systemd: start as the D-Bus user/group, rather than root

When starting as root, files in /proc/self/fdinfo/ will be owned by root
and set to mode 400, so we cannot read them. Nowadays it is not necessary to
start as root when running under systemd, so just add User/Group with
the configured user to the system unit.

If libaudit support is enabled, add AmbientCapabilities=CAP_AUDIT_WRITE
so that we can still write to the audit log.

Signed-off-by: Luca Boccassi <bluca@debian.org>
Luca Boccassi 2023-03-20 01:48:06 +00:00 committed by Luca Boccassi
parent 053003014b
commit 760cb1e418
3 changed files with 8 additions and 0 deletions


@ -9,3 +9,6 @@ NotifyAccess=main
ExecStart=@EXPANDED_BINDIR@/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
ExecReload=@EXPANDED_BINDIR@/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
OOMScoreAdjust=-900
User=@DBUS_USER@
Group=@DBUS_USER@
@AMBIENT_CAPS@
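Review bot: `Group=@DBUS_USER@` reuses the user name as a group name, which only works where a group with exactly that name exists. If the configured user's primary group is named differently, the unit would presumably fail at the group-resolution step instead of starting the daemon. systemd falls back to the user's default group when `User=` is set and `Group=` is omitted, so dropping the `Group=` line keeps the daemon in its primary group. The `@AMBIENT_CAPS@` line below it is substituted by the build system, so it is worth confirming that every build that generates this unit defines it, at least as an empty string.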


@ -956,6 +956,9 @@ AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
if test x$have_libaudit = xyes ; then
SELINUX_LIBS="$SELINUX_LIBS -laudit -lcap-ng"
AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support])
# For the systemd system unit
AMBIENT_CAPS="AmbientCapabilities=CAP_AUDIT_WRITE"
AC_SUBST(AMBIENT_CAPS)
fi
AC_SUBST([SELINUX_LIBS])
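Review bot: `AMBIENT_CAPS` is assigned only inside the `have_libaudit = yes` branch and, as far as this hunk shows, is never initialised. An `AMBIENT_CAPS` value inherited from the environment of the configure run would therefore be substituted into the system unit when libaudit is off. Resetting it before the test with `AMBIENT_CAPS=` removes that dependency on the caller's environment. `AC_SUBST(AMBIENT_CAPS)` also reads more clearly after the `fi`, next to `AC_SUBST([SELINUX_LIBS])`, since the substitution is registered regardless of the shell conditional. The enclosing libaudit detection starts outside the hunk.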


@ -549,6 +549,8 @@ else
if get_option('libaudit').enabled() and not have_libaudit
error('libaudit support requested but not found')
endif
# For the systemd system unit
data_config.set('AMBIENT_CAPS', 'AmbientCapabilities=CAP_AUDIT_WRITE')
endif
config.set('HAVE_LIBAUDIT', have_libaudit)
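Review bot: `data_config.set('AMBIENT_CAPS', ...)` appears to run whenever this `else` branch is taken, not only when `have_libaudit` is true. With the option on auto and libaudit missing, the unit would still grant CAP_AUDIT_WRITE, whereas configure.ac guards the same setting on `have_libaudit = yes`. The other branch starts outside the hunk and, as far as the hunk shows, does not set the key at all, which would leave `@AMBIENT_CAPS@` undefined for the unit template. Indentation is lost on this page, so confirm the nesting against the file. One fix is to move the assignment after the final `endif` as `data_config.set('AMBIENT_CAPS', have_libaudit ? 'AmbientCapabilities=CAP_AUDIT_WRITE' : '')`.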