// -*- Mode: Go; indent-tabs-mode: t -*-
/*
* Copyright (C) 2016 Canonical Ltd
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 3 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package interfaces
import (
"fmt"
"regexp"
"github.com/snapcore/snapd/snap"
)
// Plug represents the potential of a given snap to connect to a slot.
//
// The embedded *snap.PlugInfo carries the plug's static declaration; its
// promoted Snap and Name fields are what Ref() reads. Connections records the
// slot references this plug is connected to.
type Plug struct {
	*snap.PlugInfo
	// Connections lists the slots this plug is connected to; it is dropped
	// from the JSON form when empty.
	Connections []SlotRef `json:"connections,omitempty"`
}
// Ref returns reference to a plug
//
// The result is built from the fields promoted from the embedded
// *snap.PlugInfo; a Plug whose PlugInfo is nil panics here, since there is
// no nil check before the promoted fields are read.
func (plug *Plug) Ref() PlugRef {
	var ref PlugRef
	ref.Snap = plug.Snap.Name()
	ref.Name = plug.Name
	return ref
}
// PlugRef is a reference to a plug.
//
// It identifies a plug by the name of the snap declaring it and the plug's
// own name; this is the form plugs take in Slot.Connections.
type PlugRef struct {
	// Snap is the name of the snap that declares the plug.
	Snap string `json:"snap"`
	// Name is the plug's name. Note the JSON key is "plug", not "name".
	Name string `json:"plug"`
}
// Slot represents a capacity offered by a snap.
//
// The embedded *snap.SlotInfo carries the slot's static declaration; its
// promoted Snap and Name fields are what Ref() reads. Connections records the
// plug references connected to this slot.
type Slot struct {
	*snap.SlotInfo
	// Connections lists the plugs connected to this slot; it is dropped from
	// the JSON form when empty.
	Connections []PlugRef `json:"connections,omitempty"`
}
// Ref returns reference to a slot
//
// The result is built from the fields promoted from the embedded
// *snap.SlotInfo; a Slot whose SlotInfo is nil panics here, since there is
// no nil check before the promoted fields are read.
func (slot *Slot) Ref() SlotRef {
	var ref SlotRef
	ref.Snap = slot.Snap.Name()
	ref.Name = slot.Name
	return ref
}
// SlotRef is a reference to a slot.
//
// It identifies a slot by the name of the snap declaring it and the slot's
// own name; this is the form slots take in Plug.Connections.
type SlotRef struct {
	// Snap is the name of the snap that declares the slot.
	Snap string `json:"snap"`
	// Name is the slot's name. Note the JSON key is "slot", not "name".
	Name string `json:"slot"`
}
// Interfaces holds information about a list of plugs and slots, and their connections.
//
// Connections are not stored separately: each Plug and Slot carries its own
// Connections list.
type Interfaces struct {
	// Plugs is the list of known plugs, each with its connections.
	Plugs []*Plug `json:"plugs"`
	// Slots is the list of known slots, each with its connections.
	Slots []*Slot `json:"slots"`
}
// ConnRef holds information about plug and slot reference that form a particular connection.
//
// ID returns the canonical string form of the connection.
type ConnRef struct {
	// PlugRef identifies the plug side of the connection.
	PlugRef PlugRef
	// SlotRef identifies the slot side of the connection.
	SlotRef SlotRef
}
// ID returns a string identifying a given connection.
//
// The form is "plugSnap:plugName slotSnap:slotName". Plug and slot names
// accepted by ValidateName contain neither ':' nor ' ', so for validated
// names the ID parses unambiguously; this presumably holds for snap names
// too, but they are not validated in this file.
func (conn *ConnRef) ID() string {
	plugRef, slotRef := conn.PlugRef, conn.SlotRef
	return fmt.Sprintf("%s:%s %s:%s", plugRef.Snap, plugRef.Name, slotRef.Snap, slotRef.Name)
}
// Interface describes a group of interchangeable capabilities with common features.
// Interfaces act as a contract between system builders, application developers
// and end users.
//
// The four *Snippet methods are the security-relevant part of the contract:
// each returns the text that the named SecuritySystem (see the Security*
// constants) receives for a plug or slot, either permanently or only while a
// connection exists. Implementations decide which security systems they
// recognise and must return an empty snippet for the others.
type Interface interface {
	// Unique and public name of this interface.
	Name() string
	// SanitizePlug checks if a plug is correct, altering if necessary.
	// A non-nil error means the plug declaration is rejected.
	SanitizePlug(plug *Plug) error
	// SanitizeSlot checks if a slot is correct, altering if necessary.
	// A non-nil error means the slot declaration is rejected.
