Is it possible to monitor D-Bus calls on the system bus as a non-root user? I want to create a service that captures the raw D-Bus calls on the system, but for security reasons I would prefer to run the custom service without root privileges. The service would filter out unwanted messages and create a log file of the remaining messages after sanitizing any sensitive content values. The goal is to create a log stream that complements a specific service's logs, so that I can verify that every configuration and select read command sent is actually logged correctly by the custom service providing the D-Bus interface.
I created a system-local.conf to give users in the "dbusmonitor" group the ability to "BecomeMonitor", which results in a slightly different error message than for users not in that group, but does not produce the desired behavior.
Contents of /etc/dbus-1/system-local.conf:
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy group="dbusmonitor">
<allow send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus.Monitoring"
send_member="BecomeMonitor"
send_type="method_call"/>
</policy>
</busconfig>
Normal-user output of dbus-monitor targeting NetworkManager. When a dbus call is made, nothing appears in the output.
[test@localhost ~]$ groups
test
[test@localhost ~]$ dbus-monitor --system "destination='org.freedesktop.NetworkManager'"
dbus-monitor: unable to enable new-style monitoring: org.freedesktop.DBus.Error.AccessDenied: "Rejected send message, 1 matched rules; type="method_call", sender=":1.461" (uid=1002 pid=6471 comm="dbus-monitor --system destination='org.freedesktop" label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023") interface="org.freedesktop.DBus.Monitoring" member="BecomeMonitor" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)". Falling back to eavesdropping.
signal time=1661974390.087332 sender=org.freedesktop.DBus -> destination=:1.461 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
string ":1.461"
Below is the output of the same dbus-monitor command for a user who is a member of the privileged group; note that the error message is slightly different. Again, the dbus call is not captured.
[admin@localhost ~]$ groups
admin wheel dbusmonitor
[admin@localhost ~]$ dbus-monitor --system "destination='org.freedesktop.NetworkManager'"
dbus-monitor: unable to enable new-style monitoring: org.freedesktop.DBus.Error.AccessDenied: "rejected attempt to call BecomeMonitor by connection :1.528 (uid=1000 pid=9157 comm="dbus-monitor --system destination='org.freedesktop" label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023") with uid 1000". Falling back to eavesdropping.
signal time=1661978040.536692 sender=org.freedesktop.DBus -> destination=:1.528 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
string ":1.528"
Below is the output of the same dbus-monitor command as the root user. The dbus call to "org.freedesktop.NetworkManager.state" is captured successfully, which is the desired behavior.
[root@localhost ~]# dbus-monitor --system "destination='org.freedesktop.NetworkManager'"
signal time=1661979771.623836 sender=org.freedesktop.DBus -> destination=:1.546 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
string ":1.546"
signal time=1661979771.623861 sender=org.freedesktop.DBus -> destination=:1.546 serial=4 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameLost
string ":1.546"
method call time=1661979774.507096 sender=:1.547 -> destination=org.freedesktop.NetworkManager serial=2 path=/org/freedesktop/NetworkManager; interface=org.freedesktop.DBus.Introspectable; member=Introspect
method call time=1661979774.508390 sender=:1.547 -> destination=org.freedesktop.NetworkManager serial=3 path=/org/freedesktop/NetworkManager; interface=org.freedesktop.NetworkManager; member=state
In case it matters, I am testing on RHEL8. Note that switching SELinux to Permissive mode has no effect on this problem.
Do I need to assign additional permissions to the "dbusmonitor" group in the system-local.conf file? Or is this capability secondarily restricted somewhere else?
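The filtering and sanitizing stage the question describes, as an added example that is not part of the original post: it parses the text that dbus-monitor prints (the record headers shown above, plus the indented argument lines), keeps only method calls addressed to the audited service, and blanks every quoted string value before emitting a log line. The sample input is constructed from the root session above plus one made-up Properties.Set call; the regex and function names are this example's own assumptions.

```python
import re

# Header line of one dbus-monitor record; the argument lines that follow it are
# indented in real output. Regex written for this example, not from dbus itself.
HEADER_RE = re.compile(
    r"^(?P<type>method call|method return|signal|error) time=(?P<time>[\d.]+) "
    r"sender=(?P<sender>\S+) -> destination=(?P<dest>\S+) serial=(?P<serial>\d+)"
    r"(?: reply_serial=\d+)?"
    r"(?: path=(?P<path>[^;]+); interface=(?P<iface>[^;]+); member=(?P<member>\S+))?$"
)

# Constructed sample: three records copied from the root session in the question
# plus one invented Properties.Set call carrying string arguments.
SAMPLE = """signal time=1661979771.623836 sender=org.freedesktop.DBus -> destination=:1.546 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
   string ":1.546"
method call time=1661979774.507096 sender=:1.547 -> destination=org.freedesktop.NetworkManager serial=2 path=/org/freedesktop/NetworkManager; interface=org.freedesktop.DBus.Introspectable; member=Introspect
method call time=1661979774.508390 sender=:1.547 -> destination=org.freedesktop.NetworkManager serial=3 path=/org/freedesktop/NetworkManager; interface=org.freedesktop.NetworkManager; member=state
method call time=1661979780.000000 sender=:1.548 -> destination=org.freedesktop.NetworkManager serial=4 path=/org/freedesktop/NetworkManager; interface=org.freedesktop.DBus.Properties; member=Set
   string "org.freedesktop.NetworkManager"
   string "WirelessEnabled"
   variant             boolean true
"""

def parse_monitor_output(text):
    """Group dbus-monitor text into records: one header dict plus its argument lines."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["args"] = []
            records.append(rec)
        elif records and line.strip():
            records[-1]["args"].append(line.strip())
    return records

def redact(arg_line):
    """Blank every quoted string value but keep the type tag so the shape stays visible."""
    return re.sub(r'string "[^"]*"', 'string "<redacted>"', arg_line)

def select_records(records, destination):
    """Keep only method calls addressed to the service under audit."""
    return [r for r in records if r["type"] == "method call" and r["dest"] == destination]

def to_log_line(rec):
    """Render one record as a single audit-log line with redacted arguments."""
    args = " | ".join(redact(a) for a in rec["args"])
    return f'{rec["time"]} {rec["sender"]} {rec["iface"]}.{rec["member"]} {rec["path"]} args=[{args}]'

def audit_log(text, destination):
    """Full pipeline: parse, select, redact; returns the lines to append to the log file."""
    return [to_log_line(r) for r in select_records(parse_monitor_output(text), destination)]
```

The NameAcquired signal from org.freedesktop.DBus is dropped by the destination filter, and the string arguments of the Set call reach the log only as "<redacted>".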