path: root/meta-app-framework/recipes-config
Age | Commit message | Author | Files | Lines
2022-10-08 | meta-app-framework: applaunchd: run under a separate user | Denys Dmytriyenko | 2 | -2/+6

Since applaunchd needs to start/stop systemd units, the user is granted elevated systemd unit-management permissions via PolKit policy. If applaunchd and all the apps run under the same agl-driver user, all the apps have these elevated systemd permissions too. Separating them into different users allows removing elevated systemd unit-management permission from individual apps, but leaving such permission for applaunchd, which enhances overall security of the system.

- add new applaunchd user and group
- switch applaunchd (gRPC) service to be started under new user
- since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API, applaunchd-dbus gets activated by agl-session and runs under agl-driver
- temporarily add agl-driver user into the applaunchd group and switch PolKit policy to check for applaunchd group, instead of the user
- once D-Bus API is completely deprecated, agl-driver user can be removed from applaunchd group

Bug-AGL: SPEC-4579
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2022-07-29 | meta-app-framework: Update app template scheme | Scott Murray | 1 | -1/+1

Changes to support the move to systemd unit based app enumeration in applaunchd:

- Bump applaunchd SRCREV to pick up enumeration changes.
- Tweak the polkit rule to match agl-app* instead of agl-app@* to allow more flexibility with respect to different app templates.
- Tweak the Description field definition in the agl-app service template to just use the instance name, as that field is now used for the application display name by applaunchd.
- Add an agl-app-web service template for web apps.
- Add an agl-app.bbclass for use in application recipes to simplify installation of the now required systemd template instances and potential generation of override files to tweak application configuration.
- Split the agl-app and agl-app-web templates into their own packages in the applaunchd recipe so they can be depended on by applications as required.
- Move applaunchd installed systemd units and override files to /lib/systemd/system since that matches the upstream recommendation for units installed as part of the system installation.

Bug-AGL: SPEC-4466
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I32ff6c9624850662856b79a2b14b33a05e7f9a65
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27835
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jose Dapena Paz <jdapena@igalia.com>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2022-07-13 | polkit: add rule to allow agl-driver to control agl-app@ systemd services | Denys Dmytriyenko | 2 | -0/+23

Bug-AGL: SPEC-4466
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Change-Id: I8007aacc12f8b6bdfbca660c994d321ef1b5eca7
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27751
Reviewed-by: Scott Murray <scott.murray@konsulko.com>
Reviewed-by: Marius Vlad <marius.vlad@collabora.com>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2022-01-30 | meta-app-framework: add agl-driver to pipewire group | Ashok Sidipotu | 1 | -1/+2

- Update agl-session recipe to add agl-driver to pipewire group
- Apps in the new framework can access pipewire services if agl-driver is a part of pipewire group.

Bug-AGL: SPEC-4210
Signed-off-by: Ashok Sidipotu <ashok.sidipotu@collabora.com>
Change-Id: Iba3856006b36c0182aaa0e36e8e98f85d9c49af3
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27100
Reviewed-by: Georgios Kiagiadakis <george.kiagiadakis@collabora.com>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account

2021-12-22 | meta-app-framework: tweak agl-driver definition | Scott Murray | 1 | -1/+3

Tweak agl-driver user definition in agl-session recipe to ensure it is a member of the video and display groups (the latter has been added back to the static group file). This is required to avoid agl-compositor startup failures on rcar3.

The display group membership potentially could be dropped if we were to bbappend rcar3's gles-user-module recipe to tweak its udev rules. For now, take the most straightforward approach.

Bug-AGL: SPEC-4161
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I7237ade5d8680655f17716ac048349a476eb5f29
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27060
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account

2021-12-21 | meta-app-framework: agl-session: Ensure XDG_DATA_DIRS is set | Scott Murray | 2 | -1/+16

Add installation of a systemd user-environment-generator scriptlet to the agl-session recipe to ensure that XDG_DATA_DIRS is set to a reasonable default value. This is required for locating D-Bus activation .service files and icons.

Bug-AGL: SPEC-4182
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I5d1a72022ca97f25a915b64205bf70ab33516ec6
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27048
Reviewed-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2021-12-17 | meta-app-framework: add new agl-session recipe | Arnaud Ferraris | 3 | -0/+64

For the new App FW, we want to create a systemd user session, to be started on boot, which will be used to start the compositor and all user background services.

This commit adds the corresponding target and service file (enabled by default) so the session is started on boot.

Bug-AGL: SPEC-4161
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Change-Id: I51ca7e0c1a994c6798b20b2592bec56a07f41c98
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26974
ci-image-build: Jenkins Job builder account
Tested-by: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2018-05-31 | 3rd part of the layer/profile rework [1/2] | Jan-Simon Möller | 3 | -51/+0

This is the last larger commit in this series and deals with the graphical part. We introduce the graphical profiles:

- meta-agl-profile-graphical
-- meta-agl-profile-graphical-html5
-- meta-agl-profile-graphical-qt5

Notable changes:

- weston-ini-conf moved to the meta-agl-bsp layer. Most BSPs have bbappends, so we need to have the recipes present (but unused) even in the console images.
- new image: agl-image-boot = terminal-only + network + package-manager. Ready for using package-feeds
- new image/sdk: agl-image-minimal-crosssdk
- agl-service-mediaplayer has a dependency on weston, thus it cannot be in the 'core'. Moved it to profile-graphical.
- The wayland-ivi-extension moved to the agl-demo-platform.
- The app-framework layer included and pulled 'web-runtime' as dependency. This broke console-only images. This has been moved to be in meta-agl-demo only for now.
- added and massaged the agl-features.
- found and added a useful script 'oe-depends-dot' that helps to work with the dot files (produced with bitbake -g)

Todo:

- we'll need another pass through the packagegroups. The dependencies for the layers/profiles are now sorted-out but we might have to add/shuffle a few packages.

