systemd: Prevent privilege escalation via polkit

Cherry-picked from upstream.  Also applied a fix for the CPUShares
configuration option while I'm at it.

CVE-2013-4327

pkgs/os-specific/linux/systemd/0001-Make-systemctl-daemon-reexec-do-the-right-thing-on-N.patch

@@ -1,7 +1,7 @@
 From 8f861550827e750fb56954c3f91a2f565abb42bb Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 15:44:33 +0100
-Subject: [PATCH 1/9] Make "systemctl daemon-reexec" do the right thing on
+Subject: [PATCH 01/11] Make "systemctl daemon-reexec" do the right thing on
  NixOS
 
 ---
@@ -22,5 +22,5 @@ index 7fc06be..7575223 100644
                                  args[i++] = "--switched-root";
                          args[i++] = arg_running_as == SYSTEMD_SYSTEM ? "--system" : "--user";
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0002-Ignore-duplicate-paths-in-systemctl-start.patch

@@ -1,7 +1,7 @@
 From 2afcee0b4da066fb5f8fc00b749d88f5bd9df3d3 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 15:45:01 +0100
-Subject: [PATCH 2/9] Ignore duplicate paths in "systemctl start"
+Subject: [PATCH 02/11] Ignore duplicate paths in "systemctl start"
 
 ---
  src/systemctl/systemctl.c | 2 +-
@@ -21,5 +21,5 @@ index 3cca861..16791a2 100644
                          return r;
                  }
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0003-Start-device-units-for-uninitialised-encrypted-devic.patch

@@ -1,7 +1,7 @@
 From b288ca7d376e3a78368a2b59529ebe5ba812babf Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 15:46:30 +0100
-Subject: [PATCH 3/9] Start device units for uninitialised encrypted devices
+Subject: [PATCH 03/11] Start device units for uninitialised encrypted devices
 
 This is necessary because the NixOS service that initialises the
 filesystem depends on the appearance of the device unit.  Also, this
@@ -28,5 +28,5 @@ index d17bdd9..040b10e 100644
  SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", KERNEL=="md*", TEST!="md/array_state", ENV{SYSTEMD_READY}="0"
  SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", KERNEL=="md*", ATTR{md/array_state}=="|clear|inactive", ENV{SYSTEMD_READY}="0"
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0004-Set-switch-to-configuration-hints-for-some-units.patch

@@ -1,7 +1,7 @@
 From 7a498e661f3d111fa09700a6cfa62cfd6733b1cc Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 15:48:19 +0100
-Subject: [PATCH 4/9] Set switch-to-configuration hints for some units
+Subject: [PATCH 04/11] Set switch-to-configuration hints for some units
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -70,5 +70,5 @@ index 0869e73..b6ed958 100644
 +# Restart kills all active sessions.
 +X-RestartIfChanged=no
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0005-sysinit.target-Drop-the-dependency-on-local-fs.targe.patch

@@ -1,7 +1,7 @@
 From e6bbe5fa858bd8196c8e1f264904679e6bda426d Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 15:56:03 +0100
-Subject: [PATCH 5/9] sysinit.target: Drop the dependency on local-fs.target
+Subject: [PATCH 05/11] sysinit.target: Drop the dependency on local-fs.target
  and swap.target
 
 Having all services with DefaultDependencies=yes depend on
@@ -29,5 +29,5 @@ index 8f4fb8f..e0f0147 100644
 +After=emergency.service emergency.target
  RefuseManualStart=yes
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0006-Don-t-call-plymouth-quit.patch

@@ -1,7 +1,7 @@
 From 4731a9074538e9e24d2b81fc737917b064e194e6 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 18:36:28 +0100
-Subject: [PATCH 6/9] Don't call "plymouth quit"
+Subject: [PATCH 06/11] Don't call "plymouth quit"
 
 NixOS doesn't use Plymouth (yet).
 ---
@@ -34,5 +34,5 @@ index 269797a..2c640f4 100644
  ExecStart=-/sbin/sulogin
  ExecStopPost=-@SYSTEMCTL@ --fail --no-block default
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0007-Ignore-IPv6-link-local-addresses.patch

