From 1d9b82cd1023fa90495f94977cb3783e3d5b4fdb Mon Sep 17 00:00:00 2001 From: Jan-Simon Moeller Date: Mon, 18 Oct 2021 14:07:53 +0200 Subject: WIP: rm appfw Signed-off-by: Jan-Simon Moeller Change-Id: Icdaeadfb5d2193f3a4c535168c88da6073423e67 --- ...01-modules-add-new-access-seclabel-module.patch | 263 --------------------- .../pipewire/pipewire/pipewire.conf | 56 ----- .../pipewire/pipewire/pipewire.service | 24 -- .../pipewire/pipewire/pipewire.socket | 16 -- .../pipewire/pipewire/smack-pipewire | 8 - .../pipewire/pipewire_0.3.30.bbappend | 34 --- .../wireplumber-config-agl/50-access-agl.lua | 1 - .../wireplumber-config-agl/access-smack.lua | 17 -- .../wireplumber-config-agl_git.bbappend | 15 -- 9 files changed, 434 deletions(-) delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/smack-pipewire delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.30.bbappend delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend (limited to 'meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia') 
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch
deleted file mode 100644
index 17cb6ec79..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch
+++ /dev/null
@@ -1,263 +0,0 @@
-From b6854927aaf5e5970178ed9b0c6647bb759f2092 Mon Sep 17 00:00:00 2001
-From: George Kiagiadakis
-Date: Tue, 16 Feb 2021 17:26:20 +0200
-Subject: [PATCH] modules: add new access-seclabel module
-
-This module allows access control based on the security label
-of the client. It is tailored for use with the semantics of SMACK
-
-Upstream-Status: Inappropriate [smack specific]
-
----
- src/modules/meson.build | 10 ++
- src/modules/module-access-seclabel.c | 220 +++++++++++++++++++++++++++
- 2 files changed, 230 insertions(+)
- create mode 100644 src/modules/module-access-seclabel.c
-
-diff --git a/src/modules/meson.build b/src/modules/meson.build
-index f51aa29c..21b52d49 100644
---- a/src/modules/meson.build
-+++ b/src/modules/meson.build
-@@ -56,6 +56,16 @@ pipewire_module_echo_cancel = shared_library('pipewire-module-echo-cancel',
- dependencies : [mathlib, dl_lib, pipewire_dep, webrtc_dep],
- )
-
-+pipewire_module_access_seclabel = shared_library('pipewire-module-access-seclabel',
-+ [ 'module-access-seclabel.c' ],
-+ c_args : pipewire_module_c_args,
-+ include_directories : [configinc, spa_inc],
-+ install : true,
-+ install_dir : modules_install_dir,
-+ install_rpath: modules_install_dir,
-+ dependencies : [mathlib, dl_lib, pipewire_dep],
-+)
-+
- pipewire_module_profiler = shared_library('pipewire-module-profiler',
- [ 'module-profiler.c',
- 'module-profiler/protocol-native.c', ],
-diff --git a/src/modules/module-access-seclabel.c b/src/modules/module-access-seclabel.c
-new file mode 100644
-index 00000000..3739f2e4
---- /dev/null
-+++ b/src/modules/module-access-seclabel.c
-@@ -0,0 +1,220 @@
-+/* PipeWire
-+ *
-+ * Copyright © 2018 Wim Taymans
-+ * Copyright © 2021 Collabora Ltd.
-+ * @author George Kiagiadakis
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a
-+ * copy of this software and associated documentation files (the "Software"),
-+ * to deal in the Software without restriction, including without limitation
-+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
-+ * and/or sell copies of the Software, and to permit persons to whom the
-+ * Software is furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice (including the next
-+ * paragraph) shall be included in all copies or substantial portions of the
-+ * Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-+ * DEALINGS IN THE SOFTWARE.
