Add an attribute for user applications to run other applications #381
Conversation
0xC0ncord
force-pushed
the
bugfix/systemd-user-exec-apps
branch
from
7fb55b6
to
629600d
Compare
|
I'm not sure where you are with this due to the weird github timestamping, but at a minimum, there are CI errors. |
I have a lot of local work that I haven't pushed yet. It will likely be a little bit more time before I think it is ready for review, so I am OK with closing this until then if you'd like. |
|
You can set the PR to draft and leave it open. |
0xC0ncord
force-pushed
the
bugfix/systemd-user-exec-apps
branch
from
629600d
to
e8f4ee0
Compare
0xC0ncord
changed the title
|
This is at the point now where every As an aside, |
0xC0ncord
force-pushed
the
bugfix/systemd-user-exec-apps
branch
from
e8f4ee0
to
28deb83
Compare
0xC0ncord
force-pushed
the
bugfix/systemd-user-exec-apps
branch
from
28deb83
to
7e06fb7
Compare
|
After some discussion, I have decided to split this PR into two parts. This PR will address the infrastructure needed to support this feature, and the upcoming second will support actually hooking up this infrastructure into the applications. I think this part is finally ready for review. |
0xC0ncord
changed the title
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
0xC0ncord
force-pushed
the
bugfix/systemd-user-exec-apps
branch
from
7e06fb7
to
7d23af5
Compare
child processes The 'systemd_user_app_status' interface is intended to be used by any interfaces or templates that grant run access to a user domain. These rules are to support a situation in which an app run by a systemd user instance runs another, and to allow that app to have its status and output captured by the systemd user instance (i.e. to journald) without explicitly granting permissions for the systemd user instance to run that application. Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <me@concord.sh>
0xC0ncord
force-pushed
the
bugfix/systemd-user-exec-apps
branch
from
7d23af5
to
b91c606
Compare
|
Sorry, I forgot to change |
This addresses the issue raised in #365. With the advent of
systemd --usersupport, we should support users running various applications through user units and other means. The problem is that any other such applications normally started by a user that transition to their own domain (i.e.user_systemd_t) do not have the proper permissions to run other applications.Many applications' policies have their own way of granting run access to users. Some policies grant access directly with
myapp_domtrans,myapp_run, or by granting an attribute. I think the best way to do this would be to streamline all such interfaces and templates to take exactly 3 parameters: the role prefix, the role, and the type of the user domain. This way we can have a single "proper" way to declare interfaces and templates like this, and we can ensure that calls to things likescreen_role_templatehave everything they need.In this PR I have only modifiedapacheandscreento use this approach, and they are now using the proposed attribute for user application run access. I am opening this PR to hopefully get some early feedback on this approach, as the final result of this effort may be quite large.This is a two-part PR. This PR addresses adding the required infrastructure for this feature, while the upcoming second PR will hook up this infrastructure into the application policies to support it.
This PR only adds the aforementioned attribute, the interfaces required to support it, and assigns it to the
$1_systemd_tand$1_wm_tdomains.