Accepting request 997456 from home:luc14n0:branches:Base:System
Update to 121 stable release. OBS-URL: https://build.opensuse.org/request/show/997456 OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=176
This commit is contained in:
parent
4f1639eb8f
commit
84c1181306
@ -1,83 +0,0 @@
|
|||||||
From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jan Rybar <jrybar@redhat.com>
|
|
||||||
Date: Mon, 21 Feb 2022 08:29:05 +0000
|
|
||||||
Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
|
|
||||||
|
|
||||||
---
|
|
||||||
src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
|
|
||||||
1 file changed, 34 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
|
|
||||||
index 8ed1363..2fbf5f1 100644
|
|
||||||
--- a/src/polkit/polkitsystembusname.c
|
|
||||||
+++ b/src/polkit/polkitsystembusname.c
|
|
||||||
@@ -62,6 +62,10 @@ enum
|
|
||||||
PROP_NAME,
|
|
||||||
};
|
|
||||||
|
|
||||||
+
|
|
||||||
+guint8 dbus_call_respond_fails; // has to be global because of callback
|
|
||||||
+
|
|
||||||
+
|
|
||||||
static void subject_iface_init (PolkitSubjectIface *subject_iface);
|
|
||||||
|
|
||||||
G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
|
|
||||||
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
|
|
||||||
if (!v)
|
|
||||||
{
|
|
||||||
data->caught_error = TRUE;
|
|
||||||
+ dbus_call_respond_fails += 1;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
|
|
||||||
tmp_context = g_main_context_new ();
|
|
||||||
g_main_context_push_thread_default (tmp_context);
|
|
||||||
|
|
||||||
+ dbus_call_respond_fails = 0;
|
|
||||||
+
|
|
||||||
/* Do two async calls as it's basically as fast as one sync call.
|
|
||||||
*/
|
|
||||||
g_dbus_connection_call (connection,
|
|
||||||
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
|
|
||||||
on_retrieved_unix_uid_pid,
|
|
||||||
&data);
|
|
||||||
|
|
||||||
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
|
|
||||||
- g_main_context_iteration (tmp_context, TRUE);
|
|
||||||
+ while (TRUE)
|
|
||||||
+ {
|
|
||||||
+ /* If one dbus call returns error, we must wait until the other call
|
|
||||||
+ * calls _call_finish(), otherwise fd leak is possible.
|
|
||||||
+ * Resolves: GHSL-2021-077
|
|
||||||
+ */
|
|
||||||
|
|
||||||
- if (data.caught_error)
|
|
||||||
- goto out;
|
|
||||||
+ if ( (dbus_call_respond_fails > 1) )
|
|
||||||
+ {
|
|
||||||
+ // we got two faults, we can leave
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
|
|
||||||
+ {
|
|
||||||
+ // we got one fault and the other call finally finished, we can leave
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ( !(data.retrieved_uid && data.retrieved_pid) )
|
|
||||||
+ {
|
|
||||||
+ g_main_context_iteration (tmp_context, TRUE);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ {
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (out_uid)
|
|
||||||
*out_uid = data.uid;
|
|
||||||
--
|
|
||||||
2.26.2
|
|
||||||
|
|
@ -1,65 +0,0 @@
|
|||||||
--- a/src/programs/pkcheck.c
|
|
||||||
+++ a/src/programs/pkcheck.c
|
|
||||||
@@ -363,6 +363,12 @@ main (int argc, char *argv[])
|
|
||||||
local_agent_handle = NULL;
|
|
||||||
ret = 126;
|
|
||||||
|
|
||||||
+ if (argc < 1)
|
|
||||||
+ {
|
|
||||||
+ help();
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Disable remote file access from GIO. */
|
|
||||||
setenv ("GIO_USE_VFS", "local", 1);
|
|
||||||
|
|
||||||
--- a/src/programs/pkexec.c
|
|
||||||
+++ a/src/programs/pkexec.c
|
|
||||||
@@ -488,6 +488,17 @@ main (int argc, char *argv[])
|
|
||||||
pid_t pid_of_caller;
|
|
||||||
gpointer local_agent_handle;
|
|
||||||
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * If 'pkexec' is called wrong, just show help and bail out.
