summaryrefslogtreecommitdiff
path: root/sys-auth
diff options
context:
space:
mode:
Diffstat (limited to 'sys-auth')
-rw-r--r--sys-auth/Manifest.gzbin9248 -> 9250 bytes
-rw-r--r--sys-auth/polkit/Manifest4
-rw-r--r--sys-auth/polkit/files/polkit-123-mozjs-JIT.patch36
-rw-r--r--sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch35
-rw-r--r--sys-auth/polkit/polkit-123.ebuild162
5 files changed, 237 insertions, 0 deletions
diff --git a/sys-auth/Manifest.gz b/sys-auth/Manifest.gz
index 4339696a38e4..e7f477eb305e 100644
--- a/sys-auth/Manifest.gz
+++ b/sys-auth/Manifest.gz
Binary files differ
diff --git a/sys-auth/polkit/Manifest b/sys-auth/polkit/Manifest
index 84ff3ddf92ef..9710d91bbec7 100644
--- a/sys-auth/polkit/Manifest
+++ b/sys-auth/polkit/Manifest
@@ -1,4 +1,8 @@
AUX polkit-122-libs-only-postinstall.patch 944 BLAKE2B bfd6dc47e477b80b3fc3b10a35f95fed5988a2ce07a1cb3b4df1e76fd364a7b456d28d2dab93acc84374653a7e433cb3151b7d82e34a0265525e62681045928b SHA512 3cd1d686db1125120d7bc493f871c027fc52599bde073b76287ed8c27c4f9e7b3516b23611dc7c0838519acce95cf2f01c40f0777e8527e012f1bcb4d0ac29c3
+AUX polkit-123-mozjs-JIT.patch 1000 BLAKE2B 8754b7647923280842f06228d93ad2d48381e1b72792f519eceaf8021176268e13b153e11e8fe7c6b231293bd0e7c5010235df15b4c52df7043f6ad0092617fe SHA512 0e892643e400e625f13fe6fe5255190c41bb6d4a6d2d8fa8e9e6d65a2749712f86e80c089d569dafb728dbf354b1861fb53b72b85983d4904c219634b0e66415
+AUX polkit-123-pkexec-uninitialized.patch 1118 BLAKE2B a6abfa5a67612c305823d43fc33332d4c58cef676a8e92f51e702861ac986092f50acc641b1fb0c0e020ce6ad33a971d9332b53f6db3cf7e49c1e580e3bec418 SHA512 90c62d553f84b4fa4f1a9fe30e12596b5214b7db52576b9de3fdb7ae2bd7299e38e8bf4a2eb2f43b23464f9750b31cd2e62d6185082fa24a25a4de1fdf4d038c
DIST polkit-122.tar.bz2 704972 BLAKE2B 601ed969de816d061a974b07490d64c144940898a75d4e1761462ee1ff0f00686b068298fa6fdc901879d8cd4bea4334c0187aa5bde50acf90728c37e73e21f4 SHA512 a7c0a951bbcdb09899adbc128296c74fc062441e996f4d6a782b214178f0936137e2fdc489eaa86a00599b988711735a5bd9b5c3b93bdb42fb915db9f9b04e26
+DIST polkit-123.tar.bz2 707480 BLAKE2B 27d8764606d8156118269fb4cd5eda1cfd0d56df219e4157cd78fd4c2a2d001c474271b7bb31e7e82ca376eacd26411418695058cc888700690606348b4d014a SHA512 4306363d3ed7311243de462832199bd10ddda35e36449104daff0895725d8189b07a4c88340f28607846fdf761c23470da2d43288199c46aa816426384124bb6
EBUILD polkit-122-r1.ebuild 4055 BLAKE2B bfec1bafa233c9f40d6416224b6f69cce2924092da83a213b7aa0565f93e2ba035016ba21ee2ebf88af5fb8815be23a311e4a05d9bfbac20c1afddcbe85f89db SHA512 175ffb9f05a563429d87993d0c8506d397373b8c2c3cf5038fa9fd8344427209237966416585c56d9b8df40c736ca7646dfecf88ca847cf14aeb8522054e96a6
+EBUILD polkit-123.ebuild 4110 BLAKE2B 65742a7ddfce482d87b77d07437b3a0d301d15ce14e807eab1c699ff987d5346f8cf8eb02523caa180bae83fdfc4a3a1c5b73ba74d6226e93bb2ce3b3fb44ed3 SHA512 e25d5eb7b64326fe49f6634c74bae404e5fc61b8424c6453addac1fd133155e9f52cf8174718a19a1d2ead1d7afcdabc9220ddee67550844fb94656ca14d6c0d
MISC metadata.xml 688 BLAKE2B 517529c1bf104b638fe33a10b0778ffe048713f9c437b38747eb1d65cf99a0080dfdd56f8c5174f60fec0b1c26f53d967a825760d5a1c8beaf2d048a2d43b7a3 SHA512 7f523ac0693b560e481fe4febeb3b3bc08bb84aa23cbfb99b77baf1399b11b6761493d47d014611ac8e31a4bde472ce536cf5531e9484924117574981f3fd3bb
