cmake_minimum_required(VERSION 2.8)
+if(AGL_DEVEL)
+ set(create_platform_debug "dodir ${afm_platform_rundir}/debug")
+endif()
+
configure_file(afm-system-daemon.service.in afm-system-daemon.service)
configure_file(afm-system-daemon.socket.in afm-system-daemon.socket)
configure_file(afm-system-setup.service.in afm-system-setup.service)
dodir $pdir/display
dodir $pdir/apis
dodir $pdir/apis/ws
-
+@create_platform_debug@
{{#targets}}
;-------------------------------------------------------------------------------
include(service.inc)
+IF_PERM(:partner:scope-platform)
;-------------------------------------------------------------------------------
-;---- F O R E A C H P R O V I D E D A P I S ----
+;---- F O R E A C H P R O V I D E D A P I S (PLATFORM) ----
;-------------------------------------------------------------------------------
{{#provided-api}}
{{#value=ws|auto}}
-include(provided-api.inc)
+include(provided-api-platform.inc)
{{/value=ws|auto}}
{{/provided-api}}
;-------------------------------------------------------------------------------
-;---- F O R E A C H P R O V I D E D B I N D I N G ----
+;---- F O R E A C H P R O V I D E D B I N D I N G (PLATFORM) ----
;-------------------------------------------------------------------------------
{{#provided-binding}}
-include(provided-binding.inc)
+include(provided-binding-platform.inc)
{{/provided-binding}}
;-------------------------------------------------------------------------------
+ELSE
+;-------------------------------------------------------------------------------
+;---- F O R E A C H P R O V I D E D A P I S (USER) ----
+;-------------------------------------------------------------------------------
+{{#provided-api}}
+{{#value=ws|auto}}
+include(provided-api-user.inc)
+{{/value=ws|auto}}
+{{/provided-api}}
+;-------------------------------------------------------------------------------
+;---- F O R E A C H P R O V I D E D B I N D I N G (USER) ----
+;-------------------------------------------------------------------------------
+{{#provided-binding}}
+include(provided-binding-user.inc)
+{{/provided-binding}}
+;-------------------------------------------------------------------------------
+ENDIF
{{/targets}}
;-------------------------------------------------------------------------------
; End of file afm-unit.conf mode ON_AGL_DEVEL(DEVEL, RELEASE)
ExecStart=/usr/bin/afb-daemon \
--name afbd-TARGET \
--rootdir={{:#metadata.install-dir}} \
- --workdir=APP_DATA_DIR/{{id}} \
+ --workdir=APP_WORK_DIR \
IF_AGL_DEVEL \
--verbose \
--verbose \
{{/provided-api}} \
ON_CONTENT(text/html, --exec /usr/bin/web-runtime http://localhost:@p/{{content.src}}?token=@t) \
ON_CONTENT(application/vnd.agl.native, --exec {{:#metadata.install-dir}}/{{content.src}} @p @t)
-
+%nl
define( `REQPERM', `required-permission.PERM($1)')
define( `ON_PERM', `MUSTACH_ON(REQPERM($1),$2,$3)')
+define( `ON_NOT_PERM', `MUSTACH_ON(REQPERM($1),$3,$2)')
define( `IF_PERM', `MUSTACH_IF(REQPERM($1))')
define( `IF_NOT_PERM', `MUSTACH_IF_NOT(REQPERM($1))')
-- use TARGET={{:id}}--{{:ver}}--{{:#target}}
-- instead of TARGET={{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}
--------------------------------------------------------------------------------
+define( `SMACKLABEL', `User::App::{{:id}}')
define( `TARGET', `{{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}')
define( `NEWTARGET', `{{:id}}--{{:ver}}--{{:#target}}')
+define( `UNITSUFFIX', `ON_NOT_PERM(`:partner:scope-platform', `@%i')')
define( `UNIT_NAME_BASE', `afm-ON_PERM(`:public:hidden', `service', `appli')-NEWTARGET')
-define( `UNIT_NAME_SERVICE', `UNIT_NAME_BASE@%i.service')
define( `UNIT_NAME_API_BASE', `afm-api-$1')
-define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)@$2.service')
-define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)@$2.socket')
+define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)UNITSUFFIX.service')
+define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)UNITSUFFIX.socket')
define( `UNIT_NAME_BINDING_BASE', `afm-link-$1')
-define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)@$2.service')
-define( `APP_DATA_DIR', `/home/%i/app-data')
+define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)UNITSUFFIX.service')
+