|
|
||||||
+ */
|
|
||||||
+ if (argc<1)
|
|
||||||
+ {
|
|
||||||
+ clearenv();
|
|
||||||
+ usage(argc, argv);
|
|
||||||
+ exit(1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = 127;
|
|
||||||
authority = NULL;
|
|
||||||
subject = NULL;
|
|
||||||
@@ -614,10 +625,10 @@ main (int argc, char *argv[])
|
|
||||||
|
|
||||||
path = g_strdup (pwstruct.pw_shell);
|
|
||||||
if (!path)
|
|
||||||
- {
|
|
||||||
+ {
|
|
||||||
g_printerr ("No shell configured or error retrieving pw_shell\n");
|
|
||||||
goto out;
|
|
||||||
- }
|
|
||||||
+ }
|
|
||||||
/* If you change this, be sure to change the if (!command_line)
|
|
||||||
case below too */
|
|
||||||
command_line = g_strdup (path);
|
|
||||||
@@ -636,7 +647,15 @@ main (int argc, char *argv[])
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
g_free (path);
|
|
||||||
- argv[n] = path = s;
|
|
||||||
+ path = s;
|
|
||||||
+
|
|
||||||
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
|
|
||||||
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
|
|
||||||
+ */
|
|
||||||
+ if (argv[n] != NULL)
|
|
||||||
+ {
|
|
||||||
+ argv[n] = path;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
if (access (path, F_OK) != 0)
|
|
||||||
{
|
|
File diff suppressed because it is too large
Load Diff
68
pkexec.patch
68
pkexec.patch
@ -1,68 +0,0 @@
|
|||||||
From: Andreas Schwab <schwab@suse.de>
|
|
||||||
Subject: pkexec: allow --version and --help even if not setuid
|
|
||||||
|
|
||||||
Don't check for setuid invocation until after parsing command line, to allow
|
|
||||||
running uninstalled pkexec with --help or --version. This also helps
|
|
||||||
building packages that want to check for pkexec in an emulated environment
|
|
||||||
that does not support setuid invocation (eg. QEMU linux-user).
|
|
||||||
|
|
||||||
Index: polkit-0.116/src/programs/pkexec.c
|
|
||||||
===================================================================
|
|
||||||
--- polkit-0.116.orig/src/programs/pkexec.c 2018-05-31 13:52:53.000000000 +0200
|
|
||||||
+++ polkit-0.116/src/programs/pkexec.c 2019-05-31 22:55:58.014504104 +0200
|
|
||||||
@@ -504,27 +504,6 @@ main (int argc, char *argv[])
|
|
||||||
/* Disable remote file access from GIO. */
|
|
||||||
setenv ("GIO_USE_VFS", "local", 1);
|
|
||||||
|
|
||||||
- /* check for correct invocation */
|
|
||||||
- if (geteuid () != 0)
|
|
||||||
- {
|
|
||||||
- g_printerr ("pkexec must be setuid root\n");
|
|
||||||
- goto out;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- original_user_name = g_strdup (g_get_user_name ());
|
|
||||||
- if (original_user_name == NULL)
|
|
||||||
- {
|
|
||||||
- g_printerr ("Error getting user name.\n");
|
|
||||||
- goto out;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if ((original_cwd = g_get_current_dir ()) == NULL)
|
|
||||||
- {
|
|
||||||
- g_printerr ("Error getting cwd: %s\n",
|
|
||||||
- g_strerror (errno));
|
|
||||||
- goto out;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* First process options and find the command-line to invoke. Avoid using fancy library routines
|
|
||||||
* that depend on environtment variables since we haven't cleared the environment just yet.
