代码拉取完成,页面将自动刷新
同步操作将从 tupelo-shen/mysnapd 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
// -*- Mode: Go; indent-tabs-mode: t -*-
/*
* Copyright (C) 2017 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package builtin
import (
"strings"
"gitee.com/mysnapcore/mysnapd/interfaces"
"gitee.com/mysnapcore/mysnapd/interfaces/apparmor"
"gitee.com/mysnapcore/mysnapd/interfaces/seccomp"
"gitee.com/mysnapcore/mysnapd/snap"
)
const storageFrameworkServiceSummary = `allows operating as or interacting with the Storage Framework`
const storageFrameworkServiceBaseDeclarationSlots = `
storage-framework-service:
allow-installation:
slot-snap-type:
- app
deny-connection: true
deny-auto-connection: true
`
const storageFrameworkServicePermanentSlotAppArmor = `
# Description: Allow use of aa_is_enabled()
# libapparmor query interface needs 'w' to perform the query and 'r' to
# read the result. This is an information leak because in addition to
# allowing querying policy for any label (precisely what
# storage-framework needs), it also allows checking the existence of
# any label.
/sys/module/apparmor/parameters/enabled r,
@{PROC}/@{pid}/mounts r,
/sys/kernel/security/apparmor/.access rw,
# Description: Allow owning the registry and storage framework bus names on the session bus.
#include <abstractions/dbus-session-strict>
dbus (send)
bus=session
path=/org/freedesktop/DBus
interface=org.freedesktop.DBus
member={RequestName,ReleaseName,GetConnectionCredentials}
peer=(name=org.freedesktop.DBus, label=unconfined),
dbus (bind)
bus=session
name=com.canonical.StorageFramework.Registry,
dbus (bind)
bus=session
name=com.canonical.StorageFramework.Provider.*,
`
const storageFrameworkServiceConnectedSlotAppArmor = `
# Description: Allow clients to access the registry and storage framework services.
#include <abstractions/dbus-session-strict>
dbus (receive, send)
bus=session
interface=com.canonical.StorageFramework.Registry
path=/com/canonical/StorageFramework/Registry
peer=(label=###PLUG_SECURITY_TAGS###),
dbus (receive, send)
bus=session
interface=com.canonical.StorageFramework.Provider.*
path=/provider/*
peer=(label=###PLUG_SECURITY_TAGS###),
`
const storageFrameworkServiceConnectedPlugAppArmor = `
# Description: Allow access to the registry and storage framework services.
#include <abstractions/dbus-session-strict>
dbus (receive, send)
bus=session
interface=com.canonical.StorageFramework.Registry
path=/com/canonical/StorageFramework/Registry
peer=(label=###SLOT_SECURITY_TAGS###),
dbus (receive, send)
bus=session
interface=com.canonical.StorageFramework.Provider.*
path=/provider/*
peer=(label=###SLOT_SECURITY_TAGS###),
`
const storageFrameworkServicePermanentSlotSecComp = `
bind
`
type storageFrameworkServiceInterface struct{}
func (iface *storageFrameworkServiceInterface) Name() string {
return "storage-framework-service"
}
func (iface *storageFrameworkServiceInterface) StaticInfo() interfaces.StaticInfo {
return interfaces.StaticInfo{
Summary: storageFrameworkServiceSummary,
BaseDeclarationSlots: storageFrameworkServiceBaseDeclarationSlots,
}
}
func (iface *storageFrameworkServiceInterface) AppArmorConnectedPlug(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
snippet := storageFrameworkServiceConnectedPlugAppArmor
old := "###SLOT_SECURITY_TAGS###"
new := slotAppLabelExpr(slot)
snippet = strings.Replace(snippet, old, new, -1)
spec.AddSnippet(snippet)
return nil
}
func (iface *storageFrameworkServiceInterface) AppArmorPermanentSlot(spec *apparmor.Specification, slot *snap.SlotInfo) error {
spec.AddSnippet(storageFrameworkServicePermanentSlotAppArmor)
return nil
}
func (iface *storageFrameworkServiceInterface) AppArmorConnectedSlot(spec *apparmor.Specification, plug *interfaces.ConnectedPlug, slot *interfaces.ConnectedSlot) error {
snippet := storageFrameworkServiceConnectedSlotAppArmor
old := "###PLUG_SECURITY_TAGS###"
new := plugAppLabelExpr(plug)
snippet = strings.Replace(snippet, old, new, -1)
spec.AddSnippet(snippet)
return nil
}
func (iface *storageFrameworkServiceInterface) SecCompPermanentSlot(spec *seccomp.Specification, slot *snap.SlotInfo) error {
spec.AddSnippet(storageFrameworkServicePermanentSlotSecComp)
return nil
}
func (iface *storageFrameworkServiceInterface) AutoConnect(plug *snap.PlugInfo, slot *snap.SlotInfo) bool {
return true
}
func init() {
registerIface(&storageFrameworkServiceInterface{})
}
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手