From fdbf7dc8b38cd523804d342d2c153dfeb10cc83d Mon Sep 17 00:00:00 2001
From: Joachim Fasting <joachifm@fastmail.fm>
Date: Sat, 26 Nov 2016 02:52:41 +0100
Subject: [PATCH] gradm: fix using gradm while the RBAC system is active

The built-in ACL prevents the gradm binary from loading dynamic
libraries from the Nix store.  Thus, once the RBAC system is activated,
the gradm binary cannot be used.

Fix by patching in rules to allow references to the Nix store where
appropriate.
---
 pkgs/os-specific/linux/gradm/default.nix      |  2 ++
 .../linux/gradm/gradm_nix_store.patch         | 31 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 pkgs/os-specific/linux/gradm/gradm_nix_store.patch

diff --git a/pkgs/os-specific/linux/gradm/default.nix b/pkgs/os-specific/linux/gradm/default.nix
index 7f64ed227719..2beb07094697 100644
--- a/pkgs/os-specific/linux/gradm/default.nix
+++ b/pkgs/os-specific/linux/gradm/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
     sha256 = "0y5565rhil5ciprwz7nx4s4ah7dsxx7zrkg42dbq0mcg8m316xrb";
   };
 
+  patches = [ ./gradm_nix_store.patch ];
+
   nativeBuildInputs = [ bison flex ];
   buildInputs = [ pam ];
 
diff --git a/pkgs/os-specific/linux/gradm/gradm_nix_store.patch b/pkgs/os-specific/linux/gradm/gradm_nix_store.patch
new file mode 100644
index 000000000000..c1b7047324b1
--- /dev/null
+++ b/pkgs/os-specific/linux/gradm/gradm_nix_store.patch
@@ -0,0 +1,31 @@
+diff -ruN a/gradm_adm.c b/gradm_adm.c
+--- a/gradm_adm.c	2016-08-13 18:56:45.000000000 +0200
++++ b/gradm_adm.c	2016-11-26 02:47:05.829718770 +0100
+@@ -166,6 +166,8 @@
+ 	ADD_OBJ("/usr/libx32", "rx");
+ 	ADD_OBJ("/lib64", "rx");
+ 	ADD_OBJ("/usr/lib64", "rx");
++	ADD_OBJ("/nix/store", "h");
++	ADD_OBJ("/nix/store/*/lib", "rx");
+ 	ADD_OBJ(gradm_name, "x");
+ 	ADD_OBJ(grpam_path, "x");
+ 
+@@ -286,6 +288,8 @@
+ 	ADD_OBJ("/usr/lib32", "rx");
+ 	ADD_OBJ("/lib64", "rx");
+ 	ADD_OBJ("/usr/lib64", "rx");
++	ADD_OBJ("/nix/store", "h");
++	ADD_OBJ("/nix/store/*/lib", "rx");
+ 	ADD_OBJ("/tmp", "");
+ 	ADD_OBJ("/tmp/krb5cc_pam*", "rwcd");
+ 	ADD_OBJ(grpam_path, "x");
+@@ -369,6 +373,9 @@
+ 	ADD_OBJ("/lib", "rx");
+ 	ADD_OBJ("/lib32", "rx");
+ 	ADD_OBJ("/lib64", "rx");
++	ADD_OBJ("/nix/store", "h");
++	ADD_OBJ("/nix/store/*/bin", "rx");
++	ADD_OBJ("/nix/store/*/lib", "rx");
+ 	ADD_OBJ("/usr", "rx");
+ 	ADD_OBJ("/proc", "r");
+ 	ADD_OBJ("/boot", "h");
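Review bot: The wildcard objects `/nix/store/*/lib` (all three nested hunks) and `/nix/store/*/bin` (third nested hunk, at -369) grant `rx` on every store path rather than on the libraries gradm actually links against, which is much wider than the fixed system directories listed beside them. On a multi-user Nix install the store can hold outputs of builds requested by unprivileged users, so these subjects could presumably read and execute content the administrator never vetted; it is worth confirming that this is acceptable for the built-in policy. Consider narrowing the rules to the concrete closure paths substituted at build time from default.nix (for example the glibc and pam outputs), and add a comment such as `/* NixOS: shared objects live under /nix/store/<hash>-<name>/lib, not /lib */` above each added pair. The nested hunks carry no function context, so which role or subject each object list belongs to cannot be confirmed from here.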