@@ -1,7 +1,7 @@
 From f0c362873860526579bf9bda216005fd5a0936dd Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Mon, 4 Feb 2013 12:41:14 +0100
-Subject: [PATCH 7/9] Ignore IPv6 link-local addresses
+Subject: [PATCH 07/11] Ignore IPv6 link-local addresses
 
 Returning IPv6 link-local addresses is a bad idea, because they only
 work if an application connects specifically over the corresponding
@@ -33,5 +33,5 @@ index b1ef912..4f2ab5c 100644
                          continue;
  
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0008-Don-t-try-to-unmount-nix-or-nix-store.patch

@@ -1,7 +1,7 @@
 From 0112df74e576dd683c132ec33861b7099dc94454 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Fri, 12 Apr 2013 13:16:57 +0200
-Subject: [PATCH 8/9] Don't try to unmount /nix or /nix/store
+Subject: [PATCH 08/11] Don't try to unmount /nix or /nix/store
 
 They'll still be remounted read-only.
 
@@ -24,5 +24,5 @@ index 1e95ad7..9f0e471 100644
                      || path_equal(m->path, "/usr")
  #endif
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0009-Start-ctrl-alt-del.target-irreversibly.patch

@@ -1,7 +1,7 @@
 From ed7c22c76e1399861ec8e0216f08a7f9419eea50 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 7 May 2013 14:03:13 +0200
-Subject: [PATCH 9/9] Start ctrl-alt-del.target irreversibly
+Subject: [PATCH 09/11] Start ctrl-alt-del.target irreversibly
 
 This makes ctrl-alt-del reboots more robust, just like "systemctl
 reboot".
@@ -23,5 +23,5 @@ index c7f8f20..0508628 100644
                          }
  
 -- 
-1.8.2.1
+1.8.3.4
 

pkgs/os-specific/linux/systemd/0010-Fix-CPUShares-configuration-option.patch

@@ -0,0 +1,27 @@
+From 687e657cd320cb4d4ae442e3529ae9571108bb6e Mon Sep 17 00:00:00 2001
+From: Eelco Dolstra <eelco.dolstra@logicblox.com>
+Date: Fri, 24 May 2013 13:34:53 -0400
+Subject: [PATCH 10/11] Fix CPUShares configuration option
+
+This fixes the error message "Unknown or unsupported cgroup attribute
+CPUShares".
+---
+ src/core/cgroup-semantics.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/cgroup-semantics.c b/src/core/cgroup-semantics.c
+index 82b02bb..7df9d01 100644
+--- a/src/core/cgroup-semantics.c
++++ b/src/core/cgroup-semantics.c
+@@ -255,7 +255,7 @@ static int map_blkio(const CGroupSemantics *s, const char *value, char **ret) {
+ }
+ 
+ static const CGroupSemantics semantics[] = {
+-        { "cpu",     "cpu.shares",                 "CPUShare",              false, parse_cpu_shares,          NULL,       NULL },
++        { "cpu",     "cpu.shares",                 "CPUShares",             false, parse_cpu_shares,          NULL,       NULL },
+         { "memory",  "memory.soft_limit_in_bytes", "MemorySoftLimit",       false, parse_memory_limit,        NULL,       NULL },
+         { "memory",  "memory.limit_in_bytes",      "MemoryLimit",           false, parse_memory_limit,        NULL,       NULL },
+         { "devices", "devices.allow",              "DeviceAllow",           true,  parse_device,              map_device, NULL },
+-- 
+1.8.3.4
+

pkgs/os-specific/linux/systemd/0011-polkit-Avoid-race-condition-in-scraping-proc.patch

