summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosé Bollo <jose.bollo@iot.bzh>2019-05-15 20:49:14 +0200
committerJosé Bollo <jose.bollo@iot.bzh>2019-06-14 11:17:53 +0200
commit77bd42075de481ae89f6a5b2bc8a79bf967d95cd (patch)
tree276904b4bc22397f56a6df883763f87fd68acc27
parent3284913fccd1a8b6e9993eb9676d8d28f02c2151 (diff)
Introduce platform services
The platform services are services that run at the global platform scope as opposite to services that run in the context of the user. Bug-AGL: SPEC-1015 Change-Id: I08c2d47715cbc7436e67781d5e638386be531520 Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-rw-r--r--conf/system/CMakeLists.txt4
-rw-r--r--conf/system/afm-system-setup.sh.in2
-rw-r--r--conf/unit/afm-unit26
-rw-r--r--conf/unit/binder.inc4
-rw-r--r--conf/unit/macros.inc29
-rw-r--r--conf/unit/provided-api-platform.inc85
-rw-r--r--conf/unit/provided-api-user.inc (renamed from conf/unit/provided-api.inc)7
-rw-r--r--conf/unit/provided-binding-platform.inc48
-rw-r--r--conf/unit/provided-binding-user.inc (renamed from conf/unit/provided-binding.inc)4
-rw-r--r--conf/unit/service.inc71
-rw-r--r--docs/3-permissions.md8
11 files changed, 246 insertions, 42 deletions
diff --git a/conf/system/CMakeLists.txt b/conf/system/CMakeLists.txt
index eba8d42..a49d37f 100644
--- a/conf/system/CMakeLists.txt
+++ b/conf/system/CMakeLists.txt
@@ -18,6 +18,10 @@
cmake_minimum_required(VERSION 2.8)
+if(AGL_DEVEL)
+ set(create_platform_debug "dodir ${afm_platform_rundir}/debug")
+endif()
+
configure_file(afm-system-daemon.service.in afm-system-daemon.service)
configure_file(afm-system-daemon.socket.in afm-system-daemon.socket)
configure_file(afm-system-setup.service.in afm-system-setup.service)
diff --git a/conf/system/afm-system-setup.sh.in b/conf/system/afm-system-setup.sh.in
index 2af411c..65e75ed 100644
--- a/conf/system/afm-system-setup.sh.in
+++ b/conf/system/afm-system-setup.sh.in
@@ -13,4 +13,4 @@ dodir $pdir
dodir $pdir/display
dodir $pdir/apis
dodir $pdir/apis/ws
-
+@create_platform_debug@
diff --git a/conf/unit/afm-unit b/conf/unit/afm-unit
index 2a91067..342a048 100644
--- a/conf/unit/afm-unit
+++ b/conf/unit/afm-unit
@@ -88,21 +88,39 @@ divert(0)dnl
{{#targets}}
;-------------------------------------------------------------------------------
include(service.inc)
+IF_PERM(:partner:scope-platform)
;-------------------------------------------------------------------------------
-;---- F O R E A C H P R O V I D E D A P I S ----
+;---- F O R E A C H P R O V I D E D A P I S (PLATFORM) ----
;-------------------------------------------------------------------------------
{{#provided-api}}
{{#value=ws|auto}}
-include(provided-api.inc)
+include(provided-api-platform.inc)
{{/value=ws|auto}}
{{/provided-api}}
;-------------------------------------------------------------------------------
-;---- F O R E A C H P R O V I D E D B I N D I N G ----
+;---- F O R E A C H P R O V I D E D B I N D I N G (PLATFORM) ----
;-------------------------------------------------------------------------------
{{#provided-binding}}
-include(provided-binding.inc)
+include(provided-binding-platform.inc)
{{/provided-binding}}
;-------------------------------------------------------------------------------
+ELSE
+;-------------------------------------------------------------------------------
