
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2017-2018 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
    22  import (
    23  	"github.com/snapcore/snapd/interfaces"
    24  	"github.com/snapcore/snapd/interfaces/apparmor"
    25  	"github.com/snapcore/snapd/interfaces/seccomp"
    26  	"github.com/snapcore/snapd/interfaces/udev"
    27  	"github.com/snapcore/snapd/snap"
    28  
    29  	"strings"
    30  )
    31  
// Policy text for the wayland interface.
//
// The AppArmor and seccomp snippets below are handed to their backends
// verbatim: the '#'-prefixed lines inside the raw strings are policy
// comments and are part of the emitted profile, not Go comments.
const (
	// waylandSummary is the one-line description shown for the interface.
	waylandSummary = `allows access to compositors supporting wayland protocol`

	// waylandBaseDeclarationSlots governs who may provide the slot: only app
	// and core snaps may install it, and on non-classic systems both manual
	// and automatic connection are denied by default. The slot side carries
	// privileged policy (see waylandPermanentSlotAppArmor), which is why the
	// declaration is restrictive.
	waylandBaseDeclarationSlots = `
  wayland:
    allow-installation:
      slot-snap-type:
        - app
        - core
    deny-connection:
      on-classic: false
    deny-auto-connection:
      on-classic: false
`

	// waylandPermanentSlotAppArmor is the compositor-side AppArmor policy.
	// It is privileged: it grants sys_tty_config and sys_admin, read/write
	// access to every /dev/input/* node and to the tty devices, and creation
	// of the compositor socket and lock file under /run/user/<uid>/.
	waylandPermanentSlotAppArmor = `
# Description: Allow operating as a Wayland display server. This gives privileged access
# to the system.

# needed since Wayland is a display server and needs to configure tty devices
capability sys_tty_config,
/dev/tty[0-9]* rw,

# Create the Wayland socket and lock file
owner /run/user/[0-9]*/wayland-[0-9]* rwk,
# Allow access to common client Wayland sockets from non-snap clients
/run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,

# Allow reading an Xwayland Xauth file
# (see https://gitlab.gnome.org/GNOME/mutter/merge_requests/626)
/run/user/[0-9]*/.mutter-Xwaylandauth.* r,
/run/user/[0-9]*/mutter/Xauthority r,

# Allow write access to create /run/user/* to create XDG_RUNTIME_DIR (until
# lp:1738197 is fixed). Note this is not needed if creating a session using
# logind (as provided by the login-session-control snapd interface).
/run/user/[0-9]*/ w,

# Needed for mode setting via drmSetMaster() and drmDropMaster()
capability sys_admin,

# Weston probes this on start
/sys/devices/pci**/boot_vga r,

# NOTE: this allows reading and inserting all input events
/dev/input/* rw,

# For using udev
network netlink raw,
/run/udev/data/c13:[0-9]* r,
/run/udev/data/+input:input[0-9]* r,
/run/udev/data/+platform:* r,

# MESA reads this dri config file
/etc/drirc r,
`

	// waylandPermanentSlotSecComp is the compositor-side seccomp policy: the
	// listening-socket syscalls plus the netlink uevent socket used for udev.
	waylandPermanentSlotSecComp = `
# Description: Allow operating as a Wayland server. This gives privileged access
# to the system.
# Needed for server launch
bind
listen
# Needed by server upon client connect
accept
accept4
# for udev
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`

	// waylandConnectedSlotAppArmor is added to the compositor once per
	// connected plug. ###PLUG_SECURITY_TAGS### is a placeholder that
	// AppArmorConnectedSlot replaces with the plug snap's runtime
	// subdirectory name, so the grant is scoped to that one snap.
	waylandConnectedSlotAppArmor = `
# Allow access to common client Wayland sockets for connected snaps
owner /run/user/[0-9]*/###PLUG_SECURITY_TAGS###/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
`

	// waylandConnectedPlugAppArmor is the client-side policy: the compositor
	// socket (restricted to the client's own uid via "owner") and the MESA
	// dri config file.
	waylandConnectedPlugAppArmor = `
# Allow access to the Wayland compositor server socket
owner /run/user/[0-9]*/wayland-[0-9]* rw,

