Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2022-11-10 | meta-app-framework: applaunchd: run under a separate user | Denys Dmytriyenko | 1 | -1/+1 | |
Since applaunchd needs to start/stop systemd units, the user is granted elevated systemd unit-management permissions via PolKit policy. If applaunchd and all the apps run under the same agl-driver user, all the apps have these elevated systemd permissions too. Separating them into different users allows removing elevated systemd unit-management permission from individual apps, but leaving such permission for applaunchd, which enhances overall security of the system. - add new applaunchd user and group - switch applaunchd (gRPC) service to be started under new user - since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API, applaunchd-dbus gets activated by agl-session and runs under agl-driver - temporarily add agl-driver user into the applaunchd group and switch PolKit policy to check for applaunchd group, instead of the user - once D-Bus API is completely deprecated, agl-driver user can be removed from applaunchd group Bug-AGL: SPEC-4579 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> (cherry picked from commit 924b71fb656fec0925726174f65676ef6a8a9329) Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28137 | |||||
2022-07-29 | meta-app-framework: Update app template scheme | Scott Murray | 1 | -1/+1 | |
Changes to support the move to systemd unit based app enumeration in applaunchd: - Bump applaunchd SRCREV to pick up enumeration changes. - Tweak the polkit rule to match agl-app* instead of agl-app@* to allow more flexibility with respect to different app templates. - Tweak the Description field definition in the agl-app service template to just use the instance name, as that field is now used for the application display name by applaunchd. - Add a agl-app-web service template for web apps. - Add a agl-app.bbclass for use in application recipes to simplify installation of the now required systemd template instances and potential generation of override files to tweak application configuration. - Split the agl-app and agl-app-web templates into their own packages in the applaunchd recipe so they can be depended on by applications as required. - Move applaunchd installed systemd units and override files to /lib/systemd/system since that matches the upstream recommendation for units installed as part of the system installation. Bug-AGL: SPEC-4466 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: I32ff6c9624850662856b79a2b14b33a05e7f9a65 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27835 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jose Dapena Paz <jdapena@igalia.com> Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | |||||
2022-07-13 | polkit: add rule to allow agl-driver to control agl-app@ systemd services | Denys Dmytriyenko | 1 | -0/+7 | |
Bug-AGL: SPEC-4466 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Change-Id: I8007aacc12f8b6bdfbca660c994d321ef1b5eca7 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27751 Reviewed-by: Scott Murray <scott.murray@konsulko.com> Reviewed-by: Marius Vlad <marius.vlad@collabora.com> Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> |