On Wed, Dec 18, 2024 at 09:01:59AM +0100, Robert Schwebel wrote: > From: Michael Olbrich <[email protected]> > > dbus-broker has meanwhile evolved as an alternative to the standard dbus > daemon. Since its beginning, it has for example been long used in > Fedora, and Debian has it as an alternative implementation. So let's try > it in ptxdist as well. > > Signed-off-by: Michael Olbrich <[email protected]> > [various version bumps, added sysroot mechanics for newer versions] > Signed-off-by: Robert Schwebel <[email protected]> > --- > .../usr/lib/systemd/system/dbus.socket | 5 + > projectroot/usr/share/dbus-1/system.conf | 140 ++++++++++++++++++
Hmm, I'm pretty sure, that these files will be used by the dbus package as well. And they are just copies, because the dbus-broker does not provide its own versions, right? We need a better solution for this. > rules/dbus-broker.in | 17 +++ > rules/dbus-broker.make | 86 +++++++++++ > rules/dbus.in | 10 ++ > rules/dbus.make | 6 +- > 6 files changed, 262 insertions(+), 2 deletions(-) > create mode 100644 projectroot/usr/lib/systemd/system/dbus.socket > create mode 100644 projectroot/usr/share/dbus-1/system.conf > create mode 100644 rules/dbus-broker.in > create mode 100644 rules/dbus-broker.make > > diff --git a/projectroot/usr/lib/systemd/system/dbus.socket > b/projectroot/usr/lib/systemd/system/dbus.socket > new file mode 100644 > index 000000000..0303bfbde > --- /dev/null > +++ b/projectroot/usr/lib/systemd/system/dbus.socket > @@ -0,0 +1,5 @@ > +[Unit] > +Description=D-Bus System Message Bus Socket > + > +[Socket] > +ListenStream=/var/run/dbus/system_bus_socket > diff --git a/projectroot/usr/share/dbus-1/system.conf > b/projectroot/usr/share/dbus-1/system.conf > new file mode 100644 > index 000000000..fb1526a4b > --- /dev/null > +++ b/projectroot/usr/share/dbus-1/system.conf 
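Review bot: The new dbus.socket unit listens on `/var/run/dbus/system_bus_socket`, while the system.conf added in the same patch declares `<listen>unix:path=/run/dbus/system_bus_socket</listen>`. The two only name the same socket if `/var/run` is a symlink to `/run` on the target, and systemd treats paths below `/var/run` as legacy. Since clients and the policy configuration both depend on this path, I would use the canonical location in the unit: `ListenStream=/run/dbus/system_bus_socket`.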
> @@ -0,0 +1,140 @@ > +<!-- This configuration file controls the systemwide message bus. > + Add a system-local.conf and edit that rather than changing this > + file directly. --> > + > +<!-- Note that there are any number of ways you can hose yourself > + security-wise by screwing up this file; in particular, you > + probably don't want to listen on any more addresses, add any more > + auth mechanisms, run as a different user, etc. --> > + > +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration > 1.0//EN" > + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> > +<busconfig> > + > + <!-- Our well-known bus type, do not change this --> > + <type>system</type> > + > + <!-- Run as special user --> > + <user>messagebus</user> > + > + <!-- Fork into daemon mode --> > + <fork/> > + > + <!-- We use system service launching using a helper --> > + <standard_system_servicedirs/> > + > + <!-- This is a setuid helper that is used to launch system services --> > + <servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper> > + > + <!-- Write a pid file --> > + <pidfile>/run/dbus/pid</pidfile> > + > + <!-- Enable logging to syslog --> > + <syslog/> > + > + <!-- Only allow socket-credentials-based authentication --> > + <auth>EXTERNAL</auth> > + > + <!-- Only listen on a local socket. (abstract=/path/to/socket > + means use abstract namespace, don't really create filesystem > + file; only Linux supports this. Use path=/whatever on other > + systems.) 
--> > + <listen>unix:path=/run/dbus/system_bus_socket</listen> > + > + <policy context="default"> > + <!-- All users can connect to system bus --> > + <allow user="*"/> > + > + <!-- Holes must be punched in service configuration files for > + name ownership and sending method calls --> > + <deny own="*"/> > + <deny send_type="method_call"/> > + > + <!-- Signals and reply messages (method returns, errors) are allowed > + by default --> > + <allow send_type="signal"/> > + <allow send_requested_reply="true" send_type="method_return"/> > + <allow send_requested_reply="true" send_type="error"/> > + > + <!-- All messages may be received by default --> > + <allow receive_type="method_call"/> > + <allow receive_type="method_return"/> > + <allow receive_type="error"/> > + <allow receive_type="signal"/> > + > + <!-- Allow anyone to talk to the message bus --> > + <allow send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus" /> > + <allow send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus.Introspectable"/> > + <allow send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus.Properties"/> > + <!-- But disallow some specific bus services --> > + <deny send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus" > + send_member="UpdateActivationEnvironment"/> > + <deny send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus.Debug.Stats"/> > + <deny send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.systemd1.Activator"/> > + </policy> > + > + <!-- Only systemd, which runs as root, may report activation failures. --> > + <policy user="root"> > + <allow send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.systemd1.Activator"/> > + </policy> > + > + <!-- root may monitor the system bus. 
--> > + <policy user="root"> > + <allow send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus.Monitoring"/> > + </policy> > + > + <!-- If the Stats interface was enabled at compile-time, root may use it. > + Copy this into system.local.conf or system.d/*.conf if you want to > + enable other privileged users to view statistics and debug info --> > + <policy user="root"> > + <allow send_destination="org.freedesktop.DBus" > + send_interface="org.freedesktop.DBus.Debug.Stats"/> > + </policy> > + > + <!-- Include legacy configuration location --> > + <include ignore_missing="yes">/etc/dbus-1/system.conf</include> > + > + <!-- The defaults for these limits are hard-coded in dbus-daemon. > + Some clarifications: > + Times are in milliseconds (ms); 1000ms = 1 second > + 133169152 bytes = 127 MiB > + 33554432 bytes = 32 MiB > + 150000ms = 2.5 minutes --> > + <!-- <limit name="max_incoming_bytes">133169152</limit> --> > + <!-- <limit name="max_incoming_unix_fds">64</limit> --> > + <!-- <limit name="max_outgoing_bytes">133169152</limit> --> > + <!-- <limit name="max_outgoing_unix_fds">64</limit> --> > + <!-- <limit name="max_message_size">33554432</limit> --> > + <!-- <limit name="max_message_unix_fds">16</limit> --> > + <!-- <limit name="service_start_timeout">25000</limit> --> > + <!-- <limit name="auth_timeout">5000</limit> --> > + <!-- <limit name="pending_fd_timeout">150000</limit> --> > + <!-- <limit name="max_completed_connections">2048</limit> --> > + <!-- <limit name="max_incomplete_connections">64</limit> --> > + <!-- <limit name="max_connections_per_user">256</limit> --> > + <!-- <limit name="max_pending_service_starts">512</limit> --> > + <!-- <limit name="max_names_per_connection">512</limit> --> > + <!-- <limit name="max_match_rules_per_connection">512</limit> --> > + <!-- <limit name="max_replies_per_connection">128</limit> --> > + > + <!-- Config files are placed here that among other things, punch > + holes in the above policy for 
specific services. --> > + <includedir>system.d</includedir> > + > + <includedir>/etc/dbus-1/system.d</includedir> > + > + <!-- This is included last so local configuration can override what's > + in this standard file --> > + <include ignore_missing="yes">/etc/dbus-1/system-local.conf</include> > + > + <include if_selinux_enabled="yes" > selinux_root_relative="yes">contexts/dbus_contexts</include> > + > +</busconfig> > diff --git a/rules/dbus-broker.in b/rules/dbus-broker.in > new file mode 100644 > index 000000000..839a99246 > --- /dev/null > +++ b/rules/dbus-broker.in > @@ -0,0 +1,17 @@ > +## SECTION=middleware > + > +config DBUS_BROKER > + tristate > + depends on INITMETHOD_SYSTEMD > + select HOST_MESON > + select EXPAT > + select SYSTEMD > + select DBUS_NO_DAEMON if DBUS > + prompt "dbus-broker" > + help > + The dbus-broker project is an implementation of a message bus as > + defined by the D-Bus specification. Its aim is to provide high > + performance and reliability, while keeping compatibility to the D-Bus > + reference implementation. It is exclusively written for linux systems, > + and makes use of many modern features provided by recent linux kernel > + releases. > diff --git a/rules/dbus-broker.make b/rules/dbus-broker.make > new file mode 100644 > index 000000000..ffb9a9e9c > --- /dev/null > +++ b/rules/dbus-broker.make 
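Review bot: The copied system.conf still names the setuid helper in `<servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper>`, but nothing installs that binary in a dbus-broker configuration. The dbus-broker.make in this patch does not ship it, and the dbus.make hunks put its install behind `ifndef PTXCONF_DBUS_NO_DAEMON`. The same applies to `<fork/>`, `<pidfile>` and `<listen>`, which describe how dbus-daemon starts rather than a socket-activated broker. If dbus-broker-launch ignores these elements (not visible from this patch, so please confirm), a short comment at the top of the file saying which elements are honoured would stop readers from assuming the helper exists. Otherwise the stale elements should be dropped. The `<policy context="default">` block with `<deny own="*"/>` and `<deny send_type="method_call"/>` is the part that matters and should be kept exactly as it is.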
> @@ -0,0 +1,86 @@ > +# -*-makefile-*- > +# > +# Copyright (C) 2018 by Michael Olbrich <[email protected]> > +# > +# See CREDITS for details about who has contributed to this project. > +# > +# For further information about the PTXdist project and license conditions > +# see the README file. > +# > + > +# > +# We provide this package > +# > +PACKAGES-$(PTXCONF_DBUS_BROKER) += dbus-broker > + > +# > +# Paths and names > +# > +DBUS_BROKER_VERSION := 36 > +DBUS_BROKER_MD5 := 0398b41a250a6172e35750fc864ee33b > +DBUS_BROKER := dbus-broker-$(DBUS_BROKER_VERSION) > +DBUS_BROKER_SUFFIX := tar.xz > +DBUS_BROKER_URL := > https://github.com/bus1/dbus-broker/releases/download/v$(DBUS_BROKER_VERSION)/$(DBUS_BROKER).$(DBUS_BROKER_SUFFIX) > +DBUS_BROKER_SOURCE := $(SRCDIR)/$(DBUS_BROKER).$(DBUS_BROKER_SUFFIX) > +DBUS_BROKER_DIR := $(BUILDDIR)/$(DBUS_BROKER) > +DBUS_BROKER_LICENSE := Apache-2.0 > + > +# > ---------------------------------------------------------------------------- > +# Prepare > +# > ---------------------------------------------------------------------------- > + > +# host path leaks in if not set explicitly > +DBUS_BROKER_CONF_ENV := \ > + $(CROSS_ENV) \ > + PTXDIST_PKG_CONFIG_VAR_NO_SYSROOT="systemdsystemunitdir > systemduserunitdir catalogdir" > + > +# > +# meson > +# > +DBUS_BROKER_CONF_TOOL := meson > +DBUS_BROKER_CONF_OPT := \ > + $(CROSS_MESON_USR) \ > + -Daudit=false \ > + -Dc-shquote:reference-test=false \ > + -Ddocs=false \ > + -Dlauncher=true \ > + -Dreference-test=false \ > + -Dselinux=false \ > + -Dsystem-console-users="[]" > + > +# > ---------------------------------------------------------------------------- > +# Target-Install > +# > ---------------------------------------------------------------------------- > + > +$(STATEDIR)/dbus-broker.targetinstall: > + @$(call targetinfo) > + > + @$(call install_init, dbus-broker) > + @$(call install_fixup, dbus-broker,PRIORITY,optional) > + @$(call install_fixup, dbus-broker,SECTION,base) > + @$(call 
install_fixup, dbus-broker,AUTHOR,"Michael Olbrich > <[email protected]>") > + @$(call install_fixup, dbus-broker,DESCRIPTION,missing) > + > + @$(call install_copy, dbus-broker, 0, 0, 0755, -, \ > + /usr/bin/dbus-broker) > + @$(call install_copy, dbus-broker, 0, 0, 0755, -, \ > + /usr/bin/dbus-broker-launch) > + > + @$(call install_alternative, dbus-broker, 0, 0, 0644, \ > + /usr/share/dbus-1/system.conf) > + > + @$(call install_copy, dbus-broker, 0, 0, 0644, -, \ > + /usr/lib/systemd/system/dbus-broker.service) > + @$(call install_link, dbus-broker, dbus-broker.service, \ > + /usr/lib/systemd/system/dbus.service) > + > + @$(call install_alternative, dbus-broker, 0, 0, 0644, \ > + /usr/lib/systemd/system/dbus.socket) > + @$(call install_link, dbus-broker, ../dbus.socket, \ > + /usr/lib/systemd/system/sockets.target.wants/dbus.socket) > + > + @$(call install_finish, dbus-broker) > + > + @$(call touch) > + > +# vim: syntax=make > diff --git a/rules/dbus.in b/rules/dbus.in > index b205ee62f..c8b5f09be 100644 > --- a/rules/dbus.in > +++ b/rules/dbus.in > @@ -32,6 +32,14 @@ config DBUS_SELINUX > depends on BROKEN > bool > > +config DBUS_NO_DAEMON > + bool > + > +comment "D-Bus daemon is provided by dbus-broker" > + depends on DBUS_NO_DAEMON > + > +if !DBUS_NO_DAEMON > + > config DBUS_SYSTEMD > bool > default INITMETHOD_SYSTEMD > @@ -60,3 +68,5 @@ config DBUS_SYSTEMD_USER_UNIT > depends on SYSTEMD_UNITS_USER && DBUS_SYSTEMD_UNIT > > endif > + > +endif > diff --git a/rules/dbus.make b/rules/dbus.make > index f2bc7b552..dffa0ab6f 100644 > --- a/rules/dbus.make > +++ b/rules/dbus.make 
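Review bot: `DBUS_BROKER_LICENSE := Apache-2.0` is declared without a matching `DBUS_BROKER_LICENSE_FILES` entry, so the licence text in the downloaded tarball is not pinned by a checksum and a change between releases would go unnoticed. I would add something like `DBUS_BROKER_LICENSE_FILES := file://<licence file in the tarball>;md5=<its checksum>` (both placeholders, to be filled in from the unpacked source). In the Target-Install rule, `DESCRIPTION,missing` could be replaced with a one-line description. Separately, `-Daudit=false` and `-Dselinux=false` are hard-coded, so a comment such as `# audit/selinux support is not wired up in ptxdist yet` (if that is the reason) would make it clear that the missing audit records are a deliberate choice.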
> @@ -89,6 +89,7 @@ $(STATEDIR)/dbus.targetinstall: > @$(call install_fixup, dbus,AUTHOR,"Roland Hostettler > <[email protected]>") > @$(call install_fixup, dbus,DESCRIPTION,missing) > > +ifndef PTXCONF_DBUS_NO_DAEMON dbus has a -Dmessage_bus= option to disable the daemon. And we can probably disable tools as well. > @$(call install_copy, dbus, 0, 0, 0755, -, \ > /usr/bin/dbus-daemon) > @$(call install_copy, dbus, 0, 0, 0755, -, \ > @@ -105,14 +106,17 @@ $(STATEDIR)/dbus.targetinstall: > /usr/bin/dbus-uuidgen) > @$(call install_copy, dbus, 0, 104, 4754, -, \ > /usr/libexec/dbus-daemon-launch-helper) > +endif > > @$(call install_lib, dbus, 0, 0, 0644, libdbus-1) > > # # > # # install config files > # # > +ifndef PTXCONF_DBUS_NO_DAEMON > @$(call install_alternative, dbus, 0, 0, 0644, > /usr/share/dbus-1/system.conf) > @$(call install_alternative, dbus, 0, 0, 0644, > /usr/share/dbus-1/session.conf) > +endif > > # # > # # busybox init: start script > @@ -132,8 +136,6 @@ ifdef PTXCONF_DBUS_SYSTEMD_UNIT > /usr/lib/systemd/system/dbus.socket) > @$(call install_link, dbus, ../dbus.socket, \ > /usr/lib/systemd/system/sockets.target.wants/dbus.socket) > - @$(call install_link, dbus, ../dbus.socket, \ > - /usr/lib/systemd/system/dbus.target.wants/dbus.socket) This looks strange, why is this hunk here? Michael > > @$(call install_copy, dbus, 0, 0, 0644, -, \ > /usr/lib/systemd/system/dbus.service) > -- > 2.39.5 > > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
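Review bot: In the second hunk, the `ifndef PTXCONF_DBUS_NO_DAEMON` around the config files drops `/usr/share/dbus-1/session.conf` as well as system.conf. The dbus-broker.make in this patch installs only `/usr/share/dbus-1/system.conf`, so a DBUS_BROKER image ends up with no session bus policy at all. If a user or session bus is meant to work with dbus-broker, either move the `+endif` up so that only the system.conf line is guarded, or have dbus-broker install session.conf too. If it is not meant to be supported, a comment next to the guard should say so. The `$(STATEDIR)/dbus.targetinstall` rule starts and ends outside these hunks, so I cannot see whether anything later in it still expects these files.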
