1DBUS-DAEMON(1) User Commands DBUS-DAEMON(1)
2
3
4
6 dbus-daemon - Message bus daemon
7
9 dbus-daemon
10
11 dbus-daemon [--version] [--session] [--system] [--config-file=FILE]
12 [--print-address [=DESCRIPTOR]] [--print-pid [=DESCRIPTOR]]
13 [--fork] [--nosyslog] [--syslog] [--syslog-only]
14
15
17 dbus-daemon is the D-Bus message bus daemon. See
18 http://www.freedesktop.org/software/dbus/ for more information about
19 the big picture. D-Bus is first a library that provides one-to-one
20 communication between any two applications; dbus-daemon is an
21 application that uses this library to implement a message bus daemon.
22 Multiple programs connect to the message bus daemon and can exchange
23 messages with one another.
24
25 There are two standard message bus instances: the systemwide message
26 bus (installed on many systems as the "messagebus" init service) and
27 the per-user-login-session message bus (started each time a user logs
28 in). dbus-daemon is used for both of these instances, but with a
29 different configuration file.
30
31 The --session option is equivalent to
32 "--config-file=/usr/share/dbus-1/session.conf" and the --system option
33 is equivalent to "--config-file=/usr/share/dbus-1/system.conf". By
34 creating additional configuration files and using the --config-file
35 option, additional special-purpose message bus daemons could be
36 created.
37
38 The systemwide daemon is normally launched by an init script,
39 standardly called simply "messagebus".
40
41 The systemwide daemon is largely used for broadcasting system events,
42 such as changes to the printer queue, or adding/removing devices.
43
44 The per-session daemon is used for various interprocess communication
45 among desktop applications (however, it is not tied to X or the GUI in
46 any way).
47
48 SIGHUP will cause the D-Bus daemon to PARTIALLY reload its
49 configuration file and to flush its user/group information caches. Some
50 configuration changes would require kicking all apps off the bus; so
51 they will only take effect if you restart the daemon. Policy changes
52 should take effect with SIGHUP.
53
55 The following options are supported:
56
57 --config-file=FILE
58 Use the given configuration file.
59
60 --fork
61 Force the message bus to fork and become a daemon, even if the
62 configuration file does not specify that it should. In most
63 contexts the configuration file already gets this right, though.
64 This option is not supported on Windows.
65
66 --nofork
67 Force the message bus not to fork and become a daemon, even if the
68 configuration file specifies that it should. On Windows, the
69 dbus-daemon never forks, so this option is allowed but does
70 nothing.
71
72 --print-address[=DESCRIPTOR]
73 Print the address of the message bus to standard output, or to the
74 given file descriptor. This is used by programs that launch the
75 message bus.
76
77 --print-pid[=DESCRIPTOR]
78 Print the process ID of the message bus to standard output, or to
79 the given file descriptor. This is used by programs that launch the
80 message bus.
81
82 --session
83 Use the standard configuration file for the per-login-session
84 message bus.
85
86 --system
87 Use the standard configuration file for the systemwide message bus.
88
89 --version
90 Print the version of the daemon.
91
92 --introspect
93 Print the introspection information for all D-Bus internal
94 interfaces.
95
96 --address[=ADDRESS]
97 Set the address to listen on. This option overrides the address
98 configured in the configuration file via the <listen> directive.
99 See the documentation of that directive for more details.
100
101 --systemd-activation
102 Enable systemd-style service activation. Only useful in conjunction
103 with the systemd system and session manager on Linux.
104
105 --nopidfile
106 Don't write a PID file even if one is configured in the
107 configuration files.
108
109 --syslog
110 Force the message bus to use the system log for messages, in
111 addition to writing to standard error, even if the configuration
112 file does not specify that it should. On Unix, this uses the
113 syslog; on Windows, this uses OutputDebugString().
114
115 --syslog-only
116 Force the message bus to use the system log for messages, and not
117 duplicate them to standard error. On Unix, this uses the syslog; on
118 Windows, this uses OutputDebugString().
119
120 --nosyslog
121 Force the message bus to use only standard error for messages, even
122 if the configuration file specifies that it should use the system
123 log.
124
126 A message bus daemon has a configuration file that specializes it for a
127 particular application. For example, one configuration file might set
128 up the message bus to be a systemwide message bus, while another might
129 set it up to be a per-user-login-session bus.
130
131 The configuration file also establishes resource limits, security
132 parameters, and so forth.
133
134 The configuration file is not part of any interoperability
135 specification and its backward compatibility is not guaranteed; this
136 document is documentation, not specification.
137
138 The standard systemwide and per-session message bus setups are
139 configured in the files "/usr/share/dbus-1/system.conf" and
140 "/usr/share/dbus-1/session.conf". These files normally <include> a
141 system-local.conf or session-local.conf in /etc/dbus-1; you can put
142 local overrides in those files to avoid modifying the primary
143 configuration files.
