diff options
author | Denys Dmytriyenko <denys@konsulko.com> | 2022-10-03 17:33:19 +0000 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2022-11-10 17:15:59 +0000 |
commit | 0685fb25e839e1198356ea39c48907c8896a2d59 (patch) | |
tree | e95e020d3ce76dd3babae394d58b62338ea6399a /meta-app-framework | |
parent | 3279287bd1943ba23d7a511109ea4ff053eaad8c (diff) |
meta-app-framework: applaunchd: run under a separate user
Since applaunchd needs to start/stop systemd units, the user is granted
elevated systemd unit-management permissions via PolKit policy. If applaunchd
and all the apps run under the same agl-driver user, all the apps have these
elevated systemd permissions too. Separating them into different users allows
removing elevated systemd unit-management permission from individual apps, but
leaving such permission for applaunchd, which enhances overall security of
the system.
- add new applaunchd user and group
- switch applaunchd (gRPC) service to be started under new user
- since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API,
applaunchd-dbus gets activated by agl-session and runs under agl-driver
- temporarily add agl-driver user into the applaunchd group and switch
PolKit policy to check for applaunchd group, instead of the user
- once D-Bus API is completely deprecated, agl-driver user can be removed
from applaunchd group
Bug-AGL: SPEC-4579
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
(cherry picked from commit 924b71fb656fec0925726174f65676ef6a8a9329)
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28137
Diffstat (limited to 'meta-app-framework')
3 files changed, 7 insertions, 3 deletions
diff --git a/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb b/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb index ecad1615d..067f2a6e4 100644 --- a/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb +++ b/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb @@ -17,9 +17,13 @@ GROUPADD_PARAM:${PN} = "\ --system video ; \ --system pipewire ; \ -g 1001 agl-driver ; \ + -g 1003 applaunchd ; \ " +# agl-driver user needs to be part of applaunchd group for D-Bus activation to still work +# should be removed after everything is converted to gRPC for enhanced security USERADD_PARAM:${PN} = "\ - -g 1001 -u 1001 -G video,display,pipewire -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \ + -g 1001 -u 1001 -G video,display,pipewire,applaunchd -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \ + -g 1003 -u 1003 -o -d / -K PASS_MAX_DAYS=-1 applaunchd ; \ " SYSTEMD_PACKAGES = "${PN}" diff --git a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules index dd4b6940d..35b9559c5 100644 --- a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules +++ b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules @@ -1,7 +1,7 @@ polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit").indexOf("agl-app") == 0 && - subject.user == "agl-driver") { + subject.isInGroup("applaunchd")) { return polkit.Result.YES; } }); diff --git a/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service b/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service index 95673e962..a5a2df53a 100644 --- a/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service +++ b/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service @@ -3,7 +3,7 @@ Wants=network.target After=network.target [Service] -User=agl-driver +User=applaunchd Environment=XDG_DATA_DIRS=/usr/share ExecStart=/usr/bin/applaunchd Restart=on-failure |