From 4ce8411bb9c47a59d67ffe431f43cc4bc408dce1 Mon Sep 17 00:00:00 2001
From: Jan-Simon Möller
Date: Thu, 25 Jun 2020 19:47:24 +0200
Subject: Move meta-agl-profile-graphical-html5 and meta-pipewire into the main layer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reasoning:
- the profile-graphical-html5 belongs in the main layer
- meta-pipewire is enabled by default
For reference - the original location is: https://gerrit.automotivelinux.org/gerrit/gitweb?p=AGL%2Fmeta-agl-devel.git;a=commit;h=8479cd0c37e5e5e207a16f21c864610103e4f20f
Bug-AGL: SPEC-3453
Signed-off-by: Jan-Simon Möller
Change-Id: Ib475331bb6f84437020728fbb3f17b4acaab0106
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/24875
Reviewed-by: Scott Murray
---
 ...005-module-access-add-same-sec-label-mode.patch | 94 ++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch
(limited to 'meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch')
diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch b/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch
new file mode 100644
index 000000000..07a1ec114
--- /dev/null
+++ b/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch
@@ -0,0 +1,94 @@
+From 19fad1a4fa8bdc4f02aac4e169e7ff9cab18bdcd Mon Sep 17 00:00:00 2001
+From: George Kiagiadakis
+Date: Tue, 19 Nov 2019 17:09:07 +0200
+Subject: [PATCH] module-access: add same-sec-label-mode
+
+This is a mode where the access module allows all clients that have
+the same security label as the pipewire daemon, and every other
+client is put on the restricted state.
+
+In systems that use SMACK security labels, such as AGL, this allows
+the session manager (which is spawned by pipewire, inheriting the
+same smack label) to have full access to all objects, while every
+other client is restricted and the session manager must decide
+what to do with it
+
+Note that while this option is configurable, there is no loss of
+security if this option is not set in the configuration. Clients
+that don't have the same security context will be considered to
+be flatpak clients because pipewire will not be able to open
+/proc/pid/cmdline. This however results in some unwanted error
+messages that may be confusing.
+
+Upstream-Status: Inappropriate [agl/smack specific]
+---
+ src/modules/module-access.c | 45 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/module-access.c b/src/modules/module-access.c
+index 09dafa43..f75306d9 100644
+--- a/src/modules/module-access.c
++++ b/src/modules/module-access.c
+@@ -50,6 +50,30 @@ struct impl {
+ struct spa_hook module_listener;
+ };
+ 
++static int check_seclabel(const char *str)
++{
++ char attr[1024];
++ int fd, len;
++
++ fd = open("/proc/self/attr/current", O_RDONLY);
++ if (fd < 0)
++ return -errno;
++
++ if ((len = read(fd, attr, 1024)) <= 0) {
++ close(fd);
++ return -EIO;
++ }
++ attr[len] = '\0';
++
++ if (strcmp(attr, str) == 0) {
++ close(fd);
++ return 1;
++ }
++
++ close(fd);
++ return 0;
++}
++
+ static int check_cmdline(struct pw_client *client, int pid, const char *str)
+ {
+ char path[2048];
+@@ -121,8 +145,27 @@ core_check_access(void *data, struct pw_client *client)
+ const char *str;
+ int pid, res;
+ 
++ props = pw_client_get_properties(client);
++
++ if (impl->properties &&
++ (str = pw_properties_get(impl->properties, "same-sec-label-mode")) != NULL &&
++ strcmp(str, "1") == 0) {
++ if (props && (str = pw_properties_get(props, PW_KEY_SEC_LABEL)) != NULL) {
++ res = check_seclabel(str);
++ if (res == 1)
++ goto granted;
++ else if (res < 0)
++ pw_log_warn("module %p: client %p seclabel check failed: %s",
++ impl, client, spa_strerror(res));
++ }
++ pw_log_debug("module %p: seclabel restricted client %p added",
++ impl, client);
++ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, "restricted");
++ goto wait_permissions;
++ }
++
+ pid = -EINVAL;
+- if ((props = pw_client_get_properties(client)) != NULL) {
++ if (props != NULL) {
+ if ((str = pw_properties_get(props, PW_KEY_SEC_PID)) != NULL)
+ pid = atoi(str);
+ }
+--
+2.24.0
+
-- cgit 1.2.3-korg
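Review bot: In the nested hunk's `check_seclabel`, `read(fd, attr, 1024)` may fill every byte of `attr[1024]`, and `attr[len] = '\0'` then writes one byte past the end of the stack buffer; bound the read so room is left for the terminator, `if ((len = read(fd, attr, sizeof attr - 1)) <= 0) {`. The label comparison is an exact `strcmp`, so any trailing newline or formatting difference between what `/proc/self/attr/current` returns and what `PW_KEY_SEC_LABEL` carries would make the mode quietly restrict every client, including the session manager it is meant to grant; a one-line comment such as `/* both sides must be the raw label with no trailing newline; TODO confirm for the LSM in use */` would record that assumption where it can be checked. Treating a failed or mismatched check as restricted rather than granted is the right fail-closed default and worth keeping as is. `core_check_access`, together with its `granted` and `wait_permissions` labels, begins and ends outside the hunk.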