
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2017 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"strings"
    24  
    25  	"github.com/snapcore/snapd/interfaces"
    26  	"github.com/snapcore/snapd/interfaces/apparmor"
    27  	"github.com/snapcore/snapd/interfaces/seccomp"
    28  	"github.com/snapcore/snapd/snap"
    29  )
    30  
// mediaHubSummary is the one-line human-readable description of the
// interface; it is surfaced through StaticInfo below.
const mediaHubSummary = `allows operating as the media-hub service`
    32  
// mediaHubBaseDeclarationSlots is the slot-side base-declaration policy that
// StaticInfo reports for this interface. It lets both app and core snaps
// carry a media-hub slot, and adds a deny-connection rule keyed on
// on-classic: false.
//
// NOTE(review): the deny-connection rule reads as "connections are denied on
// non-classic (Ubuntu Core) systems unless a snap declaration overrides it",
// with classic systems unaffected; there is no deny-auto-connection entry
// here, so auto-connection is governed only by whatever the declaration
// machinery allows. Confirm both readings against the evaluation logic in
// interfaces/policy before relying on them.
const mediaHubBaseDeclarationSlots = `
  media-hub:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-connection:
      on-classic: false
`
    42  
// mediaHubPermanentSlotAppArmor is the AppArmor policy installed into the
// slot snap's profile as soon as the slot exists, independent of any
// connection (see AppArmorPermanentSlot). Every peer it names is
// label=unconfined: it governs the slot's traffic with the session bus daemon
// (name=org.freedesktop.DBus) and with other unconfined processes only.
// Traffic with confined plug snaps is covered separately by
// mediaHubConnectedSlotAppArmor, which is scoped to the connected plug's
// label.
//
// Rule-by-rule, the slot may: request/release bus names and query the bus
// daemon for a caller's AppArmor security context (so the service can do its
// own per-caller checks); bind core.ubuntu.media.Service; exchange any
// org.freedesktop.DBus* traffic on /com/ubuntu/media/Service{,/**}; be
// introspected; exchange any traffic on /core/ubuntu/media/Service{,/**};
// exchange MPRIS traffic on the per-session sub-paths; and emit
// org.freedesktop.DBus.Properties messages on those sub-paths.
//
// Points worth noting when reviewing this policy:
//   - the org.freedesktop.DBus.Introspectable receive rule has no path
//     restriction, so an unconfined peer may introspect every object the
//     service exports, not only /core/ubuntu/media/Service;
//   - the send/receive rule for /core/ubuntu/media/Service{,/**} has no
//     interface or member restriction;
//   - one rule uses the object path /com/ubuntu/media/Service while the bus
//     name and every other path use core.ubuntu.media.Service; presumably a
//     legacy object path kept for older clients rather than a typo — confirm
//     before changing it;
//   - the "the the" in the Description line is inside the emitted policy
//     text (a comment line to AppArmor) and is deliberately left untouched so
//     the generated profile stays byte-stable.
const mediaHubPermanentSlotAppArmor = `
# Description: Allow operating as the the media-hub service.

# DBus accesses
#include <abstractions/dbus-session-strict>

dbus (send)
    bus=session
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member="{Request,Release}Name"
    peer=(name=org.freedesktop.DBus, label=unconfined),

# Allow querying AppArmor
dbus (send)
    bus=session
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member="GetConnectionAppArmorSecurityContext"
    peer=(name=org.freedesktop.DBus, label=unconfined),

# Allow binding the service to the requested connection name
dbus (bind)
    bus=session
    name="core.ubuntu.media.Service",

# Allow communications with unconfined processes
dbus (receive, send)
    bus=session
    path=/com/ubuntu/media/Service{,/**}
    interface=org.freedesktop.DBus{,.*}
    peer=(label=unconfined),

# Allow unconfined processes to introspect us
dbus (receive)
    bus=session
    interface=org.freedesktop.DBus.Introspectable
    peer=(label=unconfined),

dbus (receive, send)
    bus=session
    path=/core/ubuntu/media/Service{,/**}
    peer=(label=unconfined),

# Allow sending/receiving mpris signals for session path
dbus (receive, send)
    bus=session
    path=/core/ubuntu/media/Service/sessions/**
    interface="org.mpris.MediaPlayer2{,.Player,.TrackList}"
    peer=(label=unconfined),

# Allow sending properties signals for session path
dbus (send)
    bus=session
    path=/core/ubuntu/media/Service/sessions/**
    interface="org.freedesktop.DBus.Properties"
    peer=(label=unconfined),
`
   101  
// mediaHubConnectedSlotAppArmor is added to the slot snap's profile for each
// connection; AppArmorConnectedSlot replaces ###PLUG_SECURITY_TAGS### with
// the AppArmor label expression of the connected plug snap, so these rules
// only ever match that peer and never arbitrary confined snaps.
//
// A connected client may: exchange org.freedesktop.DBus.Properties traffic
// with the service on /core/ubuntu/media/Service and everything below it
// (both directions, so PropertiesChanged signals can flow to the client);
// call Introspect on the service root object; and call any method of the
// core.ubuntu.media.Service{,.*} interfaces on the root object. The last
// two are receive-only from the slot's point of view.
const mediaHubConnectedSlotAppArmor = `
# Allow clients to query/modify and get notified of service properties
dbus (receive, send)
    bus=session
    interface=org.freedesktop.DBus.Properties
    path=/core/ubuntu/media/Service{,/**}
    peer=(label=###PLUG_SECURITY_TAGS###),

# Allow client to introspect our DBus api
dbus (receive)
    bus=session
    interface=org.freedesktop.DBus.Introspectable
    path=/core/ubuntu/media/Service
    member="Introspect"
    peer=(label=###PLUG_SECURITY_TAGS###),

