7e7715af59
Do not run as root user OBS-URL: https://build.opensuse.org/request/show/96378 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/colord?expand=0&rev=25
355 lines
13 KiB
Diff
355 lines
13 KiB
Diff
commit 9f088d598187b1bddd0ce4fb97a56d61564d8381
|
|
Author: Vincent Untz <vuntz@gnome.org>
|
|
Date: Tue Dec 6 10:40:21 2011 +0100
|
|
|
|
Add org.freedesktop.policykit.owner annotations to .policy file
|
|
|
|
We only add those annotations when the daemon is configured to run as
|
|
non-root.
|
|
|
|
diff --git a/policy/Makefile.am b/policy/Makefile.am
|
|
index 85e3ecc..272675b 100644
|
|
--- a/policy/Makefile.am
|
|
+++ b/policy/Makefile.am
|
|
@@ -1,9 +1,16 @@
|
|
+org.freedesktop.color.policy.in: org.freedesktop.color.policy.in.in Makefile.am
|
|
+ $(AM_V_GEN)if test "x$(daemon_user)" != "xroot"; then \
|
|
+ sed -e "s|<@ANNOTATE_OWNER@/>|<annotate key=\"org.freedesktop.policykit.owner\">unix-user:$(daemon_user)</annotate>|g" $< > $@ ; \
|
|
+ else \
|
|
+ sed -e "/^\s*<@ANNOTATE_OWNER@\/>\s*$$/d;s|<@ANNOTATE_OWNER@/>||g" $< > $@ ; \
|
|
+ fi
|
|
+
|
|
@INTLTOOL_POLICY_RULE@
|
|
polkit_policydir = $(datadir)/polkit-1/actions
|
|
-dist_polkit_policy_DATA = \
|
|
+polkit_policy_DATA = \
|
|
org.freedesktop.color.policy
|
|
|
|
-EXTRA_DIST = org.freedesktop.color.policy.in
|
|
-DISTCLEANFILES = org.freedesktop.color.policy
|
|
+EXTRA_DIST = org.freedesktop.color.policy.in.in
|
|
+DISTCLEANFILES = org.freedesktop.color.policy org.freedesktop.color.policy.in
|
|
|
|
-include $(top_srcdir)/git.mk
|
|
diff --git a/policy/org.freedesktop.color.policy.in b/policy/org.freedesktop.color.policy.in
|
|
deleted file mode 100644
|
|
index a5bcfaf..0000000
|
|
--- a/policy/org.freedesktop.color.policy.in
|
|
+++ /dev/null
|
|
@@ -1,150 +0,0 @@
|
|
-<?xml version="1.0" encoding="UTF-8"?>
|
|
-<!DOCTYPE policyconfig PUBLIC
|
|
- "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
|
|
- "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
|
|
-<policyconfig>
|
|
-
|
|
- <!--
|
|
- Policy definitions for System Color Manager actions.
|
|
- Copyright (c) 2010 Richard Hughes <richard@hughsie.com>
|
|
- -->
|
|
-
|
|
- <vendor>System Color Manager</vendor>
|
|
- <vendor_url>http://www.freedesktop.org/projects/system-color-manager/</vendor_url>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.create-device">
|
|
- <!-- SECURITY:
|
|
- - Normal users should not have to authenticate to add devices
|
|
- -->
|
|
- <_description>Create a color managed device</_description>
|
|
- <_message>Authentication is required to create a color managed device</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>yes</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.create-profile">
|
|
- <!-- SECURITY:
|
|
- - Normal users should not have to authenticate to add profiles
|
|
- -->
|
|
- <_description>Create a color profile</_description>
|
|
- <_message>Authentication is required to create a color profile</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>yes</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.delete-device">
|
|
- <!-- SECURITY:
|
|
- - Normal users should not have to authenticate to delete devices
|
|
- -->
|
|
- <_description>Remove a color managed device</_description>
|
|
- <_message>Authentication is required to remove a color managed device</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>yes</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.delete-profile">
|
|
- <!-- SECURITY:
|
|
- - Normal users should not have to authenticate to delete profiles
|
|
- -->
|
|
- <_description>Remove a color profile</_description>
|
|
- <_message>Authentication is required to remove a color profile</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>yes</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.modify-device">
|
|
- <!-- SECURITY:
|
|
- - Normal users should not have to authenticate to modify devices
|
|
- -->
|
|
- <_description>Modify color settings for a device</_description>
|
|
- <_message>Authentication is required to modify the color settings for a device</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>yes</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.modify-profile">
|
|
- <!-- SECURITY:
|
|
- - Normal users should not have to authenticate to modify profiles
|
|
- -->
|
|
- <_description>Modify a color profile</_description>
|
|
- <_message>Authentication is required to modify a color profile</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>yes</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.install-system-wide">
|
|
- <!-- SECURITY:
|
|
- - Normal users require admin authentication to install files system
|
|
- wide to apply color profiles for sessions that have not explicitly
|
|
- chosen profiles to apply.
