Diffstat (limited to 'nixpkgs/pkgs/development/libraries/polkit')
-rw-r--r--nixpkgs/pkgs/development/libraries/polkit/default.nix121
-rw-r--r--nixpkgs/pkgs/development/libraries/polkit/system_bus.conf58
2 files changed, 179 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/polkit/default.nix b/nixpkgs/pkgs/development/libraries/polkit/default.nix
new file mode 100644
index 000000000000..7e8e95ef1eac
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/polkit/default.nix
@@ -0,0 +1,121 @@
+{ lib, stdenv, fetchurl, pkg-config, glib, expat, pam, perl, fetchpatch
+, intltool, spidermonkey_78, gobject-introspection, libxslt, docbook_xsl, dbus
+, docbook_xml_dtd_412, gtk-doc, coreutils
+, useSystemd ? (stdenv.isLinux && !stdenv.hostPlatform.isMusl), systemd, elogind
+# needed until gobject-introspection does cross-compile (https://github.com/NixOS/nixpkgs/pull/88222)
+, withIntrospection ? (stdenv.buildPlatform == stdenv.hostPlatform)
+# A few tests currently fail on musl (polkitunixusertest, polkitunixgrouptest, polkitidentitytest segfault).
+# Not yet investigated; it may be due to the "Make netgroup support optional"
+# patch not updating the tests correctly yet, or doing something wrong,
+# or being unrelated to that.
+, doCheck ? (stdenv.isLinux && !stdenv.hostPlatform.isMusl)
+}:
+
+let
+
+  system = "/run/current-system/sw";
+  setuid = "/run/wrappers/bin";
+
+in
+
+stdenv.mkDerivation rec {
+  pname = "polkit";
+  version = "0.118";
+
+  src = fetchurl {
+    url = "https://www.freedesktop.org/software/${pname}/releases/${pname}-${version}.tar.gz";
+    sha256 = "0swmg37jsxsxfsd2b3qm0l3zxr9ldvhpjw8lsgq3j8q7wy2fjm3d";
+  };
+
+  patches = [
+    # Don't use etc/dbus-1/system.d
+    # Upstream MR: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/11
+    (fetchpatch {
+      url = "https://gitlab.freedesktop.org/polkit/polkit/commit/5dd4e22efd05d55833c4634b56e473812b5acbf2.patch";
+      sha256 = "17lv7xj5ksa27iv4zpm4zwd4iy8zbwjj4ximslfq3sasiz9kxhlp";
+    })
+  ] ++ lib.optionals stdenv.hostPlatform.isMusl [
+    # Make netgroup support optional (musl does not have it)
+    # Upstream MR: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/10
+    # We use the version of the patch that Alpine uses successfully.
+    (fetchpatch {
+      name = "make-innetgr-optional.patch";
+      url = "https://git.alpinelinux.org/aports/plain/main/polkit/make-innetgr-optional.patch?id=391e7de6ced1a96c2dac812e0b12f1d7e0ea705e";
+      sha256 = "1p9qqqhnrfyjvvd50qh6vpl256kyfblm1qnhz5pm09klrl1bh1n4";
+    })
+  ];
+
+  postPatch = lib.optionalString stdenv.isDarwin ''
+    sed -i -e "s/-Wl,--as-needed//" configure.ac
+  '';
+
+  outputs = [ "bin" "dev" "out" ]; # small man pages in $bin
+
+  nativeBuildInputs =
+    [ glib gtk-doc pkg-config intltool perl ]
+    ++ [ libxslt docbook_xsl docbook_xml_dtd_412 ]; # man pages
+  buildInputs =
+    [ expat pam spidermonkey_78 ]
+    # On Linux, fall back to elogind when systemd support is off.
+    ++ lib.optional stdenv.isLinux (if useSystemd then systemd else elogind)
+    ++ lib.optional withIntrospection gobject-introspection;
+
+  propagatedBuildInputs = [
+    glib # in .pc Requires
+  ];
+
+  preConfigure = ''
+    chmod +x test/mocklibc/bin/mocklibc{,-test}.in
+    patchShebangs .
+
+    # ‘libpolkit-agent-1.so’ should call the setuid wrapper on
+    # NixOS.  Hard-coding the path is kinda ugly.  Maybe we can just
+    # call through $PATH, but that might have security implications.
+    substituteInPlace src/polkitagent/polkitagentsession.c \
+      --replace   'PACKAGE_PREFIX "/lib/polkit-1/'   '"${setuid}/'
+    substituteInPlace test/data/etc/polkit-1/rules.d/10-testing.rules \
+      --replace   /bin/true ${coreutils}/bin/true \
+      --replace   /bin/false ${coreutils}/bin/false
+
+  '' + lib.optionalString useSystemd /* bogus chroot detection */ ''
+    sed '/libsystemd autoconfigured/s/.*/:/' -i configure
+  '';
+
+  configureFlags = [
+    "--datadir=${system}/share"
+    "--sysconfdir=/etc"
+    "--with-systemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
+    "--with-polkitd-user=polkituser" #TODO? <nixos> config.ids.uids.polkituser
+    "--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS
+    (if withIntrospection then "--enable-introspection" else "--disable-introspection")
+  ] ++ lib.optional (!doCheck) "--disable-test";
+
+  makeFlags = [
+    "INTROSPECTION_GIRDIR=${placeholder "out"}/share/gir-1.0"
+    "INTROSPECTION_TYPELIBDIR=${placeholder "out"}/lib/girepository-1.0"
+  ];
+
+  installFlags = [
+    "datadir=${placeholder "out"}/share"
+    "sysconfdir=${placeholder "out"}/etc"
+  ];
+
+  inherit doCheck;
+  checkInputs = [ dbus ];
+  checkPhase = ''
+    # unfortunately this test needs python-dbusmock, but python-dbusmock needs polkit,
+    # leading to a circular dependency
+    substituteInPlace test/Makefile --replace polkitbackend ""
+
+    # tests need access to the system bus
+    dbus-run-session --config-file=${./system_bus.conf} -- sh -c 'DBUS_SYSTEM_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS make check'
+  '';
+
+  meta = with lib; {
+    homepage = "http://www.freedesktop.org/wiki/Software/polkit";
+    description = "A toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes";
+    license = licenses.gpl2;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ worldofpeace ];
+  };
+}
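Review bot: The custom `checkPhase` at the end of the hunk replaces the stock phase without calling `runHook preCheck` / `runHook postCheck`, so any `preCheck`/`postCheck` overrides and the setup hooks contributed by `checkInputs` are silently skipped; add `runHook preCheck` as the first line of the phase and `runHook postCheck` as the last. The `substituteInPlace test/Makefile --replace polkitbackend ""` line also removes the entire backend test suite, which covers the authorization-decision code, yet the comment only explains why; make the cost explicit with `# NOTE: this disables every polkitbackend test, so the authorization backend is not exercised by doCheck`. The preConfigure comment at the top of that phase already flags the hard-coded setuid wrapper path as a security trade-off; it would help to state there that `${setuid}` is `/run/wrappers/bin` from the `let` block and must stay in sync with the NixOS wrapper location.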
diff --git a/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf
new file mode 100644
index 000000000000..435b4740a2f7
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf
@@ -0,0 +1,58 @@
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+<busconfig>
+  <!-- Our well-known bus type, do not change this -->
+  <type>system</type>
+
+  <!-- Fork into daemon mode -->
+  <fork/>
+
+  <!-- Enable logging to syslog -->
+  <syslog/>
+
+  <!-- Only allow socket-credentials-based authentication -->
+  <auth>EXTERNAL</auth>
+
+  <!-- Only listen on a local socket. (abstract=/path/to/socket 
+       means use abstract namespace, don't really create filesystem 
+       file; only Linux supports this. Use path=/whatever on other 
+       systems.) -->
+  <listen>unix:path=/tmp/system_bus_socket</listen>
+
+  <policy context="default">
+    <!-- All users can connect to system bus -->
+    <allow user="*"/>
+
+    <!-- Holes must be punched in service configuration files for
+         name ownership and sending method calls -->
+    <deny own="*"/>
+    <deny send_type="method_call"/>
+
+    <!-- Signals and reply messages (method returns, errors) are allowed
+         by default -->
+    <allow send_type="signal"/>
+    <allow send_requested_reply="true" send_type="method_return"/>
+    <allow send_requested_reply="true" send_type="error"/>
+
+    <!-- All messages may be received by default -->
+    <allow receive_type="method_call"/>
+    <allow receive_type="method_return"/>
+    <allow receive_type="error"/>
+    <allow receive_type="signal"/>
+
+    <!-- Allow anyone to talk to the message bus -->
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus" />
+    <allow send_destination="org.freedesktop.DBus"
+           send_interface="org.freedesktop.DBus.Introspectable"/>
+    <!-- But disallow some specific bus services -->
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus"
+          send_member="UpdateActivationEnvironment"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.DBus.Debug.Stats"/>
+    <deny send_destination="org.freedesktop.DBus"
+          send_interface="org.freedesktop.systemd1.Activator"/>
+  </policy>
+
+</busconfig>
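Review bot: `<listen>unix:path=/tmp/system_bus_socket</listen>` pins the test system bus to a fixed path in a shared, world-writable directory, so the bus fails to start if anything already occupies that path and, together with `<allow user="*"/>` and `EXTERNAL` auth, any local user can connect to it whenever the build runs without a private /tmp (sandboxing disabled); the Nix sandbox masks this, but the config should not depend on it. Replace the line with `<listen>unix:tmpdir=/tmp</listen>`, which makes dbus-daemon choose a unique socket name (abstract namespace on Linux) and matches what dbus-run-session uses by default. `<fork/>` and `<syslog/>` look copied from a production system.conf: dbus-run-session is believed to start the daemon with `--nofork`, so `<fork/>` is presumably overridden, and syslog output from a build is noise; dropping both, or adding `<!-- test-only bus config: policy copied from the stock system.conf, listen address adjusted for the build -->` under `<busconfig>`, would make the intent clear.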