Since applaunchd needs to start/stop systemd units, the user is granted
elevated systemd unit-management permissions via PolKit policy. If applaunchd
and all the apps run under the same agl-driver user, all the apps have these
elevated systemd permissions too. Separating them into different users allows
removing elevated systemd unit-management permission from individual apps, but
leaving such permission for applaunchd, which enhances overall security of
the system.
- add new applaunchd user and group
- switch applaunchd (gRPC) service to be started under new user
- since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API,
  applaunchd-dbus gets activated by agl-session and runs under agl-driver
- temporarily add agl-driver user into the applaunchd group and switch
  PolKit policy to check for applaunchd group, instead of the user
- once D-Bus API is completely deprecated, agl-driver user can be removed
  from applaunchd group
Bug-AGL: SPEC-4579
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Add a kuksa user and group to the static passwd and group files to
facilitate running the KUKSA.val Vehicle Information Service (VIS)
server as non-root and control access to some of its configuration
files.
Bug-AGL: SPEC-4405
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I199d79df42a6e5ea032ccfa084a1d38625b508f0
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27557
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
(cherry picked from commit 9363f1c67fe97a0c47cf44985ce0fb7f879bf7ac)
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27538
|
|
Tweak agl-driver user definition in agl-session recipe to ensure
it is a member of the video and display groups (the latter has
been added back to the static group file). This is required to
avoid agl-compositor startup failures on rcar3. The display
group membership potentially could be dropped if we were to
bbappend rcar3's gles-user-module recipe to tweak its udev rules.
For now, take the most straightforward approach.
Bug-AGL: SPEC-4161
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I7237ade5d8680655f17716ac048349a476eb5f29
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27060
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
|
|
Changes/rework to get weston and agl-compositor starting again:
- Since an upgrade to a newer Yocto release is in the near future,
  update weston-init and associated files to effectively backport
  the new weston startup behavior added in 3.3/Hardknott as our
  new base. The changes mean weston or agl-compositor will by
  default start as a "weston" user that replaces the "display"
  user that had been added previously in AGL. The goal is that
  any new work done on top of this base should hopefully work
  on 3.5/Kirkstone without further substantial rework.
- Add new agl-compositor-init recipe that replaces the previous
  weston-init bbappend in meta-agl-demo. Having it as a separate
  recipe in core so weston or agl-compositor "just work" in simple
  test images seems like a better approach.
- As part of the above, drop the --log option to agl-compositor
  in its command-line to address SPEC-4112.
- Add SYSTEMD_DEFAULT_TARGET definition to agl-image-weston and
  in a new core-image-weston bbappend to result in agl-compositor
  and weston starting automatically in the corresponding images.
  This is required with the new weston-init behavior until we
  upgrade past 3.3/Hardknott, when "weston" in IMAGE_FEATURES
  can be used instead.
Bug-AGL: SPEC-4121, SPEC-4112
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ia64894416846569abf8e744006ef26637279a895
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26782
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Bug-AGL: SPEC-3844
Change-Id: Ie32bfa43bf078c7d218d3150dc616501b8848bd0
Signed-off-by: George Kiagiadakis <george.kiagiadakis@collabora.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26094
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
Goal is to reach a minimal meta-agl-core as base for IVI and IC work at the same time.
Trim dependencies and move most 'demo' related recipes to meta-agl-demo.
v2: changed to bbappend + .inc , added description
v3: testbuild of all images
v4: restore -test packagegroup and -qa images, compare manifests and adapt packagegroups.
v5: rebased
v6: merged meta-agl-distro into meta-agl-core,
due to dependency on meta-oe, moved -test packagegroup and -qa images
to own layer meta-agl-core-test
v7: Fixed comments from Paul Barker
v8: Update the markdown files
v9: restore wayland/weston/agl-compositor recipes/appends, reworked to
move app f/w specific changes to bbappends in meta-app-framework and
only demo specific weston-init changes to meta-agl-demo
v10: fix s/agldemo/aglcore/ missed in weston-init.bbappend
Description:
This patch is part 1 out of 2 large patches that implement the layer rework
discussed during the previous workshop. Essentially meta-agl-core is the
small but versatile new core layer of AGL serving as basis for
the work done by the IC and IVI EGs.
All demo related work is moved to meta-agl-demo in the 2nd patchset.
This should be applied together as atomic change.
The resulting meta-agl/* follows these guidelines:
- only bsp adaptations in meta-agl-bsp
- remove the agl-profile-* layers for simplicity
  -- the packagegroup-agl(-profile)-graphical and so on
     have been kept in meta-agl-demo
- meta-agl-profile-core is now meta-agl-core
- meta-agl-core does pass yocto-check-layer
  -- therefore use the bbappend + conditional + .inc file
     construct found in meta-virtualization
- meta-agl/meta-security has been merged into meta-agl/meta-app-framework
- meta-netboot does pass yocto-check-layer
- meta-pipewire does pass yocto-check-layer
Migration:
All packagegroups are preserved but they're now enabled by 'agl-demo'.
Bug-AGL: SPEC-3723
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ia6c6e5e6ce2b4ffa69ea94959cdc57c310ba7c53
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/25769
|