For further details, see meta-agl/docs/profiles.md.

v2: fix meta-agl/meta-security/conf/layer.conf - the immediate expansion previously used in there caused some recipes not being added to BBFILES.
v3: fix packagegroup renaming (packagegroup-agl-devel -> packagegroup-agl-core-devel)
v4: fix missing packagegroup inclusion (tnx Jose, Scott, Stephane)
v5: fix missing packagegroup inclusion
v6: explicitly put profile-graphical-qt5 on-top of profile-graphical
v7: re-add 'procps' when agl-devel feature is on

Bug-AGL: SPEC-145
Change-Id: I24cdcd1118932758d0c55d333338238f2a770877
Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>

2018-01-25 | Provides default dev-mapping.conf file in images | Romain Forlot | 2 | -0/+24

Bug-AGL: SPEC-1121
Change-Id: Id31e34af1276682dbe39457a145889f0d0c7e7c3
Signed-off-by: Romain Forlot <romain.forlot@iot.bzh>

2017-11-30 | agl-users: Use UID for HOME directories and logins | José Bollo | 1 | -3/+10

While dealing with systemd as a launcher, it appeared a limitation. If the template argument of units is used to designate the user it can not be different than the UID as a number because systemd enforces XDG_RUNTIME_DIR to be /run/user/<UID>. Thus using UID is the way to go to use template mechanic of systemd and use systemd as launcher.

This is of importance because we don't expect systemd user to have full capabilities. Instead the framework will continue to leverage systemd launching mechanism but at a system level, with full capabilities but will only allow user applications to deal with systemd --user. This imposes to use UID as template parameters.

The problem is then to set the user directory to the correct value knowing only the UID and using only possibilities of units. The only way is to have user home directories of the form /SOMETHING/<UID> (where SOMETHING is merely "home"). This can be achieved either by setting a symbolic link (hard links to directories are forbidden) or by simply using the scheme /home/UID in all cases.

At the end, users within AGL will not receive nick names but will receive allocated UID. So, at the end, it is not a problem to use the regular naming scheme /home/UID, a scheme that will probably never be seen except by tools or experts.

This patch implements this choice.

Change-Id: I225958fa627894cb966f52a06ebd8a914058d429
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/12137
Tested-by: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
ci-image-build: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
Reviewed-by: Stéphane Desneux <stephane.desneux@iot.bzh>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2017-06-02 | agl-login-manager,agl-desktop-config: Move layer to meta-agl | Changhyeok Bae | 5 | -84/+0

agl-ivi-image is using agl-login-manager and agl-desktop-config. However, those aren't included in meta-agl layer. So agl-ivi-image isn't built only with meta-agl layer.

Bug-AGL: SPEC-625
Change-Id: Ied4bbec9c72d2f7cac5b01c2465fe395c2e5497c
Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/9587
Reviewed-by: Martin Kelly <mkelly@xevo.com>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
ci-image-build: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
ci-image-boot-test: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>

2017-05-16 | Run weston with dedicated 'display' user and group | Ronan Le Martret | 6 | -6/+89

* Create a user/group display
* Allow weston to start without mandatory root user
* start weston-terminal for each user

Bug-AGL: SPEC-546
Change-Id: Id50acdbf5f7c07d5e0440575d42998b8819b5547
Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/9135
Tested-by: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
ci-image-build: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
ci-image-boot-test: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
Reviewed-by: Dominig ar Foll <dominig.arfoll@fridu.net>
Reviewed-by: José Bollo <jobol@nonadev.net>
Reviewed-by: Stéphane Desneux <stephane.desneux@iot.bzh>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

2017-03-27 | base-files for the framework | José Bollo | 1 | -44/+0

This setting is introduced primarily to allow the recipe agl-users to run in a correct environment.

Change-Id: Ib0bd7c8e6520bd87dbb26d9c011f5cb4672f44c7
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>

2017-03-27 | add layer meta-app-framework | Stephane Desneux | 1 | -0/+65

meta-app-framework is a layer containing the AGL App Framework recipes

4 new layers are added for application framework:

* meta-intel-iot-security/meta-security-smack
* meta-intel-iot-security/meta-security-framework
* meta-agl/meta-agl-security
* meta-agl/meta-app-framework

Configuration file changes to support AppFw:

* activation of Smack and Cynara
* modify the tar command to be used to support Smack extended attributes

Change-Id: Idc8abdc8869787feb4b534ee45bf7b5d3dde3632
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>

2016-06-24 | Revert "add meta-app-framework to meta-agl" | Stephane DESNEUX | 1 | -65/+0

This reverts commit 80f4d503fc5bb2564b72b72daedebf74612c30f3.

Change-Id: I94605d4c0ef80433fa6eaa05e63a9c6cf69baea4
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>

2016-06-19 | add meta-app-framework to meta-agl | Stephane Desneux | 1 | -0/+65

meta-app-framework is a layer containing the AGL App Framework recipes

4 new layers are added for application framework:

* meta-intel-iot-security/meta-security-smack
* meta-intel-iot-security/meta-security-framework
* meta-agl/meta-agl-security
* meta-agl/meta-app-framework

In the templates files, the following changes were done:

* activation of Smack and Cynara
* modify the tar command to be used to support Smack extended attributes

Change-Id: If369221ca7614fe0072f2a0f99a5051ef2af831d
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>