// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2018 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

// This file defines the "firewall-control" interface: the summary, the
// base-declaration slot policy, and the AppArmor / seccomp / kernel-module
// policy that a connected plug receives.
package builtin

// firewallControlSummary is the one-line description shown for the
// firewall-control interface.
const firewallControlSummary = `allows control over network firewall`

// firewallControlBaseDeclarationSlots is the base-declaration policy for the
// firewall-control slot. Only snaps of type "core" may provide the slot, and
// auto-connection is denied: a plug is not connected automatically on
// install, so the privileges below are only granted after an explicit
// connection (manual, or through whatever override mechanism snapd's
// assertion policy provides — that lives outside this file).
const firewallControlBaseDeclarationSlots = `
  firewall-control:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

// firewallControlConnectedPlugAppArmor is the AppArmor policy added to a
// connected plug's profile. What it grants is worth spelling out for review:
//
//   - capability net_admin, net_raw and setuid, plus raw inet/inet6 sockets
//     (the raw sockets and setuid are there for ping/ping6);
//   - execution of the iptables/ip6tables/iptables-apply/xtables-multi and
//     sysctl binaries;
//   - the "@xtables" abstract unix socket and /{,var/}run/xtables.lock;
//   - read access to the per-process and system networking sysctl trees, and
//     write access to a fixed list of sysctls (ip_forward, rp_filter,
//     accept_source_route, accept_redirects, tcp_syncookies, the
//     bridge-nf-* knobs, nf_conntrack limits and timeouts, ...) and to
//     /sys/module/nf_conntrack/parameters/hashsize.
//
// Those sysctls are host-wide, so a connected snap can change networking
// behaviour for every process on the system; that is the reason the base
// declaration above denies auto-connection. Module loading is deliberately
// not granted: only a read of @{PROC}/sys/kernel/modprobe is allowed (see the
// comment inside the policy), and the modules iptables needs are listed in
// firewallControlConnectedPlugKmod instead. The systemd-resolved D-Bus rule
// matches only the Resolve{Address,Hostname,Record,Service} members of the
// Manager interface; other members of that interface are not matched by it.
//
// Policy derived from:
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/firewall-control
const firewallControlConnectedPlugAppArmor = `
# Description: Can configure firewall. This is restricted because it gives
# privileged access to networking and should only be used with trusted apps.

#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
#   https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
#   https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
    bus=system
    path="/org/freedesktop/resolve1"
    interface="org.freedesktop.resolve1.Manager"
    member="Resolve{Address,Hostname,Record,Service}"
    peer=(name="org.freedesktop.resolve1"),

capability net_admin,

/{,usr/}{,s}bin/iptables{,-save,-restore} ixr,
/{,usr/}{,s}bin/ip6tables{,-save,-restore} ixr,
/{,usr/}{,s}bin/iptables-apply ixr,
/{,usr/}{,s}bin/xtables-multi ixr, # ip[6]tables*

# ping - child profile would be nice but seccomp causes problems with that
/{,usr/}{,s}bin/ping ixr,
/{,usr/}{,s}bin/ping6 ixr,
capability net_raw,
capability setuid,
network inet raw,
network inet6 raw,

# iptables (note, we don't want to allow loading modules, but
# we can allow reading @{PROC}/sys/kernel/modprobe).
@{PROC}/sys/kernel/modprobe r,

unix (bind, listen) type=stream addr="@xtables",
/{,var/}run/xtables.lock rwk,

@{PROC}/@{pid}/net/ r,
@{PROC}/@{pid}/net/** r,

# nft accesses these for routing expressions and device groups
/etc/iproute2/ r,
/etc/iproute2/rt_marks r,
/etc/iproute2/rt_realms r,
/etc/iproute2/group r,

# sysctl
/{,usr/}{,s}bin/sysctl ixr,
@{PROC}/sys/ r,
@{PROC}/sys/net/ r,
@{PROC}/sys/net/core/ r,
@{PROC}/sys/net/core/** r,
@{PROC}/sys/net/ipv{4,6}/ r,
@{PROC}/sys/net/ipv{4,6}/** r,
@{PROC}/sys/net/netfilter/ r,
@{PROC}/sys/net/netfilter/** r,
@{PROC}/sys/net/nf_conntrack_max r,

# check the state of the Kmod modules
/sys/module/arp_tables/ r,
/sys/module/arp_tables/initstate r,
/sys/module/br_netfilter/ r,
/sys/module/br_netfilter/initstate r,
/sys/module/iptable_filter/ r,
/sys/module/iptable_filter/initstate r,
/sys/module/ip6table_filter/ r,
/sys/module/ip6table_filter/initstate r,
/sys/module/nf_*/initstate r,

