-rw-r--r--nixos/modules/misc/ids.nix2
-rw-r--r--nixos/modules/security/polkit.nix83
-rw-r--r--nixos/modules/services/networking/networkmanager.nix15
-rw-r--r--pkgs/development/interpreters/spidermonkey/185-1.0.0.nix6
-rw-r--r--pkgs/development/libraries/polkit/default.nix54
-rw-r--r--pkgs/top-level/all-packages.nix4
6 files changed, 84 insertions, 80 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index e3edc9dda6b..29a29834e97 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -140,7 +140,7 @@
       tape = 25;
       video = 26;
       dialout = 27;
-      polkituser = 28;
+      #polkituser = 28; # currently unused, polkitd doesn't need a group
       utmp = 29;
       davfs2 = 31;
       privoxy = 32;
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index cafa9f82d5e..940e87e0b02 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -18,35 +18,17 @@ in
       description = "Whether to enable PolKit.";
     };
 
-    security.polkit.permissions = mkOption {
+    security.polkit.extraConfig = mkOption {
       type = types.lines;
       default = "";
       example =
         ''
-          [Disallow Users To Suspend]
-          Identity=unix-group:users
-          Action=org.freedesktop.upower.*
-          ResultAny=no
-          ResultInactive=no
-          ResultActive=no
-
-          [Allow Anybody To Eject Disks]
-          Identity=unix-user:*
-          Action=org.freedesktop.udisks.drive-eject
-          ResultAny=yes
-          ResultInactive=yes
-          ResultActive=yes
-
-          [Allow Alice To Mount Filesystems After Admin Authentication]
-          Identity=unix-user:alice
-          Action=org.freedesktop.udisks.filesystem-mount
-          ResultAny=auth_admin
-          ResultInactive=auth_admin
-          ResultActive=auth_admin
+          TODO
         '';
       description =
         ''
-          Allows the default permissions of privileged actions to be overridden.
+          Any polkit rules to be added to config (in JavaScript ;-). See:
+          http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
         '';
     };
 
@@ -71,29 +53,23 @@ in
 
     environment.systemPackages = [ pkgs.polkit ];
 
-    # The polkit daemon reads action files
-    environment.pathsToLink = [ "/share/polkit-1/actions" ];
-
-    environment.etc =
-      [ # No idea what the "null backend" is, but it seems to need this.
-        { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
-          target = "polkit-1/nullbackend.conf.d";
-        }
-
-        # This file determines what users are considered
-        # "administrators".
-        { source = pkgs.writeText "10-nixos.conf"
-            ''
-              [Configuration]
-              AdminIdentities=${cfg.adminIdentities}
-            '';
-          target = "polkit-1/localauthority.conf.d/10-nixos.conf";
-        }
-
-        { source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
-          target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
-        }
-      ];
+    systemd.packages = [ pkgs.polkit ];
+
+    # The polkit daemon reads action/rule files
+    environment.pathsToLink = [ "/share/polkit-1" ];
+
+    # PolKit rules for NixOS
+    environment.etc = [ {
+      source = pkgs.writeText "10-nixos.conf"
+        ''
+          polkit.addAdminRule(function(action, subject) {
+            return ["${cfg.adminIdentities}"];
+          });
+
+          ${cfg.extraConfig}
+        ''; #TODO: validation on compilation (at least against typos)
+      target = "polkit-1/rules.d/10-nixos.conf";
+    } ];
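Review bot: The rules file is installed as `polkit-1/rules.d/10-nixos.conf`, but as far as I recall polkitd's JavaScript authority only loads files from rules.d whose name ends in `.rules`, so both the admin rule and `extraConfig` would be silently ignored; `target = "polkit-1/rules.d/10-nixos.rules";` (with the matching `writeText` name) fixes that. The admin rule also returns `["${cfg.adminIdentities}"]`, a single-element array, whereas the removed `AdminIdentities=` line took a `;`-separated list — if the option keeps that format (its definition is outside this hunk), a multi-identity value becomes one unrecognised identity string, and any `"` in it breaks the script; `return "${cfg.adminIdentities}".split(";");` keeps the old format working. The `#TODO: validation on compilation` comment is fair, but until then a typo in `extraConfig` fails only at runtime, where a broken rules file leaves policy at polkit's built-in defaults. The enclosing `config` attribute set continues outside the hunk.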
 
     services.dbus.packages = [ pkgs.polkit ];
 
@@ -101,24 +77,31 @@ in
 
     security.setuidPrograms = [ "pkexec" ];
 
-    security.setuidOwners = singleton
+    security.setuidOwners = [
       { program = "polkit-agent-helper-1";
         owner = "root";
         group = "root";
         setuid = true;
-        source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
-      };
+        source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
+      }
+    ];
 
     system.activationScripts.polkit =
       ''
-        mkdir -p /var/lib/polkit-1/localauthority
-        chmod 700 /var/lib/polkit-1{/localauthority,}
+        # Probably no more needed, clean up
+        rm -rf /var/lib/{polkit-1,PolicyKit}
 
         # Force polkitd to be restarted so that it reloads its
         # configuration.
         ${pkgs.procps}/bin/pkill -INT -u root -x polkitd
       '';
 
+    users.extraUsers.polkituser = {
+      description = "PolKit daemon";
+      uid = config.ids.uids.polkituser;
+    };
+
   };
 
 }
+
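Review bot: With `--with-polkitd-user=polkituser` in the package, the daemon presumably drops privileges to `polkituser` after start-up, so `pkill -INT -u root -x polkitd` in the activation script would no longer match the running daemon and its stated purpose, reloading configuration, is defeated; `${pkgs.procps}/bin/pkill -INT -u root,polkituser -x polkitd` covers both the pre-drop and post-drop owner. Separately, `rm -rf /var/lib/{polkit-1,PolicyKit}` runs on every activation rather than once as a migration, so if 0.112 still keeps anything under `/var/lib/polkit-1` it is wiped on each switch; the `# Probably no more needed` comment deserves confirmation before this ships. `uid = config.ids.uids.polkituser` relies on a uid entry in ids.nix that this diff does not show (the ids.nix hunk only comments out the gid), so please confirm it exists. The enclosing module body continues outside the hunk.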
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index ad6f9858aaf..2e8d17d872d 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -21,7 +21,7 @@ let
     level=WARN
   '';
 
-  polkitConf = ''
+  /*
     [network-manager]
     Identity=unix-group:networkmanager
     Action=org.freedesktop.NetworkManager.*
@@ -35,6 +35,17 @@ let
     ResultAny=yes
     ResultInactive=no
     ResultActive=yes
+  */
+  polkitConf = ''
+    polkit.addRule(function(action, subject) {
+      if (
+        subject.isInGroup("networkmanager")
+        && subject.active
+        && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+            || action.id.indexOf("org.freedesktop.ModemManager.")  == 0
+        ))
+          { return polkit.Result.YES; }
+    });
   '';
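Review bot: The new rule grants `polkit.Result.YES` only when `subject.active`, while the commented-out pkla block it replaces ended with `ResultAny=yes`, so callers without an active local session (for example over SSH) that previously matched would now fall through to polkit's defaults. That is a reasonable tightening, but it is a behaviour change for `networkmanager` group members and should be stated, e.g. `# Unlike the old pkla rule (ResultAny=yes), an active local session is now required`. The old block survives as a `/* … */` comment spanning this and the previous hunk; configuration in a retired format is better deleted than commented out, since a reader may take it for the effective policy. The `let` binding continues outside the hunk.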
 
   ipUpScript = writeScript "01nixos-ip-up" ''
@@ -179,7 +190,7 @@ in {
       systemctl restart NetworkManager
     '';
 
-    security.polkit.permissions = polkitConf;
+    security.polkit.extraConfig = polkitConf;
 
     # openvpn plugin has only dbus interface
     services.dbus.packages = cfg.packages ++ [
diff --git a/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix b/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix
index 55e0dada71e..1c0d77345b7 100644
--- a/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix
+++ b/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, autoconf213, nspr, perl, python, readline, zip }:
+{ stdenv, fetchurl, pkgconfig, autoconf213, nspr, perl, python, readline, zip }:
 
 stdenv.mkDerivation rec {
   version = "185-1.0.0";
@@ -9,7 +9,9 @@ stdenv.mkDerivation rec {
     sha256 = "5d12f7e1f5b4a99436685d97b9b7b75f094d33580227aa998c406bbae6f2a687";
   };
 
-  buildInputs = [ autoconf213 nspr perl python readline zip ];
+  propagatedBuildInputs = [ nspr ];
+
+  buildInputs = [ pkgconfig autoconf213 perl python readline zip ];
 
   postUnpack = "sourceRoot=\${sourceRoot}/js/src";
 
diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix
index 9d1f0d18c1a..821e66ea0b3 100644
--- a/pkgs/development/libraries/polkit/default.nix
+++ b/pkgs/development/libraries/polkit/default.nix
@@ -1,48 +1,59 @@
-{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, gettext
-, gobjectIntrospection
+{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, spidermonkey
+, gobjectIntrospection, libxslt, docbook_xsl
 , useSystemd ? stdenv.isLinux, systemd }:
 
 let
 
   system = "/var/run/current-system/sw";
+  setuid = "/var/setuid-wrappers"; #TODO: from <nixos> config.security.wrapperDir;
 
   foolVars = {
-    LOCALSTATE = "/var";
     SYSCONF = "/etc";
-    LIB = "${system}/lib";
-    DATA = "${system}/share";
+    DATA = "${system}/share"; # to find share/polkit-1/actions of other apps at runtime
   };
 
 in
 
 stdenv.mkDerivation rec {
-  name = "polkit-0.105";
+  name = "polkit-0.112";
 
   src = fetchurl {
     url = "http://www.freedesktop.org/software/polkit/releases/${name}.tar.gz";
-    sha256 = "1pz1hn4z0f1wk4f7w8q1g6ygwan1b6kxmfad3b7gql27pb47rp4g";
+    sha256 = "1xkary7yirdcjdva950nqyhmsz48qhrdsr78zciahj27p8yg95fn";
   };
 
   buildInputs =
-    [ pkgconfig glib expat pam intltool gobjectIntrospection ]
+    [ pkgconfig glib expat pam intltool spidermonkey gobjectIntrospection ]
+    ++ [ libxslt docbook_xsl ] # man pages
     ++ stdenv.lib.optional useSystemd systemd;
 
-  configureFlags = "--libexecdir=$(out)/libexec/polkit-1";
-
   # Ugly hack to overwrite hardcoded directories
   # TODO: investigate a proper patch which will be accepted upstream
+  # After update it's good to check the sources via:
+  #   grep '\<PACKAGE_' '--include=*.[ch]' -R
   CFLAGS = stdenv.lib.concatStringsSep " "
     ( map (var: ''-DPACKAGE_${var}_DIR=\""${builtins.getAttr var foolVars}"\"'')
         (builtins.attrNames foolVars) );
 
-  preBuild =
-    ''
-      # ‘libpolkit-agent-1.so’ should call the setuid wrapper on
-      # NixOS.  Hard-coding the path is kinda ugly.  Maybe we can just
-      # call through $PATH, but that might have security implications.
-      substituteInPlace src/polkitagent/polkitagentsession.c \
-        --replace PACKAGE_LIBEXEC_DIR '"/var/setuid-wrappers"'
-    '';
+  preConfigure = ''
+    patchShebangs .
+  '' + stdenv.lib.optionalString useSystemd /* bogus chroot detection */ ''
+    sed '/libsystemd-login autoconfigured, but system does not appear to use systemd/s/.*/:/' -i configure
+  ''
+    # ‘libpolkit-agent-1.so’ should call the setuid wrapper on
+    # NixOS.  Hard-coding the path is kinda ugly.  Maybe we can just
+    # call through $PATH, but that might have security implications.
+  + ''
+    substituteInPlace src/polkitagent/polkitagentsession.c \
+      --replace   'PACKAGE_PREFIX "/lib/polkit-1/'   '"${setuid}/'
+  '';
+
+  configureFlags = [
+    #"--libexecdir=$(out)/libexec/polkit-1" # this and localstatedir are ignored by configure
+    "--with-systemdsystemunitdir=$(out)/etc/systemd/system"
+    "--with-polkitd-user=polkituser" #TODO? <nixos> config.ids.uids.polkituser
+    "--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS
+  ];
 
   makeFlags =
     ''
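Review bot: The `substituteInPlace … --replace 'PACKAGE_PREFIX "/lib/polkit-1/' '"${setuid}/'` in `preConfigure` does not fail when the pattern is absent, and this commit moves to a new upstream version where that exact token sequence may differ; a silent no-op would leave `libpolkit-agent-1.so` invoking the non-setuid helper from the store path, so authentication would fail without any build-time indication. Add `grep -q '"${setuid}/' src/polkitagent/polkitagentsession.c` directly after the substitution so the build aborts instead. The `sed` on `configure` that neutralises the systemd chroot check has the same silent-failure shape and would benefit from a similar assertion. The `mkDerivation` continues outside the hunk.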
@@ -50,12 +61,7 @@ stdenv.mkDerivation rec {
       INTROSPECTION_TYPELIBDIR=$(out)lib/girepository-1.0
     '';
 
-  postInstall =
-    ''
-      # Allow some files with paranoid permissions to be stripped in
-      # the fixup phase.
-      chmod a+rX -R $out
-    '';
+  #doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs
 
   meta = with stdenv.lib; {
     homepage = http://www.freedesktop.org/wiki/Software/polkit;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index b5737918cff..9a4118098a5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5400,7 +5400,9 @@ let
 
   podofo = callPackage ../development/libraries/podofo { };
 
-  polkit = callPackage ../development/libraries/polkit { };
+  polkit = callPackage ../development/libraries/polkit {
+    spidermonkey = spidermonkey_185;
+  };
 
   polkit_qt_1 = callPackage ../development/libraries/polkit-qt-1 { };