interfaces/builtin: improve the bluez interface #1078
interfaces/builtin: specialize apparmor label based on bound apps
This patch specializes the bluez label used for dbus policy based on
how apps are bound to the bluez slot.
If exactly one app is bound to the slot the label is precise, e.g.
"snap.bluez.bluez". If more than one but not all of the apps are bound
to the slot, the label uses alternation, e.g.
"snap.bluez.{app1,app2}". Lastly, if all the apps are bound to the bluez
slot then a wildcard is used, e.g. "snap.bluez.*".
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
| @@ -207,21 +207,31 @@ func (iface *BluezInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *i | ||
| switch securitySystem { | ||
| case interfaces.SecurityAppArmor: | ||
| old := []byte("@SLOT_SECURITY_TAGS@") | ||
| - buf := bytes.NewBuffer(nil) | ||
| - fmt.Fprintf(buf, "snap.%s.{", slot.Snap.Name()) | ||
| - appNames := make([]string, 0, len(slot.Apps)) | ||
| - for appName := range slot.Apps { | ||
| - appNames = append(appNames, appName) | ||
| - } | ||
| - sort.Strings(appNames) | ||
| - for i, appName := range appNames { | ||
| - if i > 0 { | ||
| - fmt.Fprintf(buf, ",") | ||
| + var new []byte | ||
| + switch { | ||
| + case len(slot.Apps) == 1: | ||
| + for appName := range slot.Apps { | ||
| + new = []byte(fmt.Sprintf("snap.%s.%s", slot.Snap.Name(), appName)) | ||
| + } | ||
| + case len(slot.Apps) == len(slot.Snap.Apps): | ||
| + new = []byte(fmt.Sprintf("snap.%s.*", slot.Snap.Name())) | ||
| + case len(slot.Apps) != len(slot.Snap.Apps): | ||
| + buf := bytes.NewBuffer(nil) | ||
| + fmt.Fprintf(buf, "snap.%s.{", slot.Snap.Name()) | ||
| + appNames := make([]string, 0, len(slot.Apps)) | ||
| + for appName := range slot.Apps { | ||
| + appNames = append(appNames, appName) | ||
| + } | ||
| + sort.Strings(appNames) | ||
| + for i, appName := range appNames { | ||
| + if i > 0 { | ||
| + fmt.Fprintf(buf, ",") | ||
| + } | ||
| + fmt.Fprintf(buf, appName) | ||
| } | ||
| - fmt.Fprintf(buf, appName) | ||
| + fmt.Fprintf(buf, "}") | ||
| + new = buf.Bytes() | ||
| } | ||
| - fmt.Fprintf(buf, "}") | ||
| - new := buf.Bytes() | ||
| snippet := bytes.Replace(bluezConnectedPlugAppArmor, old, new, -1) | ||
| return snippet, nil | ||
| case interfaces.SecuritySecComp: | ||
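Review bot: `fmt.Fprintf(buf, appName)` in the alternation branch passes the app name as the format string, so a name containing `%` would be rewritten into `%!` verbs inside the generated AppArmor label and `go vet` flags the non-constant format; write it as `buf.WriteString(appName)`. The third case's condition is just the negation of the second, so `default:` states the intent more plainly, and naming the result `new` shadows the builtin — `label` would read better. If `slot.Apps` can be empty (that validation, if any, is outside this hunk), the alternation branch emits `snap.<name>.{}` instead of reporting an error, which may deserve an explicit check. ConnectedPlugSnippet starts before this hunk.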
We already have a pattern for replacements. Can we please stick to a single one of those so we're not introducing these for each independent feature? (@foo@ vs. ###FOO### vs. {{foo}} vs ...).