	SanitizeSlot(slot *Slot) error
	// PermanentPlugSnippet returns the snippet of text for the given security
	// system that is used during the whole lifetime of affected applications,
	// whether the plug is connected or not.
	//
	// Permanent security snippet can be used to grant permissions to a snap that
	// has a plug of a given interface even before the plug is connected to a
	// slot.
	//
	// An empty snippet is returned when there are no additional permissions
	// that are required to implement this interface or when the interface
	// doesn't recognize the security system.
	PermanentPlugSnippet(plug *Plug, securitySystem SecuritySystem) ([]byte, error)
	// ConnectedPlugSnippet returns the snippet of text for the given security
	// system that is used by affected application, while a specific connection
	// between a plug and a slot exists.
	//
	// Connection-specific security snippet can be used to grant permission to
	// a snap that has a plug of a given interface connected to a slot in
	// another snap.
	//
	// The snippet should be specific to both the plug and the slot. If the
	// slot is not necessary then consider using PermanentPlugSnippet()
	// instead.
	//
	// An empty snippet is returned when there are no additional permissions
	// that are required to implement this interface or when the interface
	// doesn't recognize the security system.
	ConnectedPlugSnippet(plug *Plug, slot *Slot, securitySystem SecuritySystem) ([]byte, error)
	// PermanentSlotSnippet returns the snippet of text for the given security
	// system that is used during the whole lifetime of affected applications,
	// whether the slot is connected or not.
	//
	// Permanent security snippet can be used to grant permissions to a snap that
	// has a slot of a given interface even before the first connection to that
	// slot is made.
	//
	// An empty snippet is returned when there are no additional permissions
	// that are required to implement this interface or when the interface
	// doesn't recognize the security system.
	PermanentSlotSnippet(slot *Slot, securitySystem SecuritySystem) ([]byte, error)
	// ConnectedSlotSnippet returns the snippet of text for the given security
	// system that is used by affected application, while a specific connection
	// between a plug and a slot exists.
	//
	// Connection-specific security snippet can be used to grant permission to
	// a snap that has a slot of a given interface connected to a plug in
	// another snap.
	//
	// The snippet should be specific to both the plug and the slot, if the
	// plug is not necessary then consider using PermanentSlotSnippet()
	// instead.
	//
	// An empty snippet is returned when there are no additional permissions
	// that are required to implement this interface or when the interface
	// doesn't recognize the security system.
	ConnectedSlotSnippet(plug *Plug, slot *Slot, securitySystem SecuritySystem) ([]byte, error)
	// AutoConnect returns whether plug and slot should be
	// implicitly auto-connected assuming they will be an
	// unambiguous connection candidate and declaration-based checks
	// allow.
	//
	// Returning true is only a vote: the caller still applies the
	// unambiguity and declaration checks mentioned above.
	AutoConnect(plug *Plug, slot *Slot) bool
}
// SecuritySystem is a name of a security system.
//
// Values of this type are passed to the *Snippet methods of Interface to ask
// an interface for the text destined for that particular security system.
type SecuritySystem string

// The known security systems. The string values are the identifiers the
// snippet methods compare against; an interface that does not recognise a
// value returns an empty snippet for it.
const (
	// SecurityAppArmor identifies the apparmor security system.
	SecurityAppArmor SecuritySystem = "apparmor"
	// SecuritySecComp identifies the seccomp security system.
	SecuritySecComp SecuritySystem = "seccomp"
	// SecurityDBus identifies the DBus security system.
	SecurityDBus SecuritySystem = "dbus"
	// SecurityUDev identifies the UDev security system.
	SecurityUDev SecuritySystem = "udev"
	// SecurityMount identifies the mount security system.
	SecurityMount SecuritySystem = "mount"
	// SecurityKMod identifies the kernel modules security system.
	SecurityKMod SecuritySystem = "kmod"
	// SecuritySystemd identifies the systemd services security system.
	SecuritySystemd SecuritySystem = "systemd"
)
// validName is the regular expression describing correct identifiers: a
// lowercase letter, then lowercase letters or digits with at most one hyphen
// between any two of them, and no leading or trailing hyphen. The anchors
// match the whole input only, so a trailing newline is rejected as well.
var validName = regexp.MustCompile("^[a-z](?:-?[a-z0-9])*$")

// ValidateName checks if a string can be used as a plug or slot name.
//
// It returns nil when name matches validName and an error quoting the
// offending value otherwise. The error text says "interface name" although
// plug and slot names are what is validated; callers or tests may match on
// that text, so it is kept as is.
func ValidateName(name string) error {
	if validName.MatchString(name) {
		return nil
	}
	return fmt.Errorf("invalid interface name: %q", name)
}