144
145 The configuration file is an XML document. It must have the following
146 doctype declaration:
147
148
149 <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
150 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
151
152
153 The following elements may be present in the configuration file.
154
155 • <busconfig>
156
157 Root element.
158
159 • <type>
160
161 The well-known type of the message bus. Currently known values are
162 "system" and "session"; if other values are set, they should be either
163 added to the D-Bus specification, or namespaced. The last <type>
164 element "wins" (previous values are ignored). This element only
165 controls which message bus specific environment variables are set in
166 activated clients. Most of the policy that distinguishes a session bus
167 from the system bus is controlled from the other elements in the
168 configuration file.
169
170 If the well-known type of the message bus is "session", then the
171 DBUS_STARTER_BUS_TYPE environment variable will be set to "session" and
172 the DBUS_SESSION_BUS_ADDRESS environment variable will be set to the
173 address of the session bus. Likewise, if the type of the message bus is
174 "system", then the DBUS_STARTER_BUS_TYPE environment variable will be
175 set to "system" and the DBUS_SYSTEM_BUS_ADDRESS environment variable
176 will be set to the address of the system bus (which is normally well
177 known anyway).
178
179 Example: <type>session</type>
180
181 • <include>
182
183 Include a file <include>filename.conf</include> at this point. If the
184 filename is relative, it is located relative to the configuration file
185 doing the including.
186
187 <include> has an optional attribute "ignore_missing=(yes|no)" which
188 defaults to "no" if not provided. This attribute controls whether it's
189 a fatal error for the included file to be absent.
190
191 • <includedir>
192
193 Include all files in <includedir>foo.d</includedir> at this point.
194 Files in the directory are included in undefined order. Only files
195 ending in ".conf" are included.
196
197 This is intended to allow extension of the system bus by particular
198 packages. For example, if CUPS wants to be able to send out
199 notification of printer queue changes, it could install a file to
200 /usr/share/dbus-1/system.d or /etc/dbus-1/system.d that allowed all
201 apps to receive this message and allowed the printer daemon user to
202 send it.
203
204 • <user>
205
206 The user account the daemon should run as, as either a username or a
207 UID. If the daemon cannot change to this UID on startup, it will exit.
208 If this element is not present, the daemon will not change or care
209 about its UID.
210
211 The last <user> entry in the file "wins", the others are ignored.
212
213 The user is changed after the bus has completed initialization. So
214 sockets etc. will be created before changing user, but no data will be
215 read from clients before changing user. This means that sockets and PID
216 files can be created in a location that requires root privileges for
217 writing.
218
219 • <fork>
220
221 If present, the bus daemon becomes a real daemon (forks into the
222 background, etc.). This is generally used rather than the --fork
223 command line option.
224
225 • <keep_umask>
226
227 If present, the bus daemon keeps its original umask when forking. This
228 may be useful to avoid affecting the behavior of child processes.
229
230 • <syslog>
231
232 If present, the bus daemon will log to syslog. The --syslog,
233 --syslog-only and --nosyslog command-line options take precedence over
234 this setting.
235
236 • <pidfile>
237
238 If present, the bus daemon will write its pid to the specified file.
239 The --nopidfile command-line option takes precedence over this setting.
240
241 • <allow_anonymous>
242
243 If present, connections that authenticated using the ANONYMOUS
244 mechanism will be authorized to connect. This option has no practical
245 effect unless the ANONYMOUS mechanism has also been enabled using the
246 <auth> element, described below.
247
248 Using this directive in the configuration of the well-known system bus
249 or the well-known session bus will make that bus insecure and should
250 never be done. Similarly, on custom bus types, using this directive
251 will usually make the custom bus insecure, unless its configuration has
252 been specifically designed to prevent anonymous users from causing
253 damage or escalating privileges.
254
255 • <listen>
256
257 Add an address that the bus should listen on. The address is in the
258 standard D-Bus format that contains a transport name plus possible
259 parameters/options.
260
261 On platforms other than Windows, unix-based transports (unix, systemd,
262 launchd) are the default for both the well-known system bus and the
263 well-known session bus, and are strongly recommended.
264
265 On Windows, unix-based transports are not available, so TCP-based
266 transports must be used. Similar to remote X11, the tcp and nonce-tcp
267 transports have no integrity or confidentiality protection, so they
268 should normally only be used across the local loopback interface, for
269 example using an address like tcp:host=127.0.0.1 or
270 nonce-tcp:host=localhost. In particular, configuring the well-known
271 system bus or the well-known session bus to listen on a non-loopback
272 TCP address is insecure.
273
274 Developers are sometimes tempted to use remote TCP as a debugging tool.
275 However, if this functionality is left enabled in finished products,
276 the result will be dangerously insecure. Instead of using remote TCP,
277 developers should relay connections via Secure Shell or a similar
278 protocol[1].
