From 77bd42075de481ae89f6a5b2bc8a79bf967d95cd Mon Sep 17 00:00:00 2001 From: =?utf8?q?Jos=C3=A9=20Bollo?= Date: Wed, 15 May 2019 20:49:14 +0200 Subject: [PATCH] Introduce platform services MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The platform services are services that run at the global platform scope as opposite to services that run in the context of the user. Bug-AGL: SPEC-1015 Change-Id: I08c2d47715cbc7436e67781d5e638386be531520 Signed-off-by: José Bollo --- conf/system/CMakeLists.txt | 4 + conf/system/afm-system-setup.sh.in | 2 +- conf/unit/afm-unit | 26 ++++++- conf/unit/binder.inc | 4 +- conf/unit/macros.inc | 29 ++++++-- conf/unit/provided-api-platform.inc | 85 ++++++++++++++++++++++ .../{provided-api.inc => provided-api-user.inc} | 7 +- conf/unit/provided-binding-platform.inc | 48 ++++++++++++ ...vided-binding.inc => provided-binding-user.inc} | 4 +- conf/unit/service.inc | 71 +++++++++++++----- docs/3-permissions.md | 8 +- 11 files changed, 246 insertions(+), 42 deletions(-) create mode 100644 conf/unit/provided-api-platform.inc rename conf/unit/{provided-api.inc => provided-api-user.inc} (95%) create mode 100644 conf/unit/provided-binding-platform.inc rename conf/unit/{provided-binding.inc => provided-binding-user.inc} (88%) diff --git a/conf/system/CMakeLists.txt b/conf/system/CMakeLists.txt index eba8d42..a49d37f 100644 --- a/conf/system/CMakeLists.txt +++ b/conf/system/CMakeLists.txt @@ -18,6 +18,10 @@ cmake_minimum_required(VERSION 2.8) +if(AGL_DEVEL) + set(create_platform_debug "dodir ${afm_platform_rundir}/debug") +endif() + configure_file(afm-system-daemon.service.in afm-system-daemon.service) configure_file(afm-system-daemon.socket.in afm-system-daemon.socket) configure_file(afm-system-setup.service.in afm-system-setup.service) diff --git a/conf/system/afm-system-setup.sh.in b/conf/system/afm-system-setup.sh.in index 2af411c..65e75ed 100644 --- a/conf/system/afm-system-setup.sh.in 
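Review bot: The `set(create_platform_debug "dodir ${afm_platform_rundir}/debug")` line bakes a configure-time path, unquoted, into the generated shell script, whereas every other `dodir` visible in afm-system-setup.sh.in goes through `$pdir`. If `$pdir` is the platform run directory (its definition is outside the visible hunk), `set(create_platform_debug "dodir $pdir/debug")` keeps the debug directory tied to the same variable as the rest of the layout. On builds without `AGL_DEVEL` the variable is never set and `@create_platform_debug@` silently expands to nothing; an `else()` branch with `set(create_platform_debug "")` would state that intent. The owner and mode that `dodir` gives this platform-wide debug directory are not visible here and deserve a comment next to the `set()`.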
+++ b/conf/system/afm-system-setup.sh.in @@ -13,4 +13,4 @@ dodir $pdir dodir $pdir/display dodir $pdir/apis dodir $pdir/apis/ws - +@create_platform_debug@ diff --git a/conf/unit/afm-unit b/conf/unit/afm-unit index 2a91067..342a048 100644 --- a/conf/unit/afm-unit +++ b/conf/unit/afm-unit 
@@ -88,21 +88,39 @@ divert(0)dnl {{#targets}} ;------------------------------------------------------------------------------- include(service.inc) +IF_PERM(:partner:scope-platform) ;------------------------------------------------------------------------------- -;---- F O R E A C H P R O V I D E D A P I S ---- +;---- F O R E A C H P R O V I D E D A P I S (PLATFORM) ---- ;------------------------------------------------------------------------------- {{#provided-api}} {{#value=ws|auto}} -include(provided-api.inc) +include(provided-api-platform.inc) {{/value=ws|auto}} {{/provided-api}} ;------------------------------------------------------------------------------- -;---- F O R E A C H P R O V I D E D B I N D I N G ---- +;---- F O R E A C H P R O V I D E D B I N D I N G (PLATFORM) ---- ;------------------------------------------------------------------------------- {{#provided-binding}} -include(provided-binding.inc) +include(provided-binding-platform.inc) {{/provided-binding}} ;------------------------------------------------------------------------------- +ELSE +;------------------------------------------------------------------------------- +;---- F O R E A C H P R O V I D E D A P I S (USER) ---- +;------------------------------------------------------------------------------- +{{#provided-api}} +{{#value=ws|auto}} +include(provided-api-user.inc) +{{/value=ws|auto}} +{{/provided-api}} +;------------------------------------------------------------------------------- +;---- F O R E A C H P R O V I D E D B I N D I N G (USER) ---- +;------------------------------------------------------------------------------- +{{#provided-binding}} +include(provided-binding-user.inc) +{{/provided-binding}} +;------------------------------------------------------------------------------- +ENDIF {{/targets}} ;------------------------------------------------------------------------------- ; End of file afm-unit.conf mode ON_AGL_DEVEL(DEVEL, RELEASE) 
diff --git a/conf/unit/binder.inc b/conf/unit/binder.inc index 30c25d5..58f877f 100644 --- a/conf/unit/binder.inc +++ b/conf/unit/binder.inc @@ -12,7 +12,7 @@ Type=notify ExecStart=/usr/bin/afb-daemon \ --name afbd-TARGET \ --rootdir={{:#metadata.install-dir}} \ - --workdir=APP_DATA_DIR/{{id}} \ + --workdir=APP_WORK_DIR \ IF_AGL_DEVEL \ --verbose \ --verbose \ @@ -48,4 +48,4 @@ ENDIF \ {{/provided-api}} \ ON_CONTENT(text/html, --exec /usr/bin/web-runtime http://localhost:@p/{{content.src}}?token=@t) \ ON_CONTENT(application/vnd.agl.native, --exec {{:#metadata.install-dir}}/{{content.src}} @p @t) - +%nl diff --git a/conf/unit/macros.inc b/conf/unit/macros.inc index a764765..ca72b95 100644 --- a/conf/unit/macros.inc +++ b/conf/unit/macros.inc @@ -25,6 +25,7 @@ define( `PERM', `@afm_prefix@permission:$1') define( `REQPERM', `required-permission.PERM($1)') define( `ON_PERM', `MUSTACH_ON(REQPERM($1),$2,$3)') +define( `ON_NOT_PERM', `MUSTACH_ON(REQPERM($1),$3,$2)') define( `IF_PERM', `MUSTACH_IF(REQPERM($1))') define( `IF_NOT_PERM', `MUSTACH_IF_NOT(REQPERM($1))') 
@@ -43,21 +44,36 @@ define( `IF_NOT_VALUE', `MUSTACH_IF_NOT(value=$1)') -- use TARGET={{:id}}--{{:ver}}--{{:#target}} -- instead of TARGET={{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}} -------------------------------------------------------------------------------- +define( `SMACKLABEL', `User::App::{{:id}}') define( `TARGET', `{{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}') define( `NEWTARGET', `{{:id}}--{{:ver}}--{{:#target}}') +define( `UNITSUFFIX', `ON_NOT_PERM(`:partner:scope-platform', `@%i')') define( `UNIT_NAME_BASE', `afm-ON_PERM(`:public:hidden', `service', `appli')-NEWTARGET') -define( `UNIT_NAME_SERVICE', `UNIT_NAME_BASE@%i.service') define( `UNIT_NAME_API_BASE', `afm-api-$1') -define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)@$2.service') -define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)@$2.socket') +define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)UNITSUFFIX.service') +define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)UNITSUFFIX.socket') define( `UNIT_NAME_BINDING_BASE', `afm-link-$1') -define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)@$2.service') -define( `APP_DATA_DIR', `/home/%i/app-data') +define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)UNITSUFFIX.service') + define( `USER_RUN_DIR', `@afm_users_rundir@/%i') define( `DEBUGGING_DIR', `@afm_platform_rundir@/debug') -define( `API_PATH', `USER_RUN_DIR/apis') +define( `PLATFORM_RUN_DIR', `@afm_platform_rundir@') + +define( `APP_DATA_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `/home/%i/app-data')') +define( `APP_WORK_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `APP_DATA_DIR/{{:id}}')') +define( `RUN_DIR', `ON_PERM(`:partner:scope-platform', `PLATFORM_RUN_DIR', `USER_RUN_DIR')') + +define( `API_PATH', `RUN_DIR/apis') define( `API_PATH_WS', `API_PATH/ws') define( `API_PATH_LINK', `API_PATH/link') + +define( `PLATFORM_API_PATH', `PLATFORM_RUN_DIR/apis') +define( `PLATFORM_API_PATH_WS', `PLATFORM_API_PATH/ws') 
+define( `PLATFORM_API_PATH_LINK', `PLATFORM_API_PATH/link') + +define( `USER_API_PATH', `USER_RUN_DIR/apis') +define( `USER_API_PATH_WS', `USER_API_PATH/ws') +define( `USER_API_PATH_LINK', `USER_API_PATH/link') -------------------------------------------------------------------------------- -- AGL_DEVEL SPECIFIC PARTS -------------------------------------------------------------------------------- @@ -65,3 +81,4 @@ define( `ON_AGL_DEVEL', `ifdef(`AGL_DEVEL', $1, $2)') define( `ON_NOT_AGL_DEVEL', `ifdef(`AGL_DEVEL', $2, $1)') define( `IF_AGL_DEVEL', `IF(ON_AGL_DEVEL(1,0))') define( `IF_NOT_AGL_DEVEL', `IF(ON_AGL_DEVEL(0,1))') +-------------------------------------------------------------------------------- diff --git a/conf/unit/provided-api-platform.inc b/conf/unit/provided-api-platform.inc new file mode 100644 index 0000000..d169d9a --- /dev/null +++ b/conf/unit/provided-api-platform.inc 
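Review bot: For `:partner:scope-platform` both `APP_DATA_DIR` and `APP_WORK_DIR` expand to `/tmp`, so every platform service gets the world-writable `/tmp` as `--workdir`, `AFM_WORKDIR`, `XDG_DATA_HOME`, `XDG_CONFIG_HOME` and `XDG_CACHE_HOME` (see the binder.inc and service.inc hunks of this patch). Files there are shared by all platform services and can be pre-created by any other local process that Smack allows to write to `/tmp`, so a service may load configuration or cache content it did not write. The platform branch of `APP_WORK_DIR` should expand to a per-application path instead, for example `PLATFORM_RUN_DIR/app-data/{{:id}}` (a constructed path, not one the page defines), created by the unit or through systemd's `StateDirectory=`. `RUN_DIR` has the same sharing property for `XDG_RUNTIME_DIR`, which becomes the common platform run directory.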
@@ -0,0 +1,85 @@
+dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E A P I (USER) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_API_BASE({{name}})@
+
+[Unit]
+Description=Provides api {{name}} for user %i
+X-AFM-API-TYPE={{value}}
+
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
+
+Requires=UNIT_NAME_API_BASE({{name}}).socket
+After=UNIT_NAME_API_BASE({{name}}).socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf PLATFORM_API_PATH_WS/{{name}} USER_API_PATH_WS/{{name}}
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E A P I (PLATFORM) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_API_BASE({{name}})
+
+[Unit]
+Description=Provides api {{name}} for platform
+X-AFM-API-TYPE={{value}}
+
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+Requires=UNIT_NAME_API_BASE({{name}}).socket
+After=UNIT_NAME_API_BASE({{name}}).socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S O C K E T O F T H E A P I (PLATFORM) ----
+;-------------------------------------------------------------------------------
+
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit 
for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}} + +%systemd-unit system +%systemd-unit socket UNIT_NAME_API_BASE({{name}}) +[Unit] +Description=Provides websocket api {{name}} for platform +Requires=afm-system-setup.service +After=afm-system-setup.service +DefaultDependencies=no + +[Socket] +SmackLabel=* +SmackLabelIPIn=System +SmackLabelIPOut=System +ListenStream=PLATFORM_API_PATH_WS/{{name}} +FileDescriptorName={{name}} +Service=UNIT_NAME_BASE.service + +%end systemd-unit diff --git a/conf/unit/provided-api.inc b/conf/unit/provided-api-user.inc similarity index 95% rename from conf/unit/provided-api.inc rename to conf/unit/provided-api-user.inc index bdee6c9..77478c8 100644 --- a/conf/unit/provided-api.inc +++ b/conf/unit/provided-api-user.inc @@ -46,11 +46,8 @@ DefaultDependencies=no SmackLabel=* SmackLabelIPIn=System SmackLabelIPOut=System -ListenStream=API_PATH_WS/{{name}} +ListenStream=USER_API_PATH_WS/{{name}} FileDescriptorName={{name}} -Service=UNIT_NAME_SERVICE +Service=UNIT_NAME_BASE@%i.service %end systemd-unit - - - diff --git a/conf/unit/provided-binding-platform.inc b/conf/unit/provided-binding-platform.inc new file mode 100644 index 0000000..375a636 --- /dev/null +++ b/conf/unit/provided-binding-platform.inc 
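Review bot: The per-user unit `UNIT_NAME_API_BASE({{name}})@` in provided-api-platform.inc has no `User=` line, so as a system unit its `ExecStart=/bin/ln -sf PLATFORM_API_PATH_WS/{{name}} USER_API_PATH_WS/{{name}}` presumably runs as root while writing into the per-user run directory. If that directory is writable by user `%i` (its ownership is not visible here), an existing symlink to a directory at the destination makes `ln -sf` create the link inside the directory it points to. Adding `User=%i` and using `ExecStart=/bin/ln -sfn PLATFORM_API_PATH_WS/{{name}} USER_API_PATH_WS/{{name}}` would confine the write. The same applies to the `(USER)` unit in provided-binding-platform.inc. This unit also carries two `[Service]` sections, the first with `ExecStart=/bin/true`, which looks like a leftover and should be dropped.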
@@ -0,0 +1,48 @@
+dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E B I N D I N G (USER) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})@
+
+[Unit]
+Description=Provides binding {{name}} for user %i
+
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
+Requires=UNIT_NAME_BINDING_BASE({{name}}).service
+After=UNIT_NAME_BINDING_BASE({{name}}).service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf PLATFORM_API_PATH_LINK/{{name}} USER_API_PATH_LINK/{{name}}
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E B I N D I N G (PLATFORM) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})
+
+[Unit]
+Description=Provides binding {{name}} for platform
+
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} PLATFORM_API_PATH_LINK/{{name}}
+
+%end systemd-unit
diff --git a/conf/unit/provided-binding.inc b/conf/unit/provided-binding-user.inc
similarity index 88%
rename from conf/unit/provided-binding.inc
rename to conf/unit/provided-binding-user.inc
index 3737126..5a53735 100644
--- a/conf/unit/provided-binding.inc
+++ b/conf/unit/provided-binding-user.inc 
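Review bot: The platform unit links into `PLATFORM_API_PATH_LINK/{{name}}`, which macros.inc expands to `@afm_platform_rundir@/apis/link`, but the afm-system-setup.sh.in hunk of this patch shows only `dodir $pdir/apis` and `dodir $pdir/apis/ws`. Unless the link directory is created somewhere outside the visible lines, the `ln -sf` fails the first time the unit starts after `afm-system-setup.service`. Adding `dodir $pdir/apis/link` to the setup script would cover it, assuming `$pdir` is the platform run directory. The first banner in this file reads `(USER)` although the file is the platform include; a one-line comment such as `; per-user link to the platform binding` would explain why.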
@@ -18,8 +18,6 @@ After=afm-user-setup@%i.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} API_PATH_LINK/{{name}} +ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} USER_API_PATH_LINK/{{name}} %end systemd-unit - - diff --git a/conf/unit/service.inc b/conf/unit/service.inc index 88c1454..bebf25a 100644 --- a/conf/unit/service.inc +++ b/conf/unit/service.inc @@ -8,7 +8,11 @@ dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4: %nl %systemd-unit system +IF_PERM(:partner:scope-platform) +%systemd-unit service UNIT_NAME_BASE +ELSE %systemd-unit service UNIT_NAME_BASE@ +ENDIF [Unit] Description={{description}} @@ -29,12 +33,19 @@ X-AFM--target-name={{:#target}} X-AFM--content={{content.src}} X-AFM--type={{content.type}} X-AFM--wgtdir={{:#metadata.install-dir}} -X-AFM--workdir=APP_DATA_DIR/{{:id}} +X-AFM--workdir=APP_WORK_DIR X-AFM--visibility=ON_PERM(`:public:hidden', `hidden', `visible') %nl +IF_PERM(:partner:scope-platform) +X-AFM--scope=platform +After=afm-system-setup.service +ELSE +X-AFM--scope=user Requires=afm-user-session@%i.target After=user@%i.service +ENDIF + After=Network.target # Adds check to smack 
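Review bot: In the `IF_PERM(:partner:scope-platform)` branch of service.inc the unit gets `After=afm-system-setup.service` with no matching `Requires=`, so the ordering only has an effect if something else starts the setup unit. The platform API and socket units added in provided-api-platform.inc carry both lines. Adding `Requires=afm-system-setup.service` here would make a platform service that provides no API still pull in the run-directory setup. The `[Unit]` section continues outside this hunk.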
@@ -44,56 +55,71 @@ ConditionSecurity=smack # Automatic bound to required api {{#required-binding}} {{#value=extern}} -BindsTo=UNIT_NAME_BINDING_SERVICE({{name}},%i) -After=UNIT_NAME_BINDING_SERVICE({{name}},%i) +BindsTo=UNIT_NAME_BINDING_SERVICE({{name}}) +After=UNIT_NAME_BINDING_SERVICE({{name}}) {{/value=extern}} {{/required-binding}} + {{#required-api}} {{#value=auto|ws}} -BindsTo=UNIT_NAME_API_SERVICE({{name}},%i) -After=UNIT_NAME_API_SERVICE({{name}},%i) +BindsTo=UNIT_NAME_API_SERVICE({{name}}) +After=UNIT_NAME_API_SERVICE({{name}}) {{/value=auto|ws}} {{/required-api}} + {{#provided-api}} {{#value=ws|auto}} -Requires=UNIT_NAME_API_SOCKET({{name}},%i) -After=UNIT_NAME_API_SOCKET({{name}},%i) +Requires=UNIT_NAME_API_SOCKET({{name}}) +After=UNIT_NAME_API_SOCKET({{name}}) {{/value=ws|auto}} {{/provided-api}} %nl [Service] + EnvironmentFile=-@afm_confdir@/unit.env.d/* EnvironmentFile=-@afm_confdir@/widget.env.d/{{:id}}/* -SmackProcessLabel=User::App::{{:id}} +SmackProcessLabel=SMACKLABEL SuccessExitStatus=0 SIGKILL - +UMask=0077 + +IF_PERM(:partner:scope-platform) +#DynamicUser=true +User=daemon +Group=nobody +Slice=platform.slice +ELSE User=%i Slice=user-%i.slice - +WorkingDirectory=-APP_WORK_DIR +ExecStartPre=/bin/mkdir -p APP_WORK_DIR +Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus +ENDIF +IF_PERM(:system:capability:keep-all) +CapabilityBoundingSet=~ +AmbientCapabilities=~ +ELSE CapabilityBoundingSet= -#AmbientCapabilities= +ENDIF ON_PERM(:platform:no-oom, OOMScoreAdjust=-500) ON_PERM(:partner:real-time, IOSchedulingClass=realtime) ON_PERM(:public:display, SupplementaryGroups=display) -ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock) +ON_PERM(:public:audio, SupplementaryGroups=audio) +ON_NOT_PERM(:public:syscall:clock, SystemCallFilter=~@clock) %nl -WorkingDirectory=-APP_DATA_DIR/{{:id}} -ExecStartPre=/bin/mkdir -p APP_DATA_DIR/{{:id}} Environment=AFM_ID=TARGET Environment=AFM_APP_INSTALL_DIR={{:#metadata.install-dir}} 
-Environment=AFM_WORKDIR=APP_DATA_DIR/{{:id}} +Environment=AFM_WORKDIR=APP_WORK_DIR Environment=AFM_WSAPI_DIR=API_PATH_WS Environment=PATH=/usr/sbin:/usr/bin:/sbin:/bin:{{:#metadata.install-dir}}/bin Environment=LD_LIBRARY_PATH={{:#metadata.install-dir}}/lib -Environment=XDG_DATA_HOME=APP_DATA_DIR/{{:id}} -Environment=XDG_CONFIG_HOME=APP_DATA_DIR/{{:id}} -Environment=XDG_CACHE_HOME=APP_DATA_DIR/{{:id}} -Environment=XDG_RUNTIME_DIR=USER_RUN_DIR -Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus +Environment=XDG_DATA_HOME=APP_WORK_DIR +Environment=XDG_CONFIG_HOME=APP_WORK_DIR +Environment=XDG_CACHE_HOME=APP_WORK_DIR +Environment=XDG_RUNTIME_DIR=RUN_DIR IF_AGL_DEVEL ; Needed to enable debug @@ -124,9 +150,14 @@ IF_PERM(:system:run-by-default) ; auto start ;------------------------------------------------------------------------------- [Install] +IF_PERM(:partner:scope-platform) +WantedBy=multi-user.target +%systemd-unit wanted-by multi-user.target +ELSE WantedBy=afm-user-session@.target %systemd-unit wanted-by afm-user-session@.target ENDIF +ENDIF %end systemd-unit diff --git a/docs/3-permissions.md b/docs/3-permissions.md index 957478e..fa65c5d 100644 --- a/docs/3-permissions.md +++ b/docs/3-permissions.md @@ -90,7 +90,7 @@ attachment of value to permission. ## Example of permissions Here is a list of some possible permissions. -These permissions are available the 17th of March 2017. +These permissions are available the 21th of May 2019. - urn:AGL:permission::platform:no-oom Set OOMScoreAdjust=-500 to keep the out-of-memory 
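Review bot: Under `IF_PERM(:system:capability:keep-all)` the unit sets `CapabilityBoundingSet=~` and `AmbientCapabilities=~`; as systemd documents the `~` prefix, an inverted empty list selects every capability, and the ambient set hands them to the process even though it runs as `User=daemon` or `User=%i`. The service is then root-equivalent, which the `UMask=0077` and `SystemCallFilter` lines around it do not offset. Consider dropping the `AmbientCapabilities=~` line, or replacing the blanket permission with ones that name individual capabilities. At minimum add a comment such as `; keep-all: service holds every capability despite User=`. Separately, all platform services share `User=daemon` and `Group=nobody`, so separation between them rests on the Smack label alone; the commented-out `#DynamicUser=true` deserves a TODO stating why it is disabled.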
@@ -117,6 +117,12 @@ These permissions are available the 17th of March 2017. Forbids services to provide its API through D-Bus. - urn:AGL:permission::system:run-by-default Starts automatically the application. Example: home-screen. +- urn:AGL:permission::partner:scope-platform + Install the service at the scope of the platform. +- urn:AGL:permission::system:capability:keep-all + Keep all capabilities for the service. Note that implementing + that permission is not mandatory or can be adapted for the given + system. - Permission to use D-Bus. -- 2.16.6