Add whippet

packages/os/Cargo.toml

@@ -26,6 +26,7 @@ source-groups = [
     "bloodhound",
     "xfscli",
     "brush",
+    "whippet",
 ]
 
 [lib]

packages/os/dbus-1-system.toml

@@ -0,0 +1,40 @@
+[user.root]
+rules = [
+    # Allow activator interface
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.systemd1.Activator", allow = true },
+    # Allow monitoring
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Monitoring", allow = true },
+    # Allow stats interface
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Debug.Stats", allow = true }
+]
+
+[default]
+rules = [
+    # Allow all users to connect
+    { user = "*", allow = true },
+    # Deny owning names
+    { own = "*", allow = false },
+    { send_type = "method-call", allow = false },
+    # Allow signals
+    { send_type = "signal", allow = true },
+    # Allow replies
+    # This is a useless rule, it is dropped from the rules at runtime
+    # { send_type = "method_return", send_requested_reply = true, allow = true },
+    # This is a uselss rule, it is dropped from the rules at runtime
+    # { send_type = "error", send_requested_reply = true, allow = true },
+    # Allow all receives
+    { receive_type = "method-call", allow = true },
+    # This is a userless rule, it is dropped from the rules at runtime
+    # { receive_type = "method-return", allow = true },
+    # This is a userless rule, it is dropped from the rules at runtime
+    # { receive_type = "error", allow = true },
+    { receive_type = "signal", allow = true },
+    # Allow DBus interface access
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus", allow = true },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Introspectable", allow = true },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Properties", allow = true },
+    # Deny specific bus services
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus", send_member = "UpdateActivationEnvironment", allow = false },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Debug.Stats", allow = false },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.systemd1.Activator", allow = false }
+]

packages/os/os.spec

@@ -33,6 +33,8 @@ Source18: bootstrap-containers-toml
 Source19: host-containers-toml
 Source20: bottlerocket-fips-checks-metadata-json
 Source21: bootstrap-commands-toml
+Source22: dbus-1-system.toml
+Source23: whippet.conf
 
 # 1xx sources: systemd units
 Source100: apiserver.service
@@ -423,6 +425,13 @@ Conflicts: %{_cross_os}bash
 %description -n %{_cross_os}brush
 %{summary}.
 
+%package -n %{_cross_os}whippet
+Summary: A simple dbus-broker launcher
+Provides: %{_cross_os}dbus-broker(launcher) = 0
+Conflicts: %{_cross_os}dbus-broker(launcher)
+%description -n %{_cross_os}whippet
+%{summary}.
+
 %prep
 %setup -T -c
 %cargo_prep
@@ -543,6 +552,7 @@ echo "** Output from non-static builds:"
     -p shibaken \
     -p driverdog \
     -p brush \
+    -p whippet \
     %{nil}
 
 # Wait for fips builds from the background, if they're not already done.
@@ -604,7 +614,7 @@ for p in \
   bottlerocket-cis-checks \
   bottlerocket-fips-checks \
   kubernetes-cis-checks \
-  shibaken driverdog brush \
+  shibaken driverdog brush whippet \
 ; do
   install -p -m 0755 %{__cargo_outdir}/${p} %{buildroot}%{_cross_bindir}
 done
@@ -731,6 +741,11 @@ install -p -m 0644 %{S:300} %{buildroot}%{_cross_udevrulesdir}/80-ephemeral-stor
 install -p -m 0644 %{S:301} %{buildroot}%{_cross_udevrulesdir}/81-ebs-volumes.rules
 install -p -m 0644 %{S:302} %{buildroot}%{_cross_udevrulesdir}/82-supplemental-storage.rules
 
+install -d %{buildroot}%{_cross_datadir}/whippet/
+install -p -m 0644 %{S:22} %{buildroot}%{_cross_datadir}/whippet/system.toml
+install -d %{buildroot}%{_cross_unitdir}/dbus-broker.service.d/
+install -p -m 0644 %{S:23} %{buildroot}%{_cross_unitdir}/dbus-broker.service.d/
+
 %cross_scan_attribution --clarify %{_builddir}/sources/clarify.toml \
     cargo --offline --locked %{_builddir}/sources/Cargo.toml
 
@@ -932,4 +947,9 @@ install -p -m 0644 %{S:400} %{S:401} %{S:402} %{buildroot}%{_cross_licensedir}
 %{_cross_bindir}/sh
 %dir %{_cross_libexecdir}/brush/allowed-programs
 
+%files -n %{_cross_os}whippet
+%{_cross_bindir}/whippet
+%{_cross_datadir}/whippet/system.toml
+%{_cross_unitdir}/dbus-broker.service.d/whippet.conf
+
 %changelog

packages/os/whippet.conf

@@ -0,0 +1,4 @@
+[Service]
+User=dbus
+ExecStart=
+ExecStart=/usr/bin/whippet

packages/selinux-policy/fs.cil

@@ -50,6 +50,7 @@
 (filecon "/.*/usr(/fips)?/bin/cfsignal" file api_exec)
 (filecon "/.*/usr/bin/thar-be-settings" file api_exec)
 (filecon "/.*/usr/bin/dbus-broker.*" file bus_exec)
+(filecon "/.*/usr/bin/whippet" file bus_exec)
 (filecon "/.*/usr/sbin/chronyd" file clock_exec)
 (filecon "/.*/usr/lib/systemd/systemd-networkd.*" file network_exec)
 (filecon "/.*/usr(/fips)?/bin/containerd.*" file runtime_exec)