3
0
Fork 0
forked from mirrors/nixpkgs

polkit WIP: TESTED OK, only missing NM config testing/tweaking

History: 7a29bd02 7cd5ff085
This commit is contained in:
Vladimír Čunát 2013-11-01 10:54:29 +01:00
parent 743f767bc3
commit e790d27543
5 changed files with 75 additions and 77 deletions

View file

@ -18,35 +18,17 @@ in
description = "Whether to enable PolKit.";
};
security.polkit.permissions = mkOption {
security.polkit.extraConfig = mkOption {
type = types.lines;
default = "";
example =
''
[Disallow Users To Suspend]
Identity=unix-group:users
Action=org.freedesktop.upower.*
ResultAny=no
ResultInactive=no
ResultActive=no
[Allow Anybody To Eject Disks]
Identity=unix-user:*
Action=org.freedesktop.udisks.drive-eject
ResultAny=yes
ResultInactive=yes
ResultActive=yes
[Allow Alice To Mount Filesystems After Admin Authentication]
Identity=unix-user:alice
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
TODO
'';
description =
''
Allows the default permissions of privileged actions to be overridden.
Any polkit rules to be added to config (in JavaScript ;-). See:
http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
'';
};
@ -71,29 +53,23 @@ in
environment.systemPackages = [ pkgs.polkit ];
# The polkit daemon reads action files
environment.pathsToLink = [ "/share/polkit-1/actions" ];
systemd.packages = [ pkgs.polkit ];
environment.etc =
[ # No idea what the "null backend" is, but it seems to need this.
{ source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
target = "polkit-1/nullbackend.conf.d";
}
# The polkit daemon reads action/rule files
environment.pathsToLink = [ "/share/polkit-1" ];
# This file determines what users are considered
# "administrators".
{ source = pkgs.writeText "10-nixos.conf"
''
[Configuration]
AdminIdentities=${cfg.adminIdentities}
'';
target = "polkit-1/localauthority.conf.d/10-nixos.conf";
}
# PolKit rules for NixOS
environment.etc = [ {
source = pkgs.writeText "10-nixos.conf"
''
polkit.addAdminRule(function(action, subject) {
return ["${cfg.adminIdentities}"];
});
{ source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
}
];
${cfg.extraConfig}
''; #TODO: validation on compilation (at least against typos)
target = "polkit-1/rules.d/10-nixos.conf";
} ];
services.dbus.packages = [ pkgs.polkit ];
@ -101,24 +77,25 @@ in
security.setuidPrograms = [ "pkexec" ];
security.setuidOwners = singleton
security.setuidOwners = [
{ program = "polkit-agent-helper-1";
owner = "root";
group = "root";
setuid = true;
source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
};
source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
}
];
system.activationScripts.polkit =
''
mkdir -p /var/lib/polkit-1/localauthority
chmod 700 /var/lib/polkit-1{/localauthority,}
# Probably no more needed, clean up
rm -rf /var/lib/{polkit-1,PolicyKit}
# Force polkitd to be restarted so that it reloads its
# configuration.
${pkgs.procps}/bin/pkill -INT -u root -x polkitd
'';
};
}

View file

@ -21,7 +21,7 @@ let
level=WARN
'';
polkitConf = ''
/*
[network-manager]
Identity=unix-group:networkmanager
Action=org.freedesktop.NetworkManager.*
@ -35,6 +35,16 @@ let
ResultAny=yes
ResultInactive=no
ResultActive=yes
*/
polkitConf = ''
polkit.addRule(function(action, subject) {
if (
subject.isInGroup("networkmanager")
&& (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
|| action.id.indexOf("org.freedesktop.ModemManager.") == 0
))
{ return polkit.Result.YES; } #TODO: active/inactive
});
'';
ipUpScript = writeScript "01nixos-ip-up" ''
@ -179,7 +189,8 @@ in {
systemctl restart NetworkManager
'';
security.polkit.permissions = polkitConf;
#TODO
#security.polkit.permissions = polkitConf;
# openvpn plugin has only dbus interface
services.dbus.packages = cfg.packages ++ [

View file

@ -1,4 +1,4 @@
{ stdenv, fetchurl, autoconf213, nspr, perl, python, readline, zip }:
{ stdenv, fetchurl, pkgconfig, autoconf213, nspr, perl, python, readline, zip }:
stdenv.mkDerivation rec {
version = "185-1.0.0";
@ -9,7 +9,9 @@ stdenv.mkDerivation rec {
sha256 = "5d12f7e1f5b4a99436685d97b9b7b75f094d33580227aa998c406bbae6f2a687";
};
buildInputs = [ autoconf213 nspr perl python readline zip ];
propagatedBuildInputs = [ nspr ];
buildInputs = [ pkgconfig autoconf213 perl python readline zip ];
postUnpack = "sourceRoot=\${sourceRoot}/js/src";

View file

@ -1,48 +1,59 @@
{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, gettext
, gobjectIntrospection
{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, spidermonkey
, gobjectIntrospection, libxslt, docbook_xsl
, useSystemd ? stdenv.isLinux, systemd }:
let
system = "/var/run/current-system/sw";
setuid = "/var/setuid-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
foolVars = {
LOCALSTATE = "/var";
SYSCONF = "/etc";
LIB = "${system}/lib";
DATA = "${system}/share";
DATA = "${system}/share"; # to find share/polkit-1/actions of other apps at runtime
};
in
stdenv.mkDerivation rec {
name = "polkit-0.105";
name = "polkit-0.112";
src = fetchurl {
url = "http://www.freedesktop.org/software/polkit/releases/${name}.tar.gz";
sha256 = "1pz1hn4z0f1wk4f7w8q1g6ygwan1b6kxmfad3b7gql27pb47rp4g";
sha256 = "1xkary7yirdcjdva950nqyhmsz48qhrdsr78zciahj27p8yg95fn";
};
buildInputs =
[ pkgconfig glib expat pam intltool gobjectIntrospection ]
[ pkgconfig glib expat pam intltool spidermonkey gobjectIntrospection ]
++ [ libxslt docbook_xsl ] # man pages
++ stdenv.lib.optional useSystemd systemd;
configureFlags = "--libexecdir=$(out)/libexec/polkit-1";
# Ugly hack to overwrite hardcoded directories
# TODO: investigate a proper patch which will be accepted upstream
# After update it's good to check the sources via:
# grep '\<PACKAGE_' '--include=*.[ch]' -R
CFLAGS = stdenv.lib.concatStringsSep " "
( map (var: ''-DPACKAGE_${var}_DIR=\""${builtins.getAttr var foolVars}"\"'')
(builtins.attrNames foolVars) );
preBuild =
''
# libpolkit-agent-1.so should call the setuid wrapper on
# NixOS. Hard-coding the path is kinda ugly. Maybe we can just
# call through $PATH, but that might have security implications.
substituteInPlace src/polkitagent/polkitagentsession.c \
--replace PACKAGE_LIBEXEC_DIR '"/var/setuid-wrappers"'
'';
preConfigure = ''
patchShebangs .
'' + stdenv.lib.optionalString useSystemd /* bogus chroot detection */ ''
sed '/libsystemd-login autoconfigured, but system does not appear to use systemd/s/.*/:/' -i configure
''
# libpolkit-agent-1.so should call the setuid wrapper on
# NixOS. Hard-coding the path is kinda ugly. Maybe we can just
# call through $PATH, but that might have security implications.
+ ''
substituteInPlace src/polkitagent/polkitagentsession.c \
--replace 'PACKAGE_PREFIX "/lib/polkit-1/' '"${setuid}/'
'';
configureFlags = [
#"--libexecdir=$(out)/libexec/polkit-1" # this and localstatedir are ignored by configure
"--with-systemdsystemunitdir=$(out)/etc/systemd/system"
"--with-polkitd-user=polkituser" #TODO? <nixos> config.ids.uids.polkituser
"--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS
];
makeFlags =
''
@ -50,12 +61,7 @@ stdenv.mkDerivation rec {
INTROSPECTION_TYPELIBDIR=$(out)lib/girepository-1.0
'';
postInstall =
''
# Allow some files with paranoid permissions to be stripped in
# the fixup phase.
chmod a+rX -R $out
'';
#doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs
meta = with stdenv.lib; {
homepage = http://www.freedesktop.org/wiki/Software/polkit;

View file

@ -5400,7 +5400,9 @@ let
podofo = callPackage ../development/libraries/podofo { };
polkit = callPackage ../development/libraries/polkit { };
polkit = callPackage ../development/libraries/polkit {
spidermonkey = spidermonkey_185;
};
polkit_qt_1 = callPackage ../development/libraries/polkit-qt-1 { };