
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// firewallControlSummary is the one-line description registered for the
// firewall-control interface (passed as the summary in init below).
const firewallControlSummary = `allows control over network firewall`
    23  
// firewallControlBaseDeclarationSlots is the base-declaration policy for the
// slot side of firewall-control. Two things are enforced here:
//   - allow-installation is limited to slot-snap-type core, so only the core
//     snap can provide the slot;
//   - deny-auto-connection is set, so a plug is never connected automatically
//     and the permissions in the policies below are only granted after an
//     explicit connection.
const firewallControlBaseDeclarationSlots = `
  firewall-control:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`
    31  
// firewallControlConnectedPlugAppArmor is the AppArmor policy snippet added to
// a snap app's profile once its firewall-control plug is connected. Derived
// from the Ubuntu Core 16.04 policy group:
//
//	http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/firewall-control
//
// Points a security reviewer should keep in mind when touching this policy:
//
//   - capability net_admin, net_raw and setuid (and raw inet/inet6 sockets)
//     are granted to the whole app profile, not scoped to iptables or ping:
//     the binaries below execute with 'ix' (inherit the caller's profile),
//     and the comment on the ping rules explains why no child profile is
//     used. Every process of a connected app therefore has these rights.
//   - NOTE(review): net_admin is the same capability that covers interface
//     and routing configuration, so connecting this interface amounts to
//     trusting the snap with the host's network stack, not just its firewall
//     rules (the policy's own description says as much). That is why the
//     base declaration restricts the slot to core and denies auto-connection.
//   - Writable paths are an explicit allow-list (nf_conntrack hashsize plus
//     the bridge, ipv{4,6} and netfilter sysctls at the end); everything else
//     under @{PROC}/sys/net and /sys/module is read-only, and module loading
//     is deliberately not granted (only reading @{PROC}/sys/kernel/modprobe).
//     Add new rw rules here sparingly and one path at a time.
//   - systemd-resolved access over D-Bus is limited to the Resolve* members
//     of org.freedesktop.resolve1.Manager.
const firewallControlConnectedPlugAppArmor = `
# Description: Can configure firewall. This is restricted because it gives
# privileged access to networking and should only be used with trusted apps.

#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
#   https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
#   https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
     bus=system
     path="/org/freedesktop/resolve1"
     interface="org.freedesktop.resolve1.Manager"
     member="Resolve{Address,Hostname,Record,Service}"
     peer=(name="org.freedesktop.resolve1"),

capability net_admin,

/{,usr/}{,s}bin/iptables{,-save,-restore} ixr,
/{,usr/}{,s}bin/ip6tables{,-save,-restore} ixr,
/{,usr/}{,s}bin/iptables-apply ixr,
/{,usr/}{,s}bin/xtables-multi ixr, # ip[6]tables*

# ping - child profile would be nice but seccomp causes problems with that
/{,usr/}{,s}bin/ping ixr,
/{,usr/}{,s}bin/ping6 ixr,
capability net_raw,
capability setuid,
network inet raw,
network inet6 raw,

# iptables (note, we don't want to allow loading modules, but
# we can allow reading @{PROC}/sys/kernel/modprobe).
@{PROC}/sys/kernel/modprobe r,

unix (bind, listen) type=stream addr="@xtables",
/{,var/}run/xtables.lock rwk,

@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# nft accesses these for routing expressions and device groups
/etc/iproute2/ r,
/etc/iproute2/rt_marks r,
/etc/iproute2/rt_realms r,
/etc/iproute2/group r,

# sysctl
/{,usr/}{,s}bin/sysctl ixr,
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** r,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** r,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** r,
@{PROC}/sys/net/nf_conntrack_max r,

# check the state of the Kmod modules
/sys/module/arp_tables/               r,
/sys/module/arp_tables/initstate      r,
/sys/module/br_netfilter/             r,
/sys/module/br_netfilter/initstate    r,
/sys/module/iptable_filter/           r,
/sys/module/iptable_filter/initstate  r,
/sys/module/ip6table_filter/          r,
/sys/module/ip6table_filter/initstate r,
/sys/module/nf_*/initstate            r,