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include "config.h"
-+
-+#include
-+#include
-+
-+#include
-+#include
-+
-+#define NAME "access-seclabel"
-+
-+#define MODULE_USAGE "[ seclabel.allowed= ] " \
-+ "[ seclabel.rejected= ] " \
-+ "[ seclabel.restricted= ] " \
-+
-+static const struct spa_dict_item module_props[] = {
-+ { PW_KEY_MODULE_AUTHOR, "George Kiagiadakis " },
-+ { PW_KEY_MODULE_DESCRIPTION, "Perform access check based on the security label" },
-+ { PW_KEY_MODULE_USAGE, MODULE_USAGE },
-+ { PW_KEY_MODULE_VERSION, PACKAGE_VERSION },
-+};
-+
-+struct impl {
-+ struct pw_context *context;
-+ struct pw_properties *properties;
-+
-+ struct spa_hook context_listener;
-+ struct spa_hook module_listener;
-+};
-+
-+static int check_label(const char *label, const char *str)
-+{
-+ char key[1024];
-+ int res = 0;
-+ struct spa_json it[2];
-+
-+ spa_json_init(&it[0], str, strlen(str));
-+ if ((res = spa_json_enter_array(&it[0], &it[1])) <= 0)
-+ goto exit;
-+
-+ res = 0;
-+ while (spa_json_get_string(&it[1], key, sizeof(key)) > 0) {
-+ if (strcmp(label, key) == 0) {
-+ res = 1;
-+ break;
-+ }
-+ }
-+exit:
-+ return res;
-+}
-+
-+static void
-+context_check_access(void *data, struct pw_impl_client *client)
-+{
-+ struct impl *impl = data;
-+ struct pw_permission permissions[1];
-+ struct spa_dict_item items[2];
-+ const struct pw_properties *props;
-+ const char *str, *access, *label = NULL;
-+ int res;
-+
-+ if ((props = pw_impl_client_get_properties(client)) != NULL) {
-+ if ((str = pw_properties_get(props, PW_KEY_ACCESS)) != NULL) {
-+ pw_log_info(NAME " client %p: has already access: '%s'", client, str);
-+ return;
-+ }
-+ label = pw_properties_get(props, PW_KEY_SEC_LABEL);
-+ }
-+
-+ if (!label) {
-+ pw_log_info(NAME " client %p: has no security label", client);
-+ return;
-+ }
-+
-+ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.allowed")) != NULL) {
-+ res = check_label(label, str);
-+ if (res < 0) {
-+ pw_log_warn(NAME" %p: client %p allowed check failed: %s",
-+ impl, client, spa_strerror(res));
-+ } else if (res > 0) {
-+ access = "allowed";
-+ goto granted;
-+ }
-+ }
-+
-+ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.rejected")) != NULL) {
-+ res = check_label(label, str);
-+ if (res < 0) {
-+ pw_log_warn(NAME" %p: client %p rejected check failed: %s",
-+ impl, client, spa_strerror(res));
-+ } else if (res > 0) {
-+ res = -EACCES;
-+ access = "rejected";
-+ goto rejected;
-+ }
-+ }
-+
-+ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.restricted")) != NULL) {
-+ res = check_label(label, str);
-+ if (res < 0) {
-+ pw_log_warn(NAME" %p: client %p restricted check failed: %s",
-+ impl, client, spa_strerror(res));
-+ }
-+ else if (res > 0) {
-+ pw_log_debug(NAME" %p: restricted client %p added", impl, client);
-+ access = "restricted";
-+ goto wait_permissions;
-+ }
-+ }
-+
-+ return;
-+
-+granted:
-+ pw_log_info(NAME" %p: client %p '%s' access granted", impl, client, access);
-+ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
-+ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
-+
-+ permissions[0] = PW_PERMISSION_INIT(PW_ID_ANY, PW_PERM_ALL);
-+ pw_impl_client_update_permissions(client, 1, permissions);
-+ return;
-+
-+wait_permissions:
-+ pw_log_info(NAME " %p: client %p wait for '%s' permissions",
-+ impl, client, access);