define( `USER_RUN_DIR', `@afm_users_rundir@/%i')
define( `DEBUGGING_DIR', `@afm_platform_rundir@/debug')
-define( `API_PATH', `USER_RUN_DIR/apis')
+define( `PLATFORM_RUN_DIR', `@afm_platform_rundir@')
+
+define( `APP_DATA_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `/home/%i/app-data')')
+define( `APP_WORK_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `APP_DATA_DIR/{{:id}}')')
+define( `RUN_DIR', `ON_PERM(`:partner:scope-platform', `PLATFORM_RUN_DIR', `USER_RUN_DIR')')
+
+define( `API_PATH', `RUN_DIR/apis')
define( `API_PATH_WS', `API_PATH/ws')
define( `API_PATH_LINK', `API_PATH/link')
+
+define( `PLATFORM_API_PATH', `PLATFORM_RUN_DIR/apis')
+define( `PLATFORM_API_PATH_WS', `PLATFORM_API_PATH/ws')
+define( `PLATFORM_API_PATH_LINK', `PLATFORM_API_PATH/link')
+
+define( `USER_API_PATH', `USER_RUN_DIR/apis')
+define( `USER_API_PATH_WS', `USER_API_PATH/ws')
+define( `USER_API_PATH_LINK', `USER_API_PATH/link')
--------------------------------------------------------------------------------
-- AGL_DEVEL SPECIFIC PARTS
--------------------------------------------------------------------------------
define( `ON_NOT_AGL_DEVEL', `ifdef(`AGL_DEVEL', $2, $1)')
define( `IF_AGL_DEVEL', `IF(ON_AGL_DEVEL(1,0))')
define( `IF_NOT_AGL_DEVEL', `IF(ON_AGL_DEVEL(0,1))')
+--------------------------------------------------------------------------------
--- /dev/null
+dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E A P I (USER) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_API_BASE({{name}})@
+
+[Unit]
+Description=Provides api {{name}} for user %i
+X-AFM-API-TYPE={{value}}
+
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
+
+Requires=UNIT_NAME_API_BASE({{name}}).socket
+After=UNIT_NAME_API_BASE({{name}}).socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf PLATFORM_API_PATH_WS/{{name}} USER_API_PATH_WS/{{name}}
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E A P I (PLATFORM) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_API_BASE({{name}})
+
+[Unit]
+Description=Provides api {{name}} for platform
+X-AFM-API-TYPE={{value}}
+
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+Requires=UNIT_NAME_API_BASE({{name}}).socket
+After=UNIT_NAME_API_BASE({{name}}).socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S O C K E T O F T H E A P I (PLATFORM) ----
+;-------------------------------------------------------------------------------
+
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit socket UNIT_NAME_API_BASE({{name}})
+[Unit]
+Description=Provides websocket api {{name}} for platform
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+DefaultDependencies=no
+
+[Socket]
+SmackLabel=*
+SmackLabelIPIn=System
+SmackLabelIPOut=System
+ListenStream=PLATFORM_API_PATH_WS/{{name}}
+FileDescriptorName={{name}}
+Service=UNIT_NAME_BASE.service
+
+%end systemd-unit
SmackLabel=*
SmackLabelIPIn=System
SmackLabelIPOut=System
-ListenStream=API_PATH_WS/{{name}}
+ListenStream=USER_API_PATH_WS/{{name}}
FileDescriptorName={{name}}
-Service=UNIT_NAME_SERVICE
+Service=UNIT_NAME_BASE@%i.service
%end systemd-unit
-
-
-
--- /dev/null
+dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E B I N D I N G (USER) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})@
+
+[Unit]
+Description=Provides binding {{name}} for user %i
+
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
+Requires=UNIT_NAME_BINDING_BASE({{name}}).service
+After=UNIT_NAME_BINDING_BASE({{name}}).service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf PLATFORM_API_PATH_LINK/{{name}} USER_API_PATH_LINK/{{name}}
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E B I N D I N G (PLATFORM) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})
+
+[Unit]
+Description=Provides binding {{name}} for platform
+
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} PLATFORM_API_PATH_LINK/{{name}}
+
+%end systemd-unit
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} API_PATH_LINK/{{name}}
+ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} USER_API_PATH_LINK/{{name}}
%end systemd-unit
-
-
%nl
%systemd-unit system
+IF_PERM(:partner:scope-platform)
+%systemd-unit service UNIT_NAME_BASE
+ELSE
%systemd-unit service UNIT_NAME_BASE@
+ENDIF
[Unit]
Description={{description}}
X-AFM--content={{content.src}}