|
|
||||||
*/
|
|
||||||
@@ -580,6 +559,27 @@ main (int argc, char *argv[])
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* check for correct invocation */
|
|
||||||
+ if (geteuid () != 0)
|
|
||||||
+ {
|
|
||||||
+ g_printerr ("pkexec must be setuid root\n");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ original_user_name = g_strdup (g_get_user_name ());
|
|
||||||
+ if (original_user_name == NULL)
|
|
||||||
+ {
|
|
||||||
+ g_printerr ("Error getting user name.\n");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((original_cwd = g_get_current_dir ()) == NULL)
|
|
||||||
+ {
|
|
||||||
+ g_printerr ("Error getting cwd: %s\n",
|
|
||||||
+ g_strerror (errno));
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (opt_user == NULL)
|
|
||||||
opt_user = g_strdup ("root");
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:ee7a599a853117bf273548725719fa92fabd2f136915c7a4906cee98567aee03
|
|
||||||
size 1626659
|
|
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAmFbBdIACgkQjOswMP/c
|
|
||||||
4ljEgQgAtj7WctCA7ZqOBAgcr+8NHSzxMJHbiNPDMg4bJB3xVipyQYCfyv8dNANd
|
|
||||||
33tTjDGjBN5Dn/Mp7FbxBHsTaUCcvnV11IeDq4AnVT1yrL3E1Tc4B08rQAEUSwZY
|
|
||||||
eIuO4GJTbIs79Qtj6tjILcKhKNBBezUyMRgRpq/XYZKlwdlPZkhec2tGtP3wVZCW
|
|
||||||
VlYliQfMvV4aJV2PRcVcITnFuWYvV28iI5nl466iE60MmaJOiPeJKFbXM73jiVeP
|
|
||||||
QGPljAeGWiZ9xa2a2EFbBbyyiKo1B1kvdp0wgYaeGElw/ulcbUAPpzsh4+aTaX6l
|
|
||||||
xJpnVpz9f+opD7/YpyAms4RRkQbMLQ==
|
|
||||||
=UyNU
|
|
||||||
-----END PGP SIGNATURE-----
|
|
BIN
polkit-121.tar.gz
(Stored with Git LFS)
Normal file
BIN
polkit-121.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
11
polkit-121.tar.gz.sign
Normal file
11
polkit-121.tar.gz.sign
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAmLMIyMACgkQjOswMP/c
|
||||||
|
4ljnPggAirGfeho8FcKzvi8V7Gya8tHUf0eGqdlJUr8owSHx0FjTzBSATHxhFtFZ
|
||||||
|
pMPXXUkM0myKgqFQntL9ZYtM7l9MnCdS2rvEPkUg+uoJ4uJuuorsxkxaFdBOXFn9
|
||||||
|
xUSgLIpsVIVVTDLaChgbRvgZQXLO27fz3PVchLlqLIfyyiKvxBCftx+4EXZzQgor
|
||||||
|
HA0qpWFTdH1LxhhHrZibkNxBwI6uQum20fDzRiyIu5oUtRyZqRt+lBuimzFHrCLz
|
||||||
|
AOGZJANTxNVpZmpXEJqM/N93133852S2UJtCbgp4zmcnAWeBJSD5NodbVq65JzAs
|
||||||
|
4ZjD5iN/MumSAnQyKBknisT5UH5vwg==
|
||||||
|
=mLHt
|
||||||
|
-----END PGP SIGNATURE-----
|
@ -1,7 +1,5 @@
|
|||||||
Index: polkit-0.118/src/polkitagent/polkitagentsession.c
|
--- a/src/polkitagent/polkitagentsession.c
|
||||||
===================================================================
|
+++ b/src/polkitagent/polkitagentsession.c
|
||||||
--- polkit-0.118.orig/src/polkitagent/polkitagentsession.c
|
|
||||||
+++ polkit-0.118/src/polkitagent/polkitagentsession.c
|
|
||||||
@@ -596,7 +596,7 @@ polkit_agent_session_initiate (PolkitAge
|
@@ -596,7 +596,7 @@ polkit_agent_session_initiate (PolkitAge
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
@ -11,3 +9,14 @@ Index: polkit-0.118/src/polkitagent/polkitagentsession.c
|
|||||||
helper_argv[1] = passwd->pw_name;
|
