interfaces/builtin: don't hard-code slot name in connected plug apparmor
This patch replaces the hard-coded peer label (snap.bluez.*) for connected plugs with the security tag glob for the snap that has the slot. In practice the content should be exactly the same, but it is no longer hard-coded. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Showing
with
14 additions
and 3 deletions.
| @@ -20,6 +20,8 @@ | ||
| package builtin | ||
| import ( | ||
| + "bytes" | ||
| + | ||
| "github.com/ubuntu-core/snappy/interfaces" | ||
| ) | ||
| @@ -96,8 +98,7 @@ var bluezConnectedPlugAppArmor = []byte(` | ||
| # Allow all access to bluez service | ||
| dbus (receive, send) | ||
| bus=system | ||
| - peer=(label=snap.bluez.*), | ||
| -# FIXME: adjust to use 'snap.<name>.<app>' from the connecting slot | ||
| + peer=(label=@SLOT_SECURITY_TAG_GLOB@), | ||
| dbus (send) | ||
| bus=system | ||
| @@ -203,7 +204,10 @@ func (iface *BluezInterface) PermanentPlugSnippet(plug *interfaces.Plug, securit | ||
| func (iface *BluezInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) { | ||
| switch securitySystem { | ||
| case interfaces.SecurityAppArmor: | ||
| - return bluezConnectedPlugAppArmor, nil | ||
| + old := []byte("@SLOT_SECURITY_TAG_GLOB@") | ||
| + new := []byte(interfaces.SecurityTagGlob(slot.Snap.Name())) | ||
zyga
Owner
| + snippet := bytes.Replace(bluezConnectedPlugAppArmor, old, new, -1) | ||
| + return snippet, nil | ||
| case interfaces.SecuritySecComp: | ||
| return bluezConnectedPlugSecComp, nil | ||
| case interfaces.SecurityUDev, interfaces.SecurityDBus: | ||
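Review bot: The local `new` introduced in the ConnectedPlugSnippet hunk shadows Go's predeclared `new` builtin, which linters flag and which makes the substitution harder to read; naming the pair `placeholder := []byte("@SLOT_SECURITY_TAG_GLOB@")` and `label := []byte(interfaces.SecurityTagGlob(slot.Snap.Name()))` avoids it. Separately, the slot snap's name is spliced verbatim into an AppArmor rule with no escaping at this point, so the rule's integrity rests on snap names already being restricted to label-safe characters by validation elsewhere — presumably the case, but not visible in this commit, and worth recording at the substitution with a comment such as `// slot.Snap.Name() is a validated snap name, so it is safe to embed in an AppArmor label`. ConnectedPlugSnippet's body continues past the end of the hunk.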
This is not sufficient because it turns @SLOT_SECURITY_TAG_GLOB@ into 'snap.bluez.*'. Granted, it is better than hardcoding, but we need this to actually be 'snap.bluez.<app>', where '<app>' is whatever service in the slot snap's 'apps' is being connected to. Fine to commit as is, but please add a FIXME stating this needs to be snap...