On Tue, Jul 14, 2020 at 07:20:40AM +0000, ilies bogdan via lists.automotivelinux.org wrote:
> Hi,

Hi,

> I was trying to use agl_shell directly from my app in order to better
> understand the flow and the way wayland protocols work, but I am getting
> "client not authorized to use agl_shell" error. I see the error when I
> try to do agl_shell_activate_app. How can I change the list of
> authorized clients for testing purposes? Should I rather look into
> homescreen and rely on that?
> I was trying to search on the internet about security policy in
> wayland, but I did not find much yet. Do you have any links with such
> things?

With https://gerrit.automotivelinux.org/gerrit/c/src/agl-compositor/+/24748
landing, only demo clients can (now) bind to (the) private extensions.
The cluster platform also has this issue
(https://gerrit.automotivelinux.org/gerrit/c/src/agl-compositor/+/24967),
but these are demo applications.

Most likely I'll amend that soon with a configuration file because I'm
still missing a few AFM subtleties and I have a ticket to look into that,
but at this point that seems unrealistic.

Anyway, documentation, as much as it is (patches are welcome!), resides
at shorturl.at/kqCNO. It explains a bit of the policy but doesn't include
this part. It says a few words about the policies in general so that
might be helpful.

There's no security baked into the compositor; we are using the AFM from
AGL that makes use of the SMACK labels. The compositor does basic checks
against that and denies any bind to those private extensions.

In order to bind to any of the protocols you'll need to rebuild the
compositor:

- manually modify the default policy and include your own SMACK labels
  (see my previous MRs on how and where to do that).
- create your dedicated policy engine -- this is easier than it sounds,
  and should ideally be done by anyone that wants to work only w/ a
  downstream version of it: you copy-pasta the default, allow-all policy,
  and install that policy. Obviously you modify it to your liking.

An example of how that should work is also included with the deny-all
policy in the agl-compositor recipe. This allows, for instance, switching
between different policies. (Rebuilding is not that hard if you clone the
repository locally and use externalsrc from yocto.)

Lastly, I recommend taking a look at the cluster-dashboard and homescreen
for using agl-shell. For agl-shell-desktop, launcher and alexa-viewer are
examples of what you can achieve. See that README link as that explains a
bit more.

Hope this gets you started,

> Regards,
> Bogdan Ilies