279
280 Remote TCP connections were historically sometimes used to share a
281 single session bus between login sessions of the same user on different
282 machines within a trusted local area network, in conjunction with
283 unencrypted remote X11, a NFS-shared home directory and NIS (YP)
284 authentication. This is insecure against an attacker on the same LAN
285 and should be considered strongly deprecated; more specifically, it is
286 insecure in the same ways and for the same reasons as unencrypted
287 remote X11 and NFSv2/NFSv3. The D-Bus maintainers recommend using a
288 separate session bus per (user, machine) pair, only accessible from
289 within that machine.
290
291 Example: <listen>unix:path=/tmp/foo</listen>
292
293 Example: <listen>tcp:host=localhost,port=1234</listen>
294
295 If there are multiple <listen> elements, then the bus listens on
296 multiple addresses. The bus will pass its address to started services
297 or other interested parties with the last address given in <listen>
298 first. That is, apps will try to connect to the last <listen> address
299 first.
300
301 tcp sockets can accept IPv4 addresses, IPv6 addresses or hostnames. If
302 a hostname resolves to multiple addresses, the server will bind to all
303 of them. The family=ipv4 or family=ipv6 options can be used to force it
304 to bind to a subset of addresses
305
306 Example: <listen>tcp:host=localhost,port=0,family=ipv4</listen>
307
308 A special case is using a port number of zero (or omitting the port),
309 which means to choose an available port selected by the operating
310 system. The port number chosen can be obtained with the --print-address
311 command line parameter and will be present in other cases where the
312 server reports its own address, such as when DBUS_SESSION_BUS_ADDRESS
313 is set.
314
315 Example: <listen>tcp:host=localhost,port=0</listen>
316
317 tcp/nonce-tcp addresses also allow a bind=hostname option, used in a
318 listenable address to configure the interface on which the server will
319 listen: either the hostname is the IP address of one of the local
320 machine's interfaces (most commonly 127.0.0.1), a DNS name that
321 resolves to one of those IP addresses, '0.0.0.0' to listen on all IPv4
322 interfaces simultaneously, or '::' to listen on all IPv4 and IPv6
323 interfaces simultaneously (if supported by the OS). If not specified,
324 the default is the same value as "host".
325
326 Example: <listen>tcp:host=localhost,bind=0.0.0.0,port=0</listen>
327
328 • <auth>
329
330 Lists permitted authorization mechanisms. If this element doesn't
331 exist, then all known mechanisms are allowed. If there are multiple
332 <auth> elements, all the listed mechanisms are allowed. The order in
333 which mechanisms are listed is not meaningful.
334
335 On non-Windows operating systems, allowing only the EXTERNAL
336 authentication mechanism is strongly recommended. This is the default
337 for the well-known system bus and for the well-known session bus.
338
339 Example: <auth>EXTERNAL</auth>
340
341 Example: <auth>DBUS_COOKIE_SHA1</auth>
342
343 • <servicedir>
344
345 Adds a directory to search for .service files, which tell the
346 dbus-daemon how to start a program to provide a particular well-known
347 bus name. See the D-Bus Specification for more details about the
348 contents of .service files.
349
350 If a particular service is found in more than one <servicedir>, the
351 first directory listed in the configuration file takes precedence. If
352 two service files providing the same well-known bus name are found in
353 the same directory, it is arbitrary which one will be chosen (this can
354 only happen if at least one of the service files does not have the
355 recommended name, which is its well-known bus name followed by
356 ".service").
357
358 • <standard_session_servicedirs/>
359
360 <standard_session_servicedirs/> requests a standard set of session
361 service directories. Its effect is similar to specifying a series of
362 <servicedir/> elements for each of the data directories, in the order
363 given here. It is not exactly equivalent, because there is currently no
364 way to disable directory monitoring or enforce strict service file
365 naming for a <servicedir/>.
366
367 As with <servicedir/> elements, if a particular service is found in
368 more than one service directory, the first directory takes precedence.
369 If two service files providing the same well-known bus name are found
370 in the same directory, it is arbitrary which one will be chosen (this
371 can only happen if at least one of the service files does not have the
372 recommended name, which is its well-known bus name followed by
373 ".service").
374
375 On Unix, the standard session service directories are:
376
377 • $XDG_RUNTIME_DIR/dbus-1/services, if XDG_RUNTIME_DIR is set (see
378 the XDG Base Directory Specification for details of
379 XDG_RUNTIME_DIR): this location is suitable for transient services
380 created at runtime by systemd generators (see
381 systemd.generator(7)), session managers or other session
382 infrastructure. It is an extension provided by the reference
383 implementation of dbus-daemon, and is not standardized in the D-Bus
384 Specification.
385
386 Unlike the other standard session service directories, this
387 directory enforces strict naming for the service files: the
388 filename must be exactly the well-known bus name of the service,
389 followed by ".service".
