diff options
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/Manifest.gz | bin | 9248 -> 9250 bytes | |||
-rw-r--r-- | sys-auth/polkit/Manifest | 4 | ||||
-rw-r--r-- | sys-auth/polkit/files/polkit-123-mozjs-JIT.patch | 36 | ||||
-rw-r--r-- | sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch | 35 | ||||
-rw-r--r-- | sys-auth/polkit/polkit-123.ebuild | 162 |
5 files changed, 237 insertions, 0 deletions
diff --git a/sys-auth/Manifest.gz b/sys-auth/Manifest.gz Binary files differindex 4339696a38e4..e7f477eb305e 100644 --- a/sys-auth/Manifest.gz +++ b/sys-auth/Manifest.gz diff --git a/sys-auth/polkit/Manifest b/sys-auth/polkit/Manifest index 84ff3ddf92ef..9710d91bbec7 100644 --- a/sys-auth/polkit/Manifest +++ b/sys-auth/polkit/Manifest @@ -1,4 +1,8 @@ AUX polkit-122-libs-only-postinstall.patch 944 BLAKE2B bfd6dc47e477b80b3fc3b10a35f95fed5988a2ce07a1cb3b4df1e76fd364a7b456d28d2dab93acc84374653a7e433cb3151b7d82e34a0265525e62681045928b SHA512 3cd1d686db1125120d7bc493f871c027fc52599bde073b76287ed8c27c4f9e7b3516b23611dc7c0838519acce95cf2f01c40f0777e8527e012f1bcb4d0ac29c3 +AUX polkit-123-mozjs-JIT.patch 1000 BLAKE2B 8754b7647923280842f06228d93ad2d48381e1b72792f519eceaf8021176268e13b153e11e8fe7c6b231293bd0e7c5010235df15b4c52df7043f6ad0092617fe SHA512 0e892643e400e625f13fe6fe5255190c41bb6d4a6d2d8fa8e9e6d65a2749712f86e80c089d569dafb728dbf354b1861fb53b72b85983d4904c219634b0e66415 +AUX polkit-123-pkexec-uninitialized.patch 1118 BLAKE2B a6abfa5a67612c305823d43fc33332d4c58cef676a8e92f51e702861ac986092f50acc641b1fb0c0e020ce6ad33a971d9332b53f6db3cf7e49c1e580e3bec418 SHA512 90c62d553f84b4fa4f1a9fe30e12596b5214b7db52576b9de3fdb7ae2bd7299e38e8bf4a2eb2f43b23464f9750b31cd2e62d6185082fa24a25a4de1fdf4d038c DIST polkit-122.tar.bz2 704972 BLAKE2B 601ed969de816d061a974b07490d64c144940898a75d4e1761462ee1ff0f00686b068298fa6fdc901879d8cd4bea4334c0187aa5bde50acf90728c37e73e21f4 SHA512 a7c0a951bbcdb09899adbc128296c74fc062441e996f4d6a782b214178f0936137e2fdc489eaa86a00599b988711735a5bd9b5c3b93bdb42fb915db9f9b04e26 +DIST polkit-123.tar.bz2 707480 BLAKE2B 27d8764606d8156118269fb4cd5eda1cfd0d56df219e4157cd78fd4c2a2d001c474271b7bb31e7e82ca376eacd26411418695058cc888700690606348b4d014a SHA512 4306363d3ed7311243de462832199bd10ddda35e36449104daff0895725d8189b07a4c88340f28607846fdf761c23470da2d43288199c46aa816426384124bb6 EBUILD polkit-122-r1.ebuild 4055 BLAKE2B bfec1bafa233c9f40d6416224b6f69cce2924092da83a213b7aa0565f93e2ba035016ba21ee2ebf88af5fb8815be23a311e4a05d9bfbac20c1afddcbe85f89db SHA512 175ffb9f05a563429d87993d0c8506d397373b8c2c3cf5038fa9fd8344427209237966416585c56d9b8df40c736ca7646dfecf88ca847cf14aeb8522054e96a6 +EBUILD polkit-123.ebuild 4110 BLAKE2B 65742a7ddfce482d87b77d07437b3a0d301d15ce14e807eab1c699ff987d5346f8cf8eb02523caa180bae83fdfc4a3a1c5b73ba74d6226e93bb2ce3b3fb44ed3 SHA512 e25d5eb7b64326fe49f6634c74bae404e5fc61b8424c6453addac1fd133155e9f52cf8174718a19a1d2ead1d7afcdabc9220ddee67550844fb94656ca14d6c0d MISC metadata.xml 688 BLAKE2B 517529c1bf104b638fe33a10b0778ffe048713f9c437b38747eb1d65cf99a0080dfdd56f8c5174f60fec0b1c26f53d967a825760d5a1c8beaf2d048a2d43b7a3 SHA512 7f523ac0693b560e481fe4febeb3b3bc08bb84aa23cbfb99b77baf1399b11b6761493d47d014611ac8e31a4bde472ce536cf5531e9484924117574981f3fd3bb diff --git a/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch b/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch