From: José Bollo
Date: Wed, 28 Feb 2018 19:07:23 +0000 (+0100)
Subject: Refactor user session management
X-Git-Tag: flounder_5.99.1~8
X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?p=src%2Fapp-framework-main.git;a=commitdiff_plain;h=ae33f9100e3b67a8ce07e5ad8b1f0ee73867df6a

Refactor user session management

Change-Id: Ib6ba886df110d8a23e3760e1818263ec757b9c7c
Signed-off-by: José Bollo
---

diff --git a/conf/README.md b/conf/README.md
new file mode 100644
index 0000000..e983328
--- /dev/null
+++ b/conf/README.md
@@ -0,0 +1,47 @@
+Configuration of af-main using systemd
+======================================
+
+Mechanism to start user sessions
+--------------------------------
+
+The mechanism to start a session for the user of **UID** is
+to start the service **afm-user-session@UID.service**.
+
+This has the effect of starting a session.
+
+To achieve that goal the first is to start the user session.
+This is done using the 2 systemd directives [1]:
+
+ User=%i
+ PAMName=afm-user-session
+
+The first tells what is the user. %i is replaced by the parameter
+of the service: UID. So the user is referenced here by its number.
+
+For this user, the PAM script **afm-user-session** is evaluated.
+It is implmented by the file */etc/pam.d/afm-user-session*.
+That script MUST refer to *pam_systemd.so* for opening the session
+with systemd. It often takes the form of a line of the form:
+
+ session optional pam_systemd.so
+
+that is directly or indirectly (through includes) activated by
+**afm-user-session**. [2] [3]
+
+The effect of starting a systemd user session is to start the
+user services and the most important one: dbus.
+
+When the user session is started, the service
+**afm-user-session@UID.service** enters its second phase:
+activation of the user session for the framework.
+
+This is achieved by activating the target **afm-user-session@.target**.
+But activating a *system* unit from a *user* session is a
+thing that has to be safe. This is done by the program
+**afm-user-session**. This program runs as rot (with the set-uid)
+and simply execute *systemctl --wait start afm-user-session@UID.target*.
+Where *UID* is the user id of the calling process.
+
+[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+[2] https://www.freedesktop.org/software/systemd/man/pam_systemd.html
+[3] https://linux.die.net/man/5/pam.conf
diff --git a/conf/system/CMakeLists.txt b/conf/system/CMakeLists.txt
index 2f1b209..c36128f 100644
--- a/conf/system/CMakeLists.txt
+++ b/conf/system/CMakeLists.txt
@@ -32,9 +32,10 @@ if(NOT USE_SDK)
 FILES
 ${CMAKE_CURRENT_BINARY_DIR}/afm-system-daemon.service
 ${CMAKE_CURRENT_BINARY_DIR}/afm-system-daemon.socket
- ${CMAKE_CURRENT_SOURCE_DIR}/afm-system-daemon.conf
+ ${CMAKE_CURRENT_SOURCE_DIR}/afm-system-setup.service
 ${CMAKE_CURRENT_SOURCE_DIR}/afm-user-session@.service
 ${CMAKE_CURRENT_SOURCE_DIR}/afm-user-session@.target
+ ${CMAKE_CURRENT_SOURCE_DIR}/afm-user-setup@.service
 DESTINATION ${UNITDIR_SYSTEM}
 )
diff --git a/conf/system/afm-system-daemon.service.in b/conf/system/afm-system-daemon.service.in
index ca4ca1d..593f007 100644
--- a/conf/system/afm-system-daemon.service.in
+++ b/conf/system/afm-system-daemon.service.in
@@ -1,5 +1,6 @@
 [Unit]
 Description=Application Framework Master, system side
+Require=afm-system-setup.service
 [Service]
 #User=afm
diff --git a/conf/system/afm-system-setup.service b/conf/system/afm-system-setup.service
index 260975c..d624aeb 100644
--- a/conf/system/afm-system-setup.service
+++ b/conf/system/afm-system-setup.service
@@ -1,9 +1,9 @@
 [Unit]
 Description=Initiate afm-system-setup
-Before=weston.service
+Before=weston.service afs-supervisor.service afm-system-daemon.service
 [Service]
-Type=one-shot
-ExecStart=-/bin/sh -c "/bin/mkdir -m 755 -Z '*' /run/platform"
-ExecStart=-/bin/sh -c "/bin/mkdir -m 755 -Z '*' /run/platform/display"
-ExecStart=-/bin/sh -c "/bin/mkdir -m 755 -Z '*' /run/platform/apis"
-ExecStart=-/bin/sh -c "/bin/mkdir -m 755 -Z '*' /run/platform/apis/ws"
+Type=oneshot
+ExecStart=-/bin/sh -c "/bin/mkdir -m 755 /run/platform; /usr/bin/chsmack -a '*' /run/platform"
+ExecStart=-/bin/sh -c "/bin/mkdir -m 755 /run/platform/display; /usr/bin/chsmack -a '*' /run/platform/display"
+ExecStart=-/bin/sh -c "/bin/mkdir -m 755 /run/platform/apis; /usr/bin/chsmack -a '*' /run/platform/apis"
+ExecStart=-/bin/sh -c "/bin/mkdir -m 755 /run/platform/apis/ws; /usr/bin/chsmack -a '*' /run/platform/apis/ws"
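Review bot: The two units added to this install list, `afm-system-setup.service` and `afm-user-setup@.service`, are shipped verbatim from the source tree while the sibling `afm-system-daemon.service` comes from a configured `.in` template in `${CMAKE_CURRENT_BINARY_DIR}`, and the new unit bodies hard-code `/usr/bin/chsmack` and (in `afm-user-session@.service`) `/usr/bin/afm-user-session`. If the project lets the install prefix be configured, those helper paths should be substituted from the same configuration as the daemon unit instead of being fixed, which would also keep the FILES list uniform. The enclosing `install()` call starts before the hunk.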
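Review bot: `Require=afm-system-setup.service` is not a systemd directive, the key is `Requires=`, so systemd logs an unknown-lvalue warning and ignores the line, and afm-system-daemon starts without /run/platform having been created or labelled. Change it to `Requires=afm-system-setup.service` and add `After=afm-system-setup.service` so the dependency also orders the two units from this side (today ordering only comes from the `Before=` in afm-system-setup.service). The [Service] section continues past the hunk.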
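Review bot: Each new ExecStart chains `mkdir` and `chsmack` with `;` and carries the `-` prefix, so a failed mkdir (path already present with another owner or mode) is still relabelled `*`, a failed `chsmack` is ignored, and a mislabelled /run/platform tree is reported as success to everything ordered after this unit. Prefer `ExecStart=/bin/sh -c "/bin/mkdir -p -m 755 /run/platform && /usr/bin/chsmack -a '*' /run/platform"` and the same shape for the three subdirectories: `-p` gives the intended re-run tolerance, `&&` stops at the first error, and dropping `-` lets a hard dependency on this unit actually fail. The `*` Smack access label deliberately opens these directories to every label; a comment such as `# shared IPC directories: any Smack label may access them` would stop the next reader from treating it as an oversight. No [Install] section is visible in the hunk; if the file has none, the unit is pulled in only through the dependency line in afm-system-daemon.service.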
diff --git a/conf/system/afm-user-session@.service b/conf/system/afm-user-session@.service
index 5bedf94..93f9d86 100644
--- a/conf/system/afm-user-session@.service
+++ b/conf/system/afm-user-session@.service
@@ -5,4 +5,4 @@ After=systemd-user-sessions.service
 [Service]
 User=%i
 PAMName=afm-user-session
-ExecStart=/bin/systemctl --wait start afm-user-session@%i.target
+ExecStart=/usr/bin/afm-user-session
diff --git a/conf/system/afm-user-setup@.service b/conf/system/afm-user-setup@.service
index 2cc4214..40c3427 100644
--- a/conf/system/afm-user-setup@.service
+++ b/conf/system/afm-user-setup@.service
@@ -2,7 +2,10 @@
 Description=Initiate afm-user-setup %i
 After=user@%i.service
 [Service]
-Type=one-shot
-ExecStart=-/bin/sh -c "/bin/mkdir -Z '*' /run/user/%i && /bin/chown %i:%i /run/user/%i"
-ExecStart=-/bin/sh -c "/bin/mkdir -Z '*' /run/user/%i/apis && /bin/chown %i:%i /run/user/%i/apis"
-ExecStart=-/bin/sh -c "/bin/mkdir -Z '*' /run/user/%i/apis/ws && /bin/chown %i:%i /run/user/%i/apis/ws"
+Type=oneshot
+ExecStart=-/bin/sh -c "/bin/mkdir /run/user/%i; /bin/chown %i:%i /run/user/%i; /usr/bin/chsmack -a '*' /run/user/%i"
+ExecStart=-/bin/sh -c "/bin/mkdir /run/user/%i/apis; /bin/chown %i:%i /run/user/%i/apis; /usr/bin/chsmack -a '*' /run/user/%i/apis"
+ExecStart=-/bin/sh -c "/bin/mkdir /run/user/%i/apis/ws; /bin/chown %i:%i /run/user/%i/apis/ws; /usr/bin/chsmack -a '*' /run/user/%i/apis/ws"
+ExecStart=-/bin/sh -c "/bin/ln -sf /run/platform/display/wayland-0 /run/user/%i/wayland-0; /bin/chown %i:%i /run/user/%i/wayland-0; /usr/bin/chsmack -a '*' /run/user/%i/wayland-0"
+
+
diff --git a/conf/unit/afm-unit-debug.conf.in b/conf/unit/afm-unit-debug.conf.in
index ba42ea4..05881fa 100644
--- a/conf/unit/afm-unit-debug.conf.in
+++ b/conf/unit/afm-unit-debug.conf.in
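Review bot: `ExecStart=/usr/bin/afm-user-session` runs under `User=%i`, and the README added by this commit says the helper is set-uid root and runs `systemctl --wait start afm-user-session@UID.target` for the caller's uid, which makes the helper a privilege boundary reachable by every local user and process, not only by this unit. The helper's source is not in this diff, so it needs checking there: the uid must come from the real uid of the caller (never argv or the environment), the environment should be scrubbed before exec, and the binary should be installed root-owned with a restrictive mode or its use limited another way (a group on the file plus `SupplementaryGroups=` here, or a polkit rule) unless any user being able to start their own target is intended. A comment on this line stating that contract, `# set-uid root helper: starts afm-user-session@<real uid>.target`, would make the dependency visible in the unit itself.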
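Review bot: In the new `ln -sf` line, `chown %i:%i /run/user/%i/wayland-0` follows the symlink it just created, so it changes the owner of the shared `/run/platform/display/wayland-0` socket to whichever user's session starts last instead of the link; use `chown -h %i:%i /run/user/%i/wayland-0` (chsmack does not dereference links by default, so that call labels the link as intended, worth confirming against the shipped chsmack). The first line has a related effect: `/run/user/%i` is normally already created as the user's runtime directory by pam_systemd/logind (this unit runs `After=user@%i.service`), and with `;` in place of the old `&&` the `chown` and `chsmack -a '*'` now run on that existing directory, relabelling the user's XDG_RUNTIME_DIR to the wildcard label. If only the `apis` subtree is meant to be shared, keep `&&` on the first line so an existing runtime directory is left untouched.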
@@ -211,7 +211,8 @@ WantedBy=afm-user-session@.target
 %systemd-unit socket afm-api-ws-{{name}}@
 [Unit]
 Description=Provides api {{name}} for user %i
-After=user@%i.service
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
 DefaultDependencies=no
 [Socket]
 SmackLabel=*
diff --git a/conf/unit/afm-unit.conf.in b/conf/unit/afm-unit.conf.in
index f9bf8bc..20a3b50 100644
--- a/conf/unit/afm-unit.conf.in
+++ b/conf/unit/afm-unit.conf.in
@@ -211,7 +211,8 @@ WantedBy=afm-user-session@.target
 %systemd-unit socket afm-api-ws-{{name}}@
 [Unit]
 Description=Provides api {{name}} for user %i
-After=user@%i.service
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
 DefaultDependencies=no
 [Socket]
 SmackLabel=*
diff --git a/conf/unit/generate-unit-conf/provided.inc b/conf/unit/generate-unit-conf/provided.inc
index 5a43ed7..ead1983 100644
--- a/conf/unit/generate-unit-conf/provided.inc
+++ b/conf/unit/generate-unit-conf/provided.inc
@@ -14,7 +14,8 @@ dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
 %systemd-unit socket afm-api-ws-{{name}}@
 [Unit]
 Description=Provides api {{name}} for user %i
-After=user@%i.service
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
 DefaultDependencies=no
 [Socket]
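Review bot: `Requires=afm-user-setup@%i.service` is a hard dependency, but every `ExecStart` of afm-user-setup@.service in this commit carries the `-` prefix, so that unit cannot fail and the `Requires=` can never keep this socket from being exposed when /run/user/%i/apis/ws was not created or labelled. Either drop the `-` prefixes in the setup unit so a setup failure propagates, or state the real semantics with `Wants=afm-user-setup@%i.service`. The replaced `After=user@%i.service` is still honoured transitively through the setup unit's own `After=user@%i.service`; a comment such as `# ordering after user@%i.service comes via afm-user-setup@` would record that. The same change appears in afm-unit.conf.in and provided.inc, and the socket template continues past the hunk.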