/snapd

Permalink
Switch branches/tags
zyga-demo-caps1 ppa 2.30 2.29.4.2 2.29.4.1 2.29.4 2.29.3.1 2.29.3 2.29.2 2.29.1 2.29 2.28.5 2.28.4 2.28.3 2.28.2 2.28.1 2.28 2.27.6 2.27.5 2.27.4 2.27.3 2.27.2 2.27.1 2.27 2.26.14 2.26.13 2.26.10 2.26.9 2.26.8 2.26.6 2.26.5 2.26.4 2.26.3 2.26.2 2.26.1 2.26 2.25 2.24 2.23.6 2.23.5 2.23.4 2.23.3 2.23.2 2.23.1 2.23 2.22.7 2.22.6 2.22.5 2.22.4 2.22.3 2.22.2 2.22.1 2.22 2.21.14.04.1 2.21 2.20.1.14.04 2.20.1 2.20 2.19 2.18.1 2.18 2.17.1 2.17 2.16 2.15.2 2.15.1 2.15 2.14.2.16.04 2.14.1 2.14 2.13 2.12 2.11 2.0.10 2.0.9 2.0.8.1 2.0.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.2 2.0.1 2.0 1.9.4.1 1.9.4 1.9.3 1.9.2 1.9.1 1.9 1.7.3+20160310ubuntu1 1.7.3+20160308ubuntu1 1.7.3+20160303ubuntu4 1.7.3+20160303ubuntu3 1.7.3+20160303ubuntu2 1.7.3+20160303ubuntu1 1.7.3+20160225ubuntu1 1.7.2+20160223ubuntu1 1.7.2+20160204ubuntu1
Nothing to show
Find file
snapd/interfaces/builtin/mount_observe.go
Fetching contributors…
Cannot retrieve contributors at this time
Raw Blame History
78 lines (65 sloc) 2.35 KB
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
* Copyright (C) 2016 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package builtin
const mountObserveSummary = `allows reading mount table and quota information`
const mountObserveBaseDeclarationSlots = `
mount-observe:
allow-installation:
slot-snap-type:
- core
deny-auto-connection: true
`
// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/mount-observe
const mountObserveConnectedPlugAppArmor = `
# Description: Can query system mount and disk quota information. This is
# restricted because it gives privileged read access to mount arguments and
# should only be used with trusted apps.
/{,usr/}bin/df ixr,
# Needed by 'df'. This is an information leak
@{PROC}/mounts r,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mountstats r,
/sys/devices/*/block/{,**} r,
@{PROC}/swaps r,
# This is often out of date but some apps insist on using it
/etc/mtab r,
/etc/fstab r,
`
const mountObserveConnectedPlugSecComp = `
# Description: Can query system mount and disk quota information. This is
# restricted because it gives privileged read access to mount arguments and
# should only be used with trusted apps.
quotactl Q_GETQUOTA - - -
quotactl Q_GETINFO - - -
quotactl Q_GETFMT - - -
quotactl Q_XGETQUOTA - - -
quotactl Q_XGETQSTAT - - -
`
func init() {
registerIface(&commonInterface{
name: "mount-observe",
summary: mountObserveSummary,
implicitOnCore: true,
implicitOnClassic: true,
baseDeclarationSlots: mountObserveBaseDeclarationSlots,
connectedPlugAppArmor: mountObserveConnectedPlugAppArmor,
connectedPlugSecComp: mountObserveConnectedPlugSecComp,
reservedForOS: true,
})
}