diff --git a/etc/pam.d/wayland b/etc/pam.d/wayland
new file mode 100644
index 00000000..57faa2e2
--- /dev/null
+++ b/etc/pam.d/wayland
@@ -0,0 +1,12 @@
+#%PAM-1.0
+auth substack system-auth
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session required pam_loginuid.so
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+session include postlogin
+-session optional pam_ck_connector.so
diff --git a/etc/systemd/session-active.container b/etc/systemd/session-active.container
new file mode 100644
index 00000000..b0a5c32c
--- /dev/null
+++ b/etc/systemd/session-active.container
@@ -0,0 +1,19 @@
+[Unit]
+Description=session-activate container
+
+[Container]
+ContainerName=session-activate
+Environment=XDG_RUNTIME_DIR=/run/user/0
+Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket
+Exec=/usr/bin/entrypoint.sh
+Image=session-activate:latest
+SecurityLabelType=qm_container_wayland_t
+Volume=/run/systemd:/run/systemd:ro
+Volume=/run/dbus/system_bus_socket:/run/dbus/system_bus_socket
+Volume=/run/user/0:/run/user/0
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Restart=always
diff --git a/etc/systemd/system/qm-dbus.socket b/etc/systemd/system/qm-dbus.socket
new file mode 100644
index 00000000..70806184
--- /dev/null
+++ b/etc/systemd/system/qm-dbus.socket
@@ -0,0 +1,9 @@
+[Unit]
+Description=QM D-Bus User Message Bus Socket
+After=dbus.socket
+
+[Socket]
+ListenStream=%t/dbus/qm_bus_socket
+
+[Install]
+WantedBy=sockets.target
diff --git a/etc/systemd/system/wayland-session.service b/etc/systemd/system/wayland-session.service
new file mode 100644
index 00000000..865fce0e
--- /dev/null
+++ b/etc/systemd/system/wayland-session.service
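Review bot: Nothing in this commit references the new `wayland` PAM service: wayland-session.service sets `PAMName=login`, so /etc/pam.d/login is what gets consulted and this stack is dead configuration unless a caller outside the diff names it. If it is meant to be the session holder's stack, the unit should say `PAMName=wayland`; otherwise the file should not ship. `session required pam_loginuid.so` also deserves a second look for a stack used inside the QM container: pam_loginuid has to write /proc/self/loginuid, and where that is not permitted the `required` control fails the whole session, so confirm on the target and add a comment stating which environment this stack is intended for.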
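Review bot: Quadlet only generates units from `.container` files found in its search directories (/etc/containers/systemd, /usr/share/containers/systemd and their run/user variants), and this file is packaged at etc/systemd/session-active.container, so no session-active.service will be generated unless something outside the diff copies it; the other container files in this commit live under containers/systemd, so moving this one alongside them looks intended. `Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket` points session-bus clients at the system bus, whereas gnome_mutter.container in the same commit uses the dedicated /run/dbus/qm_bus_socket; if the system bus is deliberately used here, a comment saying why would stop the next reader from "fixing" it. `Image=session-activate:latest` is an unqualified short name resolved through registries.conf at pull time; a fully-qualified reference (ideally pinned by digest) makes the image provenance explicit.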
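Review bot: A .socket unit activates the service of the same name, and no qm-dbus.service is added in this commit, so systemd will refuse to start the socket unless that service (or a `Service=` setting in the [Socket] section) exists elsewhere. The listener also inherits the default `SocketMode=0666`; for a bus socket only the root-owned compositor containers are meant to reach, `SocketMode=0660` with `SocketUser=`/`SocketGroup=` narrows who can connect. `%t` expands to /run in a system unit, so `ListenStream=%t/dbus/qm_bus_socket` does match the /run/dbus/qm_bus_socket path the container files bind-mount.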
@@ -0,0 +1,37 @@
+[Unit]
+Description=Wayland Session Creation Handling
+After=systemd-user-sessions.service
+
+[Service]
+Type=simple
+Environment=XDG_SESSION_TYPE=wayland
+UnsetEnvironment=TERM
+ExecStart=/bin/sleep infinity
+Restart=no
+
+# Run the session as root (required by PAMName)
+User=0
+Group=0
+
+# Set up a full user session for the user, required by Wayland.
+PAMName=login
+
+# Fail to start if not controlling the tty.
+StandardInput=tty-fail
+
+# Defaults to journal.
+StandardError=journal
+StandardOutput=journal
+
+# A virtual terminal is needed.
+TTYPath=/dev/tty7
+TTYReset=yes
+TTYVHangup=yes
+TTYVTDisallocate=yes
+
+# Log this user with utmp.
+UtmpIdentifier=tty7
+UtmpMode=user
+
+[Install]
+WantedBy=graphical.target
diff --git a/rpm/qm.spec b/rpm/qm.spec
index d40f376d..01f04451 100644
--- a/rpm/qm.spec
+++ b/rpm/qm.spec
@@ -4,6 +4,8 @@
 %global selinuxtype targeted
 %global moduletype services
 %global modulenames qm
+%global rootfs_qm /usr/lib/qm/rootfs/
+
 %global seccomp_json /usr/share/%{modulenames}/seccomp.json
 %global setup_tool %{_prefix}/share/%{modulenames}/setup
@@ -22,8 +24,6 @@
 %bcond_without copr
 %endif
-
-
 %if 0%{?fedora}
 %global podman_epoch 5
 %else
@@ -58,6 +58,12 @@ BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %_selinux_policy_version
 BuildRequires: selinux-policy-devel >= %_selinux_policy_version
+%if %{defined enable_window_manager}
+Requires: %{enable_window_manager}
+Requires: weston
+Requires: dbus-tools
+%endif
+
 Requires: parted
 Requires: containers-common
 Requires: selinux-policy >= %_selinux_policy_version
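Review bot: The comment `# Run the session as root (required by PAMName)` overstates what PAMName= needs: systemd only requires `User=` to be set for the PAM session to be opened, not uid 0, so the comment should give the real reason root is chosen (access to /dev/tty7 and the root-owned /run/user/0 the containers mount, presumably) or the unit should use a dedicated service account. As written the unit opens a PAM session through /etc/pam.d/login, not the etc/pam.d/wayland file added in this commit, and records a root login on tty7 via `UtmpMode=user`, which is worth stating in the header comment since it shows up in `who`/`last`. `ExecStart=/bin/sleep infinity` with `Restart=no` means a killed session holder is never re-established; if that is intended, say so next to `Restart=no`.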
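Review bot: `%global rootfs_qm /usr/lib/qm/rootfs/` carries a trailing slash, and every use in the `%files windowmanager` hunk further down joins it as `%{rootfs_qm}/%{_sysconfdir}/...`, which expands to `/usr/lib/qm/rootfs//etc/...`; rpm tolerates the doubled separator, but it is easy to misread and differs from how the other path macros in this file are written. Define it as `%global rootfs_qm /usr/lib/qm/rootfs` and keep the single `/` at the join sites.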
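Review bot: The `%if %{defined enable_window_manager}` block makes the base qm package depend on the window manager, weston and dbus-tools, while the `%package windowmanager` subpackage added in the next hunk carries the same `Requires: weston` and `Requires: dbus-tools` unconditionally, so the two mechanisms overlap and the compositor can end up in the base image whenever the macro is set. Nothing in the diff defines `enable_window_manager`, so it presumably arrives via a build-time `--define`; a comment on the `%if` stating how it is expected to be set would help. Picking one mechanism — wrapping the subpackage in the same conditional, or dropping these main-package Requires and letting users install qm-windowmanager — keeps the base package free of the compositor when the feature is off.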
@@ -141,11 +147,30 @@ fi
 %ghost %dir %{_datadir}/containers/systemd
 %{_datadir}/containers/systemd/qm.container
 %ghost %{_sysconfdir}/containers/systemd/qm.container
+
 %{_mandir}/man8/*
 %ghost %dir %{_installscriptdir}
 %ghost %dir %{_installscriptdir}/rootfs
 %ghost %{_installscriptdir}/rootfs/*
+%package windowmanager
+Summary: Optional Window Manager deployed in QM environment (Experimental)
+Requires: weston
+Requires: dbus-tools
+Requires: qm
+%description windowmanager
+The optional window manager deployed in QM environment as nested container.
+
+%files windowmanager
+%{rootfs_qm}/%{_sysconfdir}/pam.d/wayland
+%{rootfs_qm}/%{_sysconfdir}/systemd/system/wayland-session.service
+%{rootfs_qm}/%{_sysconfdir}/systemd/system/qm-dbus.socket
+%{rootfs_qm}/%{_sysconfdir}/systemd/session-active.container
+%{rootfs_qm}/%{_libdir}/tmpfiles.d/etc/containers/systemd/gnome_mutter.container
+%{rootfs_qm}/%{_libdir}/tmpfiles.d/etc/containers/systemd/weston_terminal.container
+%config(noreplace) %{rootfs_qm}/%{_libdir}/tmpfiles.d/wayland-xdg-directory.conf
+%config(noreplace) %{rootfs_qm}/%{_libdir}/tmpfiles.d/etc/containers/systemd/qm.container.d/wayland-extra-devices.conf
+
 %changelog
 %if %{defined autochangelog}
 %autochangelog
diff --git a/tools/comment-pam-selinux-systemd-user b/tools/comment-pam-selinux-systemd-user
new file mode 100755
index 00000000..f3956d82
--- /dev/null
+++ b/tools/comment-pam-selinux-systemd-user
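Review bot: `Requires: qm` in `%package windowmanager` is unversioned; the conventional form for a subpackage is `Requires: %{name} = %{version}-%{release}` so qm-windowmanager cannot be installed against a mismatched base package. The `%files windowmanager` entries use `%{_libdir}/tmpfiles.d/...`, which expands to /usr/lib64/tmpfiles.d on 64-bit targets, while the files added in this commit live under usr/lib/tmpfiles.d; unless the %install step (not in this diff) maps one onto the other, the build ends with unpackaged or missing files, and `%{_tmpfilesdir}` or a literal /usr/lib/tmpfiles.d matches the source tree. No %install change appears in the diff, so how these files reach %{rootfs_qm} presumably relies on an existing tree copy; worth confirming before merging.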
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+FILE="/etc/pam.d/systemd-user"
+
+# Check if the file exists
+if [[ -f "$FILE" ]]; then
+ # Use sed to comment out lines containing pam_selinux
+ sed -i '/pam_selinux/ s/^/# /' "$FILE"
+ echo "Lines containing pam_selinux have been commented out in $FILE."
+else
+ echo "File $FILE not found!"
+ exit 1
+fi
diff --git a/usr/lib/tmpfiles.d/etc/containers/systemd/gnome_mutter.container b/usr/lib/tmpfiles.d/etc/containers/systemd/gnome_mutter.container
new file mode 100644
index 00000000..aba6a439
--- /dev/null
+++ b/usr/lib/tmpfiles.d/etc/containers/systemd/gnome_mutter.container
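Review bot: The `sed -i '/pam_selinux/ s/^/# /'` edit is neither idempotent nor checked: a second run turns an already commented `# session ... pam_selinux.so` line into `# # session ...`, and the success message is printed even when sed fails because nothing stops on error. Restrict the match to uncommented lines and fail fast: add `set -euo pipefail` after the shebang and use `sed -i '/^[^#]*pam_selinux/ s/^/# /' "$FILE"`. Disabling pam_selinux in /etc/pam.d/systemd-user is a security-relevant change, yet the script never records why it is needed; a header comment such as `# Comment out pam_selinux in systemd-user: <reason — confirm with author>` would let a future maintainer trace the decision to the QM nested-container setup.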
@@ -0,0 +1,39 @@
+[Unit]
+After=qm-dbus.socket
+Description=mutter container
+Requires=qm-dbus.socket
+
+[Container]
+ContainerName=mutter
+Environment=XDG_RUNTIME_DIR=/run/user/0
+Environment=XDG_SESSION_TYPE=wayland
+Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/dbus/qm_bus_socket
+Exec=mutter --no-x11 --wayland --sm-disable --wayland-display=wayland-0
+Image=mutter:latest
+SecurityLabelType=qm_container_wayland_t
+Volume=/run/systemd:/run/systemd:ro
+Volume=/run/udev:/run/udev:ro
+Volume=/run/dbus/qm_bus_socket:/run/dbus/qm_bus_socket
+Volume=/run/dbus/system_bus_socket:/run/dbus/system_bus_socket
+Volume=/run/user/0:/run/user/0
+AddDevice=/dev/dri/renderD128
+AddDevice=/dev/dri/card0
+AddDevice=/dev/tty0
+AddDevice=/dev/tty1
+AddDevice=/dev/tty2
+AddDevice=/dev/tty3
+AddDevice=/dev/tty4
+AddDevice=/dev/tty5
+AddDevice=/dev/tty6
+AddDevice=/dev/tty7
+AddDevice=/dev/input/event0
+AddDevice=/dev/input/event1
+AddDevice=/dev/input/event2
+AddDevice=/dev/input/event3
+AddDevice=/dev/input/event4
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Restart=always
diff --git a/usr/lib/tmpfiles.d/etc/containers/systemd/qm.container.d/wayland-extra-devices.conf b/usr/lib/tmpfiles.d/etc/containers/systemd/qm.container.d/wayland-extra-devices.conf
new file mode 100644
index 00000000..ca367c1f
--- /dev/null
+++ b/usr/lib/tmpfiles.d/etc/containers/systemd/qm.container.d/wayland-extra-devices.conf
@@ -0,0 +1,17 @@
+[Container]
+AddDevice=/dev/dri/renderD128
+AddDevice=/dev/dri/card0
+AddDevice=/dev/tty0
+AddDevice=/dev/tty1
+AddDevice=/dev/tty2
+AddDevice=/dev/tty3
+AddDevice=/dev/tty4
+AddDevice=/dev/tty5
+AddDevice=/dev/tty6
+AddDevice=/dev/tty7
+AddDevice=/dev/input/event0
+AddDevice=/dev/input/event1
+AddDevice=/dev/input/event2
+AddDevice=/dev/input/event3
+AddDevice=/dev/input/event4
+Volume=/run/udev:/run/udev:ro,Z
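Review bot: The `AddDevice=` list hard-codes /dev/input/event0–event4 and /dev/tty0–tty7, and podman refuses to create the container when any listed device is absent, so a machine whose input nodes enumerate differently from the development box (fewer event nodes, a hotplug reorder) fails the unit at start. Quadlet accepts a leading `-` to add a device only if it exists, e.g. `AddDevice=-/dev/input/event4`, which is the safer form for the input nodes; the same list is duplicated in wayland-extra-devices.conf in this commit and should get the same treatment. Beyond availability, the set hands the container every VT, the raw keyboard/mouse nodes and the host system bus socket, so a comment naming which of these mutter actually needs would help reviewers prune the list later.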
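Review bot: `Volume=/run/udev:/run/udev:ro,Z` relabels the bind-mount source, and /run/udev is host-wide runtime state owned by systemd-udevd, so the `Z` option rewrites the SELinux labels of the host's udev directory to the container's private label and can break udev and every other consumer of it on the host; podman's documentation warns against relabeling system directories this way. gnome_mutter.container in the same commit mounts the same directory as `/run/udev:/run/udev:ro` without relabeling, and this drop-in should match: `Volume=/run/udev:/run/udev:ro`. If the qm container's domain needs a specific label on /run/udev, that belongs in the SELinux policy rather than a runtime relabel.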
diff --git a/usr/lib/tmpfiles.d/etc/containers/systemd/weston_terminal.container b/usr/lib/tmpfiles.d/etc/containers/systemd/weston_terminal.container
new file mode 100644
index 00000000..1663c806
--- /dev/null
+++ b/usr/lib/tmpfiles.d/etc/containers/systemd/weston_terminal.container
@@ -0,0 +1,19 @@
+[Unit]
+After=mutter.service
+Description=weston_terminal container
+Requires=mutter.service
+
+[Container]
+ContainerName=weston_terminal
+Environment=XDG_RUNTIME_DIR=/run/user/0
+Environment=WAYLAND_DISPLAY=wayland-0
+Exec=/usr/bin/weston-terminal
+Image=localhost/weston_terminal:latest
+SecurityLabelType=qm_container_wayland_t
+Volume=/run/user/0:/run/user/0
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Restart=always
diff --git a/usr/lib/tmpfiles.d/wayland-xdg-directory.conf b/usr/lib/tmpfiles.d/wayland-xdg-directory.conf
new file mode 100644
index 00000000..0c5c7f83
--- /dev/null
+++ b/usr/lib/tmpfiles.d/wayland-xdg-directory.conf
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+d /run/user/0 0700 0 0 - -
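Review bot: `Requires=mutter.service` and `After=mutter.service` name a unit this commit does not create: Quadlet derives the unit name from the file name, so gnome_mutter.container yields gnome_mutter.service (`ContainerName=mutter` only sets the podman container name), and systemd will fail weston_terminal.service on the missing dependency unless a mutter.service exists elsewhere. Use `After=gnome_mutter.service` and `Requires=gnome_mutter.service`. `Image=localhost/weston_terminal:latest` is fully qualified while the other two container files in this commit use bare short names; aligning them, ideally with digests, makes explicit what gets pulled.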