polkit: major update 0.105 -> 0.112

- It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion.
2013-11-09 16:29:18 +01:00 · 2013-11-09 16:29:18 +01:00 · 8d14c7baa6
parent 35a3d07c4f
commit 8d14c7baa6
6 changed files with 81 additions and 77 deletions
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -140,7 +140,7 @@
      tape = 25;
      video = 26;
      dialout = 27;
-      polkituser = 28;
+      #polkituser = 28; # currently unused, polkitd doesn't need a group
      utmp = 29;
      davfs2 = 31;
      privoxy = 32;
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@ -18,35 +18,17 @@ in
      description = "Whether to enable PolKit.";
    };

-    security.polkit.permissions = mkOption {
+    security.polkit.extraConfig = mkOption {
      type = types.lines;
      default = "";
      example =
        ''
-          [Disallow Users To Suspend]
-          Identity=unix-group:users
-          Action=org.freedesktop.upower.*
-          ResultAny=no
-          ResultInactive=no
-          ResultActive=no
-
-          [Allow Anybody To Eject Disks]
-          Identity=unix-user:*
-          Action=org.freedesktop.udisks.drive-eject
-          ResultAny=yes
-          ResultInactive=yes
-          ResultActive=yes
-
-          [Allow Alice To Mount Filesystems After Admin Authentication]
-          Identity=unix-user:alice
-          Action=org.freedesktop.udisks.filesystem-mount
-          ResultAny=auth_admin
-          ResultInactive=auth_admin
-          ResultActive=auth_admin
+          TODO
        '';
      description =
        ''
-          Allows the default permissions of privileged actions to be overridden.
+          Any polkit rules to be added to config (in JavaScript ;-). See:
+          http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
        '';
    };

@ -71,29 +53,23 @@ in

    environment.systemPackages = [ pkgs.polkit ];

-    # The polkit daemon reads action files
-    environment.pathsToLink = [ "/share/polkit-1/actions" ];
+    systemd.packages = [ pkgs.polkit ];

-    environment.etc =
-      [ # No idea what the "null backend" is, but it seems to need this.
-        { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
-          target = "polkit-1/nullbackend.conf.d";
-        }
+    # The polkit daemon reads action/rule files
+    environment.pathsToLink = [ "/share/polkit-1" ];

-        # This file determines what users are considered
-        # "administrators".
-        { source = pkgs.writeText "10-nixos.conf"
+    # PolKit rules for NixOS
+    environment.etc = [ {
+      source = pkgs.writeText "10-nixos.conf"
        ''
-              [Configuration]
-              AdminIdentities=${cfg.adminIdentities}
-            '';
-          target = "polkit-1/localauthority.conf.d/10-nixos.conf";
-        }
+          polkit.addAdminRule(function(action, subject) {
+            return ["${cfg.adminIdentities}"];
+          });

-        { source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
-          target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
-        }
-      ];
+          ${cfg.extraConfig}
+        ''; #TODO: validation on compilation (at least against typos)
+      target = "polkit-1/rules.d/10-nixos.conf";
+    } ];

    services.dbus.packages = [ pkgs.polkit ];

@ -101,24 +77,31 @@ in

    security.setuidPrograms = [ "pkexec" ];

-    security.setuidOwners = singleton
+    security.setuidOwners = [
      { program = "polkit-agent-helper-1";
        owner = "root";
        group = "root";
        setuid = true;
-        source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
-      };
+        source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
+      }
+    ];

    system.activationScripts.polkit =
      ''
-        mkdir -p /var/lib/polkit-1/localauthority
-        chmod 700 /var/lib/polkit-1{/localauthority,}
+        # Probably no more needed, clean up
+        rm -rf /var/lib/{polkit-1,PolicyKit}

        # Force polkitd to be restarted so that it reloads its
        # configuration.
        ${pkgs.procps}/bin/pkill -INT -u root -x polkitd
      '';

+    users.extraUsers.polkituser = {
+      description = "PolKit daemon";
+      uid = config.ids.uids.polkituser;
+    };
+
  };

 }
+
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -21,7 +21,7 @@ let
    level=WARN
  '';

-  polkitConf = ''
+  /*
    [network-manager]
    Identity=unix-group:networkmanager
    Action=org.freedesktop.NetworkManager.*
@ -35,6 +35,17 @@ let
    ResultAny=yes
    ResultInactive=no
    ResultActive=yes
+  */
+  polkitConf = ''
+    polkit.addRule(function(action, subject) {
+      if (
+        subject.isInGroup("networkmanager")
+        && subject.active
+        && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+            || action.id.indexOf("org.freedesktop.ModemManager.")  == 0
+        ))
+          { return polkit.Result.YES; }
+    });
  '';

  ipUpScript = writeScript "01nixos-ip-up" ''
@ -179,7 +190,7 @@ in {
      systemctl restart NetworkManager
    '';

-    security.polkit.permissions = polkitConf;
+    security.polkit.extraConfig = polkitConf;