helper_argv[1] = passwd->pw_name;
|
||||||
helper_argv[2] = NULL;
|
helper_argv[2] = NULL;
|
||||||
|
|
||||||
|
--- a/meson.build
|
||||||
|
+++ b/meson.build
|
||||||
|
@@ -28,7 +28,7 @@ pk_sysconfdir = get_option('sysconfdir')
|
||||||
|
pk_pkgdatadir = pk_datadir / pk_api_name
|
||||||
|
pk_pkgincludedir = pk_includedir / pk_api_name
|
||||||
|
# note that this is always 'lib', not lib64 or lib/x86_64-linux-gnu
|
||||||
|
-pk_libprivdir = 'lib' / pk_api_name
|
||||||
|
+pk_libprivdir = 'libexec' / pk_api_name
|
||||||
|
pk_pkgsysconfdir = pk_sysconfdir / pk_api_name
|
||||||
|
|
||||||
|
pk_actiondir = pk_api_name / 'actions'
|
||||||
|
33
polkit-fix-pam-prefix.patch
Normal file
33
polkit-fix-pam-prefix.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/131
|
||||||
|
build: Honour pam_prefix meson option
|
||||||
|
|
||||||
|
Make the use of pam_prefix worth its while since, at the moment, its value
|
||||||
|
is not being used. Instead, a hard-coded path is being deployed when it
|
||||||
|
shouldn't anymore.
|
||||||
|
|
||||||
|
The pam_prefix Meson option was designed to allow us to choose where pam
|
||||||
|
configuration files should end up. But at the moment it is not being used at
|
||||||
|
all where it should be.
|
||||||
|
|
||||||
|
--- a/meson.build
|
||||||
|
+++ b/meson.build
|
||||||
|
@@ -241,7 +241,7 @@ if enable_pam
|
||||||
|
|
||||||
|
pam_prefix = get_option('pam_prefix')
|
||||||
|
if pam_prefix == ''
|
||||||
|
- pam_prefix = pk_sysconfdir
|
||||||
|
+ pam_prefix = pk_sysconfdir / 'pam.d'
|
||||||
|
else
|
||||||
|
message('PAM files will be installed in prefix ' + pam_prefix)
|
||||||
|
endif
|
||||||
|
--- a/data/meson.build
|
||||||
|
+++ b/data/meson.build
|
||||||
|
@@ -22,7 +22,7 @@ if enable_pam
|
||||||
|
output: '@BASENAME@',
|
||||||
|
configuration: pam_conf,
|
||||||
|
install: true,
|
||||||
|
- install_dir: pk_sysconfdir / 'pam.d',
|
||||||
|
+ install_dir: pam_prefix,
|
||||||
|
)
|
||||||
|
endif
|
||||||
|
|
@ -1,7 +1,5 @@
|
|||||||
Index: polkit-0.116/src/polkitbackend/50-default.rules
|
--- a/src/polkitbackend/50-default.rules
|
||||||
===================================================================
|
+++ b/src/polkitbackend/50-default.rules
|
||||||
--- polkit-0.116.orig/src/polkitbackend/50-default.rules 2018-03-27 13:46:06.000000000 +0200
|
|
||||||
+++ polkit-0.116/src/polkitbackend/50-default.rules 2019-05-31 22:55:57.990503876 +0200
|
|
||||||
@@ -8,5 +8,5 @@
|
@@ -8,5 +8,5 @@
|
||||||
// about configuring polkit.
|
// about configuring polkit.
|
||||||
|
|
||||||
|
@ -1,3 +1,43 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 9 06:11:08 UTC 2022 - Luciano Santos <luc14n0@opensuse.org>
|
||||||
|
|
||||||
|
- Update to version 121:
|
||||||
|
+ Addition of duktape as a JS engine backend.
|
||||||
|
+ Other small fixes and improvements. For more details, visit:
|
||||||
|
gitlab.freedesktop.org/polkit/polkit/-/blob/121/NEWS.md
|
||||||
|
+ Updated translations.
