linux-gpio.vger.kernel.org archive mirror
From: Bartosz Golaszewski <brgl@bgdev.pl>
To: Linus Walleij <linus.walleij@linaro.org>,
	 Kent Gibson <warthog618@gmail.com>,
	 Erik Schilling <erik.schilling@linaro.org>,
	 Phil Howard <phil@gadgetoid.com>,
	 Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	 Viresh Kumar <viresh.kumar@linaro.org>,
	 Dan Carpenter <dan.carpenter@linaro.org>,
	 Philip Withnall <philip@tecnocode.co.uk>
Cc: linux-gpio@vger.kernel.org,
	 Bartosz Golaszewski <bartosz.golaszewski@linaro.org>,
	 Alexander Sverdlin <alexander.sverdlin@siemens.com>
Subject: [PATCH libgpiod v4 12/18] dbus: add data files
Date: Wed, 07 Aug 2024 11:10:43 +0200
Message-ID: <20240807-dbus-v4-12-64ea80169e51@linaro.org>
In-Reply-To: <20240807-dbus-v4-0-64ea80169e51@linaro.org>

From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

Add the default service configuration file for the DBus GPIO API and
a systemd unit file that allows starting up the gpio-manager.

Tested-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
 dbus/data/90-gpio.rules        |  4 ++++
 dbus/data/gpio-manager.service | 50 ++++++++++++++++++++++++++++++++++++++++++
 dbus/data/io.gpiod1.conf       | 41 ++++++++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+)

diff --git a/dbus/data/90-gpio.rules b/dbus/data/90-gpio.rules
new file mode 100644
index 0000000..ef27949
--- /dev/null
+++ b/dbus/data/90-gpio.rules
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2023 Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+SUBSYSTEM=="gpio", KERNEL=="gpiochip[0-9]*", GROUP="gpio", MODE="0660"
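Review bot: the `GROUP="gpio", MODE="0660"` assignment gives direct read/write access on every `/dev/gpiochipN` to the same `gpio` group that io.gpiod1.conf authorizes to talk to the daemon, so any member can open the character device and bypass the centralized manager altogether. If the daemon is meant to be the single point of control, consider a dedicated group (or `OWNER="gpio-manager"` with `MODE="0600"`) for the device nodes and keep `gpio` for D-Bus clients only. Nothing in this patch creates the `gpio` group or the `gpio-manager` account, and the commit message does not mention the udev rule at all; a sysusers.d fragment or a README note would make the install requirements explicit.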
diff --git a/dbus/data/gpio-manager.service b/dbus/data/gpio-manager.service
new file mode 100644
index 0000000..f93a6fa
--- /dev/null
+++ b/dbus/data/gpio-manager.service
@@ -0,0 +1,50 @@
+# SPDX-License-Identifier: CC0-1.0
+# SPDX-FileCopyrightText: 2023-2024 Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[Unit]
+Description=Centralized GPIO manager daemon
+
+[Service]
+Type=dbus
+BusName=io.gpiod1
+ExecStart=/usr/bin/gpio-manager
+Restart=always
+User=gpio-manager
+
+CapabilityBoundingSet=
+ReadOnlyDirectories=/
+NoNewPrivileges=yes
+RemoveIPC=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectClock=yes
+Delegate=no
+IPAddressDeny=any
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NotifyAccess=main
+PrivateMounts=no
+PrivateNetwork=no
+ProtectHostname=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+
+[Install]
+WantedBy=multi-user.target
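Review bot: `User=gpio-manager` is set without `Group=` or `SupplementaryGroups=`, while 90-gpio.rules makes the chips `GROUP="gpio", MODE="0660"`, so the daemon can only open `/dev/gpiochipN` if the account has been added to `gpio` out of band; adding `SupplementaryGroups=gpio` here would make the unit self-contained. In the sandboxing block, `ReadOnlyDirectories=/` is the legacy spelling of `ReadOnlyPaths=` and overlaps with `ProtectSystem=strict`, and `Delegate=no`, `PrivateMounts=no` and `PrivateNetwork=no` only restate defaults. Since the network namespace stays shared, a `RestrictAddressFamilies=` line limited to what the daemon needs, plus `SystemCallArchitectures=native` and `ProtectKernelLogs=yes`, would tighten the profile more than the redundant entries do.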
diff --git a/dbus/data/io.gpiod1.conf b/dbus/data/io.gpiod1.conf
new file mode 100644
index 0000000..99b470f
--- /dev/null
+++ b/dbus/data/io.gpiod1.conf
@@ -0,0 +1,41 @@
+<!-- SPDX-License-Identifier: CC-BY-SA-4.0.txt -->
+<!-- SPDX-FileCopyrightText: 2022-2024 Bartosz Golaszewski <bartosz.golaszewski@linaro.org> -->
+
+<!-- This configuration file specifies the required security policies
+     for the gpio-dbus daemon to work. -->
+
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+
+  <!-- Everyone can list GPIO devices and see their properties. -->
+  <policy context="default">
+    <allow send_destination="io.gpiod1"
+           send_interface="org.freedesktop.DBus.Peer"
+           send_member="Ping"/>
+    <allow send_destination="io.gpiod1"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+    <allow send_destination="io.gpiod1"
+           send_interface="org.freedesktop.DBus.Properties"/>
+    <allow send_destination="io.gpiod1"
+           send_interface="org.freedesktop.DBus.ObjectManager"/>
+  </policy>
+
+  <!-- Daemon must run as the `gpio-manager` user. -->
+  <policy user="gpio-manager">
+    <allow own="io.gpiod1"/>
+  </policy>
+
+  <!-- Members of the `gpio` group can request and manipulate GPIO lines. -->
+  <policy group="gpio">
+    <allow send_destination="io.gpiod1"/>
+  </policy>
+
+  <!-- Root can do anything. -->
+  <policy user="root">
+    <allow own="io.gpiod1"/>
+    <allow send_destination="io.gpiod1"/>
+  </policy>
+
+</busconfig>
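Review bot: the `context="default"` policy allows every method on `org.freedesktop.DBus.Properties`, including `Set`, although the comment above it says everyone may only list devices and see their properties. Unless every exported property is read-only on the daemon side, restrict these rules with `send_member="Get"` and `send_member="GetAll"` so unprivileged callers cannot reach `Set`. Separately, `CC-BY-SA-4.0.txt` in the first line is not a valid SPDX identifier (the identifier is `CC-BY-SA-4.0`, and the other two files use `CC0-1.0`), and the header comment calls the service the "gpio-dbus daemon" while the unit and the policy name it `gpio-manager`.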

-- 
2.43.0

