interfaces: put base policy fragments inside each interface

interfaces/builtin/account_control.go

@@ -28,6 +28,14 @@ delete non-system users as well as to change account passwords.
 The core snap provides the slot that is shared by all the snaps.
 `
 
+const accountControlBaseDeclarationSlots = `
+  account-control:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const accountControlConnectedPlugAppArmor = `
 /{,usr/}sbin/chpasswd ixr,
 /{,usr/}sbin/user{add,del} ixr,
@@ -74,6 +82,7 @@ func init() {
 		description:           accountControlDescription,
 		implicitOnCore:        true,
 		implicitOnClassic:     true,
+		baseDeclarationSlots:  accountControlBaseDeclarationSlots,
 		connectedPlugAppArmor: accountControlConnectedPlugAppArmor,
 		connectedPlugSecComp:  accountControlConnectedPlugSecComp,
 		reservedForOS:         true,

interfaces/builtin/alsa.go

@@ -27,6 +27,14 @@ The alsa interface allows connected plugs to access raw ALSA devices.
 The core snap provides the slot that is shared by all the snaps.
 `
 
+const alsaBaseDeclarationSlots = `
+  alsa:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const alsaConnectedPlugAppArmor = `
 # Description: Allow access to raw ALSA devices.
 
@@ -46,6 +54,7 @@ func init() {
 		description:           alsaDescription,
 		implicitOnCore:        true,
 		implicitOnClassic:     true,
+		baseDeclarationSlots:  alsaBaseDeclarationSlots,
 		connectedPlugAppArmor: alsaConnectedPlugAppArmor,
 		reservedForOS:         true,
 	})

interfaces/builtin/autopilot.go

@@ -21,6 +21,14 @@ package builtin
 
 const autopilotIntrospectionSummary = `allows introspection of application user interface`
 
+const autopilotIntrospectionBaseDeclarationSlots = `
+  autopilot-introspection:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const autopilotIntrospectionPlugAppArmor = `
 # Description: Allows an application to be introspected and export its ui
 # status over DBus
@@ -60,6 +68,7 @@ func init() {
 		summary:               autopilotIntrospectionSummary,
 		implicitOnCore:        true,
 		implicitOnClassic:     true,
+		baseDeclarationSlots:  autopilotIntrospectionBaseDeclarationSlots,
 		connectedPlugAppArmor: autopilotIntrospectionPlugAppArmor,
 		connectedPlugSecComp:  autopilotIntrospectionPlugSecComp,
 		reservedForOS:         true,

interfaces/builtin/avahi_observe.go

@@ -21,6 +21,14 @@ package builtin
 
 const avahiObserveSummary = `allows discovering local domains, hostnames and services`
 
+const avahiObserveBaseDeclarationSlots = `
+  avahi-observe:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const avahiObserveConnectedPlugAppArmor = `
 # Description: allows domain browsing, service browsing and service resolving
 
@@ -118,6 +126,7 @@ func init() {
 		name:                  "avahi-observe",
 		summary:               avahiObserveSummary,
 		implicitOnClassic:     true,
+		baseDeclarationSlots:  avahiObserveBaseDeclarationSlots,
 		connectedPlugAppArmor: avahiObserveConnectedPlugAppArmor,
 		reservedForOS:         true,
 	})

interfaces/builtin/bluetooth_control.go

@@ -21,6 +21,14 @@ package builtin
 
 const bluetoothControlSummary = `allows managing the kernel bluetooth stack`
 
+const bluetoothControlBaseDeclarationSlots = `
+  bluetooth-control:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const bluetoothControlConnectedPlugAppArmor = `
 # Description: Allow managing the kernel side Bluetooth stack. Reserved
 # because this gives privileged access to the system.
@@ -54,6 +62,7 @@ func init() {
 		summary:               bluetoothControlSummary,
 		implicitOnCore:        true,
 		implicitOnClassic:     true,
+		baseDeclarationSlots:  bluetoothControlBaseDeclarationSlots,
 		connectedPlugAppArmor: bluetoothControlConnectedPlugAppArmor,
 		connectedPlugSecComp:  bluetoothControlConnectedPlugSecComp,
 		reservedForOS:         true,

interfaces/builtin/bluez.go

@@ -30,6 +30,15 @@ import (
 
 const bluezSummary = `allows operating as the bluez service`
 
+const bluezBaseDeclarationSlots = `
+  bluez:
+    allow-installation:
+      slot-snap-type:
+        - app
+    deny-connection: true
+    deny-auto-connection: true
+`
+
 const bluezPermanentSlotAppArmor = `
 # Description: Allow operating as the bluez service. This gives privileged
 # access to the system.
@@ -191,7 +200,8 @@ func (iface *bluezInterface) Name() string {
 
