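<!-- This configuration file controls the systemwide message bus.
     Add a system-local.conf and edit that rather than changing this
     file directly. -->

<!-- Note that there are any number of ways you can hose yourself
     security-wise by screwing up this file; in particular, you
     probably don't want to listen on any more addresses, add any more
     auth mechanisms, run as a different user, etc. -->

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Our well-known bus type, do not change this -->
  <type>system</type>

  <!-- Run as special user: the daemon gives up root and runs as this
       unprivileged account -->
  <user>dbus</user>

  <!-- Fork into daemon mode -->
  <fork/>

  <!-- We use system service launching using a helper -->
  <standard_system_servicedirs/>

  <!-- This is a setuid helper that is used to launch system services.
       It is normally installed so that only the bus user's group can
       execute it; check its ownership and mode when auditing. -->
  <servicehelper>/usr/libexec/dbus-daemon-launch-helper</servicehelper>

  <!-- Write a pid file -->
  <pidfile>/run/messagebus.pid</pidfile>

  <!-- Enable logging to syslog -->
  <syslog/>

  <!-- Only allow socket-credentials-based authentication. The user=
       policies below rely on the identity this mechanism establishes,
       so adding another mechanism weakens every per-user rule. -->
  <auth>EXTERNAL</auth>

  <!-- Only listen on a local socket. (abstract=/path/to/socket
       means use abstract namespace, don't really create filesystem
       file; only Linux supports this. Use path=/whatever on other
       systems.) -->
  <listen>unix:path=/run/dbus/system_bus_socket</listen>

  <policy context="default">
    <!-- All users can connect to system bus -->
    <allow user="*"/>

    <!-- Holes must be punched in service configuration files for
         name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call"/>

    <!-- Signals and reply messages (method returns, errors) are allowed
         by default -->
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>

    <!-- All messages may be received by default -->
    <allow receive_type="method_call"/>
    <allow receive_type="method_return"/>
    <allow receive_type="error"/>
    <allow receive_type="signal"/>

    <!-- Allow anyone to talk to the message bus -->
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus"/>
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus.Containers1"/>
    <!-- But disallow some specific bus services. Within a policy the
         last matching rule wins, so these denies must stay after the
         allows above. -->
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus"
          send_member="UpdateActivationEnvironment"/>
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.DBus.Debug.Stats"/>
    <deny send_destination="org.freedesktop.DBus"
          send_interface="org.freedesktop.systemd1.Activator"/>
  </policy>

  <!-- The user="root" policies below are applied after the
       context="default" policy, so their allow rules override the
       matching denies above for root only. -->

  <!-- Only systemd, which runs as root, may report activation failures. -->
  <policy user="root">
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.systemd1.Activator"/>
  </policy>

  <!-- root may monitor the system bus. -->
  <policy user="root">
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus.Monitoring"/>
  </policy>

  <!-- If the Stats interface was enabled at compile-time, root may use it.
       Copy this into system-local.conf or system.d/*.conf if you want to
       enable other privileged users to view statistics and debug info -->
  <policy user="root">
    <allow send_destination="org.freedesktop.DBus"
           send_interface="org.freedesktop.DBus.Debug.Stats"/>
  </policy>

  <!-- Include legacy configuration location. A leftover file at this
       path is still read and merged into the configuration, so review
       or remove it on systems migrated from the old layout. -->
  <include ignore_missing="yes">/etc/dbus-1/system.conf</include>

  <!-- The defaults for these limits are hard-coded in dbus-daemon.
       They bound the memory, file descriptors and connections that a
       single client or user can consume. To change one, set it in
       system-local.conf rather than editing this file.
       Some clarifications:
       Times are in milliseconds (ms); 1000ms = 1 second
       133169152 bytes = 127 MiB
       33554432 bytes = 32 MiB
       150000ms = 2.5 minutes -->
  <!-- <limit name="max_incoming_bytes">133169152</limit> -->
  <!-- <limit name="max_incoming_unix_fds">64</limit> -->
  <!-- <limit name="max_outgoing_bytes">133169152</limit> -->
  <!-- <limit name="max_outgoing_unix_fds">64</limit> -->
  <!-- <limit name="max_message_size">33554432</limit> -->
  <!-- <limit name="max_message_unix_fds">16</limit> -->
  <!-- <limit name="service_start_timeout">25000</limit> -->
  <!-- <limit name="auth_timeout">5000</limit> -->
  <!-- <limit name="pending_fd_timeout">150000</limit> -->
  <!-- <limit name="max_completed_connections">2048</limit> -->
  <!-- <limit name="max_incomplete_connections">64</limit> -->
  <!-- <limit name="max_connections_per_user">256</limit> -->
  <!-- <limit name="max_pending_service_starts">512</limit> -->
  <!-- <limit name="max_names_per_connection">512</limit> -->
  <!-- <limit name="max_match_rules_per_connection">512</limit> -->
  <!-- <limit name="max_replies_per_connection">128</limit> -->

  <!-- Config files are placed here that among other things, punch
       holes in the above policy for specific services.
       Only files ending in .conf are read. The relative path is
       resolved against the directory that contains this file.
       Every drop-in can relax the deny rules above, so both
       directories should be writable by root only, and new files are
       worth reviewing for overly broad allow rules. -->
  <includedir>system.d</includedir>

  <includedir>/etc/dbus-1/system.d</includedir>

  <!-- This is included last so local configuration can override what's
       in this standard file. Anyone who can write this file can change
       the bus policy; keep it owned by root and not writable by others. -->
  <include ignore_missing="yes">/etc/dbus-1/system-local.conf</include>

  <!-- Read only when SELinux is enabled; the path is relative to the
       SELinux policy root -->
  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>

</busconfig>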