
     1  // -*- Mode: Go; indent-tabs-mode: t -*-
     2  
     3  /*
     4   * Copyright (C) 2019 Canonical Ltd
     5   *
     6   * This program is free software: you can redistribute it and/or modify
     7   * it under the terms of the GNU General Public License version 3 as
     8   * published by the Free Software Foundation.
     9   *
    10   * This program is distributed in the hope that it will be useful,
    11   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    12   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13   * GNU General Public License for more details.
    14   *
    15   * You should have received a copy of the GNU General Public License
    16   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    17   *
    18   */
    19  
    20  package builtin
    21  
// Policy snippets for the block-devices interface.
//
// The AppArmor profile below deliberately names only whole-disk nodes: loop,
// ram, CDROM, generic SCSI, network, tape and raid devices, and individual
// partitions, are left out. A few controller character devices are included
// because they are the means of configuring the corresponding block device.
//
// Device node names follow
// https://www.kernel.org/doc/Documentation/admin-guide/devices.txt; only the
// common families are listed for now. Known but intentionally omitted so far:
//
//	/dev/mfm{a,b} rw,                        # Acorn MFM
//	/dev/ad[a-p] rw,                         # ACSI
//	/dev/pd[a-d] rw,                         # Parallel port IDE
//	/dev/pf[0-3] rw,                         # Parallel port ATAPI
//	/dev/ub[a-z] rw,                         # USB block device
const (
	// blockDevicesSummary is the one-line description of the interface.
	blockDevicesSummary = `allows access to disk block devices`

	// blockDevicesBaseDeclarationPlugs: plugs cannot be installed without a
	// store assertion and are never auto-connected.
	blockDevicesBaseDeclarationPlugs = `
  block-devices:
    allow-installation: false
    deny-auto-connection: true
`

	// blockDevicesBaseDeclarationSlots: only the core snap may provide the
	// slot, and it is never auto-connected.
	blockDevicesBaseDeclarationSlots = `
  block-devices:
    allow-installation:
      slot-snap-type:
        - core
    deny-auto-connection: true
`

	// blockDevicesConnectedPlugAppArmor is the AppArmor snippet applied to a
	// connected plug. Besides the device paths it grants sys_rawio and
	// sys_admin, both of which are very broad capabilities; the restrictive
	// base declarations above exist because of this.
	blockDevicesConnectedPlugAppArmor = `
# Description: Allow write access to raw disk block devices.

@{PROC}/devices r,
/run/udev/data/b[0-9]*:[0-9]* r,
/sys/block/ r,
/sys/devices/**/block/** r,
/sys/dev/block/ r,
/sys/devices/platform/soc/**/mmc_host/** r,
# Allow reading major and minor numbers for block special files of NVMe namespaces.
/sys/devices/**/nvme/**/dev r,

# Access to raw devices, not individual partitions
/dev/hd[a-t] rw,                                          # IDE, MFM, RLL
/dev/sd{,[a-h]}[a-z] rw,                                  # SCSI
/dev/sdi[a-v] rw,                                         # SCSI continued
/dev/i2o/hd{,[a-c]}[a-z] rw,                              # I2O hard disk
/dev/i2o/hdd[a-x] rw,                                     # I2O hard disk continued
/dev/mmcblk[0-9]{,[0-9],[0-9][0-9]} rw,                   # MMC (up to 1000 devices)
/dev/vd[a-z] rw,                                          # virtio

# Allow /dev/nvmeXnY namespace block devices. Please note this grants access to all
# NVMe namespace block devices and that the numeric suffix on the character device
# does not necessarily correspond to a namespace block device with the same suffix
# From 'man nvme-format' : 
#   Note, the numeric suffix on the character device, for example the 0 in
#   /dev/nvme0, does NOT indicate this device handle is the parent controller
#   of any namespaces with the same suffix. The namespace handle's numeral may
#   be coming from the subsystem identifier, which is independent of the
#   controller's identifier. Do not assume any particular device relationship
#   based on their names. If you do, you may irrevocably erase data on an
#   unintended device.
/dev/nvme{[0-9],[1-9][0-9]}n{[1-9],[1-5][0-9],6[0-3]} rw, # NVMe (up to 100 devices, with 1-63 namespaces)

# Allow /dev/nvmeX controller character devices. These character devices allow
# manipulation of the block devices that we also allow above, so grouping this
# access here makes sense, whereas access to individual partitions is delegated
# to the raw-volume interface.
/dev/nvme{[0-9],[1-9][0-9]} rw,                           # NVMe (up to 100 devices)

# SCSI device commands, et al
capability sys_rawio,

# Perform various privileged block-device ioctl operations
capability sys_admin,

# Devices for various controllers used with ioctl()
/dev/mpt2ctl{,_wd} rw,
/dev/megaraid_sas_ioctl_node rw,
`
)
    99  
// blockDevicesConnectedPlugUDev lists the udev match rules applied to a
// connected plug.
//
// NOTE(review): SUBSYSTEM=="block" matches every block device, including
// partitions and loop/ram devices, not just the whole-disk nodes enumerated in
// blockDevicesConnectedPlugAppArmor; presumably the AppArmor path rules are
// what actually narrow access, so the two lists are intentionally different in
// scope — confirm.
var blockDevicesConnectedPlugUDev = []string{
	`SUBSYSTEM=="block"`,
	// these additional subsystems may not directly be block devices but they
	// allow for manipulation of the block devices and so are grouped here as
	// well
	`SUBSYSTEM=="nvme"`,
	`KERNEL=="mpt2ctl*"`,
	`KERNEL=="megaraid_sas_ioctl_node"`,
}
   109  
// blockDevicesInterface is the block-devices interface. It adds nothing of
// its own; all behaviour comes from the embedded commonInterface, which is
// populated in init.
type blockDevicesInterface struct {
	commonInterface
}
   113  
// init registers the block-devices interface, wiring the policy snippets and
// base declarations defined in this file into a commonInterface.
func init() {
	base := commonInterface{
		name:              "block-devices",
		summary:           blockDevicesSummary,
		implicitOnCore:    true,
		implicitOnClassic: true,
		// Both base declarations deny auto-connection; see the const block
		// above for the full text.
		baseDeclarationPlugs:  blockDevicesBaseDeclarationPlugs,
		baseDeclarationSlots:  blockDevicesBaseDeclarationSlots,
		connectedPlugAppArmor: blockDevicesConnectedPlugAppArmor,
		connectedPlugUDev:     blockDevicesConnectedPlugUDev,
	}
	registerIface(&blockDevicesInterface{commonInterface: base})
}