meta-app-framework: applaunchd: run under a separate user

Since applaunchd needs to start/stop systemd units, the user is granted
elevated systemd unit-management permissions via PolKit policy. If applaunchd
and all the apps run under the same agl-driver user, all the apps have these
elevated systemd permissions too. Separating them into different users allows
removing elevated systemd unit-management permission from individual apps, but
leaving such permission for applaunchd, which enhances overall security of
the system.

- add new applaunchd user and group
- switch applaunchd (gRPC) service to be started under new user
- since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API,
  applaunchd-dbus gets activated by agl-session and runs under agl-driver
- temporarily add agl-driver user into the applaunchd group and switch
  PolKit policy to check for applaunchd group, instead of the user
- once D-Bus API is completely deprecated, agl-driver user can be removed
  from applaunchd group

Bug-AGL: SPEC-4579
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>

diff --git a/meta-agl-core/files/group b/meta-agl-core/files/group
index 10cec78..4496112 100644 (file)
--- a/meta-agl-core/files/group
+++ b/meta-agl-core/files/group
@@ -89,6 +89,7 @@ wayland::201:
 display::202:
 agl-driver::1001:
 agl-passenger::1002:
+applaunchd::1003:
 systemd-network::1005:
 systemd-resolve::1006:
 mosquitto::1007:

diff --git a/meta-agl-core/files/passwd b/meta-agl-core/files/passwd
index b97bf3b..1b24d27 100644 (file)
--- a/meta-agl-core/files/passwd
+++ b/meta-agl-core/files/passwd
@@ -23,6 +23,7 @@ sshd::996:996:::
 systemd-bus-proxy::995:995:::
 agl-driver::1001:1001:::
 agl-passenger::1002:1002:::
+applaunchd::1003:1003:::
 messagebus::994:994:::
 afm::992:992:::
 systemd-timesync::988:988:::

diff --git a/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb b/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
index ecad161..067f2a6 100644 (file)
--- a/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
+++ b/meta-app-framework/recipes-config/agl-session/agl-session_0.1.bb
@@ -17,9 +17,13 @@ GROUPADD_PARAM:${PN} = "\
        --system video ; \
        --system pipewire ; \
        -g 1001 agl-driver ; \
+       -g 1003 applaunchd ; \
 "
+# agl-driver user needs to be part of applaunchd group for D-Bus activation to still work
+# should be removed after everything is converted to gRPC for enhanced security
 USERADD_PARAM:${PN} = "\
-  -g 1001 -u 1001 -G video,display,pipewire -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+  -g 1001 -u 1001 -G video,display,pipewire,applaunchd -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+  -g 1003 -u 1003 -o -d / -K PASS_MAX_DAYS=-1 applaunchd ; \
 "
 
 SYSTEMD_PACKAGES = "${PN}"

diff --git a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
index dd4b694..35b9559 100644 (file)
--- a/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
+++ b/meta-app-framework/recipes-config/polkit-rule-agl-app/files/50-agl-app.rules
@@ -1,7 +1,7 @@
 polkit.addRule(function(action, subject) {
     if (action.id == "org.freedesktop.systemd1.manage-units" &&
         action.lookup("unit").indexOf("agl-app") == 0 &&
-        subject.user == "agl-driver") {
+        subject.isInGroup("applaunchd")) {
         return polkit.Result.YES;
     }
 });

diff --git a/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service b/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
index 95673e9..a5a2df5 100644 (file)
--- a/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
+++ b/meta-app-framework/recipes-core/applaunchd/applaunchd/applaunchd.service
@@ -3,7 +3,7 @@ Wants=network.target
 After=network.target
 
 [Service]
-User=agl-driver
+User=applaunchd
 Environment=XDG_DATA_DIRS=/usr/share
 ExecStart=/usr/bin/applaunchd
 Restart=on-failure