diff options
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/polkit')
-rw-r--r-- | nixpkgs/pkgs/development/libraries/polkit/default.nix | 121 | ||||
-rw-r--r-- | nixpkgs/pkgs/development/libraries/polkit/system_bus.conf | 58 |
2 files changed, 179 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/polkit/default.nix b/nixpkgs/pkgs/development/libraries/polkit/default.nix new file mode 100644 index 000000000000..7e8e95ef1eac --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/polkit/default.nix @@ -0,0 +1,121 @@ +{ lib, stdenv, fetchurl, pkg-config, glib, expat, pam, perl, fetchpatch +, intltool, spidermonkey_78, gobject-introspection, libxslt, docbook_xsl, dbus +, docbook_xml_dtd_412, gtk-doc, coreutils +, useSystemd ? (stdenv.isLinux && !stdenv.hostPlatform.isMusl), systemd, elogind +# needed until gobject-introspection does cross-compile (https://github.com/NixOS/nixpkgs/pull/88222) +, withIntrospection ? (stdenv.buildPlatform == stdenv.hostPlatform) +# A few tests currently fail on musl (polkitunixusertest, polkitunixgrouptest, polkitidentitytest segfault). +# Not yet investigated; it may be due to the "Make netgroup support optional" +# patch not updating the tests correctly yet, or doing something wrong, +# or being unrelated to that. +, doCheck ? (stdenv.isLinux && !stdenv.hostPlatform.isMusl) +}: + +let + + system = "/run/current-system/sw"; + setuid = "/run/wrappers/bin"; + +in + +stdenv.mkDerivation rec { + pname = "polkit"; + version = "0.118"; + + src = fetchurl { + url = "https://www.freedesktop.org/software/${pname}/releases/${pname}-${version}.tar.gz"; + sha256 = "0swmg37jsxsxfsd2b3qm0l3zxr9ldvhpjw8lsgq3j8q7wy2fjm3d"; + }; + + patches = [ + # Don't use etc/dbus-1/system.d + # Upstream MR: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/11 + (fetchpatch { + url = "https://gitlab.freedesktop.org/polkit/polkit/commit/5dd4e22efd05d55833c4634b56e473812b5acbf2.patch"; + sha256 = "17lv7xj5ksa27iv4zpm4zwd4iy8zbwjj4ximslfq3sasiz9kxhlp"; + }) + ] ++ lib.optionals stdenv.hostPlatform.isMusl [ + # Make netgroup support optional (musl does not have it) + # Upstream MR: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/10 + # We use the version of the patch that Alpine uses successfully. + (fetchpatch { + name = "make-innetgr-optional.patch"; + url = "https://git.alpinelinux.org/aports/plain/main/polkit/make-innetgr-optional.patch?id=391e7de6ced1a96c2dac812e0b12f1d7e0ea705e"; + sha256 = "1p9qqqhnrfyjvvd50qh6vpl256kyfblm1qnhz5pm09klrl1bh1n4"; + }) + ]; + + postPatch = lib.optionalString stdenv.isDarwin '' + sed -i -e "s/-Wl,--as-needed//" configure.ac + ''; + + outputs = [ "bin" "dev" "out" ]; # small man pages in $bin + + nativeBuildInputs = + [ glib gtk-doc pkg-config intltool perl ] + ++ [ libxslt docbook_xsl docbook_xml_dtd_412 ]; # man pages + buildInputs = + [ expat pam spidermonkey_78 ] + # On Linux, fall back to elogind when systemd support is off. + ++ lib.optional stdenv.isLinux (if useSystemd then systemd else elogind) + ++ lib.optional withIntrospection gobject-introspection; + + propagatedBuildInputs = [ + glib # in .pc Requires + ]; + + preConfigure = '' + chmod +x test/mocklibc/bin/mocklibc{,-test}.in + patchShebangs . + + # ‘libpolkit-agent-1.so’ should call the setuid wrapper on + # NixOS. Hard-coding the path is kinda ugly. Maybe we can just + # call through $PATH, but that might have security implications. + substituteInPlace src/polkitagent/polkitagentsession.c \ + --replace 'PACKAGE_PREFIX "/lib/polkit-1/' '"${setuid}/' + substituteInPlace test/data/etc/polkit-1/rules.d/10-testing.rules \ + --replace /bin/true ${coreutils}/bin/true \ + --replace /bin/false ${coreutils}/bin/false + + '' + lib.optionalString useSystemd /* bogus chroot detection */ '' + sed '/libsystemd autoconfigured/s/.