interfaces/desktop: allow access to Mutter IdleMonitor idle time (sna…

…pcore#13304)

* interfaces/desktop: allow access to Mutter IdleMonitor idle time

Whilst other methods on the Mutter IdleMonitor look potentially problematic,
GetIdletime should be relatively safe to expose to all desktop applications - in
particular this is used by firefox nowadays as seen in
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/2037655

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* interfaces/desktop: support Mutter Idletime on Ubuntu Core Desktop

Move this rule into desktopConnectedPlugAppArmor and change the peer label
restriction to be a name instead so that it matches both classic and Ubuntu Core
based desktops.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

* interfaces/desktop: Use correct label for Mutter on both classic and UC

Thanks @jhenstridge for the suggestion.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

---------

Signed-off-by: Alex Murray <alex.murray@canonical.com>
Co-authored-by: Miguel Pires <miguel.pires@canonical.com>

interfaces/builtin/desktop.go

@@ -21,6 +21,7 @@ package builtin
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/snapcore/snapd/dirs"
 	"github.com/snapcore/snapd/interfaces"
@@ -126,6 +127,13 @@ dbus (send)
     path=/org/freedesktop/portal/documents{,/**}
     peer=(name=org.freedesktop.portal.Documents),
 
+# Allow to get the current idle time only from Mutter
+dbus (send)
+    bus=session
+    path="/org/gnome/Mutter/IdleMonitor/Core"
+    interface="org.gnome.Mutter.IdleMonitor"
+    member="GetIdletime"
+    peer=(label=###SLOT_SECURITY_TAGS###),
 `
 
 const desktopConnectedPlugAppArmorClassic = `
@@ -430,7 +438,17 @@ func (iface *desktopInterface) fontconfigDirs(plug *interfaces.ConnectedPlug) ([
 }
 
 func (iface *desktopInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
-	spec.AddSnippet(desktopConnectedPlugAppArmor)
+	old := "###SLOT_SECURITY_TAGS###"
+	var new string
+	if implicitSystemConnectedSlot(slot) {
+		// we are running on a system that has the desktop slot
+		// provided by the OS snap and so will run unconfined
+		new = "unconfined"
+	} else {
+		new = slotAppLabelExpr(slot)
+	}
+	snippet := strings.Replace(desktopConnectedPlugAppArmor, old, new, -1)
+	spec.AddSnippet(snippet)
 	if implicitSystemConnectedSlot(slot) {
 		// Extra rules that have not been ported to work with
 		// a desktop slot provided by a snap.

interfaces/builtin/desktop_test.go

@@ -111,6 +111,10 @@ func (s *DesktopInterfaceSuite) TestAppArmorSpec(c *C) {
 	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Description: Can access basic graphical desktop resources")
 	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "#include <abstractions/fonts>")
 
+	// check desktop interface uses correct label for Mutter when provided
+	// by a snap
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "  member=\"GetIdletime\"\n    peer=(label=\"snap.provider.app\"),\n")
+
 	// There are UpdateNS rules to allow mounting the font directories too
 	updateNS := spec.UpdateNS()
 	c.Check(updateNS, testutil.Contains, "  # Read-only access to /usr/share/fonts\n")
@@ -135,6 +139,10 @@ func (s *DesktopInterfaceSuite) TestAppArmorSpec(c *C) {
 	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "/etc/gtk-3.0/settings.ini r,")
 	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "# Allow access to xdg-desktop-portal and xdg-document-portal")
 
+	// check desktop interface uses correct label for Mutter when provided
+	// by the system
+	c.Check(spec.SnippetForTag("snap.consumer.app"), testutil.Contains, "  member=\"GetIdletime\"\n    peer=(label=unconfined),\n")
+
 	// As well as the font directories, the document portal can be mounted
 	updateNS = spec.UpdateNS()
 	c.Check(updateNS, testutil.Contains, "  # Mount the document portal\n")