-+ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
-+ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
-+ return;
-+
-+rejected:
-+ pw_resource_error(pw_impl_client_get_core_resource(client), res, access);
-+ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
-+ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
-+ return;
-+}
-+
-+static const struct pw_context_events context_events = {
-+ PW_VERSION_CONTEXT_EVENTS,
-+ .check_access = context_check_access,
-+};
-+
-+static void module_destroy(void *data)
-+{
-+ struct impl *impl = data;
-+
-+ spa_hook_remove(&impl->context_listener);
-+ spa_hook_remove(&impl->module_listener);
-+
-+ if (impl->properties)
-+ pw_properties_free(impl->properties);
-+
-+ free(impl);
-+}
-+
-+static const struct pw_impl_module_events module_events = {
-+ PW_VERSION_IMPL_MODULE_EVENTS,
-+ .destroy = module_destroy,
-+};
-+
-+SPA_EXPORT
-+int pipewire__module_init(struct pw_impl_module *module, const char *args)
-+{
-+ struct pw_context *context = pw_impl_module_get_context(module);
-+ struct pw_properties *props;
-+ struct impl *impl;
-+
-+ impl = calloc(1, sizeof(struct impl));
-+ if (impl == NULL)
-+ return -errno;
-+
-+ pw_log_debug(NAME" module %p: new %s", impl, args);
-+
-+ if (args)
-+ props = pw_properties_new_string(args);
-+ else
-+ props = NULL;
-+
-+ impl->context = context;
-+ impl->properties = props;
-+
-+ pw_context_add_listener(context, &impl->context_listener, &context_events, impl);
-+ pw_impl_module_add_listener(module, &impl->module_listener, &module_events, impl);
-+
-+ pw_impl_module_update_properties(module, &SPA_DICT_INIT_ARRAY(module_props));
-+
-+ return 0;
-+}
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf
deleted file mode 100644
index 5857c4861..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf
+++ /dev/null
@@ -1,56 +0,0 @@
-context.properties = {
- core.daemon = true
- core.name = pipewire-0
- support.dbus = false
- link.max-buffers = 16
-
- # 1=error, 2=warning, 3=info, 4=debug, 5=trace
- log.level = 2
-
- ## Properties for the DSP configuration.
- default.clock.rate = 48000
- default.clock.quantum = 1024
- default.clock.min-quantum = 512
- default.clock.max-quantum = 8192
-}
-
-context.spa-libs = {
- audio.convert.* = audioconvert/libspa-audioconvert
- api.alsa.* = alsa/libspa-alsa
- api.v4l2.* = v4l2/libspa-v4l2
- support.* = support/libspa-support
-}
-
-context.modules = [
- { name = libpipewire-module-protocol-native }
- { name = libpipewire-module-metadata }
- { name = libpipewire-module-spa-device-factory }
- { name = libpipewire-module-spa-node-factory }
- { name = libpipewire-module-client-node }
- { name = libpipewire-module-client-device }
- { name = libpipewire-module-adapter }
- { name = libpipewire-module-link-factory }
- { name = libpipewire-module-session-manager }
-
- # allow clients with the "System" SMACK label
- # such a client is also the session manager (wireplumber)
- {
- name = libpipewire-module-access-seclabel
- args= {
- seclabel.allowed = [ System ]
- }
- }
-
- # and restrict all other clients
- {
- name = libpipewire-module-access
- args= {
- access.force = restricted
- }
- }
-
- # The profile module. Allows application to access profiler
- # and performance data. It provides an interface that is used
- # by pw-top and pw-profiler.
