* [Buildroot] [PATCH 0/4 v4] dus-borker: new package (branch yem/dbus-broker)
@ 2020-07-05 10:23 Yann E. MORIN
  2020-07-05 10:23 ` [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package Yann E. MORIN
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Yann E. MORIN @ 2020-07-05 10:23 UTC
  To: buildroot

Hello All!

This series is a rework of the original submission by Norbert, to add
dbus-broker and make use of it as a message bus daemon for use with
systemd.

I (Yann) have reorganised the package, and fixed various issues, and
finally introduced run-time tests.

All the gory details necessary to make dbus-broker work are explained in
the first patch's commit log.


Regards,
Yann E. MORIN.


The following changes since commit bc80c9121b70b576695765ee009ac8325ea00f06

  package/live555: bump version to 2020.06.25 (2020-07-04 23:40:57 +0200)


are available in the git repository at:

  https://git.busybox.net/~ymorin/git/buildroot

for you to fetch changes up to 94085071b1b7f791c88674c1d419fe5c60b06de1

  support/run-test: add test for systemd using dbus-broker (2020-07-05 09:32:35 +0200)


----------------------------------------------------------------
Norbert Lange (1):
      package/dbus-broker: new package

Yann E. MORIN (3):
      package/systemd: do not force dbus if dbus-broker is available
      support/testsuite: de-duplicate the systemd runtime tests
      support/run-test: add test for systemd using dbus-broker

 .gitlab-ci.yml                             |   4 +
 DEVELOPERS                                 |   1 +
 package/Config.in                          |   1 +
 package/dbus-broker/Config.in              |  22 ++++++
 package/dbus-broker/dbus-broker.hash       |   3 +
 package/dbus-broker/dbus-broker.mk         |  78 +++++++++++++++++++
 package/dbus-broker/dbus-user.conf         |   2 +
 package/dbus-broker/dbus.socket            |   5 ++
 package/dbus-broker/session.conf           |  65 ++++++++++++++++
 package/dbus-broker/system.conf            | 120 +++++++++++++++++++++++++++++
 package/systemd/Config.in                  |   2 +-
 support/testing/tests/init/test_systemd.py |  69 ++++++++++++-----
 12 files changed, 351 insertions(+), 21 deletions(-)
 create mode 100644 package/dbus-broker/Config.in
 create mode 100644 package/dbus-broker/dbus-broker.hash
 create mode 100644 package/dbus-broker/dbus-broker.mk
 create mode 100644 package/dbus-broker/dbus-user.conf
 create mode 100644 package/dbus-broker/dbus.socket
 create mode 100644 package/dbus-broker/session.conf
 create mode 100644 package/dbus-broker/system.conf

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package
  2020-07-05 10:23 [Buildroot] [PATCH 0/4 v4] dus-borker: new package (branch yem/dbus-broker) Yann E. MORIN
@ 2020-07-05 10:23 ` Yann E. MORIN
  2020-07-05 23:21   ` Norbert Lange
  2020-07-05 10:23 ` [Buildroot] [PATCH 2/4 v4] package/systemd: do not force dbus if dbus-broker is available Yann E. MORIN
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 10+ messages in thread
From: Yann E. MORIN @ 2020-07-05 10:23 UTC
  To: buildroot

From: Norbert Lange <nolange79@gmail.com>

dbus-broker is an alternate implementation of a dbus daemon. It can be
used as a drop-in replacement for the system bus daemon, as well as the
session bus daemon.

dbus-broker is (basically, and as far as we're concerned in Buildroot)
split in two components:

  - the actual message bus daemon, that relays messages across clients

  - a launcher, which is responsible for setting various aspects of the
    bus, like setting the policy et al. and opening the socket(s) the
    message bus daemon will have to listen on...

The launcher can only be used in a systemd setup (it makes heavy use of
systemd facilities), while the message bus is generic. However, the
message bus daemon is useless without a launcher. There does not exist a
non-systemd launcher, which makes dbus-broker actually a systemd-only
package; this can be revisited when/if a non-systemd launcher appears.

There are two cases:

 1. original dbus disabled

    Here, we install the config files and systemd socket activation
    units; dbus-broker provides the system and sessions bus daemons.

 2. original dbus enabled

    In this case, we do not install the config files and systemd socket
    activation units, or define a user: they all are provided by the
    original dbus, and we piggy-back on those.

    In this situation, the default system and sessions message bus are
    the original dbus; dbus-broker is not enabled.

    However, users may opt-in to use dbus-broker in a few ways:
      - at build-time: provide drop-in units in an overlay;
      - at build-time: call systemctl enable/disable from a post-build
        script;
      - at runtime (on a RW filesystem): by calling systemctl
        enable/disable

Note about the user: the path to the system bus socket is a so-called
"well-known location": it is expected to be there, by spec. Moving it
elsewhere is going to break existing programs. So, the user running the
system bus daemon must be able to create that socket.

As we may have two packages providing a system bus daemon, they have to
be both able to create the socket, and thus must both be able to write
in the directory containing the socket. And since they can be switched
at runtime, they must be running as the same user.

We can't just reference the original dbus user, so we duplicate the
entry. What is important, is that the user be named 'dbus', as that's
what we use in both cases.

dbus-broker code does not have a provision, like the original dbus has,
to specify the user to run as, and does not interpret the <user>
directive in the system.conf file. Since running the bus daemon as root
is not so safe, we create a systemd unit drop-in to complement the unit
provided by the package and define the user to run as.

As for that drop-in: systemd knows only about the 'dbus' service, which
is what dbus-broker impersonates, so the drop-in must be one for the
dbus service, not the dbus-broker service, which does not exist.

Note however that, as a consequence, when both the original dbus and
dbus-broker are installed, we can't install that drop-in, because the
default message bus daemon will be the original dbus, which already does
uid-switching internally. Thus we can't install the systemd drop-in to
the dbus service, which is not the one from dbus-broker but from the
original dbus. So, if the user wants to switch to dbus-broker in a
post-build script, or at runtime, they will have to take care of
providing that drop-in if they do not want the dbus-broker message bus
daemon to run as root.

Finally, the licensing terms are pretty trivial for dbus-broker itself,
but it makes use of third-party code that it inherits as git submodules
(that are bundled in the release archive). Thus the licensing is a bit
convoluted... The third-party codes claim to be licensed as "Apache-2.0
and LGP-2.1+" in their AUTHORS files, but at the same time claim
"**Apache-2.0** OR **LGPL-2.1-or-later**" in their README files. The
individual source files (that are used) do not seem to have any
licensing header to clarify the situation. So we represent the situation
with "Apache-2.0 and/or LGPL-2.1+".

Signed-off-by: Norbert Lange <nolange79@gmail.com>
[yann.morin.1998 at free.fr:
  - don't select systemd; depend on it instead
  - only install config files and systemd units without original dbus
  - install a user to run the message bus as
  - fix licensing info
  - entirely reword and extend the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

---
Changes v3 -> v4  (Yann, respinning after review by Norbert):
  - drop the non-systemd case
  - drop the launcher option
  - reinstate BR2_COREUTILS_HOST_DEPENDENCY and ln --relative
  - reinstate the user, explain it

Changes v2 -> v3  (Norbert, respinning after Yann):
  - add an own config entry for dbus-broker-launch
    enabled by default if systemd init is used
  - undo BR2_COREUTILS_HOST_DEPENDENCY
  - undo adding dbus user - never used by this package
  - add conditional audit dependency
  - cleanup conditional logic a bit

Changes v1 -> v2 (Yann):
  - make launcher conditional
  - don't select systemd; don't depend on it either
  - don't install systemd units without systemd
  - only install config files and systemd units without original dbus
  - rename hooks with meaningful names
  - fix licensing info
  - entirely reword and extend the commit log
---
 DEVELOPERS                           |   1 +
 package/Config.in                    |   1 +
 package/dbus-broker/Config.in        |  22 +++++
 package/dbus-broker/dbus-broker.hash |   3 +
 package/dbus-broker/dbus-broker.mk   |  78 +++++++++++++++++
 package/dbus-broker/dbus-user.conf   |   2 +
 package/dbus-broker/dbus.socket      |   5 ++
 package/dbus-broker/session.conf     |  65 +++++++++++++++
 package/dbus-broker/system.conf      | 120 +++++++++++++++++++++++++++
 9 files changed, 297 insertions(+)
 create mode 100644 package/dbus-broker/Config.in
 create mode 100644 package/dbus-broker/dbus-broker.hash
 create mode 100644 package/dbus-broker/dbus-broker.mk
 create mode 100644 package/dbus-broker/dbus-user.conf
 create mode 100644 package/dbus-broker/dbus.socket
 create mode 100644 package/dbus-broker/session.conf
 create mode 100644 package/dbus-broker/system.conf

diff --git a/DEVELOPERS b/DEVELOPERS
index 4b6a346a05..0983b09ac9 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1890,6 +1890,7 @@ F:	package/tpm-tools/
 F:	package/trousers/
 
 N:	Norbert Lange <nolange79@gmail.com>
+F:	package/dbus-broker/
 F:	package/tcf-agent/
 
 N:	Nylon Chen <nylon7@andestech.com>
diff --git a/package/Config.in b/package/Config.in
index 6a34a895af..60f8ee478a 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -433,6 +433,7 @@ endmenu
 	source "package/dahdi-linux/Config.in"
 	source "package/dahdi-tools/Config.in"
 	source "package/dbus/Config.in"
+	source "package/dbus-broker/Config.in"
 	source "package/dbus-cpp/Config.in"
 	source "package/dbus-glib/Config.in"
 	source "package/dbus-python/Config.in"
diff --git a/package/dbus-broker/Config.in b/package/dbus-broker/Config.in
new file mode 100644
index 0000000000..30d8b27280
--- /dev/null
+++ b/package/dbus-broker/Config.in
@@ -0,0 +1,22 @@
+config BR2_PACKAGE_DBUS_BROKER
+	bool "dbus-broker"
+	depends on BR2_USE_MMU
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_PACKAGE_SYSTEMD
+	select BR2_PACKAGE_EXPAT
+	help
+	  Linux D-Bus Message Broker.
+
+	  The dbus-broker project is an implementation of a message bus
+	  as defined by the D-Bus specification. Its aim is to provide
+	  high performance and reliability, while keeping compatibility
+	  to the D-Bus reference implementation.
+
+	  It is exclusively written for Linux systems, and makes use of
+	  many modern features provided by recent linux kernel releases.
+
+	  https://github.com/bus1/dbus-broker/wiki
+
+comment "dbusbroker needs systemd and a toolchain w/ threads"
+	depends on BR2_USE_MMU
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_PACKAGE_SYSTEMD
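Review bot: The `comment` entry at the end of this hunk spells the package "dbusbroker" while the prompt above it is "dbus-broker"; use the same spelling in both so that a menuconfig search for the package name also finds the reason it is hidden. The help text also says the daemon relies on "many modern features provided by recent linux kernel releases", yet nothing here states a minimum kernel or kernel-headers version; a sentence giving that minimum would help users whose image boots but whose bus never starts.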
diff --git a/package/dbus-broker/dbus-broker.hash b/package/dbus-broker/dbus-broker.hash
new file mode 100644
index 0000000000..b8d631767f
--- /dev/null
+++ b/package/dbus-broker/dbus-broker.hash
@@ -0,0 +1,3 @@
+# Locally calculated
+sha256  95adfde56bce898c3b69eee0524732365e802348dd8189a35d5d00c30990dc81  dbus-broker-23.tar.xz
+sha256  3cda3630283eda0eab825abe5ac84d191248c6b3fe1c232a118124959b96c6a4  LICENSE
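Review bot: Only `LICENSE` has a hash in this file, but `DBUS_BROKER_LICENSE_FILES` in dbus-broker.mk also lists the `AUTHORS` and `README.md` of seven subprojects. Add a sha256 line for each of those files, so that a change in the bundled third-party licensing text is noticed on the next version bump, which matters here because the commit log describes that licensing as inconsistent.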
diff --git a/package/dbus-broker/dbus-broker.mk b/package/dbus-broker/dbus-broker.mk
new file mode 100644
index 0000000000..9439b12c0d
--- /dev/null
+++ b/package/dbus-broker/dbus-broker.mk
@@ -0,0 +1,78 @@
+################################################################################
+#
+# dbus-broker
+#
+################################################################################
+
+DBUS_BROKER_VERSION = 23
+DBUS_BROKER_SOURCE = dbus-broker-$(DBUS_BROKER_VERSION).tar.xz
+DBUS_BROKER_SITE = https://github.com/bus1/dbus-broker/releases/download/v$(DBUS_BROKER_VERSION)
+
+# For the third-party code, the licensing legla-info is inconsistent between
+# the AUTHORS and README, so keep both
+DBUS_BROKER_LICENSE = \
+	Apache-2.0, \
+	Apache-2.0 and/or LGPL-2.1+ (c-dvar, c-ini, c-list, c-rbtree, c-shquote, c-stdaux, c-utf8)
+DBUS_BROKER_LICENSE_FILES = \
+	LICENSE \
+	subprojects/c-dvar/AUTHORS subprojects/c-dvar/README.md \
+	subprojects/c-ini/AUTHORS subprojects/c-ini/README.md \
+	subprojects/c-list/AUTHORS subprojects/c-list/README.md \
+	subprojects/c-rbtree/AUTHORS subprojects/c-rbtree/README.md \
+	subprojects/c-shquote/AUTHORS subprojects/c-shquote/README.md \
+	subprojects/c-stdaux/AUTHORS subprojects/c-stdaux/README.md \
+	subprojects/c-utf8/AUTHORS subprojects/c-utf8/README.md
+
+DBUS_BROKER_DEPENDENCIES = expat systemd
+DBUS_BROKER_CONF_OPTS = -Dlauncher=true
+
+ifeq ($(BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_17),y)
+DBUS_BROKER_CONF_OPTS += -Dlinux-4-17=true
+else
+DBUS_BROKER_CONF_OPTS += -Dlinux-4-17=false
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+DBUS_BROKER_DEPENDENCIES += audit
+DBUS_BROKER_CONF_OPTS += -Daudit=true
+else
+DBUS_BROKER_CONF_OPTS += -Daudit=false
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+DBUS_BROKER_DEPENDENCIES += libselinux
+DBUS_BROKER_CONF_OPTS += -Dselinux=true
+else
+DBUS_BROKER_CONF_OPTS += -Dselinux=false
+endif
+
+# Only install units for system bus daemon socket if original dbus is not present
+# Only install config and service files if original dbus is not present
+# Only define a user if the original dbus is not present
+#
+# Note: BR2_COREUTILS_HOST_DEPENDENCY to be able to use ln --relative
+ifeq ($(BR2_PACKAGE_DBUS),)
+DBUS_BROKER_DEPENDENCIES += $(BR2_COREUTILS_HOST_DEPENDENCY)
+
+# We msut be using the same user as the origian dbus, so we can share
+# the home directory and create a socket there.
+define DBUS_BROKER_USERS
+	dbus -1 dbus -1 * /var/run/dbus - dbus DBus messagebus user
+endef
+
+define DBUS_BROKER_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 0644 $(DBUS_BROKER_PKGDIR)/session.conf \
+		$(TARGET_DIR)/usr/share/dbus-1/session.conf
+	$(INSTALL) -D -m 0644 $(DBUS_BROKER_PKGDIR)/system.conf \
+		$(TARGET_DIR)/usr/share/dbus-1/system.conf
+	$(INSTALL) -D -m 0644 $(DBUS_BROKER_PKGDIR)/dbus.socket \
+		$(TARGET_DIR)/usr/lib/systemd/system/dbus.socket
+	$(HOST_MAKE_ENV) ln -sf --relative \
+		$(TARGET_DIR)/usr/lib/systemd/system/dbus.socket \
+		$(TARGET_DIR)/usr/lib/systemd/system/sockets.target.wants/dbus.socket
+	$(INSTALL) -D -m 0644 $(DBUS_BROKER_PKGDIR)/dbus-user.conf \
+		$(TARGET_DIR)/etc/systemd/system/dbus.service.d/dbus-user.conf
+endef
+endif # !BR2_PACKAGE_DBUS
+
+$(eval $(meson-package))
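Review bot: The last command of `DBUS_BROKER_INSTALL_INIT_SYSTEMD` puts `dbus-user.conf` in `$(TARGET_DIR)/etc/systemd/system/dbus.service.d/`, while the socket unit shipped by the same hook goes to `/usr/lib/systemd/system`. Since that drop-in is the only thing keeping the bus daemon from running as root, consider installing it in `/usr/lib/systemd/system/dbus.service.d/` with the other package-provided files and leaving `/etc` for local overrides. The hook also installs `session.conf` and `system.conf`, which are not init-system files, so a separate target-install hook (or a comment saying why they sit here) would be clearer. Three comments need a spelling fix: "legla-info", "msut" and "origian".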
diff --git a/package/dbus-broker/dbus-user.conf b/package/dbus-broker/dbus-user.conf
new file mode 100644
index 0000000000..f7bdc06cf5
--- /dev/null
+++ b/package/dbus-broker/dbus-user.conf
@@ -0,0 +1,2 @@
+[Service]
+User=dbus
diff --git a/package/dbus-broker/dbus.socket b/package/dbus-broker/dbus.socket
new file mode 100644
index 0000000000..5c373cf450
--- /dev/null
+++ b/package/dbus-broker/dbus.socket
@@ -0,0 +1,5 @@
+[Unit]
+Description=D-Bus System Message Bus Socket
+
+[Socket]
+ListenStream=/run/dbus/system_bus_socket
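Review bot: The unit has no `[Install]` section, so it is enabled only through the `sockets.target.wants` symlink created by hand in dbus-broker.mk. Adding `[Install]` with `WantedBy=sockets.target` would let `systemctl enable/disable`, which the commit log names as a way to switch daemons, act on this unit as well, and would document the intended activation in the unit itself.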
diff --git a/package/dbus-broker/session.conf b/package/dbus-broker/session.conf
new file mode 100644
index 0000000000..e4758fa218
--- /dev/null
+++ b/package/dbus-broker/session.conf
@@ -0,0 +1,65 @@
+<!-- This configuration file controls the per-user-login-session message bus.
+     Add a session-local.conf and edit that rather than changing this
+     file directly. -->
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <!-- Our well-known bus type, don't change this -->
+  <type>session</type>
+
+  <!-- If we fork, keep the user's original umask to avoid affecting
+       the behavior of child processes. -->
+  <keep_umask/>
+
+  <standard_session_servicedirs />
+
+  <policy context="default">
+    <!-- Allow everything to be sent -->
+    <allow send_destination="*" eavesdrop="true"/>
+    <!-- Allow everything to be received -->
+    <allow eavesdrop="true"/>
+    <!-- Allow anyone to own anything -->
+    <allow own="*"/>
+  </policy>
+
+  <!-- Config files are placed here that among other things,
+       further restrict the above policy for specific services. -->
+  <includedir>session.d</includedir>
+
+  <includedir>/etc/dbus-1/session.d</includedir>
+
+  <!-- This is included last so local configuration can override what's
+       in this standard file -->
+  <include ignore_missing="yes">/etc/dbus-1/session-local.conf</include>
+
+  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
+
+  <!-- For the session bus, override the default relatively-low limits
+       with essentially infinite limits, since the bus is just running
+       as the user anyway, using up bus resources is not something we need
+       to worry about. In some cases, we do set the limits lower than
+       "all available memory" if exceeding the limit is almost certainly a bug,
+       having the bus enforce a limit is nicer than a huge memory leak. But the
+       intent is that these limits should never be hit. -->
+
+  <!-- the memory limits are 1G instead of say 4G because they can't exceed 32-bit signed int max -->
+  <limit name="max_incoming_bytes">1000000000</limit>
+  <limit name="max_incoming_unix_fds">250000000</limit>
+  <limit name="max_outgoing_bytes">1000000000</limit>
+  <limit name="max_outgoing_unix_fds">250000000</limit>
+  <limit name="max_message_size">1000000000</limit>
+  <!-- We do not override max_message_unix_fds here since the in-kernel
+       limit is also relatively low -->
+  <limit name="service_start_timeout">120000</limit>
+  <limit name="auth_timeout">240000</limit>
+  <limit name="pending_fd_timeout">150000</limit>
+  <limit name="max_completed_connections">100000</limit>
+  <limit name="max_incomplete_connections">10000</limit>
+  <limit name="max_connections_per_user">100000</limit>
+  <limit name="max_pending_service_starts">10000</limit>
+  <limit name="max_names_per_connection">50000</limit>
+  <limit name="max_match_rules_per_connection">50000</limit>
+  <limit name="max_replies_per_connection">50000</limit>
+
+</busconfig>
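Review bot: The file has no header saying where it was taken from or which upstream release it corresponds to; a one-line origin comment at the top would make later re-syncs possible. In the `<policy context="default">` block, both `<allow>` rules carry `eavesdrop="true"`: does dbus-broker act on that attribute? If it does not, dropping it keeps the shipped policy limited to what the broker enforces; if it does, the commit log should say that every session client may observe all traffic by default.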
diff --git a/package/dbus-broker/system.conf b/package/dbus-broker/system.conf
new file mode 100644
index 0000000000..a1e8df7367
--- /dev/null
+++ b/package/dbus-broker/system.conf
@@ -0,0 +1,120 @@
+<!-- This configuration file controls the systemwide message bus.
+     Add a system-local.conf and edit that rather than changing this
+     file directly. -->
+
+<!-- Note that there are any number of ways you can hose yourself
+     security-wise by screwing up this file; in particular, you
+     probably don't want to listen on any more addresses, add any more
+     auth mechanisms, run as a different user, etc. -->
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+
+  <!-- Our well-known bus type, do not change this -->
+  <type>system</type>
+
+  <!-- Fork into daemon mode -->
+  <fork/>
+
+  <!-- We use system service launching using a helper -->
+  <standard_system_servicedirs/>
+
+  <!-- Enable logging to syslog -->
+  <syslog/>
+
+  <policy context="default">
+    <!-- All users can connect to system bus -->
+    <allow user="*"/>
+
+    <!-- Holes must be punched in service configuration files for
+         name ownership and sending method calls -->
+    <deny own="*"/>
+    <deny send_type="method_call"/>
+
+    <!-- Signals and reply messages (method returns, errors) are allowed
+         by default -->
+    <allow send_type="signal"/>
+    <allow send_requested_reply="true" send_type="method_return"/>
+    <allow send_requested_reply="true" send_type="error"/>
+
+    <!-- All messages may be received by default -->
+    <allow receive_type="method_call"/>
+    <allow receive_type="method_return"/>
+    <allow receive_type="error"/>
+    <allow receive_type="signal"/>
+
+    <!-- Allow anyone to talk to the message bus -->
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus" />
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Properties"/>
+    <!-- But disallow some specific bus services -->
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus"
+          send_member="UpdateActivationEnvironment"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus.Debug.Stats"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.systemd1.Activator"/>
+  </policy>
+
+  <!-- Only systemd, which runs as root, may report activation failures. -->
+  <policy user="root">
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.systemd1.Activator"/>
+  </policy>
+
+  <!-- root may monitor the system bus. -->
+  <policy user="root">
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Monitoring"/>
+  </policy>
+
+  <!-- If the Stats interface was enabled@compile-time, root may use it.
+       Copy this into system.local.conf or system.d/*.conf if you want to
+       enable other privileged users to view statistics and debug info -->
+  <policy user="root">
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Debug.Stats"/>
+  </policy>
+
+
+  <!-- The defaults for these limits are hard-coded in dbus-daemon.
+       Some clarifications:
+       Times are in milliseconds (ms); 1000ms = 1 second
+       133169152 bytes = 127 MiB
+       33554432 bytes = 32 MiB
+       150000ms = 2.5 minutes -->
+  <!-- <limit name="max_incoming_bytes">133169152</limit> -->
+  <!-- <limit name="max_incoming_unix_fds">64</limit> -->
+  <!-- <limit name="max_outgoing_bytes">133169152</limit> -->
+  <!-- <limit name="max_outgoing_unix_fds">64</limit> -->
+  <!-- <limit name="max_message_size">33554432</limit> -->
+  <!-- <limit name="max_message_unix_fds">16</limit> -->
+  <!-- <limit name="service_start_timeout">25000</limit> -->
+  <!-- <limit name="auth_timeout">5000</limit> -->
+  <!-- <limit name="pending_fd_timeout">150000</limit> -->
+  <!-- <limit name="max_completed_connections">2048</limit> -->
+  <!-- <limit name="max_incomplete_connections">64</limit> -->
+  <!-- <limit name="max_connections_per_user">256</limit> -->
+  <!-- <limit name="max_pending_service_starts">512</limit> -->
+  <!-- <limit name="max_names_per_connection">512</limit> -->
+  <!-- <limit name="max_match_rules_per_connection">512</limit> -->
+  <!-- <limit name="max_replies_per_connection">128</limit> -->
+
+  <!-- Config files are placed here that among other things, punch
+       holes in the above policy for specific services. -->
+  <includedir>system.d</includedir>
+
+  <includedir>/etc/dbus-1/system.d</includedir>
+
+  <!-- This is included last so local configuration can override what's
+       in this standard file -->
+  <include ignore_missing="yes">/etc/dbus-1/system-local.conf</include>
+
+  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
+
+</busconfig>
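Review bot: Nothing in this file tells the reader that the user the daemon runs as is set elsewhere. The header comment warns against "run as a different user", there is no `<user>` element, and the commit log states that dbus-broker does not interpret that directive; a short comment pointing to the `dbus.service.d/dbus-user.conf` drop-in would keep someone from adding `<user>` here and assuming it takes effect. The `<fork/>` element and the limits comment ("hard-coded in dbus-daemon") also describe the reference daemon; either drop them or note that they are kept only for compatibility with the original file.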
-- 
2.20.1
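
The commit log above says that when dbus-broker is switched in by hand next to the original dbus, the `User=` drop-in for `dbus.service` has to be supplied or the bus daemon runs as root. A post-build check for that condition, as an added example that is not part of the posted series; it assumes dbus-broker is the active daemon when `dbus.service` is a symlink to `dbus-broker.service`, and all function names are illustrative:

```shell
#!/bin/sh
# Added example (not from the posted series): flag a target tree in which
# dbus-broker would run as root because no drop-in sets User= for dbus.service.
# Assumption: dbus-broker is the active bus daemon when dbus.service is a
# symlink to dbus-broker.service. All function names are illustrative.

# Return 0 if dbus.service in target tree $1 is an alias of dbus-broker.
broker_is_dbus_service() {
    for u in "$1/etc/systemd/system/dbus.service" \
             "$1/usr/lib/systemd/system/dbus.service"; do
        if [ -L "$u" ]; then
            case "$(readlink "$u")" in
                *dbus-broker.service) return 0 ;;
            esac
            return 1
        fi
        # A regular unit file here is the original dbus service.
        if [ -e "$u" ]; then return 1; fi
    done
    return 1
}

# List the dbus.service drop-ins of tree $1 in the order systemd applies
# them: sorted by file name, a file in /etc replacing its /usr/lib namesake.
list_dropins() {
    for d in "$1/usr/lib/systemd/system/dbus.service.d" \
             "$1/etc/systemd/system/dbus.service.d"; do
        for f in "$d"/*.conf; do
            if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
        done
    done | sort -s -k1,1 | awk -F'\t' '
        !($1 in path) { order[++n] = $1 }
        { path[$1] = $2 }
        END { for (i = 1; i <= n; i++) print path[order[i]] }'
}

# Print the last User= assigned in a [Service] section across the drop-ins
# (empty output: nothing sets it, so the service runs as root).
effective_user() {
    list_dropins "$1" | while IFS= read -r f; do
        awk '
            /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
            in_service && /^[ \t]*User[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
            }' "$f"
    done | tail -n 1
}

# Exit status 0: safe (original dbus, or broker with a non-root User=).
# Exit status 1: dbus-broker is the bus daemon and would run as root.
audit_dbus_user() {
    if ! broker_is_dbus_service "$1"; then
        echo "ok: dbus.service is not provided by dbus-broker"
        return 0
    fi
    user=$(effective_user "$1")
    case "$user" in
        ''|root|0)
            echo "FAIL: dbus-broker is dbus.service but no drop-in sets a non-root User="
            return 1 ;;
    esac
    echo "ok: dbus-broker runs as '$user'"
}

# Constructed sample tree: dbus.service aliased to dbus-broker.service,
# with $1 (may be empty) as the body of dbus.service.d/dbus-user.conf.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib/systemd/system" "$t/etc/systemd/system/dbus.service.d"
    : > "$t/usr/lib/systemd/system/dbus-broker.service"
    ln -s /usr/lib/systemd/system/dbus-broker.service \
        "$t/etc/systemd/system/dbus.service"
    if [ -n "$1" ]; then
        printf '%s\n' "$1" > "$t/etc/systemd/system/dbus.service.d/dbus-user.conf"
    fi
    echo "$t"
}

# As a Buildroot post-build script, $1 is the target directory; with no
# argument, run on the constructed tree (no drop-in, so the check fails).
if [ $# -gt 0 ]; then
    audit_dbus_user "$1"
else
    demo=$(make_sample_tree "")
    audit_dbus_user "$demo" || true
    rm -rf "$demo"
fi
```

Only drop-ins are inspected, because the commit log states that the unit shipped by dbus-broker sets no user itself.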

* [Buildroot] [PATCH 2/4 v4] package/systemd: do not force dbus if dbus-broker is available
  2020-07-05 10:23 [Buildroot] [PATCH 0/4 v4] dus-borker: new package (branch yem/dbus-broker) Yann E. MORIN
  2020-07-05 10:23 ` [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package Yann E. MORIN
@ 2020-07-05 10:23 ` Yann E. MORIN
  2020-07-05 10:23 ` [Buildroot] [PATCH 3/4 v4] support/testsuite: de-duplicate the systemd runtime tests Yann E. MORIN
  2020-07-05 10:23 ` [Buildroot] [PATCH 4/4 v4] support/run-test: add test for systemd using dbus-broker Yann E. MORIN
  3 siblings, 0 replies; 10+ messages in thread
From: Yann E. MORIN @ 2020-07-05 10:23 UTC
  To: buildroot

dbus-broker fits the bill as a message bus daemon, so only enable the
original dbus if dbus-broker is not enabled.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/Config.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/systemd/Config.in b/package/systemd/Config.in
index dd3b8c534d..37f9d04850 100644
--- a/package/systemd/Config.in
+++ b/package/systemd/Config.in
@@ -25,7 +25,7 @@ menuconfig BR2_PACKAGE_SYSTEMD
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_5
 	depends on BR2_HOST_GCC_AT_LEAST_5 # host-systemd
 	select BR2_PACKAGE_HAS_UDEV
-	select BR2_PACKAGE_DBUS # runtime dependency only
+	select BR2_PACKAGE_DBUS if !BR2_PACKAGE_DBUS_BROKER # runtime
 	select BR2_PACKAGE_LIBCAP
 	select BR2_PACKAGE_UTIL_LINUX
 	select BR2_PACKAGE_UTIL_LINUX_LIBBLKID
-- 
2.20.1

* [Buildroot] [PATCH 3/4 v4] support/testsuite: de-duplicate the systemd runtime tests
  2020-07-05 10:23 [Buildroot] [PATCH 0/4 v4] dus-borker: new package (branch yem/dbus-broker) Yann E. MORIN
  2020-07-05 10:23 ` [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package Yann E. MORIN
  2020-07-05 10:23 ` [Buildroot] [PATCH 2/4 v4] package/systemd: do not force dbus if dbus-broker is available Yann E. MORIN
@ 2020-07-05 10:23 ` Yann E. MORIN
  2020-07-05 10:23 ` [Buildroot] [PATCH 4/4 v4] support/run-test: add test for systemd using dbus-broker Yann E. MORIN
  3 siblings, 0 replies; 10+ messages in thread
From: Yann E. MORIN @ 2020-07-05 10:23 UTC
  To: buildroot

Of all the systemd init tests, only one does some additional tests, and
for just this lone wolf, we duplicate the test function.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 support/testing/tests/init/test_systemd.py | 32 ++++++++--------------
 1 file changed, 12 insertions(+), 20 deletions(-)

diff --git a/support/testing/tests/init/test_systemd.py b/support/testing/tests/init/test_systemd.py
index 371be4ad7d..cf952bef44 100644
--- a/support/testing/tests/init/test_systemd.py
+++ b/support/testing/tests/init/test_systemd.py
@@ -21,8 +21,9 @@ class InitSystemSystemdBase(InitSystemBase):
         # BR2_TARGET_ROOTFS_TAR is not set
         """.format(infra.filepath("conf/binfmt-misc-kernel-fragment.config"))
 
-    def check_init(self):
-        super(InitSystemSystemdBase, self).check_init("/lib/systemd/systemd")
+    def check_systemd(self, fs):
+        self.start_emulator(fs, "zImage", "vexpress-v2p-ca9")
+        self.check_init("/lib/systemd/systemd")
 
         # Test all units are OK
         output, _ = self.emulator.run("systemctl --no-pager --failed --no-legend")
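Review bot: `check_systemd()` has no docstring, and its name does not say that it now boots the emulator itself, with "zImage" and "vexpress-v2p-ca9" fixed in the body. A short docstring stating that it starts the image for rootfs type `fs` and then runs the init, failed-unit, journal and network checks would make the contract clear to the subclasses that call it from `test_run()`.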
@@ -36,6 +37,9 @@ class InitSystemSystemdBase(InitSystemBase):
         output, _ = self.emulator.run("journalctl --no-pager --lines 1 --quiet")
         self.assertEqual(len(output), 1)
 
+        # Check the network is up
+        self.check_network("eth0")
+
 
 class TestInitSystemSystemdRoNetworkd(InitSystemSystemdBase):
     config = InitSystemSystemdBase.config + \
@@ -47,9 +51,7 @@ class TestInitSystemSystemdRoNetworkd(InitSystemSystemdBase):
         """.format(infra.filepath("tests/init/systemd-factory"))
 
     def test_run(self):
-        self.start_emulator("squashfs", "zImage", "vexpress-v2p-ca9")
-        self.check_init()
-        self.check_network("eth0")
+        self.check_systemd("squashfs")
 
         # This one must be executed on the target, to check that
         # the factory feature works as expected
@@ -66,9 +68,7 @@ class TestInitSystemSystemdRwNetworkd(InitSystemSystemdBase):
         """
 
     def test_run(self):
-        self.start_emulator("ext2", "zImage", "vexpress-v2p-ca9")
-        self.check_init()
-        self.check_network("eth0")
+        self.check_systemd("ext2")
 
 
 class TestInitSystemSystemdRoIfupdown(InitSystemSystemdBase):
@@ -81,9 +81,7 @@ class TestInitSystemSystemdRoIfupdown(InitSystemSystemdBase):
         """
 
     def test_run(self):
-        self.start_emulator("squashfs", "zImage", "vexpress-v2p-ca9")
-        self.check_init()
-        self.check_network("eth0")
+        self.check_systemd("squashfs")
 
 
 class TestInitSystemSystemdRwIfupdown(InitSystemSystemdBase):
@@ -96,9 +94,7 @@ class TestInitSystemSystemdRwIfupdown(InitSystemSystemdBase):
         """
 
     def test_run(self):
-        self.start_emulator("ext2", "zImage", "vexpress-v2p-ca9")
-        self.check_init()
-        self.check_network("eth0")
+        self.check_systemd("ext2")
 
 
 class TestInitSystemSystemdRoFull(InitSystemSystemdBase):
@@ -127,9 +123,7 @@ class TestInitSystemSystemdRoFull(InitSystemSystemdBase):
         """
 
     def test_run(self):
-        self.start_emulator("squashfs", "zImage", "vexpress-v2p-ca9")
-        self.check_init()
-        self.check_network("eth0")
+        self.check_systemd("squashfs")
 
 
 class TestInitSystemSystemdRwFull(InitSystemSystemdBase):
@@ -157,6 +151,4 @@ class TestInitSystemSystemdRwFull(InitSystemSystemdBase):
         """
 
     def test_run(self):
-        self.start_emulator("ext2", "zImage", "vexpress-v2p-ca9")
-        self.check_init()
-        self.check_network("eth0")
+        self.check_systemd("ext2")
-- 
2.20.1

* [Buildroot] [PATCH 4/4 v4] support/run-test: add test for systemd using dbus-broker
  2020-07-05 10:23 [Buildroot] [PATCH 0/4 v4] dus-borker: new package (branch yem/dbus-broker) Yann E. MORIN
                   ` (2 preceding siblings ...)
  2020-07-05 10:23 ` [Buildroot] [PATCH 3/4 v4] support/testsuite: de-duplicate the systemd runtime tests Yann E. MORIN
@ 2020-07-05 10:23 ` Yann E. MORIN
  3 siblings, 0 replies; 10+ messages in thread
From: Yann E. MORIN @ 2020-07-05 10:23 UTC
  To: buildroot

Add four new tests for systemd (rw and ro in each case):
  - use dbus-broker instead of the original dbus
  - use the original dbus, with dbus-broker installed

The first two extend the existing IfUpDown test cases by just enabling
dbus-broker; the second ones extend this further, by explicitly enabling
the original dbus.

For one of the tests, we overload the test_run() function to test that
the dbus-broker daemon is indeed running as root. We need not replicate
that check in the other dbus-broker-only test, and it does not make
sense to test that in tests that have the original dbus enabled.

Presence of the original dbus and dbus-broker on the same system is
valid: the original dbus is used as the default system bus daemon. We do
not test switching between the two at runtime, though as this is really
too corner-case specific. We just test to ensure the original dbus
system bus daemon is not impacted by the presence of dbus-broker.

Note: the 'full' test-case enables all systemd options, and some of them
do pull the original dbus package, so we can't use that to test the
integration of dbus-broker; instead, we extend the ifupdown case, which
does not enable the original dbus.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Norbert Lange <nolange79@gmail.com>
---
 .gitlab-ci.yml                             |  4 +++
 support/testing/tests/init/test_systemd.py | 37 ++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ac4c826fb7..23da723e9e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -394,9 +394,13 @@ tests.init.test_openrc.TestInitSystemOpenrcRoFull: { extends: .runtime_test }
 tests.init.test_openrc.TestInitSystemOpenrcRwFull: { extends: .runtime_test }
 tests.init.test_systemd.TestInitSystemSystemdRoFull: { extends: .runtime_test }
 tests.init.test_systemd.TestInitSystemSystemdRoIfupdown: { extends: .runtime_test }
+tests.init.test_systemd.TestInitSystemSystemdRoIfupdownDbusbroker: { extends: .runtime_test }
+tests.init.test_systemd.TestInitSystemSystemdRoIfupdownDbusbrokerDbus: { extends: .runtime_test }
 tests.init.test_systemd.TestInitSystemSystemdRoNetworkd: { extends: .runtime_test }
 tests.init.test_systemd.TestInitSystemSystemdRwFull: { extends: .runtime_test }
 tests.init.test_systemd.TestInitSystemSystemdRwIfupdown: { extends: .runtime_test }
+tests.init.test_systemd.TestInitSystemSystemdRwIfupdownDbusbroker: { extends: .runtime_test }
+tests.init.test_systemd.TestInitSystemSystemdRwIfupdownDbusbrokerDbus: { extends: .runtime_test }
 tests.init.test_systemd.TestInitSystemSystemdRwNetworkd: { extends: .runtime_test }
 tests.package.test_atop.TestAtop: { extends: .runtime_test }
 tests.package.test_crudini.TestCrudiniPy2: { extends: .runtime_test }
diff --git a/support/testing/tests/init/test_systemd.py b/support/testing/tests/init/test_systemd.py
index cf952bef44..276165f742 100644
--- a/support/testing/tests/init/test_systemd.py
+++ b/support/testing/tests/init/test_systemd.py
@@ -84,6 +84,29 @@ class TestInitSystemSystemdRoIfupdown(InitSystemSystemdBase):
         self.check_systemd("squashfs")
 
 
+class TestInitSystemSystemdRoIfupdownDbusbroker(TestInitSystemSystemdRoIfupdown):
+    config = TestInitSystemSystemdRoIfupdown.config + \
+        """
+        BR2_PACKAGE_DBUS_BROKER=y
+        """
+
+    def test_run(self):
+        # Parent class' test_run() method does exactly that, no more:
+        self.check_systemd("squashfs")
+
+        # Check that the dbus-broker daemon is running as non-root
+        cmd = "find /proc/$(pidof dbus-broker) -maxdepth 1 -name exe -user dbus"
+        out, _ = self.emulator.run(cmd)
+        self.assertEqual(len(out), 1)
+
+
+class TestInitSystemSystemdRoIfupdownDbusbrokerDbus(TestInitSystemSystemdRoIfupdownDbusbroker):
+    config = TestInitSystemSystemdRoIfupdownDbusbroker.config + \
+        """
+        BR2_PACKAGE_DBUS=y
+        """
+
+
 class TestInitSystemSystemdRwIfupdown(InitSystemSystemdBase):
     config = InitSystemSystemdBase.config + \
         """
@@ -97,6 +120,20 @@ class TestInitSystemSystemdRwIfupdown(InitSystemSystemdBase):
         self.check_systemd("ext2")
 
 
+class TestInitSystemSystemdRwIfupdownDbusbroker(TestInitSystemSystemdRwIfupdown):
+    config = TestInitSystemSystemdRwIfupdown.config + \
+        """
+        BR2_PACKAGE_DBUS_BROKER=y
+        """
+
+
+class TestInitSystemSystemdRwIfupdownDbusbrokerDbus(TestInitSystemSystemdRwIfupdownDbusbroker):
+    config = TestInitSystemSystemdRwIfupdownDbusbroker.config + \
+        """
+        BR2_PACKAGE_DBUS=y
+        """
+
+
 class TestInitSystemSystemdRoFull(InitSystemSystemdBase):
     config = InitSystemSystemdBase.config + \
         """
-- 
2.20.1
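
The run-time check in this patch looks at the owner of `/proc/<pid>/exe`. As an added example (not part of the patch or of Buildroot's test suite), the same question can be answered from `/proc/<pid>/status`, which lists the real, effective, saved and filesystem ids and so also catches a daemon that kept a saved uid of 0. The sample status and passwd text, the uid 100 / gid 101 values and all function names are constructed for illustration.

```python
"""Added example: check which user a daemon runs as, from /proc/<pid>/status."""
import re

# Constructed sample inputs (not captured from a real target).
# The Uid:/Gid: lines list the real, effective, saved and filesystem ids.
STATUS_DROPPED = (
    "Name:\tdbus-broker\nState:\tS (sleeping)\nPid:\t142\n"
    "Uid:\t100\t100\t100\t100\nGid:\t101\t101\t101\t101\n"
)
STATUS_ROOT = (
    "Name:\tdbus-broker\nState:\tS (sleeping)\nPid:\t142\n"
    "Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
)
# Effective uid changed but saved uid is still 0: seteuid(0) would succeed.
STATUS_SAVED_ROOT = (
    "Name:\tdbus-broker\nState:\tS (sleeping)\nPid:\t142\n"
    "Uid:\t100\t100\t0\t100\nGid:\t101\t101\t101\t101\n"
)
# Constructed /etc/passwd content; the numeric ids are assumptions.
PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "dbus:x:100:101:DBus messagebus user:/var/run/dbus:/bin/false\n"
)

ID_LINE = re.compile(
    r"^(Uid|Gid):[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.M
)
ID_LABELS = ("real", "effective", "saved", "filesystem")


def parse_ids(status_text):
    """Return {'Uid': (real, eff, saved, fs), 'Gid': (...)} from status text."""
    ids = {
        m.group(1): tuple(int(g) for g in m.groups()[1:])
        for m in ID_LINE.finditer(status_text)
    }
    missing = {"Uid", "Gid"} - set(ids)
    if missing:
        raise ValueError("status text lacks: " + ", ".join(sorted(missing)))
    return ids


def passwd_entry(passwd_text, name):
    """Return (uid, gid) of a user from passwd-formatted text."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == name:
            return int(fields[2]), int(fields[3])
    raise KeyError(name)


def privilege_findings(status_text, passwd_text, user):
    """List every id that differs from the expected user's uid/gid.

    An empty list means the process runs entirely as that user.
    """
    want_uid, want_gid = passwd_entry(passwd_text, user)
    ids = parse_ids(status_text)
    findings = []
    for kind, want in (("Uid", want_uid), ("Gid", want_gid)):
        for label, got in zip(ID_LABELS, ids[kind]):
            if got != want:
                findings.append(
                    "%s %s is %d, expected %d" % (label, kind.lower(), got, want)
                )
    return findings


if __name__ == "__main__":
    for name, status in (
        ("dropped", STATUS_DROPPED),
        ("root", STATUS_ROOT),
        ("saved-root", STATUS_SAVED_ROOT),
    ):
        print(name, privilege_findings(status, PASSWD, "dbus") or "OK")
```

In a run-time test the two texts would come from the target's `/proc/<pid>/status` and `/etc/passwd` rather than from the constants above.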


* [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package
  2020-07-05 10:23 ` [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package Yann E. MORIN
@ 2020-07-05 23:21   ` Norbert Lange
  2020-07-06 17:34     ` Yann E. MORIN
  0 siblings, 1 reply; 10+ messages in thread
From: Norbert Lange @ 2020-07-05 23:21 UTC (permalink / raw)
  To: buildroot

Am So., 5. Juli 2020 um 12:23 Uhr schrieb Yann E. MORIN
<yann.morin.1998@free.fr>:
>
> From: Norbert Lange <nolange79@gmail.com>
>
> dbus-broker is an alternate implementation of a dbus daemon. It can be
> used as a drop-in replacement for the system bus daemon, as well as the
> session bus daemon.
>
> dbus-broker is (basically, and as far as we're concerned in Buildroot)
> split in two components:
>
>   - the actual message bus daemon, that relays messages across clients
>
>   - a launcher, which is responsible for setting various aspects of the
>     bus, like setting the policy et al. and opening the socket(s) the
>     message bus daemon will have to listen on...
>
> The launcher can only be used in a systemd setup (it makes heavy use of
> systemd facilities), while the message bus is generic. However, the
> message bus daemon is useless without a launcher. There does not exist a
> non-systemd launcher, which makes dbus-broker actually a systemd-only
> package; this can be revisited when/if a non-systemd launcher appears.

I'd guess that one day systemd will incorporate the launcher portion.
(bit offtopic)

>
> There are two cases:
>
>  1. original dbus disabled
>
>     Here, we install the config files and systemd socket activation
>     units; dbus-broker provides the system and sessions bus daemons.
>
>  2. original dbus enabled
>
>     In this case, we do not install the config files and systemd socket
>     activation units, or define a user: they all are provided by the
>     original dbus, and we piggy-back on those.
>
>     In this situation, the default system and sessions message bus are
>     the original dbus; dbus-broker is not enabled.
>
>     However, users may opt-in to use dbus-broker in a few ways:
>       - at build-time: provide drop-in units in an overlay;

Adding a preset would be the most direct method.

>       - at build-time: call systemctl enable/disable from a post-build
>         script;
>       - at runtime (on a RW filesystem): by calling systemctl
>         enable/disable
>
> Note about the user: the path to the system bus socket is a so-called
> "well-known location": it is expected to be there, by spec. Moving it
> elsewhere is going to break existing programs. So, the user running the
> system bus daemon must be able to create that socket.
>
> As we may have two packages providing a system bus daemon, they have to
> be both able to create the socket, and thus must both be able to write
> in the directory containing the socket. And since they can be switched
> at runtime, they must be running as the same user.
>
> We can't just reference the original dbus user, so we duplicate the
> entry. What is important, is that the user be named 'dbus', as that's
> what we use in both cases.
>
> dbus-broker code does not have a provision, like the original dbus has,
> to specify the user to run as, and does not interpret the <user>
> directive in the system.conf file. Since running the bus daemon as root
> is not so safe, we create a systemd unit drop-in to complement the unit
> provided by the package and define the user to run as.

I thought we both agreed last time that dbus-broker does read the config and
switch to the uid (you did convince me of that ! ;) ) ? see [1]
Note that the facilities are a bit different, the reference dbus had a
dbus-daemon-launch-helper that setuids as root.

with dbus-broker, systemd does handle the socket (still as root),
the launcher connects to it and then drops privileges.

1) I am not sure if dbus-broker-launch is completely ok being started
   as non-root
2) this also affects dbus-daemon-launch-helper/reference dbus, as you use the
   dbus.service.d directory for the .conf file (instead of
   dbus-broker.service.d)
3) for dbus broker the dbus user has no external references.
4) the only external reference to dbus user is with dbus-daemon-launch-helper,
   and this is only used for "D-BUS System Activation". I believe
   that's completely unused with systemd services.

dropping to the dbus user is AFAIK just a matter of isolation.

I don't claim to understand the specifics well enough, but such a
dropin is not used elsewhere, including Fedora which considers making
dbus-broker the default.
i.e. that would be a grave mistake of upstream to leave the setting out.

>
> As for that drop-in: systemd knows only about the 'dbus' service, which
> is what dbus-broker impersonates, so the drop-in must be one for the
> dbus service, not the dbus-broker service, which does not exist.

dbus-broker.service has an alias to dbus.service, if enabled it will take the
place of that service as well (and bc of the conflict with dbus, there
is just one dbus.service enabled at any point)

also you use dbus.service.d as place for the dropin, this will affect the
reference dbus too?

systemctl show dbus.service
systemctl show dbus-broker.service

> Note however that, as a consequence, when both the original dbus and
> dbus-broker are installed, we can't install that drop-in, because the
> default message bus daemon will be the original dbus, which already does
> uid-switching internally. Thus we can't install the systemd drop-in to
> the dbus service, which is not the one from dbus-broker but from the
> original dbus. So, if the user wants to switch to dbus-broker in a
> post-build script, or at runtime, they will have to take care of
> providing that drop-in if they do not want the dbus-broker message bus
> daemon to run as root.

Ok, seems to reinstate my last point.

>
> Finally, the licensing terms are pretty trivial for dbus-broker itself,
> but it makes use of third-party code that it inherits as git submodules
> (that are bundled in the release archive). Thus the licensing is a bit
> convoluted... The third-party codes claim to be licensed as "Apache-2.0
> and LGPL-2.1+" in their AUTHORS files, but at the same time claim
> "**Apache-2.0** OR **LGPL-2.1-or-later**" in their README files. The
> individual source files (that are used) do not seem to have any
> licensing header to clarify the situation. So we represent the situation
> with "Apache-2.0 and/or LGPL-2.1+".
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> [yann.morin.1998 at free.fr:
>   - don't select systemd; depend on it instead
>   - only install config files and systemd units without original dbus
>   - install a user to run the message bus as
>   - fix licensing info
>   - entirely reword and extend the commit log
> ]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
>
> ---
> Changes v3 -> v4  (Yann, respinning after review by Norbert):
>   - drop the non-systemd case
>   - drop the launcher option
>   - reinstate BR2_COREUTILS_HOST_DEPENDENCY and ln --relative
>   - reinstate the user, explain it
>
> Changes v2 -> v3  (Norbert, respinning after Yann):
>   - add an own config entry for dbus-broker-launch
>     enabled by default if systemd init is used
>   - undo BR2_COREUTILS_HOST_DEPENDENCY
>   - undo adding dbus user - never used by this package
>   - add conditional audit dependency
>   - cleanup conditional logic a bit
>
> Changes v1 -> v2 (Yann):
>   - make launcher conditional
>   - don't select systemd; don't depend on it either
>   - don't install systemd units without systemd
>   - only install config files and systemd units without original dbus
>   - rename hooks with meaningful names
>   - fix licensing info
>   - entirely reword and extend the commit log
> ---
>  DEVELOPERS                           |   1 +
>  package/Config.in                    |   1 +
>  package/dbus-broker/Config.in        |  22 +++++
>  package/dbus-broker/dbus-broker.hash |   3 +
>  package/dbus-broker/dbus-broker.mk   |  78 +++++++++++++++++
>  package/dbus-broker/dbus-user.conf   |   2 +
>  package/dbus-broker/dbus.socket      |   5 ++
>  package/dbus-broker/session.conf     |  65 +++++++++++++++
>  package/dbus-broker/system.conf      | 120 +++++++++++++++++++++++++++
>  9 files changed, 297 insertions(+)
>  create mode 100644 package/dbus-broker/Config.in
>  create mode 100644 package/dbus-broker/dbus-broker.hash
>  create mode 100644 package/dbus-broker/dbus-broker.mk
>  create mode 100644 package/dbus-broker/dbus-user.conf
>  create mode 100644 package/dbus-broker/dbus.socket
>  create mode 100644 package/dbus-broker/session.conf
>  create mode 100644 package/dbus-broker/system.conf
>
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 4b6a346a05..0983b09ac9 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -1890,6 +1890,7 @@ F:        package/tpm-tools/
>  F:     package/trousers/
>
>  N:     Norbert Lange <nolange79@gmail.com>
> +F:     package/dbus-broker/
>  F:     package/tcf-agent/
>
>  N:     Nylon Chen <nylon7@andestech.com>

Might add yourself here too.

> diff --git a/package/Config.in b/package/Config.in
> index 6a34a895af..60f8ee478a 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -433,6 +433,7 @@ endmenu
>         source "package/dahdi-linux/Config.in"
>         source "package/dahdi-tools/Config.in"
>         source "package/dbus/Config.in"
> +       source "package/dbus-broker/Config.in"
>         source "package/dbus-cpp/Config.in"
>         source "package/dbus-glib/Config.in"
>         source "package/dbus-python/Config.in"
> diff --git a/package/dbus-broker/Config.in b/package/dbus-broker/Config.in
> new file mode 100644
> index 0000000000..30d8b27280
> --- /dev/null
> +++ b/package/dbus-broker/Config.in
> @@ -0,0 +1,22 @@
> +config BR2_PACKAGE_DBUS_BROKER
> +       bool "dbus-broker"
> +       depends on BR2_USE_MMU
> +       depends on BR2_TOOLCHAIN_HAS_THREADS
> +       depends on BR2_PACKAGE_SYSTEMD
> +       select BR2_PACKAGE_EXPAT
> +       help
> +         Linux D-Bus Message Broker.
> +
> +         The dbus-broker project is an implementation of a message bus
> +         as defined by the D-Bus specification. Its aim is to provide
> +         high performance and reliability, while keeping compatibility
> +         to the D-Bus reference implementation.
> +
> +         It is exclusively written for Linux systems, and makes use of
> +         many modern features provided by recent linux kernel releases.
> +
> +         https://github.com/bus1/dbus-broker/wiki
> +
> +comment "dbusbroker needs systemd and a toolchain w/ threads"
> +       depends on BR2_USE_MMU
> +       depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_PACKAGE_SYSTEMD
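Review bot: the `comment` entry spells the package "dbusbroker" while the prompt on the symbol itself is "dbus-broker"; use the same spelling in both so the message shown when systemd or threads are missing matches the package name users search for.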
> diff --git a/package/dbus-broker/dbus-broker.hash b/package/dbus-broker/dbus-broker.hash
> new file mode 100644
> index 0000000000..b8d631767f
> --- /dev/null
> +++ b/package/dbus-broker/dbus-broker.hash
> @@ -0,0 +1,3 @@
> +# Locally calculated
> +sha256  95adfde56bce898c3b69eee0524732365e802348dd8189a35d5d00c30990dc81  dbus-broker-23.tar.xz
> +sha256  3cda3630283eda0eab825abe5ac84d191248c6b3fe1c232a118124959b96c6a4  LICENSE
> diff --git a/package/dbus-broker/dbus-broker.mk b/package/dbus-broker/dbus-broker.mk
> new file mode 100644
> index 0000000000..9439b12c0d
> --- /dev/null
> +++ b/package/dbus-broker/dbus-broker.mk
> @@ -0,0 +1,78 @@
> +################################################################################
> +#
> +# dbus-broker
> +#
> +################################################################################
> +
> +DBUS_BROKER_VERSION = 23
> +DBUS_BROKER_SOURCE = dbus-broker-$(DBUS_BROKER_VERSION).tar.xz
> +DBUS_BROKER_SITE = https://github.com/bus1/dbus-broker/releases/download/v$(DBUS_BROKER_VERSION)
> +
> +# For the third-party code, the licensing legla-info is inconsistent between
> +# the AUTHORS and README, so keep both
> +DBUS_BROKER_LICENSE = \
> +       Apache-2.0, \
> +       Apache-2.0 and/or LGPL-2.1+ (c-dvar, c-ini, c-list, c-rbtree, c-shquote, c-stdaux, c-utf8)
> +DBUS_BROKER_LICENSE_FILES = \
> +       LICENSE \
> +       subprojects/c-dvar/AUTHORS subprojects/c-dvar/README.md \
> +       subprojects/c-ini/AUTHORS subprojects/c-ini/README.md \
> +       subprojects/c-list/AUTHORS subprojects/c-list/README.md \
> +       subprojects/c-rbtree/AUTHORS subprojects/c-rbtree/README.md \
> +       subprojects/c-shquote/AUTHORS subprojects/c-shquote/README.md \
> +       subprojects/c-stdaux/AUTHORS subprojects/c-stdaux/README.md \
> +       subprojects/c-utf8/AUTHORS subprojects/c-utf8/README.md
> +
> +DBUS_BROKER_DEPENDENCIES = expat systemd
> +DBUS_BROKER_CONF_OPTS = -Dlauncher=true
> +
> +ifeq ($(BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_17),y)
> +DBUS_BROKER_CONF_OPTS += -Dlinux-4-17=true
> +else
> +DBUS_BROKER_CONF_OPTS += -Dlinux-4-17=false
> +endif
> +
> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> +DBUS_BROKER_DEPENDENCIES += audit
> +DBUS_BROKER_CONF_OPTS += -Daudit=true
> +else
> +DBUS_BROKER_CONF_OPTS += -Daudit=false
> +endif
> +
> +ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
> +DBUS_BROKER_DEPENDENCIES += libselinux
> +DBUS_BROKER_CONF_OPTS += -Dselinux=true
> +else
> +DBUS_BROKER_CONF_OPTS += -Dselinux=false
> +endif
> +
> +# Only install units for system bus daemon socket if original dbus is not present
> +# Only install config and service files if original dbus is not present
> +# Only define a user if the original dbus is not present
> +#
> +# Note: BR2_COREUTILS_HOST_DEPENDENCY to be able to use ln --relative
> +ifeq ($(BR2_PACKAGE_DBUS),)
> +DBUS_BROKER_DEPENDENCIES += $(BR2_COREUTILS_HOST_DEPENDENCY)
> +
> +# We msut be using the same user as the origian dbus, so we can share
> +# the home directory and create a socket there.
> +define DBUS_BROKER_USERS
> +       dbus -1 dbus -1 * /var/run/dbus - dbus DBus messagebus user
> +endef

Out of scope of this patch, but pls have a look at [2] and [3].

> +
> +define DBUS_BROKER_INSTALL_INIT_SYSTEMD
> +       $(INSTALL) -D -m 0644 $(DBUS_BROKER_PKGDIR)/session.conf \
> +               $(TARGET_DIR)/usr/share/dbus-1/session.conf
> +       $(INSTALL) -D -m 0644 $(DBUS_BROKER_PKGDIR)/system.conf \
> +               $(TARGET_DIR)/usr/share/dbus-1/system.conf
> +       $(INSTALL) -D -m 0644 $(DBUS_BROKER_PKGDIR)/dbus.socket \
> +               $(TARGET_DIR)/usr/lib/systemd/system/dbus.socket
> +       $(HOST_MAKE_ENV) ln -sf --relative \
> +               $(TARGET_DIR)/usr/lib/systemd/system/dbus.socket \
> +               $(TARGET_DIR)/usr/lib/systemd/system/sockets.target.wants/dbus.socket
> +       $(INSTALL) -D -m 0644 $(DBUS_BROKER_PKGDIR)/dbus-user.conf \
> +               $(TARGET_DIR)/etc/systemd/system/dbus.service.d/dbus-user.conf

Should not be necessary

> +endef
> +endif # !BR2_PACKAGE_DBUS
> +
> +$(eval $(meson-package))
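Review bot: the `ln -sf --relative` step in DBUS_BROKER_INSTALL_INIT_SYSTEMD writes into $(TARGET_DIR)/usr/lib/systemd/system/sockets.target.wants/ without creating it; the `$(INSTALL) -D` calls above it only create the parent directories of their own destinations, so this step relies on another package having created that directory first. Add a `mkdir -p` for it before the `ln`. The comments in this file also carry typos to fix before merging: "legla-info", "msut", "origian".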
> diff --git a/package/dbus-broker/dbus-user.conf b/package/dbus-broker/dbus-user.conf
> new file mode 100644
> index 0000000000..f7bdc06cf5
> --- /dev/null
> +++ b/package/dbus-broker/dbus-user.conf
> @@ -0,0 +1,2 @@
> +[Service]
> +User=dbus

Should not be necessary

> diff --git a/package/dbus-broker/dbus.socket b/package/dbus-broker/dbus.socket
> new file mode 100644
> index 0000000000..5c373cf450
> --- /dev/null
> +++ b/package/dbus-broker/dbus.socket
> @@ -0,0 +1,5 @@
> +[Unit]
> +Description=D-Bus System Message Bus Socket
> +
> +[Socket]
> +ListenStream=/run/dbus/system_bus_socket
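Review bot: `ListenStream=/run/dbus/system_bus_socket` uses /run, while DBUS_BROKER_USERS in dbus-broker.mk gives the dbus user the home /var/run/dbus and its comment says the socket is created "there". The two only name the same directory if /var/run points at /run on the target; use one spelling in both places, or say in the .mk comment that the symlink is relied upon.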
> diff --git a/package/dbus-broker/session.conf b/package/dbus-broker/session.conf
> new file mode 100644
> index 0000000000..e4758fa218
> --- /dev/null
> +++ b/package/dbus-broker/session.conf
> @@ -0,0 +1,65 @@
> +<!-- This configuration file controls the per-user-login-session message bus.
> +     Add a session-local.conf and edit that rather than changing this
> +     file directly. -->
> +
> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
> + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> +<busconfig>
> +  <!-- Our well-known bus type, don't change this -->
> +  <type>session</type>
> +
> +  <!-- If we fork, keep the user's original umask to avoid affecting
> +       the behavior of child processes. -->
> +  <keep_umask/>
> +
> +  <standard_session_servicedirs />
> +
> +  <policy context="default">
> +    <!-- Allow everything to be sent -->
> +    <allow send_destination="*" eavesdrop="true"/>
> +    <!-- Allow everything to be received -->
> +    <allow eavesdrop="true"/>
> +    <!-- Allow anyone to own anything -->
> +    <allow own="*"/>
> +  </policy>
> +
> +  <!-- Config files are placed here that among other things,
> +       further restrict the above policy for specific services. -->
> +  <includedir>session.d</includedir>
> +
> +  <includedir>/etc/dbus-1/session.d</includedir>
> +
> +  <!-- This is included last so local configuration can override what's
> +       in this standard file -->
> +  <include ignore_missing="yes">/etc/dbus-1/session-local.conf</include>
> +
> +  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
> +
> +  <!-- For the session bus, override the default relatively-low limits
> +       with essentially infinite limits, since the bus is just running
> +       as the user anyway, using up bus resources is not something we need
> +       to worry about. In some cases, we do set the limits lower than
> +       "all available memory" if exceeding the limit is almost certainly a bug,
> +       having the bus enforce a limit is nicer than a huge memory leak. But the
> +       intent is that these limits should never be hit. -->
> +
> +  <!-- the memory limits are 1G instead of say 4G because they can't exceed 32-bit signed int max -->
> +  <limit name="max_incoming_bytes">1000000000</limit>
> +  <limit name="max_incoming_unix_fds">250000000</limit>
> +  <limit name="max_outgoing_bytes">1000000000</limit>
> +  <limit name="max_outgoing_unix_fds">250000000</limit>
> +  <limit name="max_message_size">1000000000</limit>
> +  <!-- We do not override max_message_unix_fds here since the in-kernel
> +       limit is also relatively low -->
> +  <limit name="service_start_timeout">120000</limit>
> +  <limit name="auth_timeout">240000</limit>
> +  <limit name="pending_fd_timeout">150000</limit>
> +  <limit name="max_completed_connections">100000</limit>
> +  <limit name="max_incomplete_connections">10000</limit>
> +  <limit name="max_connections_per_user">100000</limit>
> +  <limit name="max_pending_service_starts">10000</limit>
> +  <limit name="max_names_per_connection">50000</limit>
> +  <limit name="max_match_rules_per_connection">50000</limit>
> +  <limit name="max_replies_per_connection">50000</limit>
> +
> +</busconfig>
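Review bot: nothing in session.conf (or in the commit log) says where this file comes from or which upstream version it tracks, yet its comments ("If we fork, keep the user's original umask") read as if written for another daemon. Add a header line naming the source and version so later bumps can resync it, and confirm that the default policy lines `<allow send_destination="*" eavesdrop="true"/>` and `<allow eavesdrop="true"/>` are wanted as-is for the session bus on a Buildroot target.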
> diff --git a/package/dbus-broker/system.conf b/package/dbus-broker/system.conf
> new file mode 100644
> index 0000000000..a1e8df7367
> --- /dev/null
> +++ b/package/dbus-broker/system.conf
> @@ -0,0 +1,120 @@
> +<!-- This configuration file controls the systemwide message bus.
> +     Add a system-local.conf and edit that rather than changing this
> +     file directly. -->
> +
> +<!-- Note that there are any number of ways you can hose yourself
> +     security-wise by screwing up this file; in particular, you
> +     probably don't want to listen on any more addresses, add any more
> +     auth mechanisms, run as a different user, etc. -->
> +
> +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
> + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> +<busconfig>
> +
> +  <!-- Our well-known bus type, do not change this -->
> +  <type>system</type>
> +

Add this here instead of using the dbus-user.conf file:

+  <!-- Run as special user -->
+  <user>dbus</user>
+

> +  <!-- Fork into daemon mode -->
> +  <fork/>
> +
> +  <!-- We use system service launching using a helper -->
> +  <standard_system_servicedirs/>
> +
> +  <!-- Enable logging to syslog -->
> +  <syslog/>
> +
> +  <policy context="default">
> +    <!-- All users can connect to system bus -->
> +    <allow user="*"/>
> +
> +    <!-- Holes must be punched in service configuration files for
> +         name ownership and sending method calls -->
> +    <deny own="*"/>
> +    <deny send_type="method_call"/>
> +
> +    <!-- Signals and reply messages (method returns, errors) are allowed
> +         by default -->
> +    <allow send_type="signal"/>
> +    <allow send_requested_reply="true" send_type="method_return"/>
> +    <allow send_requested_reply="true" send_type="error"/>
> +
> +    <!-- All messages may be received by default -->
> +    <allow receive_type="method_call"/>
> +    <allow receive_type="method_return"/>
> +    <allow receive_type="error"/>
> +    <allow receive_type="signal"/>
> +
> +    <!-- Allow anyone to talk to the message bus -->
> +    <allow send_destination="org.freedesktop.DBus"
> +           send_interface="org.freedesktop.DBus" />
> +    <allow send_destination="org.freedesktop.DBus"
> +           send_interface="org.freedesktop.DBus.Introspectable"/>
> +    <allow send_destination="org.freedesktop.DBus"
> +           send_interface="org.freedesktop.DBus.Properties"/>
> +    <!-- But disallow some specific bus services -->
> +    <deny send_destination="org.freedesktop.DBus"
> +          send_interface="org.freedesktop.DBus"
> +          send_member="UpdateActivationEnvironment"/>
> +    <deny send_destination="org.freedesktop.DBus"
> +          send_interface="org.freedesktop.DBus.Debug.Stats"/>
> +    <deny send_destination="org.freedesktop.DBus"
> +          send_interface="org.freedesktop.systemd1.Activator"/>
> +  </policy>
> +
> +  <!-- Only systemd, which runs as root, may report activation failures. -->
> +  <policy user="root">
> +    <allow send_destination="org.freedesktop.DBus"
> +           send_interface="org.freedesktop.systemd1.Activator"/>
> +  </policy>
> +
> +  <!-- root may monitor the system bus. -->
> +  <policy user="root">
> +    <allow send_destination="org.freedesktop.DBus"
> +           send_interface="org.freedesktop.DBus.Monitoring"/>
> +  </policy>
> +
> +  <!-- If the Stats interface was enabled@compile-time, root may use it.
> +       Copy this into system.local.conf or system.d/*.conf if you want to
> +       enable other privileged users to view statistics and debug info -->
> +  <policy user="root">
> +    <allow send_destination="org.freedesktop.DBus"
> +           send_interface="org.freedesktop.DBus.Debug.Stats"/>
> +  </policy>
> +
> +
> +  <!-- The defaults for these limits are hard-coded in dbus-daemon.
> +       Some clarifications:
> +       Times are in milliseconds (ms); 1000ms = 1 second
> +       133169152 bytes = 127 MiB
> +       33554432 bytes = 32 MiB
> +       150000ms = 2.5 minutes -->
> +  <!-- <limit name="max_incoming_bytes">133169152</limit> -->
> +  <!-- <limit name="max_incoming_unix_fds">64</limit> -->
> +  <!-- <limit name="max_outgoing_bytes">133169152</limit> -->
> +  <!-- <limit name="max_outgoing_unix_fds">64</limit> -->
> +  <!-- <limit name="max_message_size">33554432</limit> -->
> +  <!-- <limit name="max_message_unix_fds">16</limit> -->
> +  <!-- <limit name="service_start_timeout">25000</limit> -->
> +  <!-- <limit name="auth_timeout">5000</limit> -->
> +  <!-- <limit name="pending_fd_timeout">150000</limit> -->
> +  <!-- <limit name="max_completed_connections">2048</limit> -->
> +  <!-- <limit name="max_incomplete_connections">64</limit> -->
> +  <!-- <limit name="max_connections_per_user">256</limit> -->
> +  <!-- <limit name="max_pending_service_starts">512</limit> -->
> +  <!-- <limit name="max_names_per_connection">512</limit> -->
> +  <!-- <limit name="max_match_rules_per_connection">512</limit> -->
> +  <!-- <limit name="max_replies_per_connection">128</limit> -->
> +
> +  <!-- Config files are placed here that among other things, punch
> +       holes in the above policy for specific services. -->
> +  <includedir>system.d</includedir>
> +
> +  <includedir>/etc/dbus-1/system.d</includedir>
> +
> +  <!-- This is included last so local configuration can override what's
> +       in this standard file -->
> +  <include ignore_missing="yes">/etc/dbus-1/system-local.conf</include>
> +
> +  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
> +
> +</busconfig>
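Review bot: system.conf keeps directives and comments that describe the reference daemon, namely `<fork/>` ("Fork into daemon mode"), "We use system service launching using a helper" and the limits block introduced with "hard-coded in dbus-daemon", without saying which of them dbus-broker's launcher honours. Since the commit log bases the User=dbus drop-in on the claim that `<user>` is not interpreted, and the file's own header warns about running "as a different user", record in a comment here which elements are known to be ignored and how that was verified, so the choice between the drop-in and a `<user>dbus</user>` element is documented next to the policy it affects.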
> --
> 2.20.1
>

Regards, Norbert

[1] - https://github.com/bus1/dbus-broker/blob/de03b7098bce71095673c21042a8f4b4f7c8c988/src/launch/launcher.c#L1393
[2] - https://patchwork.ozlabs.org/project/buildroot/list/?series=186339
[3] - https://patchwork.ozlabs.org/project/buildroot/patch/20200605224858.12870-2-nolange79 at gmail.com/


* [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package
  2020-07-05 23:21   ` Norbert Lange
@ 2020-07-06 17:34     ` Yann E. MORIN
  2020-07-06 19:01       ` Yann E. MORIN
  2020-07-06 20:46       ` Norbert Lange
  0 siblings, 2 replies; 10+ messages in thread
From: Yann E. MORIN @ 2020-07-06 17:34 UTC (permalink / raw)
  To: buildroot

Norbert, All,

On 2020-07-06 01:21 +0200, Norbert Lange spake thusly:
> Am So., 5. Juli 2020 um 12:23 Uhr schrieb Yann E. MORIN
> <yann.morin.1998@free.fr>:
[--SNIP--]
> >     However, users may opt-in to use dbus-broker in a few ways:
> >       - at build-time: provide drop-in units in an overlay;
> Adding a preset would be the most direct method.

Probably what I meant, indeed. Whatever they are called. ;-)

[--SNIP--]
> > dbus-broker code does not have a provision, like the original dbus has,
> > to specify the user to run as, and does not interpret the <user>
> > directive in the system.conf file. Since running the bus daemon as root
> > is not so safe, we create a systemd unit drop-in to complement the unit
> > provided by the package and define the user to run as.
> 
> I thought we both agreed last time that dbus-broker does read the config and
> switch to the uid  (you did convince me of that ! ;) ) ? see [1]

So I too was pretty much surprised by this, because that was indeed what
I remembered. But the run time test did not work. Maybe it was too late
in the night again, so I'll double check once more to be extra sure.

> Note that the facilities are a bit different, the reference dbus had a
> dbus-daemon-launch-helper that setuids as root.
> 
> with dbus-broker, systemd does handle the socket (still as root),
> the launcher connects to it and then drops privileges.



> 1) I am not sure if dbus-broker-launch is completely ok being started
> as non-root

As-is, the runtime tests in patch 4 do work flawlessly. That's exactly
why I added runtime tests: to validate the use of dbus-broker instead of
the original dbus.

> 2) this also affects dbus-daemon-launch-helper/reference dbus, as you use the
>    dbus.service.d directory for the .conf file (instead of
>    dbus-broker.service.d)

No, because the drop-in is not installed when the original dbus is
enabled, i.e. when BR2_PACKAGE_DBUS=y

> 3) for dbus broker the dbus user has no external references.

Not sure I understand that...

> 4) the only external reference to dbus user is with dbus-daemon-launch-helper,
>    and this is only used for "D-BUS System Activation". I believe
>    that's completely unused with systemd services.
> 
> dropping to the dbus user is AFAIK just a matter of isolation.

Isolation of a system-level daemon is always good, IMHO.

> I don't claim to understand the specifics well enough, but such a
> dropin is not used elsewhere, including Fedora which considers making
> dbus-broker the default.
> i.e. that would be a grave mistake of upstream to leave the setting out.

Yeah, as I said above, I'm not sure what's going on. I may have just
looked at the wrong line in my logs...

I'll double check.

> > As for that drop-in: systemd knows only about the 'dbus' service, which
> > is what dbus-broker impersonates, so the drop-in must be one for the
> > dbus service, not the dbus-broker service, which does not exist.
> 
> dbus-broker.service has an alias to dbus.service, if enabled it will take the
> place of that service as well (and bc of the conflict with dbus, there
> is just one dbus.service enabled at any point)
> 
> also you use dbus.service.d as place for the dropin, this will affect the
> reference dbus too?

Nope: drop-in not installed when original dbus is enabled in the
configuration.

[--SNIP--]
> > +# We msut be using the same user as the origian dbus, so we can share
> > +# the home directory and create a socket there.
> > +define DBUS_BROKER_USERS
> > +       dbus -1 dbus -1 * /var/run/dbus - dbus DBus messagebus user
> > +endef
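Review bot: the comment above DBUS_BROKER_USERS has two typos ("msut", "origian"), and since it says the account must be the same one the original dbus uses, it should also say where the matching definition lives and that the two have to be changed together. Without that pointer, a later edit to one definition can leave the shared /var/run/dbus home or the group out of step with the other.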
> Out of scope of this patch, but pls have a look at [2] and [3].

I've duplicated the definition of the user for the original dbus, so at
least we're on-par with the issues that one has. Woops. ;-)

[2] has been opened in a tab in my browser for a while, yes.
I need to take a closer look at [3], though...

[--SNIP--]
> > diff --git a/package/dbus-broker/system.conf b/package/dbus-broker/system.conf
> > new file mode 100644
> > index 0000000000..a1e8df7367
> > --- /dev/null
> > +++ b/package/dbus-broker/system.conf
> > @@ -0,0 +1,120 @@
> > +<!-- This configuration file controls the systemwide message bus.
> > +     Add a system-local.conf and edit that rather than changing this
> > +     file directly. -->
> > +
> > +<!-- Note that there are any number of ways you can hose yourself
> > +     security-wise by screwing up this file; in particular, you
> > +     probably don't want to listen on any more addresses, add any more
> > +     auth mechanisms, run as a different user, etc. -->
> > +
> > +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
> > + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> > +<busconfig>
> > +
> > +  <!-- Our well-known bus type, do not change this -->
> > +  <type>system</type>
> > +
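Review bot: the part of system.conf shown here sets <type>system</type> and then moves on without a <user> element, while the file's own header comment lists "run as a different user" among the ways to get this file wrong. Declare the run-as account in this file, right after <type>, so the bus identity is reviewed together with the rest of the bus policy rather than in a separate file, and have the runtime test assert the resulting user.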
> Add this here instead of using the dbus-user.conf file:
> +  <!-- Run as special user -->
> +  <user>dbus</user>

Yeah, I had tried it. Maybe I just forgot to reinstall it before running
the tests? Meh... I'd need a good night's sleep one of those days...

> [2] - https://patchwork.ozlabs.org/project/buildroot/list/?series=186339
> [3] - https://patchwork.ozlabs.org/project/buildroot/patch/20200605224858.12870-2-nolange79 at gmail.com/

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package
  2020-07-06 17:34     ` Yann E. MORIN
@ 2020-07-06 19:01       ` Yann E. MORIN
  2020-07-06 20:46       ` Norbert Lange
  1 sibling, 0 replies; 10+ messages in thread
From: Yann E. MORIN @ 2020-07-06 19:01 UTC (permalink / raw)
  To: buildroot

Norbert, All,

On 2020-07-06 19:34 +0200, Yann E. MORIN spake thusly:
> On 2020-07-06 01:21 +0200, Norbert Lange spake thusly:
> > On Sun, 5 July 2020 at 12:23, Yann E. MORIN
> > <yann.morin.1998@free.fr> wrote:
[--SNIP--]
> > > dbus-broker code does not have a provision, like the original dbus has,
> > > to specify the user to run as, and does not interpret the <user>
> > > directive in the system.conf file. Since running the bus daemon as root
> > > is not so safe, we create a systemd unit drop-in to complement the unit
> > > provided by the package and define the user to run as.
> > I thought we both agreed last time that dbus-broker does read the config and
> > switch to the uid  (you did convince me of that ! ;) ) ? see [1]
> So I too was pretty much surprised by this, because that was indeed what
> I remembered. But the run time test did not work. Maybe it was too late
> in the night again, so I'll double check once more to be extra sure.

So thanks for having me double-and-triple check: this drop-in to specify
the user is not needed, indeed. I'll drop it in a followup respin.

Not sure what happened; probably late-at-night hacking is not good
anymore for me...

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package
  2020-07-06 17:34     ` Yann E. MORIN
  2020-07-06 19:01       ` Yann E. MORIN
@ 2020-07-06 20:46       ` Norbert Lange
  2020-07-06 21:06         ` Yann E. MORIN
  1 sibling, 1 reply; 10+ messages in thread
From: Norbert Lange @ 2020-07-06 20:46 UTC (permalink / raw)
  To: buildroot

On Mon, 6 July 2020 at 19:34, Yann E. MORIN
<yann.morin.1998@free.fr> wrote:
>
> > 1) I am not sure if dbus-broker-launch is completely ok being started
> > as non-root
>
> As-is, the runtime tests in patch 4 do work flawlessly. That's exactly
> why I added runtime tests: to validate the use of dbus-broker instead of
> the original dbus.

Tests are always good, but how much is covered here?
might be only a problem with apparmor, selinux or when "instantiating"
over the dbus.

>
> > 2) this also affects dbus-daemon-launch-helper/reference dbus, as you use the
> >    dbus.service.d directory for the .conf file (instead of
> >    dbus-broker.service.d)
>
> No, because the drop-in is not installed when the original dbus is
> enabled, i.e. when BR2_PACKAGE_DBUS=y
>
> > 3) for dbus broker the dbus user has no external references.
>
> Not sure I understand that...

kinda the same thing with ephemeral ports vs known server-ports.
anything non-root is enough for dropping privileges, you don't have
the user's uid showing up anywhere.

>
> > 4) the only external reference to dbus user is with dbus-daemon-launch-helper,
> >     and this is only used for "D-BUS System Activation". I believe that's
> >     completely unused with systemd services.
> >
> > dropping to the dbus user is AFAIK just a matter of isolation.
>
> Isolation of a system-level daemon is always good, IMHO.

The point being that it is probably enough to use the "nobody"
user, unless you have some setuid launcher.

>
> > I don't claim to understand the specifics well enough, but such a dropin
> > is not used elsewhere, including Fedora which considers making dbus-broker
> > the default.
> > ie. that would be a grave mistake of upstream to leave the setting out.
>
> Yeah, as I said above, I'm not sure what's going on. I may have just
> looked at the wrong line in my logs...
>
> I'll double check.
>
> > > As for that drop-in: systemd knows only about the 'dbus' service, which
> > > is what dbus-broker impersonates, so the drop-in must be one for the
> > > dbus service, not the dbus-broker service, which does not exist.
> >
> > dbus-broker.service has an alias to dbus.service, if enabled it will take the
> > place of that service as well (and bc of the conflict with dbus, there is
> > just one dbus.service enabled at any point)
> >
> > also you use dbus.service.d as place for the dropin, this will affect the
> > reference dbus too?
>
> Nope: drop-in not installed when original dbus is enabled in the
> configuration.
>
> [--SNIP--]
> > > +# We msut be using the same user as the origian dbus, so we can share
> > > +# the home directory and create a socket there.
> > > +define DBUS_BROKER_USERS
> > > +       dbus -1 dbus -1 * /var/run/dbus - dbus DBus messagebus user
> > > +endef
> > Out of scope of this patch, but pls have a look at [2] and [3].
>
> I've duplicated the definition of the user for the original dbus, so at
> least we're on-par with the issues that one has. Woops. ;-)

Had to read that like 3 times till I got what you mean. Good old
copypasta.

Norbert

>
> [2] has been opened in a tab in my browser for a while, yes.
> I need to take a closer look at [3], though...
>
> [--SNIP--]
> > > diff --git a/package/dbus-broker/system.conf b/package/dbus-broker/system.conf
> > > new file mode 100644
> > > index 0000000000..a1e8df7367
> > > --- /dev/null
> > > +++ b/package/dbus-broker/system.conf
> > > @@ -0,0 +1,120 @@
> > > +<!-- This configuration file controls the systemwide message bus.
> > > +     Add a system-local.conf and edit that rather than changing this
> > > +     file directly. -->
> > > +
> > > +<!-- Note that there are any number of ways you can hose yourself
> > > +     security-wise by screwing up this file; in particular, you
> > > +     probably don't want to listen on any more addresses, add any more
> > > +     auth mechanisms, run as a different user, etc. -->
> > > +
> > > +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
> > > + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
> > > +<busconfig>
> > > +
> > > +  <!-- Our well-known bus type, do not change this -->
> > > +  <type>system</type>
> > > +
> > Add this here instead of using the dbus-user.conf file:
> > +  <!-- Run as special user -->
> > +  <user>dbus</user>
>
> Yeah, I had tried it. Maybe I just forgot to reinstall it before running
> the tests? Meh... I'd need a good night's sleep one of those days...
>
> > [2] - https://patchwork.ozlabs.org/project/buildroot/list/?series=186339
> > [3] - https://patchwork.ozlabs.org/project/buildroot/patch/20200605224858.12870-2-nolange79 at gmail.com/
>
> Regards,
> Yann E. MORIN.
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package
  2020-07-06 20:46       ` Norbert Lange
@ 2020-07-06 21:06         ` Yann E. MORIN
  0 siblings, 0 replies; 10+ messages in thread
From: Yann E. MORIN @ 2020-07-06 21:06 UTC (permalink / raw)
  To: buildroot

Norbert, All,

On 2020-07-06 22:46 +0200, Norbert Lange spake thusly:
> On Mon, 6 July 2020 at 19:34, Yann E. MORIN
> <yann.morin.1998@free.fr> wrote:
> > > 1) I am not sure if dbus-broker-launch is completely ok being started
> > > as non-root
> > As-is, the runtime tests in patch 4 do work flawlessly. That's exactly
> > why I added runtime tests: to validate the use of dbus-broker instead of
> > the original dbus.
> Tests are always good, but how much is covered here?

You can check by yourself, they are in the tree:

    support/testing/tests/init/test_systemd.py

Basically, for systemd, we check:

  - that we can login
  - that pid 1 is systemd (/lib/systemd/systemd)
  - that there is no failed unit
  - that we can connect and list the bus
  - that we can read the journal
  - that the network is up

all of that in a combination of read-only or read-write filesystem (*).

The new tests check the same, but with dbus-broker, and that the bus
runs as user 'dbus'.

(*) I need to investigate a potential issue with our read-write test
cases, though, but this is out of scope for this patch...

> might be only a problem with apparmor, selinux or when "instantiating"
> over the dbus.

Adding new tests would be awesome! ;-)

> > > 3) for dbus broker the dbus user has no external references.
> > Not sure I understand that...
> kinda the same thing with ephemeral ports vs known server-ports.
> anything non-root is enough for dropping privileges, you don't have
> the user's uid showing up anywhere.

Sure.

> > > dropping to the dbus user is AFAIK just a matter of isolation.
> > Isolation of a system-level daemon is always good, IMHO.
> The point being that it is probably enough to use the "nobody"
> user, unless you have some setuid launcher.

But what if there are other daemons that must drop privilege? Having
them all run as 'nobody' would not isolate them from each other. So
it is better that each service runs as its own user; hence we use a
dedicated user for dbus. Whether we can make that a transient user is
a refinement for the future, maybe.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
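
An added example, not part of the thread or of Buildroot's test suite: a check in the spirit of "the bus runs as user 'dbus'" that also reports when several daemons sit behind one catch-all account such as 'nobody', which is the isolation concern raised in the message above. The `ps` output, the daemons "exampled" and "otherd", and the expectation that both bus processes run as 'dbus' are assumptions made for the illustration.

```python
import os
from collections import defaultdict

# Constructed sample of `ps -eo user,pid,args` output; "exampled" and "otherd"
# are hypothetical daemons, not packages named in the thread.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 /lib/systemd/systemd
dbus       112 /usr/bin/dbus-broker-launch
dbus       113 dbus-broker
nobody     140 /usr/sbin/exampled --foreground
nobody     151 /usr/sbin/otherd
"""

# Assumption: both bus processes are expected to run as the 'dbus' account.
EXPECTED = {"dbus-broker-launch": "dbus", "dbus-broker": "dbus"}


def parse_ps(text):
    """Return (user, pid, name) tuples from `ps -eo user,pid,args` output."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 2)
        if len(fields) < 3 or not fields[1].isdigit():
            continue  # blank or malformed line
        user, pid, args = fields
        procs.append((user, int(pid), os.path.basename(args.split()[0])))
    return procs


def audit(procs, expected=EXPECTED, shared_accounts=("nobody",)):
    """List processes under the wrong account and catch-all accounts in reuse."""
    findings, seen, by_user = [], set(), defaultdict(set)
    for user, pid, name in procs:
        by_user[user].add(name)
        if name in expected:
            seen.add(name)
            if user != expected[name]:
                findings.append(f"{name}[{pid}] runs as {user}, expected {expected[name]}")
    for name in sorted(set(expected) - seen):
        findings.append(f"{name} is not running")
    for account in shared_accounts:
        names = sorted(by_user.get(account, ()))
        if len(names) > 1:  # several daemons behind one uid are not isolated
            findings.append(f"account {account} is shared by: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ps(SAMPLE_PS)):
        print(finding)
```

On a target, the same functions can be fed the captured output of `ps -eo user,pid,args` instead of the constructed sample.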


Thread overview: 10+ messages
2020-07-05 10:23 [Buildroot] [PATCH 0/4 v4] dus-borker: new package (branch yem/dbus-broker) Yann E. MORIN
2020-07-05 10:23 ` [Buildroot] [PATCH 1/4 v4] package/dbus-broker: new package Yann E. MORIN
2020-07-05 23:21   ` Norbert Lange
2020-07-06 17:34     ` Yann E. MORIN
2020-07-06 19:01       ` Yann E. MORIN
2020-07-06 20:46       ` Norbert Lange
2020-07-06 21:06         ` Yann E. MORIN
2020-07-05 10:23 ` [Buildroot] [PATCH 2/4 v4] package/systemd: do not force dbus if dbus-broker is available Yann E. MORIN
2020-07-05 10:23 ` [Buildroot] [PATCH 3/4 v4] support/testsuite: de-duplicate the systemd runtime tests Yann E. MORIN
2020-07-05 10:23 ` [Buildroot] [PATCH 4/4 v4] support/run-test: add test for systemd using dbus-broker Yann E. MORIN