# read netfilter module parameters
/sys/module/nf_*/ r,
/sys/module/nf_*/parameters/{,*} r,

# write netfilter module parameters
/sys/module/nf_conntrack/parameters/hashsize w,

# various firewall related sysctl files
@{PROC}/sys/net/bridge/bridge-nf-call-arptables rw,
@{PROC}/sys/net/bridge/bridge-nf-call-iptables rw,
@{PROC}/sys/net/bridge/bridge-nf-call-ip6tables rw,
@{PROC}/sys/net/bridge/bridge-nf-filter-pppoe-tagged rw,
@{PROC}/sys/net/bridge/bridge-nf-filter-vlan-tagged rw,
@{PROC}/sys/net/bridge/bridge-nf-pass-vlan-input-dev rw,
@{PROC}/sys/net/ipv4/conf/*/rp_filter w,
@{PROC}/sys/net/ipv{4,6}/conf/*/accept_source_route w,
@{PROC}/sys/net/ipv{4,6}/conf/*/accept_redirects w,
@{PROC}/sys/net/ipv4/icmp_echo_ignore_broadcasts w,
@{PROC}/sys/net/ipv4/icmp_ignore_bogus_error_responses w,
@{PROC}/sys/net/ipv4/icmp_echo_ignore_all w,
@{PROC}/sys/net/ipv4/ip_forward w,
@{PROC}/sys/net/ipv4/conf/*/log_martians w,
@{PROC}/sys/net/ipv4/tcp_syncookies w,
@{PROC}/sys/net/ipv6/conf/*/forwarding w,
@{PROC}/sys/net/netfilter/nf_conntrack_helper rw,
@{PROC}/sys/net/netfilter/nf_conntrack_max rw,
@{PROC}/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait rw,
@{PROC}/sys/net/netfilter/nf_conntrack_tcp_timeout_established rw,
`

// firewallControlConnectedPlugSecComp is the seccomp policy added to a
// connected plug. It permits bind (for the xtables abstract socket) and
// AF_NETLINK sockets of the NETLINK_FIREWALL, NETLINK_NFLOG,
// NETLINK_NETFILTER, NETLINK_IP6_FW and NETLINK_ROUTE protocols, plus capset
// and setuid for ping/ping6. Seccomp only filters which socket protocols can
// be opened; what a snap may then do over those sockets is subject to the
// kernel's capability checks, and the AppArmor policy above mediates which
// capabilities the snap can use.
//
// Policy derived from:
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/firewall-control
const firewallControlConnectedPlugSecComp = `
# Description: Can configure firewall. This is restricted because it gives
# privileged access to networking and should only be used with trusted apps.

# for connecting to xtables abstract and netlink sockets
bind
socket AF_NETLINK - NETLINK_FIREWALL
socket AF_NETLINK - NETLINK_NFLOG
socket AF_NETLINK - NETLINK_NETFILTER
socket AF_NETLINK - NETLINK_IP6_FW
socket AF_NETLINK - NETLINK_ROUTE

# for ping and ping6
capset
setuid
`

// firewallControlConnectedPlugKmod lists the kernel modules handed to
// commonInterface via connectedPlugKModModules in init below. The field name
// suggests snapd loads them itself on connection (confirm in
// commonInterface); that keeps module loading out of the snap, which the
// AppArmor policy above deliberately does not permit. These are the modules
// that iptables and friends do not auto-load on their own.
//
// These don't auto-load via iptables, etc
var firewallControlConnectedPlugKmod = []string{
	"arp_tables",
	"br_netfilter",
	"ip6table_filter",
	"iptable_filter",
}

// init registers the firewall-control interface using the shared
// commonInterface implementation. The slot is marked implicit on both core
// and classic systems and reservedForOS (the exact semantics of those flags
// live in commonInterface); the base declaration and the per-connection
// AppArmor, seccomp and kernel-module policy come from the values defined
// above in this file.
func init() {
	registerIface(&commonInterface{
		name:                     "firewall-control",
		summary:                  firewallControlSummary,
		implicitOnCore:           true,
		implicitOnClassic:        true,
		baseDeclarationSlots:     firewallControlBaseDeclarationSlots,
		connectedPlugAppArmor:    firewallControlConnectedPlugAppArmor,
		connectedPlugSecComp:     firewallControlConnectedPlugSecComp,
		connectedPlugKModModules: firewallControlConnectedPlugKmod,
		reservedForOS:            true,
	})
}