X-AFM--type={{content.type}}
X-AFM--wgtdir={{:#metadata.install-dir}}
-X-AFM--workdir=APP_DATA_DIR/{{:id}}
+X-AFM--workdir=APP_WORK_DIR
X-AFM--visibility=ON_PERM(`:public:hidden', `hidden', `visible')
%nl
+IF_PERM(:partner:scope-platform)
+X-AFM--scope=platform
+After=afm-system-setup.service
+ELSE
+X-AFM--scope=user
Requires=afm-user-session@%i.target
After=user@%i.service
+ENDIF
+
After=Network.target
# Adds check to smack
# Automatic bound to required api
{{#required-binding}}
{{#value=extern}}
-BindsTo=UNIT_NAME_BINDING_SERVICE({{name}},%i)
-After=UNIT_NAME_BINDING_SERVICE({{name}},%i)
+BindsTo=UNIT_NAME_BINDING_SERVICE({{name}})
+After=UNIT_NAME_BINDING_SERVICE({{name}})
{{/value=extern}}
{{/required-binding}}
+
{{#required-api}}
{{#value=auto|ws}}
-BindsTo=UNIT_NAME_API_SERVICE({{name}},%i)
-After=UNIT_NAME_API_SERVICE({{name}},%i)
+BindsTo=UNIT_NAME_API_SERVICE({{name}})
+After=UNIT_NAME_API_SERVICE({{name}})
{{/value=auto|ws}}
{{/required-api}}
+
{{#provided-api}}
{{#value=ws|auto}}
-Requires=UNIT_NAME_API_SOCKET({{name}},%i)
-After=UNIT_NAME_API_SOCKET({{name}},%i)
+Requires=UNIT_NAME_API_SOCKET({{name}})
+After=UNIT_NAME_API_SOCKET({{name}})
{{/value=ws|auto}}
{{/provided-api}}
%nl
[Service]
+
EnvironmentFile=-@afm_confdir@/unit.env.d/*
EnvironmentFile=-@afm_confdir@/widget.env.d/{{:id}}/*
-SmackProcessLabel=User::App::{{:id}}
+SmackProcessLabel=SMACKLABEL
SuccessExitStatus=0 SIGKILL
-
+UMask=0077
+
+IF_PERM(:partner:scope-platform)
+#DynamicUser=true
+User=daemon
+Group=nobody
+Slice=platform.slice
+ELSE
User=%i
Slice=user-%i.slice
-
+WorkingDirectory=-APP_WORK_DIR
+ExecStartPre=/bin/mkdir -p APP_WORK_DIR
+Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus
+ENDIF
+IF_PERM(:system:capability:keep-all)
+CapabilityBoundingSet=~
+AmbientCapabilities=~
+ELSE
CapabilityBoundingSet=
-#AmbientCapabilities=
+ENDIF
ON_PERM(:platform:no-oom, OOMScoreAdjust=-500)
ON_PERM(:partner:real-time, IOSchedulingClass=realtime)
ON_PERM(:public:display, SupplementaryGroups=display)
-ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock)
+ON_PERM(:public:audio, SupplementaryGroups=audio)
+ON_NOT_PERM(:public:syscall:clock, SystemCallFilter=~@clock)
%nl
-WorkingDirectory=-APP_DATA_DIR/{{:id}}
-ExecStartPre=/bin/mkdir -p APP_DATA_DIR/{{:id}}
Environment=AFM_ID=TARGET
Environment=AFM_APP_INSTALL_DIR={{:#metadata.install-dir}}
-Environment=AFM_WORKDIR=APP_DATA_DIR/{{:id}}
+Environment=AFM_WORKDIR=APP_WORK_DIR
Environment=AFM_WSAPI_DIR=API_PATH_WS
Environment=PATH=/usr/sbin:/usr/bin:/sbin:/bin:{{:#metadata.install-dir}}/bin
Environment=LD_LIBRARY_PATH={{:#metadata.install-dir}}/lib
-Environment=XDG_DATA_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_CONFIG_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_CACHE_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_RUNTIME_DIR=USER_RUN_DIR
-Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus
+Environment=XDG_DATA_HOME=APP_WORK_DIR
+Environment=XDG_CONFIG_HOME=APP_WORK_DIR
+Environment=XDG_CACHE_HOME=APP_WORK_DIR
+Environment=XDG_RUNTIME_DIR=RUN_DIR
IF_AGL_DEVEL
; Needed to enable debug
; auto start
;-------------------------------------------------------------------------------
[Install]
+IF_PERM(:partner:scope-platform)
+WantedBy=multi-user.target
+%systemd-unit wanted-by multi-user.target
+ELSE
WantedBy=afm-user-session@.target
%systemd-unit wanted-by afm-user-session@.target
ENDIF
+ENDIF
%end systemd-unit
## Example of permissions
Here is a list of some possible permissions.
-These permissions are available the 17th of March 2017.
+These permissions are available the 21th of May 2019.
- urn:AGL:permission::platform:no-oom
Set OOMScoreAdjust=-500 to keep the out-of-memory
Forbids services to provide its API through D-Bus.
- urn:AGL:permission::system:run-by-default
Starts automatically the application. Example: home-screen.
+- urn:AGL:permission::partner:scope-platform
+ Install the service at the scope of the platform.
+- urn:AGL:permission::system:capability:keep-all
+ Keep all capabilities for the service. Note that implementing
+ that permission is not mandatory or can be adapted for the given
+ system.
- <http://tizen.org/privilege/internal/dbus>
Permission to use D-Bus.
Code Review / src / app-framework-main.git / commitdiff