-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in4
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch48
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston8
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch49
-rw-r--r--meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend16
-rw-r--r--meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend6
6 files changed, 28 insertions, 103 deletions
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in b/meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in
index 211136cc9..9c3df052d 100644
--- a/meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in
+++ b/meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in
@@ -1,9 +1,6 @@
[Service]
Type=notify
Environment="XDG_RUNTIME_DIR=@XDG_RUNTIME_DIR@"
-Environment="XDG_RUNTIMESHARE_DIR=@XDG_RUNTIME_DIR@/share"
-ExecStartPre=/bin/mkdir -p @XDG_RUNTIME_DIR@/share
-ExecStartPre=+/usr/bin/chsmack -a User::App-Shared -t @XDG_RUNTIME_DIR@/share
# Note that clearing PAMName (thus not having PAMName=login) disables
# logind support for the session, which allows setting XDG_RUNTIME_DIR
# to something other than /run/user/% (as is done above).
@@ -12,3 +9,4 @@ ExecStartPre=+/usr/bin/chsmack -a User::App-Shared -t @XDG_RUNTIME_DIR@/share
PAMName=
ExecStart=
ExecStart=@WESTONSTART@
+SmackProcessLabel=System::Weston
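Review bot: `SmackProcessLabel=System::Weston` is added without a comment, and nothing in this drop-in says where the label's access rules come from. They are shipped by a different recipe (the `smack-weston` file that the weston bbappend installs, and only when the `smack` distro feature is set), so a reader of weston-init cannot see what the unit depends on. I would add a line above it such as `# Smack label for the compositor; rules are installed as ${sysconfdir}/smack/accesses.d/weston by the weston recipe`. As far as I recall systemd ignores this directive when SMACK is disabled, so leaving it unconditional looks harmless, but that should be confirmed and mentioned in the comment.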
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch
deleted file mode 100644
index f4ea60130..000000000
--- a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Add memfd-create option
-
-Add a meson build option, memfd-create, that controls whether the
-memfd_create system call support will be enabled. The default value
-is true so that it will be enabled, but it allows users like AGL
-that currently has issues with security labels and memfd to disable
-it.
-
-Upstream-Status: Pending
-
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-
-diff --git a/meson.build b/meson.build
-index 82107e1..9d042ca 100644
---- a/meson.build
-+++ b/meson.build
-@@ -78,8 +78,12 @@ elif cc.has_header_symbol('sys/mkdev.h', 'major')
- endif
-
- optional_libc_funcs = [
-- 'mkostemp', 'strchrnul', 'initgroups', 'posix_fallocate', 'memfd_create'
-+ 'mkostemp', 'strchrnul', 'initgroups', 'posix_fallocate'
- ]
-+if get_option('memfd-create')
-+ optional_libc_funcs += [ 'memfd_create' ]
-+endif
-+
- foreach func : optional_libc_funcs
- if cc.has_function(func)
- config_h.set('HAVE_' + func.to_upper(), 1)
-diff --git a/meson_options.txt b/meson_options.txt
-index 80a2ad7..4a93472 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -99,6 +99,13 @@ option(
- description: 'systemd service plugin: state notify, watchdog, socket activation'
- )
-
-+option(
-+ 'memfd-create',
-+ type: 'boolean',
-+ value: true,
-+ description: 'Use memfd_create system call'
-+)
-+
- option(
- 'remoting',
- type: 'boolean',
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston
new file mode 100644
index 000000000..63a32405a
--- /dev/null
+++ b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston
@@ -0,0 +1,8 @@
+System System::Weston rwxa--
+System::Weston System rwx---
+System::Weston System::Shared rwx---
+System::Weston System::Run rwxat-
+System::Weston System::Log rwxa--
+System::Weston _ r-x--l
+System::Weston User::Home r-x--l
+System::Weston User::App-Shared rwxat-
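Review bot: The new label receives nearly the same rights as the `System` domain (`System::Weston System rwx---`, `rwxat-` on `System::Run` and `User::App-Shared`), and the file does not say which of these the compositor actually needs. A separate label is presumably meant to confine Weston, so each rule should have a stated reason, and the write and execute bits on `System` and `System::Shared` should be dropped if they cannot be tied to a concrete access. If the rule loader on the target accepts `#` comment lines (to be confirmed), add a short header of the form `# <object label>: <what Weston accesses there>`; otherwise record the rationale in the commit message.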
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch
deleted file mode 100644
index 0e5d7cdf9..000000000
--- a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0ed62e1a0beb47e033f7632dbf6d2087366b7830 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Fri, 13 Oct 2017 14:05:56 +0200
-Subject: [PATCH] use XDG_RUNTIMESHARE_DIR
-
-When running with LSM Smack, the file returned by the
-function 'os_create_anonymous_file' is tagged with the
-security label of weston. That security label genrally doesn't
-allow sharing of files? Then passing the vreated file descriptor
-to the client application fails with EPERM.
-
-To allow file descriptors to be tagged with a security
-label that allows clients to receive and use it, that
-patch introduce the use of the environment variable
-XDG_RUNTIMESHARE_DIR that takes precedence over
-XDG_RUNTIME_DIR whe, creating anonymous file is needed.
-
-A correct setting of the shared directory using Smack's
-transmute mechanism allows set up file tag for sharing.
-
-This patch was submitted upstream for discussion but
-was rejected with the following reason (IIRC): "the
-function 'os_create_anonymous_file' and the sharing
-are obsolete and should not be used anymore. IVI was
-requiring it but newer version don't use it". Halas,
-even aligned with latest versions of IVI-shell and weston,
-the patch is needed. Because of its simplicity, it can
-remain maintained locally out of mainstream in the wait
-of further investigations.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-[Updated for Weston 8.0.0]
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-
-diff --git a/shared/os-compatibility.c b/shared/os-compatibility.c
-index 5e1ce47..9962588 100644
---- a/shared/os-compatibility.c
-+++ b/shared/os-compatibility.c
-@@ -184,7 +184,9 @@ os_create_anonymous_file(off_t size)
- } else
- #endif
- {
-- path = getenv("XDG_RUNTIME_DIR");
-+ path = getenv("XDG_RUNTIMESHARE_DIR");
-+ if (!path)
-+ path = getenv("XDG_RUNTIME_DIR");
- if (!path) {
- errno = ENOENT;
- return -1;
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend b/meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend
index 03626abe8..bafd6bbcf 100644
--- a/meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend
+++ b/meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend
@@ -6,11 +6,21 @@ FILESEXTRAPATHS_append := ":${THISDIR}/${PN}"
# and waltham can take a look and update it.
SRC_URI_append = "\
file://0001-Allow-regular-users-to-launch-Weston_7.0.0.patch \
- file://use-XDG_RUNTIMESHARE_DIR.patch \
file://0002-ivi-shell-Fix-crash-due-no-transmitter-screen.patch \
file://0001-libweston-Expose-weston_output_damage-in-libweston.patch \
file://0004-unconditionally-include-mman.h.patch \
- file://0005-add-memfd-create-option.patch \
+ file://smack-weston \
"
-EXTRA_OEMESON_append = " -Denable-user-start=true -Dmemfd-create=false"
+EXTRA_OEMESON_append = " -Denable-user-start=true"
+
+do_install_append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'smack', 'true', 'false', d)}; then
+ # Install SMACK rules
+ install -D -m 0644 ${WORKDIR}/smack-weston ${D}${sysconfdir}/smack/accesses.d/weston
+ fi
+}
+
+FILES_${PN} += "\
+ ${sysconfdir}/smack/accesses.d/* \
+"
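Review bot: Dropping `-Dmemfd-create=false` re-enables memfd_create in Weston, but the recipe does not record what makes that safe under Smack now. The old option existed because of label problems with memfd, and the fix appears to be split between `smack-weston` here and the template lines added in the security-manager bbappend. A comment above `EXTRA_OEMESON_append` would help, e.g. `# memfd_create is enabled; client access relies on the System::Weston rules in smack-weston and security-manager's app-rules-template`. Separately, the `FILES_${PN} +=` entry looks redundant if the default package FILES already covers `${sysconfdir}`, which is worth checking against bitbake.conf.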
diff --git a/meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend b/meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend
new file mode 100644
index 000000000..d6fcb40af
--- /dev/null
+++ b/meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend
@@ -0,0 +1,6 @@
+
+do_install_append() {
+ # Needed for wayland-0 socket access and memfd usage
+ echo "~APP~ System::Weston rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+ echo "System::Weston ~APP~ rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+}
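Review bot: The two appended template lines give every application label `rw` on `System::Weston` and the reverse, which is wider than the comment's "wayland-0 socket access and memfd usage", because the rule covers any object or process carrying the compositor's label. Smack checks signal delivery as write access to the target's label, so at the LSM level each app may signal Weston (DAC still applies), and any file Weston creates under its own label becomes app-writable. The comment should state that this exposure is accepted, e.g. `# NOTE: grants every app rw on all System::Weston-labelled objects, not only the socket and memfd buffers`. The function is also not guarded by the `smack` distro feature the way the weston bbappend's `do_install_append` is, and `>>` relies on the upstream template ending with a newline.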