+;---- F O R E A C H P R O V I D E D A P I S (USER) ----
+;-------------------------------------------------------------------------------
+{{#provided-api}}
+{{#value=ws|auto}}
+include(provided-api-user.inc)
+{{/value=ws|auto}}
+{{/provided-api}}
+;-------------------------------------------------------------------------------
+;---- F O R E A C H P R O V I D E D B I N D I N G (USER) ----
+;-------------------------------------------------------------------------------
+{{#provided-binding}}
+include(provided-binding-user.inc)
+{{/provided-binding}}
+;-------------------------------------------------------------------------------
+ENDIF
{{/targets}}
;-------------------------------------------------------------------------------
; End of file afm-unit.conf mode ON_AGL_DEVEL(DEVEL, RELEASE)
diff --git a/conf/unit/binder.inc b/conf/unit/binder.inc
index 30c25d5..58f877f 100644
--- a/conf/unit/binder.inc
+++ b/conf/unit/binder.inc
@@ -12,7 +12,7 @@ Type=notify
ExecStart=/usr/bin/afb-daemon \
--name afbd-TARGET \
--rootdir={{:#metadata.install-dir}} \
- --workdir=APP_DATA_DIR/{{id}} \
+ --workdir=APP_WORK_DIR \
IF_AGL_DEVEL \
--verbose \
--verbose \
@@ -48,4 +48,4 @@ ENDIF \
{{/provided-api}} \
ON_CONTENT(text/html, --exec /usr/bin/web-runtime http://localhost:@p/{{content.src}}?token=@t) \
ON_CONTENT(application/vnd.agl.native, --exec {{:#metadata.install-dir}}/{{content.src}} @p @t)
-
+%nl
diff --git a/conf/unit/macros.inc b/conf/unit/macros.inc
index a764765..ca72b95 100644
--- a/conf/unit/macros.inc
+++ b/conf/unit/macros.inc
@@ -25,6 +25,7 @@ define( `PERM', `@afm_prefix@permission:$1')
define( `REQPERM', `required-permission.PERM($1)')
define( `ON_PERM', `MUSTACH_ON(REQPERM($1),$2,$3)')
+define( `ON_NOT_PERM', `MUSTACH_ON(REQPERM($1),$3,$2)')
define( `IF_PERM', `MUSTACH_IF(REQPERM($1))')
define( `IF_NOT_PERM', `MUSTACH_IF_NOT(REQPERM($1))')
@@ -43,21 +44,36 @@ define( `IF_NOT_VALUE', `MUSTACH_IF_NOT(value=$1)')
-- use TARGET={{:id}}--{{:ver}}--{{:#target}}
-- instead of TARGET={{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}
--------------------------------------------------------------------------------
+define( `SMACKLABEL', `User::App::{{:id}}')
define( `TARGET', `{{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}')
define( `NEWTARGET', `{{:id}}--{{:ver}}--{{:#target}}')
+define( `UNITSUFFIX', `ON_NOT_PERM(`:partner:scope-platform', `@%i')')
define( `UNIT_NAME_BASE', `afm-ON_PERM(`:public:hidden', `service', `appli')-NEWTARGET')
-define( `UNIT_NAME_SERVICE', `UNIT_NAME_BASE@%i.service')
define( `UNIT_NAME_API_BASE', `afm-api-$1')
-define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)@$2.service')
-define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)@$2.socket')
+define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)UNITSUFFIX.service')
+define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)UNITSUFFIX.socket')
define( `UNIT_NAME_BINDING_BASE', `afm-link-$1')
-define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)@$2.service')
-define( `APP_DATA_DIR', `/home/%i/app-data')
+define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)UNITSUFFIX.service')
+
define( `USER_RUN_DIR', `@afm_users_rundir@/%i')
define( `DEBUGGING_DIR', `@afm_platform_rundir@/debug')
-define( `API_PATH', `USER_RUN_DIR/apis')
