summaryrefslogtreecommitdiffstats
path: root/meta-app-framework
diff options
context:
space:
mode:
authorDenys Dmytriyenko <denys@konsulko.com>2022-10-03 17:33:19 +0000
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2022-11-10 17:15:59 +0000
commit0685fb25e839e1198356ea39c48907c8896a2d59 (patch)
treee95e020d3ce76dd3babae394d58b62338ea6399a /meta-app-framework
parent3279287bd1943ba23d7a511109ea4ff053eaad8c (diff)
meta-app-framework: applaunchd: run under a separate user
Since applaunchd needs to start/stop systemd units, the user is granted elevated systemd unit-management permissions via PolKit policy. If applaunchd and all the apps run under the same agl-driver user, all the apps have these elevated systemd permissions too. Separating them into different users allows removing elevated systemd unit-management permission from individual apps, but leaving such permission for applaunchd, which enhances overall security of the system. - add new applaunchd user and group - switch applaunchd (gRPC) service to be started under new user - since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API, applaunchd-dbus gets activated by agl-session and runs under agl-driver - temporarily add agl-driver user into the applaunchd group and switch PolKit policy to check for applaunchd group, instead of the user - once D-Bus API is completely deprecated, agl-driver user can be removed from applaunchd group Bug-AGL: SPEC-4579 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> (cherry picked from commit 924b71fb656fec0925726174f65676ef6a8a9329) Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28137
Diffstat (limited to 'meta-app-framework')
-rw-r--r--meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb6
-rw-r--r--meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules2
-rw-r--r--meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service2
3 files changed, 7 insertions, 3 deletions
diff --git a/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb b/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
index ecad1615d..067f2a6e4 100644
--- a/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
+++ b/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
@@ -17,9 +17,13 @@ GROUPADD_PARAM:${PN} = "\
--system video ; \
--system pipewire ; \
-g 1001 agl-driver ; \
+ -g 1003 applaunchd ; \
"
+# agl-driver user needs to be part of applaunchd group for D-Bus activation to still work
+# should be removed after everything is converted to gRPC for enhanced security
USERADD_PARAM:${PN} = "\
- -g 1001 -u 1001 -G video,display,pipewire -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+ -g 1001 -u 1001 -G video,display,pipewire,applaunchd -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+ -g 1003 -u 1003 -o -d / -K PASS_MAX_DAYS=-1 applaunchd ; \
"
SYSTEMD_PACKAGES = "${PN}"
diff --git a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
index dd4b6940d..35b9559c5 100644
--- a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
+++ b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
@@ -1,7 +1,7 @@
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit").indexOf("agl-app") == 0 &&
- subject.user == "agl-driver") {
+ subject.isInGroup("applaunchd")) {
return polkit.Result.YES;
}
});
diff --git a/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service b/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
index 95673e962..a5a2df53a 100644
--- a/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
+++ b/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
@@ -3,7 +3,7 @@ Wants=network.target
After=network.target
[Service]
-User=agl-driver
+User=applaunchd
Environment=XDG_DATA_DIRS=/usr/share
ExecStart=/usr/bin/applaunchd
Restart=on-failure