blob: 447378c901d1e6ab5025a42651b5fdf21a32173d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
<!-- This configuration file controls the per-user-login-session message bus.
Add a session-local.conf and edit that rather than changing this
file directly. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<!-- Our well-known bus type, don't change this -->
<type>session</type>
<!-- If we fork, keep the user's original umask to avoid affecting
the behavior of child processes. -->
<keep_umask/>
<listen>unix:tmpdir=/tmp</listen>
<standard_session_servicedirs />
<policy context="default">
<!-- Deny everything then punch holes -->
<deny send_interface="*"/>
<deny receive_interface="*"/>
<deny own="*"/>
<allow user="@USER_ROLE@"/>
<allow user="@ADMIN_ROLE@"/>
<allow send_destination="org.freedesktop.DBus"/>
<allow receive_sender="org.freedesktop.DBus"/>
<!-- allow sending valid replies -->
<allow send_requested_reply="true" send_type="method_return"/>
<allow send_requested_reply="true" send_type="error"/>
<!-- allow receiving valid replies -->
<allow receive_requested_reply="true"/>
</policy>
<policy user="@LIGHTTPD_USER@">
<allow send_interface="*"/>
<allow receive_interface="*"/>
<!-- Allow everything to be sent -->
<allow send_destination="*" eavesdrop="true"/>
<!-- Allow everything to be received -->
<allow eavesdrop="true"/>
<!-- Allow anyone to own anything -->
<allow own="*"/>
</policy>
<policy user="@USER_ROLE@">
<allow send_interface="com.pengutronix.jdb.Hello" send_member="HelloUser" />
<deny send_interface="com.pengutronix.jdb.Hello" send_member="HelloAdmin" />
<allow send_interface="com.pengutronix.jdb.Hello" send_member="HelloWorld" />
</policy>
<policy user="@ADMIN_ROLE@">
<deny send_interface="com.pengutronix.jdb.Hello" send_member="HelloUser" />
<allow send_interface="com.pengutronix.jdb.Hello" send_member="HelloAdmin" />
<allow send_interface="com.pengutronix.jdb.Hello" send_member="HelloWorld" />
</policy>
<!-- This is included last so local configuration can override what's
in this standard file -->
<include ignore_missing="yes">session-local.conf</include>
<include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
<!-- For the session bus, override the default relatively-low limits
with essentially infinite limits, since the bus is just running
as the user anyway, using up bus resources is not something we need
to worry about. In some cases, we do set the limits lower than
"all available memory" if exceeding the limit is almost certainly a bug,
having the bus enforce a limit is nicer than a huge memory leak. But the
intent is that these limits should never be hit. -->
<!-- the memory limits are 1G instead of say 4G because they can't exceed 32-bit signed int max -->
<limit name="max_incoming_bytes">1000000000</limit>
<limit name="max_outgoing_bytes">1000000000</limit>
<limit name="max_message_size">1000000000</limit>
<limit name="service_start_timeout">120000</limit>
<limit name="auth_timeout">240000</limit>
<limit name="max_completed_connections">100000</limit>
<limit name="max_incomplete_connections">10000</limit>
<limit name="max_connections_per_user">100000</limit>
<limit name="max_pending_service_starts">10000</limit>
<limit name="max_names_per_connection">50000</limit>
<limit name="max_match_rules_per_connection">50000</limit>
<limit name="max_replies_per_connection">50000</limit>
<limit name="reply_timeout">300000</limit>
</busconfig>
|