|
||||||
|
- Drop merged-upstream patches:
|
||||||
|
+ CVE-2021-4034-pkexec-fix.patch;
|
||||||
|
+ 0001-CVE-2021-4115-GHSL-2021-077-fix.patch;
|
||||||
|
+ duktape-support.patch;
|
||||||
|
+ pkexec.patch.
|
||||||
|
- Replace Intltool with Gettext as a build requirement following
|
||||||
|
the migration from last release (0.120).
|
||||||
|
- Add Meson as a build requirement while dropping Libtool and
|
||||||
|
replace all Autotools macros with Meson ones. And pass the
|
||||||
|
following options to Meson: session_tracking=libsystemd-login;
|
||||||
|
systemdsystemunitdir=%{_unitdir}; os_type=suse;
|
||||||
|
pam_module_dir=%{_pam_moduledir}; pam_prefix=%{_pam_vendordir};
|
||||||
|
examples=true; tests=true; gtk_doc=true; man=true and
|
||||||
|
js_engine=duktape.
|
||||||
|
- Drop no longer needed Libtool as a build requirement, following
|
||||||
|
Autotools replacement.
|
||||||
|
- Add explicit pkgconfig module build requirements for glib-2.0 and
|
||||||
|
gobject-2.0 that are searched by the build scripts. They were
|
||||||
|
already being pulled by their siblings [pkgconfig(gio-2.0) and
|
||||||
|
pkgconfig(gio-unix-2.0)].
|
||||||
|
- Drop conditional macro, which was wrapping "BuildArch: noarch"
|
||||||
|
for the doc subpackage, based on long gone EOLed (open)SUSE
|
||||||
|
release (11.2).
|
||||||
|
- Add missing 'Requires(post): permissions' for the pkexec
|
||||||
|
subpackage.
|
||||||
|
- Add python3-dbus-python and python3-python-dbusmock as build
|
||||||
|
requirements in order to run test in the check section.
|
||||||
|
- Add polkit-fix-pam-prefix.patch to use the value of pam_prefix
|
||||||
|
Meson option, like it was designed to, rather than hard-coded
|
||||||
|
path for pam configuration files.
|
||||||
|
- Remove unneeded executable bit from 50-default.rules file.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Aug 8 07:28:25 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
|
Mon Aug 8 07:28:25 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
|
||||||
|
|
||||||
|
114
polkit.spec
114
polkit.spec
@ -16,8 +16,12 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
|
%define _polkit_rulesdir %{_datadir}/polkit-1/rules.d
|
||||||
|
%define glib_br_version 2.30.0
|
||||||
|
%define run_tests 1
|
||||||
|
|
||||||
Name: polkit
|
Name: polkit
|
||||||
Version: 0.120
|
Version: 121
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: PolicyKit Authorization Framework
|
Summary: PolicyKit Authorization Framework
|
||||||
License: LGPL-2.1-or-later
|
License: LGPL-2.1-or-later
|
||||||
@ -28,50 +32,58 @@ Source1: https://www.freedesktop.org/software/polkit/releases/%{name}-%{v
