On 25.09.2015 13:14, Jussi Kukkonen wrote: > There are already "allow" rules for root and conditionally xuser to > send messages to connman: there should be no reason for a default > allow policy. > > Also, conditionally add a policy to allow xuser to send to the > connman vpn service (similar to main service). > > Signed-off-by: Jussi Kukkonen <[email protected]> > --- > meta/recipes-connectivity/connman/connman.inc | 6 ----- > .../connman/add_xuser_dbus_permission.patch | 28 > +++++++++++++++++++--- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/meta/recipes-connectivity/connman/connman.inc > b/meta/recipes-connectivity/connman/connman.inc > index 6c062ae..1712af3 100644 > --- a/meta/recipes-connectivity/connman/connman.inc > +++ b/meta/recipes-connectivity/connman/connman.inc > @@ -70,13 +70,7 @@ SYSTEMD_SERVICE_${PN} = "connman.service" > SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service" > SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup" > > -# This allows *everyone* to access ConnMan over DBus, without any access > -# control. Really the at_console flag should work, which would mean that > -# both this and the xuser patch can be dropped. > do_compile_append() { > - sed -i -e s:deny:allow:g ${S}/src/connman-dbus.conf > - sed -i -e s:deny:allow:g ${S}/vpn/vpn-dbus.conf > - > sed -i "s#ExecStart=#${SYSTEMD_WIRED_SETUP}\nExecStart=#" > ${B}/src/connman.service > } > > diff --git > a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch > b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch > index 707b3ca..15a191d 100644 > --- > a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch > +++ > b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch > @@ -1,9 +1,14 @@ > -Because Poky doesn't support at_console we need to special-case the session > -user. > +Because Poky doesn't support at_console we need to > +special-case the session user.
Here you can see that it really is poky's distro policy that slipped into OE-Core. How about removing ROOTLESS_X and xuser from OE-Core and putting it into a layer that actually sets the variable? Regards, Andreas > > Upstream-Status: Inappropriate [configuration] > > -Signed-off-by: Ross Burton <[email protected]> > +Signed-off-by: Jussi Kukkonen <[email protected]> > + > +--- > + src/connman-dbus.conf | 3 +++ > + vpn/vpn-dbus.conf | 3 +++ > + 2 files changed, 6 insertions(+) > > diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf > index 98a773e..466809c 100644 > @@ -19,3 +24,20 @@ index 98a773e..466809c 100644 > <policy at_console="true"> > <allow send_destination="net.connman"/> > </policy> > +diff --git a/vpn/vpn-dbus.conf b/vpn/vpn-dbus.conf > +index 0f0c8da..9ad05b9 100644 > +--- a/vpn/vpn-dbus.conf > ++++ b/vpn/vpn-dbus.conf > +@@ -6,6 +6,9 @@ > + <allow send_destination="net.connman.vpn"/> > + <allow send_interface="net.connman.vpn.Agent"/> > + </policy> > ++ <policy user="xuser"> > ++ <allow send_destination="net.connman.vpn"/> > ++ </policy> > + <policy at_console="true"> > + <allow send_destination="net.connman.vpn"/> > + </policy> > +-- > +2.1.4 > + > --
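Review bot: In the connman.inc hunk, removing the two `sed -i -e s:deny:allow:g` lines changes who can reach ConnMan over D-Bus, but the commit message only says the default allow is unnecessary. The patch header in the same series states that Poky doesn't support at_console, so on an image where the xuser rule is not applied only root keeps access to net.connman and net.connman.vpn. Please say so in the commit message, so that layers which relied on the open policy know they now have to ship their own `<policy>` entries.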
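Review bot: In the header hunk of add_xuser_dbus_permission.patch (`@@ -1,9 +1,14 @@`), `Signed-off-by: Ross Burton` is replaced by the new sign-off instead of being kept. The connman-dbus.conf part of the patch appears only as unchanged context, so the original author's line should stay and the new `Signed-off-by` be added below it. The description also still talks only about special-casing the session user; one sentence noting that the rule now covers vpn/vpn-dbus.conf as well would match the new diffstat.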
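Review bot: The commit message says the xuser rule for the VPN service is added "conditionally", but in the vpn/vpn-dbus.conf hunk the `<policy user="xuser">` block is unconditional within the patch, and nothing in this diff shows where the condition is applied. Please confirm the patch file is only pulled in when the xuser account exists, or point at the recipe line that does it. Also note that the new block grants `send_destination="net.connman.vpn"` but not `send_interface="net.connman.vpn.Agent"`, which the policy just above it allows; that matches the at_console block, so it is probably intended, but it is worth stating whether the session user is expected to act as a VPN agent.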
