/snapd

Permalink
Switch branches/tags
zyga-demo-caps1 ppa 2.30 2.29.4.2 2.29.4.1 2.29.4 2.29.3.1 2.29.3 2.29.2 2.29.1 2.29 2.28.5 2.28.4 2.28.3 2.28.2 2.28.1 2.28 2.27.6 2.27.5 2.27.4 2.27.3 2.27.2 2.27.1 2.27 2.26.14 2.26.13 2.26.10 2.26.9 2.26.8 2.26.6 2.26.5 2.26.4 2.26.3 2.26.2 2.26.1 2.26 2.25 2.24 2.23.6 2.23.5 2.23.4 2.23.3 2.23.2 2.23.1 2.23 2.22.7 2.22.6 2.22.5 2.22.4 2.22.3 2.22.2 2.22.1 2.22 2.21.14.04.1 2.21 2.20.1.14.04 2.20.1 2.20 2.19 2.18.1 2.18 2.17.1 2.17 2.16 2.15.2 2.15.1 2.15 2.14.2.16.04 2.14.1 2.14 2.13 2.12 2.11 2.0.10 2.0.9 2.0.8.1 2.0.8 2.0.7 2.0.6 2.0.5 2.0.4 2.0.3 2.0.2 2.0.1 2.0 1.9.4.1 1.9.4 1.9.3 1.9.2 1.9.1 1.9 1.7.3+20160310ubuntu1 1.7.3+20160308ubuntu1 1.7.3+20160303ubuntu4 1.7.3+20160303ubuntu3 1.7.3+20160303ubuntu2 1.7.3+20160303ubuntu1 1.7.3+20160225ubuntu1 1.7.2+20160223ubuntu1 1.7.2+20160204ubuntu1
Nothing to show
Find file
snapd/interfaces/builtin/process_control.go
Fetching contributors…
Cannot retrieve contributors at this time
Raw Blame History
71 lines (59 sloc) 2.12 KB
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
* Copyright (C) 2016 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package builtin
const processControlSummary = `allows controlling other processes`
const processControlBaseDeclarationSlots = `
process-control:
allow-installation:
slot-snap-type:
- core
deny-auto-connection: true
`
const processControlConnectedPlugAppArmor = `
# Description: This interface allows for controlling other processes via
# signals and nice. This is reserved because it grants privileged access to
# all processes under root or processes running under the same UID otherwise.
# /{,usr/}bin/nice is already in default policy, so just allow renice here
/{,usr/}bin/renice ixr,
capability sys_resource,
capability sys_nice,
signal,
`
const processControlConnectedPlugSecComp = `
# Description: This interface allows for controlling other processes via
# signals and nice. This is reserved because it grants privileged access to
# all processes under root or processes running under the same UID otherwise.
# Allow setting the nice value/priority for any process
nice
setpriority
sched_setaffinity
sched_setparam
sched_setscheduler
`
func init() {
registerIface(&commonInterface{
name: "process-control",
summary: processControlSummary,
implicitOnCore: true,
implicitOnClassic: true,
baseDeclarationSlots: processControlBaseDeclarationSlots,
connectedPlugAppArmor: processControlConnectedPlugAppArmor,
connectedPlugSecComp: processControlConnectedPlugSecComp,
reservedForOS: true,
})
}