From d219d210bbee90b7300dda3a8197b504c59dc88a Mon Sep 17 00:00:00 2001
From: José Bollo <jose.bollo@iot.bzh>
Date: Tue, 26 Nov 2019 19:51:47 +0100
Subject: pipewire: Rework of security settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This changes is mainly focussed on shifting
from cynara to cynagora permission database.
But it also changes how setting is done
in the hope to make it simpler.

Bug-AGL: SPEC-2993

Change-Id: Ie9085e11560724baf4194fc6d17651d40523bab7
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
---
 .../recipes-security/cynagora/cynagora_%.bbappend  |  5 +++++
 ...ck-rules-to-allow-connections-to-pipewire.patch | 25 ---------------------
 .../0002-Grant-dbus-privilege-to-pipewire.patch    | 26 ----------------------
 .../security-manager/security-manager_%.bbappend   |  9 ++++----
 4 files changed, 9 insertions(+), 56 deletions(-)
 create mode 100644 meta-pipewire/recipes-security/cynagora/cynagora_%.bbappend
 delete mode 100644 meta-pipewire/recipes-security/security-manager/security-manager/0001-Adapt-smack-rules-to-allow-connections-to-pipewire.patch
 delete mode 100644 meta-pipewire/recipes-security/security-manager/security-manager/0002-Grant-dbus-privilege-to-pipewire.patch

(limited to 'meta-pipewire/recipes-security')

diff --git a/meta-pipewire/recipes-security/cynagora/cynagora_%.bbappend b/meta-pipewire/recipes-security/cynagora/cynagora_%.bbappend
new file mode 100644
index 00000000..9395c90c
--- /dev/null
+++ b/meta-pipewire/recipes-security/cynagora/cynagora_%.bbappend
@@ -0,0 +1,5 @@
+
+do_install_append() {
+   echo "System::Pipewire * * http://tizen.org/privilege/internal/dbus yes forever" >> ${D}${sysconfdir}/security/cynagora.initial
+}
+
diff --git a/meta-pipewire/recipes-security/security-manager/security-manager/0001-Adapt-smack-rules-to-allow-connections-to-pipewire.patch b/meta-pipewire/recipes-security/security-manager/security-manager/0001-Adapt-smack-rules-to-allow-connections-to-pipewire.patch
deleted file mode 100644
index 821c1e1d..00000000
--- a/meta-pipewire/recipes-security/security-manager/security-manager/0001-Adapt-smack-rules-to-allow-connections-to-pipewire.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From cc5cbaddad6fe559e9e482467266fb18fb00c6a7 Mon Sep 17 00:00:00 2001
-From: George Kiagiadakis <george.kiagiadakis@collabora.com>
-Date: Wed, 26 Jun 2019 16:02:13 +0300
-Subject: [PATCH] Adapt smack rules to allow connections to pipewire
-
-Signed-off-by: George Kiagiadakis <george.kiagiadakis@collabora.com>
----
- policy/app-rules-template.smack | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack
-index 910f40c..78b75de 100644
---- a/policy/app-rules-template.smack
-+++ b/policy/app-rules-template.smack
-@@ -4,6 +4,7 @@ System ~PKG~ rwxat
- ~APP~ System::Shared rx
- ~APP~ System::Run rwxat
- ~APP~ System::Log rwxa
-+~APP~ System::Pipewire rw
- ~APP~ _ l
- ~APP~ User::Home rxl
- ~APP~ User::App-Shared rwxat
--- 
-2.20.1
-
diff --git a/meta-pipewire/recipes-security/security-manager/security-manager/0002-Grant-dbus-privilege-to-pipewire.patch b/meta-pipewire/recipes-security/security-manager/security-manager/0002-Grant-dbus-privilege-to-pipewire.patch
deleted file mode 100644
index fbf9ca6f..00000000
--- a/meta-pipewire/recipes-security/security-manager/security-manager/0002-Grant-dbus-privilege-to-pipewire.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From f95469247c182b3c4b527af04b1ae50658461e85 Mon Sep 17 00:00:00 2001
-From: George Kiagiadakis <george.kiagiadakis@collabora.com>
-Date: Tue, 3 Sep 2019 16:24:49 +0300
-Subject: [PATCH] Grant dbus privilege to pipewire
-
----
- policy/security-manager-policy-reload | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
-index 274c49c..a883048 100755
---- a/policy/security-manager-policy-reload
-+++ b/policy/security-manager-policy-reload
-@@ -59,6 +59,9 @@ do
-     cyad --set-policy --bucket=MANIFESTS --client="$client" --user="*" --privilege="*" --type=ALLOW
- done
- 
-+# PipeWire needs to get access to dbus
-+cyad --set-policy --bucket=MANIFESTS --client="System::Pipewire" --user="*" --privilege="http://tizen.org/privilege/internal/dbus" --type=ALLOW
-+
- # Load privilege-group mappings
- (
- echo "BEGIN;"
--- 
-2.23.0.rc1
-
diff --git a/meta-pipewire/recipes-security/security-manager/security-manager_%.bbappend b/meta-pipewire/recipes-security/security-manager/security-manager_%.bbappend
index 97d01822..59449446 100644
--- a/meta-pipewire/recipes-security/security-manager/security-manager_%.bbappend
+++ b/meta-pipewire/recipes-security/security-manager/security-manager_%.bbappend
@@ -1,5 +1,4 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:"
-SRC_URI += "\
-    file://0001-Adapt-smack-rules-to-allow-connections-to-pipewire.patch \
-    file://0002-Grant-dbus-privilege-to-pipewire.patch \
-    "
+
+do_install_append() {
+   echo "~APP~ System::Pipewire rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+}
-- 
cgit 1.2.3-korg