meta-agl-profile-graphical: add SMACK labelling for weston 72/24472/4
authorScott Murray <scott.murray@konsulko.com>
Tue, 5 May 2020 19:04:46 +0000 (15:04 -0400)
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tue, 12 May 2020 23:34:44 +0000 (23:34 +0000)
The initial patch to allow disabling memfd usage in weston has
proven to be naive, as the v7 wayland seat resource changes in
Weston 8.0.0 are dependent on memfd usage.  To avoid needing to make more
invasive changes such as forcing the seat resource version back to
v6, drop the patch in favor of having Weston run under a
System::Weston SMACK label and adding the rules required to have it
work.

As well, use-XDG_RUNTIMESHARE_DIR.patch and the associated service
unit changes have been removed since they are not required now with
explicit labelling in place.

Bug-AGL: SPEC-3305, SPEC-3350

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: I8aef287219a7f95992a82f4ec2ee8e1822ca4ce8

meta-agl-profile-graphical/recipes-graphics/wayland/weston-init/weston.conf.in
meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch [deleted file]
meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston [new file with mode: 0644]
meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch [deleted file]
meta-agl-profile-graphical/recipes-graphics/wayland/weston_8.0.0.bbappend
meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend [new file with mode: 0644]

index 211136c..9c3df05 100644 (file)
@@ -1,9 +1,6 @@
 [Service]
 Type=notify
 Environment="XDG_RUNTIME_DIR=@XDG_RUNTIME_DIR@"
-Environment="XDG_RUNTIMESHARE_DIR=@XDG_RUNTIME_DIR@/share"
-ExecStartPre=/bin/mkdir -p @XDG_RUNTIME_DIR@/share
-ExecStartPre=+/usr/bin/chsmack -a User::App-Shared -t @XDG_RUNTIME_DIR@/share
 # Note that clearing PAMName (thus not having PAMName=login) disables
 # logind support for the session, which allows setting XDG_RUNTIME_DIR
 # to something other than /run/user/% (as is done above).
@@ -12,3 +9,4 @@ ExecStartPre=+/usr/bin/chsmack -a User::App-Shared -t @XDG_RUNTIME_DIR@/share
 PAMName=
 ExecStart=
 ExecStart=@WESTONSTART@
+SmackProcessLabel=System::Weston
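Review bot: The added `SmackProcessLabel=System::Weston` line gives no hint that the label only works together with a rule file shipped by a different recipe. The rules are installed by the `do_install_append` in weston_8.0.0.bbappend, and only when `smack` is in DISTRO_FEATURES, while this drop-in sets the label unconditionally. systemd documents the directive as ignored when SMACK is disabled, so the mismatch should be harmless, but a reader of the unit cannot see where the policy lives. I would add a comment above the line such as `# Access rules for this label: smack/accesses.d/weston (installed by the weston recipe)`.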
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/0005-add-memfd-create-option.patch
deleted file mode 100644 (file)
index f4ea601..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-Add memfd-create option
-
-Add a meson build option, memfd-create, that controls whether the
-memfd_create system call support will be enabled.  The default value
-is true so that it will be enabled, but it allows users like AGL
-that currently has issues with security labels and memfd to disable
-it.
-
-Upstream-Status: Pending
-
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-
-diff --git a/meson.build b/meson.build
-index 82107e1..9d042ca 100644
---- a/meson.build
-+++ b/meson.build
-@@ -78,8 +78,12 @@ elif cc.has_header_symbol('sys/mkdev.h', 'major')
- endif
- optional_libc_funcs = [
--      'mkostemp', 'strchrnul', 'initgroups', 'posix_fallocate', 'memfd_create'
-+      'mkostemp', 'strchrnul', 'initgroups', 'posix_fallocate'
- ]
-+if get_option('memfd-create')
-+      optional_libc_funcs += [ 'memfd_create' ]
-+endif
-+
- foreach func : optional_libc_funcs
-       if cc.has_function(func)
-               config_h.set('HAVE_' + func.to_upper(), 1)
-diff --git a/meson_options.txt b/meson_options.txt
-index 80a2ad7..4a93472 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -99,6 +99,13 @@ option(
-       description: 'systemd service plugin: state notify, watchdog, socket activation'
- )
-+option(
-+      'memfd-create',
-+      type: 'boolean',
-+      value: true,
-+      description: 'Use memfd_create system call'
-+)
-+
- option(
-       'remoting',
-       type: 'boolean',
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston
new file mode 100644 (file)
index 0000000..63a3240
--- /dev/null
@@ -0,0 +1,8 @@
+System System::Weston rwxa--
+System::Weston System rwx---
+System::Weston System::Shared rwx---
+System::Weston System::Run rwxat-
+System::Weston System::Log rwxa--
+System::Weston _ r-x--l
+System::Weston User::Home r-x--l
+System::Weston User::App-Shared rwxat-
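Review bot: The rules `System::Weston System rwx---` and `System::Weston System::Shared rwx---` let the compositor write to every object carrying those labels, which is a wide grant for a process that parses input from every client connected to the wayland socket. The commit message says only that these are the rules required to make it work, so nothing records which Weston operation needs each line. Consider noting the reason per rule, either in the recipe next to the install step or in this file if the rule loader in use accepts comment lines. It is also worth checking whether `r-x` is enough for the `System` object, so a later reviewer can tell a required grant from a leftover.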
diff --git a/meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch b/meta-agl-profile-graphical/recipes-graphics/wayland/weston/use-XDG_RUNTIMESHARE_DIR.patch
deleted file mode 100644 (file)
index 0e5d7cd..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From 0ed62e1a0beb47e033f7632dbf6d2087366b7830 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Fri, 13 Oct 2017 14:05:56 +0200
-Subject: [PATCH] use XDG_RUNTIMESHARE_DIR
-
-When running with LSM Smack, the file returned by the
-function 'os_create_anonymous_file' is tagged with the
-security label of weston. That security label genrally doesn't
-allow sharing of files? Then passing the vreated file descriptor
-to the client application fails with EPERM.
-
-To allow file descriptors to be tagged with a security
-label that allows clients to receive and use it, that
-patch introduce the use of the environment variable
-XDG_RUNTIMESHARE_DIR that takes precedence over
-XDG_RUNTIME_DIR whe, creating anonymous file is needed.
-
-A correct setting of the shared directory using Smack's
-transmute mechanism allows set up file tag for sharing.
-
-This patch was submitted upstream for discussion but
-was rejected with the following reason (IIRC): "the
-function 'os_create_anonymous_file' and the sharing
-are obsolete and should not be used anymore. IVI was
-requiring it but newer version don't use it". Halas,
-even aligned with latest versions of IVI-shell and weston,
-the patch is needed. Because of its simplicity, it can
-remain maintained locally out of mainstream in the wait
-of further investigations.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-[Updated for Weston 8.0.0]
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-
-diff --git a/shared/os-compatibility.c b/shared/os-compatibility.c
-index 5e1ce47..9962588 100644
---- a/shared/os-compatibility.c
-+++ b/shared/os-compatibility.c
-@@ -184,7 +184,9 @@ os_create_anonymous_file(off_t size)
-       } else
- #endif
-       {
--              path = getenv("XDG_RUNTIME_DIR");
-+              path = getenv("XDG_RUNTIMESHARE_DIR");
-+              if (!path)
-+                      path = getenv("XDG_RUNTIME_DIR");
-               if (!path) {
-                       errno = ENOENT;
-                       return -1;
index 03626ab..bafd6bb 100644 (file)
@@ -6,11 +6,21 @@ FILESEXTRAPATHS_append := ":${THISDIR}/${PN}"
 #    and waltham can take a look and update it.
 SRC_URI_append = "\
     file://0001-Allow-regular-users-to-launch-Weston_7.0.0.patch \
-    file://use-XDG_RUNTIMESHARE_DIR.patch \
     file://0002-ivi-shell-Fix-crash-due-no-transmitter-screen.patch \
     file://0001-libweston-Expose-weston_output_damage-in-libweston.patch \
     file://0004-unconditionally-include-mman.h.patch \
-    file://0005-add-memfd-create-option.patch \
+    file://smack-weston \
     "
 
-EXTRA_OEMESON_append = " -Denable-user-start=true -Dmemfd-create=false"
+EXTRA_OEMESON_append = " -Denable-user-start=true"
+
+do_install_append() {
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'smack', 'true', 'false', d)}; then
+        # Install SMACK rules
+        install -D -m 0644 ${WORKDIR}/smack-weston ${D}${sysconfdir}/smack/accesses.d/weston
+    fi
+}
+
+FILES_${PN} += "\
+    ${sysconfdir}/smack/accesses.d/* \
+"
diff --git a/meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend b/meta-agl-profile-graphical/recipes-security/security-manager/security-manager_%.bbappend
new file mode 100644 (file)
index 0000000..d6fcb40
--- /dev/null
@@ -0,0 +1,6 @@
+
+do_install_append() {
+   # Needed for wayland-0 socket access and memfd usage
+   echo "~APP~ System::Weston rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+   echo "System::Weston ~APP~ rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+}
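Review bot: The two `echo ... >>` lines create `app-rules-template.smack` if it is missing, so a moved or renamed upstream template would silently yield a policy file holding only these two rules rather than a build failure. A guard before the appends would catch that: `tpl=${D}${datadir}/security-manager/policy/app-rules-template.smack` followed by `[ -f "$tpl" ] || bbfatal "app-rules-template.smack not found"`. The rules are also template-wide: every installed application gets `rw` on all `System::Weston` objects, and Weston gets `rw` on every application label. The comment could say which direction and which access bit the socket and the memfd case each need, so the grant can be narrowed later if one of them turns out to be unnecessary.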