diff --git a/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch b/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch
new file mode 100644
index 000000000000..5b3f2c4a3641
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch
@@ -0,0 +1,36 @@
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/4b7a5c35fb3dd439e490f8fd6b1265d17c6d4bcb
+
+From 4b7a5c35fb3dd439e490f8fd6b1265d17c6d4bcb Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@xry111.site>
+Date: Sat, 29 Jul 2023 17:44:58 +0800
+Subject: [PATCH] jsauthority: mozjs: Disable JIT
+
+The JIT compiling of mozjs needs W/X mapping, but our systemd hardening
+setting does not allow it.
+
+For polkit, security is much more important than the speed running
+Javascript code in rule files, so we should disable JIT.
+
+Fixes #199.
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -56,7 +56,16 @@
+ static class JsInitHelperType
+ {
+ public:
+- JsInitHelperType() { JS_Init(); }
++ JsInitHelperType()
++ {
++ /* Disable JIT because it needs W/X mapping, which is not allowed by
++ * our systemd hardening setting.
++ */
++ JS::DisableJitBackend();
++
++ JS_Init();
++ }
++
+ ~JsInitHelperType() { JS_ShutDown(); }
+ } JsInitHelper;
+
+--
+GitLab
diff --git a/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch b/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch
new file mode 100644
index 000000000000..f19560943c43
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch
@@ -0,0 +1,35 @@
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/c79ee5595c8d397098978ad50eb521ba2ae8467d
+
+From c79ee5595c8d397098978ad50eb521ba2ae8467d Mon Sep 17 00:00:00 2001
+From: Vincent Mihalkovic <vmihalko@redhat.com>
+Date: Wed, 16 Aug 2023 08:59:55 +0000
+Subject: [PATCH] pkexec: fix uninitialized pointer warning
+
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -53,6 +53,7 @@
+ static gchar *original_user_name = NULL;
+ static gchar *original_cwd;
+ static gchar *command_line = NULL;
++static gchar *cmdline_short = NULL;
+ static struct passwd *pw;
+
+ #ifndef HAVE_CLEARENV
+@@ -508,6 +509,7 @@ main (int argc, char *argv[])
+ path = NULL;
+ exec_argv = NULL;
+ command_line = NULL;
++ cmdline_short = NULL;
+ opt_user = NULL;
+ local_agent_handle = NULL;
+
+@@ -802,7 +804,6 @@ main (int argc, char *argv[])
+ polkit_details_insert (details, "program", path);
+ polkit_details_insert (details, "command_line", command_line);
+
+- gchar *cmdline_short = NULL;
+ cmdline_short = g_strdup(command_line);
+ if (strlen(command_line) > 80)
+ g_stpcpy(g_stpcpy( cmdline_short + 38, " ... " ),
+--
+GitLab
diff --git a/sys-auth/polkit/polkit-123.ebuild b/sys-auth/polkit/polkit-123.ebuild
new file mode 100644
index 000000000000..10339bf91bae
--- /dev/null
+++ b/sys-auth/polkit/polkit-123.ebuild
@@ -0,0 +1,162 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..11} )
+inherit meson pam pax-utils python-any-r1 systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
+if [[ ${PV} == *_p* ]] ; then
+ # Upstream don't make releases very often. Test snapshots throughly
+ # and review commits, but don't shy away if there's useful stuff there
+ # we want.
