Age | Commit message (Collapse) | Author | Files | Lines |
|
Users should not be able to read other user content.
Use Umask to enforce that.
Bug-AGL: SPEC-1016
Change-Id: Ibb61b7a6a7617117a499650c5bd70bdd5af3c328
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
/usr/local should point to ../var/local (and not ../../var/local)
Thanks to Vasyl Vavrychuk <vvavrychuk@gmail.com>
Bug-AGL: SPEC-1844
Change-Id: I700065290deff979db2e74cb68eae78ef55cda9c
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
|
|
smack user space library is provided by meta-security
Change-Id: Ifb5e88e5f5a1aab3e695ab91a56d8c55c33fd004
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
Using the OVERRIDE "smack" came with the use of
the layer meta-intel-iot-security.
When switching to meta-security, it conflicts with the
package name 'smack' that provide the smack user library.
Yocto was reporting the following error:
ERROR: .../meta-security/recipes-security/smack/smack_1.3.0.bb:
QA Issue: Recipe .../meta-security/recipes-security/smack/smack_1.3.0.bb
has PN of "smack" which is in OVERRIDES, this can result
in unexpected behaviour. [pn-overrides]
Change-Id: Id71b283bf1ce5682bd94bf96595eb32506acb1d5
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
|
|
While dealing with systemd as a launcher, it appeared
a limitation. If the template argument of units is used
to designate the user it can not be different that the
UID as a number because systemd enforce XDG_RUNTIME_DIR
to be /run/user/<UID>.
Thus using UID is the way to go to use template mechanic
of systemd and use systemd as launcher. This is of
importance because we don't expect systemd user to have
full capabilities. Instead the framework will continue
to leverage systemd launching mechanism but at a system
level, with full capabilities but wil only allow user
applications to deal with systemd --user. This impose to
use UID as template parameters.
The problem is then to set the user directory to the
correct value knowing only the UID and using only
possibilities of units. The only way is to have user
home directories of the form /SOMETHING/<UID> (where
SOMETHING is merely "home").
This can be achieved either by setting a symbolic link
(hard link tto directories are forbidden) or by simply
using the scheme /home/UID in all cases.
At the end, users within AGL will not receive nick names
but will receive allocated UID. So, at the end, it is
not a problem to use the regular naming scheme /home/UID,
a scheme that will probably never be seen except by tools
or experts.
This patch implement this choice.
Change-Id: I225958fa627894cb966f52a06ebd8a914058d429
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/12137
Tested-by: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
ci-image-build: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
Reviewed-by: Stéphane Desneux <stephane.desneux@iot.bzh>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
* Since yocto pyro we need to declare PACKAGE_WRITE_DEPS, dependency
for post install script
http://www.yoctoproject.org/docs/2.3/mega-manual/mega-manual.html#var-PACKAGE_WRITE_DEPS
* we alsa need to explicit exit 1 if post script failed
Bug-AGL: SPEC-646
Bug-AGL: SPEC-825
Change-Id: Ic15f8af884895fecacceb9886de5bebe591a2be0
Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/10883
Reviewed-by: Stéphane Desneux <stephane.desneux@iot.bzh>
Reviewed-by: Thomas Rini <trini@konsulko.com>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
This provides a link from /usr/local to ../../var/local
that enforces file hierarchy local to the machine
to be in a directory frankly separated from /usr.
This is important for SOTA/OSTree that must not manage
the locally installed files. But this is also important
for correctly separating layers of the target. For
this reason, the change is not conditionnal to SOTA.
Bug-AGL: SPEC-359
Bug-AGL: SPEC-533
Change-Id: I0a709ba15582a011a43f3a3b68d4230bae11b658
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/9071
Tested-by: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
ci-image-build: Jenkins Job builder account <agl-jobbuilder@automotivelinux.org>
Reviewed-by: Stéphane Desneux <stephane.desneux@iot.bzh>
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
|
|
This setting is introduced primarily to allow the
recipe agl-users to run in a correct environment.
Change-Id: Ib0bd7c8e6520bd87dbb26d9c011f5cb4672f44c7
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
|