The changes to the interfaces API landed in master last week (24/03), and all affected PRs (those implementing new interfaces) were updated to use the new API. This was a massive change that internally affected all currently available interfaces.
With this change we removed the ConnectedSlotSnippet, ConnectedPlugSnippet, PermanentPlugSnippet and PermanentSlotSnippet methods and replaced them with per-security-backend methods such as AppArmorConnectedSlot, AppArmorConnectedPlug, AppArmorPermanentSlot and AppArmorPermanentPlug (the same goes for the SecComp, KMod, DBus, UDev, Systemd and Mount backends). These methods receive the Specification object of the respective backend and call its Add* method to define or add new snippets or policy definitions (e.g. for apparmor it is the AddSnippet(string) method; for the kmod backend it is AddModule(string)).
Below is a short depiction of the difference between the old and new approach:
Old approach - four methods for the permanent plug/slot snippet and the connected plug/slot snippet, serving different security backends via switch/case statements inside the methods (all four methods need to be present even if a given interface does not need them):
    func (iface *FooBarInterface) ConnectedPlugSnippet(
        plug *interfaces.Plug,
        slot *interfaces.Slot,
        securitySystem interfaces.SecuritySystem) ([]byte, error) {
        switch securitySystem {
        case interfaces.SecurityAppArmor:
            ...
            return apparmorSnippet, nil
        case interfaces.SecurityDBus:
            ...
            return dbusSnippet, nil
        }
        return nil, nil
    }
New approach - separate methods for each security backend and for permanent/connected plug/slot as needed (methods for unused backends do not need to be defined!):
    // AppArmor policy for a connected plug goes into the AppArmor specification.
    func (iface *FooBarInterface) AppArmorConnectedPlug(
        spec *apparmor.Specification,
        plug *interfaces.Plug,
        slot *interfaces.Slot) error {
        spec.AddSnippet(snippet)
        return nil
    }

    // DBus methods receive the DBus backend's own Specification, not AppArmor's.
    func (iface *FooBarInterface) DBusPermanentSlot(
        spec *dbus.Specification,
        slot *interfaces.Slot) error {
        spec.AddSnippet(snippet)
        return nil
    }
The other methods of the interface definition (ValidatePlug, ValidateSlot, AutoConnect, etc.) remain in the new API and are not affected by the changes.
This topic is meant to collect any discussions around these changes, including potential tweaks or bugs found. A possible enhancement we will consider in the near future is making some of the specifications strongly typed, e.g. the UDev specification could take a typed rule rather than a string snippet.
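The sketch below is an added example, not snapd code: it shows how a caller can collect policy per backend while an interface defines only the methods it needs. The types Plug, Slot, AppArmorSpec and KModSpec, the Collect* helpers and the sample rule are constructed stand-ins, and detecting the optional methods with a type assertion is an assumption about the mechanism.

```go
package main

import "fmt"

// Stand-in types (assumptions); the real ones live in snapd's interfaces packages.
type Plug struct{ Name string }
type Slot struct{ Name string }
type AppArmorSpec struct{ Snippets []string }
type KModSpec struct{ Modules []string }

func (s *AppArmorSpec) AddSnippet(snippet string) { s.Snippets = append(s.Snippets, snippet) }
func (s *KModSpec) AddModule(module string)       { s.Modules = append(s.Modules, module) }

// FooBarInterface (hypothetical) defines only the AppArmor method it needs.
type FooBarInterface struct{}

func (iface *FooBarInterface) AppArmorConnectedPlug(spec *AppArmorSpec, plug *Plug, slot *Slot) error {
	// Constructed sample rule, recorded together with the connection it belongs to.
	spec.AddSnippet(fmt.Sprintf("# %s -> %s\n/dev/foobar rw,", plug.Name, slot.Name))
	return nil
}

// CollectAppArmor calls AppArmorConnectedPlug only when iface defines it.
func CollectAppArmor(iface interface{}, plug *Plug, slot *Slot) (*AppArmorSpec, error) {
	spec := &AppArmorSpec{}
	type definer interface {
		AppArmorConnectedPlug(*AppArmorSpec, *Plug, *Slot) error
	}
	if d, ok := iface.(definer); ok {
		return spec, d.AppArmorConnectedPlug(spec, plug, slot)
	}
	return spec, nil
}

// CollectKMod does the same for the kmod backend; an undefined method means no policy.
func CollectKMod(iface interface{}, plug *Plug, slot *Slot) (*KModSpec, error) {
	spec := &KModSpec{}
	type definer interface {
		KModConnectedPlug(*KModSpec, *Plug, *Slot) error
	}
	if d, ok := iface.(definer); ok {
		return spec, d.KModConnectedPlug(spec, plug, slot)
	}
	return spec, nil
}

func main() {
	iface, plug, slot := &FooBarInterface{}, &Plug{Name: "foo"}, &Slot{Name: "bar"}
	aa, _ := CollectAppArmor(iface, plug, slot)
	km, _ := CollectKMod(iface, plug, slot)
	fmt.Printf("apparmor: %q\nkmod: %q\n", aa.Snippets, km.Modules)
}
```

Because each backend gets its own specification type, a kmod module name cannot end up in the AppArmor policy by falling through a switch statement.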