author | Alyssa Ross <hi@alyssa.is> | 2019-01-07 02:18:36 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2019-01-07 02:18:47 +0000 |
commit | 36f56d99fa0a0765c9f1de4a5f17a9b05830c3f2 (patch) | |
tree | b3faaf573407b32aa645237a4d16b82778a39a92 /nixpkgs/pkgs/development/libraries/polkit | |
parent | 4e31070265257dc67d120c27e0f75c2344fdfa9a (diff) | |
parent | abf060725d7614bd3b9f96764262dfbc2f9c2199 (diff) | |
Add 'nixpkgs/' from commit 'abf060725d7614bd3b9f96764262dfbc2f9c2199'
git-subtree-dir: nixpkgs git-subtree-mainline: 4e31070265257dc67d120c27e0f75c2344fdfa9a git-subtree-split: abf060725d7614bd3b9f96764262dfbc2f9c2199
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/polkit')
-rw-r--r-- | nixpkgs/pkgs/development/libraries/polkit/default.nix | 98 | ||||
-rw-r--r-- | nixpkgs/pkgs/development/libraries/polkit/system_bus.conf | 58 |
2 files changed, 156 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/polkit/default.nix b/nixpkgs/pkgs/development/libraries/polkit/default.nix
new file mode 100644
index 000000000000..8093aec6bcc6
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/polkit/default.nix
@@ -0,0 +1,98 @@
+{ stdenv, fetchurl, fetchpatch, autoreconfHook, pkgconfig, glib, expat, pam, perl
+, intltool, spidermonkey_52 , gobject-introspection, libxslt, docbook_xsl, dbus
+, docbook_xml_dtd_412, gtk-doc, coreutils
+, useSystemd ? stdenv.isLinux, systemd
+, doCheck ? stdenv.isLinux
+}:
+
+let
+
+ system = "/run/current-system/sw";
+ setuid = "/run/wrappers/bin"; #TODO: from <nixos> config.security.wrapperDir;
+
+in
+
+stdenv.mkDerivation rec {
+ name = "polkit-0.115";
+
+ src = fetchurl {
+ url = "https://www.freedesktop.org/software/polkit/releases/${name}.tar.gz";
+ sha256 = "0c91y61y4gy6p91cwbzg32dhavw4b7fflg370rimqhdxpzdfr1rg";
+ };
+
+ patches = [
+ # CVE-2018-19788 - high UID fixup
+ (fetchpatch {
+ url = "https://gitlab.freedesktop.org/polkit/polkit/commit/5230646dc6876ef6e27f57926b1bad348f636147.patch";
+ name = "CVE-2018-19788.patch";
+ sha256 = "1y3az4mlxx8k1zcss5qm7k102s7k1kqgcfnf11j9678fh7p008vp";
+ })
+ ];
+
+ postPatch = stdenv.lib.optionalString stdenv.isDarwin ''
+ sed -i -e "s/-Wl,--as-needed//" configure.ac
+ '';
+
+ outputs = [ "bin" "dev" "out" ]; # small man pages in $bin
+
+ nativeBuildInputs =
+ [ gtk-doc pkgconfig autoreconfHook intltool gobject-introspection perl ]
+ ++ [ libxslt docbook_xsl docbook_xml_dtd_412 ]; # man pages
+ buildInputs =
+ [ glib expat pam spidermonkey_52 gobject-introspection ]
+ ++ stdenv.lib.optional useSystemd systemd;
+
+ NIX_CFLAGS_COMPILE = " -Wno-deprecated-declarations "; # for polkit 0.114 and glib 2.56
+
+ preConfigure = ''
+ chmod +x test/mocklibc/bin/mocklibc{,-test}.in
+ patchShebangs .
+
+ # ‘libpolkit-agent-1.so’ should call the setuid wrapper on
+ # NixOS. Hard-coding the path is kinda ugly. Maybe we can just
+ # call through $PATH, but that might have security implications.
+ substituteInPlace src/polkitagent/polkitagentsession.c \
+ --replace 'PACKAGE_PREFIX "/lib/polkit-1/' '"${setuid}/'
+ substituteInPlace test/data/etc/polkit-1/rules.d/10-testing.rules \
+ --replace /bin/true ${coreutils}/bin/true \
+ --replace /bin/false ${coreutils}/bin/false
+
+ '' + stdenv.lib.optionalString useSystemd /* bogus chroot detection */ ''
+ sed '/libsystemd autoconfigured/s/.*/:/' -i configure
+ '';
+
+ configureFlags = [
+ "--datadir=${system}/share"
+ "--sysconfdir=/etc"
+ "--with-systemdsystemunitdir=$(out)/etc/systemd/system"
+ "--with-polkitd-user=polkituser" #TODO? <nixos> config.ids.uids.polkituser
+ "--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS
+ "--enable-introspection"
+ ] ++ stdenv.lib.optional (!doCheck) "--disable-test";
+
+ makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
+
+ # The following is required on grsecurity/PaX due to spidermonkey's JIT
+ postBuild = stdenv.lib.optionalString stdenv.isLinux ''
+ paxmark mr src/polkitbackend/.libs/polkitd
+ '' + stdenv.lib.optionalString (stdenv.isLinux && doCheck) ''
+ paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
+ '';
+
+ installFlags=["datadir=$(out)/share" "sysconfdir=$(out)/etc"];
+
+ inherit doCheck;
+ checkInputs = [dbus];
+ checkPhase = ''
+ # tests need access to the system bus
+ dbus-run-session --config-file=${./system_bus.conf} -- sh -c 'DBUS_SYSTEM_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS make check'
+ '';
+
+ meta = with stdenv.lib; {
+ homepage = http://www.freedesktop.org/wiki/Software/polkit;
+ description = "A toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes";
+ license = licenses.gpl2;
+ platforms = platforms.unix;
+ maintainers = [ ];
+ };
+}
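Review bot: The hand-written checkPhase near the end of the hunk drops the stdenv hook calls, so anything a checkInputs setup hook or a downstream override registers for preCheck/postCheck is silently skipped; bracket the dbus-run-session line with `runHook preCheck` before it and `runHook postCheck` after it. The meta block's `homepage = http://www.freedesktop.org/wiki/Software/polkit;` is an unquoted plain-http URL while src and the CVE-2018-19788 patch are fetched over https; prefer the quoted form `homepage = "https://www.freedesktop.org/wiki/Software/polkit";` so the metadata does not advertise an unencrypted endpoint. The `--disable-test` flag is only added when doCheck is false, so on Linux the test suite and its mocklibc helpers are compiled into every build; a one-line comment on the configureFlags list saying so would save the next maintainer from wondering why tests are built when `doCheck` is later overridden.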
diff --git a/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf
new file mode 100644
index 000000000000..435b4740a2f7
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf
@@ -0,0 +1,58 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+ <!-- Our well-known bus type, do not change this -->
+ <type>system</type>
+
+ <!-- Fork into daemon mode -->
+ <fork/>
+
+ <!-- Enable logging to syslog -->
+ <syslog/>
+
+ <!-- Only allow socket-credentials-based authentication -->
+ <auth>EXTERNAL</auth>
+
+ <!-- Only listen on a local socket. (abstract=/path/to/socket
+ means use abstract namespace, don't really create filesystem
+ file; only Linux supports this. Use path=/whatever on other
+ systems.) -->
+ <listen>unix:path=/tmp/system_bus_socket</listen>
+
+ <policy context="default">
+ <!-- All users can connect to system bus -->
+ <allow user="*"/>
+
+ <!-- Holes must be punched in service configuration files for
+ name ownership and sending method calls -->
+ <deny own="*"/>
+ <deny send_type="method_call"/>
+
+ <!-- Signals and reply messages (method returns, errors) are allowed
+ by default -->
+ <allow send_type="signal"/>
+ <allow send_requested_reply="true" send_type="method_return"/>
+ <allow send_requested_reply="true" send_type="error"/>
+
+ <!-- All messages may be received by default -->
+ <allow receive_type="method_call"/>
+ <allow receive_type="method_return"/>
+ <allow receive_type="error"/>
+ <allow receive_type="signal"/>
+
+ <!-- Allow anyone to talk to the message bus -->
+ <allow send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus" />
+ <allow send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus.Introspectable"/>
+ <!-- But disallow some specific bus services -->
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
+ send_member="UpdateActivationEnvironment"/>
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus.Debug.Stats"/>
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.systemd1.Activator"/>
+ </policy>
+
+</busconfig>
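Review bot: The `<listen>unix:path=/tmp/system_bus_socket</listen>` line pins the test bus to one fixed, predictable path; when the build runs without the Nix sandbox (still the default on non-NixOS hosts when this was written), two concurrent polkit builds on the same machine contend for that socket, and a stale socket left by an aborted run can make the tests bind-fail or, depending on the daemon's handling, talk to a daemon from another build. The checkPhase in default.nix already receives the real address from dbus-run-session via DBUS_SESSION_BUS_ADDRESS, so nothing depends on the literal path and the daemon can pick a unique one: `<listen>unix:tmpdir=/tmp</listen>`. The `<fork/>` and `<syslog/>` elements and the "do not change this" comment appear to be carried over from the stock system.conf; for a throwaway test bus the syslog sink in particular sends test-time bus messages to the host's logger rather than the build log, so consider dropping both elements and noting in the comment that this is a test-only configuration.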