github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/builtin/network_manager.go (about) 1 // -*- Mode: Go; indent-tabs-mode: t -*- 2 3 /* 4 * Copyright (C) 2016-2017 Canonical Ltd 5 * 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 3 as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program. If not, see <http://www.gnu.org/licenses/>. 17 * 18 */ 19 20 package builtin 21 22 import ( 23 "strings" 24 25 "github.com/snapcore/snapd/interfaces" 26 "github.com/snapcore/snapd/interfaces/apparmor" 27 "github.com/snapcore/snapd/interfaces/dbus" 28 "github.com/snapcore/snapd/interfaces/seccomp" 29 "github.com/snapcore/snapd/interfaces/udev" 30 "github.com/snapcore/snapd/release" 31 "github.com/snapcore/snapd/snap" 32 ) 33 34 const networkManagerSummary = `allows operating as the NetworkManager service` 35 36 const networkManagerBaseDeclarationSlots = ` 37 network-manager: 38 allow-installation: 39 slot-snap-type: 40 - app 41 - core 42 deny-auto-connection: true 43 deny-connection: 44 on-classic: false 45 ` 46 47 const networkManagerPermanentSlotAppArmor = ` 48 # Description: Allow operating as the NetworkManager service. This gives 49 # privileged access to the system. 
50 51 capability net_admin, 52 capability net_bind_service, 53 capability net_raw, 54 55 network netlink, 56 network bridge, 57 network inet, 58 network inet6, 59 network packet, 60 61 @{PROC}/@{pid}/net/ r, 62 @{PROC}/@{pid}/net/** r, 63 64 # used by sysctl, et al 65 @{PROC}/sys/ r, 66 @{PROC}/sys/net/ r, 67 @{PROC}/sys/net/core/ r, 68 @{PROC}/sys/net/core/** rw, 69 @{PROC}/sys/net/ipv{4,6}/ r, 70 @{PROC}/sys/net/ipv{4,6}/** rw, 71 @{PROC}/sys/net/netfilter/ r, 72 @{PROC}/sys/net/netfilter/** rw, 73 @{PROC}/sys/net/nf_conntrack_max rw, 74 75 # Needed for systemd's dhcp implementation 76 @{PROC}/sys/kernel/random/boot_id r, 77 78 /sys/devices/**/**/net/**/phys_port_id r, 79 /sys/devices/**/**/net/**/dev_id r, 80 /sys/devices/virtual/net/**/phys_port_id r, 81 /sys/devices/virtual/net/**/dev_id r, 82 /sys/devices/**/net/**/ifindex r, 83 84 /dev/rfkill rw, 85 86 /run/udev/data/* r, 87 88 # Allow read and write access for all netplan configuration files 89 # as NetworkManager will start using them to store the network 90 # configuration instead of using its own internal keyfile based 91 # format. 92 /etc/netplan/{,**} rw, 93 94 # Allow access to configuration files generated on the fly 95 # from netplan and let NetworkManager store its DHCP leases 96 # in the dhcp subdirectory so that console-conf can access 97 # it. 98 /run/NetworkManager/ w, 99 /run/NetworkManager/{,**} r, 100 /run/NetworkManager/dhcp/{,**} w, 101 102 # Needed by the ifupdown plugin to check which interfaces can 103 # be managed an which not. 
104 /etc/network/interfaces r, 105 # Needed for systemd's dhcp implementation 106 /etc/machine-id r, 107 108 # Needed to use resolvconf from core 109 /sbin/resolvconf ixr, 110 /run/resolvconf/{,**} rk, 111 /run/resolvconf/** w, 112 /etc/resolvconf/{,**} r, 113 /lib/resolvconf/* ix, 114 # NM peeks into ifupdown configuration 115 /run/network/ifstate* r, 116 # Required by resolvconf 117 /bin/run-parts ixr, 118 /etc/resolvconf/update.d/* ix, 119 120 #include <abstractions/nameservice> 121 /run/systemd/resolve/stub-resolv.conf r, 122 123 # DBus accesses 124 #include <abstractions/dbus-strict> 125 126 # systemd-resolved (not yet included in nameservice abstraction) 127 # 128 # Allow access to the safe members of the systemd-resolved D-Bus API: 129 # 130 # https://www.freedesktop.org/wiki/Software/systemd/resolved/ 131 # 132 # This API may be used directly over the D-Bus system bus or it may be used 133 # indirectly via the nss-resolve plugin: 134 # 135 # https://www.freedesktop.org/software/systemd/man/nss-resolve.html 136 # 137 dbus send 138 bus=system 139 path="/org/freedesktop/resolve1" 140 interface="org.freedesktop.resolve1.Manager" 141 member="Resolve{Address,Hostname,Record,Service}" 142 peer=(name="org.freedesktop.resolve1"), 143 144 dbus (send) 145 bus=system 146 path="/org/freedesktop/resolve1" 147 interface="org.freedesktop.resolve1.Manager" 148 member="SetLink{DNS,Domains}" 149 peer=(label=unconfined), 150 151 dbus (send) 152 bus=system 153 path=/org/freedesktop/DBus 154 interface=org.freedesktop.DBus 155 member={Request,Release}Name 156 peer=(name=org.freedesktop.DBus, label=unconfined), 157 158 dbus (receive, send) 159 bus=system 160 path=/org/freedesktop/DBus 161 interface=org.freedesktop.DBus 162 member=GetConnectionUnixProcessID 163 peer=(label=unconfined), 164 165 dbus (receive, send) 166 bus=system 167 path=/org/freedesktop/DBus 168 interface=org.freedesktop.DBus 169 member=GetConnectionUnixUser 170 peer=(label=unconfined), 171 172 # Allow binding the 
service to the requested connection name 173 dbus (bind) 174 bus=system 175 name="org.freedesktop.NetworkManager", 176 177 # Allow traffic to/from our path and interface with any method for unconfined 178 # clients to talk to our service. 179 dbus (receive, send) 180 bus=system 181 path=/org/freedesktop/NetworkManager{,/**} 182 interface=org.freedesktop.NetworkManager* 183 peer=(label=unconfined), 184 185 # Allow traffic to/from org.freedesktop.DBus for NetworkManager service 186 dbus (receive, send) 187 bus=system 188 path=/org/freedesktop/NetworkManager{,/**} 189 interface=org.freedesktop.DBus.* 190 peer=(label=unconfined), 191 192 # Allow access to hostname system service 193 dbus (receive, send) 194 bus=system 195 path=/org/freedesktop/hostname1 196 interface=org.freedesktop.DBus.Properties 197 peer=(label=unconfined), 198 # do not use peer=(label=unconfined) here since this is DBus activated 199 dbus (send) 200 bus=system 201 path=/org/freedesktop/hostname1 202 interface=org.freedesktop.DBus.Properties 203 member="Get{,All}", 204 205 dbus(receive, send) 206 bus=system 207 path=/org/freedesktop/hostname1 208 interface=org.freedesktop.hostname1 209 member={Set,SetStatic}Hostname 210 peer=(label=unconfined), 211 # do not use peer=(label=unconfined) here since this is DBus activated 212 dbus (send) 213 bus=system 214 path=/org/freedesktop/hostname1 215 interface=org.freedesktop.hostname1 216 member={Set,SetStatic}Hostname, 217 218 # Sleep monitor inside NetworkManager needs this 219 # do not use peer=(label=unconfined) here since this is DBus activated 220 dbus (send) 221 bus=system 222 path=/org/freedesktop/login1 223 member=Inhibit 224 interface=org.freedesktop.login1.Manager, 225 dbus (receive) 226 bus=system 227 path=/org/freedesktop/login1 228 member=PrepareForSleep 229 interface=org.freedesktop.login1.Manager 230 peer=(label=unconfined), 231 dbus (receive) 232 bus=system 233 path=/org/freedesktop/login1 234 interface=org.freedesktop.login1.Manager 235 
member=Session{New,Removed} 236 peer=(label=unconfined), 237 238 # Allow access to wpa-supplicant for managing WiFi networks 239 dbus (receive, send) 240 bus=system 241 path=/fi/w1/wpa_supplicant1{,/**} 242 interface=fi.w1.wpa_supplicant1* 243 peer=(label=unconfined), 244 dbus (receive, send) 245 bus=system 246 path=/fi/w1/wpa_supplicant1{,/**} 247 interface=org.freedesktop.DBus.* 248 peer=(label=unconfined), 249 ` 250 251 const networkManagerConnectedSlotAppArmor = ` 252 # Allow connected clients to interact with the service 253 254 # Allow traffic to/from our DBus path 255 dbus (receive, send) 256 bus=system 257 path=/org/freedesktop/NetworkManager{,/**} 258 peer=(label=###PLUG_SECURITY_TAGS###), 259 260 # Later versions of NetworkManager implement org.freedesktop.DBus.ObjectManager 261 # for clients to easily obtain all (and be alerted to added/removed) objects 262 # from the service. 263 dbus (receive, send) 264 bus=system 265 path=/org/freedesktop 266 interface=org.freedesktop.DBus.ObjectManager 267 peer=(label=###PLUG_SECURITY_TAGS###), 268 269 # Explicitly deny ptrace to silence noisy denials. These denials happen when NM 270 # tries to access /proc/<peer_pid>/stat. What apparmor prevents is showing 271 # internal process addresses that live in that file, but that has no adverse 272 # effects for NetworkManager, which just wants to find out the start time of the 273 # process. 274 deny ptrace (trace) peer=###PLUG_SECURITY_TAGS###, 275 ` 276 277 const networkManagerConnectedPlugAppArmor = ` 278 # Description: Allow using NetworkManager service. This gives privileged access 279 # to the NetworkManager service. 
280 281 #include <abstractions/dbus-strict> 282 283 # Allow all access to NetworkManager service 284 dbus (receive, send) 285 bus=system 286 path=/org/freedesktop/NetworkManager{,/**} 287 peer=(label=###SLOT_SECURITY_TAGS###), 288 289 # NM implements org.freedesktop.DBus.ObjectManager too 290 dbus (receive, send) 291 bus=system 292 path=/org/freedesktop 293 interface=org.freedesktop.DBus.ObjectManager 294 peer=(label=###SLOT_SECURITY_TAGS###), 295 ` 296 297 const networkManagerConnectedPlugIntrospectionSnippet = ` 298 # Allow us to introspect the network-manager providing snap 299 dbus (send) 300 bus=system 301 interface="org.freedesktop.DBus.Introspectable" 302 member="Introspect" 303 peer=(label=###SLOT_SECURITY_TAGS###), 304 ` 305 306 const networkManagerConnectedSlotIntrospectionSnippet = ` 307 # Allow plugs to introspect us 308 dbus (receive) 309 bus=system 310 interface="org.freedesktop.DBus.Introspectable" 311 member="Introspect" 312 peer=(label=###PLUG_SECURITY_TAGS###), 313 ` 314 315 const networkManagerConnectedPlugSecComp = ` 316 # Description: This is needed to talk to the network-manager service 317 socket AF_NETLINK - NETLINK_KOBJECT_UEVENT 318 ` 319 320 const networkManagerPermanentSlotSecComp = ` 321 # Description: Allow operating as the NetworkManager service. This gives 322 # privileged access to the system. 
323 accept 324 accept4 325 bind 326 listen 327 sethostname 328 # netlink 329 socket AF_NETLINK - - 330 ` 331 332 const networkManagerPermanentSlotDBus = ` 333 <!-- DBus policy for NetworkManager (upstream version 1.2.2) --> 334 <policy user="root"> 335 <allow own="org.freedesktop.NetworkManager"/> 336 <allow send_destination="org.freedesktop.NetworkManager"/> 337 338 <allow send_destination="org.freedesktop.NetworkManager" 339 send_interface="org.freedesktop.NetworkManager.PPP"/> 340 341 <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/> 342 343 <!-- These are there because some broken policies do 344 <deny send_interface="..." /> (see dbus-daemon(8) for details). 345 This seems to override that for the known VPN plugins. --> 346 <allow send_destination="org.freedesktop.NetworkManager.openconnect"/> 347 <allow send_destination="org.freedesktop.NetworkManager.openswan"/> 348 <allow send_destination="org.freedesktop.NetworkManager.openvpn"/> 349 <allow send_destination="org.freedesktop.NetworkManager.pptp"/> 350 <allow send_destination="org.freedesktop.NetworkManager.vpnc"/> 351 <allow send_destination="org.freedesktop.NetworkManager.ssh"/> 352 <allow send_destination="org.freedesktop.NetworkManager.iodine"/> 353 <allow send_destination="org.freedesktop.NetworkManager.l2tp"/> 354 <allow send_destination="org.freedesktop.NetworkManager.libreswan"/> 355 <allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/> 356 <allow send_destination="org.freedesktop.NetworkManager.strongswan"/> 357 <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/> 358 359 <!-- Allow the custom name for the dnsmasq instance spawned by NM 360 from the dns dnsmasq plugin to own it's dbus name, and for 361 messages to be sent to it. 
362 --> 363 <allow own="org.freedesktop.NetworkManager.dnsmasq"/> 364 <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/> 365 </policy> 366 367 <policy context="default"> 368 <deny own="org.freedesktop.NetworkManager"/> 369 370 <deny send_destination="org.freedesktop.NetworkManager"/> 371 372 <!-- Basic D-Bus API stuff --> 373 <allow send_destination="org.freedesktop.NetworkManager" 374 send_interface="org.freedesktop.DBus.Introspectable"/> 375 <allow send_destination="org.freedesktop.NetworkManager" 376 send_interface="org.freedesktop.DBus.Properties"/> 377 <allow send_destination="org.freedesktop.NetworkManager" 378 send_interface="org.freedesktop.DBus.ObjectManager"/> 379 380 <!-- Devices (read-only properties, no methods) --> 381 <allow send_destination="org.freedesktop.NetworkManager" 382 send_interface="org.freedesktop.NetworkManager.Device.Adsl"/> 383 <allow send_destination="org.freedesktop.NetworkManager" 384 send_interface="org.freedesktop.NetworkManager.Device.Bond"/> 385 <allow send_destination="org.freedesktop.NetworkManager" 386 send_interface="org.freedesktop.NetworkManager.Device.Bridge"/> 387 <allow send_destination="org.freedesktop.NetworkManager" 388 send_interface="org.freedesktop.NetworkManager.Device.Bluetooth"/> 389 <allow send_destination="org.freedesktop.NetworkManager" 390 send_interface="org.freedesktop.NetworkManager.Device.Wired"/> 391 <allow send_destination="org.freedesktop.NetworkManager" 392 send_interface="org.freedesktop.NetworkManager.Device.Generic"/> 393 <allow send_destination="org.freedesktop.NetworkManager" 394 send_interface="org.freedesktop.NetworkManager.Device.Gre"/> 395 <allow send_destination="org.freedesktop.NetworkManager" 396 send_interface="org.freedesktop.NetworkManager.Device.Infiniband"/> 397 <allow send_destination="org.freedesktop.NetworkManager" 398 send_interface="org.freedesktop.NetworkManager.Device.Macvlan"/> 399 <allow send_destination="org.freedesktop.NetworkManager" 400 
send_interface="org.freedesktop.NetworkManager.Device.Modem"/> 401 <allow send_destination="org.freedesktop.NetworkManager" 402 send_interface="org.freedesktop.NetworkManager.Device.OlpcMesh"/> 403 <allow send_destination="org.freedesktop.NetworkManager" 404 send_interface="org.freedesktop.NetworkManager.Device.Team"/> 405 <allow send_destination="org.freedesktop.NetworkManager" 406 send_interface="org.freedesktop.NetworkManager.Device.Tun"/> 407 <allow send_destination="org.freedesktop.NetworkManager" 408 send_interface="org.freedesktop.NetworkManager.Device.Veth"/> 409 <allow send_destination="org.freedesktop.NetworkManager" 410 send_interface="org.freedesktop.NetworkManager.Device.Vlan"/> 411 <allow send_destination="org.freedesktop.NetworkManager" 412 send_interface="org.freedesktop.NetworkManager.WiMax.Nsp"/> 413 <allow send_destination="org.freedesktop.NetworkManager" 414 send_interface="org.freedesktop.NetworkManager.AccessPoint"/> 415 416 <!-- Devices (read-only, no security required) --> 417 <allow send_destination="org.freedesktop.NetworkManager" 418 send_interface="org.freedesktop.NetworkManager.Device.WiMax"/> 419 420 <!-- Devices (read/write, secured with PolicyKit) --> 421 <allow send_destination="org.freedesktop.NetworkManager" 422 send_interface="org.freedesktop.NetworkManager.Device.Wireless"/> 423 <allow send_destination="org.freedesktop.NetworkManager" 424 send_interface="org.freedesktop.NetworkManager.Device"/> 425 426 <!-- Core stuff (read-only properties, no methods) --> 427 <allow send_destination="org.freedesktop.NetworkManager" 428 send_interface="org.freedesktop.NetworkManager.Connection.Active"/> 429 <allow send_destination="org.freedesktop.NetworkManager" 430 send_interface="org.freedesktop.NetworkManager.DHCP4Config"/> 431 <allow send_destination="org.freedesktop.NetworkManager" 432 send_interface="org.freedesktop.NetworkManager.DHCP6Config"/> 433 <allow send_destination="org.freedesktop.NetworkManager" 434 
send_interface="org.freedesktop.NetworkManager.IP4Config"/> 435 <allow send_destination="org.freedesktop.NetworkManager" 436 send_interface="org.freedesktop.NetworkManager.IP6Config"/> 437 <allow send_destination="org.freedesktop.NetworkManager" 438 send_interface="org.freedesktop.NetworkManager.VPN.Connection"/> 439 440 <!-- Core stuff (read/write, secured with PolicyKit) --> 441 <allow send_destination="org.freedesktop.NetworkManager" 442 send_interface="org.freedesktop.NetworkManager"/> 443 <allow send_destination="org.freedesktop.NetworkManager" 444 send_interface="org.freedesktop.NetworkManager.Settings"/> 445 <allow send_destination="org.freedesktop.NetworkManager" 446 send_interface="org.freedesktop.NetworkManager.Settings.Connection"/> 447 448 <!-- Agents; secured with PolicyKit. Any process can talk to 449 the AgentManager API, but only NetworkManager can talk 450 to the agents themselves. --> 451 <allow send_destination="org.freedesktop.NetworkManager" 452 send_interface="org.freedesktop.NetworkManager.AgentManager"/> 453 454 <!-- Root-only functions --> 455 <deny send_destination="org.freedesktop.NetworkManager" 456 send_interface="org.freedesktop.NetworkManager" 457 send_member="SetLogging"/> 458 <deny send_destination="org.freedesktop.NetworkManager" 459 send_interface="org.freedesktop.NetworkManager" 460 send_member="Sleep"/> 461 <deny send_destination="org.freedesktop.NetworkManager" 462 send_interface="org.freedesktop.NetworkManager.Settings" 463 send_member="LoadConnections"/> 464 <deny send_destination="org.freedesktop.NetworkManager" 465 send_interface="org.freedesktop.NetworkManager.Settings" 466 send_member="ReloadConnections"/> 467 468 <deny own="org.freedesktop.NetworkManager.dnsmasq"/> 469 <deny send_destination="org.freedesktop.NetworkManager.dnsmasq"/> 470 </policy> 471 472 <limit name="max_replies_per_connection">1024</limit> 473 <limit name="max_match_rules_per_connection">2048</limit> 474 ` 475 476 type networkManagerInterface struct{} 
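
// Name returns the interface name used in snap.yaml plug and slot
// declarations.
func (iface *networkManagerInterface) Name() string {
	return "network-manager"
}

// StaticInfo describes the interface: its summary, that the slot is
// implicitly provided by the OS on classic systems, and the base
// declaration that limits which snap types may carry the slot and turns
// auto-connection off by default.
func (iface *networkManagerInterface) StaticInfo() interfaces.StaticInfo {
	return interfaces.StaticInfo{
		Summary:              networkManagerSummary,
		ImplicitOnClassic:    true,
		BaseDeclarationSlots: networkManagerBaseDeclarationSlots,
	}
}

// addNetworkManagerSnippets substitutes label for placeholder in snippet and
// adds the result to spec. On Ubuntu Core the introspection snippet gets the
// same substitution and is added as well; on classic it is deliberately left
// out (see https://bugs.launchpad.net/snapd/+bug/1849291).
func addNetworkManagerSnippets(spec *apparmor.Specification, placeholder, label, snippet, introspection string) {
	spec.AddSnippet(strings.Replace(snippet, placeholder, label, -1))
	if !release.OnClassic {
		// See https://bugs.launchpad.net/snapd/+bug/1849291 for details.
		spec.AddSnippet(strings.Replace(introspection, placeholder, label, -1))
	}
}

// AppArmorConnectedPlug adds the plug-side AppArmor rules. The
// ###SLOT_SECURITY_TAGS### placeholder in the snippet's peer=(label=...)
// clauses is resolved to the AppArmor label the plug may exchange D-Bus
// traffic with: "unconfined" on classic, where NetworkManager is part of the
// OS and runs unconfined, and the label expression derived from the slot
// (slotAppLabelExpr) on Ubuntu Core.
func (iface *networkManagerInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	// Named "label" rather than "new" so the builtin new() is not shadowed.
	var label string
	if release.OnClassic {
		// If we're running on classic NetworkManager will be part
		// of the OS snap and will run unconfined.
		label = "unconfined"
	} else {
		label = slotAppLabelExpr(slot)
	}
	addNetworkManagerSnippets(spec, "###SLOT_SECURITY_TAGS###", label,
		networkManagerConnectedPlugAppArmor, networkManagerConnectedPlugIntrospectionSnippet)
	return nil
}

// AppArmorConnectedSlot adds the slot-side AppArmor rules, resolving the
// ###PLUG_SECURITY_TAGS### placeholder to the label expression of the
// connected plug (plugAppLabelExpr) so the service's D-Bus and ptrace rules
// name exactly that peer.
func (iface *networkManagerInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	addNetworkManagerSnippets(spec, "###PLUG_SECURITY_TAGS###", plugAppLabelExpr(plug),
		networkManagerConnectedSlotAppArmor, networkManagerConnectedSlotIntrospectionSnippet)
	return nil
}

// AppArmorPermanentSlot installs the unconditional AppArmor rules a snap
// providing the slot needs to operate as the NetworkManager service. The
// slot argument is not consulted.
func (iface *networkManagerInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotAppArmor)
	return nil
}

// DBusPermanentSlot installs the D-Bus bus policy: root may own
// org.freedesktop.NetworkManager, while the default context is denied
// ownership and limited to the listed interfaces and members.
func (iface *networkManagerInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotDBus)
	return nil
}

// SecCompPermanentSlot installs the seccomp rules for the service side of
// the interface.
func (iface *networkManagerInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(networkManagerPermanentSlotSecComp)
	return nil
}

// UDevPermanentSlot tags devices matching the udev rule KERNEL=="rfkill" for
// the slot snap, complementing the /dev/rfkill rw AppArmor rule.
func (iface *networkManagerInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
	spec.TagDevice(`KERNEL=="rfkill"`)
	return nil
}

// SecCompConnectedPlug installs the seccomp rules a connected plug needs to
// talk to the service.
func (iface *networkManagerInterface) SecCompConnectedPlug(spec *seccomp.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	spec.AddSnippet(networkManagerConnectedPlugSecComp)
	return nil
}

// AutoConnect always consents on the interface's behalf; the base
// declaration (deny-auto-connection: true) is meant to be the effective
// gate, so this method merely defers to the declaration rules.
func (iface *networkManagerInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	return true
}

func init() {
	registerIface(&networkManagerInterface{})
}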