|
|||||||
Source2: %{name}.keyring
|
Source2: %{name}.keyring
|
||||||
Source3: system-user-polkitd.conf
|
Source3: system-user-polkitd.conf
|
||||||
Source99: baselibs.conf
|
Source99: baselibs.conf
|
||||||
|
|
||||||
|
# Upstream First - Policy:
|
||||||
|
# Never add any patches to this package without the upstream commit id
|
||||||
|
# in the patch. Any patches added here without a very good reason to make
|
||||||
|
# an exception will be silently removed with the next version update.
|
||||||
|
|
||||||
# PATCH-FIX-OPENSUSE polkit-no-wheel-group.patch vuntz@opensuse.org -- In openSUSE, there's no special meaning for the wheel group, so we shouldn't allow it to be admin
|
# PATCH-FIX-OPENSUSE polkit-no-wheel-group.patch vuntz@opensuse.org -- In openSUSE, there's no special meaning for the wheel group, so we shouldn't allow it to be admin
|
||||||
Patch0: polkit-no-wheel-group.patch
|
Patch0: polkit-no-wheel-group.patch
|
||||||
# PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations
|
# PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations
|
||||||
|
# polkit-use-gettext-as-fallback.patch
|
||||||
Patch1: polkit-gettext.patch
|
Patch1: polkit-gettext.patch
|
||||||
# PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid
|
|
||||||
Patch2: pkexec.patch
|
|
||||||
# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file
|
# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file
|
||||||
Patch3: polkit-keyinit.patch
|
Patch3: polkit-keyinit.patch
|
||||||
# adjust path to polkit-agent-helper-1 (bsc#1180474)
|
# PATCH-FIX-OPENSUSE polkit-adjust-libexec-path.patch -- Adjust path to polkit-agent-helper-1 (bsc#1180474)
|
||||||
Patch4: polkit-adjust-libexec-path.patch
|
Patch4: polkit-adjust-libexec-path.patch
|
||||||
# PATCH-FIX-UPSTREAM CVE-2021-4034-pkexec-fix.patch meissner@ -- bsc#1194568 VUL-0: CVE-2021-4034: polkit: pkexec Local Privilege Escalation aka pwnkit
|
# PATCH-FIX-UPSTREAM polkit-fix-pam-prefix.patch luc14n0@opensuse.org -- Make
|
||||||
Patch5: CVE-2021-4034-pkexec-fix.patch
|
# intended use of pam_prefix meson option rather than hard-coded path
|
||||||
# PATCH-FIX-UPSTREAM https://gitlab.freedesktop.org/polkit/polkit/-/commit/c7fc4e1b61f0fd82fc697c19c604af7e9fb291a2.patch, without .gitlab-ci.yml (not in the tarball)
|
Patch5: polkit-fix-pam-prefix.patch
|
||||||
Patch6: duktape-support.patch
|
|
||||||
# PATCH-FIX-UPSTREAM 0001-CVE-2021-4115-GHSL-2021-077-fix.patch meissner@ -- bsc#1195542 VUL-0: CVE-2021-4115: polkit: denial of service via file descriptor leak
|
|
||||||
Patch7: 0001-CVE-2021-4115-GHSL-2021-077-fix.patch
|
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
|
BuildRequires: gettext
|
||||||
BuildRequires: gtk-doc
|
BuildRequires: gtk-doc
|
||||||
BuildRequires: intltool
|
|
||||||
BuildRequires: libexpat-devel
|
BuildRequires: libexpat-devel
|
||||||
# needed for patch1 and 2
|
BuildRequires: meson >= 0.50
|
||||||
BuildRequires: libtool
|
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: systemd-rpm-macros
|
BuildRequires: systemd-rpm-macros
|
||||||
BuildRequires: sysuser-tools
|
BuildRequires: sysuser-tools
|
||||||
BuildRequires: pkgconfig(duktape) >= 2.2.0
|
BuildRequires: pkgconfig(duktape) >= 2.2.0
|
||||||
BuildRequires: pkgconfig(gio-unix-2.0) >= 2.32.0
|
BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_br_version}
|
||||||
BuildRequires: pkgconfig(gmodule-2.0) >= 2.32.0
|
BuildRequires: pkgconfig(glib-2.0) >= %{glib_br_version}
|
||||||
|
BuildRequires: pkgconfig(gmodule-2.0) >= %{glib_br_version}
|
||||||
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2
|
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2
|
||||||
BuildRequires: pkgconfig(libsystemd)
|
BuildRequires: pkgconfig(libsystemd)
|
||||||
BuildRequires: pkgconfig(systemd)
|
BuildRequires: pkgconfig(systemd)
