// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

// Policy snippets for the "system-trace" interface. The AppArmor snippet
// grants CAP_SYS_ADMIN/CAP_SYS_RESOURCE plus read-write access under
// /sys/kernel/debug/tracing, and the seccomp snippet allows bpf and
// perf_event_open, so a connected plug can observe every process on the
// host. The base declaration therefore limits the slot to the core snap and
// turns auto-connection off: a store assertion or an explicit, manual
// connection is required.
const (
	// systemTraceSummary is the one-line human-readable description of the
	// interface.
	systemTraceSummary = `allows using kernel tracing facilities`

	// systemTraceBaseDeclarationSlots only permits the slot on the core snap
	// and denies auto-connection (YAML; indentation is significant).
	systemTraceBaseDeclarationSlots = `
  system-trace:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

	// systemTraceConnectedPlugAppArmor is the AppArmor profile fragment added
	// to the plug side once the interface is connected: bpf-related
	// capabilities, read access to kprobes, read-write access to tracefs and
	// read access to kernel sources under /usr/src (for iovisor/bcc).
	systemTraceConnectedPlugAppArmor = `
# Description: Can use kernel tracing facilities. This is restricted because it
# gives privileged access to all processes on the system and should only be
# used with trusted apps.

# For the bpf() syscall and manipulating bpf map types
capability sys_admin,
capability sys_resource,

# For kernel probes, etc
/sys/kernel/debug/kprobes/ r,
/sys/kernel/debug/kprobes/** r,

/sys/kernel/debug/tracing/ r,
/sys/kernel/debug/tracing/** rw,

# Access to kernel headers required for iovisor/bcc. This is typically
# detected with 'ls -l /lib/modules/$(uname -r)/build/' which is a symlink
# to /usr/src on Ubuntu and so only /usr/src is needed.
/usr/src/ r,
/usr/src/** r,
`

	// systemTraceConnectedPlugSecComp is the seccomp filter fragment added to
	// the plug side once connected; it whitelists the bpf and perf_event_open
	// syscalls.
	systemTraceConnectedPlugSecComp = `
# Description: Can use kernel tracing facilities. This is restricted because it
# gives privileged access to all processes on the system and should only be
# used with trusted apps.

bpf
perf_event_open
`
)

// init registers the system-trace interface with the builtin interface
// registry so it is available at package load time.
func init() {
	// The slot is provided implicitly on both core and classic systems;
	// reservedForOS presumably marks it as belonging to the OS snap (confirm
	// against commonInterface's definition).
	iface := &commonInterface{
		name:                  "system-trace",
		summary:               systemTraceSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  systemTraceBaseDeclarationSlots,
		connectedPlugAppArmor: systemTraceConnectedPlugAppArmor,
		connectedPlugSecComp:  systemTraceConnectedPlugSecComp,
		reservedForOS:         true,
	}
	registerIface(iface)
}