 func (iface *bluezInterface) MetaData() interfaces.MetaData {
 	return interfaces.MetaData{
-		Summary: bluezSummary,
+		Summary:              bluezSummary,
+		BaseDeclarationSlots: bluezBaseDeclarationSlots,
 	}
 }
 

interfaces/builtin/bool_file.go

@@ -30,6 +30,15 @@ import (
 
 const boolFileSummary = `allows access to specific file with bool semantics`
 
+const boolFileBaseDeclarationSlots = `
+  bool-file:
+    allow-installation:
+      slot-snap-type:
+        - core
+        - gadget
+    deny-auto-connection: true
+`
+
 // boolFileInterface is the type of all the bool-file interfaces.
 type boolFileInterface struct{}
 
@@ -45,7 +54,8 @@ func (iface *boolFileInterface) Name() string {
 
 func (iface *boolFileInterface) MetaData() interfaces.MetaData {
 	return interfaces.MetaData{
-		Summary: boolFileSummary,
+		Summary:              boolFileSummary,
+		BaseDeclarationSlots: boolFileBaseDeclarationSlots,
 	}
 }
 

interfaces/builtin/browser_support.go

@@ -29,6 +29,16 @@ import (
 
 const browserSupportSummary = `allows access to various APIs needed by modern web browsers`
 
+const browserSupportBaseDeclarationSlots = `
+  browser-support:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-connection:
+      plug-attributes:
+        allow-sandbox: true
+`
+
 const browserSupportConnectedPlugAppArmor = `
 # Description: Can access various APIs needed by modern browsers (eg, Google
 # Chrome/Chromium and Mozilla) and file paths they expect. This interface is
@@ -246,9 +256,10 @@ func (iface *browserSupportInterface) Name() string {
 
 func (iface *browserSupportInterface) MetaData() interfaces.MetaData {
 	return interfaces.MetaData{
-		Summary:           browserSupportSummary,
-		ImplicitOnCore:    true,
-		ImplicitOnClassic: true,
+		Summary:              browserSupportSummary,
+		ImplicitOnCore:       true,
+		ImplicitOnClassic:    true,
+		BaseDeclarationSlots: browserSupportBaseDeclarationSlots,
 	}
 }
 

interfaces/builtin/camera.go

@@ -21,6 +21,14 @@ package builtin
 
 const cameraSummary = `allows access to all cameras`
 
+const cameraBaseDeclarationSlots = `
+  camera:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const cameraConnectedPlugAppArmor = `
 # Until we have proper device assignment, allow access to all cameras
 /dev/video[0-9]* rw,
@@ -38,6 +46,7 @@ func init() {
 		summary:               cameraSummary,
 		implicitOnCore:        true,
 		implicitOnClassic:     true,
+		baseDeclarationSlots:  cameraBaseDeclarationSlots,
 		connectedPlugAppArmor: cameraConnectedPlugAppArmor,
 		reservedForOS:         true,
 	})

interfaces/builtin/classic_support.go

@@ -21,6 +21,20 @@ package builtin
 
 const classicSupportSummary = `special permissions for the classic snap`
 
+const classicSupportBaseDeclarationPlugs = `
+  classic-support:
+    allow-installation: false
+    deny-auto-connection: true
+`
+
+const classicSupportBaseDeclarationSlots = `
+  classic-support:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const classicSupportPlugAppArmor = `
 # Description: permissions to use classic dimension. This policy is
 # intentionally not restricted. This gives device ownership to
@@ -108,6 +122,8 @@ func init() {
 		summary:               classicSupportSummary,
 		implicitOnCore:        true,
 		implicitOnClassic:     true,
+		baseDeclarationPlugs:  classicSupportBaseDeclarationPlugs,
+		baseDeclarationSlots:  classicSupportBaseDeclarationSlots,
 		connectedPlugAppArmor: classicSupportPlugAppArmor,
 		connectedPlugSecComp:  classicSupportPlugSecComp,
 	})

interfaces/builtin/content.go

@@ -34,6 +34,22 @@ import (
 
 const contentSummary = `allows sharing code and data with other snaps`
 
+const contentBaseDeclarationSlots = `
+  content:
+    allow-installation:
+      slot-snap-type:
+        - app
+        - gadget
+    allow-connection:
+      plug-attributes:
+        content: $SLOT(content)
+    allow-auto-connection:
+      plug-publisher-id:
+        - $SLOT_PUBLISHER_ID
+      plug-attributes:
+        content: $SLOT(content)
+`
+
 // contentInterface allows sharing content between snaps
 type contentInterface struct{}
 
