
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2016-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// Static policy for the "network" interface.
//
// The three policy fragments below are raw string literals that are handed to
// the AppArmor and seccomp backends verbatim. Lines starting with '#' inside
// them are comments in the respective policy language, not Go comments, and
// are part of the emitted policy text.
const (
	// networkSummary is the one-line, human-readable description of the
	// interface.
	networkSummary = `allows access to the network`

	// networkBaseDeclarationSlots restricts installation of the slot to
	// snaps of type "core".
	networkBaseDeclarationSlots = `
  network:
    allow-installation:
      slot-snap-type:
        - core
`

	// networkConnectedPlugAppArmor is the AppArmor fragment added to the
	// plug side once connected. It is derived from the ubuntu-core-security
	// policy group:
	// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/network
	//
	// In addition to the nameservice, dbus-strict and ssl_certs abstractions
	// it allows the Resolve* members of the systemd-resolved D-Bus API, read
	// access to two /proc/sys/net tunables, and executing netcat (ix) as a
	// client.
	networkConnectedPlugAppArmor = `
# Description: Can access the network as a client.
#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
#   https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
#   https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
     bus=system
     path="/org/freedesktop/resolve1"
     interface="org.freedesktop.resolve1.Manager"
     member="Resolve{Address,Hostname,Record,Service}"
     peer=(name="org.freedesktop.resolve1"),

#include <abstractions/ssl_certs>

@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/tcp_fastopen r,

# Allow using netcat as client
/{,usr/}bin/nc{,.openbsd} ixr,
`

	// networkConnectedPlugSecComp is the seccomp fragment added to the plug
	// side once connected. It is derived from the ubuntu-core-security
	// policy group:
	// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/network
	//
	// Although the interface is described as client-only, the policy also
	// permits bind, AF_NETLINK/NETLINK_ROUTE sockets (kept for compatibility,
	// see the FIXME in the policy text) and AF_CONN sockets for userspace
	// SCTP. Reviewers auditing what a "network" plug grants should read the
	// policy text itself rather than rely on the summary.
	networkConnectedPlugSecComp = `
# Description: Can access the network as a client.
bind

# FIXME: some kernels require this with common functions in go's 'net' library.
# While this should remain in network-bind, network-control and
# network-observe, for series 16 also have it here to not break existing snaps.
# Future snapd series may remove this in the future. LP: #1689536
socket AF_NETLINK - NETLINK_ROUTE

# Userspace SCTP
# https://github.com/sctplab/usrsctp/blob/master/usrsctplib/usrsctp.h
socket AF_CONN
`
)
    80  
// init registers the "network" interface with the builtin interface registry.
//
// The interface is a plain commonInterface: all of its behaviour is carried by
// the static policy constants declared in this file, so no custom connection
// or sanitisation logic lives here.
func init() {
	// Build the descriptor first so the registration call reads as a single
	// statement. Both implicitOn* flags are set and reservedForOS is true;
	// the exact effect of these flags is defined by commonInterface, outside
	// this file — presumably the slot is provided automatically by the OS
	// snap on both Core and classic systems.
	iface := &commonInterface{
		name:                  "network",
		summary:               networkSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  networkBaseDeclarationSlots,
		connectedPlugAppArmor: networkConnectedPlugAppArmor,
		connectedPlugSecComp:  networkConnectedPlugSecComp,
		reservedForOS:         true,
	}
	registerIface(iface)
}