github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/builtin/fuse_support.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"github.com/snapcore/snapd/release"
    24  )
    25  
// fuseSupportSummary is the one-line summary registered for the
// fuse-support interface.
const fuseSupportSummary = `allows access to the FUSE file system`
    27  
// fuseSupportBaseDeclarationSlots is the base-declaration fragment for the
// fuse-support slot. It allows installation of the slot only for snaps of
// type core and sets deny-auto-connection, so a plug is not connected
// automatically.
//
// NOTE(review): the connected-plug AppArmor snippet in this file grants
// capability sys_admin, so deny-auto-connection is a security-relevant
// setting here; relaxing it should be a deliberate decision.
const fuseSupportBaseDeclarationSlots = `
  fuse-support:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`
    35  
// fuseSupportConnectedPlugSecComp is the seccomp snippet for a connected
// fuse-support plug. The only entry it adds is the mount syscall.
const fuseSupportConnectedPlugSecComp = `
# Description: Can run a FUSE filesystem. Unprivileged fuse mounts are
# not supported at this time.

mount
`
    42  
// fuseSupportConnectedPlugAppArmor is the AppArmor snippet for a connected
// fuse-support plug. It contains:
//
//   - read/write access to /dev/fuse and capability sys_admin;
//   - mount rules limited to fstype fuse.*, to the option sets
//     (ro,nosuid,nodev) and (rw,nosuid,nodev), and to targets inside the
//     snap's own per-revision and common directories under /home/*/snap
//     and /var/snap;
//   - an explicit deny on reading /etc/fuse.conf;
//   - read access to /sys/fs/fuse/.
//
// The fusermount rule at the end is commented out and therefore not part
// of the policy.
//
// NOTE(review): capability sys_admin covers far more than mount(2). The
// constraints visible in this file are the mount rules below, the seccomp
// snippet and deny-auto-connection in the base declaration. Any new mount
// rule should keep nosuid,nodev and a snap-specific target; widening the
// options or targets widens what a connected snap can mount.
const fuseSupportConnectedPlugAppArmor = `
# Description: Can run a FUSE filesystem. Unprivileged fuse mounts are
# not supported at this time.

# Allow communicating with fuse kernel driver
# https://www.kernel.org/doc/Documentation/filesystems/fuse.txt
/dev/fuse rw,

# Required for mounts
capability sys_admin,

# Allow mounts to our snap-specific writable directories
# Note 1: fstype is 'fuse.<command>', eg 'fuse.sshfs'
# Note 2: due to LP: #1612393 - @{HOME} can't be used in mountpoint
# Note 3: local fuse mounts of filesystem directories are mediated by
#         AppArmor. The actual underlying file in the source directory is
#         mediated, not the presentation layer of the target directory, so
#         we can safely allow all local mounts to our snap-specific writable
#         directories.
# Note 4: fuse supports a lot of different mount options, and applications
#         are not obligated to use fusermount to mount fuse filesystems, so
#         be very strict and only support the default (rw,nosuid,nodev) and
#         read-only.
#
# parallel-installs: SNAP_USER_{DATA,COMMON} are not remapped, need to use SNAP_INSTANCE_NAME
mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /home/*/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/{,**/},
mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /home/*/snap/@{SNAP_INSTANCE_NAME}/@{SNAP_REVISION}/{,**/},
mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /home/*/snap/@{SNAP_INSTANCE_NAME}/common/{,**/},
mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /home/*/snap/@{SNAP_INSTANCE_NAME}/common/{,**/},
# parallel-installs: SNAP_{DATA,COMMON} are remapped, use SNAP_NAME instead, for
# completeness allow SNAP_INSTANCE_NAME too
mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**/},
mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/@{SNAP_REVISION}/{,**/},
mount fstype=fuse.* options=(ro,nosuid,nodev) ** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**/},
mount fstype=fuse.* options=(rw,nosuid,nodev) ** -> /var/snap/{@{SNAP_NAME},@{SNAP_INSTANCE_NAME}}/common/{,**/},

# Explicitly deny reads to /etc/fuse.conf. We do this to ensure that
# the safe defaults of fuse are used (which are enforced by our mount
# rules) and not system-specific options from /etc/fuse.conf that
# may conflict with our mount rules.
deny /etc/fuse.conf r,

# Allow read access to the fuse filesystem
/sys/fs/fuse/ r,
/sys/fs/fuse/** r,

# Unprivileged fuser mounts must use the setuid helper in the core snap
# (not currently available, so don't include in policy at this time).
#/{,usr/}bin/fusermount ixr,
`
    93  
// fuseSupportConnectedPlugUDev holds the udev match expressions for a
// connected fuse-support plug; the single entry matches the kernel device
// named "fuse".
// NOTE(review): presumably consumed by commonInterface to tag the device
// for the snap — confirm against its udev handling.
var fuseSupportConnectedPlugUDev = []string{`KERNEL=="fuse"`}
    95  
// init registers the fuse-support interface together with its summary,
// base declaration and the connected-plug AppArmor, seccomp and udev
// snippets defined in this file.
func init() {
	// The slot is implicit on every classic system except Ubuntu 14.04.
	onUbuntu1404 := release.ReleaseInfo.ID == "ubuntu" &&
		release.ReleaseInfo.VersionID == "14.04"

	iface := &commonInterface{
		name:                 "fuse-support",
		summary:              fuseSupportSummary,
		baseDeclarationSlots: fuseSupportBaseDeclarationSlots,

		// Slot availability.
		implicitOnCore:    true,
		implicitOnClassic: !onUbuntu1404,
		reservedForOS:     true,

		// Security policy applied to a connected plug.
		connectedPlugAppArmor: fuseSupportConnectedPlugAppArmor,
		connectedPlugSecComp:  fuseSupportConnectedPlugSecComp,
		connectedPlugUDev:     fuseSupportConnectedPlugUDev,
	}
	registerIface(iface)
}