
interfaces/builtin: use precise labels for bluez

This patch makes the bluez interface use precise apparmor labels for
dbus communication. From now on, connected plugs will be able to talk to
just those apps that are bound to the bluez slot.

Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
1 parent 16228ad commit e9b2da3d1459d1f0dfa92036f0de477757024a4b @zyga committed Apr 26, 2016
Showing with 24 additions and 4 deletions.
  1. +19 −3 interfaces/builtin/bluez.go
  2. +5 −1 interfaces/builtin/bluez_test.go
@@ -21,6 +21,8 @@ package builtin
import (
"bytes"
+ "fmt"
+ "sort"
"github.com/ubuntu-core/snappy/interfaces"
)
@@ -98,7 +100,7 @@ var bluezConnectedPlugAppArmor = []byte(`
# Allow all access to bluez service
dbus (receive, send)
bus=system
- peer=(label=@SLOT_SECURITY_TAG_GLOB@),
+ peer=(label=@SLOT_SECURITY_TAGS@),
dbus (send)
bus=system
@@ -204,8 +206,22 @@ func (iface *BluezInterface) PermanentPlugSnippet(plug *interfaces.Plug, securit
func (iface *BluezInterface) ConnectedPlugSnippet(plug *interfaces.Plug, slot *interfaces.Slot, securitySystem interfaces.SecuritySystem) ([]byte, error) {
switch securitySystem {
case interfaces.SecurityAppArmor:
- old := []byte("@SLOT_SECURITY_TAG_GLOB@")
- new := []byte(interfaces.SecurityTagGlob(slot.Snap.Name()))
+ old := []byte("@SLOT_SECURITY_TAGS@")
+ buf := bytes.NewBuffer(nil)
+ fmt.Fprintf(buf, "snap.%s.{", slot.Snap.Name())
+ appNames := make([]string, 0, len(slot.Apps))
+ for appName := range slot.Apps {
+ appNames = append(appNames, appName)
+ }
+ sort.Strings(appNames)
+ for i, appName := range appNames {
+ if i > 0 {
+ fmt.Fprintf(buf, ",")
+ }
+ fmt.Fprintf(buf, appName)
+ }
+ fmt.Fprintf(buf, "}")
+ new := buf.Bytes()
snippet := bytes.Replace(bluezConnectedPlugAppArmor, old, new, -1)
return snippet, nil
case interfaces.SecuritySecComp:
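Review bot: `fmt.Fprintf(buf, appName)` on the added line passes the app name as the format string, so a name containing `%` would be interpreted as a verb and rewritten (e.g. `%!s(MISSING)`) instead of being copied verbatim, and `go vet` flags non-constant format strings; even if app names are validated upstream, `buf.WriteString(appName)` (with `buf.WriteByte(',')` and `buf.WriteByte('}')` for the literals) is the safe form. Separately, the builder always wraps the names in braces, so a slot with a single app yields `snap.bluez.{app1}` and a slot with no apps yields `snap.bluez.{}`; I would confirm the AppArmor parser accepts a one-alternative brace expression and decide what an app-less slot should produce, since a `{}` label would presumably either fail to parse or match nothing and silently cut the plug off. A short `// sort so the generated policy is deterministic` above `sort.Strings(appNames)` would explain why the map keys are collected into a slice first. ConnectedPlugSnippet's body continues past the end of this hunk.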
@@ -41,6 +41,10 @@ var _ = Suite(&BluezInterfaceSuite{
Snap: &snap.Info{SuggestedName: "bluez"},
Name: "bluez",
Interface: "bluez",
+ Apps: map[string]*snap.AppInfo{
+ "app1": &snap.AppInfo{Name: "app1"},
+ "app2": &snap.AppInfo{Name: "app2"},
+ },
},
},
plug: &interfaces.Plug{
@@ -59,7 +63,7 @@ func (s *BluezInterfaceSuite) TestName(c *C) {
func (s *BluezInterfaceSuite) TestConnectedPlugSnippetUsesSlotLabel(c *C) {
snippet, err := s.iface.ConnectedPlugSnippet(s.plug, s.slot, interfaces.SecurityAppArmor)
c.Assert(err, IsNil)
- c.Assert(string(snippet), testutil.Contains, "peer=(label=snap.bluez.*),")
+ c.Assert(string(snippet), testutil.Contains, "peer=(label=snap.bluez.{app1,app2}),")
}
func (s *BluezInterfaceSuite) TestUnusedSecuritySystems(c *C) {
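Review bot: The updated assertion only covers the two-app fixture, so the single-app and app-less slot cases, which the new label builder renders as `snap.bluez.{app1}` and `snap.bluez.{}`, go untested; I would add a case for each so the expected AppArmor syntax is pinned in the test (and checked against what the parser accepts) rather than discovered at policy load time. Using two apps does exercise the sort, since map iteration order is random; a one-line comment on the fixture such as `// two apps: the label must be a sorted brace alternation` would make that intent explicit. TestUnusedSecuritySystems at the end of the hunk continues outside it.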
