matrix-org / pantalaimon

E2EE aware proxy daemon for matrix clients.
Apache License 2.0

Support system services correctly #148

Open Thaodan opened 1 year ago

Thaodan commented 1 year ago

Description

Hey, I created a new bug for this to track the progress on this a little more easily, since the other bug contains quite a mess.

First of all, I got pantalaimon working as a system service.

I plan to pick this up later so I want to track my changes here and discuss any further steps.

My changes:

dbus busconfig:

<!DOCTYPE busconfig PUBLIC
          "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
          "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root or user pantalaimon can own the Pantalaimon service -->
  <policy user="pantalaimon">
    <allow own="org.pantalaimon1"/>
  </policy>
  <policy user="root">
    <allow own="org.pantalaimon1"/>
  </policy>

  <!-- Allow clients to talk to the service. The opening tag of this policy
       was missing from the post; context="default" (any connection on the
       bus, i.e. any local process) is assumed here. -->
  <policy context="default">
    <allow send_destination="org.pantalaimon1"/>
    <allow receive_sender="org.pantalaimon1"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.pantalaimon1"/>
    <allow receive_sender="org.pantalaimon1"/>
  </policy>
</busconfig>

systemd system service

I created this service to reduce the permissions that the system service has:

# /usr/lib/systemd/system/pantalaimon.service
[Unit]
Description=Pantalaimon E2E Matrix reverse proxy
Requires=dbus.socket

[Service]
ExecStart=/usr/bin/pantalaimon -c /etc/pantalaimon.conf
Type=simple
User=pantalaimon
Group=pantalaimon
# With DynamicUser= the pantalaimon user only exists while the service runs.
# dbus-daemon resolves user="pantalaimon" in the bus policy by name when it
# loads its configuration, so if that lookup fails create the user statically
# (systemd then uses it instead of allocating a dynamic one) or match on group=.
DynamicUser=true
SyslogIdentifier=pantalaimon
StateDirectory=pantalaimon
RuntimeDirectory=pantalaimon
Environment=LC_ALL=en_US.UTF-8
Environment=HOME=/var/lib/pantalaimon
Restart=always
RestartSec=10

# Sandboxing: drop all capabilities and block privilege escalation
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true
#SecureBits=
# Read-only view of the system; only StateDirectory= and RuntimeDirectory= are writable
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# The proxy needs real network access to reach the homeserver
PrivateNetwork=false
PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
# AF_UNIX for D-Bus, AF_INET/AF_INET6 for the HTTP listener and homeserver connection
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallFilter=@system-service
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

What is left

The issue now is how pantalaimon should decide which bus to register on.
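A check for the bus policy posted above, added here as an example and not part of the pantalaimon project: it parses a busconfig file and reports which principals may own a bus name and which may send to it, so the effect of a system-bus policy can be seen before it is installed. `SAMPLE_POLICY` is a constructed copy of the policy from this issue; the opening `<policy context="default">` tag is an assumption, since that tag was missing from the post.

```python
"""Audit a D-Bus busconfig policy for one bus name.

Added example, not pantalaimon's code. SAMPLE_POLICY is a constructed copy
of the policy discussed in this issue; the <policy context="default"> tag is
assumed because the opening tag was missing from the post.
"""
import xml.etree.ElementTree as ET

BUS_NAME = "org.pantalaimon1"

SAMPLE_POLICY = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="pantalaimon">
    <allow own="org.pantalaimon1"/>
  </policy>
  <policy user="root">
    <allow own="org.pantalaimon1"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.pantalaimon1"/>
    <allow receive_sender="org.pantalaimon1"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.pantalaimon1"/>
    <allow receive_sender="org.pantalaimon1"/>
  </policy>
</busconfig>
"""


def principal(policy):
    """Name the subject a <policy> applies to (user=, group= or context=)."""
    for attr in ("user", "group", "context"):
        if attr in policy.attrib:
            return f"{attr}={policy.attrib[attr]}"
    raise ValueError("<policy> without user=, group= or context=")


def audit_policy(xml_text, bus_name=BUS_NAME):
    """Return who may own bus_name and who may send to it.

    Only <allow> rules are summarised. dbus-daemon lets a later rule override
    an earlier one, so a file that also contains <deny> rules needs the full
    rule order, which this summary does not model.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "busconfig":
        raise ValueError("not a busconfig document")
    owners, senders = [], []
    for policy in root.findall("policy"):
        who = principal(policy)
        for rule in policy.findall("allow"):
            if rule.get("own") == bus_name and who not in owners:
                owners.append(who)
            if rule.get("send_destination") == bus_name and who not in senders:
                senders.append(who)
    return {
        "owners": owners,
        "senders": senders,
        # context=default matches every connection on the bus, i.e. every
        # local process once the file is installed for the system bus.
        "default_can_send": "context=default" in senders,
    }


def findings(report, bus_name=BUS_NAME):
    """Warnings derived from audit_policy()'s output."""
    out = []
    if not report["owners"]:
        out.append(f"nobody may own {bus_name}; the service cannot register")
    if report["default_can_send"]:
        out.append(f"any local process may call methods on {bus_name}; "
                   "restrict with group= or user= if the API is privileged")
    return out


if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY)
    print(report)
    for line in findings(report):
        print("warning:", line)
```

Run against the real file with `audit_policy(open("/usr/share/dbus-1/system.d/org.pantalaimon1.conf").read())`; swapping `context="default"` for a `group=` policy is the usual way to narrow who may drive the service once it lives on the system bus.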
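One way to make the bus decision the last sentence asks about, written as an added example and not as the project's own code. The selection rule is an assumption for discussion: an explicit setting (a hypothetical `dbus-bus` config option) wins; otherwise the session bus is used if one is reachable; otherwise the system bus is used only when the process is running as a systemd system service. The `connect()` helper uses pydbus, the binding pantalaimon's D-Bus interface is built on, and imports it lazily so the decision logic runs without a bus.

```python
"""Decide whether pantalaimon should register on the session or the system bus.

Added example, not pantalaimon's code. The rule below is an assumption:
explicit config value > reachable session bus > system bus when running
as a systemd system service.
"""
import os


def session_bus_available(env):
    """True if a session bus is reachable from this environment."""
    if env.get("DBUS_SESSION_BUS_ADDRESS"):
        return True
    # dbus-user-session exposes the bus at $XDG_RUNTIME_DIR/bus even when the
    # address variable is not exported (e.g. a unit under `systemd --user`).
    runtime_dir = env.get("XDG_RUNTIME_DIR")
    return bool(runtime_dir) and os.path.exists(os.path.join(runtime_dir, "bus"))


def running_as_system_service(env):
    """True under the systemd *system* manager.

    systemd sets INVOCATION_ID for every unit it starts; the user manager also
    passes XDG_RUNTIME_DIR, while the system manager (PAMName= aside) does not.
    """
    return bool(env.get("INVOCATION_ID")) and not env.get("XDG_RUNTIME_DIR")


def choose_bus(config_value=None, env=None):
    """Return "session" or "system"; raise if neither choice can be justified.

    config_value: value of the hypothetical `dbus-bus` config option, or None.
    env: mapping standing in for os.environ (injected so this is testable).
    """
    env = os.environ if env is None else env
    if config_value is not None:
        value = config_value.strip().lower()
        if value not in ("session", "system"):
            raise ValueError(
                f"dbus-bus must be 'session' or 'system', not {config_value!r}"
            )
        return value
    if session_bus_available(env):
        return "session"
    if running_as_system_service(env):
        return "system"
    raise RuntimeError("no session bus reachable and not running as a system service")


def connect(bus_kind):
    """Connect with pydbus; imported lazily so choose_bus() needs no bus.

    On the system bus, publishing org.pantalaimon1 only succeeds if a policy
    file for the system bus lets the service user own that name.
    """
    from pydbus import SessionBus, SystemBus
    return SystemBus() if bus_kind == "system" else SessionBus()


if __name__ == "__main__":
    kind = choose_bus()
    print("pantalaimon would register on the", kind, "bus")
```

Keeping the explicit option first matters for the systemd unit above: an operator who runs the service with `PrivateUsers=true` and no session bus wants a deterministic choice rather than one inferred from the environment.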