diff options
| author |   Marius Vlad <marius.vlad@collabora.com> | 2020-06-11 12:14:02 +0300 |
|---|---|---|
| committer |   Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-06-26 15:00:49 +0000 |
| commit | 40da59d00a7f0e7ec48c32cb1f8ef18e5c08f471 (patch) | |
| tree | 7c8ce55d5b3382ec0b130598873f38d312282dd0 | |
| parent | 572d0eac44f115c6a97dae826afd4c6e43fbe4a7 (diff) | |
README: Add a few words about the deny-all policy enginejellyfish_9.99.1jellyfish/9.99.19.99.1
Replaces the agl-shell-desktop mention that all clients can bind to the
interface with a mention that that happens only if the policy engine
allows.
Bug-AGL: SPEC-3413
Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
Change-Id: Ieb6b9df1181cb7a0ad6da09519655ebd8f73a1a5
| -rw-r--r-- | doc/README.md | 16 | ||||
| -rw-r--r-- | protocol/agl-shell-desktop.xml | 4 |
2 files changed, 14 insertions, 6 deletions
diff --git a/doc/README.md b/doc/README.md index 5899d87..090b1ae 100644 --- a/doc/README.md +++ b/doc/README.md @@ -165,7 +165,14 @@ needed to activate applications. ## Policy The compositor contains an API useful for defining policy rules. It contains -the bare minimum and installs, by default, an allow-all kind of engine. +the bare minimum and installs, by default, an allow-all kind of engine. A +deny-all policy engine exists and can be switched to by using +`-Dpolicy-default=deny-all` build time option. + +For instance, in order to configure the compositor with that policy one could +issue: + + $ meson -Dprefix=/path/to/where/to/install/compositor -Dpolicy-default=deny-all build_directory Users wanting to create their own policy engine should create a specialized version and use `struct ivi_policy_api` where they can install their own @@ -186,9 +193,10 @@ control if policy rules (the next type) can be added or not. Finally, we have `ivi_policy_api::policy_rule_try_event()` which is executed for each policy rules currently added, by using the policy API `ivi_policy_add()`. -Users can customize the hooks by using some sort of database to retrieve -the application name to compare against, or incorporate some kind of policy -rule engine. +Users can customize the hooks by using some sort of database to retrieve the +application name to compare against, or incorporate some kind of policy rule +engine. Alternatively, one can use the deny-all policy engine which allows the +top panel applications to be used/displayed as permitted applications. ### Policy rules diff --git a/protocol/agl-shell-desktop.xml b/protocol/agl-shell-desktop.xml index e7b9493..e8ae153 100644 --- a/protocol/agl-shell-desktop.xml +++ b/protocol/agl-shell-desktop.xml @@ -28,8 +28,8 @@ to activate or switch to other running (regular) applications. The client is responsbile for filtering their own app_id when receiving application id. - Note that other (regular) applications can bind to this interface and there is - no mechanism to place to restrict or limit that. + The compositor will allow clients to bind to this interface only if the + policy engine allows it. </description> <enum name="app_role"> |