfined),

dbus send
    bus={fcitx,session}
    path=/inputcontext_[0-9]*
    interface=org.fcitx.Fcitx.InputContext
    member=Reset
    peer=(label=unconfined),

# allow service to send us signals
dbus receive
    bus=fcitx
    peer=(label=unconfined),

dbus receive
    bus=session
    interface=org.fcitx.Fcitx.*
    peer=(label=unconfined),

# use the input context
dbus send
    bus={fcitx,session}
    path=/inputcontext_[0-9]*
    interface=org.fcitx.Fcitx.InputContext
    member="Focus{In,Out}"
    peer=(label=unconfined),

dbus send
    bus={fcitx,session}
    path=/inputcontext_[0-9]*
    interface=org.fcitx.Fcitx.InputContext
    member="{CommitPreedit,Set*}"
    peer=(label=unconfined),

# this is an information leak and allows key and mouse sniffing. If the input
# context path were tied to the process' security label, this would not be an
# issue.
dbus send
    bus={fcitx,session}
    path=/inputcontext_[0-9]*
    interface=org.fcitx.Fcitx.InputContext
    member="{MouseEvent,ProcessKeyEvent}"
    peer=(label=unconfined),

# this method does not exist with the sunpinyin backend (at least), so allow
# it for other input methods. This may consitute an information leak (which,
# again, could be avoided if the path were tied to the process' security
# label).
dbus send
    bus={fcitx,session}
    path=/inputcontext_[0-9]*
    interface=org.freedesktop.DBus.Properties
    member=GetAll
    peer=(label=unconfined),

# gtk2/gvfs gtk_show_uri()
dbus (send)
    bus=session
    path=/org/gtk/vfs/mounttracker
    interface=org.gtk.vfs.MountTracker
    member=ListMountableInfo,
dbus (send)
    bus=session
    path=/org/gtk/vfs/mounttracker
    interface=org.gtk.vfs.MountTracker
    member=LookupMount,

# This leaks the names of snaps with desktop files
/var/lib/snapd/desktop/applications/ r,
/var/lib/snapd/desktop/applications/mimeinfo.cache r,
# Support BAMF_DESKTOP_FILE_HINT by allowing reading our desktop files
# parallel-installs: this leaks read access to desktop files owned by keyed
# instances of @{SNAP_NAME} to @{SNAP_NAME} snap
/var/lib/snapd/desktop/applications/@{SNAP_INSTANCE_NAME}_*.desktop r,
`

// desktopLegacyConnectedPlugSecComp is the seccomp policy added to the
// plugging snap on connection. It permits listen, accept and accept4, i.e. the
// application may accept incoming connections itself. Nothing in this file
// states which of the services above needs that — presumably the at-spi
// peer-to-peer sockets; confirm before tightening.
const desktopLegacyConnectedPlugSecComp = `
# Description: Can access common desktop legacy methods. This gives privileged
# access to the user's input.

listen
accept
accept4
`

// init registers desktop-legacy as a commonInterface built from the constants
// above. implicitOnClassic and reservedForOS are passed as true; their exact
// effect is defined by commonInterface, not here — by name, the former looks
// like "the slot is provided implicitly on classic systems" (TODO confirm).
func init() {
	registerIface(&commonInterface{
		name:                  "desktop-legacy",
		summary:               desktopLegacySummary,
		implicitOnClassic:     true,
		baseDeclarationSlots:  desktopLegacyBaseDeclarationSlots,
		connectedPlugAppArmor: desktopLegacyConnectedPlugAppArmor,
		connectedPlugSecComp:  desktopLegacyConnectedPlugSecComp,
		reservedForOS:         true,
	})
}