+define( `PLATFORM_RUN_DIR', `@afm_platform_rundir@')
+
+define( `APP_DATA_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `/home/%i/app-data')')
+define( `APP_WORK_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `APP_DATA_DIR/{{:id}}')')
+define( `RUN_DIR', `ON_PERM(`:partner:scope-platform', `PLATFORM_RUN_DIR', `USER_RUN_DIR')')
+
+define( `API_PATH', `RUN_DIR/apis')
define( `API_PATH_WS', `API_PATH/ws')
define( `API_PATH_LINK', `API_PATH/link')
+
+define( `PLATFORM_API_PATH', `PLATFORM_RUN_DIR/apis')
+define( `PLATFORM_API_PATH_WS', `PLATFORM_API_PATH/ws')
+define( `PLATFORM_API_PATH_LINK', `PLATFORM_API_PATH/link')
+
+define( `USER_API_PATH', `USER_RUN_DIR/apis')
+define( `USER_API_PATH_WS', `USER_API_PATH/ws')
+define( `USER_API_PATH_LINK', `USER_API_PATH/link')
--------------------------------------------------------------------------------
-- AGL_DEVEL SPECIFIC PARTS
--------------------------------------------------------------------------------
@@ -65,3 +81,4 @@ define( `ON_AGL_DEVEL', `ifdef(`AGL_DEVEL', $1, $2)')
define( `ON_NOT_AGL_DEVEL', `ifdef(`AGL_DEVEL', $2, $1)')
define( `IF_AGL_DEVEL', `IF(ON_AGL_DEVEL(1,0))')
define( `IF_NOT_AGL_DEVEL', `IF(ON_AGL_DEVEL(0,1))')
+--------------------------------------------------------------------------------
diff --git a/conf/unit/provided-api-platform.inc b/conf/unit/provided-api-platform.inc
new file mode 100644
index 0000000..d169d9a
--- /dev/null
+++ b/conf/unit/provided-api-platform.inc
@@ -0,0 +1,85 @@
+dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E A P I (USER) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_API_BASE({{name}})@
+
+[Unit]
+Description=Provides api {{name}} for user %i
+X-AFM-API-TYPE={{value}}
+
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
+
+Requires=UNIT_NAME_API_BASE({{name}}).socket
+After=UNIT_NAME_API_BASE({{name}}).socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf PLATFORM_API_PATH_WS/{{name}} USER_API_PATH_WS/{{name}}
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E A P I (PLATFORM) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_API_BASE({{name}})
+
+[Unit]
+Description=Provides api {{name}} for platform
+X-AFM-API-TYPE={{value}}
+
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+Requires=UNIT_NAME_API_BASE({{name}}).socket
+After=UNIT_NAME_API_BASE({{name}}).socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S O C K E T O F T H E A P I (PLATFORM) ----
+;-------------------------------------------------------------------------------
+
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit socket UNIT_NAME_API_BASE({{name}})
+[Unit]
+Description=Provides websocket api {{name}} for platform
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+DefaultDependencies=no
+
+[Socket]
+SmackLabel=*
+SmackLabelIPIn=System
+SmackLabelIPOut=System
+ListenStream=PLATFORM_API_PATH_WS/{{name}}
+FileDescriptorName={{name}}
+Service=UNIT_NAME_BASE.service
+
+%end systemd-unit
diff --git a/conf/unit/provided-api.inc b/conf/unit/provided-api-user.inc
index bdee6c9..77478c8 100644
--- a/conf/unit/provided-api.inc
+++ b/conf/unit/provided-api-user.inc
@@ -46,11 +46,8 @@ DefaultDependencies=no
SmackLabel=*
SmackLabelIPIn=System
SmackLabelIPOut=System
-ListenStream=API_PATH_WS/{{name}}