|
||||||
|
%if 0%{?run_tests}
|
||||||
|
#################################################################
|
||||||
|
# python3-dbus-python and python3-python-dbusmock are needed for
|
||||||
|
# test-polkitbackendjsauthority test:
|
||||||
|
BuildRequires: python3-dbus-python
|
||||||
|
BuildRequires: python3-python-dbusmock
|
||||||
|
#################################################################
|
||||||
|
%endif
|
||||||
# gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle.
|
# gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle.
|
||||||
#!BuildIgnore: ruby
|
#!BuildIgnore: ruby
|
||||||
|
|
||||||
Requires: dbus-1
|
Requires: dbus-1
|
||||||
Requires: libpolkit-agent-1-0 = %{version}-%{release}
|
Requires: libpolkit-agent-1-0 = %{version}-%{release}
|
||||||
Requires: libpolkit-gobject-1-0 = %{version}-%{release}
|
Requires: libpolkit-gobject-1-0 = %{version}-%{release}
|
||||||
Requires(post): permissions
|
Requires(post): permissions
|
||||||
%sysusers_requires
|
%sysusers_requires
|
||||||
%systemd_ordering
|
%systemd_ordering
|
||||||
# Upstream First - Policy:
|
|
||||||
# Never add any patches to this package without the upstream commit id
|
|
||||||
# in the patch. Any patches added here without a very good reason to make
|
|
||||||
# an exception will be silently removed with the next version update.
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
PolicyKit is a toolkit for defining and handling authorizations.
|
PolicyKit is a toolkit for defining and handling authorizations.
|
||||||
@ -91,9 +103,10 @@ Requires: typelib-1_0-Polkit-1_0 = %{version}
|
|||||||
Development files for PolicyKit Authorization Framework.
|
Development files for PolicyKit Authorization Framework.
|
||||||
|
|
||||||
%package -n pkexec
|
%package -n pkexec
|
||||||
Summary: pkexec component of polkit
|
Summary: Pkexec component of polkit
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
Requires: %{name} = %{version}-%{release}
|
Requires: %{name} = %{version}-%{release}
|
||||||
|
Requires(post): permissions
|
||||||
Provides: polkit:/usr/bin/pkexec
|
Provides: polkit:/usr/bin/pkexec
|
||||||
|
|
||||||
%description -n pkexec
|
%description -n pkexec
|
||||||
@ -102,9 +115,7 @@ This package contains the pkexec setuid root binary part of polkit.
|
|||||||
%package doc
|
%package doc
|
||||||
Summary: Development documentation for PolicyKit
|
Summary: Development documentation for PolicyKit
|
||||||
Group: Development/Libraries/C and C++
|
Group: Development/Libraries/C and C++
|
||||||
%if 0%{?suse_version} >= 1120
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
%endif
|
|
||||||
|
|
||||||
%description doc
|
%description doc
|
||||||
Development documentation for PolicyKit Authorization Framework.
|
Development documentation for PolicyKit Authorization Framework.
|
||||||
@ -147,39 +158,49 @@ processes.
|
|||||||
This package provides the GObject Introspection bindings for PolicyKit.
|
This package provides the GObject Introspection bindings for PolicyKit.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1
|
%autosetup -p1 -n polkit-v.%{version}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Needed for patch1 and patch2
|
%meson \
|
||||||
autoreconf -fi
|
-D session_tracking=libsystemd-login \
|
||||||
export SUID_CFLAGS="-fPIE"
|
-D systemdsystemunitdir="%{_unitdir}" \
|
||||||
export SUID_LDFLAGS="-z now -pie"
