From f9fb7b7457e636f4f7edff866cee1c1812aa9501 Mon Sep 17 00:00:00 2001 From: Jack Cummings Date: Tue, 8 Oct 2013 22:34:05 -0700 Subject: new systemd can't inhibit lid switches Conflicts (repos merge): modules/services/x11/display-managers/default.nix --- nixos/modules/services/x11/display-managers/default.nix | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index c4fce3706dcd..bb86786f0f2d 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -39,16 +39,6 @@ let exec > ~/.xsession-errors 2>&1 ''} - ${optionalString cfg.displayManager.desktopManagerHandlesLidAndPower '' - # Stop systemd from handling the power button and lid switch, - # since presumably the desktop environment will handle these. - if [ -z "$_INHIBITION_LOCK_TAKEN" ]; then - export _INHIBITION_LOCK_TAKEN=1 - exec ${config.systemd.package}/bin/systemd-inhibit --what=handle-lid-switch:handle-power-key "$0" "$sessionType" - fi - - ''} - ${optionalString cfg.startOpenSSHAgent '' if test -z "$SSH_AUTH_SOCK"; then # Restart this script as a child of the SSH agent. (It is -- cgit 1.4.1 From e790d27543ba9bd8fa89345b20094081451362e0 Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Fri, 1 Nov 2013 10:54:29 +0100 Subject: polkit WIP: TESTED OK, only missing NM config testing/tweaking History: 7a29bd02 7cd5ff085 --- nixos/modules/security/polkit.nix | 79 ++++++++-------------- .../modules/services/networking/networkmanager.nix | 15 +++- .../interpreters/spidermonkey/185-1.0.0.nix | 6 +- pkgs/development/libraries/polkit/default.nix | 54 ++++++++------- pkgs/top-level/all-packages.nix | 4 +- 5 files changed, 78 insertions(+), 80 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index cafa9f82d5e4..e3cca533e548 100644 
--- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix @@ -18,35 +18,17 @@ in description = "Whether to enable PolKit."; }; - security.polkit.permissions = mkOption { + security.polkit.extraConfig = mkOption { type = types.lines; default = ""; example = '' - [Disallow Users To Suspend] - Identity=unix-group:users - Action=org.freedesktop.upower.* - ResultAny=no - ResultInactive=no - ResultActive=no - - [Allow Anybody To Eject Disks] - Identity=unix-user:* - Action=org.freedesktop.udisks.drive-eject - ResultAny=yes - ResultInactive=yes - ResultActive=yes - - [Allow Alice To Mount Filesystems After Admin Authentication] - Identity=unix-user:alice - Action=org.freedesktop.udisks.filesystem-mount - ResultAny=auth_admin - ResultInactive=auth_admin - ResultActive=auth_admin + TODO ''; description = '' - Allows the default permissions of privileged actions to be overridden. + Any polkit rules to be added to config (in JavaScript ;-). See: + http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules ''; }; 
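Review bot: The `example` of the renamed `security.polkit.extraConfig` option is the placeholder `TODO`, and that is what the generated option manual will show; replace it with a minimal rule in the new format, e.g. `polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.udisks.drive-eject") { return polkit.Result.YES; } });` (constructed example). Renaming `security.polkit.permissions` with no deprecation shim means every configuration that still sets it fails to evaluate with an undefined-option error instead of a message pointing at the new option and the changed rule language; a sentence in the description saying that `.pkla` sections are no longer accepted would help those users. The `(in JavaScript ;-)` aside reads as a joke in user-facing documentation; `rules, written in JavaScript, added to the NixOS polkit rules file` states the same thing.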
@@ -71,29 +53,23 @@ in environment.systemPackages = [ pkgs.polkit ]; - # The polkit daemon reads action files - environment.pathsToLink = [ "/share/polkit-1/actions" ]; - - environment.etc = - [ # No idea what the "null backend" is, but it seems to need this. - { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d"; - target = "polkit-1/nullbackend.conf.d"; - } - - # This file determines what users are considered - # "administrators". - { source = pkgs.writeText "10-nixos.conf" - '' - [Configuration] - AdminIdentities=${cfg.adminIdentities} - ''; - target = "polkit-1/localauthority.conf.d/10-nixos.conf"; - } - - { source = pkgs.writeText "org.nixos.pkla" cfg.permissions; - target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla"; - } - ]; + systemd.packages = [ pkgs.polkit ]; + + # The polkit daemon reads action/rule files + environment.pathsToLink = [ "/share/polkit-1" ]; + + # PolKit rules for NixOS + environment.etc = [ { + source = pkgs.writeText "10-nixos.conf" + '' + polkit.addAdminRule(function(action, subject) { + return ["${cfg.adminIdentities}"]; + }); + + ${cfg.extraConfig} + ''; #TODO: validation on compilation (at least against typos) + target = "polkit-1/rules.d/10-nixos.conf"; + } ]; services.dbus.packages = [ pkgs.polkit ]; @@ -101,24 +77,25 @@ in security.setuidPrograms = [ "pkexec" ]; - security.setuidOwners = singleton + security.setuidOwners = [ { program = "polkit-agent-helper-1"; owner = "root"; group = "root"; setuid = true; - source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1"; - }; + source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1"; + } + ]; system.activationScripts.polkit = '' - mkdir -p /var/lib/polkit-1/localauthority - chmod 700 /var/lib/polkit-1{/localauthority,} + # Probably no more needed, clean up + rm -rf /var/lib/{polkit-1,PolicyKit} # Force polkitd to be restarted so that it reloads its # configuration. ${pkgs.procps}/bin/pkill -INT -u root -x polkitd ''; - }; } + 
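Review bot: polkitd only loads files with the `.rules` extension from `rules.d`, so the admin rule and `extraConfig` written to `polkit-1/rules.d/10-nixos.conf` are never read and the daemon silently falls back to its built-in admin identity; change the target (and the `writeText` name) to `10-nixos.rules`. `return ["${cfg.adminIdentities}"]` also turns the whole option value into one identity string; if the option still carries the `;`-separated list the old `AdminIdentities=` line accepted, use `return "${cfg.adminIdentities}".split(";");` so each entry is matched. Because `extraConfig` is spliced unvalidated into the same file, a JavaScript syntax error in user rules also disables the admin rule above it, which argues for writing `extraConfig` to its own `rules.d` file. The enclosing `config` attrset begins outside the hunk.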
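Review bot: `rm -rf /var/lib/{polkit-1,PolicyKit}` runs on every activation rather than once, and it removes a directory the daemon may still rely on (on some distributions it is the polkitd user's home); if the intent is to clear the old localauthority state, guard it, e.g. `[ -e /var/lib/polkit-1/localauthority ] && rm -rf /var/lib/polkit-1/localauthority`, and replace the `# Probably no more needed` wording with a comment that says what legacy state is being cleaned up. The `pkill -INT -u root -x polkitd` that follows assumes polkitd still runs as root; if the package is now built to run the daemon as the dedicated `polkituser` added later in this series, the `-u root` filter stops matching and the daemon is no longer reloaded after a switch. The enclosing `config` attrset begins outside the hunk.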
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index ad6f9858aaf6..1ed4e20b9a59 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -21,7 +21,7 @@ let level=WARN ''; - polkitConf = '' + /* [network-manager] Identity=unix-group:networkmanager Action=org.freedesktop.NetworkManager.* @@ -35,6 +35,16 @@ let ResultAny=yes ResultInactive=no ResultActive=yes + */ + polkitConf = '' + polkit.addRule(function(action, subject) { + if ( + subject.isInGroup("networkmanager") + && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 + || action.id.indexOf("org.freedesktop.ModemManager.") == 0 + )) + { return polkit.Result.YES; } #TODO: active/inactive + }); ''; ipUpScript = writeScript "01nixos-ip-up" '' @@ -179,7 +189,8 @@ in { systemctl restart NetworkManager ''; - security.polkit.permissions = polkitConf; + #TODO + #security.polkit.permissions = polkitConf; # openvpn plugin has only dbus interface services.dbus.packages = cfg.packages ++ [ diff --git a/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix b/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix index 55e0dada71e0..1c0d77345b73 100644 --- a/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix +++ b/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, autoconf213, nspr, perl, python, readline, zip }: +{ stdenv, fetchurl, pkgconfig, autoconf213, nspr, perl, python, readline, zip }: stdenv.mkDerivation rec { version = "185-1.0.0"; @@ -9,7 +9,9 @@ stdenv.mkDerivation rec { sha256 = "5d12f7e1f5b4a99436685d97b9b7b75f094d33580227aa998c406bbae6f2a687"; }; - buildInputs = [ autoconf213 nspr perl python readline zip ]; + propagatedBuildInputs = [ nspr ]; + + buildInputs = [ pkgconfig autoconf213 perl python readline zip ]; postUnpack = "sourceRoot=\${sourceRoot}/js/src"; 
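Review bot: `#TODO: active/inactive` sits inside the JavaScript rule body, where `#` is not a comment, so the generated rules text is a syntax error and polkitd's JavaScript engine will refuse to load it (commit 1c0fdf2 later in this series removes the trailer, but this commit ships it); use `//` for comments inside the rule or keep TODOs in the surrounding Nix. The former `.pkla` block is retained as a `/* ... */` comment, which is commented-out configuration rather than documentation; delete it, the history keeps it. Style: `action.id.indexOf(...) == 0` works, but `=== 0` avoids the coercing comparison in the two prefix checks.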
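Review bot: Commenting out `security.polkit.permissions = polkitConf;` behind a bare `#TODO` leaves this commit with no polkit authorization for the `networkmanager` group at all, so its members lose the ability to manage connections until the replacement is wired up. If the option rename in `polkit.nix` is part of the same series, set `security.polkit.extraConfig = polkitConf;` here instead of leaving a dead assignment (commit 1c0fdf2 does this later); a commented-out setting is easy to forget and gives no evaluation error. The enclosing attrset begins outside the hunk.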
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index 9d1f0d18c1ad..821e66ea0b30 100644 --- a/pkgs/development/libraries/polkit/default.nix +++ b/pkgs/development/libraries/polkit/default.nix @@ -1,48 +1,59 @@ -{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, gettext -, gobjectIntrospection +{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, spidermonkey +, gobjectIntrospection, libxslt, docbook_xsl , useSystemd ? stdenv.isLinux, systemd }: let system = "/var/run/current-system/sw"; + setuid = "/var/setuid-wrappers"; #TODO: from config.security.wrapperDir; foolVars = { - LOCALSTATE = "/var"; SYSCONF = "/etc"; - LIB = "${system}/lib"; - DATA = "${system}/share"; + DATA = "${system}/share"; # to find share/polkit-1/actions of other apps at runtime }; in stdenv.mkDerivation rec { - name = "polkit-0.105"; + name = "polkit-0.112"; src = fetchurl { url = "http://www.freedesktop.org/software/polkit/releases/${name}.tar.gz"; - sha256 = "1pz1hn4z0f1wk4f7w8q1g6ygwan1b6kxmfad3b7gql27pb47rp4g"; + sha256 = "1xkary7yirdcjdva950nqyhmsz48qhrdsr78zciahj27p8yg95fn"; }; buildInputs = - [ pkgconfig glib expat pam intltool gobjectIntrospection ] + [ pkgconfig glib expat pam intltool spidermonkey gobjectIntrospection ] + ++ [ libxslt docbook_xsl ] # man pages ++ stdenv.lib.optional useSystemd systemd; - configureFlags = "--libexecdir=$(out)/libexec/polkit-1"; - # Ugly hack to overwrite hardcoded directories # TODO: investigate a proper patch which will be accepted upstream + # After update it's good to check the sources via: + # grep '\ config.ids.uids.polkituser + "--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS + ]; makeFlags = '' 
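Review bot: `setuid = "/var/setuid-wrappers"; #TODO: from config.security.wrapperDir` bakes a NixOS-specific path into a package that has no access to NixOS configuration; the usual pattern is a function argument with that default, e.g. `, setuidWrapperDir ? "/var/setuid-wrappers"` in the header (constructed name), so the module can pass `config.security.wrapperDir` through `callPackage`. `"--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS` passes a value the comment itself calls unrecognized; name the impurity it suppresses so the next maintainer can tell when it is safe to drop. The hunk text is garbled after `# grep '\`, so the remaining configure flags could not be reviewed.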
@@ -50,12 +61,7 @@ stdenv.mkDerivation rec { INTROSPECTION_TYPELIBDIR=$(out)lib/girepository-1.0 ''; - postInstall = - '' - # Allow some files with paranoid permissions to be stripped in - # the fixup phase. - chmod a+rX -R $out - ''; + #doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs meta = with stdenv.lib; { homepage = http://www.freedesktop.org/wiki/Software/polkit; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b5737918cff8..9a4118098a5f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5400,7 +5400,9 @@ let podofo = callPackage ../development/libraries/podofo { }; - polkit = callPackage ../development/libraries/polkit { }; + polkit = callPackage ../development/libraries/polkit { + spidermonkey = spidermonkey_185; + }; polkit_qt_1 = callPackage ../development/libraries/polkit-qt-1 { }; -- cgit 1.4.1 From cd49dfd335104a84aeeda2826af8ccfd41b2a5b9 Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Sat, 2 Nov 2013 07:37:33 +0100 Subject: polkit WIP: resurrect the forgotten polkituser It needs no group anymore. I hope it won't clash with leftovers from previous usage of the user. --- nixos/modules/misc/ids.nix | 2 +- nixos/modules/security/polkit.nix | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'nixos') diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index e3edc9dda6b6..29a29834e973 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -140,7 +140,7 @@ tape = 25; video = 26; dialout = 27; - polkituser = 28; + #polkituser = 28; # currently unused, polkitd doesn't need a group utmp = 29; davfs2 = 31; privoxy = 32; diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index e3cca533e548..940e87e0b024 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix 
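Review bot: `#doCheck = true; # some /bin/bash problem ...` is commented-out code standing in for a decision; either leave `doCheck` at its default with a comment explaining why the test suite is skipped, or fix the shebang issue (a `preCheck` that runs `patchShebangs` over the test directory is the usual remedy). Dropping the `chmod a+rX -R $out` postInstall also drops the step that let paranoid-permission files be stripped in the fixup phase; if the 0.112 install no longer produces such files, say so in a comment, otherwise they are installed unstripped. `stdenv.mkDerivation rec {` begins outside the hunk.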
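Review bot: Commenting out `polkituser = 28;` frees gid 28 for reuse rather than retiring it; a group allocated 28 in the future would collide with the `polkituser` group still present on systems deployed before this change, which is exactly the clash the commit message hopes to avoid. Keep the number reserved with a comment that says so, e.g. `# polkituser = 28; # retired, do not reuse: polkitd no longer needs a group`, or leave the allocation in place. Static id tables are normally append-only for this reason.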
@@ -95,6 +95,12 @@ in # configuration. ${pkgs.procps}/bin/pkill -INT -u root -x polkitd ''; + + users.extraUsers.polkituser = { + description = "PolKit daemon"; + uid = config.ids.uids.polkituser; + }; + }; } -- cgit 1.4.1 From 1c0fdf2309fec2c1734cffdf5cdfd8f15c99cbff Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Sat, 2 Nov 2013 12:59:47 +0100 Subject: polkit WIP: enable forgotten config for NetworkManager and only authorize "active" sessions. --- nixos/modules/services/networking/networkmanager.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 1ed4e20b9a59..2e8d17d872d2 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -40,10 +40,11 @@ let polkit.addRule(function(action, subject) { if ( subject.isInGroup("networkmanager") + && subject.active && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 || action.id.indexOf("org.freedesktop.ModemManager.") == 0 )) - { return polkit.Result.YES; } #TODO: active/inactive + { return polkit.Result.YES; } }); ''; @@ -189,8 +190,7 @@ in { systemctl restart NetworkManager ''; - #TODO - #security.polkit.permissions = polkitConf; + security.polkit.extraConfig = polkitConf; # openvpn plugin has only dbus interface services.dbus.packages = cfg.packages ++ [ -- cgit 1.4.1 From 8e0d77632e02720a8adf8126f126990501299191 Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Sat, 16 Nov 2013 20:25:38 +0100 Subject: Revert "new systemd can't inhibit lid switches" This reverts commit f9fb7b7457e636f4f7edff866cee1c1812aa9501. Cf. https://github.com/jcumming/nixos/commit/da2c160471f73af --- nixos/modules/services/x11/display-managers/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'nixos') 
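Review bot: With `&& subject.active` added, the rule returns nothing for inactive sessions, so their requests fall through to the defaults in NetworkManager's own `.policy` files rather than being denied as the old `ResultInactive=no` did; if denial is the intent, add an explicit branch such as `if (subject.isInGroup("networkmanager") && !subject.active) { return polkit.Result.NO; }` before the allow rule. Style: the two `indexOf(...) == 0` prefix checks would read better as `=== 0`. The surrounding `let` binding begins outside the hunk.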
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index bb86786f0f2d..c4fce3706dcd 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -39,6 +39,16 @@ let exec > ~/.xsession-errors 2>&1 ''} + ${optionalString cfg.displayManager.desktopManagerHandlesLidAndPower '' + # Stop systemd from handling the power button and lid switch, + # since presumably the desktop environment will handle these. + if [ -z "$_INHIBITION_LOCK_TAKEN" ]; then + export _INHIBITION_LOCK_TAKEN=1 + exec ${config.systemd.package}/bin/systemd-inhibit --what=handle-lid-switch:handle-power-key "$0" "$sessionType" + fi + + ''} + ${optionalString cfg.startOpenSSHAgent '' if test -z "$SSH_AUTH_SOCK"; then # Restart this script as a child of the SSH agent. (It is -- cgit 1.4.1 From c33c2e68e461a7c244aaf3d50f579a069e4b3f12 Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Mon, 18 Nov 2013 21:08:25 +0100 Subject: xfce4notifyd: minor update, add to the default installation --- nixos/modules/services/x11/desktop-managers/xfce.nix | 3 ++- pkgs/desktops/xfce/applications/xfce4-notifyd.nix | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'nixos') diff --git a/nixos/modules/services/x11/desktop-managers/xfce.nix b/nixos/modules/services/x11/desktop-managers/xfce.nix index d20010c70a61..f06544fecc75 100644 --- a/nixos/modules/services/x11/desktop-managers/xfce.nix +++ b/nixos/modules/services/x11/desktop-managers/xfce.nix @@ -72,7 +72,8 @@ in pkgs.xfce.thunar_volman pkgs.xfce.gvfs pkgs.xfce.xfce4_appfinder - pkgs.xfce.tumbler + pkgs.xfce.tumbler # found via dbus + pkgs.xfce.xfce4notifyd # found via dbus ] ++ optional config.powerManagement.enable pkgs.xfce.xfce4_power_manager; diff --git a/pkgs/desktops/xfce/applications/xfce4-notifyd.nix b/pkgs/desktops/xfce/applications/xfce4-notifyd.nix index 5873ef9cd68e..ace7aa7a2c77 100644 
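Review bot: The re-added `systemd-inhibit` call sets `--what` but not `--who`/`--why`, so the lock appears in `systemd-inhibit --list` with only a generic reason; `--who="$USER" --why="desktop environment handles lid switch and power key"` makes the holder and purpose visible to an administrator debugging suspend behaviour. The `_INHIBITION_LOCK_TAKEN` guard is exported into the whole session, so anything that re-runs this script from inside the session will skip taking the inhibitor; that is fine for the normal case but deserves a line in the comment above it. Since the reverted commit's message claims the newer systemd cannot inhibit lid switches, the revert message should record which systemd version the inhibitor was verified against rather than only linking the external commit.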
--- a/pkgs/desktops/xfce/applications/xfce4-notifyd.nix +++ b/pkgs/desktops/xfce/applications/xfce4-notifyd.nix @@ -4,11 +4,11 @@ stdenv.mkDerivation rec { p_name = "xfce4-notifyd"; ver_maj = "0.2"; - ver_min = "3"; + ver_min = "4"; src = fetchurl { url = "mirror://xfce/src/apps/${p_name}/${ver_maj}/${name}.tar.bz2"; - sha256 = "0fx6z89rxs6ypb8bb6l1pg8fdbxn995fgs413sbhnaxjkm6gch6x"; + sha256 = "1l6fpfk0fkizdx7vwbyjdyzzj5i2ng8pf7r8j49nv0cnjhpxczlc"; }; name = "${p_name}-${ver_maj}.${ver_min}"; -- cgit 1.4.1