# Needed when using QT_QPA_PLATFORM=wayland-egl (MESA dri config)
/etc/drirc r,
`
)
   113  
// waylandInterface implements the "wayland" interface. It carries no state;
// all policy it emits comes from the package-level wayland* constants.
type waylandInterface struct{}
   115  
// Name returns the interface name under which this implementation is
// registered and referenced from snap declarations.
func (iface *waylandInterface) Name() string {
	const name = "wayland"
	return name
}
   119  
// StaticInfo describes the interface to the policy machinery: its summary,
// that the slot is provided implicitly by the system on classic systems, and
// the base declaration that restricts who may provide the slot.
func (iface *waylandInterface) StaticInfo() interfaces.StaticInfo {
	var info interfaces.StaticInfo
	info.Summary = waylandSummary
	info.ImplicitOnClassic = true
	info.BaseDeclarationSlots = waylandBaseDeclarationSlots
	return info
}
   127  
// AppArmorConnectedPlug adds the client-side AppArmor policy when a plug is
// connected to a wayland slot: the compositor socket under the user's
// runtime directory and read access to the MESA dri config file.
func (iface *waylandInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	// The plug side takes nothing from the slot; the policy is static.
	snippet := waylandConnectedPlugAppArmor
	spec.AddSnippet(snippet)
	return nil
}
   132  
// AppArmorConnectedSlot adds the compositor-side AppArmor policy for one
// connected plug snap: access to that snap's shared client sockets under its
// runtime subdirectory of /run/user/<uid>/.
//
// The ###PLUG_SECURITY_TAGS### placeholder in waylandConnectedSlotAppArmor is
// replaced with "snap." plus the plug snap's instance name, so the grant is
// scoped to the connected snap only; the rule also carries the AppArmor
// "owner" qualifier, so it matches only files owned by the compositor's uid.
// NOTE(review): the substituted name lands inside an AppArmor path glob, so
// this relies on snap instance names being validated elsewhere to contain no
// glob metacharacters — confirm in the snap name validation code.
func (iface *waylandInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
	const placeholder = "###PLUG_SECURITY_TAGS###"
	// Snap-instance-specific subdirectory of /run/user/<uid>/ that is used as
	// the plug snap's XDG_RUNTIME_DIR.
	tagDir := "snap." + plug.Snap().InstanceName()
	snippet := strings.Replace(waylandConnectedSlotAppArmor, placeholder, tagDir, -1)
	spec.AddSnippet(snippet)
	return nil
}
   140  
// SecCompPermanentSlot adds the compositor-side seccomp policy that applies
// whenever the slot is present, independent of any connection: the
// listening-socket syscalls and the netlink uevent socket used for udev.
func (iface *waylandInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
	snippet := waylandPermanentSlotSecComp
	spec.AddSnippet(snippet)
	return nil
}
   145  
// AppArmorPermanentSlot adds the compositor-side AppArmor policy that applies
// whenever the slot is present, independent of any connection. This is the
// privileged part of the interface (sys_tty_config, sys_admin, read/write on
// all /dev/input/* nodes); see waylandPermanentSlotAppArmor.
func (iface *waylandInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
	snippet := waylandPermanentSlotAppArmor
	spec.AddSnippet(snippet)
	return nil
}
   150  
// UDevPermanentSlot registers the input subsystem and the tty, mouse, event
// and touchscreen device nodes with the udev backend for the slot snap.
// NOTE(review): presumably TagDevice feeds the snap's device access rules and
// TriggerSubsystem re-announces already-present input devices — confirm
// against the udev package.
func (iface *waylandInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {
	spec.TriggerSubsystem("input")
	// Kept in a fixed order so the generated rules are deterministic.
	deviceRules := []string{
		`KERNEL=="tty[0-9]*"`,
		`KERNEL=="mice"`,
		`KERNEL=="mouse[0-9]*"`,
		`KERNEL=="event[0-9]*"`,
		`KERNEL=="ts[0-9]*"`,
	}
	for _, rule := range deviceRules {
		spec.TagDevice(rule)
	}
	return nil
}
   160  
// AutoConnect reports whether the interface may auto-connect. It always
// answers true: the decision is left entirely to the base declaration and
// store assertions rather than to per-interface checks.
func (iface *waylandInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {
	// Defer to whatever the declarations allow.
	allowed := true
	return allowed
}
   165  
// init registers the wayland interface with the builtin interface registry.
func init() {
	registerIface(new(waylandInterface))
}