
D-Bus Configuration Notes (4)

Every dbus daemon has a configuration file that specifies what type of dbus daemon to create (for example a system or a session bus). The configuration file also carries some resource limits, security-related parameter settings and so on.


1. The dbus daemon configuration file

The options in the session configuration file on my system are listed below.

Path: /etc/dbus-1/session.conf

The configuration file is in XML format.

[email protected]:/etc/dbus-1$ cat session.conf 
<!-- This configuration file controls the per-user-login-session message bus.
     Add a session-local.conf and edit that rather than changing this 
     file directly. -->
 
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>                             // root element
  <!-- Our well-known bus type, don't change this -->
  <type>session</type>                  // type of this dbus daemon bus (session or system)
 
  <!-- If we fork, keep the user's original umask to avoid affecting
       the behavior of child processes. -->
  <keep_umask/>                         // if --fork or <fork> is set, the child process keeps the parent's umask
 
  <listen>unix:tmpdir=/tmp</listen>     // listen address; same function as the --address command-line option
 
  <standard_session_servicedirs />      // standard dbus service directories, i.e. services started on demand;
                                        // add them in this directory, which on Linux is /usr/share/dbus-1/service
  <policy context="default">            // global policy settings
    <allow own="*"/>                    // allow owning any name
    <!-- Allow everything to be sent -->   
    <allow send_destination="*" eavesdrop="true"/>   // sending
    <!-- Allow everything to be received -->        
    <allow eavesdrop="true"/>                        // receiving
    <!-- Allow anyone to own anything -->
    <allow own="*"/>
    
    // I added the next four rules by hand; they are not important, just there to illustrate the configuration:
    // allow every message type. D-Bus has exactly these four message types.
    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>
  </policy>
 
 
  <!-- raise the service start timeout to 40 seconds as it can timeout
       on the live cd on slow machines -->
  <limit name="service_start_timeout">60000</limit>
 
 
  <!-- Config files are placed here that among other things, 
       further restrict the above policy for specific services. -->
  <includedir>session.d</includedir>    // this directory exists for adding configuration; you can add it directly in session.conf,
                                        // or, better, add files under this directory so they can be managed modularly;
                                        // added files must end in .conf, otherwise they are not recognized
  <!-- This is included last so local configuration can override what's 
       in this standard file -->
  <include ignore_missing="yes">session-local.conf</include> // local session configuration file; if it is missing it is skipped without an error
                                                              // with ignore_missing="no", a missing file raises an error

  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include> // security-related (SELinux) configuration, similar to a firewall


  <!-- For the session bus, override the default relatively-low limits 
       with essentially infinite limits, since the bus is just running 
       as the user anyway, using up bus resources is not something we need 
       to worry about. In some cases, we do set the limits lower than 
       "all available memory" if exceeding the limit is almost certainly a bug, 
       having the bus enforce a limit is nicer than a huge memory leak. But the 
       intent is that these limits should never be hit. -->

    // the following are resource limits
  <!-- the memory limits are 1G instead of say 4G because they can't exceed 32-bit signed int max -->
  <limit name="max_incoming_bytes">1000000000</limit>
  <limit name="max_incoming_unix_fds">250000000</limit>
  <limit name="max_outgoing_bytes">1000000000</limit>
  <limit name="max_outgoing_unix_fds">250000000</limit>
  <limit name="max_message_size">1000000000</limit>
  <!-- We do not override max_message_unix_fds here since the in-kernel
       limit is also relatively low -->
  <limit name="service_start_timeout">120000</limit>  
  <limit name="auth_timeout">240000</limit>
  <limit name="pending_fd_timeout">150000</limit>
  <limit name="max_completed_connections">100000</limit>  
  <limit name="max_incomplete_connections">10000</limit>
  <limit name="max_connections_per_user">100000</limit>
  <limit name="max_pending_service_starts">10000</limit>
  <limit name="max_names_per_connection">50000</limit>
  <limit name="max_match_rules_per_connection">50000</limit>
  <limit name="max_replies_per_connection">50000</limit>
</busconfig>

Below, some of the rules are tested by example.
Prerequisites: 1. dbus is installed on your machine (usually nothing needs installing, since the system and the UI already need D-Bus to talk to each other)

               2. Copy the code from the DBus example post and compile it
(it is best to read through the source first to see what it does; that makes the test easier to follow)
 

1. Compiling the source:

[email protected]:~/document/comb$ gcc service.c -ldbus-1 -I/usr/include/dbus-1.0 -o service
[email protected]:~/document/comb$ 
[email protected]:~/document/comb$ gcc client.c -ldbus-1 -I/usr/include/dbus-1.0 -o client
[email protected]:~/document/comb$ ls
client  client.c  service  service.c
[email protected]:~/document/comb$ 

2. Starting a Dbus daemon by hand

[email protected]:~/document/comb$ dbus-daemon --session --print-address --fork --print-pid
unix:abstract=/tmp/dbus-CSy0dphkTM,guid=24e009e82bece7928f58cc4b5b39c4f6
2900
[email protected]:~/document/comb$ 

3. The key step: export the listen address (why? because when dbus_bus_get() obtains a connection it looks up this environment variable to find the listen address)

[email protected]:~/document/comb$ export  DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-CSy0dphkTM,guid=24e009e82bece7928f58cc4b5b39c4f6
[email protected]:~/document/comb$ 

4. Run and check the results

[email protected]:~/document/comb$ ./service &        // run in the background as the server side
[1] 2903
[email protected]:~/document/comb$ path: /org/freedesktop/DBus
path: /org/freedesktop/DBus
 
[email protected]:~/document/comb$ ./client        // run in the foreground as the requesting side; the client does two things:
path: /org/freedesktop/DBus                // 1. emit a signal to path=/hello interface=aa.bb.cc signal=alarm_test carrying the payload "hello world!"
path: /org/freedesktop/DBus                // 2. call add on bus name=hello.world.service path=/hello/world interface=hello.world method=add
path: /hello                               // ? why does the signal not specify a bus name? Because a signal is a broadcast; there is also an API to set a destination bus name, which turns it into a unicast.
recv param --: hello world!
path: /hello/world
service: add  function
 a(100) + b(99) = 199
[email protected]:~/document/comb$

5. Adding a security policy that denies sending to a particular destination bus name

Edit /etc/dbus-1/session.conf:

   Add <deny send_destination="hello.world.service"/> on the line above </policy>; this denies sending messages to hello.world.service. (Rules in a policy are matched in order and the last matching rule wins, so the deny has to come after the allow rules above it.)

Send SIGHUP to dbus-daemon so that it reloads its configuration; this was covered in the post on starting the DBus daemon.

Since sending messages to hello.world.service is denied here, both the signal and the method call will fail.

[email protected]:~/document/comb$ kill -1 2900
[email protected]:~/document/comb$ ps
  PID TTY          TIME CMD
 2305 pts/0    00:00:00 bash
 2965 pts/0    00:00:00 service
 2979 pts/0    00:00:00 ps
[email protected]:~/document/comb$ ./client
paramter type error
 a(100) + b(99) = 159115060
[email protected]:~/document/comb$
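Why the deny has to sit on the line above `</policy>`, and why it blocks the broadcast signal as well as the method call, as an added example that is not part of the original post: a small Python model of the default-policy send rules, following the dbus-daemon(1) description (rules are applied in file order, the last match wins, and a named send_destination matches the connection that owns that name). The XML fragment and bus names are constructed from the session.conf above; the model is a deliberate simplification, not dbus-daemon's own code.

```python
# Added example (not dbus-daemon code): a simplified model of how the default
# policy's send rules are applied, following dbus-daemon(1): rules are tried in
# file order and the LAST match wins; no match means deny; send_destination="*"
# matches every message; a named send_destination matches when the proposed
# recipient OWNS that bus name, so a broadcast signal delivered to the owner of
# hello.world.service is denied as well. Receive rules and other contexts are left out.
import xml.etree.ElementTree as ET

def parse_send_rules(conf_xml):
    # (is_allow, attributes) for each default-policy rule carrying a send_* attribute
    rules = []
    for policy in ET.fromstring(conf_xml).findall("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy:
            if rule.tag in ("allow", "deny") and any(k.startswith("send_") for k in rule.attrib):
                rules.append((rule.tag == "allow", dict(rule.attrib)))
    return rules

def rule_matches(attrs, msg_type, interface, recipient_names):
    dest = attrs.get("send_destination")
    if dest not in (None, "*") and dest not in recipient_names:
        return False
    if attrs.get("send_type", msg_type) != msg_type:
        return False
    return attrs.get("send_interface", interface) == interface

def can_send(conf_xml, msg_type, interface, recipient_names):
    verdict = False  # nothing matched: denied by default
    for is_allow, attrs in parse_send_rules(conf_xml):
        if rule_matches(attrs, msg_type, interface, recipient_names):
            verdict = is_allow
    return verdict

# Constructed cut-down copy of the session.conf policy above, with two slots so
# the deny rule can be placed either at the top or just above </policy>.
BASE = """<busconfig><policy context="default">{first}
  <allow own="*"/>
  <allow send_destination="*" eavesdrop="true"/>
  <allow eavesdrop="true"/>{last}
</policy></busconfig>"""
DENY = '<deny send_destination="hello.world.service"/>'
SERVICE = {"hello.world.service"}  # names owned by the ./service connection

def variant(first="", last=""):
    return BASE.format(first=first, last=last)

if __name__ == "__main__":
    for label, conf in (("original", variant()), ("deny above </policy>", variant(last=DENY)),
                        ("deny at top of policy", variant(first=DENY))):
        print(f"{label:22s} method_call -> {can_send(conf, 'method_call', 'hello.world', SERVICE)}"
              f"   broadcast signal -> {can_send(conf, 'signal', 'aa.bb.cc', SERVICE)}")
```

With the deny placed first, the later `send_destination="*"` allow matches again and re-permits the call, which is the case the model makes visible.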

To read the specification, visit the spec document link.