From 40da59d00a7f0e7ec48c32cb1f8ef18e5c08f471 Mon Sep 17 00:00:00 2001 From: Marius Vlad Date: Thu, 11 Jun 2020 12:14:02 +0300 Subject: [PATCH] README: Add a few words about the deny-all policy engine Replaces the agl-shell-desktop mention that all clients can bind to the interface with a mention that that happens only if the policy engine allows. Bug-AGL: SPEC-3413 Signed-off-by: Marius Vlad Change-Id: Ieb6b9df1181cb7a0ad6da09519655ebd8f73a1a5 --- doc/README.md | 16 ++++++++++++---- protocol/agl-shell-desktop.xml | 4 ++-- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/doc/README.md b/doc/README.md index 5899d87..090b1ae 100644 --- a/doc/README.md +++ b/doc/README.md @@ -165,7 +165,14 @@ needed to activate applications. ## Policy The compositor contains an API useful for defining policy rules. It contains -the bare minimum and installs, by default, an allow-all kind of engine. +the bare minimum and installs, by default, an allow-all kind of engine. A +deny-all policy engine exists and can be switched to by using +`-Dpolicy-default=deny-all` build time option. + +For instance, in order to configure the compositor with that policy one could +issue: + + $ meson -Dprefix=/path/to/where/to/install/compositor -Dpolicy-default=deny-all build_directory Users wanting to create their own policy engine should create a specialized version and use `struct ivi_policy_api` where they can install their own 
@@ -186,9 +193,10 @@ control if policy rules (the next type) can be added or not. Finally, we have `ivi_policy_api::policy_rule_try_event()` which is executed for each policy rules currently added, by using the policy API `ivi_policy_add()`. -Users can customize the hooks by using some sort of database to retrieve -the application name to compare against, or incorporate some kind of policy -rule engine. +Users can customize the hooks by using some sort of database to retrieve the +application name to compare against, or incorporate some kind of policy rule +engine. Alternatively, one can use the deny-all policy engine which allows the +top panel applications to be used/displayed as permitted applications. ### Policy rules diff --git a/protocol/agl-shell-desktop.xml b/protocol/agl-shell-desktop.xml index e7b9493..e8ae153 100644 --- a/protocol/agl-shell-desktop.xml +++ b/protocol/agl-shell-desktop.xml @@ -28,8 +28,8 @@ to activate or switch to other running (regular) applications. The client is responsbile for filtering their own app_id when receiving application id. - Note that other (regular) applications can bind to this interface and there is - no mechanism to place to restrict or limit that. + The compositor will allow clients to bind to this interface only if the + policy engine allows it. -- 2.16.6
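Review bot: In the doc/README.md hunk at @@ -165,7 +165,14, the added sentence "A deny-all policy engine exists and can be switched to by using `-Dpolicy-default=deny-all` build time option" names the switch but never says what the deny-all engine rejects or what it still permits, so a reader cannot tell what changes for clients once it is selected. Suggest adding one sentence describing the engine's effect, and stating explicitly that allow-all remains in force when the option is not passed, since that is the less restrictive of the two. Minor wording: "by using the `-Dpolicy-default=deny-all` build-time option".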
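Review bot: In the doc/README.md hunk at @@ -186,9 +193,10, the added sentence "one can use the deny-all policy engine which allows the top panel applications to be used/displayed as permitted applications" leaves the exception list undefined: it does not say which applications count as "top panel applications", how they are identified (the preceding sentence speaks of an application name to compare against), or whether "used/displayed" means binding to an interface, being activated, or both. For a deny-all engine the exceptions are the part an integrator needs spelled out, so suggest naming the criterion and the hooks that enforce it. The hunk also re-wraps three unchanged sentences, which hides the one real addition; keeping the original line breaks would make the change easier to review.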
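Review bot: In the protocol/agl-shell-desktop.xml hunk at @@ -28,8 +28,8, replacing the note that regular applications can bind with "The compositor will allow clients to bind to this interface only if the policy engine allows it" removes a caveat that still applies to a default build: the README in this same patch says the compositor installs an allow-all engine unless `-Dpolicy-default=deny-all` is given. Suggest keeping that caveat in the description, for example by adding that with the default allow-all engine any client can bind, so protocol readers do not assume a restriction that is only present with a non-default policy. The unchanged context line just above contains the typo "responsbile", which could be corrected while this description is being edited.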