Move meta-agl-profile-graphical-html5 and meta-pipewire into the main layer

[AGL/meta-agl.git] / meta-pipewire / recipes-multimedia / pipewire / pipewire / 0005-module-access-add-same-sec-label-mode.patch

diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch b/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch
new file mode 100644 (file)
index 0000000..07a1ec1
--- /dev/null
+++ b/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch
@@ -0,0 +1,94 @@
+From 19fad1a4fa8bdc4f02aac4e169e7ff9cab18bdcd Mon Sep 17 00:00:00 2001
+From: George Kiagiadakis <george.kiagiadakis@collabora.com>
+Date: Tue, 19 Nov 2019 17:09:07 +0200
+Subject: [PATCH] module-access: add same-sec-label-mode
+
+This is a mode where the access module allows all clients that have
+the same security label as the pipewire daemon, and every other
+client is put on the restricted state.
+
+In systems that use SMACK security labels, such as AGL, this allows
+the session manager (which is spawned by pipewire, inheriting the
+same smack label) to have full access to all objects, while every
+other client is restricted and the session manager must decide
+what to do with it
+
+Note that while this option is configurable, there is no loss of
+security if this option is not set in the configuration. Clients
+that don't have the same security context will be considered to
+be flatpak clients because pipewire will not be able to open
+/proc/pid/cmdline. This however results in some unwanted error
+messages that may be confusing.
+
+Upstream-Status: Inappropriate [agl/smack specific]
+---
+ src/modules/module-access.c | 45 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/module-access.c b/src/modules/module-access.c
+index 09dafa43..f75306d9 100644
+--- a/src/modules/module-access.c
++++ b/src/modules/module-access.c
+@@ -50,6 +50,30 @@ struct impl {
+       struct spa_hook module_listener;
+ };
+ 
++static int check_seclabel(const char *str)
++{
++      char attr[1024];
++      int fd, len;
++
++      fd = open("/proc/self/attr/current", O_RDONLY);
++      if (fd < 0)
++              return -errno;
++
++      if ((len = read(fd, attr, 1024)) <= 0) {
++              close(fd);
++              return -EIO;
++      }
++      attr[len] = '\0';
++
++      if (strcmp(attr, str) == 0) {
++              close(fd);
++              return 1;
++      }
++
++      close(fd);
++      return 0;
++}
++
+ static int check_cmdline(struct pw_client *client, int pid, const char *str)
+ {
+       char path[2048];
+@@ -121,8 +145,27 @@ core_check_access(void *data, struct pw_client *client)
+       const char *str;
+       int pid, res;
+ 
++      props = pw_client_get_properties(client);
++
++      if (impl->properties &&
++          (str = pw_properties_get(impl->properties, "same-sec-label-mode")) != NULL &&
++          strcmp(str, "1") == 0) {
++              if (props && (str = pw_properties_get(props, PW_KEY_SEC_LABEL)) != NULL) {
++                      res = check_seclabel(str);
++                      if (res == 1)
++                              goto granted;
++                      else if (res < 0)
++                              pw_log_warn("module %p: client %p seclabel check failed: %s",
++                                      impl, client, spa_strerror(res));
++              }
++              pw_log_debug("module %p: seclabel restricted client %p added",
++                      impl, client);
++              items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, "restricted");
++              goto wait_permissions;
++      }
++
+       pid = -EINVAL;
+-      if ((props = pw_client_get_properties(client)) != NULL) {
++      if (props != NULL) {
+               if ((str = pw_properties_get(props, PW_KEY_SEC_PID)) != NULL)
+                       pid = atoi(str);
+       }
+-- 
+2.24.0
+