+ListenStream=USER_API_PATH_WS/{{name}}
FileDescriptorName={{name}}
-Service=UNIT_NAME_SERVICE
+Service=UNIT_NAME_BASE@%i.service
%end systemd-unit
-
-
-
diff --git a/conf/unit/provided-binding-platform.inc b/conf/unit/provided-binding-platform.inc
new file mode 100644
index 0000000..375a636
--- /dev/null
+++ b/conf/unit/provided-binding-platform.inc
@@ -0,0 +1,48 @@
+dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E B I N D I N G (USER) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})@
+
+[Unit]
+Description=Provides binding {{name}} for user %i
+
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
+Requires=UNIT_NAME_BINDING_BASE({{name}}).service
+After=UNIT_NAME_BINDING_BASE({{name}}).service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf PLATFORM_API_PATH_LINK/{{name}} USER_API_PATH_LINK/{{name}}
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E B I N D I N G (PLATFORM) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})
+
+[Unit]
+Description=Provides binding {{name}} for platform
+
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} PLATFORM_API_PATH_LINK/{{name}}
+
+%end systemd-unit
diff --git a/conf/unit/provided-binding.inc b/conf/unit/provided-binding-user.inc
index 3737126..5a53735 100644
--- a/conf/unit/provided-binding.inc
+++ b/conf/unit/provided-binding-user.inc
@@ -18,8 +18,6 @@ After=afm-user-setup@%i.service
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} API_PATH_LINK/{{name}}
+ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} USER_API_PATH_LINK/{{name}}
%end systemd-unit
-
-
diff --git a/conf/unit/service.inc b/conf/unit/service.inc
index 88c1454..bebf25a 100644
--- a/conf/unit/service.inc
+++ b/conf/unit/service.inc
@@ -8,7 +8,11 @@ dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
%nl
%systemd-unit system
+IF_PERM(:partner:scope-platform)
+%systemd-unit service UNIT_NAME_BASE
+ELSE
%systemd-unit service UNIT_NAME_BASE@
+ENDIF
[Unit]
Description={{description}}
@@ -29,12 +33,19 @@ X-AFM--target-name={{:#target}}
X-AFM--content={{content.src}}
X-AFM--type={{content.type}}
X-AFM--wgtdir={{:#metadata.install-dir}}
-X-AFM--workdir=APP_DATA_DIR/{{:id}}
+X-AFM--workdir=APP_WORK_DIR
X-AFM--visibility=ON_PERM(`:public:hidden', `hidden', `visible')
%nl
+IF_PERM(:partner:scope-platform)
+X-AFM--scope=platform
+After=afm-system-setup.service
+ELSE
+X-AFM--scope=user
Requires=afm-user-session@%i.target
After=user@%i.service
+ENDIF
+
After=Network.target
# Adds check to smack
@@ -44,56 +55,71 @@ ConditionSecurity=smack
# Automatic bound to required api
{{#required-binding}}
{{#value=extern}}
-BindsTo=UNIT_NAME_BINDING_SERVICE({{name}},%i)
-After=UNIT_NAME_BINDING_SERVICE({{name}},%i)
+BindsTo=UNIT_NAME_BINDING_SERVICE({{name}})
+After=UNIT_NAME_BINDING_SERVICE({{name}})
{{/value=extern}}
{{/required-binding}}
+
{{#required-api}}
{{#value=auto|ws}}
-BindsTo=UNIT_NAME_API_SERVICE({{name}},%i)
-After=UNIT_NAME_API_SERVICE({{name}},%i)
+BindsTo=UNIT_NAME_API_SERVICE({{name}})
+After=UNIT_NAME_API_SERVICE({{name}})
{{/value=auto|ws}}
{{/required-api}}
+
{{#provided-api}}
{{#value=ws|auto}}
-Requires=UNIT_NAME_API_SOCKET({{name}},%i)
-After=UNIT_NAME_API_SOCKET({{name}},%i)
+Requires=UNIT_NAME_API_SOCKET({{name}})
+After=UNIT_NAME_API_SOCKET({{name}})
{{/value=ws|auto}}
{{/provided-api}}
%nl
[Service]
+
EnvironmentFile=-@afm_confdir@/unit.env.d/*
EnvironmentFile=-@afm_confdir@/widget.env.d/{{:id}}/*
-SmackProcessLabel=User::App::{{:id}}
+SmackProcessLabel=SMACKLABEL
SuccessExitStatus=0 SIGKILL
-
+UMask=0077
+
+IF_PERM(:partner:scope-platform)
+#DynamicUser=true
+User=daemon
+Group=nobody
+Slice=platform.slice
+ELSE
User=%i
Slice=user-%i.slice
-
+WorkingDirectory=-APP_WORK_DIR
+ExecStartPre=/bin/mkdir -p APP_WORK_DIR
+Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus
+ENDIF
+IF_PERM(:system:capability:keep-all)
+CapabilityBoundingSet=~
+AmbientCapabilities=~
+ELSE
CapabilityBoundingSet=
-#AmbientCapabilities=
+ENDIF
ON_PERM(:platform:no-oom, OOMScoreAdjust=-500)
ON_PERM(:partner:real-time, IOSchedulingClass=realtime)
ON_PERM(:public:display, SupplementaryGroups=display)
-ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock)
+ON_PERM(:public:audio, SupplementaryGroups=audio)
+ON_NOT_PERM(:public:syscall:clock, SystemCallFilter=~@clock)
%nl
-WorkingDirectory=-APP_DATA_DIR/{{:id}}
-ExecStartPre=/bin/mkdir -p APP_DATA_DIR/{{:id}}
Environment=AFM_ID=TARGET
Environment=AFM_APP_INSTALL_DIR={{:#metadata.install-dir}}
-Environment=AFM_WORKDIR=APP_DATA_DIR/{{:id}}
+Environment=AFM_WORKDIR=APP_WORK_DIR
Environment=AFM_WSAPI_DIR=API_PATH_WS
Environment=PATH=/usr/sbin:/usr/bin:/sbin:/bin:{{:#metadata.install-dir}}/bin
Environment=LD_LIBRARY_PATH={{:#metadata.install-dir}}/lib
-Environment=XDG_DATA_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_CONFIG_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_CACHE_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_RUNTIME_DIR=USER_RUN_DIR
-Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus
+Environment=XDG_DATA_HOME=APP_WORK_DIR
+Environment=XDG_CONFIG_HOME=APP_WORK_DIR
+Environment=XDG_CACHE_HOME=APP_WORK_DIR
+Environment=XDG_RUNTIME_DIR=RUN_DIR
IF_AGL_DEVEL
; Needed to enable debug
@@ -124,9 +150,14 @@ IF_PERM(:system:run-by-default)
; auto start
;-------------------------------------------------------------------------------
[Install]
+IF_PERM(:partner:scope-platform)
+WantedBy=multi-user.target
+%systemd-unit wanted-by multi-user.target
+ELSE
WantedBy=afm-user-session@.target
%systemd-unit wanted-by afm-user-session@.target
ENDIF
+ENDIF
%end systemd-unit
diff --git a/docs/3-permissions.md b/docs/3-permissions.md
index 957478e..fa65c5d 100644
--- a/docs/3-permissions.md
+++ b/docs/3-permissions.md
@@ -90,7 +90,7 @@ attachment of value to permission.
## Example of permissions
Here is a list of some possible permissions.
-These permissions are available the 17th of March 2017.
+These permissions are available the 21th of May 2019.
- urn:AGL:permission::platform:no-oom
Set OOMScoreAdjust=-500 to keep the out-of-memory
@@ -117,6 +117,12 @@ These permissions are available the 17th of March 2017.
Forbids services to provide its API through D-Bus.
- urn:AGL:permission::system:run-by-default
Starts automatically the application. Example: home-screen.
+- urn:AGL:permission::partner:scope-platform
+ Install the service at the scope of the platform.
+- urn:AGL:permission::system:capability:keep-all
+ Keep all capabilities for the service. Note that implementing
+ that permission is not mandatory or can be adapted for the given
+ system.
- <http://tizen.org/privilege/internal/dbus>
Permission to use D-Bus.