|
|
- - This should not be set to 'yes' as unprivileged users could then
|
|
- set a profile set to all-white or all-black and thus make the
|
|
- other sessions unusable.
|
|
- -->
|
|
- <_description>Install system color profiles</_description>
|
|
- <_message>Authentication is required to install the color profile for all users</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>auth_admin_keep</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.device-inhibit">
|
|
- <!-- SECURITY:
|
|
- - Normal users should not have to authenticate to profile
|
|
- devices.
|
|
- -->
|
|
- <_description>Inhibit color profile selection</_description>
|
|
- <_message>Authentication is required to disable profile matching for a device</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>yes</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
- <action id="org.freedesktop.color-manager.sensor-lock">
|
|
- <!-- SECURITY:
|
|
- - Normal users should not have to authenticate to use the
|
|
- colorimeter device.
|
|
- -->
|
|
- <_description>Use color sensor</_description>
|
|
- <_message>Authentication is required to use the color sensor</_message>
|
|
- <icon_name>application-vnd.iccprofile</icon_name>
|
|
- <defaults>
|
|
- <allow_any>no</allow_any>
|
|
- <allow_inactive>no</allow_inactive>
|
|
- <allow_active>yes</allow_active>
|
|
- </defaults>
|
|
- </action>
|
|
-
|
|
-</policyconfig>
|
|
-
|
|
diff --git a/policy/org.freedesktop.color.policy.in.in b/policy/org.freedesktop.color.policy.in.in
|
|
new file mode 100644
|
|
index 0000000..4570f8f
|
|
--- /dev/null
|
|
+++ b/policy/org.freedesktop.color.policy.in.in
|
|
@@ -0,0 +1,159 @@
|
|
+<?xml version="1.0" encoding="UTF-8"?>
|
|
+<!DOCTYPE policyconfig PUBLIC
|
|
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
|
|
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
|
|
+<policyconfig>
|
|
+
|
|
+ <!--
|
|
+ Policy definitions for System Color Manager actions.
|
|
+ Copyright (c) 2010 Richard Hughes <richard@hughsie.com>
|
|
+ -->
|
|
+
|
|
+ <vendor>System Color Manager</vendor>
|
|
+ <vendor_url>http://www.freedesktop.org/projects/system-color-manager/</vendor_url>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.create-device">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users should not have to authenticate to add devices
|
|
+ -->
|
|
+ <_description>Create a color managed device</_description>
|
|
+ <_message>Authentication is required to create a color managed device</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.create-profile">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users should not have to authenticate to add profiles
|
|
+ -->
|
|
+ <_description>Create a color profile</_description>
|
|
+ <_message>Authentication is required to create a color profile</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.delete-device">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users should not have to authenticate to delete devices
|
|
+ -->
|
|
+ <_description>Remove a color managed device</_description>
|
|
+ <_message>Authentication is required to remove a color managed device</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.delete-profile">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users should not have to authenticate to delete profiles
|
|
+ -->
|
|
+ <_description>Remove a color profile</_description>
|
|
+ <_message>Authentication is required to remove a color profile</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.modify-device">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users should not have to authenticate to modify devices
|
|
+ -->
|
|
+ <_description>Modify color settings for a device</_description>
|
|
+ <_message>Authentication is required to modify the color settings for a device</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.modify-profile">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users should not have to authenticate to modify profiles
|
|
+ -->
|
|
+ <_description>Modify a color profile</_description>
|
|
+ <_message>Authentication is required to modify a color profile</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.install-system-wide">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users require admin authentication to install files system
|
|
+ wide to apply color profiles for sessions that have not explicitly
|
|
+ chosen profiles to apply.
|
|
+ - This should not be set to 'yes' as unprivileged users could then
|
|
+ set a profile set to all-white or all-black and thus make the
|
|
+ other sessions unusable.
|
|
+ -->
|
|
+ <_description>Install system color profiles</_description>
|
|
+ <_message>Authentication is required to install the color profile for all users</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>auth_admin_keep</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.device-inhibit">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users should not have to authenticate to profile
|
|
+ devices.
|
|
+ -->
|
|
+ <_description>Inhibit color profile selection</_description>
|
|
+ <_message>Authentication is required to disable profile matching for a device</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+ <action id="org.freedesktop.color-manager.sensor-lock">
|
|
+ <!-- SECURITY:
|
|
+ - Normal users should not have to authenticate to use the
|
|
+ colorimeter device.
|
|
+ -->
|
|
+ <_description>Use color sensor</_description>
|
|
+ <_message>Authentication is required to use the color sensor</_message>
|
|
+ <icon_name>application-vnd.iccprofile</icon_name>
|
|
+ <defaults>
|
|
+ <allow_any>no</allow_any>
|
|
+ <allow_inactive>no</allow_inactive>
|
|
+ <allow_active>yes</allow_active>
|
|
+ </defaults>
|
|
+ <@ANNOTATE_OWNER@/>
|
|
+ </action>
|
|
+
|
|
+</policyconfig>
|
|
+
|