* [ptxdist] [PATCH] dbus-broker: replacement dbus daemon
@ 2024-12-18  8:01 Robert Schwebel
  2025-01-17 16:36 ` Michael Olbrich
  0 siblings, 1 reply; 2+ messages in thread
From: Robert Schwebel @ 2024-12-18  8:01 UTC (permalink / raw)
  To: ptxdist; +Cc: Michael Olbrich, Robert Schwebel

From: Michael Olbrich <m.olbrich@pengutronix.de>

dbus-broker has meanwhile evolved into an alternative to the standard dbus
daemon. It has, for example, been used in Fedora since early on, and Debian
ships it as an alternative implementation. So let's try it in ptxdist as
well.

Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
[various version bumps, added sysroot mechanics for newer versions]
Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
---
 .../usr/lib/systemd/system/dbus.socket        |   5 +
 projectroot/usr/share/dbus-1/system.conf      | 140 ++++++++++++++++++
 rules/dbus-broker.in                          |  17 +++
 rules/dbus-broker.make                        |  86 +++++++++++
 rules/dbus.in                                 |  10 ++
 rules/dbus.make                               |   6 +-
 6 files changed, 262 insertions(+), 2 deletions(-)
 create mode 100644 projectroot/usr/lib/systemd/system/dbus.socket
 create mode 100644 projectroot/usr/share/dbus-1/system.conf
 create mode 100644 rules/dbus-broker.in
 create mode 100644 rules/dbus-broker.make

diff --git a/projectroot/usr/lib/systemd/system/dbus.socket b/projectroot/usr/lib/systemd/system/dbus.socket
new file mode 100644
index 000000000..0303bfbde
--- /dev/null
+++ b/projectroot/usr/lib/systemd/system/dbus.socket
@@ -0,0 +1,5 @@
+[Unit]
+Description=D-Bus System Message Bus Socket
+
+[Socket]
+ListenStream=/var/run/dbus/system_bus_socket
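Review bot: The socket path here is `/var/run/dbus/system_bus_socket`, while the `<listen>` element in the new projectroot/usr/share/dbus-1/system.conf (the next hunk) uses `unix:path=/run/dbus/system_bus_socket`; the two only name the same socket if /var/run is a symlink to /run on the target, which this patch does not guarantee. Clients that use the canonical path from system.conf would otherwise fail to connect, and any packaging check comparing the two files cannot tell that they are meant to agree. Using the same spelling in both places, `ListenStream=/run/dbus/system_bus_socket`, removes the dependency on the symlink.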
diff --git a/projectroot/usr/share/dbus-1/system.conf b/projectroot/usr/share/dbus-1/system.conf
new file mode 100644
index 000000000..fb1526a4b
--- /dev/null
+++ b/projectroot/usr/share/dbus-1/system.conf
@@ -0,0 +1,140 @@
+<!-- This configuration file controls the systemwide message bus.
+     Add a system-local.conf and edit that rather than changing this 
+     file directly. -->
+
+<!-- Note that there are any number of ways you can hose yourself
+     security-wise by screwing up this file; in particular, you
+     probably don't want to listen on any more addresses, add any more
+     auth mechanisms, run as a different user, etc. -->
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+  <!-- Our well-known bus type, do not change this -->
+  <type>system</type>
+
+  <!-- Run as special user -->
+  <user>messagebus</user>
+
+  <!-- Fork into daemon mode -->
+  <fork/>
+
+  <!-- We use system service launching using a helper -->
+  <standard_system_servicedirs/>
+
+  <!-- This is a setuid helper that is used to launch system services -->
+  <servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper>
+
+  <!-- Write a pid file -->
+  <pidfile>/run/dbus/pid</pidfile>
+
+  <!-- Enable logging to syslog -->
+  <syslog/>
+
+  <!-- Only allow socket-credentials-based authentication -->
+  <auth>EXTERNAL</auth>
+
+  <!-- Only listen on a local socket. (abstract=/path/to/socket 
+       means use abstract namespace, don't really create filesystem 
+       file; only Linux supports this. Use path=/whatever on other 
+       systems.) -->
+  <listen>unix:path=/run/dbus/system_bus_socket</listen>
+
+  <policy context="default">
+    <!-- All users can connect to system bus -->
+    <allow user="*"/>
+
+    <!-- Holes must be punched in service configuration files for
+         name ownership and sending method calls -->
+    <deny own="*"/>
+    <deny send_type="method_call"/>
+
+    <!-- Signals and reply messages (method returns, errors) are allowed
+         by default -->
+    <allow send_type="signal"/>
+    <allow send_requested_reply="true" send_type="method_return"/>
+    <allow send_requested_reply="true" send_type="error"/>
+
+    <!-- All messages may be received by default -->
+    <allow receive_type="method_call"/>
+    <allow receive_type="method_return"/>
+    <allow receive_type="error"/>
+    <allow receive_type="signal"/>
+
+    <!-- Allow anyone to talk to the message bus -->
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus" />
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Properties"/>
+    <!-- But disallow some specific bus services -->
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus"
+          send_member="UpdateActivationEnvironment"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus.Debug.Stats"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.systemd1.Activator"/>
+  </policy>
+
+  <!-- Only systemd, which runs as root, may report activation failures. -->
+  <policy user="root">
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.systemd1.Activator"/>
+  </policy>
+
+  <!-- root may monitor the system bus. -->
+  <policy user="root">
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Monitoring"/>
+  </policy>
+
+  <!-- If the Stats interface was enabled at compile-time, root may use it.
+       Copy this into system.local.conf or system.d/*.conf if you want to
+       enable other privileged users to view statistics and debug info -->
+  <policy user="root">
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Debug.Stats"/>
+  </policy>
+
+  <!-- Include legacy configuration location -->
+  <include ignore_missing="yes">/etc/dbus-1/system.conf</include>
+
+  <!-- The defaults for these limits are hard-coded in dbus-daemon.
+       Some clarifications:
+       Times are in milliseconds (ms); 1000ms = 1 second
+       133169152 bytes = 127 MiB
+       33554432 bytes = 32 MiB
+       150000ms = 2.5 minutes -->
+  <!-- <limit name="max_incoming_bytes">133169152</limit> -->
+  <!-- <limit name="max_incoming_unix_fds">64</limit> -->
+  <!-- <limit name="max_outgoing_bytes">133169152</limit> -->
+  <!-- <limit name="max_outgoing_unix_fds">64</limit> -->
+  <!-- <limit name="max_message_size">33554432</limit> -->
+  <!-- <limit name="max_message_unix_fds">16</limit> -->
+  <!-- <limit name="service_start_timeout">25000</limit> -->
+  <!-- <limit name="auth_timeout">5000</limit> -->
+  <!-- <limit name="pending_fd_timeout">150000</limit> -->
+  <!-- <limit name="max_completed_connections">2048</limit> -->
+  <!-- <limit name="max_incomplete_connections">64</limit> -->
+  <!-- <limit name="max_connections_per_user">256</limit> -->
+  <!-- <limit name="max_pending_service_starts">512</limit> -->
+  <!-- <limit name="max_names_per_connection">512</limit> -->
+  <!-- <limit name="max_match_rules_per_connection">512</limit> -->
+  <!-- <limit name="max_replies_per_connection">128</limit> -->
+
+  <!-- Config files are placed here that among other things, punch 
+       holes in the above policy for specific services. -->
+  <includedir>system.d</includedir>
+
+  <includedir>/etc/dbus-1/system.d</includedir>
+
+  <!-- This is included last so local configuration can override what's 
+       in this standard file -->
+  <include ignore_missing="yes">/etc/dbus-1/system-local.conf</include>
+
+  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
+
+</busconfig>
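Review bot: The `<servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper>` entry references the setuid (4754) helper that rules/dbus.make now installs only when PTXCONF_DBUS_NO_DAEMON is unset, so in the dbus-broker configuration this path points at a binary that is not on the target; `<fork/>`, `<pidfile>` and `<syslog/>` are likewise dbus-daemon process options. Presumably dbus-broker-launch ignores these and activates services through systemd, but a reader of the file cannot tell whether the stale helper path is harmless or a forgotten activation hole. Either drop the dbus-daemon-only elements or mark them with a comment above line 69 such as `<!-- fork/pidfile/syslog/servicehelper are dbus-daemon options; dbus-broker-launch activates services via systemd and does not use the helper -->`, with the claim about dbus-broker-launch confirmed before it is committed.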
diff --git a/rules/dbus-broker.in b/rules/dbus-broker.in
new file mode 100644
index 000000000..839a99246
--- /dev/null
+++ b/rules/dbus-broker.in
@@ -0,0 +1,17 @@
+## SECTION=middleware
+
+config DBUS_BROKER
+	tristate
+	depends on INITMETHOD_SYSTEMD
+	select HOST_MESON
+	select EXPAT
+	select SYSTEMD
+	select DBUS_NO_DAEMON		if DBUS
+	prompt "dbus-broker"
+	help
+	  The dbus-broker project is an implementation of a message bus as
+	  defined by the D-Bus specification. Its aim is to provide high
+	  performance and reliability, while keeping compatibility to the D-Bus
+	  reference implementation. It is exclusively written for linux systems,
+	  and makes use of many modern features provided by recent linux kernel
+	  releases.
diff --git a/rules/dbus-broker.make b/rules/dbus-broker.make
new file mode 100644
index 000000000..ffb9a9e9c
--- /dev/null
+++ b/rules/dbus-broker.make
@@ -0,0 +1,86 @@
+# -*-makefile-*-
+#
+# Copyright (C) 2018 by Michael Olbrich <m.olbrich@pengutronix.de>
+#
+# See CREDITS for details about who has contributed to this project.
+#
+# For further information about the PTXdist project and license conditions
+# see the README file.
+#
+
+#
+# We provide this package
+#
+PACKAGES-$(PTXCONF_DBUS_BROKER) += dbus-broker
+
+#
+# Paths and names
+#
+DBUS_BROKER_VERSION	:= 36
+DBUS_BROKER_MD5		:= 0398b41a250a6172e35750fc864ee33b
+DBUS_BROKER		:= dbus-broker-$(DBUS_BROKER_VERSION)
+DBUS_BROKER_SUFFIX	:= tar.xz
+DBUS_BROKER_URL		:= https://github.com/bus1/dbus-broker/releases/download/v$(DBUS_BROKER_VERSION)/$(DBUS_BROKER).$(DBUS_BROKER_SUFFIX)
+DBUS_BROKER_SOURCE	:= $(SRCDIR)/$(DBUS_BROKER).$(DBUS_BROKER_SUFFIX)
+DBUS_BROKER_DIR		:= $(BUILDDIR)/$(DBUS_BROKER)
+DBUS_BROKER_LICENSE	:= Apache-2.0
+
+# ----------------------------------------------------------------------------
+# Prepare
+# ----------------------------------------------------------------------------
+
+# host path leaks in if not set explicitly
+DBUS_BROKER_CONF_ENV	:= \
+	$(CROSS_ENV) \
+	PTXDIST_PKG_CONFIG_VAR_NO_SYSROOT="systemdsystemunitdir systemduserunitdir catalogdir"
+
+#
+# meson
+#
+DBUS_BROKER_CONF_TOOL	:= meson
+DBUS_BROKER_CONF_OPT	:= \
+	$(CROSS_MESON_USR) \
+	-Daudit=false \
+	-Dc-shquote:reference-test=false \
+	-Ddocs=false \
+	-Dlauncher=true \
+	-Dreference-test=false \
+	-Dselinux=false \
+	-Dsystem-console-users="[]"
+
+# ----------------------------------------------------------------------------
+# Target-Install
+# ----------------------------------------------------------------------------
+
+$(STATEDIR)/dbus-broker.targetinstall:
+	@$(call targetinfo)
+
+	@$(call install_init, dbus-broker)
+	@$(call install_fixup, dbus-broker,PRIORITY,optional)
+	@$(call install_fixup, dbus-broker,SECTION,base)
+	@$(call install_fixup, dbus-broker,AUTHOR,"Michael Olbrich <m.olbrich@pengutronix.de>")
+	@$(call install_fixup, dbus-broker,DESCRIPTION,missing)
+
+	@$(call install_copy, dbus-broker, 0, 0, 0755, -, \
+		/usr/bin/dbus-broker)
+	@$(call install_copy, dbus-broker, 0, 0, 0755, -, \
+		/usr/bin/dbus-broker-launch)
+
+	@$(call install_alternative, dbus-broker, 0, 0, 0644, \
+		/usr/share/dbus-1/system.conf)
+
+	@$(call install_copy, dbus-broker, 0, 0, 0644, -, \
+		/usr/lib/systemd/system/dbus-broker.service)
+	@$(call install_link, dbus-broker, dbus-broker.service, \
+		/usr/lib/systemd/system/dbus.service)
+
+	@$(call install_alternative, dbus-broker, 0, 0, 0644, \
+		/usr/lib/systemd/system/dbus.socket)
+	@$(call install_link, dbus-broker, ../dbus.socket, \
+		/usr/lib/systemd/system/sockets.target.wants/dbus.socket)
+
+	@$(call install_finish, dbus-broker)
+
+	@$(call touch)
+
+# vim: syntax=make
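Review bot: `-Daudit=false` and `-Dselinux=false` in DBUS_BROKER_CONF_OPT silently build the broker without audit logging of policy violations and without SELinux support, and nothing in the rule says why; since rules/dbus.in keeps `DBUS_SELINUX` under `depends on BROKEN`, this is probably deliberate, but a future maintainer has no way to know. A one-line why-comment above the option list, `# no Kconfig knobs for audit/selinux yet; keep both off like DBUS_SELINUX (BROKEN)`, would record the decision where it is made.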
diff --git a/rules/dbus.in b/rules/dbus.in
index b205ee62f..c8b5f09be 100644
--- a/rules/dbus.in
+++ b/rules/dbus.in
@@ -32,6 +32,14 @@ config DBUS_SELINUX
 	depends on BROKEN
 	bool
 
+config DBUS_NO_DAEMON
+	bool
+
+comment "D-Bus daemon is provided by dbus-broker"
+	depends on DBUS_NO_DAEMON
+
+if !DBUS_NO_DAEMON
+
 config DBUS_SYSTEMD
 	bool
 	default INITMETHOD_SYSTEMD
@@ -60,3 +68,5 @@ config DBUS_SYSTEMD_USER_UNIT
 	depends on SYSTEMD_UNITS_USER && DBUS_SYSTEMD_UNIT
 
 endif
+
+endif
diff --git a/rules/dbus.make b/rules/dbus.make
index f2bc7b552..dffa0ab6f 100644
--- a/rules/dbus.make
+++ b/rules/dbus.make
@@ -89,6 +89,7 @@ $(STATEDIR)/dbus.targetinstall:
 	@$(call install_fixup, dbus,AUTHOR,"Roland Hostettler <r.hostettler@gmx.ch>")
 	@$(call install_fixup, dbus,DESCRIPTION,missing)
 
+ifndef PTXCONF_DBUS_NO_DAEMON
 	@$(call install_copy, dbus, 0, 0, 0755, -, \
 		/usr/bin/dbus-daemon)
 	@$(call install_copy, dbus, 0, 0, 0755, -, \
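Review bot: The new `ifndef PTXCONF_DBUS_NO_DAEMON` opened at this hunk is closed only in the next hunk, after the dbus-daemon-launch-helper install, so every install_copy in the lines between the two hunks (not visible here) is skipped as well. Dropping the daemon and the setuid launch helper is exactly right for the broker case, but if any of the hidden lines install plain libdbus client utilities, those remain useful with dbus-broker and could sit outside the guard; please check which binaries fall inside the range. The recipe `$(STATEDIR)/dbus.targetinstall:` begins before this hunk. Separately, the removal of the dbus.target.wants/dbus.socket link in the last hunk of this file is not mentioned in the commit message and looks like an unrelated cleanup worth a sentence there.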
@@ -105,14 +106,17 @@ $(STATEDIR)/dbus.targetinstall:
 		/usr/bin/dbus-uuidgen)
 	@$(call install_copy, dbus, 0, 104, 4754, -, \
 		/usr/libexec/dbus-daemon-launch-helper)
+endif
 
 	@$(call install_lib, dbus, 0, 0, 0644, libdbus-1)
 
 #	#
 #	# install config files
 #	#
+ifndef PTXCONF_DBUS_NO_DAEMON
 	@$(call install_alternative, dbus, 0, 0, 0644, /usr/share/dbus-1/system.conf)
 	@$(call install_alternative, dbus, 0, 0, 0644, /usr/share/dbus-1/session.conf)
+endif
 
 #	#
 #	# busybox init: start script
@@ -132,8 +136,6 @@ ifdef PTXCONF_DBUS_SYSTEMD_UNIT
 		/usr/lib/systemd/system/dbus.socket)
 	@$(call install_link, dbus, ../dbus.socket, \
 		/usr/lib/systemd/system/sockets.target.wants/dbus.socket)
-	@$(call install_link, dbus, ../dbus.socket, \
-		/usr/lib/systemd/system/dbus.target.wants/dbus.socket)
 
 	@$(call install_copy, dbus, 0, 0, 0644, -, \
 		/usr/lib/systemd/system/dbus.service)
-- 
2.39.5




