Re: [agl-dev-community] AGL shell direct call


Hi Marius,

Thank you very much. This is a good starting point. I will have a look and give it a try.
In case that I get stuck I might be getting back to you on this email thread.

Regards,
Bogdan Ilies


On Tue, 14 Jul 2020 at 9:54, Marius Vlad
<marius.vlad@xxxxxxxxxxxxx> wrote:
On Tue, Jul 14, 2020 at 07:20:40AM +0000, ilies bogdan via lists.automotivelinux.org wrote:
> Hi, 
Hi,
> I was trying to use agl_shell directly from my app in order to better understand the flow and the way wayland protocols work, but I am getting "client not authorized to use agl_shell" error. I see the error when I try to do agl_shell_activate_app. How can I change the list of authorized clients for testing purposes? Should I rather look into homescreen and rely on that?
> I was trying to search on the internet about security policy in wayland, but I did not find much yet. Do you have any links with such things?

With https://gerrit.automotivelinux.org/gerrit/c/src/agl-compositor/+/24748
landing, only demo clients can (now) bind to (the) private extensions.
The cluster platform also has this issue
(https://gerrit.automotivelinux.org/gerrit/c/src/agl-compositor/+/24967),
but these are demo applications.
Most likely I'll amend that soon with a configuration file because I'm
still missing a few AFM subtleties and I have a ticket to look into that
but at this point that seems unrealistic.

Anyway, documentation, as much as it is (patches are welcome!), resides
at shorturl.at/kqCNO. It explains a bit of the policy but hasn't this
part included. It says a few words about the policies in general so that
might be helpful.

There's no security baked-in in the compositor, we are using the AFM
from AGL that makes use of the SMACK labels. The compositor does
basic checks against that and denies any bind to those private
extensions.

In order to bind to any of the protocols you'll need to rebuild the
compositor:

- manually modify the default policy and include your own SMACK labels.
(see my previous MRs on how and where to do that)
- create your dedicated policy engine -- this is easier than it sounds,
and should ideally be done by anyone that wants to work only w/
downstream version of it: you copy-pasta the default, allow-all
policy, and install that policy. Obviously you modify it as to your
likings. An example on how that should work is also included
with the deny-all policy in agl-compositor recipe. This allows for
instance to switch between different policies.
(rebuilding is not that hard if you clone the repository locally and
use externalsrc from yocto).

Lastly, I recommend taking a look at the cluster-dashboard and
homescreen for using agl-shell. For agl-shell-desktop, launcher and
alexa-viewer are examples on what you can achieve. See that README link
as that explains a bit more.

Hope this gets you started,


> Regards, Bogdan Ilies

>
>
>

