diff options
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/polkit')
-rw-r--r-- | nixpkgs/pkgs/development/libraries/polkit/default.nix | 204 | ||||
-rw-r--r-- | nixpkgs/pkgs/development/libraries/polkit/system_bus.conf | 58 |
2 files changed, 262 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/polkit/default.nix b/nixpkgs/pkgs/development/libraries/polkit/default.nix new file mode 100644 index 000000000000..72907f7aedc8 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/polkit/default.nix @@ -0,0 +1,204 @@ +{ lib +, stdenv +, fetchFromGitLab +, pkg-config +, glib +, expat +, pam +, meson +, ninja +, perl +, rsync +, python3 +, fetchpatch +, gettext +, spidermonkey_78 +, gobject-introspection +, libxslt +, docbook-xsl-nons +, dbus +, docbook_xml_dtd_412 +, gtk-doc +, coreutils +, useSystemd ? stdenv.isLinux +, systemd +, elogind +# needed until gobject-introspection does cross-compile (https://github.com/NixOS/nixpkgs/pull/88222) +, withIntrospection ? (stdenv.buildPlatform == stdenv.hostPlatform) +# cross build fails on polkit-1-scan (https://github.com/NixOS/nixpkgs/pull/152704) +, withGtkDoc ? (stdenv.buildPlatform == stdenv.hostPlatform) +# A few tests currently fail on musl (polkitunixusertest, polkitunixgrouptest, polkitidentitytest segfault). +# Not yet investigated; it may be due to the "Make netgroup support optional" +# patch not updating the tests correctly yet, or doing something wrong, +# or being unrelated to that. +, doCheck ? (stdenv.isLinux && !stdenv.hostPlatform.isMusl) +}: + +let + system = "/run/current-system/sw"; + setuid = "/run/wrappers/bin"; +in +stdenv.mkDerivation rec { + pname = "polkit"; + version = "0.120"; + + outputs = [ "bin" "dev" "out" ]; # small man pages in $bin + + # Tarballs do not contain subprojects. + src = fetchFromGitLab { + domain = "gitlab.freedesktop.org"; + owner = "polkit"; + repo = "polkit"; + rev = version; + sha256 = "oEaRf1g13zKMD+cP1iwIA6jaCDwvNfGy2i8xY8vuVSo="; + }; + + patches = [ + # Allow changing base for paths in pkg-config file as before. + # https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/100 + (fetchpatch { + url = "https://gitlab.freedesktop.org/polkit/polkit/-/commit/7ba07551dfcd4ef9a87b8f0d9eb8b91fabcb41b3.patch"; + sha256 = "ebbLILncq1hAZTBMsLm+vDGw6j0iQ0crGyhzyLZQgKA="; + }) + # pkexec: local privilege escalation (CVE-2021-4034) + (fetchpatch { + url = "https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch"; + sha256 = "162jkpg2myq0rb0s5k3nfr4pqwv9im13jf6vzj8p5l39nazg5i4s"; + }) + # File descriptor leak allows an unprivileged user to cause a crash (CVE-2021-4115) + (fetchpatch { + name = "CVE-2021-4115.patch"; + url = "https://src.fedoraproject.org/rpms/polkit/raw/0a203bd46a1e2ec8cc4b3626840e2ea9d0d13a9a/f/CVE-2021-4115.patch"; + sha256 = "sha256-BivHVVpYB4Ies1YbBDyKwUmNlqq2D1MpMipH9/dZM54="; + }) + ] ++ lib.optionals stdenv.hostPlatform.isMusl [ + # Make netgroup support optional (musl does not have it) + # Upstream MR: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/10 + # We use the version of the patch that Alpine uses successfully. + (fetchpatch { + name = "make-innetgr-optional.patch"; + url = "https://git.alpinelinux.org/aports/plain/community/polkit/make-innetgr-optional.patch?id=424ecbb6e9e3a215c978b58c05e5c112d88dddfc"; + sha256 = "0iyiksqk29sizwaa4623bv683px1fny67639qpb1him89hza00wy"; + }) + ]; + + nativeBuildInputs = [ + glib + gtk-doc + pkg-config + gettext + meson + ninja + perl + rsync + (python3.withPackages (pp: with pp; [ + dbus-python + (python-dbusmock.overridePythonAttrs (attrs: { + # Avoid dependency cycle. + doCheck = false; + })) + ])) + + # man pages + libxslt + docbook-xsl-nons + docbook_xml_dtd_412 + ]; + + buildInputs = [ + expat + pam + spidermonkey_78 + ] ++ lib.optionals stdenv.isLinux [ + # On Linux, fall back to elogind when systemd support is off. + (if useSystemd then systemd else elogind) + ] ++ lib.optionals withIntrospection [ + gobject-introspection + ]; + + propagatedBuildInputs = [ + glib # in .pc Requires + ]; + + checkInputs = [ + dbus + ]; + + mesonFlags = [ + "--datadir=${system}/share" + "--sysconfdir=/etc" + "-Dsystemdsystemunitdir=${placeholder "out"}/etc/systemd/system" + "-Dpolkitd_user=polkituser" #TODO? <nixos> config.ids.uids.polkituser + "-Dos_type=redhat" # only affects PAM includes + "-Dintrospection=${lib.boolToString withIntrospection}" + "-Dtests=${lib.boolToString doCheck}" + "-Dgtk_doc=${lib.boolToString withGtkDoc}" + "-Dman=true" + ] ++ lib.optionals stdenv.isLinux [ + "-Dsession_tracking=${if useSystemd then "libsystemd-login" else "libelogind"}" + ]; + + # HACK: We want to install policy files files to $out/share but polkit + # should read them from /run/current-system/sw/share on a NixOS system. + # Similarly for config files in /etc. + # With autotools, it was possible to override Make variables + # at install time but Meson does not support this + # so we need to convince it to install all files to a temporary + # location using DESTDIR and then move it to proper one in postInstall. + DESTDIR = "${placeholder "out"}/dest"; + + inherit doCheck; + + postPatch = '' + patchShebangs test/polkitbackend/polkitbackendjsauthoritytest-wrapper.py + + # ‘libpolkit-agent-1.so’ should call the setuid wrapper on + # NixOS. Hard-coding the path is kinda ugly. Maybe we can just + # call through $PATH, but that might have security implications. + substituteInPlace src/polkitagent/polkitagentsession.c \ + --replace 'PACKAGE_PREFIX "/lib/polkit-1/' '"${setuid}/' + substituteInPlace test/data/etc/polkit-1/rules.d/10-testing.rules \ + --replace /bin/true ${coreutils}/bin/true \ + --replace /bin/false ${coreutils}/bin/false + ''; + + postConfigure = '' + # Unpacked by meson + chmod +x subprojects/mocklibc-1.0/bin/mocklibc + patchShebangs subprojects/mocklibc-1.0/bin/mocklibc + ''; + + checkPhase = '' + runHook preCheck + + # tests need access to the system bus + dbus-run-session --config-file=${./system_bus.conf} -- sh -c 'DBUS_SYSTEM_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS meson test --print-errorlogs' + + runHook postCheck + ''; + + postInstall = '' + # Move stuff from DESTDIR to proper location. + # We use rsync to merge the directories. + rsync --archive "${DESTDIR}/etc" "$out" + rm --recursive "${DESTDIR}/etc" + rsync --archive "${DESTDIR}${system}"/* "$out" + rm --recursive "${DESTDIR}${system}"/* + rmdir --parents --ignore-fail-on-non-empty "${DESTDIR}${system}" + for o in $outputs; do + rsync --archive "${DESTDIR}/''${!o}" "$(dirname "''${!o}")" + rm --recursive "${DESTDIR}/''${!o}" + done + # Ensure the DESTDIR is removed. + destdirContainer="$(dirname "${DESTDIR}")" + pushd "$destdirContainer"; rmdir --parents "''${DESTDIR##$destdirContainer/}${builtins.storeDir}"; popd + ''; + + meta = with lib; { + homepage = "http://www.freedesktop.org/wiki/Software/polkit"; + description = "A toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes"; + license = licenses.lgpl2Plus; + platforms = platforms.unix; + maintainers = teams.freedesktop.members ++ (with maintainers; [ ]); + }; +} diff --git a/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf new file mode 100644 index 000000000000..435b4740a2f7 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf @@ -0,0 +1,58 @@ +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <!-- Our well-known bus type, do not change this --> + <type>system</type> + + <!-- Fork into daemon mode --> + <fork/> + + <!-- Enable logging to syslog --> + <syslog/> + + <!-- Only allow socket-credentials-based authentication --> + <auth>EXTERNAL</auth> + + <!-- Only listen on a local socket. (abstract=/path/to/socket + means use abstract namespace, don't really create filesystem + file; only Linux supports this. Use path=/whatever on other + systems.) --> + <listen>unix:path=/tmp/system_bus_socket</listen> + + <policy context="default"> + <!-- All users can connect to system bus --> + <allow user="*"/> + + <!-- Holes must be punched in service configuration files for + name ownership and sending method calls --> + <deny own="*"/> + <deny send_type="method_call"/> + + <!-- Signals and reply messages (method returns, errors) are allowed + by default --> + <allow send_type="signal"/> + <allow send_requested_reply="true" send_type="method_return"/> + <allow send_requested_reply="true" send_type="error"/> + + <!-- All messages may be received by default --> + <allow receive_type="method_call"/> + <allow receive_type="method_return"/> + <allow receive_type="error"/> + <allow receive_type="signal"/> + + <!-- Allow anyone to talk to the message bus --> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" /> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus.Introspectable"/> + <!-- But disallow some specific bus services --> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" + send_member="UpdateActivationEnvironment"/> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus.Debug.Stats"/> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.systemd1.Activator"/> + </policy> + +</busconfig> |