// -*- Mode: Go; indent-tabs-mode: t -*-
/*
* Copyright (C) 2019 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package builtin
// loginSessionObserveSummary is the one-line summary registered for the
// login-session-observe interface.
const loginSessionObserveSummary = `allows reading login and session information`
// loginSessionObserveBaseDeclarationSlots is the base-declaration fragment for
// the login-session-observe slot. It allows installation only when the slot is
// on a snap of type core, and it denies auto-connection, so a plug does not
// gain access to login and session records unless it is connected explicitly.
const loginSessionObserveBaseDeclarationSlots = `
login-session-observe:
allow-installation:
slot-snap-type:
- core
deny-auto-connection: true
`
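// loginSessionObserveConnectedPlugAppArmor is the AppArmor snippet added to a
// plug's profile once it is connected to the login-session-observe slot.
//
// File rules: execute who, lastlog, faillog and loginctl under the snap's own
// profile (ixr), and read/lock (rk) wtmp, utmp, lastlog, faillog and the
// numbered systemd session files. No rule grants write access.
//
// D-Bus rules (system bus, login1): send is limited to Introspect,
// Properties.Get/GetAll and the Manager List*/Get* lookups; receive is limited
// to PropertiesChanged, {Session,User,Seat}{New,Removed} and the PrepareFor*
// signals from an unconfined peer. No state-changing Manager method is listed.
//
// The send rules carry no peer label; the in-profile comment attributes this
// to login1 being D-Bus activated.
// NOTE(review): they also name no peer at all, so they match on path and
// interface only — confirm that is acceptable for this interface.
//
// The PrepareFor rule must spell the signal "PrepareForShutdown"; a truncated
// alternation ("Shutdow") matches no real member, so the shutdown notification
// would be denied while PrepareForSleep still passes.
const loginSessionObserveConnectedPlugAppArmor = `
# Allow reading login and session information
/{,usr/}bin/who ixr,
/var/log/wtmp rk,
/{,var/}run/utmp rk,
/{,usr/}bin/lastlog ixr,
/var/log/lastlog rk,
/{,usr/}bin/faillog ixr,
/var/log/faillog rk,
# systemd session information (session files, but not .ref files)
/run/systemd/sessions/ r,
/run/systemd/sessions/*[0-9] rk,
# Supported loginctl commands:
# - list-sessions
# - show-session N
# - list-users
# - show-user N
# - list-seats
# - show-seat N
/{,usr/}bin/loginctl ixr,
#include <abstractions/dbus-strict>
# Introspection of org.freedesktop.login1
# do not use peer=(label=unconfined) here since this is DBus activated
dbus (send)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Introspectable
member=Introspect,
dbus (send)
bus=system
path=/org/freedesktop/login1{,/seat/*,/session/*,/user/*}
interface=org.freedesktop.DBus.Properties
member=Get{,All},
dbus (receive)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.DBus.Properties
member=PropertiesChanged
peer=(label=unconfined),
dbus (receive)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={Session,User,Seat}New
peer=(label=unconfined),
dbus (receive)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member={Session,User,Seat}Removed
peer=(label=unconfined),
dbus (receive)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=PrepareFor{Shutdown,Sleep}
peer=(label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=List{Seats,Sessions,Users},
dbus (send)
bus=system
path=/org/freedesktop/login1
interface=org.freedesktop.login1.Manager
member=Get{Seat,Session,User},
`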
// loginSessionObserveInterface is the login-session-observe interface type.
// It adds no fields or methods of its own here; everything comes from the
// embedded commonInterface.
type loginSessionObserveInterface struct {
commonInterface
}
// init registers the login-session-observe interface at package load time,
// wiring in the summary, the base-declaration slot policy and the AppArmor
// snippet applied to connected plugs.
func init() {
	// implicitOnCore/implicitOnClassic are both set; presumably the slot is
	// then provided implicitly on core and classic systems — confirm against
	// commonInterface.
	base := commonInterface{
		name:                  "login-session-observe",
		summary:               loginSessionObserveSummary,
		implicitOnCore:        true,
		implicitOnClassic:     true,
		baseDeclarationSlots:  loginSessionObserveBaseDeclarationSlots,
		connectedPlugAppArmor: loginSessionObserveConnectedPlugAppArmor,
	}
	iface := &loginSessionObserveInterface{commonInterface: base}
	registerIface(iface)
}