interfaces/builtin: use precise labels for bluez

This patch makes the bluez interface use precise apparmor labels for dbus communication. From now on, connected plugs will be able to talk to just those apps that are bound to the bluez slot. Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
zyga · e9b2da3d1459d1f0dfa92036f0de477757024a4b · zyga committed Apr 26, 2016 · Apr 26, 2016 · e9b2da3
1 parent 16228ad
commit e9b2da3d1459d1f0dfa92036f0de477757024a4b
Unified Split

Showing with 24 additions and 4 deletions.

+19 −3 interfaces/builtin/bluez.go

+5 −1 interfaces/builtin/bluez_test.go
diff --git a/interfaces/builtin/bluez.go b/interfaces/builtin/bluez.go
@@ -21,6 +21,8 @@ package builtin
 
 import (
 	"bytes"
+	"fmt"
+	"sort"
 
 	"github.com/ubuntu-core/snappy/interfaces"
 )
@@ -98,7 +100,7 @@ var bluezConnectedPlugAppArmor = []byte(`
 # Allow all access to bluez service
 dbus (receive, send)
     bus=system
-    peer=(label=@SLOT_SECURITY_TAG_GLOB@),
+    peer=(label=@SLOT_SECURITY_TAGS@),
 
 dbus (send)
     bus=system
@@ -204,8 +206,22 @@ func (iface *BluezInterface) PermanentPlugSnippet(plug *interfaces.Plug, securit
 func (iface *BluezInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
 	switch securitySystem {
 	case interfaces.SecurityAppArmor:
-		old := []byte("@SLOT_SECURITY_TAG_GLOB@")
-		new := []byte(interfaces.SecurityTagGlob(slot.Snap.Name()))
+		old := []byte("@SLOT_SECURITY_TAGS@")
+		buf := bytes.NewBuffer(nil)
+		fmt.Fprintf(buf, "snap.%s.{", slot.Snap.Name())
+		appNames := make([]string, 0, len(slot.Apps))
+		for appName := range slot.Apps {
+			appNames = append(appNames, appName)
+		}
+		sort.Strings(appNames)
+		for i, appName := range appNames {
+			if i > 0 {
+				fmt.Fprintf(buf, ",")
+			}
+			fmt.Fprintf(buf, appName)
+		}
+		fmt.Fprintf(buf, "}")
+		new := buf.Bytes()
 		snippet := bytes.Replace(bluezConnectedPlugAppArmor, old, new, -1)
 		return snippet, nil
 	case interfaces.SecuritySecComp:
diff --git a/interfaces/builtin/bluez_test.go b/interfaces/builtin/bluez_test.go
@@ -41,6 +41,10 @@ var _ = Suite(&BluezInterfaceSuite{
 			Snap:      &snap.Info{SuggestedName: "bluez"},
 			Name:      "bluez",
 			Interface: "bluez",
+			Apps: map[string]*snap.AppInfo{
+				"app1": &snap.AppInfo{Name: "app1"},
+				"app2": &snap.AppInfo{Name: "app2"},
+			},
 		},
 	},
 	plug: &interfaces.Plug{
@@ -59,7 +63,7 @@ func (s *BluezInterfaceSuite) TestName(c *C) {
 func (s *BluezInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabel(c *C) {
 	snippet, err := s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecurityAppArmor)
 	c.Assert(err, IsNil)
-	c.Assert(string(snippet), testutil.Contains, "peer=(label=snap.bluez.*),")
+	c.Assert(string(snippet), testutil.Contains, "peer=(label=snap.bluez.{app1,app2}),")
 }
 
 func (s *BluezInterfaceSuite) TestUnusedSecuritySystems(c *C) {