390
391 Also unlike the other standard session service directories, this
392 directory is never monitored with inotify(7) or similar APIs.
393 Programs that create service files in this directory while a
394 dbus-daemon is running are expected to call the dbus-daemon's
395 ReloadConfig() method after they have made changes.
396
397 • $XDG_DATA_HOME/dbus-1/services, where XDG_DATA_HOME defaults to
398 ~/.local/share (see the XDG Base Directory Specification): this
399 location is specified by the D-Bus Specification, and is suitable
400 for per-user, locally-installed software.
401
402 • directory/dbus-1/services for each directory in XDG_DATA_DIRS,
403 where XDG_DATA_DIRS defaults to /usr/local/share:/usr/share (see
404 the XDG Base Directory Specification): these locations are
405 specified by the D-Bus Specification. The defaults are suitable for
406 software installed locally by a system administrator
407 (/usr/local/share) or for software installed from operating system
408 packages (/usr/share). Per-user or system-wide configuration that
409 sets the XDG_DATA_DIRS environment variable can extend this search
410 path to cover installations in other locations, for example
411 ~/.local/share/flatpak/exports/share/ and
412 /var/lib/flatpak/exports/share/ when flatpak(1) is used.
413
414 • ${datadir}/dbus-1/services for the ${datadir} that was specified
415 when dbus was compiled, typically /usr/share: this location is an
416 extension provided by the reference dbus-daemon implementation, and
417 is suitable for software stacks installed alongside dbus-daemon.
418
419 The "XDG Base Directory Specification" can be found at
420 http://freedesktop.org/wiki/Standards/basedir-spec if it hasn't moved,
421 otherwise try your favorite search engine.
422
423 On Windows, the standard session service directories are:
424
425 • %CommonProgramFiles%/dbus-1/services if %CommonProgramFiles% is
426 set: this location is suitable for system-wide installed software
427 packages
428
429 • A share/dbus-1/services directory found in the same directory
430 hierarchy (prefix) as the dbus-daemon: this location is suitable
431 for software stacks installed alongside dbus-daemon
432
433 The <standard_session_servicedirs/> option is only relevant to the
434 per-user-session bus daemon defined in /etc/dbus-1/session.conf.
435 Putting it in any other configuration file would probably be nonsense.
436
437 • <standard_system_servicedirs/>
438
439 <standard_system_servicedirs/> specifies the standard system-wide
440 activation directories that should be searched for service files. As
441 with session services, the first directory listed has highest
442 precedence.
443
444 On Unix, the standard session service directories are:
445
446 • /usr/local/share/dbus-1/system-services: this location is specified
447 by the D-Bus Specification, and is suitable for software installed
448 locally by the system administrator
449
450 • /usr/share/dbus-1/system-services: this location is specified by
451 the D-Bus Specification, and is suitable for software installed by
452 operating system packages
453
454 • ${datadir}/dbus-1/system-services for the ${datadir} that was
455 specified when dbus was compiled, typically /usr/share: this
456 location is an extension provided by the reference dbus-daemon
457 implementation, and is suitable for software stacks installed
458 alongside dbus-daemon
459
460 • /lib/dbus-1/system-services: this location is specified by the
461 D-Bus Specification, and was intended for software installed by
462 operating system packages and used during early boot (but it should
463 be considered deprecated, because the reference dbus-daemon is not
464 designed to be available during early boot)
465
466 On Windows, there is no standard system bus, so there are no standard
467 system bus directories either.
468
469 The <standard_system_servicedirs/> option is only relevant to the
470 per-system bus daemon defined in /usr/share/dbus-1/system.conf. Putting
471 it in any other configuration file would probably be nonsense.
472
473 • <servicehelper/>
474
475 <servicehelper/> specifies the setuid helper that is used to launch
476 system daemons with an alternate user. Typically this should be the
477 dbus-daemon-launch-helper executable in located in libexec.
478
479 The <servicehelper/> option is only relevant to the per-system bus
480 daemon defined in /usr/share/dbus-1/system.conf. Putting it in any
481 other configuration file would probably be nonsense.
