1 files changed, 86 insertions, 0 deletions

diff --git a/web-gui/login/dbus-session.conf.in b/web-gui/login/dbus-session.conf.in
new file mode 100644
index 0000000..447378c
--- /dev/null
+++ b/web-gui/login/dbus-session.conf.in
@@ -0,0 +1,86 @@
+<!-- This configuration file controls the per-user-login-session message bus.
+     Add a session-local.conf and edit that rather than changing this
+     file directly. -->
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <!-- Our well-known bus type, don't change this -->
+  <type>session</type>
+
+  <!-- If we fork, keep the user's original umask to avoid affecting
+       the behavior of child processes. -->
+  <keep_umask/>
+
+  <listen>unix:tmpdir=/tmp</listen>
+
+  <standard_session_servicedirs />
+
+  <policy context="default">
+    <!-- Deny everything then punch holes -->
+    <deny send_interface="*"/>
+    <deny receive_interface="*"/>
+    <deny own="*"/>
+    <allow user="@USER_ROLE@"/>
+    <allow user="@ADMIN_ROLE@"/>
+
+    <allow send_destination="org.freedesktop.DBus"/>
+    <allow receive_sender="org.freedesktop.DBus"/>
+    <!-- allow sending valid replies -->
+    <allow send_requested_reply="true" send_type="method_return"/>
+    <allow send_requested_reply="true" send_type="error"/>
+    <!-- allow receiving valid replies -->
+    <allow receive_requested_reply="true"/>
+  </policy>
+  <policy user="@LIGHTTPD_USER@">
+    <allow send_interface="*"/>
+    <allow receive_interface="*"/>
+    <!-- Allow everything to be sent -->
+    <allow send_destination="*" eavesdrop="true"/>
+    <!-- Allow everything to be received -->
+    <allow eavesdrop="true"/>
+    <!-- Allow anyone to own anything -->
+    <allow own="*"/>
+  </policy>
+
+  <policy user="@USER_ROLE@">
+    <allow send_interface="com.pengutronix.jdb.Hello" send_member="HelloUser" />
+    <deny send_interface="com.pengutronix.jdb.Hello" send_member="HelloAdmin" />
+    <allow send_interface="com.pengutronix.jdb.Hello" send_member="HelloWorld" />
+  </policy>
+  <policy user="@ADMIN_ROLE@">
+    <deny send_interface="com.pengutronix.jdb.Hello" send_member="HelloUser" />
+    <allow send_interface="com.pengutronix.jdb.Hello" send_member="HelloAdmin" />
+    <allow send_interface="com.pengutronix.jdb.Hello" send_member="HelloWorld" />
+  </policy>
+
+  <!-- This is included last so local configuration can override what's
+       in this standard file -->
+  <include ignore_missing="yes">session-local.conf</include>
+
+  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
+
+  <!-- For the session bus, override the default relatively-low limits
+       with essentially infinite limits, since the bus is just running
+       as the user anyway, using up bus resources is not something we need
+       to worry about. In some cases, we do set the limits lower than
+       "all available memory" if exceeding the limit is almost certainly a bug,
+       having the bus enforce a limit is nicer than a huge memory leak. But the
+       intent is that these limits should never be hit. -->
+
+  <!-- the memory limits are 1G instead of say 4G because they can't exceed 32-bit signed int max -->
+  <limit name="max_incoming_bytes">1000000000</limit>
+  <limit name="max_outgoing_bytes">1000000000</limit>
+  <limit name="max_message_size">1000000000</limit>
+  <limit name="service_start_timeout">120000</limit>
+  <limit name="auth_timeout">240000</limit>
+  <limit name="max_completed_connections">100000</limit>
+  <limit name="max_incomplete_connections">10000</limit>
+  <limit name="max_connections_per_user">100000</limit>
+  <limit name="max_pending_service_starts">10000</limit>
+  <limit name="max_names_per_connection">50000</limit>
+  <limit name="max_match_rules_per_connection">50000</limit>
+  <limit name="max_replies_per_connection">50000</limit>
+  <limit name="reply_timeout">300000</limit>
+
+</busconfig>