github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/builtin/u2f_devices.go

github.com/rigado/snapd@v2.42.5-go-mod+incompatible/interfaces/builtin/u2f_devices.go (about)

     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2019 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"fmt"
    24  	"github.com/snapcore/snapd/interfaces"
    25  	"github.com/snapcore/snapd/interfaces/udev"
    26  )
    27  
    28  const u2fDevicesSummary = `allows access to u2f devices`
    29  
    30  const u2fDevicesBaseDeclarationSlots = `
    31    u2f-devices:
    32      allow-installation:
    33        slot-snap-type:
    34          - core
    35      deny-auto-connection: true
    36  `
    37  
    38  type u2fDevice struct {
    39  	Name, VendorIDPattern, ProductIDPattern string
    40  }
    41  
    42  // https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules
    43  var u2fDevices = []u2fDevice{
    44  	{
    45  		Name:             "Yubico YubiKey",
    46  		VendorIDPattern:  "1050",
    47  		ProductIDPattern: "0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410",
    48  	},
    49  	{
    50  		Name:             "Happlink (formerly Plug-Up) Security KEY",
    51  		VendorIDPattern:  "2581",
    52  		ProductIDPattern: "f1d0",
    53  	},
    54  	{
    55  		Name:             "Neowave Keydo and Keydo AES",
    56  		VendorIDPattern:  "1e0d",
    57  		ProductIDPattern: "f1d0|f1ae",
    58  	},
    59  	{
    60  		Name:             "HyperSecu HyperFIDO",
    61  		VendorIDPattern:  "096e|2ccf",
    62  		ProductIDPattern: "0880",
    63  	},
    64  	{
    65  		Name:             "Feitian ePass FIDO, BioPass FIDO2",
    66  		VendorIDPattern:  "096e",
    67  		ProductIDPattern: "0850|0852|0853|0854|0856|0858|085a|085b|085d",
    68  	},
    69  	{
    70  		Name:             "JaCarta U2F",
    71  		VendorIDPattern:  "24dc",
    72  		ProductIDPattern: "0101",
    73  	},
    74  	{
    75  		Name:             "U2F Zero",
    76  		VendorIDPattern:  "10c4",
    77  		ProductIDPattern: "8acf",
    78  	},
    79  	{
    80  		Name:             "VASCO SeccureClick",
    81  		VendorIDPattern:  "1a44",
    82  		ProductIDPattern: "00bb",
    83  	},
    84  	{
    85  		Name:             "Bluink Key",
    86  		VendorIDPattern:  "2abe",
    87  		ProductIDPattern: "1002",
    88  	},
    89  	{
    90  		Name:             "Thetis Key",
    91  		VendorIDPattern:  "1ea8",
    92  		ProductIDPattern: "f025",
    93  	},
    94  	{
    95  		Name:             "Nitrokey FIDO U2F",
    96  		VendorIDPattern:  "20a0",
    97  		ProductIDPattern: "4287",
    98  	},
    99  	{
   100  		Name:             "Google Titan U2F",
   101  		VendorIDPattern:  "18d1",
   102  		ProductIDPattern: "5026",
   103  	},
   104  	{
   105  		Name:             "Tomu board + chopstx U2F + SoloKeys",
   106  		VendorIDPattern:  "0483",
   107  		ProductIDPattern: "cdab|a2ca",
   108  	},
   109  	{
   110  		Name:             "SoloKeys",
   111  		VendorIDPattern:  "1209",
   112  		ProductIDPattern: "5070|50b0",
   113  	},
   114  }
   115  
   116  const u2fDevicesConnectedPlugAppArmor = `
   117  # Description: Allow write access to u2f hidraw devices.
   118  
   119  # Use a glob rule and rely on device cgroup for mediation.
   120  /dev/hidraw* rw,
   121  
   122  # char 234-254 are used for dynamic assignment, which u2f devices are
   123  /run/udev/data/c23[4-9]:* r,
   124  /run/udev/data/c24[0-9]:* r,
   125  /run/udev/data/c25[0-4]:* r,
   126  
   127  # misc required accesses
   128  /run/udev/data/+power_supply:hid* r,
   129  /run/udev/data/c14:[0-9]* r,
   130  /sys/devices/**/i2c*/**/report_descriptor r,
   131  /sys/devices/**/usb*/**/report_descriptor r,
   132  `
   133  
   134  type u2fDevicesInterface struct {
   135  	commonInterface
   136  }
   137  
   138  func (iface *u2fDevicesInterface) UDevConnectedPlug(spec *udev.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
   139  	for _, d := range u2fDevices {
   140  		spec.TagDevice(fmt.Sprintf("# %s\nSUBSYSTEM==\"hidraw\", KERNEL==\"hidraw*\", ATTRS{idVendor}==\"%s\", ATTRS{idProduct}==\"%s\"", d.Name, d.VendorIDPattern, d.ProductIDPattern))
   141  	}
   142  	return nil
   143  }
   144  
   145  func init() {
   146  	registerIface(&u2fDevicesInterface{commonInterface{
   147  		name:                  "u2f-devices",
   148  		summary:               u2fDevicesSummary,
   149  		implicitOnCore:        true,
   150  		implicitOnClassic:     true,
   151  		baseDeclarationSlots:  u2fDevicesBaseDeclarationSlots,
   152  		connectedPlugAppArmor: u2fDevicesConnectedPlugAppArmor,
   153  		reservedForOS:         true,
   154  	}})
   155  }