@@ -0,0 +1,75 @@
+From ab7707b4a9b1b7615bfe2e30e4a2bc9cb5261766 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 22 Aug 2013 13:55:21 -0400
+Subject: [PATCH 11/11] polkit: Avoid race condition in scraping /proc
+
+If a calling process execve()s a setuid program, it can appear to be
+uid 0.  Since we're receiving requests over DBus, avoid this by simply
+passing system-bus-name as a subject.
+---
+ src/shared/polkit.c | 31 +++++--------------------------
+ 1 file changed, 5 insertions(+), 26 deletions(-)
+
+diff --git a/src/shared/polkit.c b/src/shared/polkit.c
+index cea7074..1c5e9e3 100644
+--- a/src/shared/polkit.c
++++ b/src/shared/polkit.c
+@@ -38,12 +38,8 @@ int verify_polkit(
+ 
+ #ifdef ENABLE_POLKIT
+         DBusMessage *m = NULL, *reply = NULL;
+-        const char *unix_process = "unix-process", *pid = "pid", *starttime = "start-time", *cancel_id = "";
++        const char *system_bus_name = "system-bus-name", *name = "name", *cancel_id = "";
+         uint32_t flags = interactive ? 1 : 0;
+-        pid_t pid_raw;
+-        uint32_t pid_u32;
+-        unsigned long long starttime_raw;
+-        uint64_t starttime_u64;
+         DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
+         int r;
+         dbus_bool_t authorized = FALSE, challenge = FALSE;
+@@ -68,14 +64,6 @@ int verify_polkit(
+ 
+ #ifdef ENABLE_POLKIT
+ 
+-        pid_raw = bus_get_unix_process_id(c, sender, error);
+-        if (pid_raw == 0)
+-                return -EINVAL;
+-
+-        r = get_starttime_of_pid(pid_raw, &starttime_raw);
+-        if (r < 0)
+-                return r;
+-
+         m = dbus_message_new_method_call(
+                         "org.freedesktop.PolicyKit1",
+                         "/org/freedesktop/PolicyKit1/Authority",
+@@ -86,22 +74,13 @@ int verify_polkit(
+ 
+         dbus_message_iter_init_append(m, &iter_msg);
+ 
+-        pid_u32 = (uint32_t) pid_raw;
+-        starttime_u64 = (uint64_t) starttime_raw;
+-
+         if (!dbus_message_iter_open_container(&iter_msg, DBUS_TYPE_STRUCT, NULL, &iter_struct) ||
+-            !dbus_message_iter_append_basic(&iter_struct, DBUS_TYPE_STRING, &unix_process) ||
++            !dbus_message_iter_append_basic(&iter_struct, DBUS_TYPE_STRING, &system_bus_name) ||
+             !dbus_message_iter_open_container(&iter_struct, DBUS_TYPE_ARRAY, "{sv}", &iter_array) ||
+             !dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict) ||
+-            !dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &pid) ||
+-            !dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant) ||
+-            !dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &pid_u32) ||
+-            !dbus_message_iter_close_container(&iter_dict, &iter_variant) ||
+-            !dbus_message_iter_close_container(&iter_array, &iter_dict) ||
+-            !dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict) ||
+-            !dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &starttime) ||
+-            !dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "t", &iter_variant) ||
+-            !dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT64, &starttime_u64) ||
++            !dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &name) ||
++            !dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "s", &iter_variant) ||
++            !dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_STRING, &sender) ||
+             !dbus_message_iter_close_container(&iter_dict, &iter_variant) ||
+             !dbus_message_iter_close_container(&iter_array, &iter_dict) ||
+             !dbus_message_iter_close_container(&iter_struct, &iter_array) ||
+-- 
+1.8.3.4
+

pkgs/os-specific/linux/systemd/default.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
       ./0007-Ignore-IPv6-link-local-addresses.patch
       ./0008-Don-t-try-to-unmount-nix-or-nix-store.patch
       ./0009-Start-ctrl-alt-del.target-irreversibly.patch
+      ./0010-Fix-CPUShares-configuration-option.patch
+      ./0011-polkit-Avoid-race-condition-in-scraping-proc.patch
     ] ++ stdenv.lib.optional stdenv.isArm ./libc-bug-accept4-arm.patch;
 
   buildInputs =