登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 1

mysnapcore / mysnapd

forked from tupelo-shen / mysnapd 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
mir.go 4.44 KB
一键复制 编辑 原始数据 按行查看 历史
tupelo-shen 提交于 2022-11-08 09:25 . fix: interfaces commit
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157
// -*- Mode: Go; indent-tabs-mode: t -*-



/*

 * Copyright (c) 2016-2018 Canonical Ltd

 *

 * This program is free software: you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 3 as

 * published by the Free Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

 * GNU General Public License for more dtails.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program.

 *

 */



package builtin



import (

	"strings"



	"gitee.com/mysnapcore/mysnapd/interfaces"

	"gitee.com/mysnapcore/mysnapd/interfaces/apparmor"

	"gitee.com/mysnapcore/mysnapd/interfaces/seccomp"

	"gitee.com/mysnapcore/mysnapd/interfaces/udev"

	"gitee.com/mysnapcore/mysnapd/snap"

)



const mirSummary = `allows operating as the Mir server`



const mirBaseDeclarationSlots = `

  mir:

    allow-installation:

      slot-snap-type:

        - app

    deny-connection: true

`



const mirPermanentSlotAppArmor = `

# Description: Allow operating as the Mir server. This gives privileged access

# to the system.



# needed since Mir is the display server, to configure tty devices

capability sys_tty_config,

/dev/tty[0-9]* rw,



# mir uses open("/dev/shm", O_TMPFILE...) which shows up in AppArmor

# as /dev/shm/#NUMBER. This is then fed to mmap with MAP_SHARED

# for communication with the client (note that the file doesn't actually

# exist and isn't accessible by other processes). Also see:

# https://www.kernel.org/doc/gorman/html/understand/understand015.html

/{dev,run}/shm/\#[0-9]* mrw,



/run/mir_socket rw,

/run/user/[0-9]*/mir_socket rw,



# Needed for mode setting via drmSetMaster() and drmDropMaster()

capability sys_admin,



# NOTE: this allows reading and inserting all input events

/dev/input/* rw,



# For using udev

network netlink raw,

/run/udev/data/c13:[0-9]* r,

/run/udev/data/+input:input[0-9]* r,

/run/udev/data/+platform:* r,

`



const mirPermanentSlotSecComp = `

# Description: Allow operating as the mir server. This gives privileged access

# to the system.

# Needed for server launch

bind

listen

# Needed by server upon client connect

accept

accept4

shmctl

# for udev

socket AF_NETLINK - NETLINK_KOBJECT_UEVENT

`



const mirConnectedSlotAppArmor = `

# Description: Permit clients to use Mir

unix (receive, send) type=seqpacket addr=none peer=(label=###PLUG_SECURITY_TAGS###),

`



const mirConnectedPlugAppArmor = `

# Description: Permit clients to use Mir

unix (receive, send) type=seqpacket addr=none peer=(label=###SLOT_SECURITY_TAGS###),

/run/mir_socket rw,

/run/user/[0-9]*/mir_socket rw,



# Mir uses /dev/shm for sharing memory with clients

/{dev,run}/shm/\#[0-9]* mrw,

`



type mirInterface struct{}



func (iface *mirInterface) Name() string {

	return "mir"

}



func (iface *mirInterface) StaticInfo() interfaces.StaticInfo {

	return interfaces.StaticInfo{

		Summary:              mirSummary,

		BaseDeclarationSlots: mirBaseDeclarationSlots,

	}

}



func (iface *mirInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {

	old := "###SLOT_SECURITY_TAGS###"

	new := slotAppLabelExpr(slot)

	snippet := strings.Replace(mirConnectedPlugAppArmor, old, new, -1)

	spec.AddSnippet(snippet)

	return nil

}



func (iface *mirInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {

	old := "###PLUG_SECURITY_TAGS###"

	new := plugAppLabelExpr(plug)

	snippet := strings.Replace(mirConnectedSlotAppArmor, old, new, -1)

	spec.AddSnippet(snippet)

	return nil

}



func (iface *mirInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {

	spec.AddSnippet(mirPermanentSlotAppArmor)

	return nil

}



func (iface *mirInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {

	spec.AddSnippet(mirPermanentSlotSecComp)

	return nil

}



func (iface *mirInterface) UDevPermanentSlot(spec *udev.Specification, slot *snap.SlotInfo) error {

	spec.TriggerSubsystem("input")

	spec.TagDevice(`KERNEL=="tty[0-9]*"`)

	spec.TagDevice(`KERNEL=="mice"`)

	spec.TagDevice(`KERNEL=="mouse[0-9]*"`)

	spec.TagDevice(`KERNEL=="event[0-9]*"`)

	spec.TagDevice(`KERNEL=="ts[0-9]*"`)

	return nil

}



func (iface *mirInterface) AutoConnect(*snap.PlugInfo, *snap.SlotInfo) bool {

	return true

}



func init() {

	registerIface(&mirInterface{})

}
Go
1
https://gitee.com/mysnapcore/mysnapd.git
git@gitee.com:mysnapcore/mysnapd.git
mysnapcore
mysnapd
mysnapd
v0.1.0
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部