dbus: run as regular user rather than as root

Running as a dedicated dbus users is better from both a security and an
isolation perspective than running as root.

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>

utils/dbus/Makefile

@@ -33,6 +33,7 @@ define Package/dbus/Default
   CATEGORY:=Utilities
   TITLE:=Simple interprocess messaging system
   URL:=https://dbus.freedesktop.org/
+  USERID:=dbus=91:dbus=91
 endef
 
 define Package/dbus/Default/description
@@ -146,6 +147,8 @@ define Package/dbus/install
 	$(INSTALL_BIN) ./files/dbus.init $(1)/etc/init.d/dbus
 	$(INSTALL_DIR) $(1)/usr/share/dbus-1
 	$(CP) $(PKG_INSTALL_DIR)/usr/share/dbus-1 $(1)/usr/share/
+	$(INSTALL_DIR) $(1)/etc/capabilities
+	$(INSTALL_DATA) ./files/dbus.json $(1)/etc/capabilities
 endef
 
 define Package/dbus-utils/install

utils/dbus/files/dbus.init

@@ -14,6 +14,7 @@ PROG=/usr/bin/dbus-daemon
 start_service() {
 	mkdir -m 0755 -p /var/lib/dbus
 	mkdir -m 0755 -p /var/run/dbus
+	chown dbus:dbus /var/lib/dbus /var/run/dbus
 
 	[ -x /usr/bin/dbus-uuidgen ] && /usr/bin/dbus-uuidgen --ensure
 
@@ -24,6 +25,12 @@ start_service() {
 	[ -n "$DEBUG" ] && procd_set_param env DBUS_VERBOSE=1
 	procd_set_param stdout 1
 	procd_set_param stderr 1
+	[ -x /sbin/ujail -a -e /etc/capabilities/dbus.json ] && {
+		procd_add_jail dbus
+		procd_set_param user dbus
+		procd_set_param group dbus
+		procd_set_param capabilities /etc/capabilities/dbus.json
+	}
 	procd_close_instance
 }
 

utils/dbus/files/dbus.json

@@ -0,0 +1,27 @@
+{
+	"bounding": [
+		"CAP_SETPCAP",
+		"CAP_SETUID",
+		"CAP_SETGID"
+	],
+	"effective": [
+		"CAP_SETPCAP",
+		"CAP_SETUID",
+		"CAP_SETGID"
+	],
+	"ambient": [
+		"CAP_SETPCAP",
+		"CAP_SETUID",
+		"CAP_SETGID"
+	],
+	"permitted": [
+		"CAP_SETPCAP",
+		"CAP_SETUID",
+		"CAP_SETGID"
+	],
+	"inheritable": [
+		"CAP_SETPCAP",
+		"CAP_SETUID",
+		"CAP_SETGID"
+	]
+}