new file mode 100644 index 000000000000..5b3f2c4a3641 --- /dev/null +++ b/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch @@ -0,0 +1,36 @@ +https://gitlab.freedesktop.org/polkit/polkit/-/commit/4b7a5c35fb3dd439e490f8fd6b1265d17c6d4bcb + +From 4b7a5c35fb3dd439e490f8fd6b1265d17c6d4bcb Mon Sep 17 00:00:00 2001 +From: Xi Ruoyao <xry111@xry111.site> +Date: Sat, 29 Jul 2023 17:44:58 +0800 +Subject: [PATCH] jsauthority: mozjs: Disable JIT + +The JIT compiling of mozjs needs W/X mapping, but our systemd hardening +setting does not allow it. + +For polkit, security is much more important than the speed running +Javascript code in rule files, so we should disable JIT. + +Fixes #199. +--- a/src/polkitbackend/polkitbackendjsauthority.cpp ++++ b/src/polkitbackend/polkitbackendjsauthority.cpp +@@ -56,7 +56,16 @@ + static class JsInitHelperType + { + public: +- JsInitHelperType() { JS_Init(); } ++ JsInitHelperType() ++ { ++ /* Disable JIT because it needs W/X mapping, which is not allowed by ++ * our systemd hardening setting. ++ */ ++ JS::DisableJitBackend(); ++ ++ JS_Init(); ++ } ++ + ~JsInitHelperType() { JS_ShutDown(); } + } JsInitHelper; + +-- +GitLab diff --git a/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch b/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch new file mode 100644 index 000000000000..f19560943c43 --- /dev/null +++ b/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch @@ -0,0 +1,35 @@ +https://gitlab.freedesktop.org/polkit/polkit/-/commit/c79ee5595c8d397098978ad50eb521ba2ae8467d + +From c79ee5595c8d397098978ad50eb521ba2ae8467d Mon Sep 17 00:00:00 2001 +From: Vincent Mihalkovic <vmihalko@redhat.com> +Date: Wed, 16 Aug 2023 08:59:55 +0000 +Subject: [PATCH] pkexec: fix uninitialized pointer warning + +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -53,6 +53,7 @@ + static gchar *original_user_name = NULL; + static gchar *original_cwd; + static gchar *command_line = NULL; ++static gchar *cmdline_short = NULL; + static struct passwd *pw; + + #ifndef HAVE_CLEARENV +@@ -508,6 +509,7 @@ main (int argc, char *argv[]) + path = NULL; + exec_argv = NULL; + command_line = NULL; ++ cmdline_short = NULL; + opt_user = NULL; + local_agent_handle = NULL; + +@@ -802,7 +804,6 @@ main (int argc, char *argv[]) + polkit_details_insert (details, "program", path); + polkit_details_insert (details, "command_line", command_line); + +- gchar *cmdline_short = NULL; + cmdline_short = g_strdup(command_line); + if (strlen(command_line) > 80) + g_stpcpy(g_stpcpy( cmdline_short + 38, " ... " ), +-- +GitLab diff --git a/sys-auth/polkit/polkit-123.ebuild b/sys-auth/polkit/polkit-123.ebuild new file mode 100644 index 000000000000..10339bf91bae --- /dev/null +++ b/sys-auth/polkit/polkit-123.ebuild @@ -0,0 +1,162 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..11} ) +inherit meson pam pax-utils python-any-r1 systemd xdg-utils + +DESCRIPTION="Policy framework for controlling privileges for system-wide services" +HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit" +if [[ ${PV} == *_p* ]] ; then + # Upstream don't make releases very often. Test snapshots throughly + # and review commits, but don't shy away if there's useful stuff there + # we want. + MY_COMMIT="" + SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${MY_COMMIT}/polkit-${MY_COMMIT}.tar.bz2 -> ${P}.tar.bz2" + + S="${WORKDIR}"/${PN}-${MY_COMMIT} +else + SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${PV}/${P}.tar.bz2" +fi + +LICENSE="LGPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="+daemon +duktape examples gtk +introspection kde pam selinux systemd test" +# https://gitlab.freedesktop.org/polkit/polkit/-/issues/181 for test restriction +RESTRICT="!test? ( test ) test" + +# This seems to be fixed with 121? +#if [[ ${PV} == *_p* ]] ; then +# RESTRICT="!test? ( test )" +#else +# # Tests currently don't work with meson in the dist tarballs. See +# # https://gitlab.freedesktop.org/polkit/polkit/-/issues/144 +# RESTRICT="test" +#fi + +BDEPEND=" + acct-user/polkitd + app-text/docbook-xml-dtd:4.1.2 + app-text/docbook-xsl-stylesheets + dev-libs/glib + dev-libs/gobject-introspection-common + dev-libs/libxslt + dev-util/glib-utils + sys-devel/gettext + virtual/pkgconfig + introspection? ( >=dev-libs/gobject-introspection-0.6.2 ) + test? ( + $(python_gen_any_dep ' + dev-python/dbus-python[${PYTHON_USEDEP}] + dev-python/python-dbusmock[${PYTHON_USEDEP}] + ') + ) +" +DEPEND=" + >=dev-libs/glib-2.32:2 + dev-libs/expat + daemon? ( + duktape? ( dev-lang/duktape:= ) + !duktape? ( dev-lang/spidermonkey:102[-debug] ) + ) + pam? ( + sys-auth/pambase + sys-libs/pam + ) + !pam? ( virtual/libcrypt:= ) + systemd? ( sys-apps/systemd:0=[policykit] ) + !systemd? ( sys-auth/elogind ) +" +RDEPEND=" + ${DEPEND} + acct-user/polkitd + selinux? ( sec-policy/selinux-policykit ) +" +PDEPEND=" + gtk? ( || ( + >=gnome-extra/polkit-gnome-0.105 + >=lxde-base/lxsession-0.5.2 + ) ) + kde? ( kde-plasma/polkit-kde-agent ) +" + +DOCS=( docs/TODO HACKING.md NEWS.md README.md ) + +QA_MULTILIB_PATHS=" + usr/lib/polkit-1/polkit-agent-helper-1 + usr/lib/polkit-1/polkitd +" + +PATCHES=( + "${FILESDIR}"/${P}-mozjs-JIT.patch + "${FILESDIR}"/${P}-pkexec-uninitialized.patch +) + +python_check_deps() { + python_has_version "dev-python/dbus-python[${PYTHON_USEDEP}]" && + python_has_version "dev-python/python-dbusmock[${PYTHON_USEDEP}]" +} + +pkg_setup() { + use test && python-any-r1_pkg_setup +} + +src_prepare() { + default + + # bug #401513 + sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die +} + +src_configure() { + xdg_environment_reset + + local emesonargs=( + --localstatedir="${EPREFIX}"/var + -Dauthfw="$(usex pam pam shadow)" + -Dexamples=false + -Dgtk_doc=false + -Dman=true + -Dos_type=gentoo + -Dsession_tracking="$(usex systemd libsystemd-login libelogind)" + -Dsystemdsystemunitdir="$(systemd_get_systemunitdir)" + -Djs_engine=$(usex duktape duktape mozjs) + $(meson_use !daemon libs-only) + $(meson_use introspection) + $(meson_use test tests) + $(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '') + ) + meson_src_configure +} + +src_compile() { + meson_src_compile + + # Required for polkitd on hardened/PaX due to spidermonkey's JIT + pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest +} + +src_install() { + meson_src_install + + if use examples ; then + docinto examples + dodoc src/examples/{*.c,*.policy*} + fi + + if use daemon; then + if [[ ${EUID} == 0 ]]; then + diropts -m 0700 -o polkitd + fi + keepdir /etc/polkit-1/rules.d + fi +} + +pkg_postinst() { + if use daemon && [[ ${EUID} == 0 ]]; then + chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d + chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d + fi +} |