Merge pull request #661 from arnaldo2792/whippet

Add whippet

Author: arnaldo2792

packages/os/Cargo.toml

@@ -26,6 +26,7 @@ source-groups = [
     "bloodhound",
     "xfscli",
     "brush",
+    "whippet",
 ]
 
 [lib]

packages/os/dbus-1-system.toml

@@ -0,0 +1,22 @@
+[user.root]
+rules = [
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.systemd1.Activator", allow = true },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Monitoring", allow = true },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Debug.Stats", allow = true }
+]
+
+[default]
+rules = [
+    { user = "*", allow = true },
+    { own = "*", allow = false },
+    { send_type = "method-call", allow = false },
+    { send_type = "signal", allow = true },
+    { receive_type = "method-call", allow = true },
+    { receive_type = "signal", allow = true },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus", allow = true },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Introspectable", allow = true },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Properties", allow = true },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus", send_member = "UpdateActivationEnvironment", allow = false },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.DBus.Debug.Stats", allow = false },
+    { send_destination = "org.freedesktop.DBus", send_interface = "org.freedesktop.systemd1.Activator", allow = false }
+]

packages/os/os.spec

@@ -33,6 +33,7 @@ Source18: bootstrap-containers-toml
 Source19: host-containers-toml
 Source20: bottlerocket-fips-checks-metadata-json
 Source21: bootstrap-commands-toml
+Source22: dbus-1-system.toml
 
 # 1xx sources: systemd units
 Source100: apiserver.service
@@ -52,6 +53,7 @@ Source121: warm-pool-wait.service
 Source122: has-boot-ever-succeeded.service
 Source123: pluto.service
 Source124: bootstrap-commands.service
+Source125: whippet.service
 
 # 2xx sources: tmpfilesd configs
 Source200: migration-tmpfiles.conf
@@ -423,6 +425,13 @@ Conflicts: %{_cross_os}bash
 %description -n %{_cross_os}brush
 %{summary}.
 
+%package -n %{_cross_os}whippet
+Summary: Custom launcher for the D-Bus message broker
+Provides: %{_cross_os}dbus-broker(launcher) = 0:
+Conflicts: %{_cross_os}dbus-broker(launcher)
+%description -n %{_cross_os}whippet
+%{summary}.
+
 %prep
 %setup -T -c
 %cargo_prep
@@ -543,6 +552,7 @@ echo "** Output from non-static builds:"
     -p shibaken \
     -p driverdog \
     -p brush \
+    -p whippet \
     %{nil}
 
 # Wait for fips builds from the background, if they're not already done.
@@ -604,7 +614,7 @@ for p in \
   bottlerocket-cis-checks \
   bottlerocket-fips-checks \
   kubernetes-cis-checks \
-  shibaken driverdog brush \
+  shibaken driverdog brush whippet \
 ; do
   install -p -m 0755 %{__cargo_outdir}/${p} %{buildroot}%{_cross_bindir}
 done
@@ -710,6 +720,7 @@ install -p -m 0644 \
   %{S:100} %{S:102} %{S:103} %{S:105} \
   %{S:106} %{S:107} %{S:110} %{S:111} %{S:112} \
   %{S:113} %{S:114} %{S:120} %{S:122} %{S:123} %{S:124} \
+  %{S:125} \
   %{buildroot}%{_cross_unitdir}
 
 install -p -m 0644 %{S:10} %{buildroot}%{_cross_templatedir}
@@ -731,6 +742,9 @@ install -p -m 0644 %{S:300} %{buildroot}%{_cross_udevrulesdir}/80-ephemeral-stor
 install -p -m 0644 %{S:301} %{buildroot}%{_cross_udevrulesdir}/81-ebs-volumes.rules
 install -p -m 0644 %{S:302} %{buildroot}%{_cross_udevrulesdir}/82-supplemental-storage.rules
 
+install -d %{buildroot}%{_cross_datadir}/whippet/
+install -p -m 0644 %{S:22} %{buildroot}%{_cross_datadir}/whippet/system.toml
+
 %cross_scan_attribution --clarify %{_builddir}/sources/clarify.toml \
     cargo --offline --locked %{_builddir}/sources/Cargo.toml
 
@@ -932,4 +946,9 @@ install -p -m 0644 %{S:400} %{S:401} %{S:402} %{buildroot}%{_cross_licensedir}
 %{_cross_bindir}/sh
 %dir %{_cross_libexecdir}/brush/allowed-programs
 
+%files -n %{_cross_os}whippet
+%{_cross_bindir}/whippet
+%{_cross_datadir}/whippet/system.toml
+%{_cross_unitdir}/whippet.service
+
 %changelog

packages/os/whippet.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=D-Bus System Message Bus
+DefaultDependencies=false
+After=dbus.socket
+Before=basic.target shutdown.target
+Requires=dbus.socket
+Conflicts=shutdown.target
+
+[Service]
+Type=notify
+Sockets=dbus.socket
+OOMScoreAdjust=-900
+LimitNOFILE=16384
+ProtectSystem=full
+PrivateTmp=true
+PrivateDevices=true
+ExecStart=/usr/bin/whippet
+
+[Install]
+Alias=dbus.service
+WantedBy=preconfigured.target

packages/selinux-policy/fs.cil

@@ -50,6 +50,7 @@
 (filecon "/.*/usr(/fips)?/bin/cfsignal" file api_exec)
 (filecon "/.*/usr/bin/thar-be-settings" file api_exec)
 (filecon "/.*/usr/bin/dbus-broker.*" file bus_exec)
+(filecon "/.*/usr/bin/whippet" file bus_exec)
 (filecon "/.*/usr/sbin/chronyd" file clock_exec)
 (filecon "/.*/usr/lib/systemd/systemd-networkd.*" file network_exec)
 (filecon "/.*/usr(/fips)?/bin/containerd.*" file runtime_exec)