# Allow clients to manage Player sessions
dbus (receive)
    bus=session
    interface="core.ubuntu.media.Service{,.*}"
    path=/core/ubuntu/media/Service
    peer=(label=###PLUG_SECURITY_TAGS###),
`
   125  
// mediaHubConnectedPlugAppArmor is the plug-side mirror of
// mediaHubConnectedSlotAppArmor, installed into the plug snap's profile with
// ###SLOT_SECURITY_TAGS### replaced by the slot snap's label expression (see
// AppArmorConnectedPlug). Directions are flipped relative to the slot
// snippet: the client sends Introspect and core.ubuntu.media.Service calls,
// and exchanges Properties traffic in both directions.
//
// Note what is absent: there is no org.mpris.MediaPlayer2* rule here, so a
// confined plug snap cannot exchange MPRIS traffic with the service. Those
// rules exist only towards unconfined peers in mediaHubPermanentSlotAppArmor.
// This is the scoping a plug snap gets; the "Description" line below is part
// of the emitted policy text.
const mediaHubConnectedPlugAppArmor = `
# Description: Allow using media-hub service.

#include <abstractions/dbus-session-strict>

# Allow clients to query/modify and get notified of service properties
dbus (receive, send)
    bus=session
    interface=org.freedesktop.DBus.Properties
    path=/core/ubuntu/media/Service{,/**}
    peer=(label=###SLOT_SECURITY_TAGS###),

# Allow client to introspect our DBus api
dbus (send)
    bus=session
    interface=org.freedesktop.DBus.Introspectable
    path=/core/ubuntu/media/Service
    member="Introspect"
    peer=(label=###SLOT_SECURITY_TAGS###),

# Allow clients to manage Player sessions
dbus (send)
    bus=session
    interface="core.ubuntu.media.Service{,.*}"
    path=/core/ubuntu/media/Service
    peer=(label=###SLOT_SECURITY_TAGS###),
`
   153  
// mediaHubPermanentSlotSecComp is the seccomp addition for the slot snap,
// installed unconditionally by SecCompPermanentSlot. The only syscall it
// adds is bind, presumably so the service can bind a local listening socket
// — TODO confirm against the media-hub service's actual socket usage.
const mediaHubPermanentSlotSecComp = `
# Description: Allow operating as the media-hub service.

bind
`
   159  
// mediaHubInterface implements the "media-hub" interface: the slot side is
// the media-hub service, the plug side is a client of it. The type carries no
// state; all behaviour lives in the methods below, which hand the policy
// constants above to the AppArmor and seccomp specifications.
type mediaHubInterface struct{}
   161  
// Name returns the interface name that plug and slot declarations refer to.
func (iface *mediaHubInterface) Name() string {
	return "media-hub"
}
   165  
// StaticInfo reports the metadata that does not depend on any particular
// plug or slot: the human-readable summary and the slot-side
// base-declaration policy (which is what gates installation and connection
// of media-hub slots).
func (iface *mediaHubInterface) StaticInfo() interfaces.StaticInfo {
	var info interfaces.StaticInfo
	info.Summary = mediaHubSummary
	info.BaseDeclarationSlots = mediaHubBaseDeclarationSlots
	return info
}
   172  
// AppArmorConnectedPlug adds the plug-side policy for one connection. The
// ###SLOT_SECURITY_TAGS### placeholder in mediaHubConnectedPlugAppArmor is
// replaced by the slot snap's AppArmor label expression so that only the
// connected slot is an acceptable D-Bus peer for the client; every
// occurrence is substituted. It never fails.
func (iface *mediaHubInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"
	snippet := strings.Replace(mediaHubConnectedPlugAppArmor, placeholder, slotAppLabelExpr(slot), -1)
	spec.AddSnippet(snippet)
	return nil
}
   179  
// AppArmorPermanentSlot installs the slot snap's standing policy, which is
// present whether or not anything is connected. No substitution is needed:
// every peer in mediaHubPermanentSlotAppArmor is label=unconfined, so the
// text is added verbatim. The slot argument is not consulted. It never
// fails.
func (iface *mediaHubInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(mediaHubPermanentSlotAppArmor)
	return nil
}
   184  
// AppArmorConnectedSlot adds the slot-side policy for one connection. The
// ###PLUG_SECURITY_TAGS### placeholder in mediaHubConnectedSlotAppArmor is
// replaced by the connected plug snap's AppArmor label expression, so the
// service only accepts this client's traffic under these rules and not that
// of other confined snaps; every occurrence is substituted. It never fails.
func (iface *mediaHubInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	snippet := strings.Replace(mediaHubConnectedSlotAppArmor, placeholder, plugAppLabelExpr(plug), -1)
	spec.AddSnippet(snippet)
	return nil
}
   191  
// SecCompPermanentSlot installs the slot snap's standing seccomp additions
// (just bind, see mediaHubPermanentSlotSecComp), independent of any
// connection. The slot argument is not consulted. It never fails.
func (iface *mediaHubInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(mediaHubPermanentSlotSecComp)
	return nil
}
   196  
// AutoConnect imposes no interface-specific condition on auto-connection:
// it ignores both the plug and the slot and always answers true, leaving the
// decision entirely to the base declaration and any snap declarations
// (note that mediaHubBaseDeclarationSlots has no deny-auto-connection rule).
func (iface *mediaHubInterface) AutoConnect(_ *snap.PlugInfo, _ *snap.SlotInfo) bool {
	// Defer to declaration policy alone.
	return true
}
   201  
// init registers the interface with the builtin interface registry at
// package load time, which is how every builtin interface becomes visible to
// snapd without further wiring.
func init() {
	registerIface(&mediaHubInterface{})
}