[OE-core] [PATCH] xserver-nodm-init: Fix the start failure for non-root user
Kevin Hao
kexin.hao at windriver.com
Sat Feb 8 12:36:42 UTC 2020
In order to start the xserver, a non-root user should have the
cap_sys_admin capability to set the drm master. We try to get
the cap_sys_admin capability by setting it in both the thread
and file inheritable set. The side effect of this is that we
would have to add the "pam" to the distro features if we want
use the xserver-nodm-init for a non-root user.
[Yocto #11526]
Signed-off-by: Kevin Hao <kexin.hao at windriver.com>
---
.../x11-common/xserver-nodm-init/capability.conf | 2 ++
.../x11-common/xserver-nodm-init/xserver-nodm | 8 ++++++++
meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb | 7 +++++--
3 files changed, 15 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf b/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
new file mode 100644
index 000000000000..7ab7460816a8
--- /dev/null
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
@@ -0,0 +1,2 @@
+cap_sys_admin @USER@
+none *
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
index 6c548551b870..116bb278bc9b 100755
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
@@ -38,6 +38,14 @@ case "$1" in
if [ -e /dev/hidraw0 ]; then
chmod o+rw /dev/hidraw*
fi
+ # Make sure that the Xorg has the cap_sys_admin capability which is
+ # needed for setting the drm master
+ if ! grep -q "^auth.*pam_cap\.so" /etc/pam.d/su; then
+ echo "auth optional pam_cap.so" >>/etc/pam.d/su
+ fi
+ if ! /usr/sbin/getcap $XSERVER | grep -q cap_sys_admin; then
+ /usr/sbin/setcap cap_sys_admin+eip $XSERVER
+ fi
fi
# Using su rather than sudo as latest 1.8.1 cause failure [YOCTO #1211]
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
index 385fea5e8399..c2995f99ffe1 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
@@ -10,6 +10,7 @@ SRC_URI = "file://xserver-nodm \
file://gplv2-license.patch \
file://xserver-nodm.service.in \
file://xserver-nodm.conf.in \
+ file://capability.conf \
"
S = "${WORKDIR}"
@@ -19,7 +20,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
inherit update-rc.d systemd features_check
-REQUIRED_DISTRO_FEATURES = "x11"
+REQUIRED_DISTRO_FEATURES = "x11 ${@oe.utils.conditional('ROOTLESS_X', '1', 'pam', '', d)}"
PACKAGECONFIG ??= "blank"
# dpms and screen saver will be on only if 'blank' is in PACKAGECONFIG
@@ -40,6 +41,8 @@ do_install() {
if [ "${ROOTLESS_X}" = "1" ] ; then
XUSER_HOME="/home/xuser"
XUSER="xuser"
+ install -D capability.conf ${D}${sysconfdir}/security/capability.conf
+ sed -i "s:@USER@:${XUSER}:" ${D}${sysconfdir}/security/capability.conf
else
XUSER_HOME=${ROOT_HOME}
XUSER="root"
@@ -60,7 +63,7 @@ do_install() {
fi
}
-RDEPENDS_${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account', '', d)}"
+RDEPENDS_${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account libcap libcap-bin', '', d)}"
INITSCRIPT_NAME = "xserver-nodm"
INITSCRIPT_PARAMS = "start 9 5 . stop 20 0 1 2 3 6 ."
--
2.21.1
More information about the Openembedded-core
mailing list