interfaces: miscellaneous updates for hardware-observe, kernel-module-control, unity7 and default #2768

merged 6 commits into from Feb 7, 2017
@@ -257,6 +257,7 @@ var defaultTemplate = []byte(`
@{PROC}/version_signature r,
/etc/{,writable/}hostname r,
/etc/{,writable/}localtime r,
+ /etc/{,writable/}mailname r,
/etc/{,writable/}timezone r,
@{PROC}/@{pid}/io r,
owner @{PROC}/@{pid}/limits r,
@@ -276,6 +277,7 @@ var defaultTemplate = []byte(`
@{PROC}/sys/fs/file-max r,
@{PROC}/sys/kernel/pid_max r,
@{PROC}/sys/kernel/random/uuid r,
+ @{PROC}/sys/kernel/random/boot_id r,
/sys/devices/virtual/tty/{console,tty*}/active r,
/{,usr/}lib/ r,
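Review bot: The new `@{PROC}/sys/kernel/random/boot_id r,` line gives every confined snap a per-boot identifier that stays constant for the whole boot session, so any two snaps can use it to correlate their observations of the same host; unlike the `uuid` file above it, which yields a fresh value on each read, `boot_id` is a stable identifier rather than a random source. The hunk does not say which consumer needs it, and the default template otherwise carries no rationale for this entry. A one-line comment such as `# stable per-boot identifier, readable by all snaps; not a secret` with the consuming library named would let later reviewers judge the trade-off. The template string continues outside the hunk.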
@@ -347,6 +349,11 @@ var defaultTemplate = []byte(`
# abstract or anonymous socket
unix peer=(label=snap.@{SNAP_NAME}.*),
+ # Allow apps from the same package to communicate with each other via DBus.
+ # Note: this does not grant access to the DBus sockets of well known buses
+ # (will still need to use an appropriate interface for that).
+ dbus (receive, send) peer=(label=snap.@{SNAP_NAME}.*),
+
# Allow apps from the same package to signal each other via signals
signal peer=snap.@{SNAP_NAME}.*,
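Review bot: The added `dbus (receive, send) peer=(label=snap.@{SNAP_NAME}.*),` rule carries no `bus=` qualifier, so it applies on every bus type, and the comment above it should say that this is intentional rather than leave it to the reader. The note that bus sockets still need an appropriate interface is accurate, but it leaves open what the rule does grant: same-snap apps can exchange messages on whichever bus another interface already lets them reach, and presumably peer-to-peer DBus over the unix socket rule just above. A third comment line such as `# Note: no bus= qualifier; applies to any bus the snap can otherwise reach` would make the scope explicit. The template string continues outside the hunk.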
@@ -23,28 +23,36 @@ import (
"github.com/snapcore/snapd/interfaces"
)
-// http://bazaar.launchpad.net/~ubuntu-security/ubuntu-core-security/trunk/view/head:/data/apparmor/policygroups/ubuntu-core/16.04/log-observe
const hardwareObserveConnectedPlugAppArmor = `
# Description: This interface allows for getting hardware information
-# from the system. this is reserved because it allows reading potentially sensitive information.
-# Usage: reserved
+# from the system. This is reserved because it allows reading potentially
+# sensitive information.
-# used by lscpu
+# used by lscpu and 'lspci -A intel-conf1/intel-conf2'
capability sys_rawio,
-# files in /sys pertaining to hardware
+# used by lspci
+capability sys_admin,
+/etc/modprobe.d/{,*} r,
+
+# files in /sys pertaining to hardware (eg, 'lspci -A linux-sysfs')
/sys/{block,bus,class,devices,firmware}/{,**} r,
+# files in /proc/bus/pci (eg, 'lspci -A linux-proc')
+@{PROC}/bus/pci/{,**} r,
+
# DMI tables
/sys/firmware/dmi/tables/DMI r,
/sys/firmware/dmi/tables/smbios_entry_point r,
+# interrupts
+@{PROC}/interrupts r,
+
# Needed for udevadm
/run/udev/data/** r,
# util-linux
/{,usr/}bin/lscpu ixr,
-@{PROC}/bus/pci/devices r,
# lsusb
# Note: lsusb and its database have to be shipped in the snap if not on classic
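Review bot: `capability sys_admin,` is justified only by `# used by lspci`, which is too thin for the broadest capability AppArmor can grant; a capability rule cannot be scoped to one tool, so the whole connected plug gains it. The comment should record the specific kernel check being satisfied, presumably reading PCI configuration space beyond the first 64 bytes through sysfs and the new `@{PROC}/bus/pci/{,**} r,` entry, which the kernel limits to CAP_SYS_ADMIN, so the grant can be re-evaluated if lspci's needs change: `# used by lspci to read full PCI config space (kernel requires CAP_SYS_ADMIN past 64 bytes) -- confirm`. Note also that `@{PROC}/bus/pci/{,**}` is wider than the removed `@{PROC}/bus/pci/devices` line and now covers the per-device config-space files. The constant string continues into the next hunk.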
@@ -53,13 +61,31 @@ capability sys_rawio,
/dev/ r,
/dev/bus/usb/{,**/} r,
/etc/udev/udev.conf r,
+
+# lshw -quiet (note, lshw also tries to create /dev/fb-*, but fails gracefully)
+@{PROC}/devices r,
+@{PROC}/ide/{,**} r,
+@{PROC}/scsi/{,**} r,
+@{PROC}/device-tree/{,**} r,
+/sys/kernel/debug/usb/devices r,
+@{PROC}/sys/abi/{,*} r,
+`
+
+const hardwareObserveConnectedPlugSecComp = `
+# Description: This interface allows for getting hardware information
+# from the system. This is reserved because it allows reading potentially
+# sensitive information.
+
+# used by 'lspci -A intel-conf1/intel-conf2'
+iopl
`
// NewHardwareObserveInterface returns a new "hardware-observe" interface.
func NewHardwareObserveInterface() interfaces.Interface {
return &commonInterface{
name: "hardware-observe",
connectedPlugAppArmor: hardwareObserveConnectedPlugAppArmor,
+ connectedPlugSecComp: hardwareObserveConnectedPlugSecComp,
reservedForOS: true,
}
}
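Review bot: The new seccomp snippet allows `iopl`, which together with the existing `capability sys_rawio,` lets a process raise its I/O privilege level and perform port I/O in both directions, so the header's "getting hardware information" understates what a connected plug can do at the hardware level. `reservedForOS: true` in `NewHardwareObserveInterface` limits who may use the interface, but the seccomp header comment should state the consequence, e.g. `# Note: iopl with sys_rawio permits port writes as well as reads; this interface is not hardware read-only`. `/sys/kernel/debug/usb/devices r,` lives under debugfs and will only resolve where that filesystem is mounted, which may be worth a comment for the lshw block. `NewHardwareObserveInterface` is fully within the hunk.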
@@ -25,6 +25,7 @@ import (
"github.com/snapcore/snapd/interfaces"
"github.com/snapcore/snapd/interfaces/builtin"
"github.com/snapcore/snapd/snap"
+ "github.com/snapcore/snapd/testutil"
)
type HardwareObserveInterfaceSuite struct {
@@ -83,4 +84,10 @@ func (s *HardwareObserveInterfaceSuite) TestUsedSecuritySystems(c *C) {
snippet, err := s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecurityAppArmor)
c.Assert(err, IsNil)
c.Assert(snippet, Not(IsNil))
+ c.Check(string(snippet), testutil.Contains, "capability sys_rawio,\n")
+ // connected plugs have a non-nil security snippet for seccomp
+ snippet, err = s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecuritySecComp)
+ c.Assert(err, IsNil)
+ c.Assert(snippet, Not(IsNil))
+ c.Check(string(snippet), testutil.Contains, "iopl\n")
}
@@ -29,9 +29,13 @@ const kernelModuleControlConnectedPlugAppArmor = `
capability sys_module,
@{PROC}/modules r,
- # NOTE: needed by lscpu. In the future this may be moved to system-trace or
- # system-observe.
+ # FIXME: moved to physical-memory-observe (remove this in series 18)

zyga Feb 2, 2017


Just as an observation. When we do series 18 we will allow people to co-install 16 and 18 base snaps and apps can use either of those. It just struck me that we should probably teach the interface layer the base snap the rule is for. The kernel-module-control interface will have to keep supplying access to /dev/mem even when 18 is around if the interface is connected to a snap using base-ubuntu-16.

/dev/mem r,
+
+ # Required to use SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER when
+ # /proc/sys/kernel/dmesg_restrict is '1' (syslog(2)). These operations are
+ # required to verify kernel modules that are loaded.
+ capability syslog,
`
const kernelModuleControlConnectedPlugSecComp = `
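Review bot: The comment on `capability syslog,` names only SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, but CAP_SYSLOG is coarser than that: it also permits SYSLOG_ACTION_CLEAR (emptying the kernel ring buffer) and the console-level actions, and with `kptr_restrict=1` it unmasks kernel addresses in `/proc/kallsyms`. Operators reviewing which snaps hold this interface should be able to see from the profile that kernel log clearing is within scope, so add a line such as `# Note: CAP_SYSLOG also allows SYSLOG_ACTION_CLEAR and unmasks /proc/kallsyms addresses`. If the seccomp backend for this interface supports argument filtering, constraining `syslog` to the two read-only actions there would narrow the gap the capability opens. The constant string begins before this hunk.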
@@ -62,6 +62,12 @@ const unity7ConnectedPlugAppArmor = `
/usr/share/thumbnailer/icons/** r,
/usr/share/themes/** r,
+# The snapcraft desktop part may look for schema files in various locations, so
+# allow reading system installed schemas.
+/usr/share/glib*/schemas/{,*} r,
+/usr/share/gnome/glib*/schemas/{,*} r,
+/usr/share/ubuntu/glib*/schemas/{,*} r,
+
# Snappy's 'xdg-open' talks to the snapd-xdg-open service which currently works
# only in environments supporting dbus-send (eg, X11). In the future once
# snappy's xdg-open supports all snaps images, this access may move to another