interfaces/builtin: don't hard-code slot name in connected plug apparmor

This patch replaces the hard-coded peer label (snap.bluez.*) for connected
plugs to the security tag glob for the snap that has the slot. In practice
the content should be exactly the same but now it will not be hard-coded.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
1 parent e29cd69 commit 16228ad739da17d0ff975a1d781db4a53dfdbc79 @zyga committed Apr 25, 2016
Showing with 14 additions and 3 deletions.
  1. +7 −3 interfaces/builtin/bluez.go
  2. +7 −0 interfaces/builtin/bluez_test.go
@@ -20,6 +20,8 @@
package builtin
import (
+ "bytes"
+
"github.com/ubuntu-core/snappy/interfaces"
)
@@ -96,8 +98,7 @@ var bluezConnectedPlugAppArmor = []byte(`
# Allow all access to bluez service
dbus (receive, send)
bus=system
- peer=(label=snap.bluez.*),
-# FIXME: adjust to use 'snap.<name>.<app>' from the connecting slot
+ peer=(label=@SLOT_SECURITY_TAG_GLOB@),
dbus (send)
bus=system
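Review bot: Dropping the FIXME at the removed `# FIXME: adjust to use 'snap.<name>.<app>' from the connecting slot` line loses the only pointer that the peer label is still too broad: the glob substituted for `@SLOT_SECURITY_TAG_GLOB@` matches every app in the slot snap, not just the app(s) bound to the connected slot, which is the concern raised in the comments below. Suggest keeping a FIXME next to `peer=(label=@SLOT_SECURITY_TAG_GLOB@),` stating that this should narrow to the connected app(s), for example with a `{app1,app2}` alternation as proposed in the discussion.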
@@ -203,7 +204,10 @@ func (iface *BluezInterface) PermanentPlugSnippet(plug *interfaces.Plug, securit
func (iface *BluezInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- return bluezConnectedPlugAppArmor, nil
+ old := []byte("@SLOT_SECURITY_TAG_GLOB@")
+ new := []byte(interfaces.SecurityTagGlob(slot.Snap.Name()))
jdstrand Apr 26, 2016

This is not sufficient because it turns into @SLOT_SECURITY_TAG_GLOB@ 'snap.bluez.*'. Granted, it is better than hardcoding but we need this to actually be: 'snap.bluez.' where '' is whatever service in the slot snap's 'apps' is being connected to. Fine to commit as is, but please add a FIXME stating this needs to be snap...

zyga Apr 26, 2016

Owner

This would have to be a list of apps because (it's possible) that bluez snap will have many apps bound to this slot. Is that something we're okay with?

jdstrand Apr 26, 2016

As for the list, yes. Here would be the various patterns as I see them:

  • snap..* # connected to snap, not snap.app
  • snap.. # connected to snap.app
  • snap..{app1,app2,app3} # connected to snap.app1, snap.app2 and snap.app3, but not snap.app4
zyga Apr 26, 2016

Owner

Oh, nice, I like {app1,...} approach. I'll update this pull request to use this.

+ snippet := bytes.Replace(bluezConnectedPlugAppArmor, old, new, -1)
+ return snippet, nil
case interfaces.SecuritySecComp:
return bluezConnectedPlugSecComp, nil
case interfaces.SecurityUDev, interfaces.SecurityDBus:
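Review bot: `new` in `new := []byte(interfaces.SecurityTagGlob(slot.Snap.Name()))` shadows Go's predeclared `new` builtin for the rest of the case; rename the pair, for example `oldLabel`/`newLabel`, which reads better and avoids the shadowing that several linters flag. Note also that `bytes.Replace` returns the template unchanged if the `@SLOT_SECURITY_TAG_GLOB@` token is ever edited out of `bluezConnectedPlugAppArmor`, so the replacement has no built-in failure signal; the test should cover that case rather than relying on the literal token staying in sync.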
@@ -25,6 +25,7 @@ import (
"github.com/ubuntu-core/snappy/interfaces"
"github.com/ubuntu-core/snappy/interfaces/builtin"
"github.com/ubuntu-core/snappy/snap"
+ "github.com/ubuntu-core/snappy/testutil"
)
type BluezInterfaceSuite struct {
@@ -55,6 +56,12 @@ func (s *BluezInterfaceSuite) TestName(c *C) {
c.Assert(s.iface.Name(), Equals, "bluez")
}
+func (s *BluezInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabel(c *C) {
+ snippet, err := s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecurityAppArmor)
+ c.Assert(err, IsNil)
+ c.Assert(string(snippet), testutil.Contains, "peer=(label=snap.bluez.*),")
+}
+
func (s *BluezInterfaceSuite) TestUnusedSecuritySystems(c *C) {
systems := [...]interfaces.SecuritySystem{interfaces.SecurityAppArmor,
interfaces.SecuritySecComp, interfaces.SecurityDBus,
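Review bot: The single assertion in `TestConnectedPlugSnippetUsesSlotLabel` checks only that the snippet still contains the old literal `peer=(label=snap.bluez.*),`, which passes because the suite's slot snap happens to be named `bluez` and cannot distinguish a successful substitution from a left-over hard-coded string. Suggest adding `c.Assert(string(snippet), Not(testutil.Contains), "@SLOT_SECURITY_TAG_GLOB@")` so an unreplaced placeholder is caught before it reaches the AppArmor parser, and deriving the expected label from `s.slot.Snap.Name()` instead of the literal.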

0 comments on commit 16228ad