Add 'nixpkgs/' from commit 'abf060725d7614bd3b9f96764262dfbc2f9c2199'

git-subtree-dir: nixpkgs
git-subtree-mainline: 4e31070265257dc67d120c27e0f75c2344fdfa9a
git-subtree-split: abf060725d7614bd3b9f96764262dfbc2f9c2199

2 files changed, 156 insertions, 0 deletions

diff --git a/nixpkgs/pkgs/development/libraries/polkit/default.nix b/nixpkgs/pkgs/development/libraries/polkit/default.nix
new file mode 100644
index 000000000000..8093aec6bcc6
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/polkit/default.nix
@@ -0,0 +1,98 @@
+{ stdenv, fetchurl, fetchpatch, autoreconfHook, pkgconfig, glib, expat, pam, perl
+, intltool, spidermonkey_52 , gobject-introspection, libxslt, docbook_xsl, dbus
+, docbook_xml_dtd_412, gtk-doc, coreutils
+, useSystemd ? stdenv.isLinux, systemd
+, doCheck ? stdenv.isLinux
+}:
+
+let
+
+  system = "/run/current-system/sw";
+  setuid = "/run/wrappers/bin"; #TODO: from <nixos> config.security.wrapperDir;
+
+in
+
+stdenv.mkDerivation rec {
+  name = "polkit-0.115";
+
+  src = fetchurl {
+    url = "https://www.freedesktop.org/software/polkit/releases/${name}.tar.gz";
+    sha256 = "0c91y61y4gy6p91cwbzg32dhavw4b7fflg370rimqhdxpzdfr1rg";
+  };
+
+  patches = [
+    # CVE-2018-19788 - high UID fixup
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/polkit/polkit/commit/5230646dc6876ef6e27f57926b1bad348f636147.patch";
+      name = "CVE-2018-19788.patch";
+      sha256 = "1y3az4mlxx8k1zcss5qm7k102s7k1kqgcfnf11j9678fh7p008vp";
+    })
+  ];
+
+  postPatch = stdenv.lib.optionalString stdenv.isDarwin ''
+    sed -i -e "s/-Wl,--as-needed//" configure.ac
+  '';
+
+  outputs = [ "bin" "dev" "out" ]; # small man pages in $bin
+
+  nativeBuildInputs =
+    [ gtk-doc pkgconfig autoreconfHook intltool gobject-introspection perl ]
+    ++ [ libxslt docbook_xsl docbook_xml_dtd_412 ]; # man pages
+  buildInputs =
+    [ glib expat pam spidermonkey_52 gobject-introspection ]
+    ++ stdenv.lib.optional useSystemd systemd;
+
+  NIX_CFLAGS_COMPILE = " -Wno-deprecated-declarations "; # for polkit 0.114 and glib 2.56
+
+  preConfigure = ''
+    chmod +x test/mocklibc/bin/mocklibc{,-test}.in
+    patchShebangs .
+
+    # ‘libpolkit-agent-1.so’ should call the setuid wrapper on
+    # NixOS.  Hard-coding the path is kinda ugly.  Maybe we can just
+    # call through $PATH, but that might have security implications.
+    substituteInPlace src/polkitagent/polkitagentsession.c \
+      --replace   'PACKAGE_PREFIX "/lib/polkit-1/'   '"${setuid}/'
+    substituteInPlace test/data/etc/polkit-1/rules.d/10-testing.rules \
+      --replace   /bin/true ${coreutils}/bin/true \
+      --replace   /bin/false ${coreutils}/bin/false
+
+  '' + stdenv.lib.optionalString useSystemd /* bogus chroot detection */ ''
+    sed '/libsystemd autoconfigured/s/.*/:/' -i configure
+  '';
+
+  configureFlags = [
+    "--datadir=${system}/share"
+    "--sysconfdir=/etc"
+    "--with-systemdsystemunitdir=$(out)/etc/systemd/system"
+    "--with-polkitd-user=polkituser" #TODO? <nixos> config.ids.uids.polkituser
+    "--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS
+    "--enable-introspection"
+  ] ++ stdenv.lib.optional (!doCheck) "--disable-test";
+
+  makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
+
+  # The following is required on grsecurity/PaX due to spidermonkey's JIT
+  postBuild = stdenv.lib.optionalString stdenv.isLinux ''
+    paxmark mr src/polkitbackend/.libs/polkitd
+  '' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) ''
+    paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
+  '';
+
+  installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"];
+
+  inherit doCheck;
+  checkInputs = [dbus];
+  checkPhase = ''
+    # tests need access to the system bus
+    dbus-run-session --config-file=${./system_bus.conf} -- sh -c 'DBUS_SYSTEM_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS make check'
+  '';
+
+  meta = with stdenv.lib; {
+    homepage = http://www.freedesktop.org/wiki/Software/polkit;
+    description = "A toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes";
+    license = licenses.gpl2;
+    platforms = platforms.unix;
+    maintainers = [ ];
+  };
+}
diff --git a/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf
new file mode 100644
index 000000000000..435b4740a2f7
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf
@@ -0,0 +1,58 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <!-- Our well-known bus type, do not change this -->
+  <type>system</type>
+
+  <!-- Fork into daemon mode -->
+  <fork/>
+
+  <!-- Enable logging to syslog -->
+  <syslog/>
+
+  <!-- Only allow socket-credentials-based authentication -->
+  <auth>EXTERNAL</auth>
+
+  <!-- Only listen on a local socket. (abstract=/path/to/socket 
+       means use abstract namespace, don't really create filesystem 
+       file; only Linux supports this. Use path=/whatever on other 
+       systems.) -->
+  <listen>unix:path=/tmp/system_bus_socket</listen>
+
+  <policy context="default">
+    <!-- All users can connect to system bus -->
+    <allow user="*"/>
+
+    <!-- Holes must be punched in service configuration files for
+         name ownership and sending method calls -->
+    <deny own="*"/>
+    <deny send_type="method_call"/>
+
+    <!-- Signals and reply messages (method returns, errors) are allowed
+         by default -->
+    <allow send_type="signal"/>
+    <allow send_requested_reply="true" send_type="method_return"/>
+    <allow send_requested_reply="true" send_type="error"/>
+
+    <!-- All messages may be received by default -->
+    <allow receive_type="method_call"/>
+    <allow receive_type="method_return"/>
+    <allow receive_type="error"/>
+    <allow receive_type="signal"/>
+
+    <!-- Allow anyone to talk to the message bus -->
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus" />
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+    <!-- But disallow some specific bus services -->
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus"
+          send_member="UpdateActivationEnvironment"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus.Debug.Stats"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.systemd1.Activator"/>
+  </policy>
+
+</busconfig>