summaryrefslogtreecommitdiffstats
path: root/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
diff options
context:
space:
mode:
authorDenys Dmytriyenko <denys@konsulko.com>2022-10-03 17:33:19 +0000
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2022-11-10 17:15:59 +0000
commit0685fb25e839e1198356ea39c48907c8896a2d59 (patch)
treee95e020d3ce76dd3babae394d58b62338ea6399a /meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
parent3279287bd1943ba23d7a511109ea4ff053eaad8c (diff)
meta-app-framework: applaunchd: run under a separate user
Since applaunchd needs to start/stop systemd units, the user is granted elevated systemd unit-management permissions via PolKit policy. If applaunchd and all the apps run under the same agl-driver user, all the apps have these elevated systemd permissions too. Separating them into different users allows removing elevated systemd unit-management permission from individual apps, but leaving such permission for applaunchd, which enhances overall security of the system. - add new applaunchd user and group - switch applaunchd (gRPC) service to be started under new user - since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API, applaunchd-dbus gets activated by agl-session and runs under agl-driver - temporarily add agl-driver user into the applaunchd group and switch PolKit policy to check for applaunchd group, instead of the user - once D-Bus API is completely deprecated, agl-driver user can be removed from applaunchd group Bug-AGL: SPEC-4579 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> (cherry picked from commit 924b71fb656fec0925726174f65676ef6a8a9329) Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28137
Diffstat (limited to 'meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules')
-rw-r--r--meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules2
1 files changed, 1 insertions, 1 deletions
diff --git a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
index dd4b6940d..35b9559c5 100644
--- a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
+++ b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
@@ -1,7 +1,7 @@
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit").indexOf("agl-app") == 0 &&
- subject.user == "agl-driver") {
+ subject.isInGroup("applaunchd")) {
return polkit.Result.YES;
}
});