From e47aed13ef44805a8423b728ab29132e81c43b95 Mon Sep 17 00:00:00 2001
From: Francesco Pham <francesco.pham@huawei.com>
Date: Mon, 6 Feb 2023 14:45:13 +0100
Subject: [PATCH] openharmony-standard_3.0: add user, run system services as system user
OpenHarmony init system, is responsible for creation of some directories, handling permissions and running services with appropriate UIDs/GIDs. Currently in meta-openharmony we have everything run as root, which causes some issues. Adding system user with UID 1000. Run system services as system user.
Signed-off-by: Francesco Pham <francesco.pham@huawei.com>
---
 .../openharmony/files/openharmony-preinit | 20 +++++++++----------
 .../openharmony/openharmony-standard_3.0.bb | 5 +++++
 2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/recipes-openharmony/openharmony/files/openharmony-preinit b/recipes-openharmony/openharmony/files/openharmony-preinit
index 08f34262..974f3881 100644
--- a/recipes-openharmony/openharmony/files/openharmony-preinit
+++ b/recipes-openharmony/openharmony/files/openharmony-preinit
@@ -182,7 +182,7 @@ fi
 # "uid" : "system",
 # "gid" : ["system", "shell"]
 if systemctl -q is-enabled huks.service; then
- /system/bin/sa_main /system/profile/huks_service.xml & # SA: 3510
+ su system -c '/system/bin/sa_main /system/profile/huks_service.xml &' # SA: 3510
 sleep "$STARTUP_CMD_SLEEP"
 fi
@@ -192,7 +192,7 @@ fi
 # "uid" : "system",
 # "gid" : ["system", "shell"]
 if systemctl -q is-enabled deviceauth.service; then
- /system/bin/deviceauth_service & # SA: 4701 | Required SA: 3510
+ su system -c '/system/bin/deviceauth_service &' # SA: 4701 | Required SA: 3510
 sleep "$STARTUP_CMD_SLEEP"
 fi
@@ -207,7 +207,7 @@ fi
 # "/dev/blkio/foreground/tasks"
 # ]
 if systemctl -q is-enabled accountmgr.service; then
- /system/bin/sa_main /system/profile/accountmgr.xml & # SA: 200
+ su system -c '/system/bin/sa_main /system/profile/accountmgr.xml &' # SA: 200
 sleep "$STARTUP_CMD_SLEEP"
 fi
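Review bot: The `gid` list documented just above the changed line in the huks.service block (`["system", "shell"]`) is not what the service receives: `su system` gives the process only the groups the account has in the group database, and the recipe at the end of this patch creates just the `system` group through `-U`. The same gap applies to every other `su system -c` line in this file, and the media.service block additionally documents `media_rw`. If those groups are created elsewhere in the layer this is only a documentation gap; otherwise add them in the recipe, for example `GROUPADD_PARAM:${PN} = "shell; media_rw"` with `-G shell,media_rw` in `USERADD_PARAM`, keeping in mind that one shared account then gives every service the union of all groups. A short comment such as `# groups come from the account's entries, not from the gid list above` would record the difference.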
@@ -217,7 +217,7 @@ fi
 # "uid" : "system",
 # "gid" : ["system", "shell"]
 if systemctl -q is-enabled dsoftbus.service; then
- /system/bin/sa_main /system/profile/softbus_server.xml & # SA: 1401 4700 | Required SA: 3299
+ su system -c '/system/bin/sa_main /system/profile/softbus_server.xml &' # SA: 1401 4700 | Required SA: 3299
 sleep "$STARTUP_CMD_SLEEP"
 fi
@@ -231,7 +231,7 @@ fi
 # "uid" : "system",
 # "gid" : ["system", "shell"]
 if systemctl -q is-enabled distributedsched.service; then
- /system/bin/sa_main /system/profile/distributedsched.xml & # SA: 1401
+ su system -c '/system/bin/sa_main /system/profile/distributedsched.xml &' # SA: 1401
 sleep "$STARTUP_CMD_SLEEP"
 fi
@@ -247,7 +247,7 @@ fi
 # "/dev/blkio/foreground/tasks"
 # ]
 if systemctl -q is-enabled distributed_data.service; then
- /system/bin/sa_main /system/profile/distributeddata.xml & # SA: 1301
+ su system -c '/system/bin/sa_main /system/profile/distributeddata.xml &' # SA: 1301
 sleep "$STARTUP_CMD_SLEEP"
 fi
@@ -258,7 +258,7 @@ fi
 # "gid" : ["system", "shell"],
 # "caps" : ["SYS_TIME", "WAKE_ALARM"]
 if systemctl -q is-enabled time.service; then
- /system/bin/sa_main /system/profile/time_service.xml & # SA: 1401 180 3702
+ su system -c '/system/bin/sa_main /system/profile/time_service.xml &' # SA: 1401 180 3702
 sleep "$STARTUP_CMD_SLEEP"
 fi
@@ -270,7 +270,7 @@ fi
 # "gid" : ["system"],
 # "caps" : ["SYS_PTRACE", "KILL"]
 if systemctl -q is-enabled foundation.service; then
- /system/bin/sa_main /system/profile/foundation.xml & # SA: 180 182 3203 3299 3301 3308 3501 4010 | Required SA: 4700
+ su system -c '/system/bin/sa_main /system/profile/foundation.xml &' # SA: 180 182 3203 3299 3301 3308 3501 4010 | Required SA: 4700
 sleep "$STARTUP_CMD_SLEEP"
 fi
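Review bot: In the time.service block the documented `caps` (`SYS_TIME`, `WAKE_ALARM`) are lost with this change: a process started through `su system` runs as a non-root UID with an empty capability set unless the binary carries file capabilities, which nothing in this patch sets up. The foundation.service hunk (`SYS_PTRACE`, `KILL`) and the inputmethod.service hunk (`SYS_TIME`) have the same problem. If the services do need them, grant only the listed capabilities to the unprivileged process rather than returning to root, for example as ambient capabilities through util-linux `setpriv` (`--inh-caps` / `--ambient-caps`) if it is on the image; file capabilities on the shared `sa_main` binary would hand them to every service that uses it. At minimum add a comment on the changed line, such as `# NOTE: su drops all capabilities; the "caps" listed above are not applied`.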
@@ -280,7 +280,7 @@ fi
 # "uid" : "system",
 # "gid" : ["media_rw", "system"]
 if systemctl -q is-enabled media.service; then
- /system/bin/sa_main /system/profile/media_service.xml &
+ su system -c '/system/bin/sa_main /system/profile/media_service.xml &'
 sleep "$STARTUP_CMD_SLEEP"
 fi
@@ -291,7 +291,7 @@ fi
 # "gid" : ["system", "shell"],
 # "caps" : ["SYS_TIME"]
 if systemctl -q is-enabled inputmethod.service; then
- /system/bin/sa_main /system/profile/inputmethod_service.xml & # SA: 180 1401 3703
+ su system -c '/system/bin/sa_main /system/profile/inputmethod_service.xml &' # SA: 180 1401 3703
 sleep "$STARTUP_CMD_SLEEP"
 fi
diff --git a/recipes-openharmony/openharmony/openharmony-standard_3.0.bb b/recipes-openharmony/openharmony/openharmony-standard_3.0.bb
index 8d97f14b..ce61b6d1 100644
--- a/recipes-openharmony/openharmony/openharmony-standard_3.0.bb
+++ b/recipes-openharmony/openharmony/openharmony-standard_3.0.bb
@@ -1969,3 +1969,8 @@ EXCLUDE_FROM_SHLIBS = "1"
 # To avoid excessive diskspace blowup, we are stripping our executables
 INSANE_SKIP:${PN} += "already-stripped"
+
+inherit useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "-u 1000 -U -s /bin/sh system"
\ No newline at end of file
--
GitLab
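Review bot: `USERADD_PARAM` gives the service account an interactive shell (`-s /bin/sh`) and, with no `-M`, leaves home-directory creation to the defaults; an account that exists only to run daemons is better created without a usable login shell. Because the preinit script relies on `su system -c`, switching the shell means passing one explicitly there: `USERADD_PARAM:${PN} = "-u 1000 -U -M -s /sbin/nologin system"` together with `su -s /bin/sh system -c '…'` in openharmony-preinit (the nologin path depends on the image). No password is set in these parameters, so password login is presumably already locked, but the shell still matters for any other route into the account. A one-line comment stating why UID 1000 is fixed would also help, since that value is commonly the first regular user's UID on other systems.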