482
483 • <limit>
484
485 <limit> establishes a resource limit. For example:
486
487 <limit name="max_message_size">64</limit>
488 <limit name="max_completed_connections">512</limit>
489
490 The name attribute is mandatory. Available limit names are:
491
492 "max_incoming_bytes" : total size in bytes of messages
493 incoming from a single connection
494 "max_incoming_unix_fds" : total number of unix fds of messages
495 incoming from a single connection
496 "max_outgoing_bytes" : total size in bytes of messages
497 queued up for a single connection
498 "max_outgoing_unix_fds" : total number of unix fds of messages
499 queued up for a single connection
500 "max_message_size" : max size of a single message in
501 bytes
502 "max_message_unix_fds" : max unix fds of a single message
503 "service_start_timeout" : milliseconds (thousandths) until
504 a started service has to connect
505 "auth_timeout" : milliseconds (thousandths) a
506 connection is given to
507 authenticate
508 "pending_fd_timeout" : milliseconds (thousandths) a
509 fd is given to be transmitted to
510 dbus-daemon before disconnecting the
511 connection
512 "max_completed_connections" : max number of authenticated connections
513 "max_incomplete_connections" : max number of unauthenticated
514 connections
515 "max_connections_per_user" : max number of completed connections from
516 the same user
517 "max_pending_service_starts" : max number of service launches in
518 progress at the same time
519 "max_names_per_connection" : max number of names a single
520 connection can own
521 "max_match_rules_per_connection": max number of match rules for a single
522 connection
523 "max_replies_per_connection" : max number of pending method
524 replies per connection
525 (number of calls-in-progress)
526 "reply_timeout" : milliseconds (thousandths)
527 until a method call times out
528
529 The max incoming/outgoing queue sizes allow a new message to be queued
530 if one byte remains below the max. So you can in fact exceed the max by
531 max_message_size.
532
533 max_completed_connections divided by max_connections_per_user is the
534 number of users that can work together to denial-of-service all other
535 users by using up all connections on the systemwide bus.
536
537 Limits are normally only of interest on the systemwide bus, not the
538 user session buses.
539
540 • <policy>
541
542 The <policy> element defines a security policy to be applied to a
543 particular set of connections to the bus. A policy is made up of
544 <allow> and <deny> elements. Policies are normally used with the
545 systemwide bus; they are analogous to a firewall in that they allow
546 expected traffic and prevent unexpected traffic.
547
548 Currently, the system bus has a default-deny policy for sending method
549 calls and owning bus names, and a default-allow policy for receiving
550 messages, sending signals, and sending a single success or error reply
551 for each method call that does not have the NO_REPLY flag. Sending more
552 than the expected number of replies is not allowed.
553
554 In general, it is best to keep system services as small, targeted
555 programs which run in their own process and provide a single bus name.
556 Then, all that is needed is an <allow> rule for the "own" permission to
557 let the process claim the bus name, and a "send_destination" rule to
558 allow traffic from some or all uids to your service.
559
560 The <policy> element has one of four attributes:
561
562 context="(default|mandatory)"
563 at_console="(true|false)"
564 user="username or userid"
565 group="group name or gid"
566
567 Policies are applied to a connection as follows:
568
569 - all context="default" policies are applied
570 - all group="connection's user's group" policies are applied
571 in undefined order
572 - all user="connection's auth user" policies are applied
573 in undefined order
574 - all at_console="true" policies are applied
575 - all at_console="false" policies are applied
576 - all context="mandatory" policies are applied
577
578 Policies applied later will override those applied earlier, when the
579 policies overlap. Multiple policies with the same user/group/context
580 are applied in the order they appear in the config file.
581
582 <deny>
583 <allow>
584
585 A <deny> element appears below a <policy> element and prohibits some
586 action. The <allow> element makes an exception to previous <deny>
587 statements, and works just like <deny> but with the inverse meaning.
588
589 The possible attributes of these elements are:
590
591 send_interface="interface_name" | "*"
592 send_member="method_or_signal_name" | "*"
593 send_error="error_name" | "*"
594 send_broadcast="true" | "false"
595 send_destination="name" | "*"
596 send_type="method_call" | "method_return" | "signal" | "error" | "*"
597 send_path="/path/name" | "*"
598
599 receive_interface="interface_name" | "*"
600 receive_member="method_or_signal_name" | "*"
601 receive_error="error_name" | "*"
602 receive_sender="name" | "*"
603 receive_type="method_call" | "method_return" | "signal" | "error" | "*"
604 receive_path="/path/name" | "*"
605
606 send_requested_reply="true" | "false"
607 receive_requested_reply="true" | "false"
608
609 eavesdrop="true" | "false"
610
611 own="name" | "*"
612 own_prefix="name"
613 user="username" | "*"
614 group="groupname" | "*"
615
616 Examples:
617
618 <deny send_destination="org.freedesktop.Service" send_interface="org.freedesktop.System" send_member="Reboot"/>
619 <deny send_destination="org.freedesktop.System"/>
620 <deny receive_sender="org.freedesktop.System"/>
621 <deny user="john"/>
622 <deny group="enemies"/>
623
624 The <deny> element's attributes determine whether the deny "matches" a
625 particular action. If it matches, the action is denied (unless later
626 rules in the config file allow it).
