aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Murray <scott.murray@konsulko.com>2020-05-05 15:04:46 -0400
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2020-05-12 23:34:44 +0000
commit8b1baf589ebad0862791c32c7a9b953071dec20a (patch)
treeeb1f281db04fa89f0b5fba0b1ff27042fc5a824f
parent07663d068cfaddb8ba4287a1c8cf4a8456873cb6 (diff)
meta-agl-profile-graphical: add SMACK labelling for weston
The initial patch to allow disabling memfd usage in weston has proven to be naive, as the v7 wayland seat resource changes in Weston 8.0.0 are dependent on them. To avoid needing to make more invasive changes such as forcing the seat resource version back to v6, drop the patch in favor of having Weston run under a System::Weston SMACK label and adding the rules required to have it work. As well, use-XDG_RUNTIMESHARE_DIR.patch and the associated service unit changes have been removed since they are not required now with explicit labelling in place. Bug-AGL: SPEC-3305, SPEC-3350 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: I8aef287219a7f95992a82f4ec2ee8e1822ca4ce8
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in4
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch48
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston8
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch49
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend16
-rw-r--r--meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend6
6 files changed, 28 insertions, 103 deletions
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in b/meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in
index 211136cc9..9c3df052d 100644
--- a/meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in
+++ b/meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in
@@ -1,9 +1,6 @@
[Service]
Type=notify
Environment="XDG_RUNTIME_DIR=@XDG_RUNTIME_DIR@"
-Environment="XDG_RUNTIMESHARE_DIR=@XDG_RUNTIME_DIR@/share"
-ExecStartPre=/bin/mkdir -p @XDG_RUNTIME_DIR@/share
-ExecStartPre=+/usr/bin/chsmack -a User::App-Shared -t @XDG_RUNTIME_DIR@/share
# Note that clearing PAMName (thus not having PAMName=login) disables
# logind support for the session, which allows setting XDG_RUNTIME_DIR
# to something other than /run/user/% (as is done above).
@@ -12,3 +9,4 @@ ExecStartPre=+/usr/bin/chsmack -a User::App-Shared -t @XDG_RUNTIME_DIR@/share
PAMName=
ExecStart=
ExecStart=@WESTONSTART@
+SmackProcessLabel=System::Weston
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch
deleted file mode 100644
index f4ea60130..000000000
--- a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Add memfd-create option
-
-Add a meson build option, memfd-create, that controls whether the
-memfd_create system call support will be enabled. The default value
-is true so that it will be enabled, but it allows users like AGL
-that currently has issues with security labels and memfd to disable
-it.
-
-Upstream-Status: Pending
-
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-
-diff --git a/meson.build b/meson.build
-index 82107e1..9d042ca 100644
---- a/meson.build
-+++ b/meson.build
-@@ -78,8 +78,12 @@ elif cc.has_header_symbol('sys/mkdev.h', 'major')
- endif
-
- optional_libc_funcs = [
-- 'mkostemp', 'strchrnul', 'initgroups', 'posix_fallocate', 'memfd_create'
-+ 'mkostemp', 'strchrnul', 'initgroups', 'posix_fallocate'
- ]
-+if get_option('memfd-create')
-+ optional_libc_funcs += [ 'memfd_create' ]
-+endif
-+
- foreach func : optional_libc_funcs
- if cc.has_function(func)
- config_h.set('HAVE_' + func.to_upper(), 1)
-diff --git a/meson_options.txt b/meson_options.txt
-index 80a2ad7..4a93472 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -99,6 +99,13 @@ option(
- description: 'systemd service plugin: state notify, watchdog, socket activation'
- )
-
-+option(
-+ 'memfd-create',
-+ type: 'boolean',
-+ value: true,
-+ description: 'Use memfd_create system call'
-+)
-+
- option(
- 'remoting',
- type: 'boolean',
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston
new file mode 100644
index 000000000..63a32405a
--- /dev/null
+++ b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston
@@ -0,0 +1,8 @@
+System System::Weston rwxa--
+System::Weston System rwx---
+System::Weston System::Shared rwx---
+System::Weston System::Run rwxat-
+System::Weston System::Log rwxa--
+System::Weston _ r-x--l
+System::Weston User::Home r-x--l
+System::Weston User::App-Shared rwxat-
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch
deleted file mode 100644
index 0e5d7cdf9..000000000
--- a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0ed62e1a0beb47e033f7632dbf6d2087366b7830 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Fri, 13 Oct 2017 14:05:56 +0200
-Subject: [PATCH] use XDG_RUNTIMESHARE_DIR
-
-When running with LSM Smack, the file returned by the
-function 'os_create_anonymous_file' is tagged with the
-security label of weston. That security label genrally doesn't
-allow sharing of files? Then passing the vreated file descriptor
-to the client application fails with EPERM.
