From 1c3c06842ac1b9c089d0a08e91c60f44e4844fac Mon Sep 17 00:00:00 2001 
From: Jan-Simon Moeller Date: Tue, 8 Dec 2020 11:12:45 +0100 Subject: SPEC-3723: restructure meta-agl Goal is to reach a minimal meta-agl-core as base for IVI and IC work at the same time. Trim dependencies and move most 'demo' related recipes to meta-agl-demo. v2: changed to bbapend + .inc , added description v3: testbuild of all images v4: restore -test packagegroup and -qa images, compare manifests and adapt packagegroups. v5: rebased v6: merged meta-agl-distro into meta-agl-core, due to dependency on meta-oe, moved -test packagegroup and -qa images to own layer meta-agl-core-test v7: Fixed comments from Paul Barker v8: Update the markdown files v9: restore wayland/weston/agl-compositor recipes/appends, reworked to move app f/w specific changes to bbappends in meta-app-framework and only demo specific weston-init changes to meta-agl-demo v10: fix s/agldemo/aglcore/ missed in weston-init.bbappend Description: This patch is part 1 out of 2 large patches that implement the layer rework discussed during the previous workshop. Essentially meta-agl-core is the small but versatile new core layer of AGL serving as basis for the work done by the IC and IVI EGs. All demo related work is moved to meta-agl-demo in the 2nd patchset. This should be applied together as atomic change. The resulting meta-agl/* follows these guidelines: - only bsp adaptations in meta-agl-bsp - remove the agl-profile-* layers for simplicity -- the packagegroup-agl(-profile)-graphical and so on have been kept in meta-agl-demo - meta-agl-profile-core is now meta-agl-core - meta-agl-core does pass yocto-check-layer -- therefore use the bbappend + conditional + .inc file construct found in meta-virtualization - meta-agl/meta-security has been merged into meta-agl/meta-app-framework - meta-netboot does pass yocto-check-layer - meta-pipewire does pass yocto-check-layer Migration: All packagegroups are preserved but they're now enabled by 'agl-demo'. Bug-AGL: SPEC-3723 Signed-off-by: Jan-Simon Moeller 
Signed-off-by: Scott Murray Change-Id: Ia6c6e5e6ce2b4ffa69ea94959cdc57c310ba7c53 Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/25769
---
 .../files/55-udev-smack-default.rules | 27 ++++++++++++++++++++++
 .../files/systemd-journald.service.conf | 16 +++++++++++++
 .../files/systemd-tmpfiles-setup.service.conf | 2 ++
 .../smack-system-setup/files/tmp.mount.conf | 12 ++++++++++
 4 files changed, 57 insertions(+)
 create mode 100644 meta-app-framework/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
 create mode 100644 meta-app-framework/recipes-core/smack-system-setup/files/systemd-journald.service.conf
 create mode 100644 meta-app-framework/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
 create mode 100644 meta-app-framework/recipes-core/smack-system-setup/files/tmp.mount.conf
(limited to 'meta-app-framework/recipes-core/smack-system-setup/files')
diff --git a/meta-app-framework/recipes-core/smack-system-setup/files/55-udev-smack-default.rules b/meta-app-framework/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
new file mode 100644
index 000000000..eca65292f
--- /dev/null
+++ b/meta-app-framework/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
@@ -0,0 +1,27 @@
+# do not edit this file, it will be overwritten on update
+
+KERNEL=="null", SECLABEL{smack}="*"
+KERNEL=="zero", SECLABEL{smack}="*"
+KERNEL=="console", SECLABEL{smack}="*"
+KERNEL=="kmsg", SECLABEL{smack}="*"
+KERNEL=="video*", SECLABEL{smack}="*"
+KERNEL=="card*", SECLABEL{smack}="*"
+KERNEL=="ptmx", SECLABEL{smack}="*"
+KERNEL=="tty", SECLABEL{smack}="*"
+KERNEL=="rfkill", SECLABEL{smack}="*"
+
+SUBSYSTEM=="most_cdev_aim", SECLABEL{smack}="*"
+
+SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="sound", GROUP="audio", SECLABEL{smack}="*"
+
+SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
+SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
+SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
+KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
+
+SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
+SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
diff --git a/meta-app-framework/recipes-core/smack-system-setup/files/systemd-journald.service.conf b/meta-app-framework/recipes-core/smack-system-setup/files/systemd-journald.service.conf
new file mode 100644
index 000000000..7035a1410
--- /dev/null
+++ b/meta-app-framework/recipes-core/smack-system-setup/files/systemd-journald.service.conf
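Review bot: The `ptmx` and `tty` nodes are matched twice — once as bare `KERNEL=="ptmx"` / `KERNEL=="tty"` lines near the top and again under `SUBSYSTEM=="tty"` with `GROUP`/`MODE` — and the bare pair appears to add nothing beyond the `SECLABEL{smack}="*"` the second pair already applies, so those two lines look droppable. The file also says only "do not edit" and never states what it does: every node listed here receives the Smack star label, which makes the object accessible to a process of any Smack label and leaves the `GROUP`/`MODE` DAC bits as the only remaining access control on it, and that deserves a header line such as `# Label these device nodes with the Smack star label ("*") so a process of any Smack label can open them; DAC GROUP/MODE is then the only restriction.` The two `SUBSYSTEM=="input"` rules set `MODE` without `GROUP`, which I take to rely on an earlier default rules file (the `55-` prefix sorts after the usual `50-` defaults) — worth a comment if that is the intent.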
@@ -0,0 +1,16 @@
+# Run systemd-journald with the hat ("^") Smack label.
+#
+# The journal daemon needs global read access to gather information
+# about the services spawned by systemd. The hat label is intended
+# for this purpose. The journal daemon is the only part of the
+# System domain that needs read access to the User domain. Giving
+# the journal daemon the hat label means that we can remove the
+# System domain's read access to the User domain and we can avoid
+# hard-coding a specific label name for that domain.
+#
+# Original author: Casey Schaufler
+#
+# This is considered a configuration change and thus distro specific.
+[Service]
+SmackProcessLabel=^
+
diff --git a/meta-app-framework/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf b/meta-app-framework/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
new file mode 100644
index 000000000..db43c8c51
--- /dev/null
+++ b/meta-app-framework/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
diff --git a/meta-app-framework/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-app-framework/recipes-core/smack-system-setup/files/tmp.mount.conf
new file mode 100644
index 000000000..388986e82
--- /dev/null
+++ b/meta-app-framework/recipes-core/smack-system-setup/files/tmp.mount.conf
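Review bot: The `ExecStartPost=` line in systemd-tmpfiles-setup.service.conf gives `/var/tmp` the Smack star label via `\"*\"` — accessible to a process of any Smack label — and gives `/var/log` `System::Log` plus transmute, but nothing records either intent or why the awkward `\"*\"` spelling is needed (as far as I can tell the unit parser consumes the backslashes so the shell sees `"*"`, which keeps the star from being glob-expanded; an unquoted `*` would expand against the working directory). I would add a header such as `# Relabel /var/tmp with the Smack star label ("*", accessible to any label) and /var/log with System::Log + transmute so files created under it inherit that label.` The command is deliberately not prefixed with `-`, so a missing or failing chsmack fails systemd-tmpfiles-setup.service itself; that is the right behaviour for a labelling step (a silently unlabelled /var/log would be worse), but it is worth stating in the comment so the hard failure is not "fixed" later and the dependency on the chsmack tool being present in the image is visible.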
@@ -0,0 +1,12 @@
+# Mount /tmp publicly accessable. Based on patch by Michael Demeter .
+# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
+# but it was removed again (https://github.com/systemd/systemd/issues/1696) because
+# util-linux mount will ignore smackfsroot when Smack is not active. However,
+# busybox is not that intelligent.
+#
+# When using busybox mount, adding smackfsroot=* and booting without
+# Smack (i.e. security=none), tmp.mount will fail with an error about
+# "Bad mount option smackfsroot".
+[Mount]
+Options=smackfsroot=*
+
-- 
cgit 1.2.3-korg
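Review bot: `Options=` is a single-valued mount-unit setting, so in a drop-in it replaces the upstream value rather than extending it; this file therefore mounts `/tmp` with only `smackfsroot=*` and discards whatever the shipped tmp.mount sets — in current systemd that is `mode=1777,strictatime,nosuid,nodev`, so `/tmp` would silently lose `nosuid` and `nodev`. The line should carry the upstream options forward, e.g. `Options=mode=1777,strictatime,nosuid,nodev,smackfsroot=*`, preceded by a comment such as `# Options= replaces the upstream tmp.mount value instead of appending, so repeat its options here.` Which exact upstream options apply depends on the systemd version the layer builds against, so the shipped tmp.mount should be checked whenever systemd is bumped. The existing comment block records the busybox caveat well; this version-dependent detail belongs next to the value.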