# read netfilter module parameters
/sys/module/nf_*/                     r,
/sys/module/nf_*/parameters/{,*}      r,

# write netfilter module parameters
/sys/module/nf_conntrack/parameters/hashsize w,

# various firewall related sysctl files
@{PROC}/sys/net/bridge/bridge-nf-call-arptables rw,
@{PROC}/sys/net/bridge/bridge-nf-call-iptables rw,
@{PROC}/sys/net/bridge/bridge-nf-call-ip6tables rw,
@{PROC}/sys/net/bridge/bridge-nf-filter-pppoe-tagged rw,
@{PROC}/sys/net/bridge/bridge-nf-filter-vlan-tagged rw,
@{PROC}/sys/net/bridge/bridge-nf-pass-vlan-input-dev rw,
@{PROC}/sys/net/ipv4/conf/*/rp_filter w,
@{PROC}/sys/net/ipv{4,6}/conf/*/accept_source_route w,
@{PROC}/sys/net/ipv{4,6}/conf/*/accept_redirects w,
@{PROC}/sys/net/ipv4/icmp_echo_ignore_broadcasts w,
@{PROC}/sys/net/ipv4/icmp_ignore_bogus_error_responses w,
@{PROC}/sys/net/ipv4/icmp_echo_ignore_all w,
@{PROC}/sys/net/ipv4/ip_forward w,
@{PROC}/sys/net/ipv4/conf/*/log_martians w,
@{PROC}/sys/net/ipv4/tcp_syncookies w,
@{PROC}/sys/net/ipv6/conf/*/forwarding w,
@{PROC}/sys/net/netfilter/nf_conntrack_helper rw,
@{PROC}/sys/net/netfilter/nf_conntrack_max rw,
@{PROC}/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait rw,
@{PROC}/sys/net/netfilter/nf_conntrack_tcp_timeout_established rw,
`
   142  
// firewallControlConnectedPlugSecComp is the seccomp policy snippet added to a
// snap app once its firewall-control plug is connected. Derived from the
// Ubuntu Core 16.04 policy group:
//
//	http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/firewall-control
//
// It allows bind (the xtables tools use the @xtables abstract socket that the
// AppArmor policy also permits), the AF_NETLINK protocol families the firewall
// tools talk to -- note this includes NETLINK_ROUTE, not only the netfilter
// ones -- and capset/setuid, which are listed for ping/ping6 but, like the
// rest of the filter, apply to every process of the app.
const firewallControlConnectedPlugSecComp = `
# Description: Can configure firewall. This is restricted because it gives
# privileged access to networking and should only be used with trusted apps.

# for connecting to xtables abstract and netlink sockets
bind
socket AF_NETLINK - NETLINK_FIREWALL
socket AF_NETLINK - NETLINK_NFLOG
socket AF_NETLINK - NETLINK_NETFILTER
socket AF_NETLINK - NETLINK_IP6_FW
socket AF_NETLINK - NETLINK_ROUTE

# for ping and ping6
capset
setuid
`
   160  
// firewallControlConnectedPlugKmod lists the kernel modules to load when a
// firewall-control plug is connected (wired up as connectedPlugKModModules in
// init): the iptables/nft tools do not auto-load these themselves. The
// matching /sys/module/<name>/initstate reads in the AppArmor policy let the
// connected snap check that they are present.
var firewallControlConnectedPlugKmod = []string{"arp_tables", "br_netfilter", "ip6table_filter", "iptable_filter"}
   168  
// init registers the firewall-control interface with the builtin registry.
// The interface is implicit on both core and classic systems and is reserved
// for the OS snap; the connected-plug AppArmor, seccomp and kernel-module
// policies defined above are attached here, and the base declaration keeps
// the slot on core and disables auto-connection.
func init() {
	iface := &commonInterface{
		name:                     "firewall-control",
		summary:                  firewallControlSummary,
		implicitOnCore:           true,
		implicitOnClassic:        true,
		reservedForOS:            true,
		baseDeclarationSlots:     firewallControlBaseDeclarationSlots,
		connectedPlugAppArmor:    firewallControlConnectedPlugAppArmor,
		connectedPlugSecComp:     firewallControlConnectedPlugSecComp,
		connectedPlugKModModules: firewallControlConnectedPlugKmod,
	}
	registerIface(iface)
}