/snapd

Permalink
Switch branches/tags
zyga-demo-caps1 ppa 2.30 2.29.4.2 2.29.4.1 2.29.4 2.29.3.1 2.29.3 2.29.2 2.29.1 2.29 2.28.5 2.28.4 2.28.3 2.28.2 2.28.1 2.28 2.27.6 2.27.5 2.27.4 2.27.3 2.27.2 2.27.1 2.27 2.26.14 2.26.13 2.26.10 2.26.9 2.26.8 2.26.6 2.26.5 2.26.4 2.26.3 2.26.2 2.26.1 2.26 2.25 2.24 2.23.6 2.23.5 2.23.4 2.23.3 2.23.2 2.23.1 2.23 2.22.7 2.22.6 2.22.5 2.22.4 2.22.3 2.22.2 2.22.1 2.22 2.21.14.04.1 2.21 2.20.1.14.04 2.20.1 2.20 2.19 2.18.1 2.18 2.17.1 2.17 2.16 2.15.2 2.15.1 2.15 2.14.2.16.04 2.14.1 2.14 2.13 2.12 2.11 2.0.10 2.0.9 2.0.8.1 2.0.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.2 2.0.1 2.0 1.9.4.1 1.9.4 1.9.3 1.9.2 1.9.1 1.9 1.7.3+20160310ubuntu1 1.7.3+20160308ubuntu1 1.7.3+20160303ubuntu4 1.7.3+20160303ubuntu3 1.7.3+20160303ubuntu2 1.7.3+20160303ubuntu1 1.7.3+20160225ubuntu1 1.7.2+20160223ubuntu1 1.7.2+20160204ubuntu1
Nothing to show
Find file
snapd/interfaces/builtin/bluez.go
Fetching contributors…
Cannot retrieve contributors at this time
Raw Blame History
271 lines (229 sloc) 7.39 KB
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
* Copyright (C) 2016-2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package builtin
import (
"strings"
"github.com/snapcore/snapd/interfaces"
"github.com/snapcore/snapd/interfaces/apparmor"
"github.com/snapcore/snapd/interfaces/dbus"
"github.com/snapcore/snapd/interfaces/seccomp"
"github.com/snapcore/snapd/interfaces/udev"
"github.com/snapcore/snapd/release"
"github.com/snapcore/snapd/snap"
)
const bluezSummary = `allows operating as the bluez service`
const bluezBaseDeclarationSlots = `
bluez:
allow-installation:
slot-snap-type:
- app
- core
deny-auto-connection: true
deny-connection:
on-classic: false
`
const bluezPermanentSlotAppArmor = `
# Description: Allow operating as the bluez service. This gives privileged
# access to the system.
network bluetooth,
capability net_admin,
capability net_bind_service,
# libudev
network netlink raw,
# File accesses
/sys/bus/usb/drivers/btusb/ r,
/sys/bus/usb/drivers/btusb/** r,
/sys/class/bluetooth/ r,
/sys/devices/**/bluetooth/ rw,
/sys/devices/**/bluetooth/** rw,
/sys/devices/**/id/chassis_type r,
# TODO: use snappy hardware assignment for this once LP: #1498917 is fixed
/dev/rfkill rw,
# DBus accesses
#include <abstractions/dbus-strict>
dbus (send)
bus=system
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={Request,Release}Name
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (send)
bus=system
path=/org/freedesktop/*
interface=org.freedesktop.DBus.Properties
peer=(label=unconfined),
# Allow binding the service to the requested connection name
dbus (bind)
bus=system
name="org.bluez",
# Allow binding the service to the requested connection name
dbus (bind)
bus=system
name="org.bluez.obex",
# Allow traffic to/from our interface with any method for unconfined clients
# to talk to our bluez services. For the org.bluez interface we don't specify
# an Object Path since according to the bluez specification these can be
# anything (https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/doc).
dbus (receive, send)
bus=system
interface=org.bluez.*
peer=(label=unconfined),
dbus (receive, send)
bus=system
path=/org/bluez{,/**}
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
# Allow traffic to/from org.freedesktop.DBus for bluez service. This rule is
# not snap-specific and grants privileged access to the org.freedesktop.DBus
# on the system bus.
dbus (receive, send)
bus=system
path=/
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
# Allow access to hostname system service
dbus (receive, send)
bus=system
path=/org/freedesktop/hostname1
interface=org.freedesktop.DBus.Properties
peer=(label=unconfined),
`
const bluezConnectedSlotAppArmor = `
# Allow connected clients to interact with the service
# Allow all access to bluez service
dbus (receive, send)
