From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Robert Schwebel <r.schwebel@pengutronix.de>
Cc: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] dbus-broker: replacement dbus daemon
Date: Fri, 17 Jan 2025 17:36:47 +0100
Message-ID: <Z4qHHz6aewOSxNnC@pengutronix.de>
In-Reply-To: <20241218080159.2909891-1-r.schwebel@pengutronix.de>
On Wed, Dec 18, 2024 at 09:01:59AM +0100, Robert Schwebel wrote:
> From: Michael Olbrich <m.olbrich@pengutronix.de>
>
> dbus-broker has meanwhile evolved as an alternative to the standard dbus
> daemon. Since its beginning, it has for example been long used in
> Fedora, and Debian has it as an alternative implementation. So let's try
> it in ptxdist as well.
>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> [various version bumps, added sysroot mechanics for newer versions]
> Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
> ---
> .../usr/lib/systemd/system/dbus.socket | 5 +
> projectroot/usr/share/dbus-1/system.conf | 140 ++++++++++++++++++
Hmm, I'm pretty sure that these files will be used by the dbus package as
well. And they are just copies, because dbus-broker does not provide
its own versions, right?
We need a better solution for this.
> rules/dbus-broker.in | 17 +++
> rules/dbus-broker.make | 86 +++++++++++
> rules/dbus.in | 10 ++
> rules/dbus.make | 6 +-
> 6 files changed, 262 insertions(+), 2 deletions(-)
> create mode 100644 projectroot/usr/lib/systemd/system/dbus.socket
> create mode 100644 projectroot/usr/share/dbus-1/system.conf
> create mode 100644 rules/dbus-broker.in
> create mode 100644 rules/dbus-broker.make
>
> diff --git a/projectroot/usr/lib/systemd/system/dbus.socket b/projectroot/usr/lib/systemd/system/dbus.socket
> new file mode 100644
> index 000000000..0303bfbde
> --- /dev/null
> +++ b/projectroot/usr/lib/systemd/system/dbus.socket
> @@ -0,0 +1,5 @@
> +[Unit]
> +Description=D-Bus System Message Bus Socket
> +
> +[Socket]
> +ListenStream=/var/run/dbus/system_bus_socket
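Review bot: the listen path in this socket unit, `ListenStream=/var/run/dbus/system_bus_socket`, does not match the bus address that the accompanying system.conf configures, `<listen>unix:path=/run/dbus/system_bus_socket</listen>`. On systems where /var/run is a symlink to /run both resolve to the same socket, but using /run/dbus/system_bus_socket in both files removes that dependency and keeps the two configs in agreement. The missing [Install] section is fine, since the rule links the unit into sockets.target.wants itself.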
> diff --git a/projectroot/usr/share/dbus-1/system.conf b/projectroot/usr/share/dbus-1/system.conf
> new file mode 100644
> index 000000000..fb1526a4b
> --- /dev/null
> +++ b/projectroot/usr/share/dbus-1/system.conf
> @@ -0,0 +1,140 @@
> +<!-- This configuration file controls the systemwide message bus.
> + Add a system-local.conf and edit that rather than changing this
> + file directly. -->
> +
> +<!-- Note that there are any number of ways you can hose yourself
> + security-wise by screwing up this file; in particular, you
> + probably don't want to listen on any more addresses, add any more
> + auth mechanisms, run as a different user, etc. -->
> +
> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
> + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> +<busconfig>
> +
> + <!-- Our well-known bus type, do not change this -->
> + <type>system</type>
> +
> + <!-- Run as special user -->
> + <user>messagebus</user>
> +
> + <!-- Fork into daemon mode -->
> + <fork/>
> +
> + <!-- We use system service launching using a helper -->
> + <standard_system_servicedirs/>
> +
> + <!-- This is a setuid helper that is used to launch system services -->
> + <servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper>
> +
> + <!-- Write a pid file -->
> + <pidfile>/run/dbus/pid</pidfile>
> +
> + <!-- Enable logging to syslog -->
> + <syslog/>
> +
> + <!-- Only allow socket-credentials-based authentication -->
> + <auth>EXTERNAL</auth>
> +
> + <!-- Only listen on a local socket. (abstract=/path/to/socket
> + means use abstract namespace, don't really create filesystem
> + file; only Linux supports this. Use path=/whatever on other
> + systems.) -->
> + <listen>unix:path=/run/dbus/system_bus_socket</listen>
> +
> + <policy context="default">
> + <!-- All users can connect to system bus -->
> + <allow user="*"/>
> +
> + <!-- Holes must be punched in service configuration files for
> + name ownership and sending method calls -->
> + <deny own="*"/>
> + <deny send_type="method_call"/>
> +
> + <!-- Signals and reply messages (method returns, errors) are allowed
> + by default -->
> + <allow send_type="signal"/>
> + <allow send_requested_reply="true" send_type="method_return"/>
> + <allow send_requested_reply="true" send_type="error"/>
> +
> + <!-- All messages may be received by default -->
> + <allow receive_type="method_call"/>
> + <allow receive_type="method_return"/>
> + <allow receive_type="error"/>
> + <allow receive_type="signal"/>
> +
> + <!-- Allow anyone to talk to the message bus -->
> + <allow send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus" />
> + <allow send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus.Introspectable"/>
> + <allow send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus.Properties"/>
> + <!-- But disallow some specific bus services -->
> + <deny send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus"
> + send_member="UpdateActivationEnvironment"/>
> + <deny send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus.Debug.Stats"/>
> + <deny send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.systemd1.Activator"/>
> + </policy>
> +
> + <!-- Only systemd, which runs as root, may report activation failures. -->
> + <policy user="root">
> + <allow send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.systemd1.Activator"/>
> + </policy>
> +
> + <!-- root may monitor the system bus. -->
> + <policy user="root">
> + <allow send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus.Monitoring"/>
> + </policy>
> +
> + <!-- If the Stats interface was enabled at compile-time, root may use it.
> + Copy this into system.local.conf or system.d/*.conf if you want to
> + enable other privileged users to view statistics and debug info -->
> + <policy user="root">
> + <allow send_destination="org.freedesktop.DBus"
> + send_interface="org.freedesktop.DBus.Debug.Stats"/>
> + </policy>
> +
> + <!-- Include legacy configuration location -->
> + <include ignore_missing="yes">/etc/dbus-1/system.conf</include>
> +
> + <!-- The defaults for these limits are hard-coded in dbus-daemon.
> + Some clarifications:
> + Times are in milliseconds (ms); 1000ms = 1 second
> + 133169152 bytes = 127 MiB
> + 33554432 bytes = 32 MiB
> + 150000ms = 2.5 minutes -->
> + <!-- <limit name="max_incoming_bytes">133169152</limit> -->
> + <!-- <limit name="max_incoming_unix_fds">64</limit> -->
> + <!-- <limit name="max_outgoing_bytes">133169152</limit> -->
> + <!-- <limit name="max_outgoing_unix_fds">64</limit> -->
> + <!-- <limit name="max_message_size">33554432</limit> -->
> + <!-- <limit name="max_message_unix_fds">16</limit> -->
> + <!-- <limit name="service_start_timeout">25000</limit> -->
> + <!-- <limit name="auth_timeout">5000</limit> -->
> + <!-- <limit name="pending_fd_timeout">150000</limit> -->
> + <!-- <limit name="max_completed_connections">2048</limit> -->
> + <!-- <limit name="max_incomplete_connections">64</limit> -->
> + <!-- <limit name="max_connections_per_user">256</limit> -->
> + <!-- <limit name="max_pending_service_starts">512</limit> -->
> + <!-- <limit name="max_names_per_connection">512</limit> -->
> + <!-- <limit name="max_match_rules_per_connection">512</limit> -->
> + <!-- <limit name="max_replies_per_connection">128</limit> -->
> +
> + <!-- Config files are placed here that among other things, punch
> + holes in the above policy for specific services. -->
> + <includedir>system.d</includedir>
> +
> + <includedir>/etc/dbus-1/system.d</includedir>
> +
> + <!-- This is included last so local configuration can override what's
> + in this standard file -->
> + <include ignore_missing="yes">/etc/dbus-1/system-local.conf</include>
> +
> + <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
> +
> +</busconfig>
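Review bot: `<servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper>` names the setuid helper whose installation this series disables under PTXCONF_DBUS_NO_DAEMON (see the rules/dbus.make hunk), so with dbus-broker selected the config references a binary that is not on the target. Like `<fork/>`, `<pidfile>` and `<syslog/>`, it is a dbus-daemon specific directive; a config shipped for dbus-broker should drop the ones that do not apply, or, as noted above, the file should be shared with the dbus package rather than duplicated. The policy part is the one to keep verbatim when trimming: `<auth>EXTERNAL</auth>` limits authentication to socket credentials, `<deny own="*"/>` and `<deny send_type="method_call"/>` make the default context deny-by-default, and the root-only policies cover Monitoring, Debug.Stats and the systemd1.Activator interface.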
> diff --git a/rules/dbus-broker.in b/rules/dbus-broker.in
> new file mode 100644
> index 000000000..839a99246
> --- /dev/null
> +++ b/rules/dbus-broker.in
> @@ -0,0 +1,17 @@
> +## SECTION=middleware
> +
> +config DBUS_BROKER
> + tristate
> + depends on INITMETHOD_SYSTEMD
> + select HOST_MESON
> + select EXPAT
> + select SYSTEMD
> + select DBUS_NO_DAEMON if DBUS
> + prompt "dbus-broker"
> + help
> + The dbus-broker project is an implementation of a message bus as
> + defined by the D-Bus specification. Its aim is to provide high
> + performance and reliability, while keeping compatibility to the D-Bus
> + reference implementation. It is exclusively written for linux systems,
> + and makes use of many modern features provided by recent linux kernel
> + releases.
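Review bot: `select DBUS_NO_DAEMON if DBUS` changes what an already-enabled DBUS package installs (library only, no daemon, no launch helper, no config files) as a side effect of enabling this option, but the help text does not say so. One sentence here, along the lines of "if DBUS is also enabled, only libdbus-1 is installed and the daemon is replaced by dbus-broker", would make the interaction visible in the place where users enable it, in addition to the comment line added in rules/dbus.in.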
> diff --git a/rules/dbus-broker.make b/rules/dbus-broker.make
> new file mode 100644
> index 000000000..ffb9a9e9c
> --- /dev/null
> +++ b/rules/dbus-broker.make
> @@ -0,0 +1,86 @@
> +# -*-makefile-*-
> +#
> +# Copyright (C) 2018 by Michael Olbrich <m.olbrich@pengutronix.de>
> +#
> +# See CREDITS for details about who has contributed to this project.
> +#
> +# For further information about the PTXdist project and license conditions
> +# see the README file.
> +#
> +
> +#
> +# We provide this package
> +#
> +PACKAGES-$(PTXCONF_DBUS_BROKER) += dbus-broker
> +
> +#
> +# Paths and names
> +#
> +DBUS_BROKER_VERSION := 36
> +DBUS_BROKER_MD5 := 0398b41a250a6172e35750fc864ee33b
> +DBUS_BROKER := dbus-broker-$(DBUS_BROKER_VERSION)
> +DBUS_BROKER_SUFFIX := tar.xz
> +DBUS_BROKER_URL := https://github.com/bus1/dbus-broker/releases/download/v$(DBUS_BROKER_VERSION)/$(DBUS_BROKER).$(DBUS_BROKER_SUFFIX)
> +DBUS_BROKER_SOURCE := $(SRCDIR)/$(DBUS_BROKER).$(DBUS_BROKER_SUFFIX)
> +DBUS_BROKER_DIR := $(BUILDDIR)/$(DBUS_BROKER)
> +DBUS_BROKER_LICENSE := Apache-2.0
> +
> +# ----------------------------------------------------------------------------
> +# Prepare
> +# ----------------------------------------------------------------------------
> +
> +# host path leaks in if not set explicitly
> +DBUS_BROKER_CONF_ENV := \
> + $(CROSS_ENV) \
> + PTXDIST_PKG_CONFIG_VAR_NO_SYSROOT="systemdsystemunitdir systemduserunitdir catalogdir"
> +
> +#
> +# meson
> +#
> +DBUS_BROKER_CONF_TOOL := meson
> +DBUS_BROKER_CONF_OPT := \
> + $(CROSS_MESON_USR) \
> + -Daudit=false \
> + -Dc-shquote:reference-test=false \
> + -Ddocs=false \
> + -Dlauncher=true \
> + -Dreference-test=false \
> + -Dselinux=false \
> + -Dsystem-console-users="[]"
> +
> +# ----------------------------------------------------------------------------
> +# Target-Install
> +# ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/dbus-broker.targetinstall:
> + @$(call targetinfo)
> +
> + @$(call install_init, dbus-broker)
> + @$(call install_fixup, dbus-broker,PRIORITY,optional)
> + @$(call install_fixup, dbus-broker,SECTION,base)
> + @$(call install_fixup, dbus-broker,AUTHOR,"Michael Olbrich <m.olbrich@pengutronix.de>")
> + @$(call install_fixup, dbus-broker,DESCRIPTION,missing)
> +
> + @$(call install_copy, dbus-broker, 0, 0, 0755, -, \
> + /usr/bin/dbus-broker)
> + @$(call install_copy, dbus-broker, 0, 0, 0755, -, \
> + /usr/bin/dbus-broker-launch)
> +
> + @$(call install_alternative, dbus-broker, 0, 0, 0644, \
> + /usr/share/dbus-1/system.conf)
> +
> + @$(call install_copy, dbus-broker, 0, 0, 0644, -, \
> + /usr/lib/systemd/system/dbus-broker.service)
> + @$(call install_link, dbus-broker, dbus-broker.service, \
> + /usr/lib/systemd/system/dbus.service)
> +
> + @$(call install_alternative, dbus-broker, 0, 0, 0644, \
> + /usr/lib/systemd/system/dbus.socket)
> + @$(call install_link, dbus-broker, ../dbus.socket, \
> + /usr/lib/systemd/system/sockets.target.wants/dbus.socket)
> +
> + @$(call install_finish, dbus-broker)
> +
> + @$(call touch)
> +
> +# vim: syntax=make
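Review bot: `install_fixup, dbus-broker,DESCRIPTION,missing` leaves the package description as a placeholder; the first sentence of the help text in rules/dbus-broker.in ("an implementation of a message bus as defined by the D-Bus specification") can be used here. Also note that this rule installs only /usr/share/dbus-1/system.conf and dbus.socket; session.conf and the user-bus units are not provided, which is fine for a system-bus-only target but should be stated, since the dbus package stops installing session.conf once DBUS_NO_DAEMON is set.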
> diff --git a/rules/dbus.in b/rules/dbus.in
> index b205ee62f..c8b5f09be 100644
> --- a/rules/dbus.in
> +++ b/rules/dbus.in
> @@ -32,6 +32,14 @@ config DBUS_SELINUX
> depends on BROKEN
> bool
>
> +config DBUS_NO_DAEMON
> + bool
> +
> +comment "D-Bus daemon is provided by dbus-broker"
> + depends on DBUS_NO_DAEMON
> +
> +if !DBUS_NO_DAEMON
> +
> config DBUS_SYSTEMD
> bool
> default INITMETHOD_SYSTEMD
> @@ -60,3 +68,5 @@ config DBUS_SYSTEMD_USER_UNIT
> depends on SYSTEMD_UNITS_USER && DBUS_SYSTEMD_UNIT
>
> endif
> +
> +endif
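Review bot: this new `endif` closes the `if !DBUS_NO_DAEMON` opened in the first hunk of this file, and it now sits directly after the pre-existing `endif` of an inner block that is outside the visible context. With two nested blocks ending on adjacent lines, a trailing comment such as `endif # !DBUS_NO_DAEMON` on the new line (and a matching one on the existing `endif`) makes it clear which block each closes.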
> diff --git a/rules/dbus.make b/rules/dbus.make
> index f2bc7b552..dffa0ab6f 100644
> --- a/rules/dbus.make
> +++ b/rules/dbus.make
> @@ -89,6 +89,7 @@ $(STATEDIR)/dbus.targetinstall:
> @$(call install_fixup, dbus,AUTHOR,"Roland Hostettler <r.hostettler@gmx.ch>")
> @$(call install_fixup, dbus,DESCRIPTION,missing)
>
> +ifndef PTXCONF_DBUS_NO_DAEMON
dbus has a -Dmessage_bus= option to disable the daemon. And we can probably
disable tools as well.
> @$(call install_copy, dbus, 0, 0, 0755, -, \
> /usr/bin/dbus-daemon)
> @$(call install_copy, dbus, 0, 0, 0755, -, \
> @@ -105,14 +106,17 @@ $(STATEDIR)/dbus.targetinstall:
> /usr/bin/dbus-uuidgen)
> @$(call install_copy, dbus, 0, 104, 4754, -, \
> /usr/libexec/dbus-daemon-launch-helper)
> +endif
>
> @$(call install_lib, dbus, 0, 0, 0644, libdbus-1)
>
> # #
> # # install config files
> # #
> +ifndef PTXCONF_DBUS_NO_DAEMON
> @$(call install_alternative, dbus, 0, 0, 0644, /usr/share/dbus-1/system.conf)
> @$(call install_alternative, dbus, 0, 0, 0644, /usr/share/dbus-1/session.conf)
> +endif
>
> # #
> # # busybox init: start script
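Review bot: guarding the two `install_alternative` lines with `ifndef PTXCONF_DBUS_NO_DAEMON` also drops session.conf from the target, while rules/dbus-broker.make only provides system.conf, so a dbus-broker configuration that runs a session or user bus ends up with no session bus configuration at all. Either keep the session.conf install unconditional here, or have the dbus-broker rule install its own copy. The setuid launch helper (`0, 104, 4754`) correctly disappears in the same case, which is a welcome reduction of setuid binaries on the target.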
> @@ -132,8 +136,6 @@ ifdef PTXCONF_DBUS_SYSTEMD_UNIT
> /usr/lib/systemd/system/dbus.socket)
> @$(call install_link, dbus, ../dbus.socket, \
> /usr/lib/systemd/system/sockets.target.wants/dbus.socket)
> - @$(call install_link, dbus, ../dbus.socket, \
> - /usr/lib/systemd/system/dbus.target.wants/dbus.socket)
This looks strange; why is this hunk here?
Michael
>
> @$(call install_copy, dbus, 0, 0, 0644, -, \
> /usr/lib/systemd/system/dbus.service)
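Review bot: the removal of the `dbus.target.wants/dbus.socket` link is unrelated to adding dbus-broker and is not mentioned in the commit message. If it is intentional (the socket is already pulled in via `sockets.target.wants/dbus.socket` two lines earlier in the hunk), it belongs in a separate patch with its own rationale; otherwise it should be dropped from this one.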
> --
> 2.39.5
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |