forked from mirrors/nixpkgs
polkit WIP: TESTED OK, only missing NM config testing/tweaking
History: 7a29bd02 7cd5ff085
This commit is contained in:
parent
743f767bc3
commit
e790d27543
|
@ -18,35 +18,17 @@ in
|
|||
description = "Whether to enable PolKit.";
|
||||
};
|
||||
|
||||
security.polkit.permissions = mkOption {
|
||||
security.polkit.extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
example =
|
||||
''
|
||||
[Disallow Users To Suspend]
|
||||
Identity=unix-group:users
|
||||
Action=org.freedesktop.upower.*
|
||||
ResultAny=no
|
||||
ResultInactive=no
|
||||
ResultActive=no
|
||||
|
||||
[Allow Anybody To Eject Disks]
|
||||
Identity=unix-user:*
|
||||
Action=org.freedesktop.udisks.drive-eject
|
||||
ResultAny=yes
|
||||
ResultInactive=yes
|
||||
ResultActive=yes
|
||||
|
||||
[Allow Alice To Mount Filesystems After Admin Authentication]
|
||||
Identity=unix-user:alice
|
||||
Action=org.freedesktop.udisks.filesystem-mount
|
||||
ResultAny=auth_admin
|
||||
ResultInactive=auth_admin
|
||||
ResultActive=auth_admin
|
||||
TODO
|
||||
'';
|
||||
description =
|
||||
''
|
||||
Allows the default permissions of privileged actions to be overridden.
|
||||
Any polkit rules to be added to config (in JavaScript ;-). See:
|
||||
http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
|
||||
'';
|
||||
};
|
||||
|
||||
|
@ -71,29 +53,23 @@ in
|
|||
|
||||
environment.systemPackages = [ pkgs.polkit ];
|
||||
|
||||
# The polkit daemon reads action files
|
||||
environment.pathsToLink = [ "/share/polkit-1/actions" ];
|
||||
systemd.packages = [ pkgs.polkit ];
|
||||
|
||||
environment.etc =
|
||||
[ # No idea what the "null backend" is, but it seems to need this.
|
||||
{ source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
|
||||
target = "polkit-1/nullbackend.conf.d";
|
||||
}
|
||||
# The polkit daemon reads action/rule files
|
||||
environment.pathsToLink = [ "/share/polkit-1" ];
|
||||
|
||||
# This file determines what users are considered
|
||||
# "administrators".
|
||||
{ source = pkgs.writeText "10-nixos.conf"
|
||||
''
|
||||
[Configuration]
|
||||
AdminIdentities=${cfg.adminIdentities}
|
||||
'';
|
||||
target = "polkit-1/localauthority.conf.d/10-nixos.conf";
|
||||
}
|
||||
# PolKit rules for NixOS
|
||||
environment.etc = [ {
|
||||
source = pkgs.writeText "10-nixos.conf"
|
||||
''
|
||||
polkit.addAdminRule(function(action, subject) {
|
||||
return ["${cfg.adminIdentities}"];
|
||||
});
|
||||
|
||||
{ source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
|
||||
target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
|
||||
}
|
||||
];
|
||||
${cfg.extraConfig}
|
||||
''; #TODO: validation on compilation (at least against typos)
|
||||
target = "polkit-1/rules.d/10-nixos.conf";
|
||||
} ];
|
||||
|
||||
services.dbus.packages = [ pkgs.polkit ];
|
||||
|
||||
|
@ -101,24 +77,25 @@ in
|
|||
|
||||
security.setuidPrograms = [ "pkexec" ];
|
||||
|
||||
security.setuidOwners = singleton
|
||||
security.setuidOwners = [
|
||||
{ program = "polkit-agent-helper-1";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
setuid = true;
|
||||
source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
|
||||
};
|
||||
source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
|
||||
}
|
||||
];
|
||||
|
||||
system.activationScripts.polkit =
|
||||
''
|
||||
mkdir -p /var/lib/polkit-1/localauthority
|
||||
chmod 700 /var/lib/polkit-1{/localauthority,}
|
||||
# Probably no more needed, clean up
|
||||
rm -rf /var/lib/{polkit-1,PolicyKit}
|
||||
|
||||
# Force polkitd to be restarted so that it reloads its
|
||||
# configuration.
|
||||
${pkgs.procps}/bin/pkill -INT -u root -x polkitd
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ let
|
|||
level=WARN
|
||||
'';
|
||||
|
||||
polkitConf = ''
|
||||
/*
|
||||
[network-manager]
|
||||
Identity=unix-group:networkmanager
|
||||
Action=org.freedesktop.NetworkManager.*
|
||||
|
@ -35,6 +35,16 @@ let
|
|||
ResultAny=yes
|
||||
ResultInactive=no
|
||||
ResultActive=yes
|
||||
*/
|
||||
polkitConf = ''
|
||||
polkit.addRule(function(action, subject) {
|
||||
if (
|
||||
subject.isInGroup("networkmanager")
|
||||
&& (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
|
||||
|| action.id.indexOf("org.freedesktop.ModemManager.") == 0
|
||||
))
|
||||
{ return polkit.Result.YES; } #TODO: active/inactive
|
||||
});
|
||||
'';
|
||||
|
||||
ipUpScript = writeScript "01nixos-ip-up" ''
|
||||
|
@ -179,7 +189,8 @@ in {
|
|||
systemctl restart NetworkManager
|
||||
'';
|
||||
|
||||
security.polkit.permissions = polkitConf;
|
||||
#TODO
|
||||
#security.polkit.permissions = polkitConf;
|
||||
|
||||
# openvpn plugin has only dbus interface
|
||||
services.dbus.packages = cfg.packages ++ [
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ stdenv, fetchurl, autoconf213, nspr, perl, python, readline, zip }:
|
||||
{ stdenv, fetchurl, pkgconfig, autoconf213, nspr, perl, python, readline, zip }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
version = "185-1.0.0";
|
||||
|
@ -9,7 +9,9 @@ stdenv.mkDerivation rec {
|
|||
sha256 = "5d12f7e1f5b4a99436685d97b9b7b75f094d33580227aa998c406bbae6f2a687";
|
||||
};
|
||||
|
||||
buildInputs = [ autoconf213 nspr perl python readline zip ];
|
||||
propagatedBuildInputs = [ nspr ];
|
||||
|
||||
buildInputs = [ pkgconfig autoconf213 perl python readline zip ];
|
||||
|
||||
postUnpack = "sourceRoot=\${sourceRoot}/js/src";
|
||||
|
||||
|
|
|
@ -1,48 +1,59 @@
|
|||
{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, gettext
|
||||
, gobjectIntrospection
|
||||
{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, spidermonkey
|
||||
, gobjectIntrospection, libxslt, docbook_xsl
|
||||
, useSystemd ? stdenv.isLinux, systemd }:
|
||||
|
||||
let
|
||||
|
||||
system = "/var/run/current-system/sw";
|
||||
setuid = "/var/setuid-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
|
||||
|
||||
foolVars = {
|
||||
LOCALSTATE = "/var";
|
||||
SYSCONF = "/etc";
|
||||
LIB = "${system}/lib";
|
||||
DATA = "${system}/share";
|
||||
DATA = "${system}/share"; # to find share/polkit-1/actions of other apps at runtime
|
||||
};
|
||||
|
||||
in
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "polkit-0.105";
|
||||
name = "polkit-0.112";
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://www.freedesktop.org/software/polkit/releases/${name}.tar.gz";
|
||||
sha256 = "1pz1hn4z0f1wk4f7w8q1g6ygwan1b6kxmfad3b7gql27pb47rp4g";
|
||||
sha256 = "1xkary7yirdcjdva950nqyhmsz48qhrdsr78zciahj27p8yg95fn";
|
||||
};
|
||||
|
||||
buildInputs =
|
||||
[ pkgconfig glib expat pam intltool gobjectIntrospection ]
|
||||
[ pkgconfig glib expat pam intltool spidermonkey gobjectIntrospection ]
|
||||
++ [ libxslt docbook_xsl ] # man pages
|
||||
++ stdenv.lib.optional useSystemd systemd;
|
||||
|
||||
configureFlags = "--libexecdir=$(out)/libexec/polkit-1";
|
||||
|
||||
# Ugly hack to overwrite hardcoded directories
|
||||
# TODO: investigate a proper patch which will be accepted upstream
|
||||
# After update it's good to check the sources via:
|
||||
# grep '\<PACKAGE_' '--include=*.[ch]' -R
|
||||
CFLAGS = stdenv.lib.concatStringsSep " "
|
||||
( map (var: ''-DPACKAGE_${var}_DIR=\""${builtins.getAttr var foolVars}"\"'')
|
||||
(builtins.attrNames foolVars) );
|
||||
|
||||
preBuild =
|
||||
''
|
||||
# ‘libpolkit-agent-1.so’ should call the setuid wrapper on
|
||||
# NixOS. Hard-coding the path is kinda ugly. Maybe we can just
|
||||
# call through $PATH, but that might have security implications.
|
||||
substituteInPlace src/polkitagent/polkitagentsession.c \
|
||||
--replace PACKAGE_LIBEXEC_DIR '"/var/setuid-wrappers"'
|
||||
'';
|
||||
preConfigure = ''
|
||||
patchShebangs .
|
||||
'' + stdenv.lib.optionalString useSystemd /* bogus chroot detection */ ''
|
||||
sed '/libsystemd-login autoconfigured, but system does not appear to use systemd/s/.*/:/' -i configure
|
||||
''
|
||||
# ‘libpolkit-agent-1.so’ should call the setuid wrapper on
|
||||
# NixOS. Hard-coding the path is kinda ugly. Maybe we can just
|
||||
# call through $PATH, but that might have security implications.
|
||||
+ ''
|
||||
substituteInPlace src/polkitagent/polkitagentsession.c \
|
||||
--replace 'PACKAGE_PREFIX "/lib/polkit-1/' '"${setuid}/'
|
||||
'';
|
||||
|
||||
configureFlags = [
|
||||
#"--libexecdir=$(out)/libexec/polkit-1" # this and localstatedir are ignored by configure
|
||||
"--with-systemdsystemunitdir=$(out)/etc/systemd/system"
|
||||
"--with-polkitd-user=polkituser" #TODO? <nixos> config.ids.uids.polkituser
|
||||
"--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS
|
||||
];
|
||||
|
||||
makeFlags =
|
||||
''
|
||||
|
@ -50,12 +61,7 @@ stdenv.mkDerivation rec {
|
|||
INTROSPECTION_TYPELIBDIR=$(out)lib/girepository-1.0
|
||||
'';
|
||||
|
||||
postInstall =
|
||||
''
|
||||
# Allow some files with paranoid permissions to be stripped in
|
||||
# the fixup phase.
|
||||
chmod a+rX -R $out
|
||||
'';
|
||||
#doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
homepage = http://www.freedesktop.org/wiki/Software/polkit;
|
||||
|
|
|
@ -5400,7 +5400,9 @@ let
|
|||
|
||||
podofo = callPackage ../development/libraries/podofo { };
|
||||
|
||||
polkit = callPackage ../development/libraries/polkit { };
|
||||
polkit = callPackage ../development/libraries/polkit {
|
||||
spidermonkey = spidermonkey_185;
|
||||
};
|
||||
|
||||
polkit_qt_1 = callPackage ../development/libraries/polkit-qt-1 { };
|
||||
|
||||
|
|
Loading…
Reference in a new issue