627
628 Rules with one or more of the send_* family of attributes are checked
629 in order when a connection attempts to send a message. The last rule
630 that matches the message determines whether it may be sent. The
631 well-known session bus normally allows sending any message. The
632 well-known system bus normally allows sending any signal, selected
633 method calls to the dbus-daemon, and exactly one reply to each
634 previously-sent method call (either success or an error). Either of
635 these can be overridden by configuration; on the system bus, services
636 that will receive method calls must install configuration that allows
637 them to do so, usually via rules of the form <policy
638 context="default"><allow send_destination="..."/><policy>.
639
640 Rules with one or more of the receive_* family of attributes, or with
641 the eavesdrop attribute and no others, are checked for each recipient
642 of a message (there might be more than one recipient if the message is
643 a broadcast or a connection is eavesdropping). The last rule that
644 matches the message determines whether it may be received. The
645 well-known session bus normally allows receiving any message, including
646 eavesdropping. The well-known system bus normally allows receiving any
647 message that was not eavesdropped (any unicast message addressed to the
648 recipient, and any broadcast message).
649
650 The eavesdrop, min_fds and max_fds attributes are modifiers that can be
651 applied to either send_* or receive_* rules, and are documented below.
652
653 send_destination and receive_sender rules mean that messages may not be
654 sent to or received from the *owner* of the given name, not that they
655 may not be sent *to that name*. That is, if a connection owns services
656 A, B, C, and sending to A is denied, sending to B or C will not work
657 either. As a special case, send_destination="*" matches any message
658 (whether it has a destination specified or not), and receive_sender="*"
659 similarly matches any message.
660
661 Rules with send_broadcast="true" match signal messages with no
662 destination (broadcasts). Rules with send_broadcast="false" are the
663 inverse: they match any unicast destination (unicast signals, together
664 with all method calls, replies and errors) but do not match messages
665 with no destination (broadcasts). This is not the same as
666 send_destination="*", which matches any sent message, regardless of
667 whether it has a destination or not.
668
669 The other send_* and receive_* attributes are purely textual/by-value
670 matches against the given field in the message header, except that for
671 the attributes where it is allowed, * matches any message (whether it
672 has the relevant header field or not). For example, send_interface="*"
673 matches any sent message, even if it does not contain an interface
674 header field. More complex glob matching such as foo.bar.* is not
675 allowed.
676
677 "Eavesdropping" occurs when an application receives a message that was
678 explicitly addressed to a name the application does not own, or is a
679 reply to such a message. Eavesdropping thus only applies to messages
680 that are addressed to services and replies to such messages (i.e. it
681 does not apply to signals).
682
683 For <allow>, eavesdrop="true" indicates that the rule matches even when
684 eavesdropping. eavesdrop="false" is the default and means that the rule
685 only allows messages to go to their specified recipient. For <deny>,
686 eavesdrop="true" indicates that the rule matches only when
687 eavesdropping. eavesdrop="false" is the default for <deny> also, but
688 here it means that the rule applies always, even when not
689 eavesdropping. The eavesdrop attribute can only be combined with send
690 and receive rules (with send_* and receive_* attributes).
691
692 The [send|receive]_requested_reply attribute works similarly to the
693 eavesdrop attribute. It controls whether the <deny> or <allow> matches
694 a reply that is expected (corresponds to a previous method call
695 message). This attribute only makes sense for reply messages (errors
696 and method returns), and is ignored for other message types.
697
698 For <allow>, [send|receive]_requested_reply="true" is the default and
699 indicates that only requested replies are allowed by the rule.
700 [send|receive]_requested_reply="false" means that the rule allows any
701 reply even if unexpected.
702
703 For <deny>, [send|receive]_requested_reply="false" is the default but
704 indicates that the rule matches only when the reply was not requested.
705 [send|receive]_requested_reply="true" indicates that the rule applies
706 always, regardless of pending reply state.
707
708 The min_fds and max_fds attributes modify either send_* or receive_*
709 rules. A rule with the min_fds attribute only matches messages if they
710 have at least that many Unix file descriptors attached. Conversely, a
711 rule with the max_fds attribute only matches messages if they have no
712 more than that many file descriptors attached. In practice, rules with
713 these attributes will most commonly take the form <allow
714 send_destination="..." max_fds="0"/>, <deny send_destination="..."
715 min_fds="1"/> or <deny receive_sender="*" min_fds="1"/>.
716
717 Rules with the user or group attribute are checked when a new
718 connection to the message bus is established, and control whether the
719 connection can continue. Each of these attributes cannot be combined
720 with any other attribute. As a special case, both user="*" and
721 group="*" match any connection. If there are no rules of this form, the
722 default is to allow connections from the same user ID that owns the
723 dbus-daemon process. The well-known session bus normally uses that
724 default behaviour, while the well-known system bus normally allows any
725 connection.
