Since applaunchd needs to start/stop systemd units, the user is granted
elevated systemd unit-management permissions via PolKit policy. If applaunchd
and all the apps run under the same agl-driver user, all the apps have these
elevated systemd permissions too. Separating them into different users allows
removing elevated systemd unit-management permission from individual apps, but
leaving such permission for applaunchd, which enhances overall security of
the system.
- add new applaunchd user and group
- switch applaunchd (gRPC) service to be started under new user
- since HTML5 apps haven't migrated to gRPC yet and still use D-Bus API,
applaunchd-dbus gets activated by agl-session and runs under agl-driver
- temporarily add agl-driver user into the applaunchd group and switch
PolKit policy to check for applaunchd group, instead of the user
- once D-Bus API is completely deprecated, agl-driver user can be removed
from applaunchd group
Bug-AGL: SPEC-4579
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Change-Id: I75384177578bba6cb458a81df6a9dc1738c972e0
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28039
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
display::202:
agl-driver::1001:
agl-passenger::1002:
+applaunchd::1003:
systemd-network::1005:
systemd-resolve::1006:
mosquitto::1007:
systemd-bus-proxy::995:995:::
agl-driver::1001:1001:::
agl-passenger::1002:1002:::
+applaunchd::1003:1003:::
messagebus::994:994:::
afm::992:992:::
systemd-timesync::988:988:::
--system video ; \
--system pipewire ; \
-g 1001 agl-driver ; \
+ -g 1003 applaunchd ; \
"
+# agl-driver user needs to be part of applaunchd group for D-Bus activation to still work
+# should be removed after everything is converted to gRPC for enhanced security
USERADD_PARAM:${PN} = "\
- -g 1001 -u 1001 -G video,display,pipewire -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+ -g 1001 -u 1001 -G video,display,pipewire,applaunchd -o -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+ -g 1003 -u 1003 -o -d / -K PASS_MAX_DAYS=-1 applaunchd ; \
"
SYSTEMD_PACKAGES = "${PN}"
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit").indexOf("agl-app") == 0 &&
- subject.user == "agl-driver") {
+ subject.isInGroup("applaunchd")) {
return polkit.Result.YES;
}
});
After=network.target
[Service]
-User=agl-driver
+User=applaunchd
Environment=XDG_DATA_DIRS=/usr/share
ExecStart=/usr/bin/applaunchd
Restart=on-failure