about summary refs log tree commit diff
path: root/nixos/modules/security/polkit.nix
diff options
context:
space:
mode:
authorVladimír Čunát <vcunat@gmail.com>2013-11-09 16:29:18 +0100
committerVladimír Čunát <vcunat@gmail.com>2013-11-09 16:29:18 +0100
commit8d14c7baa6b293b3b48741b203400116ed9882ab (patch)
tree96a4dffa07593420db661783f34ebbfb9ebc3222 /nixos/modules/security/polkit.nix
parent35a3d07c4f1cc2772e35decb348a71651056c057 (diff)
downloadnixlib-8d14c7baa6b293b3b48741b203400116ed9882ab.tar
nixlib-8d14c7baa6b293b3b48741b203400116ed9882ab.tar.gz
nixlib-8d14c7baa6b293b3b48741b203400116ed9882ab.tar.bz2
nixlib-8d14c7baa6b293b3b48741b203400116ed9882ab.tar.lz
nixlib-8d14c7baa6b293b3b48741b203400116ed9882ab.tar.xz
nixlib-8d14c7baa6b293b3b48741b203400116ed9882ab.tar.zst
nixlib-8d14c7baa6b293b3b48741b203400116ed9882ab.zip
polkit: major update 0.105 -> 0.112
- It now uses JavaScript for configuration (only),
  so I had to "convert" config for NetworkManager.
- I tested suspend/restart/(un)mount on KDE/Xfce,
  Phreedom tested NetworkManager config conversion.
Diffstat (limited to 'nixos/modules/security/polkit.nix')
-rw-r--r--nixos/modules/security/polkit.nix83
1 files changed, 33 insertions, 50 deletions
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index cafa9f82d5e4..940e87e0b024 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -18,35 +18,17 @@ in
       description = "Whether to enable PolKit.";
     };
 
-    security.polkit.permissions = mkOption {
+    security.polkit.extraConfig = mkOption {
       type = types.lines;
       default = "";
       example =
         ''
-          [Disallow Users To Suspend]
-          Identity=unix-group:users
-          Action=org.freedesktop.upower.*
-          ResultAny=no
-          ResultInactive=no
-          ResultActive=no
-
-          [Allow Anybody To Eject Disks]
-          Identity=unix-user:*
-          Action=org.freedesktop.udisks.drive-eject
-          ResultAny=yes
-          ResultInactive=yes
-          ResultActive=yes
-
-          [Allow Alice To Mount Filesystems After Admin Authentication]
-          Identity=unix-user:alice
-          Action=org.freedesktop.udisks.filesystem-mount
-          ResultAny=auth_admin
-          ResultInactive=auth_admin
-          ResultActive=auth_admin
+          TODO
         '';
       description =
         ''
-          Allows the default permissions of privileged actions to be overridden.
+          Any polkit rules to be added to config (in JavaScript ;-). See:
+          http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
         '';
     };
 
@@ -71,29 +53,23 @@ in
 
     environment.systemPackages = [ pkgs.polkit ];
 
-    # The polkit daemon reads action files
-    environment.pathsToLink = [ "/share/polkit-1/actions" ];
-
-    environment.etc =
-      [ # No idea what the "null backend" is, but it seems to need this.
-        { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
-          target = "polkit-1/nullbackend.conf.d";
-        }
-
-        # This file determines what users are considered
-        # "administrators".
-        { source = pkgs.writeText "10-nixos.conf"
-            ''
-              [Configuration]
-              AdminIdentities=${cfg.adminIdentities}
-            '';
-          target = "polkit-1/localauthority.conf.d/10-nixos.conf";
-        }
-
-        { source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
-          target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
-        }
-      ];
+    systemd.packages = [ pkgs.polkit ];
+
+    # The polkit daemon reads action/rule files
+    environment.pathsToLink = [ "/share/polkit-1" ];
+
+    # PolKit rules for NixOS
+    environment.etc = [ {
+      source = pkgs.writeText "10-nixos.conf"
+        ''
+          polkit.addAdminRule(function(action, subject) {
+            return ["${cfg.adminIdentities}"];
+          });
+
+          ${cfg.extraConfig}
+        ''; #TODO: validation on compilation (at least against typos)
+      target = "polkit-1/rules.d/10-nixos.conf";
+    } ];
 
     services.dbus.packages = [ pkgs.polkit ];
 
@@ -101,24 +77,31 @@ in
 
     security.setuidPrograms = [ "pkexec" ];
 
-    security.setuidOwners = singleton
+    security.setuidOwners = [
       { program = "polkit-agent-helper-1";
         owner = "root";
         group = "root";
         setuid = true;
-        source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
-      };
+        source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
+      }
+    ];
 
     system.activationScripts.polkit =
       ''
-        mkdir -p /var/lib/polkit-1/localauthority
-        chmod 700 /var/lib/polkit-1{/localauthority,}
+        # Probably no more needed, clean up
+        rm -rf /var/lib/{polkit-1,PolicyKit}
 
         # Force polkitd to be restarted so that it reloads its
         # configuration.
         ${pkgs.procps}/bin/pkill -INT -u root -x polkitd
       '';
 
+    users.extraUsers.polkituser = {
+      description = "PolKit daemon";
+      uid = config.ids.uids.polkituser;
+    };
+
   };
 
 }
+
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-02 19:53:15 +0000