726
727 Rules with the own or own_prefix attribute are checked when a
728 connection attempts to own a well-known bus names. As a special case,
729 own="*" matches any well-known bus name. The well-known session bus
730 normally allows any connection to own any name, while the well-known
731 system bus normally does not allow any connection to own any name,
732 except where allowed by further configuration. System services that
733 will own a name must install configuration that allows them to do so,
734 usually via rules of the form <policy user="some-system-user"><allow
735 own="..."/></policy>.
736
737 <allow own_prefix="a.b"/> allows you to own the name "a.b" or any name
738 whose first dot-separated elements are "a.b": in particular, you can
739 own "a.b.c" or "a.b.c.d", but not "a.bc" or "a.c". This is useful when
740 services like Telepathy and ReserveDevice define a meaning for subtrees
741 of well-known names, such as
742 org.freedesktop.Telepathy.ConnectionManager.(anything) and
743 org.freedesktop.ReserveDevice1.(anything).
744
745 It does not make sense to deny a user or group inside a <policy> for a
746 user or group; user/group denials can only be inside context="default"
747 or context="mandatory" policies.
748
749 A single <deny> rule may specify combinations of attributes such as
750 send_destination and send_interface and send_type. In this case, the
751 denial applies only if both attributes match the message being denied.
752 e.g. <deny send_interface="foo.bar" send_destination="foo.blah"/> would
753 deny messages with the given interface AND the given bus name. To get
754 an OR effect you specify multiple <deny> rules.
755
756 You can't include both send_ and receive_ attributes on the same rule,
757 since "whether the message can be sent" and "whether it can be
758 received" are evaluated separately.
759
760 Be careful with send_interface/receive_interface, because the interface
761 field in messages is optional. In particular, do NOT specify <deny
762 send_interface="org.foo.Bar"/>! This will cause no-interface messages
763 to be blocked for all services, which is almost certainly not what you
764 intended. Always use rules of the form: <deny
765 send_interface="org.foo.Bar" send_destination="org.foo.Service"/>
766
767 • <selinux>
768
769 The <selinux> element contains settings related to Security Enhanced
770 Linux. More details below.
771
772 • <associate>
773
774 An <associate> element appears below an <selinux> element and creates a
775 mapping. Right now only one kind of association is possible:
776
777 <associate own="org.freedesktop.Foobar" context="foo_t"/>
778
779 This means that if a connection asks to own the name
780 "org.freedesktop.Foobar" then the source context will be the context of
781 the connection and the target context will be "foo_t" - see the short
782 discussion of SELinux below.
783
784 Note, the context here is the target context when requesting a name,
785 NOT the context of the connection owning the name.
786
787 There's currently no way to set a default for owning any name, if we
788 add this syntax it will look like:
789
790 <associate own="*" context="foo_t"/>
791
792 If you find a reason this is useful, let the developers know. Right now
793 the default will be the security context of the bus itself.
794
795 If two <associate> elements specify the same name, the element
796 appearing later in the configuration file will be used.
797
798 • <apparmor>
799
800 The <apparmor> element is used to configure AppArmor mediation on the
801 bus. It can contain one attribute that specifies the mediation mode:
802
803 <apparmor mode="(enabled|disabled|required)"/>
804
805 The default mode is "enabled". In "enabled" mode, AppArmor mediation
806 will be performed if AppArmor support is available in the kernel. If it
807 is not available, dbus-daemon will start but AppArmor mediation will
808 not occur. In "disabled" mode, AppArmor mediation is disabled. In
809 "required" mode, AppArmor mediation will be enabled if AppArmor support
810 is available, otherwise dbus-daemon will refuse to start.
811
812 The AppArmor mediation mode of the bus cannot be changed after the bus
813 starts. Modifying the mode in the configuration file and sending a
814 SIGHUP signal to the daemon has no effect on the mediation mode.
815
817 See http://www.nsa.gov/selinux/ for full details on SELinux. Some
818 useful excerpts:
819
820 Every subject (process) and object (e.g. file, socket, IPC object, etc)
821 in the system is assigned a collection of security attributes, known as
822 a security context. A security context contains all of the security
823 attributes associated with a particular subject or object that are
824 relevant to the security policy.
825
826 In order to better encapsulate security contexts and to provide greater
827 efficiency, the policy enforcement code of SELinux typically handles
828 security identifiers (SIDs) rather than security contexts. A SID is an
829 integer that is mapped by the security server to a security context at
830 runtime.
831
832 When a security decision is required, the policy enforcement code
833 passes a pair of SIDs (typically the SID of a subject and the SID of an
834 object, but sometimes a pair of subject SIDs or a pair of object SIDs),
835 and an object security class to the security server. The object
836 security class indicates the kind of object, e.g. a process, a regular
837 file, a directory, a TCP socket, etc.
