// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016-2018 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// networkSummary is the one-line, human-readable description of the
// "network" interface.
const networkSummary = `allows access to the network`

// networkBaseDeclarationSlots is the base-declaration fragment for the
// "network" slot. Installation of the slot is limited to snaps of type
// "core", so only the OS snap can provide it.
const networkBaseDeclarationSlots = `
  network:
    allow-installation:
      slot-snap-type:
        - core
`

// networkConnectedPlugAppArmor is the AppArmor policy fragment applied to the
// plug side (the consuming snap's apps) once the interface is connected.
//
// Notes for anyone auditing this policy:
//   - It pulls in the nameservice, dbus-strict and ssl_certs abstractions.
//     The exact set of paths each of those grants lives in the host's
//     AppArmor abstractions, not in this file, so review them there when
//     assessing what a "network" plug can read.
//   - D-Bus access to systemd-resolved is deliberately narrowed to the
//     Resolve{Address,Hostname,Record,Service} members of the
//     org.freedesktop.resolve1.Manager interface (name resolution only),
//     rather than the whole resolve1 API.
//   - netcat is granted with "ixr": "ix" is AppArmor's inherit-execute, so an
//     exec of nc stays confined by the calling snap's profile rather than
//     transitioning to another profile.
//
// Derived from:
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/network
const networkConnectedPlugAppArmor = `
# Description: Can access the network as a client.
#include <abstractions/nameservice>
/run/systemd/resolve/stub-resolv.conf r,

# systemd-resolved (not yet included in nameservice abstraction)
#
# Allow access to the safe members of the systemd-resolved D-Bus API:
#
#    https://www.freedesktop.org/wiki/Software/systemd/resolved/
#
# This API may be used directly over the D-Bus system bus or it may be used
# indirectly via the nss-resolve plugin:
#
#    https://www.freedesktop.org/software/systemd/man/nss-resolve.html
#
#include <abstractions/dbus-strict>
dbus send
     bus=system
     path="/org/freedesktop/resolve1"
     interface="org.freedesktop.resolve1.Manager"
     member="Resolve{Address,Hostname,Record,Service}"
     peer=(name="org.freedesktop.resolve1"),

#include <abstractions/ssl_certs>

@{PROC}/sys/net/core/somaxconn r,
@{PROC}/sys/net/ipv4/tcp_fastopen r,

# Allow using netcat as client
/{,usr/}bin/nc{,.openbsd} ixr,
`

// networkConnectedPlugSecComp is the seccomp policy fragment applied to the
// plug side once the interface is connected.
//
// Notes for anyone auditing this policy:
//   - "bind" is allowed even though the interface is described as
//     client-only. "listen" and "accept" are not in this list, so this
//     fragment on its own does not appear to permit serving connections;
//     presumably that is left to the network-bind interface — confirm there.
//   - "socket AF_NETLINK - NETLINK_ROUTE" goes beyond plain client access
//     (route netlink is what interface/route enumeration tools use). The
//     embedded FIXME records that it really belongs in network-bind,
//     network-control and network-observe and is kept here only for
//     series-16 compatibility (LP: #1689536); treat it as a known widening
//     of this interface rather than an intended grant.
//   - "socket AF_CONN" is for userspace SCTP (usrsctp), per the embedded link.
//
// Derived from:
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/seccomp/policygroups/ubuntu-core/16.04/network
const networkConnectedPlugSecComp = `
# Description: Can access the network as a client.
bind

# FIXME: some kernels require this with common functions in go's 'net' library.
# While this should remain in network-bind, network-control and
# network-observe, for series 16 also have it here to not break existing snaps.
# Future snapd series may remove this in the future. LP: #1689536
socket AF_NETLINK - NETLINK_ROUTE

# Userspace SCTP
# https://github.com/sctplab/usrsctp/blob/master/usrsctplib/usrsctp.h
socket AF_CONN
`

// init registers the "network" interface at package load time, wiring the
// policy fragments above into a commonInterface.
//
// The field semantics (what implicitOnCore/implicitOnClassic and
// reservedForOS actually do) are defined by commonInterface elsewhere in this
// package, not here; presumably "implicit" means the slot is created
// automatically on both core and classic systems, and reservedForOS means
// only the OS snap may provide it — confirm against commonInterface.
func init() {
	registerIface(&commonInterface{
		name:                  "network",
		summary:               networkSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  networkBaseDeclarationSlots,
		connectedPlugAppArmor: networkConnectedPlugAppArmor,
		connectedPlugSecComp:  networkConnectedPlugSecComp,
		reservedForOS:         true,
	})
}