*/:/' -i configure + ''; + + configureFlags = [ + "--datadir=${system}/share" + "--sysconfdir=/etc" + "--with-systemdsystemunitdir=${placeholder "out"}/etc/systemd/system" + "--with-polkitd-user=polkituser" #TODO? <nixos> config.ids.uids.polkituser + "--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS + (if withIntrospection then "--enable-introspection" else "--disable-introspection") + ] ++ lib.optional (!doCheck) "--disable-test"; + + makeFlags = [ + "INTROSPECTION_GIRDIR=${placeholder "out"}/share/gir-1.0" + "INTROSPECTION_TYPELIBDIR=${placeholder "out"}/lib/girepository-1.0" + ]; + + installFlags = [ + "datadir=${placeholder "out"}/share" + "sysconfdir=${placeholder "out"}/etc" + ]; + + inherit doCheck; + checkInputs = [ dbus ]; + checkPhase = '' + # unfortunately this test needs python-dbusmock, but python-dbusmock needs polkit, + # leading to a circular dependency + substituteInPlace test/Makefile --replace polkitbackend "" + + # tests need access to the system bus + dbus-run-session --config-file=${./system_bus.conf} -- sh -c 'DBUS_SYSTEM_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS make check' + ''; + + meta = with lib; { + homepage = "http://www.freedesktop.org/wiki/Software/polkit"; + description = "A toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes"; + license = licenses.gpl2; + platforms = platforms.unix; + maintainers = with maintainers; [ worldofpeace ]; + }; +} diff --git a/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf new file mode 100644 index 000000000000..435b4740a2f7 --- /dev/null +++ b/nixpkgs/pkgs/development/libraries/polkit/system_bus.conf @@ -0,0 +1,58 @@ +<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN" + "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> +<busconfig> + <!-- Our well-known bus type, do not change this --> + <type>system</type> + + <!-- Fork into daemon mode --> + <fork/> + + <!-- Enable logging to syslog --> + <syslog/> + + <!-- Only allow socket-credentials-based authentication --> + <auth>EXTERNAL</auth> + + <!-- Only listen on a local socket. (abstract=/path/to/socket + means use abstract namespace, don't really create filesystem + file; only Linux supports this. Use path=/whatever on other + systems.) --> + <listen>unix:path=/tmp/system_bus_socket</listen> + + <policy context="default"> + <!-- All users can connect to system bus --> + <allow user="*"/> + + <!-- Holes must be punched in service configuration files for + name ownership and sending method calls --> + <deny own="*"/> + <deny send_type="method_call"/> + + <!-- Signals and reply messages (method returns, errors) are allowed + by default --> + <allow send_type="signal"/> + <allow send_requested_reply="true" send_type="method_return"/> + <allow send_requested_reply="true" send_type="error"/> + + <!-- All messages may be received by default --> + <allow receive_type="method_call"/> + <allow receive_type="method_return"/> + <allow receive_type="error"/> + <allow receive_type="signal"/> + + <!-- Allow anyone to talk to the message bus --> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" /> + <allow send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus.Introspectable"/> + <!-- But disallow some specific bus services --> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus" + send_member="UpdateActivationEnvironment"/> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.DBus.Debug.Stats"/> + <deny send_destination="org.freedesktop.DBus" + send_interface="org.freedesktop.systemd1.Activator"/> + </policy> + +</busconfig> |