+ MY_COMMIT=""
+ SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${MY_COMMIT}/polkit-${MY_COMMIT}.tar.bz2 -> ${P}.tar.bz2"
+
+ S="${WORKDIR}"/${PN}-${MY_COMMIT}
+else
+ SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${PV}/${P}.tar.bz2"
+fi
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="+daemon +duktape examples gtk +introspection kde pam selinux systemd test"
+# https://gitlab.freedesktop.org/polkit/polkit/-/issues/181 for test restriction
+RESTRICT="!test? ( test ) test"
+
+# This seems to be fixed with 121?
+#if [[ ${PV} == *_p* ]] ; then
+# RESTRICT="!test? ( test )"
+#else
+# # Tests currently don't work with meson in the dist tarballs. See
+# # https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
+# RESTRICT="test"
+#fi
+
+BDEPEND="
+ acct-user/polkitd
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/docbook-xsl-stylesheets
+ dev-libs/glib
+ dev-libs/gobject-introspection-common
+ dev-libs/libxslt
+ dev-util/glib-utils
+ sys-devel/gettext
+ virtual/pkgconfig
+ introspection? ( >=dev-libs/gobject-introspection-0.6.2 )
+ test? (
+ $(python_gen_any_dep '
+ dev-python/dbus-python[${PYTHON_USEDEP}]
+ dev-python/python-dbusmock[${PYTHON_USEDEP}]
+ ')
+ )
+"
+DEPEND="
+ >=dev-libs/glib-2.32:2
+ dev-libs/expat
+ daemon? (
+ duktape? ( dev-lang/duktape:= )
+ !duktape? ( dev-lang/spidermonkey:102[-debug] )
+ )
+ pam? (
+ sys-auth/pambase
+ sys-libs/pam
+ )
+ !pam? ( virtual/libcrypt:= )
+ systemd? ( sys-apps/systemd:0=[policykit] )
+ !systemd? ( sys-auth/elogind )
+"
+RDEPEND="
+ ${DEPEND}
+ acct-user/polkitd
+ selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+ gtk? ( || (
+ >=gnome-extra/polkit-gnome-0.105
+ >=lxde-base/lxsession-0.5.2
+ ) )
+ kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING.md NEWS.md README.md )
+
+QA_MULTILIB_PATHS="
+ usr/lib/polkit-1/polkit-agent-helper-1
+ usr/lib/polkit-1/polkitd
+"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-mozjs-JIT.patch
+ "${FILESDIR}"/${P}-pkexec-uninitialized.patch
+)
+
+python_check_deps() {
+ python_has_version "dev-python/dbus-python[${PYTHON_USEDEP}]" &&
+ python_has_version "dev-python/python-dbusmock[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+ use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+ default
+
+ # bug #401513
+ sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die
+}
+
+src_configure() {
+ xdg_environment_reset
+
+ local emesonargs=(
+ --localstatedir="${EPREFIX}"/var
+ -Dauthfw="$(usex pam pam shadow)"
+ -Dexamples=false
+ -Dgtk_doc=false
+ -Dman=true
+ -Dos_type=gentoo
+ -Dsession_tracking="$(usex systemd libsystemd-login libelogind)"
+ -Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
+ -Djs_engine=$(usex duktape duktape mozjs)
+ $(meson_use !daemon libs-only)
+ $(meson_use introspection)
+ $(meson_use test tests)
+ $(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '')
+ )
+ meson_src_configure
+}
+
+src_compile() {
+ meson_src_compile
+
+ # Required for polkitd on hardened/PaX due to spidermonkey's JIT
+ pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+ meson_src_install
+
+ if use examples ; then
+ docinto examples
+ dodoc src/examples/{*.c,*.policy*}
+ fi
+
+ if use daemon; then
+ if [[ ${EUID} == 0 ]]; then
+ diropts -m 0700 -o polkitd
+ fi
+ keepdir /etc/polkit-1/rules.d
+ fi
+}
+
+pkg_postinst() {
+ if use daemon && [[ ${EUID} == 0 ]]; then
+ chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+ chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+ fi
+}