afm-unit.conf: Removes capabilities of applications
[src/app-framework-main.git] / conf / afm-unit-debug.conf.in
1 ;---------------------------------------------------------------------------------
2 ; File:
3 ;
4 ;    afm-unit.conf
5 ;
6 ; Role:
7 ;
8 ;    Configure how installation of widget produces unit files for systemd
9 ;
10 ; Processing and format:
11 ;
12 ;    1. File load
13 ;
14 ;           Lines beginning with ; are removed first
15 ;
16 ;    2. File instantiation
17 ;
18 ;           Mustache (extended) substitutions are applied using JSON
19 ;           data deduced from config.xml file of the widget.
20 ;
21 ;    3. Extraction of units
22 ;
23 ;           Extract produced units, pack them (remove empty lines and directives)
24 ;
25 ; Directives:
26 ;
27 ;    Each directive occupies one whole line starting with %
28 ;
29 ;     - %nl
30 ;
31 ;             produce an empty line at the end
32 ;
33 ;     - %begin systemd-unit
34 ;     - %end systemd-unit
35 ;
36 ;             delimit the produced unit
37 ;
38 ;     - %systemd-unit user
39 ;     - %systemd-unit system
40 ;
41 ;             tells the kind of unit (user/system)
42 ;
43 ;     - %systemd-unit service NAME
44 ;     - %systemd-unit socket NAME
45 ;
46 ;             gives the name and type of the unit
47 ;
48 ;     - %systemd-unit wanted-by NAME
49 ;
50 ;             tells to install a link to unit in the wants of NAME
51 ;
52 ; Setting variables:
53 ;
54 ;    AFM uses the feature of systemd that completely ignores options prefixed
55 ;    with X-
56 ;
57 ;    Consequently, options starting with X-AFM- are recorded as public data
58 ;    about the application and options starting with X-AFM-- are
59 ;    recorded as private data.
60 ;
61 ;    Examples:
62 ;
63 ;        X-AFM-description={{description}}
64 ;
65 ;              Records the description of the unit in the field "description"
66 ;              of both the public and private object describing the unit.
67 ;
68 ;        X-AFM--wgtdir={{:#metadata.install-dir}}
69 ;
70 ;              Records the installation directory path in the field "wgtdir"
71 ;              of the private object only.
72 ;
73 ;---------------------------------------------------------------------------------
; Opens the "targets" section; the matching {{/targets}} is the last tag of the
; file, so everything in between is rendered inside it (presumably once per
; target of the widget -- confirm against wgtpkg-unit).
74 {{#targets}}
75
76 ;---------------------------------------------------------------------------------
77 ;----        P R O V I D E D   U N I T S                                      ----
78 ;---------------------------------------------------------------------------------
; Start of the service unit produced for the target. Lines starting with # are
; not removed at load time (only ; lines are), so the "auto generated" line
; below is rendered like any other text of the unit.
79 %begin systemd-unit
80
81 # auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
82 %nl
83
; X-AFM-* options are recorded as public data about the application and
; X-AFM--* options as private data (see "Setting variables" in the header).
; NOTE(review): the values substituted below are deduced from the widget's
; config.xml and end up in a unit declared with "%systemd-unit system".
; Confirm that the installer rejects or escapes line breaks in these fields,
; so that a field value cannot add directives to the generated unit.
84 [Unit]
85 Description={{description}}
86 X-AFM-description={{description}}
87 X-AFM-name={{name.content}}
88 X-AFM-shortname={{name.short}}
89 #***************
90 # use X-AFM-id={{:id}}--{{:ver}}--{{:#target}}
91 # instead of:
92 X-AFM-id={{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}
93 # when home screen will use real ids
94 #**************
95 X-AFM-version={{:version}}
96 X-AFM-author={{author.content}}
97 X-AFM-author-email={{author.email}}
98 X-AFM-width={{width}}
99 X-AFM-height={{height}}
100 {{#icon}}
101 X-AFM-icon={{:#metadata.install-dir}}/{{:src}}
102 {{/icon}}
103 X-AFM--ID={{:id}}
104 X-AFM--target-name={{:#target}}
105 X-AFM--content={{content.src}}
106 X-AFM--type={{content.type}}
107 X-AFM--wgtdir={{:#metadata.install-dir}}
108 X-AFM--workdir={{&#metadata.app-data-dir}}/{{:id}}
109 %nl
110
111 Wants=sockets.target
112
; ConditionSecurity=smack makes systemd skip the unit when Smack is not
; enabled, so the application is not started without the Smack label that
; [Service] assigns to it.
