
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"strings"
    24  
    25  	"github.com/snapcore/snapd/interfaces"
    26  	"github.com/snapcore/snapd/interfaces/apparmor"
    27  	"github.com/snapcore/snapd/interfaces/seccomp"
    28  	"github.com/snapcore/snapd/snap"
    29  )
    30  
// maliitSummary is the one-line description shown for the "maliit"
// interface in StaticInfo.
const maliitSummary = `allows operating as the Maliit service`

// maliitBaseDeclarationSlots is the base-declaration policy for slots: only
// app snaps may provide the slot, and both connection and auto-connection are
// denied by default, so a store assertion is needed to connect it.
const maliitBaseDeclarationSlots = `
  maliit:
    allow-installation:
      slot-snap-type:
        - app
    deny-connection: true
    deny-auto-connection: true
`

// maliitPermanentSlotAppArmor is the AppArmor policy added to the slot snap
// unconditionally (AppArmorPermanentSlot). It lets the server own the
// org.maliit.server session-bus name and bind/listen/accept on abstract unix
// sockets matching @/tmp/maliit-server/dbus-*. It contains no placeholders;
// per-connection send/receive rules live in maliitConnectedSlotAppArmor.
const maliitPermanentSlotAppArmor = `
# Description: Allow operating as a maliit server.
# Communication with maliit happens in the following stages:
#  * An application connects to the address service: org.maliit.Server.Address.
#  * The server responds with a private unix socket of the form
#    @/tmp/maliit-server/dbus-* on which the server is running a peer-to-peer
#    dbus session.
#  * All further communication happens over this channel
#  * An application wishing to receive input then requests that it be made the
#    active context.
#  * At this point maliit retrieves the application's PID based on the dbus
#    channel and verifies with Unity 8 that the application is currently
#    focused.
#    TODO: In the future this will be based on surface ID instead of PID
#  * Only if the application is focused is it then able to receive input from
#    the on-screen keyboard.

# DBus accesses
#include <abstractions/dbus-session-strict>

# Allow binding to the well-known maliit DBus service name for address 
# negotiation
dbus (bind)
    bus=session
    name="org.maliit.server",

# TODO: should this be somewhere else?
/usr/share/glib-2.0/schemas/ r,

# maliit uses peer-to-peer dbus over a unix socket after address negotiation.
# Each application has its own one-to-one communication channel with the maliit
# server, over which all further communication happens. Send and receive rules 
# are in the per-snap connection policy.
unix (bind, listen, accept) type=stream addr="@/tmp/maliit-server/dbus-*",
`

// maliitConnectedSlotAppArmor is the slot-side policy added per connection
// (AppArmorConnectedSlot). Every rule is scoped with peer=(label=...), and the
// ###PLUG_SECURITY_TAGS### placeholder is replaced with the connected plug's
// app label expression, so the server only accepts address-service calls and
// socket traffic from snaps actually connected to it.
const maliitConnectedSlotAppArmor = `
# Provides the maliit address service which assigns an individual unix socket
# to each application
dbus (receive)
    bus=session
    interface="org.maliit.Server.Address"
    path=/org/maliit/server/address
    peer=(label=###PLUG_SECURITY_TAGS###),

dbus (receive)
    bus=session
    path=/org/maliit/server/address
    interface=org.freedesktop.DBus.Properties
    peer=(label=###PLUG_SECURITY_TAGS###),

# Provide access to the peer-to-peer dbus socket assigned by the address service
unix (receive, send) type=stream addr="@/tmp/maliit-server/dbus-*" peer=(label=###PLUG_SECURITY_TAGS###),
`

// maliitConnectedPlugAppArmor is the plug-side policy added per connection
// (AppArmorConnectedPlug). ###SLOT_SECURITY_TAGS### is replaced with the
// connected slot's app label expression. The unix rule uses addr=none for the
// client's own socket and constrains the peer by both label and the
// @/tmp/maliit-server/dbus-* address pattern, so the client can only reach a
// socket owned by the connected server. Note that focus verification is done
// by the server itself (see the comment in maliitPermanentSlotAppArmor), not
// by this policy.
const maliitConnectedPlugAppArmor = `
# Description: Allow applications to connect to a maliit socket

#include <abstractions/dbus-session-strict>

# Allow applications to communicate with the maliit address service
# which assigns an individual unix socket for all further communication
# to happen over.
dbus (send)
    bus=session
    interface="org.maliit.Server.Address"
    path=/org/maliit/server/address
    peer=(label=###SLOT_SECURITY_TAGS###),

dbus (send)
     bus=session
     path=/org/maliit/server/address
     interface=org.freedesktop.DBus.Properties
     peer=(label=###SLOT_SECURITY_TAGS###),

# Provide access to the peer-to-peer dbus socket assigned by the address service
unix (send, receive, connect) type=stream addr=none peer=(label=###SLOT_SECURITY_TAGS###, addr="@/tmp/maliit-server/dbus-*"),
`

// maliitPermanentSlotSecComp lists the extra syscalls the server needs to
// serve its listening unix socket (SecCompPermanentSlot). The plug side gets
// no seccomp additions from this interface.
const maliitPermanentSlotSecComp = `
listen
accept
accept4
`
   126  
// maliitInterface implements the "maliit" interface: a slot snap acts as the
// Maliit on-screen keyboard server and plug snaps reach it over the session
// bus and a per-client abstract unix socket, as described by the AppArmor
// snippets in this file.
type maliitInterface struct{}

// Name returns the interface name used in snap.yaml plugs and slots.
func (iface *maliitInterface) Name() string {
	const ifaceName = "maliit"
	return ifaceName
}
   132  
// StaticInfo reports the interface summary and the base-declaration slot
// policy (maliitBaseDeclarationSlots); no plug-side base declaration is set.
func (iface *maliitInterface) StaticInfo() interfaces.StaticInfo {
	var info interfaces.StaticInfo
	info.Summary = maliitSummary
	info.BaseDeclarationSlots = maliitBaseDeclarationSlots
	return info
}
   139  
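// AppArmorConnectedPlug adds the plug-side AppArmor policy for one maliit
// connection. The ###SLOT_SECURITY_TAGS### placeholder in
// maliitConnectedPlugAppArmor is replaced with the connected slot's app label
// expression, so the plug snap can only talk to processes of that slot snap.
// It always returns nil.
func (iface *maliitInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"
	// Named "label" rather than "new" so the builtin new() is not shadowed.
	label := slotAppLabelExpr(slot)
	snippet := strings.Replace(maliitConnectedPlugAppArmor, placeholder, label, -1)
	spec.AddSnippet(snippet)
	return nil
}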
   147  
// SecCompPermanentSlot adds the listen/accept/accept4 syscalls the server
// needs for its unix socket (maliitPermanentSlotSecComp), regardless of
// whether any plug is connected. It always returns nil.
func (iface *maliitInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	snippet := maliitPermanentSlotSecComp
	spec.AddSnippet(snippet)
	return nil
}
   152  
// AppArmorPermanentSlot adds the unconditional slot-side AppArmor policy
// (maliitPermanentSlotAppArmor): owning the org.maliit.server bus name and
// binding the @/tmp/maliit-server/dbus-* abstract sockets. The snippet has no
// placeholders, so it is added verbatim. It always returns nil.
func (iface *maliitInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	snippet := maliitPermanentSlotAppArmor
	spec.AddSnippet(snippet)
	return nil
}
   157  
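// AppArmorConnectedSlot adds the slot-side AppArmor policy for one maliit
// connection. The ###PLUG_SECURITY_TAGS### placeholder in
// maliitConnectedSlotAppArmor is replaced with the connected plug's app label
// expression, so the server only receives address-service calls and socket
// traffic from that plug snap. It always returns nil.
func (iface *maliitInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	// Named "label" rather than "new" so the builtin new() is not shadowed.
	label := plugAppLabelExpr(plug)
	snippet := strings.Replace(maliitConnectedSlotAppArmor, placeholder, label, -1)
	spec.AddSnippet(snippet)
	return nil
}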
   165  
// AutoConnect imposes no interface-specific constraint and always returns
// true; whether a connection is actually made automatically is left to the
// declarations (maliitBaseDeclarationSlots sets deny-auto-connection: true).
func (iface *maliitInterface) AutoConnect(_ *snap.PlugInfo, _ *snap.SlotInfo) bool {
	// Defer entirely to declaration-level policy.
	return true
}
   170  
// init registers the maliit interface with the builtin interface registry.
func init() {
	iface := &maliitInterface{}
	registerIface(iface)
}