summaryrefslogtreecommitdiffstats
path: root/meta-app-framework/recipes-config/polkit-rule-agl-app
AgeCommit message (Collapse)AuthorFilesLines
2023-06-16polkit-rule-agl-app: add useradd class and USERADD_PARAMpike_15.91.0pike/15.91.015.91.0Jan-Simon Moeller1-1/+4
The only diff left to e.g. polkit and systemd is the USERADD_PARAM. Add it into the recipe. Bug-AGL: SPEC-4824 Change-Id: I7eb2862dc5c40577a1c3311ac9b7a7cc43c5be2a Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/29023
2023-06-14polkit-rule-agl-app: try to prevent transaction errorJan-Simon Moeller1-3/+5
While creating the final filesystem we see this error in CI: Running transaction test Error: Transaction test error: file /etc/polkit-1/rules.d conflicts between attempted installs of polkit-rule-agl-app-1.0-r0.11.corei7_64 and polkit-0.119-r0.11.corei7_64 ERROR: Logfile of failure stored in: /w/workspace/release-jjb-pike-snapshot/MACHINE/qemux86-64/label/agl-test-slave/repoclone/output/tmp/work/qemux86_64-agl-linux/agl-demo-platform-crosssdk/1.0-r0/temp/log.do_rootfs.44779 NOTE: recipe agl-demo-platform-crosssdk-1.0-r0: task do_rootfs: Failed Try to work this around. Bug-AGL: SPEC-4837 Change-Id: I855bfe88651cc5e738630936639e599523eb811c Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/29016 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account
2022-10-08meta-app-framework: applaunchd: run under a separate userDenys Dmytriyenko1-1/+1
Since applaunchd needs to start/stop systemd units, the user is granted elevated systemd unit-management permissions via PolKit policy. If applaunchd and all the apps run under the same agl-driver user, all the apps have these elevated systemd permissions too. Separating them into different users allows removing elevated systemd unit-management permission from individual apps, but leaving such permission for applaunchd, which enhances overall security of the system. - add new applaunchd user and group - switch applaunchd (gRPC) service to be started under new user - since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API, applaunchd-dbus gets activated by agl-session and runs under agl-driver - temporarily add agl-driver user into the applaunchd group and switch PolKit policy to check for applaunchd group, instead of the user - once D-Bus API is completely deprecated, agl-driver user can be removed from applaunchd group Bug-AGL: SPEC-4579 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-07-29meta-app-framework: Update app template schemeScott Murray1-1/+1
Changes to support the move to systemd unit based app enumeration in applaunchd: - Bump applaunchd SRCREV to pick up enumeration changes. - Tweak the polkit rule to match agl-app* instead of agl-app@* to allow more flexibility with respect to different app templates. - Tweak the Description field definition in the agl-app service template to just use the instance name, as that field is now used for the application display name by applaunchd. - Add a agl-app-web service template for web apps. - Add a agl-app.bbclass for use in application recipes to simplify installation of the now required systemd template instances and potential generation of override files to tweak application configuration. - Split the agl-app and agl-app-web templates into their own packages in the applaunchd recipe so they can be depended on by applications as required. - Move applaunchd installed systemd units and override files to /lib/systemd/system since that matches the upstream recommendation for units installed as part of the system installation. Bug-AGL: SPEC-4466 Signed-off-by: Scott Murray <scott.murray@konsulko.com> Change-Id: I32ff6c9624850662856b79a2b14b33a05e7f9a65 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27835 Tested-by: Jenkins Job builder account ci-image-build: Jenkins Job builder account ci-image-boot-test: Jenkins Job builder account Reviewed-by: Jose Dapena Paz <jdapena@igalia.com> Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
2022-07-13polkit: add rule to allow agl-driver to control agl-app@ systemd servicesDenys Dmytriyenko2-0/+23
Bug-AGL: SPEC-4466 Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Change-Id: I8007aacc12f8b6bdfbca660c994d321ef1b5eca7 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27751 Reviewed-by: Scott Murray <scott.murray@konsulko.com> Reviewed-by: Marius Vlad <marius.vlad@collabora.com> Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>