author | Vladimír Čunát <vcunat@gmail.com> | 2013-11-09 18:41:42 +0100 |
committer | Vladimír Čunát <vcunat@gmail.com> | 2013-11-09 18:41:42 +0100 |
commit | 619a1f561480a300ce28f0f471e73fecda85fd60 (patch) | |
tree | c9e3906af08d9dd70e5b400cb70a52f8422b0724 /nixos | |
parent | a131ce533d98eb587d76dd8e2afc6e19568cd7e1 (diff) | |
parent | 8d14c7baa6b293b3b48741b203400116ed9882ab (diff) | |
changes proposed for 13-10 update
One feature change: polkit update 8d14c7ba
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 | ||||
-rw-r--r-- | nixos/modules/misc/version.nix | 2 | ||||
-rw-r--r-- | nixos/modules/security/polkit.nix | 83 | ||||
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 15 |
4 files changed, 48 insertions, 54 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 73134414138..0b4274b13e6 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -141,7 +141,7 @@
  tape = 25;
  video = 26;
  dialout = 27;
- polkituser = 28;
+ #polkituser = 28; # currently unused, polkitd doesn't need a group
  utmp = 29;
  davfs2 = 31;
  privoxy = 32;
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index ae9fb5fb2a0..41f75483f95 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -33,7 +33,7 @@ with pkgs.lib;
  system.defaultChannel = mkOption {
  internal = true;
  type = types.str;
- default = https://nixos.org/channels/nixos-unstable;
+ default = https://nixos.org/channels/nixos-13.10;
  description = "Default NixOS channel to which the root user is subscribed.";
  };
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index cafa9f82d5e..940e87e0b02 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -18,35 +18,17 @@ in
  description = "Whether to enable PolKit.";
  };
- security.polkit.permissions = mkOption {
+ security.polkit.extraConfig = mkOption {
  type = types.lines;
  default = "";
  example = ''
- [Disallow Users To Suspend]
- Identity=unix-group:users
- Action=org.freedesktop.upower.*
- ResultAny=no
- ResultInactive=no
- ResultActive=no
-
- [Allow Anybody To Eject Disks]
- Identity=unix-user:*
- Action=org.freedesktop.udisks.drive-eject
- ResultAny=yes
- ResultInactive=yes
- ResultActive=yes
-
- [Allow Alice To Mount Filesystems After Admin Authentication]
- Identity=unix-user:alice
- Action=org.freedesktop.udisks.filesystem-mount
- ResultAny=auth_admin
- ResultInactive=auth_admin
- ResultActive=auth_admin
+ TODO
  '';
  description = ''
- Allows the default permissions of privileged actions to be overridden.
+ Any polkit rules to be added to config (in JavaScript ;-). See:
+ http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
  '';
  };
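Review bot: The `example` of the new `security.polkit.extraConfig` option is the literal placeholder `TODO`, and that is what the options manual will render; either supply a real `polkit.addRule(...)` snippet or drop the `example` attribute until one exists. The description could also state the contract the implementation relies on: the value is inserted verbatim into the NixOS rules file that polkitd evaluates, so it must be valid JavaScript, and a parse error in it affects every rule in that file (which is what the `#TODO: validation on compilation` in the next hunk is about). Suggested wording: `Polkit rules, as JavaScript, appended verbatim to the NixOS rules file evaluated by polkitd; a syntax error disables the whole file. See: http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules`.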
@@ -71,29 +53,23 @@ in
  environment.systemPackages = [ pkgs.polkit ];
- # The polkit daemon reads action files
- environment.pathsToLink = [ "/share/polkit-1/actions" ];
-
- environment.etc =
- [ # No idea what the "null backend" is, but it seems to need this.
- { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
- target = "polkit-1/nullbackend.conf.d";
- }
-
- # This file determines what users are considered
- # "administrators".
- { source = pkgs.writeText "10-nixos.conf"
- ''
- [Configuration]
- AdminIdentities=${cfg.adminIdentities}
- '';
- target = "polkit-1/localauthority.conf.d/10-nixos.conf";
- }
-
- { source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
- target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
- }
- ];
+ systemd.packages = [ pkgs.polkit ];
+
+ # The polkit daemon reads action/rule files
+ environment.pathsToLink = [ "/share/polkit-1" ];
+
+ # PolKit rules for NixOS
+ environment.etc = [ {
+ source = pkgs.writeText "10-nixos.conf"
+ ''
+ polkit.addAdminRule(function(action, subject) {
+ return ["${cfg.adminIdentities}"];
+ });
+
+ ${cfg.extraConfig}
+ ''; #TODO: validation on compilation (at least against typos)
+ target = "polkit-1/rules.d/10-nixos.conf";
+ } ];
  services.dbus.packages = [ pkgs.polkit ];
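Review bot: The generated rules file is installed as `polkit-1/rules.d/10-nixos.conf`, but polkitd's JavaScript authority only loads files in `rules.d` whose name ends in `.rules` (see the polkit(8) page the option description links to), so as far as I can tell neither the admin rule nor `extraConfig` would ever take effect; the line should read `target = "polkit-1/rules.d/10-nixos.rules";`. Second, `return ["${cfg.adminIdentities}"];` drops the whole option value into a single JavaScript string literal: the option is declared outside this hunk, and if it keeps the old pkla form (`;`-separated identities, as the removed `AdminIdentities=${cfg.adminIdentities}` suggests) the result is one malformed identity, and any `"` in the value breaks the script. Declaring it as `types.listOf types.str` and rendering `return [${concatStringsSep ", " (map (s: ''"${s}"'') cfg.adminIdentities)}];` keeps each identity a separate, quoted element. Until the `#TODO: validation on compilation` exists, a typo in `extraConfig` also takes the admin rule in the same file down with it, so writing `extraConfig` to a second `*.rules` file under `rules.d` would keep the two failure domains apart.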
@@ -101,24 +77,31 @@ in
  security.setuidPrograms = [ "pkexec" ];
- security.setuidOwners = singleton
+ security.setuidOwners = [
  { program = "polkit-agent-helper-1";
  owner = "root";
  group = "root";
  setuid = true;
- source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
- };
+ source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
+ }
+ ];
  system.activationScripts.polkit = ''
- mkdir -p /var/lib/polkit-1/localauthority
- chmod 700 /var/lib/polkit-1{/localauthority,}
+ # Probably no more needed, clean up
+ rm -rf /var/lib/{polkit-1,PolicyKit}
  # Force polkitd to be restarted so that it reloads its
  # configuration.
  ${pkgs.procps}/bin/pkill -INT -u root -x polkitd
  '';
+ users.extraUsers.polkituser = {
+ description = "PolKit daemon";
+ uid = config.ids.uids.polkituser;
+ };
+
  };
  }
+
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index ad6f9858aaf..2e8d17d872d 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -21,7 +21,7 @@ let
  level=WARN
  '';
- polkitConf = ''
+ /*
  [network-manager]
  Identity=unix-group:networkmanager
  Action=org.freedesktop.NetworkManager.*
@@ -35,6 +35,17 @@ let
  ResultAny=yes
  ResultInactive=no
  ResultActive=yes
+ */
+ polkitConf = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.isInGroup("networkmanager")
+ && subject.active
+ && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+ || action.id.indexOf("org.freedesktop.ModemManager.") == 0
+ ))
+ { return polkit.Result.YES; }
+ });
  '';
  ipUpScript = writeScript "01nixos-ip-up" ''
@@ -179,7 +190,7 @@ in {
  systemctl restart NetworkManager
  '';
- security.polkit.permissions = polkitConf;
+ security.polkit.extraConfig = polkitConf;
  # openvpn plugin has only dbus interface
  services.dbus.packages = cfg.packages ++ [
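Review bot: `rm -rf /var/lib/{polkit-1,PolicyKit}` in `system.activationScripts.polkit` runs on every activation rather than once, and the accompanying `# Probably no more needed, clean up` says the author is not certain the directories are unused; an unconditional recursive delete of state directories on each boot or switch is a poor shape for a migration step. Guard it on the old layout so it only fires when there is something to migrate and can be dropped in a later release, e.g. `if [ -d /var/lib/polkit-1/localauthority ]; then rm -rf /var/lib/polkit-1 /var/lib/PolicyKit; fi` (`localauthority` is the directory the removed `mkdir -p` used to create). The new `users.extraUsers.polkituser` reads `config.ids.uids.polkituser` while the ids.nix hunk earlier in this commit comments out the polkituser *gid*; the uid entry is outside this diff, so please confirm it still exists, otherwise evaluation fails.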
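Review bot: The new JavaScript rule in `polkitConf` returns `polkit.Result.YES` only when `subject.active` holds, whereas the pkla stanza now commented out just above it ends in `ResultAny=yes` / `ResultInactive=no` / `ResultActive=yes`, i.e. it also granted subjects outside an active local session (that stanza's `Action=` line falls between the hunks, so this is inferred from the visible tail). If tightening access for the `networkmanager` group is intended, say so in a comment next to `&& subject.active`; otherwise that conjunct changes behaviour silently. The `/* … */` pkla block is dead configuration once the rule exists and should be deleted rather than kept alongside its replacement. Style: `action.id.indexOf(...) == 0` works in polkitd's engine, but `=== 0` is the conventional JavaScript form.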