-rw-r--r--meta-agl-core/files/group1
-rw-r--r--meta-agl-core/files/passwd1
-rw-r--r--meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb6
-rw-r--r--meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules2
-rw-r--r--meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service2
5 files changed, 9 insertions, 3 deletions
diff --git a/meta-agl-core/files/group b/meta-agl-core/files/group
index 10cec784e..4496112d6 100644
--- a/meta-agl-core/files/group
+++ b/meta-agl-core/files/group
@@ -89,6 +89,7 @@ wayland::201:
display::202:
agl-driver::1001:
agl-passenger::1002:
+applaunchd::1003:
systemd-network::1005:
systemd-resolve::1006:
mosquitto::1007:
diff --git a/meta-agl-core/files/passwd b/meta-agl-core/files/passwd
index b97bf3b47..1b24d2760 100644
--- a/meta-agl-core/files/passwd
+++ b/meta-agl-core/files/passwd
@@ -23,6 +23,7 @@ sshd::996:996:::
systemd-bus-proxy::995:995:::
agl-driver::1001:1001:::
agl-passenger::1002:1002:::
+applaunchd::1003:1003:::
messagebus::994:994:::
afm::992:992:::
systemd-timesync::988:988:::
diff --git a/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb b/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
index ecad1615d..067f2a6e4 100644
--- a/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
+++ b/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
@@ -17,9 +17,13 @@ GROUPADD_PARAM:${PN} = "\
--system video ; \
--system pipewire ; \
-g 1001 agl-driver ; \
+ -g 1003 applaunchd ; \
"
+# agl-driver user needs to be part of applaunchd group for D-Bus activation to still work
+# should be removed after everything is converted to gRPC for enhanced security
USERADD_PARAM:${PN} = "\
- -g 1001 -u 1001 -G video,display,pipewire -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+ -g 1001 -u 1001 -G video,display,pipewire,applaunchd -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+ -g 1003 -u 1003 -o -d / -K PASS_MAX_DAYS=-1 applaunchd ; \
"
SYSTEMD_PACKAGES = "${PN}"
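Review bot: The added `applaunchd` USERADD_PARAM line creates a service identity as if it were a regular account: there is no `--system`, no explicit shell, and `-o` (copied from the agl-driver line) allows the UID to collide with an existing one. Nothing should ever log in as this user, so I would write `-g 1003 -u 1003 -r -s /sbin/nologin -d / -K PASS_MAX_DAYS=-1 applaunchd ; \`, substituting whichever no-login shell the image ships, and drop `-o` unless UID 1003 is meant to be shared. The two-line comment about agl-driver's temporary membership in the `applaunchd` group is easy to lose track of; marking it `# TODO: drop applaunchd from agl-driver's -G list once D-Bus activation is gone` would make the clean-up greppable.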
diff --git a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
index dd4b6940d..35b9559c5 100644
--- a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
+++ b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
@@ -1,7 +1,7 @@
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit").indexOf("agl-app") == 0 &&
- subject.user == "agl-driver") {
+ subject.isInGroup("applaunchd")) {
return polkit.Result.YES;
}
});
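Review bot: `subject.isInGroup("applaunchd")` makes group membership the authorization boundary, and the agl-session recipe in this same commit adds agl-driver to that group, so every process running as agl-driver still receives `polkit.Result.YES` for these units. Until that membership is removed, the separation gained here covers only the daemon's own identity; a comment above the rule such as `// members of group applaunchd may manage agl-app* units; keep the group minimal` would record that. The condition also accepts any unit whose name merely begins with "agl-app" and any operation on it. If applaunchd only needs a few operations, additionally testing `action.lookup("verb")` against that short list would narrow the grant; which verbs are needed cannot be determined from this hunk.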
diff --git a/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service b/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
index 95673e962..a5a2df53a 100644
--- a/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
+++ b/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
@@ -3,7 +3,7 @@ Wants=network.target
After=network.target
[Service]
-User=agl-driver
+User=applaunchd
Environment=XDG_DATA_DIRS=/usr/share
ExecStart=/usr/bin/applaunchd
Restart=on-failure
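Review bot: The `[Service]` lines visible here change only `User=`, and no sandboxing directive is visible alongside it, so the daemon still sees the whole filesystem and could gain privileges through setuid binaries. Now that it runs under its own account, adding `NoNewPrivileges=yes` and `ProtectSystem=strict` after `User=applaunchd` would be a cheap follow-up. This assumes applaunchd only reads `/usr/share` and talks to systemd over the bus, which is inferred from this hunk and needs testing on target. The unit file continues outside the hunk and may already set some of these.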