113 # Adds check to smack
114 ConditionSecurity=smack
115 %nl
116
; For every required API whose value is "auto" or "ws", the service is bound to
; the per-user socket unit of that API and ordered after it.
117 # Automatic bound to required api
118 {{#required-api}}
119 {{#value=auto|ws}}
120 BindsTo=afm-api-ws-{{name}}@%i.socket
121 After=afm-api-ws-{{name}}@%i.socket
122 {{/value=auto|ws}}
123 {{/required-api}}
124 %nl
125
; [Service] settings shared by every content type.
; The leading "-" on EnvironmentFile= and WorkingDirectory= tells systemd not to
; fail when the path is missing. @afm_confdir@ is a build-time placeholder of
; this .conf.in file.
126 [Service]
127 EnvironmentFile=-@afm_confdir@/unit.env.d/*
; The process gets a Smack label derived from the application id.
128 SmackProcessLabel=User::App::{{:id}}
129 SuccessExitStatus=0 SIGKILL
130
; The unit is a template: %i (the instance name) is used as the user to run as,
; and a PAM session is opened through the "su" PAM service.
131 PAMName=su
132 User=%i
133
; Assigning the empty string resets both sets to empty: the application starts
; with no capability in its bounding set and none in its ambient set.
; no-setuid-fixup-locked locks the no-setuid-fixup secure bit in its current
; state, so the application cannot switch off the kernel's capability
; adjustments on UID changes.
134 CapabilityBoundingSet=
135 AmbientCapabilities=
136 SecureBits=no-setuid-fixup-locked
137
; Permission-driven directives: a {{#permission}} line emits its directive when
; the widget requires the permission, a {{^permission}} line when it does not.
; The line starting with # stays in the rendered text as a comment, so
; RestrictRealtime=on is currently NOT applied to applications lacking the
; real-time permission.
; NOTE(review): confirm that leaving RestrictRealtime disabled is intended.
138 {{#required-permission}}
139   {{#urn:AGL:permission::platform:no-oom}}      OOMScoreAdjust=-500             {{/urn:AGL:permission::platform:no-oom}}
140   {{#urn:AGL:permission::partner:real-time}}    IOSchedulingClass=realtime      {{/urn:AGL:permission::partner:real-time}}
141 #  {{^urn:AGL:permission::partner:real-time}}    RestrictRealtime=on             {{/urn:AGL:permission::partner:real-time}}
142   {{#urn:AGL:permission::public:display}}       SupplementaryGroups=display     {{/urn:AGL:permission::public:display}}
143   {{^urn:AGL:permission::public:syscall:clock}} SystemCallFilter=~@clock        {{/urn:AGL:permission::public:syscall:clock}}
144 {{/required-permission}}
145 %nl
146
; The per-application data directory is created before start and used as the
; working directory; the install directory is appended last to PATH.
147 WorkingDirectory=-{{&#metadata.app-data-dir}}/{{:id}}
148 ExecStartPre=/bin/mkdir -p {{&#metadata.app-data-dir}}/{{:id}}
149 Environment=AFM_APP_INSTALL_DIR={{:#metadata.install-dir}}
150 Environment=PATH=/usr/sbin:/usr/bin:/sbin:/bin:{{:#metadata.install-dir}}
151
; Debug-only hook: every variable found in the per-application .env file under
; /var/run/afm-debug is added to the service environment.
; NOTE(review): whoever can write that file controls the environment of the
; application process; confirm that /var/run/afm-debug is writable only by the
; trusted debug tooling and that this template is not used on production images.
152 ; Needed to enable debug
153 Environment=AFM_ID={{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}
154 EnvironmentFile=-/var/run/afm-debug/{{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}.env
155
; The unit is a system unit. Its name starts with afm-service- when the widget
; requires the "hidden" permission and with afm-appli- otherwise; the trailing @
; makes it a template unit. The "\" ending the mustache tag lines presumably
; joins them with the next line in the extended mustache -- TODO confirm.