    # openvpn plugin has only dbus interface
    services.dbus.packages = cfg.packages ++ [
--- a/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix
+++ b/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoconf213, nspr, perl, python, readline, zip }:
+{ stdenv, fetchurl, pkgconfig, autoconf213, nspr, perl, python, readline, zip }:

 stdenv.mkDerivation rec {
  version = "185-1.0.0";
@ -9,7 +9,9 @@ stdenv.mkDerivation rec {
    sha256 = "5d12f7e1f5b4a99436685d97b9b7b75f094d33580227aa998c406bbae6f2a687";
  };

-  buildInputs = [ autoconf213 nspr perl python readline zip ];
+  propagatedBuildInputs = [ nspr ];
+
+  buildInputs = [ pkgconfig autoconf213 perl python readline zip ];

  postUnpack = "sourceRoot=\${sourceRoot}/js/src";

--- a/pkgs/development/libraries/polkit/default.nix
+++ b/pkgs/development/libraries/polkit/default.nix
@ -1,61 +1,67 @@
-{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, gettext
-, gobjectIntrospection
+{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, spidermonkey
+, gobjectIntrospection, libxslt, docbook_xsl
 , useSystemd ? stdenv.isLinux, systemd }:

 let

  system = "/var/run/current-system/sw";
+  setuid = "/var/setuid-wrappers"; #TODO: from <nixos> config.security.wrapperDir;

  foolVars = {
-    LOCALSTATE = "/var";
    SYSCONF = "/etc";
-    LIB = "${system}/lib";
-    DATA = "${system}/share";
+    DATA = "${system}/share"; # to find share/polkit-1/actions of other apps at runtime
  };

 in

 stdenv.mkDerivation rec {
-  name = "polkit-0.105";
+  name = "polkit-0.112";

  src = fetchurl {
    url = "http://www.freedesktop.org/software/polkit/releases/${name}.tar.gz";
-    sha256 = "1pz1hn4z0f1wk4f7w8q1g6ygwan1b6kxmfad3b7gql27pb47rp4g";
+    sha256 = "1xkary7yirdcjdva950nqyhmsz48qhrdsr78zciahj27p8yg95fn";
  };

  buildInputs =
-    [ pkgconfig glib expat pam intltool gobjectIntrospection ]
+    [ pkgconfig glib expat pam intltool spidermonkey gobjectIntrospection ]
+    ++ [ libxslt docbook_xsl ] # man pages
    ++ stdenv.lib.optional useSystemd systemd;

-  configureFlags = "--libexecdir=$(out)/libexec/polkit-1";
-
  # Ugly hack to overwrite hardcoded directories
  # TODO: investigate a proper patch which will be accepted upstream
+  # After update it's good to check the sources via:
+  #   grep '\<PACKAGE_' '--include=*.[ch]' -R
  CFLAGS = stdenv.lib.concatStringsSep " "
    ( map (var: ''-DPACKAGE_${var}_DIR=\""${builtins.getAttr var foolVars}"\"'')
        (builtins.attrNames foolVars) );

-  preBuild =
+  preConfigure = ''
+    patchShebangs .
+  '' + stdenv.lib.optionalString useSystemd /* bogus chroot detection */ ''
+    sed '/libsystemd-login autoconfigured, but system does not appear to use systemd/s/.*/:/' -i configure
  ''
    # ‘libpolkit-agent-1.so’ should call the setuid wrapper on
    # NixOS.  Hard-coding the path is kinda ugly.  Maybe we can just
    # call through $PATH, but that might have security implications.
+  + ''
    substituteInPlace src/polkitagent/polkitagentsession.c \
-        --replace PACKAGE_LIBEXEC_DIR '"/var/setuid-wrappers"'
+      --replace   'PACKAGE_PREFIX "/lib/polkit-1/'   '"${setuid}/'
  '';

+  configureFlags = [
+    #"--libexecdir=$(out)/libexec/polkit-1" # this and localstatedir are ignored by configure
+    "--with-systemdsystemunitdir=$(out)/etc/systemd/system"
+    "--with-polkitd-user=polkituser" #TODO? <nixos> config.ids.uids.polkituser
+    "--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS
+  ];
+
  makeFlags =
    ''
      INTROSPECTION_GIRDIR=$(out)/share/gir-1.0
      INTROSPECTION_TYPELIBDIR=$(out)lib/girepository-1.0
    '';

-  postInstall =
-    ''
-      # Allow some files with paranoid permissions to be stripped in
-      # the fixup phase.
-      chmod a+rX -R $out
-    '';
+  #doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs

  meta = with stdenv.lib; {
    homepage = http://www.freedesktop.org/wiki/Software/polkit;
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -5400,7 +5400,9 @@ let

  podofo = callPackage ../development/libraries/podofo { };

-  polkit = callPackage ../development/libraries/polkit { };
+  polkit = callPackage ../development/libraries/polkit {
+    spidermonkey = spidermonkey_185;
+  };

  polkit_qt_1 = callPackage ../development/libraries/polkit-qt-1 { };