bus=system
peer=(label=###PLUG_SECURITY_TAGS###),
`
const bluezConnectedPlugAppArmor = `
# Description: Allow using bluez service. This gives privileged access to the
# bluez service.
#include <abstractions/dbus-strict>
# Allow all access to bluez service
dbus (receive, send)
bus=system
peer=(label=###SLOT_SECURITY_TAGS###),
dbus (send)
bus=system
peer=(name=org.bluez, label=unconfined),
dbus (send)
bus=system
peer=(name=org.bluez.obex, label=unconfined),
dbus (receive)
bus=system
path=/
interface=org.freedesktop.DBus.ObjectManager
peer=(label=unconfined),
dbus (receive)
bus=system
path=/org/bluez{,/**}
interface=org.freedesktop.DBus.*
peer=(label=unconfined),
`
const bluezPermanentSlotSecComp = `
# Description: Allow operating as the bluez service. This gives privileged
# access to the system.
accept
accept4
bind
listen
# libudev
socket AF_NETLINK - NETLINK_KOBJECT_UEVENT
`
const bluezPermanentSlotDBus = `
<policy user="root">
<allow own="org.bluez"/>
<allow own="org.bluez.obex"/>
<allow send_destination="org.bluez"/>
<allow send_destination="org.bluez.obex"/>
<allow send_interface="org.bluez.Agent1"/>
<allow send_interface="org.bluez.ThermometerWatcher1"/>
<allow send_interface="org.bluez.AlertAgent1"/>
<allow send_interface="org.bluez.Profile1"/>
<allow send_interface="org.bluez.HeartRateWatcher1"/>
<allow send_interface="org.bluez.CyclingSpeedWatcher1"/>
<allow send_interface="org.bluez.GattCharacteristic1"/>
<allow send_interface="org.bluez.GattDescriptor1"/>
<allow send_interface="org.freedesktop.DBus.ObjectManager"/>
<allow send_interface="org.freedesktop.DBus.Properties"/>
</policy>
<policy context="default">
<deny send_destination="org.bluez"/>
</policy>
`
type bluezInterface struct{}
func (iface *bluezInterface) Name() string {
return "bluez"
}
func (iface *bluezInterface) StaticInfo() interfaces.StaticInfo {
return interfaces.StaticInfo{
Summary: bluezSummary,
ImplicitOnClassic: true,
BaseDeclarationSlots: bluezBaseDeclarationSlots,
}
}
func (iface *bluezInterface) DBusPermanentSlot(spec *dbus.Specification, slot *snap.SlotInfo) error {
if !release.OnClassic {
spec.AddSnippet(bluezPermanentSlotDBus)
}
return nil
}
func (iface *bluezInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
old := "###SLOT_SECURITY_TAGS###"
var new string
if release.OnClassic {
new = "unconfined"
} else {
new = slotAppLabelExpr(slot)
}
snippet := strings.Replace(bluezConnectedPlugAppArmor, old, new, -1)
spec.AddSnippet(snippet)
return nil
}
func (iface *bluezInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
if !release.OnClassic {
old := "###PLUG_SECURITY_TAGS###"
new := plugAppLabelExpr(plug)
snippet := strings.Replace(bluezConnectedSlotAppArmor, old, new, -1)
spec.AddSnippet(snippet)
}
return nil
}
func (iface *bluezInterface) UDevConnectedPlug(spec *udev.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
spec.TagDevice(`KERNEL=="rfkill"`)
return nil
}
func (iface *bluezInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
if !release.OnClassic {
spec.AddSnippet(bluezPermanentSlotAppArmor)
}
return nil
}
func (iface *bluezInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
if !release.OnClassic {
spec.AddSnippet(bluezPermanentSlotSecComp)
}
return nil
}
func (iface *bluezInterface) AutoConnect(*interfaces.Plug, *interfaces.Slot) bool {
// allow what declarations allowed
return true
}
func init() {
registerIface(&bluezInterface{})
}