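// -*- Mode: Go; indent-tabs-mode: t -*-

/*
 * Copyright (C) 2016 Canonical Ltd
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package builtin

import (
	"strings"

	"github.com/snapcore/snapd/interfaces"
	"github.com/snapcore/snapd/interfaces/apparmor"
	"github.com/snapcore/snapd/interfaces/dbus"
	"github.com/snapcore/snapd/interfaces/seccomp"
	"github.com/snapcore/snapd/release"
	"github.com/snapcore/snapd/snap"
)

// unity8PimCommonPermanentSlotAppArmor is the AppArmor policy every slot
// side of a unity8 PIM interface receives, independent of any connection.
// It lets the slot app act as the EDS service on the session bus: request
// and release bus names, talk to unconfined org.freedesktop.* peers, bind
// the Sources5 name and exchange messages with any app of its own snap
// (peer label "snap.@{SNAP_INSTANCE_NAME}.*"). The policy text is AppArmor
// syntax; the `#` lines are AppArmor comments and are part of the string.
const unity8PimCommonPermanentSlotAppArmor = `
# Description: Allow operating as the EDS service. This gives privileged access
# to the system.

# DBus accesses
#include <abstractions/dbus-session-strict>

dbus (send)
    bus=session
    path=/org/freedesktop/DBus
    interface=org.freedesktop.DBus
    member={Request,Release}Name
    peer=(name=org.freedesktop.DBus, label=unconfined),

dbus (send)
    bus=session
    path=/org/freedesktop/*
    interface=org.freedesktop.DBus.Properties
    peer=(label=unconfined),

# Allow services to communicate with each other
dbus (receive, send)
    peer=(label="snap.@{SNAP_INSTANCE_NAME}.*"),

# Allow binding the service to the requested connection name
dbus (bind)
    bus=session
    name="org.gnome.evolution.dataserver.Sources5",
`

// unity8PimCommonConnectedSlotAppArmor is the slot-side policy added per
// connection. ###PLUG_SECURITY_TAGS### is replaced with the label
// expression of the connected plug's apps, so only those apps can reach
// the SourceManager object tree.
const unity8PimCommonConnectedSlotAppArmor = `
# Allow service to interact with connected clients

########################
# SourceManager
########################
dbus (receive, send)
    bus=session
    path=/org/gnome/evolution/dataserver/SourceManager{,/**}
    peer=(label=###PLUG_SECURITY_TAGS###),
`

// unity8PimCommonConnectedPlugAppArmor is the plug-side policy added per
// connection. ###SLOT_SECURITY_TAGS### is replaced with the label
// expression of the connected slot's apps (or with "unconfined" on
// classic, see AppArmorConnectedPlug).
const unity8PimCommonConnectedPlugAppArmor = `
# DBus accesses
#include <abstractions/dbus-session-strict>

########################
# SourceManager
########################
dbus (receive, send)
    bus=session
    path=/org/gnome/evolution/dataserver/SourceManager{,/**}
    peer=(label=###SLOT_SECURITY_TAGS###),

# Allow clients to introspect the service
dbus (send)
    bus=session
    path=/org/gnome/Evolution
    interface=org.freedesktop.DBus.Introspectable
    member=Introspect
    peer=(label=###SLOT_SECURITY_TAGS###),
`

// unity8PimCommonPermanentSlotSecComp is the seccomp policy for the slot
// app: the listening-socket syscalls a service needs.
const unity8PimCommonPermanentSlotSecComp = `
# Description: Allow operating as the EDS service. This gives privileged access
# to the system.
accept
accept4
bind
listen
shutdown
`

// unity8PimCommonInterface is the shared implementation behind the unity8
// PIM interfaces. Each concrete interface supplies its name, summary, base
// declaration and the AppArmor fragments specific to it; this type appends
// those fragments to the common EDS policy defined above.
type unity8PimCommonInterface struct {
	name                 string
	summary              string
	baseDeclarationSlots string
	// permanentSlotAppArmor is appended to unity8PimCommonPermanentSlotAppArmor.
	permanentSlotAppArmor string
	// connectedSlotAppArmor is appended to unity8PimCommonConnectedSlotAppArmor
	// and may use the ###PLUG_SECURITY_TAGS### placeholder.
	connectedSlotAppArmor string
	// connectedPlugAppArmor is appended to unity8PimCommonConnectedPlugAppArmor
	// and may use the ###SLOT_SECURITY_TAGS### placeholder.
	connectedPlugAppArmor string
}

// Name returns the interface name.
func (iface *unity8PimCommonInterface) Name() string {
	return iface.name
}

// StaticInfo returns the interface summary and its base declaration for slots.
func (iface *unity8PimCommonInterface) StaticInfo() interfaces.StaticInfo {
	return interfaces.StaticInfo{
		Summary:              iface.summary,
		BaseDeclarationSlots: iface.baseDeclarationSlots,
	}
}

// DBusPermanentSlot adds no D-Bus policy for now.
func (iface *unity8PimCommonInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
	// FIXME: Implement support after session services are available.
	return nil
}

// AppArmorConnectedPlug adds the plug-side AppArmor policy for a connection:
// the common client rules plus the interface-specific ones, with
// ###SLOT_SECURITY_TAGS### resolved to the slot snap's app label expression.
// On classic a second copy is added whose peer label is "unconfined", so that
// a confined client can reach a service that runs unconfined there. That
// copy matches any unconfined session-bus peer on the listed object paths,
// not only the EDS service, which is the price of supporting classic.
func (iface *unity8PimCommonInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###SLOT_SECURITY_TAGS###"
	template := unity8PimCommonConnectedPlugAppArmor + "\n" + iface.connectedPlugAppArmor

	spec.AddSnippet(strings.Replace(template, placeholder, slotAppLabelExpr(slot), -1))

	if release.OnClassic {
		// Let confined apps access the unconfined service on classic.
		spec.AddSnippet(strings.Replace(template, placeholder, "unconfined", -1))
	}

	return nil
}

// AppArmorPermanentSlot adds the common EDS service policy followed by the
// interface-specific permanent slot policy.
func (iface *unity8PimCommonInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(unity8PimCommonPermanentSlotAppArmor)
	spec.AddSnippet(iface.permanentSlotAppArmor)
	return nil
}

// AppArmorConnectedSlot adds the slot-side AppArmor policy for a connection:
// the common service rules plus the interface-specific ones, with
// ###PLUG_SECURITY_TAGS### resolved to the plug snap's app label expression.
func (iface *unity8PimCommonInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	// Same shape as AppArmorConnectedPlug: common fragment, newline, specific fragment.
	template := unity8PimCommonConnectedSlotAppArmor + "\n" + iface.connectedSlotAppArmor

	spec.AddSnippet(strings.Replace(template, placeholder, plugAppLabelExpr(plug), -1))
	return nil
}

// SecCompPermanentSlot adds the seccomp policy the slot app needs to serve
// connections.
func (iface *unity8PimCommonInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	spec.AddSnippet(unity8PimCommonPermanentSlotSecComp)
	return nil
}

// AutoConnect always reports true; whether a connection is actually made is
// left to what the declarations allow.
func (iface *unity8PimCommonInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// allow what declarations allowed
	return true
}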