|
-D os_type=suse \
|
||||||
%configure \
|
-D pam_module_dir="%{_pam_moduledir}" \
|
||||||
--with-os-type=suse \
|
-D pam_prefix="%{_pam_vendordir}" \
|
||||||
--enable-gtk-doc \
|
-D examples=true \
|
||||||
--disable-static \
|
-D tests=true \
|
||||||
--enable-introspection \
|
-D gtk_doc=true \
|
||||||
--enable-examples \
|
-D man=true \
|
||||||
--enable-libsystemd-login \
|
-D js_engine=duktape \
|
||||||
--with-duktape \
|
%{nil}
|
||||||
%{nil}
|
%meson_build
|
||||||
%make_build libprivdir=%{_libexecdir}/polkit-1
|
|
||||||
%sysusers_generate_pre %{SOURCE3} polkit system-user-polkitd.conf
|
%sysusers_generate_pre %{SOURCE3} polkit system-user-polkitd.conf
|
||||||
|
|
||||||
|
%if 0%{?run_tests}
|
||||||
|
%check
|
||||||
|
%meson_test
|
||||||
|
%endif
|
||||||
|
|
||||||
%install
|
%install
|
||||||
# install explicitly into libexec. upstream has some unflexible logic for
|
# install explicitly into libexec. upstream has some unflexible logic for
|
||||||
# this executable at the moment, but there is a PR# open to fix this:
|
# this executable at the moment, but there is a PR# open to fix this:
|
||||||
# https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/63
|
# https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/63
|
||||||
# once this has been resolved upstream and we update to a new release we can
|
# once this has been resolved upstream and we update to a new release we can
|
||||||
# remove this and also patch4 above.
|
# remove this and also patch4 above.
|
||||||
%make_install libprivdir=%{_libexecdir}/polkit-1
|
#
|
||||||
find %{buildroot} -type f -name "*.la" -delete -print
|
# Additional note: Upstream turned down the MR above, preferring to stick to
|
||||||
|
# using ${prefix}/lib/polkit-1 and non-distro-configurable.
|
||||||
|
%meson_install
|
||||||
|
%find_lang polkit-1
|
||||||
|
|
||||||
# create $HOME for polkit user
|
# create $HOME for polkit user
|
||||||
install -d %{buildroot}%{_localstatedir}/lib/polkit
|
install -d %{buildroot}%{_localstatedir}/lib/polkit
|
||||||
%find_lang polkit-1
|
|
||||||
mkdir -p %{buildroot}%{_pam_vendordir}
|
# We use /usr/share as prefix for the rules.d directory
|
||||||
mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/
|
mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules \
|
||||||
mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules %{buildroot}%{_datadir}/polkit-1/rules.d/50-default.rules
|
%{buildroot}%{_polkit_rulesdir}/50-default.rules
|
||||||
|
|
||||||
|
# Install the polkitd user creation file:
|
||||||
mkdir -p %{buildroot}%{_sysusersdir}
|
mkdir -p %{buildroot}%{_sysusersdir}
|
||||||
install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
|
install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
|
||||||
|
|
||||||
@ -221,6 +242,7 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
|
|||||||
%{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib
|
%{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib
|
||||||
|
|
||||||
%files -f polkit-1.lang
|
%files -f polkit-1.lang
|
||||||
|
%doc NEWS.md README.md
|
||||||
%license COPYING
|
%license COPYING
|
||||||
|
|
||||||
%{_mandir}/man1/pkaction.1%{?ext_man}
|
%{_mandir}/man1/pkaction.1%{?ext_man}
|
||||||
@ -234,10 +256,11 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
|
|||||||
%dir %{_datadir}/dbus-1/system.d
|
%dir %{_datadir}/dbus-1/system.d
|
||||||
%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
|
%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
|
||||||
%dir %{_datadir}/polkit-1
|
%dir %{_datadir}/polkit-1
|
||||||
|
%{_datadir}/polkit-1/policyconfig-1.dtd
|
||||||
%dir %{_datadir}/polkit-1/actions
|
%dir %{_datadir}/polkit-1/actions
|
||||||
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
|
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
|
||||||
%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
|
%attr(0700,polkitd,root) %dir %{_polkit_rulesdir}
|
||||||
%attr(0700,polkitd,root) %{_datadir}/polkit-1/rules.d/50-default.rules
|
%attr(0600,polkitd,root) %{_polkit_rulesdir}/50-default.rules
|
||||||
%{_pam_vendordir}/polkit-1
|
%{_pam_vendordir}/polkit-1
|
||||||
%dir %{_sysconfdir}/polkit-1
|
%dir %{_sysconfdir}/polkit-1
|
||||||
%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
|
%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
|
||||||
@ -269,7 +292,6 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
|
|||||||
%verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec
|
%verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec
|
||||||
|
|
||||||
%files doc
|
%files doc
|
||||||
%doc NEWS
|
|
||||||
%doc %{_datadir}/gtk-doc/html/polkit-1/
|
%doc %{_datadir}/gtk-doc/html/polkit-1/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
Loading…
Reference in New Issue
Block a user