
weston-init: Stop running weston as root

Running the weston compositor as the root user is an insecure default
behavior for OE-core. We can do much better, at least when using
systemd. Change the recipe to create a dedicated "weston" user and start
weston as this user. The systemd service and socket units are no longer
template units, as there were several inconsistencies in the templates.
Instead, there is now a global /run/wayland-0 socket that gets created,
and systemd will start weston on demand when a client connects to that
socket or when attempting to reach graphical.target, whichever comes
first. This also allows downstream users to easily change the behavior
so that weston *only* starts on demand by adding a drop file. Access to
the global socket is controlled by a "wayland" group; any user that is a
member of the group can use the socket to talk to the compositor. This
also satisfies another use case where another systemd service might
start a graphical application that needs to display with weston (e.g. a
single function device in kiosk mode). Finally, the udev rules for
starting weston with the existence of a DRM device have been removed.
Being WantedBy= a graphical target should eliminate the need for this
behavior, and having it present makes it difficult for downstream users
to start weston on demand (having to override the udev rules).

(From OE-Core rev: dd83fb40f76749c6689807afabc63b9d5c2a4065)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Joshua Watt
2020-11-19 16:58:53 -06:00
committed by Richard Purdie
parent 862a6937d5
commit ccdaab972e
5 changed files with 45 additions and 28 deletions
+21 -12
@@ -7,9 +7,8 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
SRC_URI = "file://init \ SRC_URI = "file://init \
file://weston.env \ file://weston.env \
file://weston.ini \ file://weston.ini \
file://weston@.service \ file://weston.service \
file://weston@.socket \ file://weston.socket \
file://71-weston-drm.rules \
file://weston-autologin \ file://weston-autologin \
file://weston-start" file://weston-start"
@@ -36,17 +35,15 @@ do_install() {
install -Dm644 ${WORKDIR}/weston.env ${D}${sysconfdir}/default/weston install -Dm644 ${WORKDIR}/weston.env ${D}${sysconfdir}/default/weston
# Install Weston systemd service and accompanying udev rule # Install Weston systemd service and accompanying udev rule
install -D -p -m0644 ${WORKDIR}/weston@.service ${D}${systemd_system_unitdir}/weston@.service install -D -p -m0644 ${WORKDIR}/weston.service ${D}${systemd_system_unitdir}/weston.service
install -D -p -m0644 ${WORKDIR}/weston@.socket ${D}${systemd_system_unitdir}/weston@.socket install -D -p -m0644 ${WORKDIR}/weston.socket ${D}${systemd_system_unitdir}/weston.socket
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
install -D -p -m0644 ${WORKDIR}/weston-autologin ${D}${sysconfdir}/pam.d/weston-autologin install -D -p -m0644 ${WORKDIR}/weston-autologin ${D}${sysconfdir}/pam.d/weston-autologin
fi fi
sed -i -e s:/etc:${sysconfdir}:g \ sed -i -e s:/etc:${sysconfdir}:g \
-e s:/usr/bin:${bindir}:g \ -e s:/usr/bin:${bindir}:g \
-e s:/var:${localstatedir}:g \ -e s:/var:${localstatedir}:g \
${D}${systemd_unitdir}/system/weston@.service ${D}${systemd_unitdir}/system/weston.service
install -D -p -m0644 ${WORKDIR}/71-weston-drm.rules \
${D}${sysconfdir}/udev/rules.d/71-weston-drm.rules
# Install weston-start script # Install weston-start script
install -Dm755 ${WORKDIR}/weston-start ${D}${bindir}/weston-start install -Dm755 ${WORKDIR}/weston-start ${D}${bindir}/weston-start
sed -i 's,@DATADIR@,${datadir},g' ${D}${bindir}/weston-start sed -i 's,@DATADIR@,${datadir},g' ${D}${bindir}/weston-start
@@ -58,11 +55,15 @@ do_install() {
if [ "${@bb.utils.contains('PACKAGECONFIG', 'no-idle-timeout', 'yes', 'no', d)}" = "yes" ]; then if [ "${@bb.utils.contains('PACKAGECONFIG', 'no-idle-timeout', 'yes', 'no', d)}" = "yes" ]; then
sed -i -e "/^\[core\]/a idle-time=0" ${D}${sysconfdir}/xdg/weston/weston.ini sed -i -e "/^\[core\]/a idle-time=0" ${D}${sysconfdir}/xdg/weston/weston.ini
fi fi
install -dm 755 -o weston -g weston ${D}/home/weston
} }
INHIBIT_UPDATERCD_BBCLASS = "${@oe.utils.conditional('VIRTUAL-RUNTIME_init_manager', 'systemd', '1', '', d)}" INHIBIT_UPDATERCD_BBCLASS = "${@oe.utils.conditional('VIRTUAL-RUNTIME_init_manager', 'systemd', '1', '', d)}"
inherit update-rc.d features_check systemd inherit update-rc.d features_check systemd useradd
USERADD_PACKAGES = "${PN}"
# rdepends on weston which depends on virtual/egl # rdepends on weston which depends on virtual/egl
# requires pam enabled if started via systemd # requires pam enabled if started via systemd
@@ -73,10 +74,18 @@ RDEPENDS_${PN} = "weston kbd"
INITSCRIPT_NAME = "weston" INITSCRIPT_NAME = "weston"
INITSCRIPT_PARAMS = "start 9 5 2 . stop 20 0 1 6 ." INITSCRIPT_PARAMS = "start 9 5 2 . stop 20 0 1 6 ."
FILES_${PN} += "${sysconfdir}/xdg/weston/weston.ini ${systemd_system_unitdir}/weston@.service ${systemd_system_unitdir}/weston@.socket ${sysconfdir}/default/weston ${sysconfdir}/pam.d/" FILES_${PN} += "\
${sysconfdir}/xdg/weston/weston.ini \
${systemd_system_unitdir}/weston.service \
${systemd_system_unitdir}/weston.socket \
${sysconfdir}/default/weston \
${sysconfdir}/pam.d/ \
/home/weston \
"
CONFFILES_${PN} += "${sysconfdir}/xdg/weston/weston.ini ${sysconfdir}/default/weston" CONFFILES_${PN} += "${sysconfdir}/xdg/weston/weston.ini ${sysconfdir}/default/weston"
SYSTEMD_SERVICE_${PN} = "weston@%i.service" SYSTEMD_SERVICE_${PN} = "weston.service weston.socket"
SYSTEMD_AUTO_ENABLE = "disable" USERADD_PARAM_${PN} = "--home /home/weston --shell /bin/sh --user-group -G video,input weston"
GROUPADD_PARAM_${PN} = "-r wayland"
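Review bot: The added `install -dm 755 -o weston -g weston ${D}/home/weston` in do_install leaves the new account's home directory readable and searchable by every local user. Since the commit exists to isolate the compositor under its own account, `install -dm 750 -o weston -g weston ${D}/home/weston` (or 700) would keep whatever weston writes there private to that account. What the session stores in that directory is not visible here, so treat this as hardening rather than a confirmed leak. The comment `# Install Weston systemd service and accompanying udev rule` is also stale now that 71-weston-drm.rules is no longer installed. do_install starts outside the visible hunks.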
@@ -1,2 +0,0 @@
ACTION=="add", SUBSYSTEM=="graphics", KERNEL=="fb0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="weston@root.service"
ACTION=="add", SUBSYSTEM=="drm", KERNEL=="card0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="weston@root.service"
@@ -9,6 +9,7 @@ Documentation=man:weston(1) man:weston.ini(5)
Documentation=http://wayland.freedesktop.org/ Documentation=http://wayland.freedesktop.org/
# Make sure we are started after logins are permitted. # Make sure we are started after logins are permitted.
Requires=systemd-user-sessions.service
After=systemd-user-sessions.service After=systemd-user-sessions.service
# If Plymouth is used, we want to start when it is on its way out. # If Plymouth is used, we want to start when it is on its way out.
@@ -18,6 +19,9 @@ After=plymouth-quit-wait.service
Wants=dbus.socket Wants=dbus.socket
After=dbus.socket After=dbus.socket
# Ensure the socket is present
Requires=weston.socket
# Since we are part of the graphical session, make sure we are started before # Since we are part of the graphical session, make sure we are started before
# it is complete. # it is complete.
Before=graphical.target Before=graphical.target
@@ -37,10 +41,11 @@ TimeoutStartSec=60
WatchdogSec=20 WatchdogSec=20
# The user to run Weston as. # The user to run Weston as.
User=%I User=weston
Group=weston
# Make sure working directory is users home directory # Make sure the working directory is the users home directory
WorkingDirectory=/home/%i WorkingDirectory=/home/weston
# Set up a full user session for the user, required by Weston. # Set up a full user session for the user, required by Weston.
PAMName=weston-autologin PAMName=weston-autologin
@@ -61,5 +66,6 @@ UtmpIdentifier=tty7
UtmpMode=user UtmpMode=user
[Install] [Install]
# Note: If you only want weston to start on-demand, remove this line with a
# service drop file
WantedBy=graphical.target WantedBy=graphical.target
DefaultInstance=tty7
@@ -0,0 +1,14 @@
[Unit]
Description=Weston socket
RequiresMountsFor=/run
[Socket]
ListenStream=/run/wayland-0
SocketMode=0775
SocketUser=weston
SocketGroup=wayland
RemoveOnStop=yes
[Install]
WantedBy=sockets.target
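Review bot: `SocketMode=0775` sets the read and execute bits for other users on /run/wayland-0, which does not match the stated policy that only the weston user and members of the wayland group may reach the compositor. On Linux, connecting to a Unix socket requires write permission, so this mode probably still enforces the policy, but only as a side effect of which bits happen to be set. `SocketMode=0660` states the intent directly and does not depend on that detail. A one-line comment above it, such as `# Only weston and members of the wayland group may connect`, would help downstream users who change SocketGroup.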
@@ -1,10 +0,0 @@
[Unit]
Description=Weston Wayland socket
After=user-runtime-dir@1000.service
[Socket]
ListenStream=/run/user/1000/wayland-%I
[Install]
WantedBy=sockets.target