authorTopi Miettinen <toiwoton@gmail.com>2019-03-23 22:18:11 +0200
committerTopi Miettinen <toiwoton@gmail.com>2019-03-25 21:51:33 +0200
commit94b5b236aa0743bacb2139c62d5a6e0143845634 (patch)
treee831a75a07afd47bc9fcfb140595de56c193e431 /bus
parentdf9cb47c3aa28a385bd6254b80f1e55c66321071 (diff)
downloaddbus-94b5b236aa0743bacb2139c62d5a6e0143845634.tar.gz
Configure option to disable traditional activation
Traditional activation could be disabled if all services use SystemdService activation instead. Provide an example of a hardened DBus systemd service drop-in file for such a setup. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'bus')
-rw-r--r--bus/Makefile.am10
-rw-r--r--bus/activation.c41
-rw-r--r--bus/dispatch.c22
-rw-r--r--bus/example-system-hardening-without-traditional-activation.conf31
4 files changed, 93 insertions, 11 deletions
diff --git a/bus/Makefile.am b/bus/Makefile.am
index 0adc0c89..1595432c 100644
--- a/bus/Makefile.am
+++ b/bus/Makefile.am
@@ -67,6 +67,10 @@ examples_DATA = \
example-session-disable-stats.conf \
$(NULL)
+dist_examples_DATA = \
+ example-system-hardening-without-traditional-activation.conf \
+ $(NULL)
+
if DBUS_ENABLE_LAUNCHD
agentdir=$(LAUNCHD_AGENT_DIR)
agent_DATA=org.freedesktop.dbus-session.plist
@@ -171,8 +175,10 @@ liblaunch_helper_internal_la_LIBADD = \
noinst_PROGRAMS =
dbus_daemon_exec_PROGRAMS = dbus-daemon
if DBUS_UNIX
+if ENABLE_TRADITIONAL_ACTIVATION
noinst_LTLIBRARIES += liblaunch-helper-internal.la
libexec_PROGRAMS = dbus-daemon-launch-helper
+endif ENABLE_TRADITIONAL_ACTIVATION
endif DBUS_UNIX
install-data-hook:
@@ -199,6 +205,7 @@ if DBUS_ENABLE_USER_SESSION
endif
if DBUS_UNIX
+if ENABLE_TRADITIONAL_ACTIVATION
install-exec-hook:
if test `id -u` -eq 0; then \
chown root:$(DBUS_USER) $(DESTDIR)$(libexecdir)/dbus-daemon-launch-helper$(EXEEXT); \
@@ -207,7 +214,8 @@ install-exec-hook:
echo "Not installing $(DESTDIR)$(libexecdir)/dbus-daemon-launch-helper binary setuid!"; \
echo "You'll need to manually set permissions to root:$(DBUS_USER) and permissions 4750"; \
fi
-endif
+endif ENABLE_TRADITIONAL_ACTIVATION
+endif DBUS_UNIX
EXTRA_DIST += \
dbus.service.in \
diff --git a/bus/activation.c b/bus/activation.c
index 30950636..19ac869a 100644
--- a/bus/activation.c
+++ b/bus/activation.c
@@ -36,7 +36,9 @@
#include <dbus/dbus-hash.h>
#include <dbus/dbus-list.h>
#include <dbus/dbus-shell.h>
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
#include <dbus/dbus-spawn.h>
+#endif
#include <dbus/dbus-timeout.h>
#include <dbus/dbus-sysdeps.h>
#include <dbus/dbus-test-tap.h>
@@ -106,7 +108,9 @@ typedef struct
char *systemd_service;
DBusList *entries;
int n_entries;
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
DBusBabysitter *babysitter;
+#endif
DBusTimeout *timeout;
unsigned int timeout_added : 1;
} BusPendingActivation;
@@ -187,6 +191,7 @@ bus_pending_activation_unref (BusPendingActivation *pending_activation)
if (pending_activation->timeout)
_dbus_timeout_unref (pending_activation->timeout);
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
if (pending_activation->babysitter)
{
if (!_dbus_babysitter_set_watch_functions (pending_activation->babysitter,
@@ -197,6 +202,7 @@ bus_pending_activation_unref (BusPendingActivation *pending_activation)
_dbus_babysitter_unref (pending_activation->babysitter);
}
+#endif
dbus_free (pending_activation->service_name);
dbus_free (pending_activation->exec);
@@ -1068,6 +1074,7 @@ bus_activation_unref (BusActivation *activation)
dbus_free (activation);
}
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
static dbus_bool_t
add_bus_environment (BusActivation *activation,
DBusError *error)
@@ -1108,6 +1115,7 @@ add_bus_environment (BusActivation *activation,
return TRUE;
}
+#endif
typedef struct
{
@@ -1387,6 +1395,7 @@ pending_activation_failed (BusPendingActivation *pending_activation,
pending_activation->service_name);
}
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/**
* Depending on the exit code of the helper, set the error accordingly
*/
@@ -1557,6 +1566,7 @@ toggle_babysitter_watch (DBusWatch *watch,
_dbus_loop_toggle_watch (bus_context_get_loop (pending_activation->activation->context),
watch);
}
+#endif
static dbus_bool_t
pending_activation_timed_out (void *data)
@@ -1569,12 +1579,14 @@ pending_activation_timed_out (void *data)
context = pending_activation->activation->context;
timeout = bus_context_get_activation_timeout (context);
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/* Kill the spawned process, since it sucks
* (not sure this is what we want to do, but
* may as well try it for now)
*/
if (pending_activation->babysitter)
_dbus_babysitter_kill_child (pending_activation->babysitter);
+#endif
dbus_error_init (&error);
@@ -1599,8 +1611,10 @@ cancel_pending (void *data)
_dbus_verbose ("Canceling pending activation of %s\n",
pending_activation->service_name);
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
if (pending_activation->babysitter)
_dbus_babysitter_kill_child (pending_activation->babysitter);
+#endif
_dbus_hash_table_remove_string (pending_activation->activation->pending_activations,
pending_activation->service_name);
@@ -1696,11 +1710,13 @@ activation_find_entry (BusActivation *activation,
return entry;
}
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
static char **
bus_activation_get_environment (BusActivation *activation)
{
return _dbus_hash_table_to_array (activation->environment, '=');
}
+#endif
dbus_bool_t
bus_activation_set_environment_variable (BusActivation *activation,
@@ -1741,6 +1757,7 @@ out:
return retval;
}
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
static void
child_setup (void *user_data)
{
@@ -1764,6 +1781,7 @@ child_setup (void *user_data)
}
#endif
}
+#endif
/*
@@ -1790,21 +1808,23 @@ bus_activation_activate_service (BusActivation *activation,
const char *service_name,
DBusError *error)
{
- DBusError tmp_error;
BusActivationEntry *entry;
BusPendingActivation *pending_activation;
BusPendingActivationEntry *pending_activation_entry;
DBusMessage *message;
DBusString service_str;
- const char *servicehelper;
- char **argv;
- char **envp = NULL;
- int argc;
dbus_bool_t retval;
dbus_bool_t was_pending_activation;
- DBusString command;
int limit;
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
+ DBusError tmp_error;
+ DBusString command;
+ char **argv;
+ char **envp = NULL;
+ int argc;
+ const char *servicehelper;
DBusSpawnFlags flags = DBUS_SPAWN_NONE;
+#endif
_dbus_assert (activation != NULL);
_dbus_assert (transaction != NULL);
@@ -2174,6 +2194,7 @@ bus_activation_activate_service (BusActivation *activation,
proceed with traditional activation. */
}
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/* If entry was NULL, it would be because we were doing systemd activation
* and activating systemd itself; but we already handled that case with
* an early-return */
@@ -2323,7 +2344,13 @@ bus_activation_activate_service (BusActivation *activation,
}
return TRUE;
-
+#else /* !TRADITIONAL_ACTIVATION */
+ bus_context_log (activation->context,
+ DBUS_SYSTEM_LOG_INFO, "Cannot activate service name='%s' requested by '%s' (%s): SystemdService not configured and dbus was compiled with --disable-traditional-activation",
+ service_name,
+ bus_connection_get_name (connection),
+ bus_connection_get_loginfo (connection));
+#endif
cancel_pending_activation:
_DBUS_ASSERT_ERROR_IS_SET (error);
_dbus_hash_table_remove_string (activation->pending_activations,
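Review bot: The new `#else /* !TRADITIONAL_ACTIVATION */` branch logs the refused activation but never sets `error` before falling through to `cancel_pending_activation:`, whose first statement is `_DBUS_ASSERT_ERROR_IS_SET (error)`; unless `error` was already set earlier in bus_activation_activate_service (the function starts outside this hunk), an assertion-enabled build aborts there and a release build presumably returns failure with no error for the caller to turn into a reply. Adding `dbus_set_error (error, DBUS_ERROR_SPAWN_FAILED, "Cannot activate service name='%s': traditional activation is disabled", service_name);` directly after the `bus_context_log` call keeps the function's error contract in the disabled configuration. Since the daemon is refusing a request it would otherwise have served, `DBUS_SYSTEM_LOG_WARNING` also seems a better fit than `DBUS_SYSTEM_LOG_INFO` for that log line.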
diff --git a/bus/dispatch.c b/bus/dispatch.c
index e91a8255..c3019b1e 100644
--- a/bus/dispatch.c
+++ b/bus/dispatch.c
@@ -639,6 +639,7 @@ pop_message_waiting_for_memory (DBusConnection *connection)
return dbus_connection_pop_message (connection);
}
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
static DBusMessage*
borrow_message_waiting_for_memory (DBusConnection *connection)
{
@@ -648,6 +649,7 @@ borrow_message_waiting_for_memory (DBusConnection *connection)
return dbus_connection_borrow_message (connection);
}
+#endif
static void
warn_unexpected_real (DBusConnection *connection,
@@ -1156,6 +1158,7 @@ check_hello_message (BusContext *context,
return retval;
}
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/* returns TRUE if the correct thing happens,
* but the correct thing may include OOM errors.
*/
@@ -1552,6 +1555,7 @@ check_get_connection_unix_process_id (BusContext *context,
return retval;
}
+#endif
/* returns TRUE if the correct thing happens,
* but the correct thing may include OOM errors.
@@ -1685,7 +1689,7 @@ check_add_match (BusContext *context,
return retval;
}
-#ifdef DBUS_ENABLE_STATS
+#if defined(ENABLE_TRADITIONAL_ACTIVATION) && defined(DBUS_ENABLE_STATS)
/* returns TRUE if the correct thing happens,
* but the correct thing may include OOM errors.
*/
@@ -1863,6 +1867,7 @@ check_hello_connection (BusContext *context,
#define NONEXISTENT_SERVICE_NAME "test.this.service.does.not.exist.ewuoiurjdfxcvn"
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/* returns TRUE if the correct thing happens,
* but the correct thing may include OOM errors.
*/
@@ -3190,10 +3195,12 @@ check_segfault_service_auto_start (BusContext *context,
return retval;
}
+#endif
#define TEST_ECHO_MESSAGE "Test echo message"
#define TEST_RUN_HELLO_FROM_SELF_MESSAGE "Test sending message to self"
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/* returns TRUE if the correct thing happens,
* but the correct thing may include OOM errors.
*/
@@ -3708,8 +3715,9 @@ check_launch_service_file_missing (BusContext *context,
return retval;
}
+#endif
-#ifndef DBUS_WIN
+#if defined(ENABLE_TRADITIONAL_ACTIVATION) && !defined(DBUS_WIN)
#define SERVICE_USER_MISSING_NAME "org.freedesktop.DBus.TestSuiteNoUser"
@@ -4018,6 +4026,7 @@ check_launch_service_service_missing (BusContext *context,
#define SHELL_FAIL_SERVICE_NAME "org.freedesktop.DBus.TestSuiteShellEchoServiceFail"
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/* returns TRUE if the correct thing happens,
* but the correct thing may include OOM errors.
*/
@@ -4701,6 +4710,7 @@ check_list_services (BusContext *context,
return retval;
}
+#endif
typedef struct
{
@@ -4751,6 +4761,7 @@ check2_try_iterations (BusContext *context,
_dbus_test_fatal ("%s failed during oom", description);
}
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
static dbus_bool_t
setenv_TEST_LAUNCH_HELPER_CONFIG(const DBusString *test_data_dir,
const char *filename)
@@ -4912,6 +4923,7 @@ bus_dispatch_test_conf (const DBusString *test_data_dir,
check_shell_fail_service_auto_start);
_dbus_test_ok ("%s:%s - check_shell_fail_service_auto_start", _DBUS_FUNCTION_NAME, filename);
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/* specific to launcher */
if (use_launcher)
{
@@ -4920,6 +4932,7 @@ bus_dispatch_test_conf (const DBusString *test_data_dir,
_dbus_test_ok ("%s:%s - check_launch_service_file_missing", _DBUS_FUNCTION_NAME, filename);
}
+#endif
#if 0
/* Note: need to resolve some issues with the testing code in order to run
@@ -4955,8 +4968,9 @@ bus_dispatch_test_conf (const DBusString *test_data_dir,
_dbus_test_ok ("%s:%s", _DBUS_FUNCTION_NAME, filename);
return TRUE;
}
+#endif
-#ifndef DBUS_WIN
+#if defined(ENABLE_TRADITIONAL_ACTIVATION) && !defined(DBUS_WIN)
static dbus_bool_t
bus_dispatch_test_conf_fail (const DBusString *test_data_dir,
const char *filename)
@@ -5029,6 +5043,7 @@ bus_dispatch_test (const char *test_data_dir_cstr)
_dbus_string_init_const (&test_data_dir, test_data_dir_cstr);
+#ifdef ENABLE_TRADITIONAL_ACTIVATION
/* run normal activation tests */
_dbus_verbose ("Normal activation tests\n");
if (!bus_dispatch_test_conf (&test_data_dir,
@@ -5047,6 +5062,7 @@ bus_dispatch_test (const char *test_data_dir_cstr)
"valid-config-files-system/debug-allow-all-fail.conf"))
return FALSE;
#endif
+#endif
return TRUE;
}
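Review bot: Guarding the whole body of bus_dispatch_test with `#ifdef ENABLE_TRADITIONAL_ACTIVATION` makes it return TRUE without running anything when traditional activation is disabled, so the systemd-only activation path this configuration depends on gets no dispatch-level test coverage at all; the same guard is placed around bus_dispatch_test_conf in the earlier hunks of this file. In that configuration the helpers left outside the guards (check_hello_message and check_add_match end at the visible `return retval;` lines and are not wrapped) become unused static functions, which `-Wunused-function` will report if bus_dispatch_test_conf was their only caller. A narrower guard around just the launcher-specific checks, with bus_dispatch_test_conf still running check_hello_message and check_add_match against a systemd-activation config, would keep the disabled build both warning-free and tested.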
diff --git a/bus/example-system-hardening-without-traditional-activation.conf b/bus/example-system-hardening-without-traditional-activation.conf
new file mode 100644
index 00000000..2665c9a8
--- /dev/null
+++ b/bus/example-system-hardening-without-traditional-activation.conf
@@ -0,0 +1,31 @@
+# Example drop-in file (dbus.service.d/override.conf) for systemd
+# service. This version has many hardening options enabled and thus
+# it is only suitable for cases where only systemd activation is used
+# or traditional activation disabled by compiling dbus with
+# --disable-traditional-activation.
+
+[Service]
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_RESOURCE CAP_AUDIT_WRITE
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/urandom r
+DevicePolicy=strict
+IPAddressDeny=any
+LimitMEMLOCK=0
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadOnlyPaths=-/
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap memfd_create mincore mlock mlockall personality
+UMask=0077
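Review bot: The header comment says this drop-in is only suitable without traditional activation but not why, which is what an administrator copying it needs to know: `NoNewPrivileges=yes` together with the reduced `CapabilityBoundingSet=` stops the setuid dbus-daemon-launch-helper (installed root:$(DBUS_USER) mode 4750 by the Makefile.am hook in this commit) from gaining privileges, so every traditionally activated service would fail to start. I would add a line such as `# NoNewPrivileges= and CapabilityBoundingSet= prevent the setuid dbus-daemon-launch-helper from working, so traditionally activated services would fail.` to the header. It is also worth stating that `RestrictAddressFamilies=AF_UNIX` and `IPAddressDeny=any` assume the system bus listens only on a unix socket; a local system.conf with a TCP `<listen>` address would break under these settings.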