@@ -43,7 +59,8 @@ func (iface *contentInterface) Name() string {
 
 func (iface *contentInterface) MetaData() interfaces.MetaData {
 	return interfaces.MetaData{
-		Summary: contentSummary,
+		Summary:              contentSummary,
+		BaseDeclarationSlots: contentBaseDeclarationSlots,
 	}
 }
 

interfaces/builtin/core_support.go

@@ -21,6 +21,21 @@ package builtin
 
 const coreSupportSummary = `special permissions for the core snap`
 
+const coreSupportBaseDeclarationPlugs = `
+  core-support:
+    allow-installation:
+      plug-snap-type:
+        - core
+`
+
+const coreSupportBaseDeclarationSlots = `
+  core-support:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const coreSupportConnectedPlugAppArmor = `
 # Description: Can control all aspects of systemd via the systemctl command,
 # update rsyslog configuration, update systemd-timesyncd configuration and
@@ -78,10 +93,12 @@ owner /boot/uboot/config.txt.tmp rwk,
 
 func init() {
 	registerIface(&commonInterface{
-		name:              "core-support",
-		summary:           coreSupportSummary,
-		implicitOnCore:    true,
-		implicitOnClassic: true,
+		name:                 "core-support",
+		summary:              coreSupportSummary,
+		implicitOnCore:       true,
+		implicitOnClassic:    true,
+		baseDeclarationPlugs: coreSupportBaseDeclarationPlugs,
+		baseDeclarationSlots: coreSupportBaseDeclarationSlots,
 		// NOTE: core-support implicitly contains the rules from network-bind.
 		connectedPlugAppArmor: coreSupportConnectedPlugAppArmor + networkBindConnectedPlugAppArmor,
 		connectedPlugSecComp:  "" + networkBindConnectedPlugSecComp,

interfaces/builtin/cups_control.go

@@ -21,6 +21,14 @@ package builtin
 
 const cupsControlSummary = `allows access to the CUPS control socket`
 
+const cupsControlBaseDeclarationSlots = `
+  cups-control:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 const cupsControlConnectedPlugAppArmor = `
 # Description: Can access cups control socket. This is restricted because it provides
 # privileged access to configure printing.
@@ -33,6 +41,7 @@ func init() {
 		name:                  "cups-control",
 		summary:               cupsControlSummary,
 		implicitOnClassic:     true,
+		baseDeclarationSlots:  cupsControlBaseDeclarationSlots,
 		connectedPlugAppArmor: cupsControlConnectedPlugAppArmor,
 		reservedForOS:         true,
 	})

interfaces/builtin/dbus.go

@@ -33,6 +33,17 @@ import (
 
 const dbusSummary = `allows owning a specifc name on DBus`
 
+const dbusBaseDeclarationSlots = `
+  dbus:
+    allow-installation:
+      slot-snap-type:
+        - app
+    deny-connection:
+      slot-attributes:
+        name: .+
+    deny-auto-connection: true
+`
+
 const dbusPermanentSlotAppArmor = `
 # Description: Allow owning a name on DBus public bus
 
@@ -195,7 +206,8 @@ func (iface *dbusInterface) Name() string {
 
 func (iface *dbusInterface) MetaData() interfaces.MetaData {
 	return interfaces.MetaData{
-		Summary: dbusSummary,
+		Summary:              dbusSummary,
+		BaseDeclarationSlots: dbusBaseDeclarationSlots,
 	}
 }
 

interfaces/builtin/dcdbas_control.go

@@ -21,6 +21,14 @@ package builtin
 
 const dcdbasControlSummary = `allows access to Dell Systems Management Base Driver`
 
+const dcdbasControlBaseDeclarationSlots = `
+  dcdbas-control:
+    allow-installation:
+      slot-snap-type:
+        - core
+    deny-auto-connection: true
+`
+
 // https://www.kernel.org/doc/Documentation/dcdbas.txt
 const dcdbasControlConnectedPlugAppArmor = `
 # Description: This interface allows communication with Dell Systems Management Base Driver
@@ -49,6 +57,7 @@ func init() {
 		summary:               dcdbasControlSummary,
 		implicitOnCore:        true,
 		implicitOnClassic:     true,
+		baseDeclarationSlots:  dcdbasControlBaseDeclarationSlots,
 		connectedPlugAppArmor: dcdbasControlConnectedPlugAppArmor,
 		reservedForOS:         true,
 	})