From 8d14c7baa6b293b3b48741b203400116ed9882ab Mon Sep 17 00:00:00 2001
From: Vladimír Čunát
Date: Sat, 9 Nov 2013 16:29:18 +0100
Subject: polkit: major update 0.105 -> 0.112

- It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager.
- I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion.
---
 nixos/modules/misc/ids.nix | 2 +-
 nixos/modules/security/polkit.nix | 83 +++++++++------------
 .../modules/services/networking/networkmanager.nix | 15 +++-
 3 files changed, 47 insertions(+), 53 deletions(-)
(limited to 'nixos')

diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index e3edc9dda6b..29a29834e97 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -140,7 +140,7 @@
 tape = 25;
 video = 26;
 dialout = 27;
- polkituser = 28;
+ #polkituser = 28; # currently unused, polkitd doesn't need a group
 utmp = 29;
 davfs2 = 31;
 privoxy = 32;
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index cafa9f82d5e..940e87e0b02 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -18,35 +18,17 @@ in
 description = "Whether to enable PolKit.";
 };
- security.polkit.permissions = mkOption {
+ security.polkit.extraConfig = mkOption {
 type = types.lines;
 default = "";
 example = ''
- [Disallow Users To Suspend]
- Identity=unix-group:users
- Action=org.freedesktop.upower.*
- ResultAny=no
- ResultInactive=no
- ResultActive=no
-
- [Allow Anybody To Eject Disks]
- Identity=unix-user:*
- Action=org.freedesktop.udisks.drive-eject
- ResultAny=yes
- ResultInactive=yes
- ResultActive=yes
-
- [Allow Alice To Mount Filesystems After Admin Authentication]
- Identity=unix-user:alice
- Action=org.freedesktop.udisks.filesystem-mount
- ResultAny=auth_admin
- ResultInactive=auth_admin
- ResultActive=auth_admin
+ TODO
 '';
 description = ''
- Allows the default permissions of privileged actions to be overridden.
+ Any polkit rules to be added to config (in JavaScript ;-). See:
+ http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules
 '';
 };
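Review bot: The `example` of the new `security.polkit.extraConfig` option is the placeholder `TODO`, so the option ships with no sample of the JavaScript rule syntax it now expects, even though the NetworkManager conversion in this same commit is a ready-made one. A minimal example built from names already on this page would do, e.g. `polkit.addRule(function(action, subject) {` / `  if (action.id == "org.freedesktop.udisks.drive-eject") { return polkit.Result.YES; }` / `});`. The description should also say that the value is spliced verbatim into the NixOS rules file under /etc/polkit-1/rules.d and is executed by polkitd as policy, so a syntax error there affects every rule in that file. Because `security.polkit.permissions` is removed rather than aliased, configurations that still set it will fail to evaluate; unless a rename alias is provided elsewhere, the description should mention the replaced option and that the old .pkla format is no longer accepted.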
@@ -71,29 +53,23 @@ in
 environment.systemPackages = [ pkgs.polkit ];
- # The polkit daemon reads action files
- environment.pathsToLink = [ "/share/polkit-1/actions" ];
-
- environment.etc =
- [ # No idea what the "null backend" is, but it seems to need this.
- { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d";
- target = "polkit-1/nullbackend.conf.d";
- }
-
- # This file determines what users are considered
- # "administrators".
- { source = pkgs.writeText "10-nixos.conf"
- ''
- [Configuration]
- AdminIdentities=${cfg.adminIdentities}
- '';
- target = "polkit-1/localauthority.conf.d/10-nixos.conf";
- }
-
- { source = pkgs.writeText "org.nixos.pkla" cfg.permissions;
- target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla";
- }
- ];
+ systemd.packages = [ pkgs.polkit ];
+
+ # The polkit daemon reads action/rule files
+ environment.pathsToLink = [ "/share/polkit-1" ];
+
+ # PolKit rules for NixOS
+ environment.etc = [ {
+ source = pkgs.writeText "10-nixos.conf"
+ ''
+ polkit.addAdminRule(function(action, subject) {
+ return ["${cfg.adminIdentities}"];
+ });
+
+ ${cfg.extraConfig}
+ ''; #TODO: validation on compilation (at least against typos)
+ target = "polkit-1/rules.d/10-nixos.conf";
+ } ];
 services.dbus.packages = [ pkgs.polkit ];
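Review bot: The rules file is installed as `polkit-1/rules.d/10-nixos.conf`, but polkit(8) — the page the new option description links to — documents that polkitd reads only files with a `.rules` extension from rules.d, so as written the admin rule and everything in `extraConfig` would be skipped silently and polkitd would fall back to its built-in defaults; the target should be `target = "polkit-1/rules.d/10-nixos.rules";` (the writeText name can follow). Since a skipped file produces no error, this is worth confirming on a running system rather than by inspection, as I recall polkitd logs the rule files it loads at startup. Separately, `return ["${cfg.adminIdentities}"];` wraps the whole option value in a single JS string literal: if `adminIdentities` keeps the `;`-separated list form the old `AdminIdentities=` line implied, several identities collapse into one bogus identity, and a double quote in the value turns into a syntax error that invalidates the entire file, `extraConfig` included; splitting on `;` in Nix and quoting each element (with lib's `splitString`/`concatStringsSep`) keeps the option's format. The `#TODO` about compile-time validation is the right instinct for the same reason: one typo in `extraConfig` disables the admin rule in the same file.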
@@ -101,24 +77,31 @@ in
 security.setuidPrograms = [ "pkexec" ];
- security.setuidOwners = singleton
+ security.setuidOwners = [
 { program = "polkit-agent-helper-1";
 owner = "root";
 group = "root";
 setuid = true;
- source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1";
- };
+ source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
+ }
+ ];
 system.activationScripts.polkit = ''
- mkdir -p /var/lib/polkit-1/localauthority
- chmod 700 /var/lib/polkit-1{/localauthority,}
+ # Probably no more needed, clean up
+ rm -rf /var/lib/{polkit-1,PolicyKit}
 # Force polkitd to be restarted so that it reloads its
 # configuration.
 ${pkgs.procps}/bin/pkill -INT -u root -x polkitd
 '';
+ users.extraUsers.polkituser = {
+ description = "PolKit daemon";
+ uid = config.ids.uids.polkituser;
+ };
+
 };
 }
+
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index ad6f9858aaf..2e8d17d872d 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -21,7 +21,7 @@ let
 level=WARN
 '';
- polkitConf = ''
+ /*
 [network-manager]
 Identity=unix-group:networkmanager
 Action=org.freedesktop.NetworkManager.*
@@ -35,6 +35,17 @@ let
 ResultAny=yes
 ResultInactive=no
 ResultActive=yes
+ */
+ polkitConf = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.isInGroup("networkmanager")
+ && subject.active
+ && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0
+ || action.id.indexOf("org.freedesktop.ModemManager.") == 0
+ ))
+ { return polkit.Result.YES; }
+ });
 '';
 ipUpScript = writeScript "01nixos-ip-up" ''
@@ -179,7 +190,7 @@ in {
 systemctl restart NetworkManager
 '';
- security.polkit.permissions = polkitConf;
+ security.polkit.extraConfig = polkitConf;
 # openvpn plugin has only dbus interface
 services.dbus.packages = cfg.packages ++ [
-- 
cgit 1.4.1
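Review bot: `rm -rf /var/lib/{polkit-1,PolicyKit}` in the activation script runs on every activation, not once as a migration, and the comment `# Probably no more needed, clean up` concedes the premise is unverified; an unconditional recursive delete of a privileged daemon's state directory on each rebuild should either be guarded, e.g. `[ -e /var/lib/PolicyKit ] && rm -rf /var/lib/PolicyKit`, or dropped, and the comment should state what was actually checked. The new `users.extraUsers.polkituser` account is created under the name `polkituser`, whereas upstream polkitd drops privileges to a user name fixed at build time (the upstream default is `polkitd`, if I recall correctly); unless `pkgs.polkit` is built for `polkituser`, the daemon will not find this account, so the two should be tied together with a comment such as `# must match the user pkgs.polkit was configured with`. The removed `mkdir`/`chmod 700` lines were the only thing giving that directory a restrictive mode, so if any of it is still created by the daemon its permissions are now whatever the daemon chooses — worth a sentence in the commit message or comment.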
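Review bot: The added rule in `polkitConf` tests `action.id.indexOf("org.freedesktop.NetworkManager.") == 0` and the same for ModemManager with loose equality; `=== 0` is the conventional form in JavaScript and removes any coercion question from a policy check. Behaviourally, `&& subject.active` restricts the rule to active sessions, while the replaced .pkla had `ResultAny=yes`, which if I read the localauthority semantics correctly granted networkmanager-group members in non-local or inactive sessions the same unconditional yes; if that tightening is intended it deserves a one-line comment, if not the `subject.active` test should go. The old .pkla text is kept as a `/* … */` block spanning this hunk and the previous one; it documents the conversion but is dead configuration that will go stale, and a comment like `# converted from the pre-0.112 .pkla, see git history` serves the same purpose.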