Hello Jose, Thank you for the comment and sorry for the late reply. I carefully read the smack document you shared, the following patch worked in our case. --- a/meta-agl/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston +++ b/meta-agl/meta-agl-profile-graphical/recipes-graphics/wayland/weston/smack-weston @@ -3,6 +3,6 @@ System::Weston System rwx--- System::Weston System::Shared rwx--- System::Weston System::Run rwxat- System::Weston System::Log rwxa-- -System::Weston _ r-x--l +System::Weston _ rwx--l System::Weston User::Home r-x--l System::Weston User::App-Shared rwxat- Best regards Kenji Hosokawa -----Original Message----- 
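Review bot: the new rule grants System::Weston write on every object carrying the floor label "_", not only the mqueue root that the quoted AVC record shows being denied (subject="System::Weston" object="_" name="/" dev="mqueue" requested=wx). Only the w bit was missing, since r-x--l already covers x, so the change is minimal in bits but broad in scope: the narrower route Jose suggested, remounting mqueue with smackfsdef=* so the mount carries its own label, would leave the rest of the floor-labelled filesystem read-only for the compositor. At minimum the commit message should say this is a PoC-only widening, as the thread itself states, so it is not carried into a release unchanged.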
From: agl-dev-community@xxxxxxxxxxxxxxxxxxxxxxxxx <agl-dev-community@xxxxxxxxxxxxxxxxxxxxxxxxx> On Behalf Of Jose Bollo
Sent: Saturday, February 27, 2021 3:06 AM
To: agl-dev-community@xxxxxxxxxxxxxxxxxxxxxxxxx; Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
Subject: Re: mq_open in agl-compositor gets Permission denied

On Fri, 26 Feb 2021 06:57:45 +0000
"Hosokawa, Kenji (ADITJ/SWG)" <khosokawa@xxxxxxxxxxxxxx> wrote:

Hi,

I had no time to investigate the case today and I'm off next week.

I would suggest trying to remount mqueue with option smackfsdef=*. But I am sure of the result.

Here is the link to the documentation on Smack: https://www.kernel.org/doc/html/latest/admin-guide/LSM/Smack.html

As root you are able to add rules that could unlock you.

Best regards
José Bollo

> Hello everyone,
>
> We are implementing a PoC using AGL v10.0.0.
> It requires using mqueue in agl-compositor. This idea is not good, it
> will be considered later on, but we don't have time to do so.
> agl-compositor calls mq_open, but it returns errno:13 Permission
> denied, then the following log is observed in dmesg.
>
> Jun 29 03:06:51 h3ulcb audit[3634]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="System::Weston" object="_" requested=wx pid=3634 comm="agl-compositor" name="/" dev="mqueue" ino=7460
> Jun 29 03:06:51 h3ulcb audit[3634]: SYSCALL arch=c00000b7 syscall=180 success=no exit=-13 a0=ffff88000db1 a1=80040 a2=1b6 a3=ffff974e9418 items=0 ppid=1 pid=3634 auid=4294967295 uid=200 gid=200 euid=200 suid=200 fsuid=200 egid=200 sgid=200 fsgid=200 tty=tty7 ses=4294967295 comm="agl-compositor" exe="/usr/bin/agl-compositor" subj=System::Weston key=(null)
> Jun 29 03:06:51 h3ulcb kernel: audit: type=1400 audit(1593400011.767:4): lsm=SMACK fn=smack_inode_permission action=denied subject="System::Weston" object="_" requested=wx pid=3634 comm="agl-compositor" name="/" dev="mqueue" ino=7460
> Jun 29 03:06:51 h3ulcb kernel: audit: type=1300 audit(1593400011.767:4): arch=c00000b7 syscall=180 success=no exit=-13 a0=ffff88000db1 a1=80040 a2=1b6 a3=ffff974e9418 items=0 ppid=1 pid=3634 auid=4294967295 uid=200 gid=200 euid=200 suid=200 fsuid=200 egid=200 sgid=200 fsgid=200 tty=tty7 ses=4294967295 comm="agl-compositor" exe="/usr/bin/agl-compositor" subj=System::Weston key=(null)
>
> It seems like we are hitting a security issue. Could you tell us how to resolve
> it? This is just a PoC, so a dirty hack is fine. Thank you.
>
> Best regards
> Kenji Hosokawa
>
> ------------------------------------------------
> Hosokawa Kenji (細川 健児)
> Advanced Driver Information Technology Corp.
> Software Group (ADITJ/SWG)
> 1-1 Showa-cho, Kariya-shi
> Aichi-ken 448-8661, Japan
> Tel. +81-566-61-4555
> Fax +81-566-25-4774
> khosokawa@xxxxxxxxxxxxxx
> www.adit-jv.com
> ------------------------------------------------
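An added example, not code from the thread or from the AGL project: a small Python checker that parses Smack AVC denial records like the ones quoted above, compares the requested bits with the rule already in the smack-weston file, and reports the bits the rule lacks together with the minimal rule that grants them, so a rule is widened only by what the denial actually asked for. The audit lines and rule set below are constructed from the thread's quoted log and patch.

```python
import re

# Smack access strings use fixed columns r w x a t l (read, write, execute, append, transmute, lock).
SMACK_BITS = "rwxatl"

# Constructed sample: the AVC and SYSCALL records quoted in the thread, trimmed to the fields read here.
SAMPLE_AUDIT = """\
Jun 29 03:06:51 h3ulcb audit[3634]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="System::Weston" object="_" requested=wx pid=3634 comm="agl-compositor" name="/" dev="mqueue" ino=7460
Jun 29 03:06:51 h3ulcb audit[3634]: SYSCALL arch=c00000b7 syscall=180 success=no exit=-13
"""

# Constructed rule set mirroring the smack-weston rules before the patch.
SAMPLE_RULES = """\
System::Weston _ r-x--l
System::Weston User::Home r-x--l
"""

AVC_RE = re.compile(r'lsm=SMACK .*?action=denied subject="([^"]+)" object="([^"]+)" requested=(\w+)')

def parse_denials(audit_text):
    """Yield (subject, object, requested bits) for every Smack denial record."""
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield m.group(1), m.group(2), set(m.group(3))

def parse_rules(rules_text):
    """Map (subject, object) -> granted bits from a Smack rules file."""
    rules = {}
    for line in rules_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            subj, obj, access = parts
            rules[(subj, obj)] = set(access) - {"-"}
    return rules

def format_access(bits):
    """Render a bit set in Smack's rwxatl column order, '-' for absent bits."""
    return "".join(b if b in bits else "-" for b in SMACK_BITS)

def missing_access(audit_text, rules_text):
    """Per denied (subject, object): (bits the current rule lacks, minimal rule that grants them)."""
    rules = parse_rules(rules_text)
    result = {}  # keyed by pair, so the audit and kernel-printk copies of one denial collapse
    for subj, obj, requested in parse_denials(audit_text):
        granted = rules.get((subj, obj), set())
        result[(subj, obj)] = (format_access(requested - granted),
                               f"{subj} {obj} {format_access(granted | requested)}")
    return result
```

Run against the sample, the only entry reports `-w----` as the missing bits and `System::Weston _ rwx--l` as the rule, which is exactly the one-bit change in Kenji's patch.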