interfaces

package
v0.0.0-...-677ed08
Published: Sep 28, 2016 License: GPL-3.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func SecurityTagGlob

func SecurityTagGlob(snapName string) string

SecurityTagGlob returns a pattern that matches all security tags belonging to the given snap.

func ValidateName

func ValidateName(name string) error

ValidateName checks if a string can be used as a plug or slot name.

Types

type BadInterfacesError

type BadInterfacesError struct {
	// contains filtered or unexported fields
}

BadInterfacesError is returned when some snap interfaces could not be registered. Those interfaces not mentioned in the error were successfully registered.

func (*BadInterfacesError) Error

func (e *BadInterfacesError) Error() string

type Interface

type Interface interface {
	// Unique and public name of this interface.
	Name() string

	// SanitizePlug checks if a plug is correct, altering it if necessary.
	SanitizePlug(plug *Plug) error

	// SanitizeSlot checks if a slot is correct, altering it if necessary.
	SanitizeSlot(slot *Slot) error

	// PermanentPlugSnippet returns the snippet of text for the given security
	// system that is used during the whole lifetime of affected applications,
	// whether the plug is connected or not.
	//
	// Permanent security snippet can be used to grant permissions to a snap that
	// has a plug of a given interface even before the plug is connected to a
	// slot.
	//
	// An empty snippet is returned when there are no additional permissions
	// that are required to implement this interface or when the interface
	// doesn't recognize the security system.
	PermanentPlugSnippet(plug *Plug, securitySystem SecuritySystem) ([]byte, error)

	// ConnectedPlugSnippet returns the snippet of text for the given security
	// system that is used by the affected application while a specific
	// connection between a plug and a slot exists.
	//
	// Connection-specific security snippet can be used to grant permission to
	// a snap that has a plug of a given interface connected to a slot in
	// another snap.
	//
	// The snippet should be specific to both the plug and the slot. If the
	// slot is not necessary then consider using PermanentPlugSnippet()
	// instead.
	//
	// An empty snippet is returned when there are no additional permissions
	// that are required to implement this interface or when the interface
	// doesn't recognize the security system.
	ConnectedPlugSnippet(plug *Plug, slot *Slot, securitySystem SecuritySystem) ([]byte, error)

	// PermanentSlotSnippet returns the snippet of text for the given security
	// system that is used during the whole lifetime of affected applications,
	// whether the slot is connected or not.
	//
	// Permanent security snippet can be used to grant permissions to a snap that
	// has a slot of a given interface even before the first connection to that
	// slot is made.
	//
	// An empty snippet is returned when there are no additional permissions
	// that are required to implement this interface or when the interface
	// doesn't recognize the security system.
	PermanentSlotSnippet(slot *Slot, securitySystem SecuritySystem) ([]byte, error)

	// ConnectedSlotSnippet returns the snippet of text for the given security
	// system that is used by the affected application while a specific
	// connection between a plug and a slot exists.
	//
	// Connection-specific security snippet can be used to grant permission to
	// a snap that has a slot of a given interface connected to a plug in
	// another snap.
	//
	// The snippet should be specific to both the plug and the slot. If the
	// plug is not necessary then consider using PermanentSlotSnippet()
	// instead.
	//
	// An empty snippet is returned when there are no additional permissions
	// that are required to implement this interface or when the interface
	// doesn't recognize the security system.
	ConnectedSlotSnippet(plug *Plug, slot *Slot, securitySystem SecuritySystem) ([]byte, error)

	// AutoConnect returns whether plugs and slots should be implicitly
	// auto-connected when an unambiguous connection candidate is available in
	// the OS snap.
	AutoConnect() bool
}

Interface describes a group of interchangeable capabilities with common features. Interfaces act as a contract between system builders, application developers and end users.

type Interfaces

type Interfaces struct {
	Plugs []*Plug `json:"plugs"`
	Slots []*Slot `json:"slots"`
}

Interfaces holds information about a list of plugs and slots, and their connections.

type Plug

type Plug struct {
	*snap.PlugInfo
	Connections []SlotRef `json:"connections,omitempty"`
}

Plug represents the potential of a given snap to connect to a slot.

func (*Plug) MarshalJSON

func (plug *Plug) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of plug.

type PlugRef

type PlugRef struct {
	Snap string `json:"snap"`
	Name string `json:"plug"`
}

PlugRef is a reference to a plug.

type Repository

type Repository struct {
	// contains filtered or unexported fields
}

Repository stores all known snappy plugs, slots and interfaces.

func NewRepository

func NewRepository() *Repository

NewRepository creates an empty plug repository.

func (*Repository) AddInterface

func (r *Repository) AddInterface(i Interface) error

AddInterface adds the provided interface to the repository.

func (*Repository) AddPlug

func (r *Repository) AddPlug(plug *Plug) error

AddPlug adds a plug to the repository. Plug names must be valid, as defined by ValidateName, and a plug name must be unique within a particular snap.

func (*Repository) AddSlot

func (r *Repository) AddSlot(slot *Slot) error

AddSlot adds a new slot to the repository. Adding a slot with invalid name returns an error. Adding a slot that has the same name and snap name as another slot returns an error.

func (*Repository) AddSnap

func (r *Repository) AddSnap(snapInfo *snap.Info) error

AddSnap adds plugs and slots declared by the given snap to the repository.

This function can be used to implement snap install or, when used along with RemoveSnap, snap upgrade.

AddSnap doesn't change existing plugs/slots. The caller is responsible for ensuring that the snap is not present in the repository in any way prior to calling this function. If this constraint is violated then no changes are made and an error is returned.

Each added plug/slot is validated according to the corresponding interface. Unknown interfaces and plugs/slots that don't validate are not added. Information about those failures is returned to the caller.

func (*Repository) AllPlugs

func (r *Repository) AllPlugs(interfaceName string) []*Plug

AllPlugs returns all plugs of the given interface. If interfaceName is the empty string, all plugs are returned.

func (*Repository) AllSlots

func (r *Repository) AllSlots(interfaceName string) []*Slot

AllSlots returns all slots of the given interface. If interfaceName is the empty string, all slots are returned.

func (*Repository) AutoConnectBlacklist

func (r *Repository) AutoConnectBlacklist(snapName string) map[string]bool

AutoConnectBlacklist returns plug names that should not be auto-connected.

A plug is blacklisted if it has no connections despite using an auto-connected interface; that implies it was manually disconnected.

func (*Repository) AutoConnectCandidates

func (r *Repository) AutoConnectCandidates(plugSnapName, plugName string) []*Slot

AutoConnectCandidates finds and returns viable auto-connection candidates for a given plug.

func (*Repository) Connect

func (r *Repository) Connect(plugSnapName, plugName, slotSnapName, slotName string) error

Connect establishes a connection between a plug and a slot. The plug and the slot must have the same interface.

func (*Repository) Disconnect

func (r *Repository) Disconnect(plugSnapName, plugName, slotSnapName, slotName string) error

Disconnect disconnects the named plug from the slot of the given snap.

Disconnect has three modes of operation that depend on the passed arguments:

  • If all the arguments are specified then Disconnect() finds a specific slot and a specific plug and disconnects that plug from that slot. It is an error if the plug or slot cannot be found or if the connection does not exist.
  • If plugSnapName and plugName are empty then Disconnect() finds the specified slot and disconnects all the plugs connected to it. It is not an error if there are no such plugs but it is still an error if the slot does not exist.
  • If plugSnapName, plugName and slotName are all empty then Disconnect() finds the specified snap (designated by slotSnapName) and disconnects all the plugs from all the slots found therein. It is not an error if there are no such plugs but it is still an error if the snap does not exist or has no slots at all.

func (*Repository) DisconnectSnap

func (r *Repository) DisconnectSnap(snapName string) ([]string, error)

DisconnectSnap disconnects all the connections to and from a given snap.

The return value is a list of the names of the snaps that were affected.

func (*Repository) Interface

func (r *Repository) Interface(interfaceName string) Interface

Interface returns an interface with a given name.

func (*Repository) Interfaces

func (r *Repository) Interfaces() *Interfaces

Interfaces returns an object holding lists of all the plugs and slots and their connections.

func (*Repository) Plug

func (r *Repository) Plug(snapName, plugName string) *Plug

Plug returns the specified plug from the named snap.

func (*Repository) Plugs

func (r *Repository) Plugs(snapName string) []*Plug

Plugs returns the plugs offered by the named snap.

func (*Repository) RemovePlug

func (r *Repository) RemovePlug(snapName, plugName string) error

RemovePlug removes the named plug provided by a given snap. The removed plug must exist and must not be used anywhere.

func (*Repository) RemoveSlot

func (r *Repository) RemoveSlot(snapName, slotName string) error

RemoveSlot removes a named slot from the given snap. Removing a slot that doesn't exist returns an error. Removing a slot that is connected to a plug returns an error.

func (*Repository) RemoveSnap

func (r *Repository) RemoveSnap(snapName string) error

RemoveSnap removes all the plugs and slots associated with a given snap.

This function can be used to implement snap removal or, when used along with AddSnap, snap upgrade.

RemoveSnap does not remove connections. The caller is responsible for ensuring that connections are broken before calling this method. If this constraint is violated then no changes are made and an error is returned.

func (*Repository) SecuritySnippetsForSnap

func (r *Repository) SecuritySnippetsForSnap(snapName string, securitySystem SecuritySystem) (map[string][][]byte, error)

SecuritySnippetsForSnap collects all of the snippets of a given security system that affect a given snap. The return value is indexed by app/hook security tag within that snap.
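The Interface contract described above (permanent versus connected snippets, the sanitize callbacks, an empty snippet for an unknown security system) and the way Connect and SecuritySnippetsForSnap compose those snippets can be followed end to end in the added example below. It is not code from this package: interfaces.Plug and interfaces.Slot embed snap.PlugInfo and snap.SlotInfo, which are not available here, so the example uses local stand-in types, a hypothetical "example-socket" interface, and a SnippetsForSnap function that models only the plug side of Repository.SecuritySnippetsForSnap. The snap.<snap>.<app> security-tag layout is likewise an assumption; the page only says the result is indexed by app/hook tag.

```go
package main

import (
	"fmt"
	"strings"
)

// SecuritySystem mirrors the package type; only AppArmor is handled here.
type SecuritySystem string

const SecurityAppArmor SecuritySystem = "apparmor"

// Plug and Slot stand in for interfaces.Plug and interfaces.Slot (which embed snap.PlugInfo / snap.SlotInfo, not available here).
type Plug struct {
	Snap, Name, Interface string
	Apps                  []string // apps of the snap that use this plug
}

type Slot struct {
	Snap, Name, Interface string
	Attrs                 map[string]interface{}
}

// Connection records a plug-to-slot connection, as Repository.Connect would.
type Connection struct{ Plug *Plug; Slot *Slot }

// Connect enforces the rule documented for Repository.Connect: both ends must have the same interface.
func Connect(plug *Plug, slot *Slot) (Connection, error) {
	if plug.Interface != slot.Interface {
		return Connection{}, fmt.Errorf("cannot connect %s:%s to %s:%s: interface mismatch", plug.Snap, plug.Name, slot.Snap, slot.Name)
	}
	return Connection{Plug: plug, Slot: slot}, nil
}

// socketIface is a hypothetical interface: a slot exposes a unix socket path that a connected plug may use.
type socketIface struct{}

// SanitizeSlot is the security-relevant check: the path attribute is copied verbatim into policy, so
// anything but a plain absolute path under /run/ is refused (else a slot could smuggle "/etc/** rw," into a consumer's profile).
func (socketIface) SanitizeSlot(slot *Slot) error {
	p, ok := slot.Attrs["path"].(string)
	if !ok || !strings.HasPrefix(p, "/run/") || strings.Contains(p, "..") || strings.ContainsAny(p, " \t\n,*?{}[]") {
		return fmt.Errorf("slot %s:%s: attribute \"path\" must be a plain absolute path under /run/", slot.Snap, slot.Name)
	}
	return nil
}

// PermanentPlugSnippet applies for the whole lifetime of the plug's apps, connected or not, so it carries only what is safe unconditionally.
func (socketIface) PermanentPlugSnippet(plug *Plug, sys SecuritySystem) ([]byte, error) {
	if sys != SecurityAppArmor {
		return nil, nil // unknown security system: no extra permissions
	}
	return []byte("/run/example-socket/ r,\n"), nil
}

// ConnectedPlugSnippet exists only while the connection does and is scoped to this one slot's socket.
func (socketIface) ConnectedPlugSnippet(plug *Plug, slot *Slot, sys SecuritySystem) ([]byte, error) {
	if sys != SecurityAppArmor {
		return nil, nil
	}
	p, _ := slot.Attrs["path"].(string) // validated by SanitizeSlot
	return []byte(p + " rw,\n"), nil
}

// SecurityTag builds the per-app tag; the snap.<snap>.<app> layout is an assumption, the page only says snippets are indexed by app/hook tag.
func SecurityTag(snapName, app string) string { return "snap." + snapName + "." + app }

// SnippetsForSnap models the plug side of Repository.SecuritySnippetsForSnap: permanent snippets for every
// plug of the snap, connected snippets only for plugs that currently have a connection, keyed by security tag.
func SnippetsForSnap(iface socketIface, snapName string, plugs []*Plug, conns []Connection, sys SecuritySystem) (map[string][][]byte, error) {
	out := map[string][][]byte{}
	add := func(plug *Plug, s []byte, err error) error {
		if err != nil || len(s) == 0 || plug.Snap != snapName {
			return err
		}
		for _, app := range plug.Apps {
			tag := SecurityTag(snapName, app)
			out[tag] = append(out[tag], s)
		}
		return nil
	}
	for _, p := range plugs {
		s, err := iface.PermanentPlugSnippet(p, sys)
		if addErr := add(p, s, err); addErr != nil {
			return nil, addErr
		}
	}
	for _, c := range conns {
		s, err := iface.ConnectedPlugSnippet(c.Plug, c.Slot, sys)
		if addErr := add(c.Plug, s, err); addErr != nil {
			return nil, addErr
		}
	}
	return out, nil
}
```

Calling SnippetsForSnap for the client snap before Connect yields only the permanent rule; after Connect the slot-specific rule is added as well, and it disappears again as soon as the Connection is dropped from the list, which is why a connected snippet must be scoped to the one slot it was computed for. SanitizeSlot runs before any snippet is generated: the slot's path attribute is interpolated straight into the AppArmor rule, so an unchecked attribute would be a policy-injection point for the slot's snap.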

func (*Repository) Slot

func (r *Repository) Slot(snapName, slotName string) *Slot

Slot returns the specified slot from the named snap.

func (*Repository) Slots

func (r *Repository) Slots(snapName string) []*Slot

Slots returns the slots offered by the named snap.

type SecurityBackend

type SecurityBackend interface {
	// Name returns the name of the backend.
	// This is intended for diagnostic messages.
	Name() string

	// Setup creates and loads security artefacts specific to a given snap.
	// The snap can be in developer mode to make security violations non-fatal
	// to the offending application process.
	//
	// This method should be called after changing plugs, slots, the
	// connections between them, or the applications present in the snap.
	Setup(snapInfo *snap.Info, devMode bool, repo *Repository) error

	// Remove removes and unloads security artefacts of a given snap.
	//
	// This method should be called during the process of removing a snap.
	Remove(snapName string) error
}

SecurityBackend abstracts interactions between the interface system and the needs of a particular security system.
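How a backend consumes the per-tag output of SecuritySnippetsForSnap, honours devMode, and cleans up using the pattern SecurityTagGlob describes is shown by the added example below. It is not one of snapd's backends: fileBackend is a hypothetical SecurityBackend that writes one AppArmor-style profile per security tag into a directory, its Setup takes the snippet map directly instead of *snap.Info and *Repository, Name() is omitted, and the snap.<snap>.<app> tag layout assumed by its SecurityTagGlob is not stated on the page.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// SecurityTagGlob follows the documented behaviour of the package function: one pattern
// covering every security tag of a snap. The snap.<snap>.<app> tag layout is an assumption.
func SecurityTagGlob(snapName string) string { return "snap." + snapName + ".*" }

// fileBackend is a hypothetical SecurityBackend that keeps one profile file per
// security tag under dir. It is not snapd's apparmor backend.
type fileBackend struct{ dir string }

// Setup takes the per-tag snippets Repository.SecuritySnippetsForSnap returns (a
// simplification: the real method takes *snap.Info and *Repository). In devMode the
// profile is flagged complain, so violations are logged, not enforced. Returns paths written.
func (b fileBackend) Setup(snapName string, devMode bool, snippets map[string][][]byte) ([]string, error) {
	glob := SecurityTagGlob(snapName)
	// Only this snap's tags may be written: a foreign tag would put its snippets in another snap's policy.
	for tag := range snippets {
		if ok, _ := filepath.Match(glob, tag); !ok {
			return nil, fmt.Errorf("tag %q does not belong to snap %q", tag, snapName)
		}
	}
	if err := os.MkdirAll(b.dir, 0o755); err != nil {
		return nil, err
	}
	flags := ""
	if devMode {
		flags = " flags=(complain)"
	}
	var written []string
	for tag, parts := range snippets {
		var sb strings.Builder
		fmt.Fprintf(&sb, "# generated profile for %s\nprofile %s%s {\n", tag, tag, flags)
		for _, p := range parts {
			sb.WriteString("  " + strings.TrimRight(string(p), "\n") + "\n")
		}
		sb.WriteString("}\n")
		path := filepath.Join(b.dir, tag)
		// Write to a temporary name and rename, so a crash never leaves a truncated profile.
		if err := os.WriteFile(path+".tmp", []byte(sb.String()), 0o644); err != nil {
			return nil, err
		}
		if err := os.Rename(path+".tmp", path); err != nil {
			return nil, err
		}
		written = append(written, path)
	}
	// Drop profiles for tags the snap no longer has, e.g. an app removed on upgrade.
	existing, err := filepath.Glob(filepath.Join(b.dir, glob))
	if err != nil {
		return nil, err
	}
	for _, p := range existing {
		if _, keep := snippets[filepath.Base(p)]; !keep {
			if err := os.Remove(p); err != nil {
				return nil, err
			}
		}
	}
	sort.Strings(written)
	return written, nil
}

// Remove deletes every profile of the snap, located through the tag glob, and returns
// what it removed. A snap with no profiles is not an error.
func (b fileBackend) Remove(snapName string) ([]string, error) {
	matches, err := filepath.Glob(filepath.Join(b.dir, SecurityTagGlob(snapName)))
	if err != nil {
		return nil, err
	}
	for _, p := range matches {
		if err := os.Remove(p); err != nil {
			return nil, err
		}
	}
	return matches, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "iface-backend")
	defer os.RemoveAll(dir)
	b := fileBackend{dir: dir}
	// Constructed demo input, shaped like SecuritySnippetsForSnap output.
	written, err := b.Setup("client", true, map[string][][]byte{"snap.client.cli": {[]byte("/run/provider/api.sock rw,\n")}})
	if err != nil {
		panic(err)
	}
	data, _ := os.ReadFile(written[0])
	fmt.Print(string(data))
	removed, _ := b.Remove("client")
	fmt.Println("removed:", removed)
}
```

Two things a real backend has to get right are visible here: Setup refuses tags outside the snap's own glob, so a bug elsewhere cannot write policy for a different snap under this snap's name, and it deletes profiles for tags that no longer exist, so an app dropped on upgrade does not keep a stale profile around. Remove uses the same glob, which is what SecurityTagGlob exists for, so nothing is left behind when the snap goes. A real apparmor backend would additionally load the profile into the kernel after writing it and unload it on removal.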

type SecuritySystem

type SecuritySystem string

SecuritySystem is a name of a security system.

const (
	// SecurityAppArmor identifies the apparmor security system.
	SecurityAppArmor SecuritySystem = "apparmor"
	// SecuritySecComp identifies the seccomp security system.
	SecuritySecComp SecuritySystem = "seccomp"
	// SecurityDBus identifies the DBus security system.
	SecurityDBus SecuritySystem = "dbus"
	// SecurityUDev identifies the UDev security system.
	SecurityUDev SecuritySystem = "udev"
	// SecurityMount identifies the mount security system.
	SecurityMount SecuritySystem = "mount"
	// SecurityKMod identifies the kernel modules security system
	SecurityKMod SecuritySystem = "kmod"
)

type Slot

type Slot struct {
	*snap.SlotInfo
	Connections []PlugRef `json:"connections,omitempty"`
}

Slot represents a capacity offered by a snap.

func (*Slot) MarshalJSON

func (slot *Slot) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of slot.

type SlotRef

type SlotRef struct {
	Snap string `json:"snap"`
	Name string `json:"slot"`
}

SlotRef is a reference to a slot.

type TestInterface

type TestInterface struct {
	// InterfaceName is the name of this interface
	InterfaceName string
	// AutoConnectFlag indicates whether plugs and slots should be implicitly
	// auto-connected.
	AutoConnectFlag bool
	// SanitizePlugCallback is the callback invoked inside SanitizePlug()
	SanitizePlugCallback func(plug *Plug) error
	// SanitizeSlotCallback is the callback invoked inside SanitizeSlot()
	SanitizeSlotCallback func(slot *Slot) error
	// SlotSnippetCallback is the callback invoked inside ConnectedSlotSnippet()
	SlotSnippetCallback func(plug *Plug, slot *Slot, securitySystem SecuritySystem) ([]byte, error)
	// PermanentSlotSnippetCallback is the callback invoked inside PermanentSlotSnippet()
	PermanentSlotSnippetCallback func(slot *Slot, securitySystem SecuritySystem) ([]byte, error)
	// PlugSnippetCallback is the callback invoked inside ConnectedPlugSnippet()
	PlugSnippetCallback func(plug *Plug, slot *Slot, securitySystem SecuritySystem) ([]byte, error)
	// PermanentPlugSnippetCallback is the callback invoked inside PermanentPlugSnippet()
	PermanentPlugSnippetCallback func(plug *Plug, securitySystem SecuritySystem) ([]byte, error)
}

TestInterface is an interface for various kinds of tests. It is public so that it can be consumed from other packages.

func (*TestInterface) AutoConnect

func (t *TestInterface) AutoConnect() bool

AutoConnect returns whether plugs and slots should be implicitly auto-connected when an unambiguous connection candidate is available in the OS snap.

func (*TestInterface) ConnectedPlugSnippet

func (t *TestInterface) ConnectedPlugSnippet(plug *Plug, slot *Slot, securitySystem SecuritySystem) ([]byte, error)

ConnectedPlugSnippet returns the configuration snippet "required" to use a test plug. Consumers don't gain any extra permissions.

func (*TestInterface) ConnectedSlotSnippet

func (t *TestInterface) ConnectedSlotSnippet(plug *Plug, slot *Slot, securitySystem SecuritySystem) ([]byte, error)

ConnectedSlotSnippet returns the configuration snippet "required" to offer a test slot. Providers don't gain any extra permissions.

func (*TestInterface) Name

func (t *TestInterface) Name() string

Name returns the name of the test interface.

func (*TestInterface) PermanentPlugSnippet

func (t *TestInterface) PermanentPlugSnippet(plug *Plug, securitySystem SecuritySystem) ([]byte, error)

PermanentPlugSnippet returns the configuration snippet "required" to use a test plug. Consumers don't gain any extra permissions.

func (*TestInterface) PermanentSlotSnippet

func (t *TestInterface) PermanentSlotSnippet(slot *Slot, securitySystem SecuritySystem) ([]byte, error)

PermanentSlotSnippet returns the configuration snippet "required" to offer a test slot. Providers don't gain any extra permissions.

func (*TestInterface) SanitizePlug

func (t *TestInterface) SanitizePlug(plug *Plug) error

SanitizePlug checks and possibly modifies a plug.

func (*TestInterface) SanitizeSlot

func (t *TestInterface) SanitizeSlot(slot *Slot) error

SanitizeSlot checks and possibly modifies a slot.

func (*TestInterface) String

func (t *TestInterface) String() string

String() returns the same value as Name().

type TestSecurityBackend

type TestSecurityBackend struct {
	// SetupCalls stores information about all calls to Setup
	SetupCalls []TestSetupCall
	// RemoveCalls stores information about all calls to Remove
	RemoveCalls []string
	// SetupCallback is a callback that is optionally called in Setup
	SetupCallback func(snapInfo *snap.Info, developerMode bool, repo *Repository) error
	// RemoveCallback is a callback that is optionally called in Remove
	RemoveCallback func(snapName string) error
}

TestSecurityBackend is a security backend intended for testing.

func (*TestSecurityBackend) Name

func (b *TestSecurityBackend) Name() string

Name returns the name of the security backend.

func (*TestSecurityBackend) Remove

func (b *TestSecurityBackend) Remove(snapName string) error

Remove records information about the call and calls the remove callback if one is defined.

func (*TestSecurityBackend) Setup

func (b *TestSecurityBackend) Setup(snapInfo *snap.Info, devMode bool, repo *Repository) error

Setup records information about the call and calls the setup callback if one is defined.

type TestSetupCall

type TestSetupCall struct {
	// SnapInfo is a copy of the snapInfo argument to a particular call to Setup
	SnapInfo *snap.Info
	// DevMode is a copy of the devMode argument to a particular call to Setup
	DevMode bool
}

TestSetupCall stores details about calls to TestSecurityBackend.Setup.

Directories

Path         Synopsis
apparmor     Package apparmor contains primitives for working with apparmor.
backendtest  Package backendtest contains common code for testing backends.
dbus         Package dbus implements interaction between snappy and dbus.
kmod         Package kmod implements a backend which loads kernel modules on behalf of interfaces.
mount        Package mount implements mounts that get mapped into the snap.
seccomp      Package seccomp implements integration between snappy and ubuntu-core-launcher around seccomp.
udev         Package udev implements integration between snappy, udev and ubuntu-core-launcher around tagging character and block devices so that they can be accessed by applications.