156 %systemd-unit system
157 {{#required-permission.urn:AGL:permission::public:hidden}}\
158 %systemd-unit service afm-service-{{:id}}--{{:ver}}--{{:#target}}@
159 {{/required-permission.urn:AGL:permission::public:hidden}}\
160 {{^required-permission.urn:AGL:permission::public:hidden}}\
161 %systemd-unit service afm-appli-{{:id}}--{{:ver}}--{{:#target}}@
162 {{/required-permission.urn:AGL:permission::public:hidden}}\
163
; systemd performs no variable expansion in Environment=, so $ORIGIN reaches
; the process literally.
164 Environment=LD_LIBRARY_PATH=$ORIGIN/lib
165
; stdin is closed; stdout and stderr go to the journal under a per-application
; identifier.
166 SyslogIdentifier=afbd-{{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}
167 StandardInput=null
168 StandardOutput=journal
169 StandardError=journal
170
171 ;---------------------------------------------------------------------------------
172 ;----   text/html  application/vnd.agl.native  application/vnd.agl.service    ----
173 ;---------------------------------------------------------------------------------
; For these three content types the application is run behind afb-daemon. The
; command line is assembled from the widget's required permissions, its
; required-api entries (client side) and its provided-api entries (server side).
;
; NOTE(review): --token=HELLO is a constant, identical in every unit generated
; from this template, so the token does not tell one client from another. The
; file path shows this is the debug variant (afm-unit-debug.conf.in); keep it,
; together with --verbose and --monitoring, off production images.
; NOTE(review): @p and @t in the --exec lines look like placeholders that
; afb-daemon replaces with the port and the token -- if so, the token is part of
; the launched command line and URL, which other local processes may be able to
; read. Confirm.
; NOTE(review): --workdir uses {{id}} while WorkingDirectory= and ExecStartPre=
; use {{:id}}; confirm that both render the same path.
174 {{#content.type=text/html|application/vnd.agl.native|application/vnd.agl.service}}
175
176 X-AFM--http-port={{:#metadata.http-port}}
177
178 ExecStart=/usr/bin/afb-daemon \
179         --name afbd-{{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}} \
180         --rootdir={{:#metadata.install-dir}} \
181         --workdir={{&#metadata.app-data-dir}}/{{id}} \
182         --port={{:#metadata.http-port}} \
183         --token=HELLO \
184         --verbose \
185         --monitoring \
186         {{^content.type=application/vnd.agl.service}} \
187                 {{#required-permission.urn:AGL:permission::public:no-htdocs}}\
188                         --roothttp=. \
189                 {{/required-permission.urn:AGL:permission::public:no-htdocs}}\
190                 {{^required-permission.urn:AGL:permission::public:no-htdocs}}\
191                         --roothttp=htdocs \
192                 {{/required-permission.urn:AGL:permission::public:no-htdocs}}\
193         {{/content.type=application/vnd.agl.service}} \
194         {{#content.type=application/vnd.agl.service}} \
195                 --roothttp=. \
196         {{/content.type=application/vnd.agl.service}} \
197         {{#required-permission.urn:AGL:permission::public:applications:read}}\
198                 --alias=/icons:{{:#metadata.icons-dir}} \
199         {{/required-permission.urn:AGL:permission::public:applications:read}}\
200         {{#required-api}}\
201                 {{#value=auto}}\
202                         --ws-client=unix:%t/apis/ws/{{name}} \
203                 {{/value=auto}}\
204                 {{#value=ws}}\
205                         --ws-client=unix:%t/apis/ws/{{name}} \
206                 {{/value=ws}}\
207                 {{#value=dbus}}\
208                         --dbus-client={{name}} \
209                 {{/value=dbus}}\
210                 {{#value=link}}\
211                         --binding=%t/apis/lib/{{name}} \
212                 {{/value=link}}\
213                 {{#value=cloud}}\
214                         --cloud-client={{name}} \
215                 {{/value=cloud}}\
216                 {{#value=local}}\
217                         --binding={{:#metadata.install-dir}}/{{name}} \
218                 {{/value=local}}\
219         {{/required-api}}\
220         {{#provided-api}}\
221                 {{#value=auto}}\
222                         {{^required-permission.urn:AGL:permission::partner:service:no-ws}}\