- #{ name = libpipewire-module-profiler }
-]
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service
deleted file mode 100644
index b37fe2551..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Multimedia Service
-Requires=pipewire.socket
-
-[Service]
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-RestrictNamespaces=yes
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-Type=simple
-ExecStart=/usr/bin/pipewire
-Restart=on-failure
-RuntimeDirectory=pipewire
-RuntimeDirectoryPreserve=yes
-User=pipewire
-Environment=PIPEWIRE_RUNTIME_DIR=%t/pipewire
-SmackProcessLabel=System::Pipewire
-UMask=0077
-
-[Install]
-Also=pipewire.socket
-WantedBy=default.target
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket
deleted file mode 100644
index a83435be4..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Multimedia System
-
-[Socket]
-Priority=6
-Backlog=5
-ListenStream=%t/pipewire/pipewire-0
-SocketUser=pipewire
-SocketGroup=pipewire
-SocketMode=0666
-SmackLabel=*
-SmackLabelIPIn=System
-SmackLabelIPOut=System
-
-[Install]
-WantedBy=sockets.target
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/smack-pipewire b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/smack-pipewire
deleted file mode 100644
index 8d5b541ff..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/smack-pipewire
+++ /dev/null
@@ -1,8 +0,0 @@
-System System::Pipewire rwxa--
-System::Pipewire System -wx---
-System::Pipewire System::Shared r-x---
-System::Pipewire System::Run rwxat-
-System::Pipewire System::Log rwxa--
-System::Pipewire _ r-x--l
-System::Pipewire User::Home r-x--l
-System::Pipewire User::App-Shared rwxat-
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.30.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.30.bbappend
deleted file mode 100644
index d0d7e9d29..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.30.bbappend
+++ /dev/null
@@ -1,34 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/pipewire:"
-
-SRC_URI:append= "\
- file://0001-modules-add-new-access-seclabel-module.patch \
- file://pipewire.conf \
- file://pipewire.service \
- file://pipewire.socket \
- file://smack-pipewire \
-"
-
-do_install:append() {
- # replace the original config with our smack-aware config
- mkdir -p ${D}${sysconfdir}/pipewire/
- install -m 0644 ${WORKDIR}/pipewire.conf ${D}${sysconfdir}/pipewire/pipewire.conf
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- # remove the original unit files shipped by pipewire
- rm -rf ${D}${systemd_system_unitdir}/pipewire.*
-
- # install our own system-level templates
- mkdir -p ${D}${systemd_system_unitdir}/
- install -m 0644 ${WORKDIR}/pipewire.service ${D}${systemd_system_unitdir}/pipewire.service
- install -m 0644 ${WORKDIR}/pipewire.socket ${D}${systemd_system_unitdir}/pipewire.socket
-
- # install smack rules
- mkdir -p ${D}${sysconfdir}/smack/accesses.d
- install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire
- fi
-}
-
-FILES:${PN}:append = "\
- ${sysconfdir}/smack/accesses.d/* \
- ${sysconfdir}/pipewire/pipewire.conf \
-"
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua
deleted file mode 100644
index 10b3d7ae3..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua
+++ /dev/null
@@ -1 +0,0 @@
-load_access("smack")
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua
deleted file mode 100644
index a662a0f20..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua
+++ /dev/null
@@ -1,17 +0,0 @@
-clients_om = ObjectManager {
- Interest {
- type = "client",
- Constraint { "pipewire.access", "=", "restricted" },
- }
-}
-
-clients_om:connect("object-added", function (om, client)
- local smack_label = client["global-properties"]["pipewire.sec.label"]
-
- if smack_label:match("^User::App::.+") then
- -- FIXME: apps can work with less permissions
- client:update_permissions { ["any"] = "all" }
- end
-end)
-
-clients_om:activate()
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend
deleted file mode 100644
index 6a40b5f35..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend
+++ /dev/null
@@ -1,15 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/wireplumber-config-agl:"
-
-SRC_URI += "\
- file://50-access-agl.lua \
- file://access-smack.lua \
-"
-
-do_install:append() {
- # install smack-specific config
- config_dir="${D}${sysconfdir}/wireplumber/host.lua.d/"
- access_dir="${D}${datadir}/wireplumber/scripts/access/"
- install -d ${access_dir}
- install -m 0644 ${WORKDIR}/50-access-agl.lua ${config_dir}
- install -m 0644 ${WORKDIR}/access-smack.lua ${access_dir}
-}
-- cgit 1.2.3-korg