-
-To allow file descriptors to be tagged with a security
-label that allows clients to receive and use it, that
-patch introduce the use of the environment variable
-XDG_RUNTIMESHARE_DIR that takes precedence over
-XDG_RUNTIME_DIR whe, creating anonymous file is needed.
-
-A correct setting of the shared directory using Smack's
-transmute mechanism allows set up file tag for sharing.
-
-This patch was submitted upstream for discussion but
-was rejected with the following reason (IIRC): "the
-function 'os_create_anonymous_file' and the sharing
-are obsolete and should not be used anymore. IVI was
-requiring it but newer version don't use it". Halas,
-even aligned with latest versions of IVI-shell and weston,
-the patch is needed. Because of its simplicity, it can
-remain maintained locally out of mainstream in the wait
-of further investigations.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-[Updated for Weston 8.0.0]
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-
-diff --git a/shared/os-compatibility.c b/shared/os-compatibility.c
-index 5e1ce47..9962588 100644
---- a/shared/os-compatibility.c
-+++ b/shared/os-compatibility.c
-@@ -184,7 +184,9 @@ os_create_anonymous_file(off_t size)
- } else
- #endif
- {
-- path = getenv("XDG_RUNTIME_DIR");
-+ path = getenv("XDG_RUNTIMESHARE_DIR");
-+ if (!path)
-+ path = getenv("XDG_RUNTIME_DIR");
- if (!path) {
- errno = ENOENT;
- return -1;
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend b/meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend
index 03626abe8..bafd6bbcf 100644
--- a/meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend
+++ b/meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend
@@ -6,11 +6,21 @@ FILESEXTRAPATHS_append := ":${THISDIR}/${PN}"
# and waltham can take a look and update it.
SRC_URI_append = "\
file://0001-Allow-regular-users-to-launch-Weston_7.0.0.patch \
- file://use-XDG_RUNTIMESHARE_DIR.patch \
file://0002-ivi-shell-Fix-crash-due-no-transmitter-screen.patch \
file://0001-libweston-Expose-weston_output_damage-in-libweston.patch \
file://0004-unconditionally-include-mman.h.patch \
- file://0005-add-memfd-create-option.patch \
+ file://smack-weston \
"
-EXTRA_OEMESON_append = " -Denable-user-start=true -Dmemfd-create=false"
+EXTRA_OEMESON_append = " -Denable-user-start=true"
+
+do_install_append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'smack', 'true', 'false', d)}; then
+ # Install SMACK rules
+ install -D -m 0644 ${WORKDIR}/smack-weston ${D}${sysconfdir}/smack/accesses.d/weston
+ fi
+}
+
+FILES_${PN} += "\
+ ${sysconfdir}/smack/accesses.d/* \
+"
diff --git a/meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend b/meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend
new file mode 100644
index 000000000..d6fcb40af
--- /dev/null
+++ b/meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend
@@ -0,0 +1,6 @@
+
+do_install_append() {
+ # Needed for wayland-0 socket access and memfd usage
+ echo "~APP~ System::Weston rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+ echo "System::Weston ~APP~ rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+}