223                                 --ws-server=sd:{{name}} \
224                         {{/required-permission.urn:AGL:permission::partner:service:no-ws}}\
225                         {{^required-permission.urn:AGL:permission::partner:service:no-dbus}}\
226                                 --dbus-server={{name}} \
227                         {{/required-permission.urn:AGL:permission::partner:service:no-dbus}}\
228                 {{/value=auto}}\
229                 {{#value=ws}}\
230                         --ws-server=sd:{{name}} \
231                 {{/value=ws}}\
232                 {{#value=dbus}}\
233                         --dbus-server={{name}} \
234                 {{/value=dbus}}\
235         {{/provided-api}}\
236         {{#content.type=text/html}}\
237                 --exec /usr/bin/web-runtime http://localhost:@p/{{content.src}}?token=@t
238         {{/content.type=text/html}}\
239         {{#content.type=application/vnd.agl.native}}\
240                 --exec {{:#metadata.install-dir}}/{{content.src}} @p @t
241         {{/content.type=application/vnd.agl.native}}
242
243 {{/content.type=text/html|application/vnd.agl.native|application/vnd.agl.service}}
244
245
246 ;---------------------------------------------------------------------------------
247 ;----                 application/x-executable                                ----
248 ;---------------------------------------------------------------------------------
; Plain executables are started directly from the install directory, without
; afb-daemon in front of them; the [Service] settings of the unit (Smack label,
; empty capability sets, User=%i) still apply to the process.
249 {{#content.type=application/x-executable}}
250
251 ExecStart={{:#metadata.install-dir}}/{{content.src}}
252
253 {{/content.type=application/x-executable}}
254
255 ;---------------------------------------------------------------------------------
256 ; auto start
257 ;---------------------------------------------------------------------------------
; Only widgets requiring the system:run-by-default permission get an [Install]
; section; the wanted-by directive tells the installer to link the unit into
; the wants of default.target. "%end systemd-unit" closes the service unit.
258 {{#required-permission.urn:AGL:permission::system:run-by-default}}
259 %nl
260 [Install]
261 WantedBy=default.target
262 %systemd-unit wanted-by default.target
263 {{/required-permission.urn:AGL:permission::system:run-by-default}}
264
265 %end systemd-unit
266
267
268 ;---------------------------------------------------------------------------------
269 ;----        P R O V I D E D   A P I S                                        ----
270 ;---------------------------------------------------------------------------------
271
; One socket unit is produced for each provided API whose value is "ws" or
; "auto". The socket listens under %t/apis/ws and activates the service unit of
; this widget: afm-service-... when the "hidden" permission is required,
; afm-appli-... otherwise.
272 {{#provided-api}}
273 {{#value=ws|auto}}
274
275 %begin systemd-unit
276
277 # auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
278 #
279 %systemd-unit system
280 %systemd-unit socket afm-api-ws-{{name}}@
281
; SmackLabel=* puts the Smack star label on the socket, which Smack treats as
; accessible to every subject label.
; NOTE(review): access to the API then rests on the permissions of
; %t/apis/ws and on the checks made by the service behind the socket; confirm
; that both are in place.
282 [Socket]
283 SmackLabel=*
284 ListenStream=%t/apis/ws/{{name}}
285 FileDescriptorName={{name}}
286
287 {{#required-permission.urn:AGL:permission::public:hidden}}\
288 Service=afm-service-{{:id}}--{{:ver}}--{{:#target}}@%i.service
289 {{/required-permission.urn:AGL:permission::public:hidden}}\
290 {{^required-permission.urn:AGL:permission::public:hidden}}\
291 Service=afm-appli-{{:id}}--{{:ver}}--{{:#target}}@%i.service
292 {{/required-permission.urn:AGL:permission::public:hidden}}\
293
294 ;---------------------------------------------------------------------------------
295 %nl
296 [Install]
297 WantedBy=sockets.target
298 %systemd-unit wanted-by sockets.target
299 ;---------------------------------------------------------------------------------
300
301 %end systemd-unit
302
303 {{/value=ws|auto}}
304 {{/provided-api}}
305
; Closes the {{#targets}} section opened before the first unit.
306 {{/targets}}
307