D-Bus Configuration (Part 4)

Posted by 旧时模样 on 2019-12-06 07:39:50

Every dbus daemon has a configuration file that specifies what type of daemon to set up, for example a system or a session bus. The configuration file also holds resource limits, security-related parameter settings, and so on.


1. The dbus daemon configuration file
The options of the session bus configuration file on my system are listed below.

Path: /etc/dbus-1/session.conf

The configuration file is in XML format.

june@june:/etc/dbus-1$ cat session.conf 
<!-- This configuration file controls the per-user-login-session message bus.
     Add a session-local.conf and edit that rather than changing this 
     file directly. -->

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig> <!-- root element -->
  <!-- Our well-known bus type, don't change this -->
  <type>session</type>    <!-- bus type of this dbus daemon (session or system) -->

  <!-- If we fork, keep the user's original umask to avoid affecting
       the behavior of child processes. -->
  <keep_umask/>     <!-- if the daemon forks (fork command-line flag or <fork/>), the child keeps the parent's umask -->

  <listen>unix:tmpdir=/tmp</listen>    <!-- listen address; same function as the address command-line flag -->

  <standard_session_servicedirs />   <!-- standard D-Bus service directories: services started on demand are
                                          added there; on Linux this is the directory /usr/share/dbus-1/service -->
  <policy context="default">            <!-- global (default) policy -->
    <allow own="*"/>                    <!-- allow owning any name -->
    <!-- Allow everything to be sent -->
    <allow send_destination="*" eavesdrop="true"/>  <!-- sending -->
    <!-- Allow everything to be received -->
    <allow eavesdrop="true"/>                        <!-- receiving -->
    <!-- Allow anyone to own anything -->
    <allow own="*"/>

    <!-- I added the following by hand; they do not matter and are only here to illustrate the
         configuration. They allow all message types; D-Bus has the four message types below. -->
    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>
  </policy>


  <!-- raise the service start timeout to 40 seconds as it can timeout
       on the live cd on slow machines -->
  <limit name="service_start_timeout">60000</limit>


  <!-- Config files are placed here that among other things, 
       further restrict the above policy for specific services. -->
  <includedir>session.d</includedir>    <!-- this directory is for adding configuration: you can add it to session.conf,
                                             or add files under this directory (recommended, since it keeps things modular);
                                             added files must end in .conf or they are not recognised -->

  <!-- This is included last so local configuration can override what's 
       in this standard file -->
  <include ignore_missing="yes">session-local.conf</include> <!-- local session config; skipped without error if it does not exist;
                                                                  with ignore_missing="no" a missing file is an error -->

  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> <!-- security-related configuration, similar to a firewall -->


  <!-- For the session bus, override the default relatively-low limits 
       with essentially infinite limits, since the bus is just running 
       as the user anyway, using up bus resources is not something we need 
       to worry about. In some cases, we do set the limits lower than 
       "all available memory" if exceeding the limit is almost certainly a bug, 
       having the bus enforce a limit is nicer than a huge memory leak. But the 
       intent is that these limits should never be hit. -->

  <!-- the entries below are resource limits -->
  <!-- the memory limits are 1G instead of say 4G because they can't exceed 32-bit signed int max -->
  <limit name="max_incoming_bytes">1000000000</limit>
  <limit name="max_incoming_unix_fds">250000000</limit>
  <limit name="max_outgoing_bytes">1000000000</limit>
  <limit name="max_outgoing_unix_fds">250000000</limit>
  <limit name="max_message_size">1000000000</limit>
  <!-- We do not override max_message_unix_fds here since the in-kernel
       limit is also relatively low -->
  <limit name="service_start_timeout">120000</limit>  
  <limit name="auth_timeout">240000</limit>
  <limit name="pending_fd_timeout">150000</limit>
  <limit name="max_completed_connections">100000</limit>  
  <limit name="max_incomplete_connections">10000</limit>
  <limit name="max_connections_per_user">100000</limit>
  <limit name="max_pending_service_starts">10000</limit>
  <limit name="max_names_per_connection">50000</limit>
  <limit name="max_match_rules_per_connection">50000</limit>
  <limit name="max_replies_per_connection">50000</limit>
</busconfig>

Below, some rules are tested by example.

Prerequisites:

1. Have D-Bus installed on your machine. Usually nothing needs installing, since the system and the UI need D-Bus to interact.

2. Copy the code from the "DBus 实例" (D-Bus example) post and compile it (it is best to read through the source first and understand what it does, which makes the rest easier to follow).

1. Compile the source:

june@june:~/document/comb$ gcc service.c -ldbus-1 -I/usr/include/dbus-1.0 -o service
june@june:~/document/comb$ 
june@june:~/document/comb$ gcc client.c -ldbus-1 -I/usr/include/dbus-1.0 -o client
june@june:~/document/comb$ ls
client  client.c  service  service.c
june@june:~/document/comb$ 

2. Manually start a D-Bus daemon

june@june:~/document/comb$ dbus-daemon --session --print-address --fork --print-pid
unix:abstract=/tmp/dbus-CSy0dphkTM,guid=24e009e82bece7928f58cc4b5b39c4f6
2900
june@june:~/document/comb$ 

3. The key step: export the listen address. Why? Because when dbus_bus_get() obtains the connection it looks up this environment variable to find the listen address.

june@june:~/document/comb$ export  DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-CSy0dphkTM,guid=24e009e82bece7928f58cc4b5b39c4f6
june@june:~/document/comb$ 
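Steps 2 and 3 above (start a private session daemon, read the address it prints, export DBUS_SESSION_BUS_ADDRESS for the clients) can be scripted. The following is an added example, not code from the original post: it parses the two lines that `dbus-daemon --print-address --print-pid` writes, builds the child environment, and tears the daemon down afterwards, so a policy change can be tried on an isolated bus rather than on the real login-session bus. The sample output is a constructed copy of what the post shows; the live parts assume that `dbus-daemon` and `dbus-send` are on PATH.

```python
"""Added example (not from the original post): drive a private session
dbus-daemon from Python the way steps 2 and 3 of the post do by hand."""
import os
import re
import signal
import subprocess

# Constructed copy of what `dbus-daemon --session --print-address --fork
# --print-pid` printed in the post: the address on line 1, the pid on line 2.
SAMPLE_OUTPUT = (
    "unix:abstract=/tmp/dbus-CSy0dphkTM,guid=24e009e82bece7928f58cc4b5b39c4f6\n"
    "2900\n"
)

# Transports dbus-daemon can listen on; the server guid is 32 hex digits.
ADDRESS_RE = re.compile(r"^(unix|tcp|nonce-tcp|unixexec):\S+$")
GUID_RE = re.compile(r"(?:^|,)guid=([0-9a-f]{32})(?:,|$)")


def parse_daemon_output(text):
    """Return (address, guid, pid) from the two lines the daemon prints,
    refusing anything that does not look like a bus address plus a pid."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) != 2:
        raise ValueError(f"expected an address line and a pid line, got {lines!r}")
    address, pid_text = lines
    if not ADDRESS_RE.match(address):
        raise ValueError(f"not a D-Bus server address: {address}")
    match = GUID_RE.search(address)
    if not match:
        raise ValueError("address carries no guid")
    return address, match.group(1), int(pid_text)


def session_env(address, base=None):
    """Environment for a child that should talk to this bus: dbus_bus_get()
    resolves the session bus through DBUS_SESSION_BUS_ADDRESS (step 3)."""
    env = dict(os.environ if base is None else base)
    env["DBUS_SESSION_BUS_ADDRESS"] = address
    return env


def start_session_daemon():
    """Launch a forked private session bus; returns (address, guid, pid)."""
    out = subprocess.run(
        ["dbus-daemon", "--session", "--print-address", "--print-pid", "--fork"],
        check=True, capture_output=True, text=True).stdout
    return parse_daemon_output(out)


def reload_config(pid):
    """SIGHUP makes dbus-daemon re-read its configuration (used in step 5)."""
    os.kill(pid, signal.SIGHUP)


def run_on_private_bus(argv):
    """Start a bus, run argv against it, then stop the bus again."""
    address, _, pid = start_session_daemon()
    try:
        return subprocess.run(argv, env=session_env(address)).returncode
    finally:
        os.kill(pid, signal.SIGTERM)


if __name__ == "__main__":
    # Ask the private bus for the names currently on it.
    print(run_on_private_bus([
        "dbus-send", "--session", "--print-reply", "--dest=org.freedesktop.DBus",
        "/org/freedesktop/DBus", "org.freedesktop.DBus.ListNames"]))
```

Because the address includes the bus guid, a client can refuse to talk to a bus it did not start; the parser above rejects an address without one.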

4. Run and check the results

june@june:~/document/comb$ ./service &        // run in the background as the server
[1] 2903
june@june:~/document/comb$ path: /org/freedesktop/DBus
path: /org/freedesktop/DBus

june@june:~/document/comb$ ./client        // run in the foreground as the requester; the client does two things:
path: /org/freedesktop/DBus                // 1. emit a signal to path=/hello interface=aa.bb.cc signal=alarm_test, carrying the payload "hello world!"
path: /org/freedesktop/DBus                // 2. call the add method on bus name=hello.world.service path=/hello/world interface=hello.world method=add
path: /hello                                // Why does the signal not specify a bus name? Because a signal is a broadcast; there is also an API that sets a destination bus name, which turns it into unicast.
recv param --: hello world!
path: /hello/world
service: add  function
 a(100) + b(99) = 199
june@june:~/document/comb$

5. Add a security policy that forbids sending to a specific destination bus name

Edit /etc/dbus-1/session.conf:

   On the line above </policy>, add <deny send_destination="hello.world.service"/>, which forbids sending messages to hello.world.service.

Send SIGHUP to dbus-daemon to make it reload its configuration, as mentioned in the "DBus daemon 启动" (daemon startup) post.

Since sending messages to hello.world.service is forbidden here, both the signal and the method call will fail.

june@june:~/document/comb$ kill -1 2900
june@june:~/document/comb$ ps
  PID TTY          TIME CMD
 2305 pts/0    00:00:00 bash
 2965 pts/0    00:00:00 service
 2979 pts/0    00:00:00 ps
june@june:~/document/comb$ ./client
paramter type error
 a(100) + b(99) = 159115060
june@june:~/document/comb$
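The result above depends on where the deny rule lands: dbus-daemon checks the rules of a policy context in order and the last matching rule wins, which is why the post puts the deny after the blanket `<allow send_destination="*"/>`. The following added example (not code from the original post or from the dbus project) is a simplified standard-library model of that evaluation. It builds the post's session.conf and session.d layout in a temporary directory and replays the two points made earlier: a `.conf` file under the `<includedir>` is read where the directive appears, a file with any other suffix is ignored, and a deny written before the allow is overridden. The config snippets and the `org.example.Other` name are constructed for the example; the assumption that directory entries are read in sorted name order is the model's, not necessarily the daemon's.

```python
"""Added example, not code from the original post or from the dbus project:
a simplified, standard-library model of how dbus-daemon evaluates the send
rules of <policy context="default"> across session.conf and session.d/."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed main config: the blanket allow from the post, then the includedir.
MAIN_CONF = """<busconfig>
  <policy context="default">
    <allow send_destination="*" eavesdrop="true"/>
  </policy>
  <includedir>session.d</includedir>
</busconfig>
"""

# The rule from step 5 of the post, wrapped so it can live in its own file.
DENY_CONF = """<busconfig>
  <policy context="default">
    <deny send_destination="hello.world.service"/>
  </policy>
</busconfig>
"""

# The same deny, but written before the blanket allow: the ordering pitfall.
DENY_FIRST_CONF = """<busconfig>
  <policy context="default">
    <deny send_destination="hello.world.service"/>
    <allow send_destination="*"/>
  </policy>
</busconfig>
"""


def load_send_rules(path):
    """Collect (verb, send_destination) pairs from every <policy
    context="default"> in document order, descending into <includedir> at the
    point where it appears; a relative includedir resolves against the config
    file's directory. Only rules with a send_destination attribute are
    modelled. Directory entries are visited in sorted name order (an
    assumption of this model) and only names ending in .conf are read."""
    rules = []
    base = os.path.dirname(os.path.abspath(path))
    for elem in ET.parse(path).getroot():
        if elem.tag == "policy" and elem.get("context") == "default":
            for rule in elem:
                if rule.tag in ("allow", "deny") and rule.get("send_destination"):
                    rules.append((rule.tag, rule.get("send_destination")))
        elif elem.tag == "includedir":
            incdir = os.path.join(base, elem.text.strip())
            if os.path.isdir(incdir):
                for name in sorted(os.listdir(incdir)):
                    if name.endswith(".conf"):
                        rules.extend(load_send_rules(os.path.join(incdir, name)))
    return rules


def send_allowed(rules, destination):
    """Rules are checked in order and the last matching one wins; a message
    that no rule matches is denied. "*" matches any destination. (The real
    daemon also applies a send_destination rule to the unique connection name
    of whichever connection owns that well-known name; left out here.)"""
    verdict = "deny"
    for verb, pattern in rules:
        if pattern == "*" or pattern == destination:
            verdict = verb
    return verdict == "allow"


def demo():
    """Replay the post's scenarios in a throw-away config tree; returns the
    verdict (True = allowed) for each one."""
    target = "hello.world.service"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        main = os.path.join(tmp, "session.conf")
        incdir = os.path.join(tmp, "session.d")
        os.mkdir(incdir)
        with open(main, "w") as f:
            f.write(MAIN_CONF)
        # 1. stock policy: anything may be sent anywhere
        results["default"] = send_allowed(load_send_rules(main), target)
        # 2. deny dropped into session.d, which is loaded after the allow
        deny_path = os.path.join(incdir, "10-deny-hello.conf")
        with open(deny_path, "w") as f:
            f.write(DENY_CONF)
        rules = load_send_rules(main)
        results["deny_in_session_d"] = send_allowed(rules, target)
        results["other_destination"] = send_allowed(rules, "org.example.Other")
        # 3. the same file without a .conf suffix is silently ignored
        os.rename(deny_path, deny_path + ".disabled")
        results["non_conf_ignored"] = send_allowed(load_send_rules(main), target)
        # 4. a deny written before the blanket allow is overridden by it
        first = os.path.join(tmp, "deny-first.conf")
        with open(first, "w") as f:
            f.write(DENY_FIRST_CONF)
        results["deny_before_allow"] = send_allowed(load_send_rules(first), target)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Scenario 4 is the one to check when a restriction seems to have no effect after SIGHUP: a deny that precedes a wildcard allow in the same context is matched first and then overruled, and a rule file whose name lacks the `.conf` suffix is never loaded at all.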

To read the spec document, visit: spec document URL