838
839 Access decisions specify whether or not a permission is granted for a
840 given pair of SIDs and class. Each object class has a set of associated
841 permissions defined to control operations on objects with that class.
842
843 D-Bus performs SELinux security checks in two places.
844
845 First, any time a message is routed from one connection to another
846 connection, the bus daemon will check permissions with the security
847 context of the first connection as source, security context of the
848 second connection as target, object class "dbus" and requested
849 permission "send_msg".
850
851 If a security context is not available for a connection (impossible
852 when using UNIX domain sockets), then the target context used is the
853 context of the bus daemon itself. There is currently no way to change
854 this default, because we're assuming that only UNIX domain sockets will
855 be used to connect to the systemwide bus. If this changes, we'll
856 probably add a way to set the default connection context.
857
858 Second, any time a connection asks to own a name, the bus daemon will
859 check permissions with the security context of the connection as
860 source, the security context specified for the name in the config file
861 as target, object class "dbus" and requested permission "acquire_svc".
862
863 The security context for a bus name is specified with the <associate>
864 element described earlier in this document. If a name has no security
865 context associated in the configuration file, the security context of
866 the bus daemon itself will be used.
867
869 The AppArmor confinement context is stored when applications connect to
870 the bus. The confinement context consists of a label and a confinement
871 mode. When a security decision is required, the daemon uses the
872 confinement context to query the AppArmor policy to determine if the
873 action should be allowed or denied and if the action should be audited.
874
875 The daemon performs AppArmor security checks in three places.
876
877 First, any time a message is routed from one connection to another
878 connection, the bus daemon will check permissions with the label of the
879 first connection as source, label and/or connection name of the second
880 connection as target, along with the bus name, the path name, the
881 interface name, and the member name. Reply messages, such as
882 method_return and error messages, are implicitly allowed if they are in
883 response to a message that has already been allowed.
884
885 Second, any time a connection asks to own a name, the bus daemon will
886 check permissions with the label of the connection as source, the
887 requested name as target, along with the bus name.
888
889 Third, any time a connection attempts to eavesdrop, the bus daemon will
890 check permissions with the label of the connection as the source, along
891 with the bus name.
892
893 AppArmor rules for bus mediation are not stored in the bus
894 configuration files. They are stored in the application's AppArmor
895 profile. Please see apparmor.d(5) for more details.
896
898 If you're trying to figure out where your messages are going or why you
899 aren't getting messages, there are several things you can try.
900
901 Remember that the system bus is heavily locked down and if you haven't
902 installed a security policy file to allow your message through, it
903 won't work. For the session bus, this is not a concern.
904
905 The simplest way to figure out what's happening on the bus is to run
906 the dbus-monitor program, which comes with the D-Bus package. You can
907 also send test messages with dbus-send. These programs have their own
908 man pages.
909
910 If you want to know what the daemon itself is doing, you might consider
911 running a separate copy of the daemon to test against. This will allow
912 you to put the daemon under a debugger, or run it with verbose output,
913 without messing up your real session and system daemons.
914
915 To run a separate test copy of the daemon, for example you might open a
916 terminal and type:
917
918 DBUS_VERBOSE=1 dbus-daemon --session --print-address
919
920 The test daemon address will be printed when the daemon starts. You
921 will need to copy-and-paste this address and use it as the value of the
922 DBUS_SESSION_BUS_ADDRESS environment variable when you launch the
923 applications you want to test. This will cause those applications to
924 connect to your test bus instead of the DBUS_SESSION_BUS_ADDRESS of
925 your real session bus.
926
927 DBUS_VERBOSE=1 will have NO EFFECT unless your copy of D-Bus was
928 compiled with verbose mode enabled. This is not recommended in
929 production builds due to performance impact. You may need to rebuild
930 D-Bus if your copy was not built with debugging in mind. (DBUS_VERBOSE
931 also affects the D-Bus library and thus applications using D-Bus; it
932 may be useful to see verbose output on both the client side and from
933 the daemon.)
934
935 If you want to get fancy, you can create a custom bus configuration for
936 your test bus (see the session.conf and system.conf files that define
937 the two default configurations for example). This would allow you to
938 specify a different directory for .service files, for example.
939
941 See http://www.freedesktop.org/software/dbus/doc/AUTHORS
942
944 Please send bug reports to the D-Bus mailing list or bug tracker, see
945 http://www.freedesktop.org/software/dbus/
946
948 1. relay connections via Secure Shell or a similar protocol
949 https://lists.freedesktop.org/archives/dbus/2018-April/017447.html
950
951
952
953D-Bus 1.12.20 10/01/2021 DBUS-DAEMON(1)