commit:     5c7a27dabebe91c15498ac0c652087576cac36ef
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 18 10:33:29 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Aug 18 10:33:29 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5c7a27da

sys-auth/polkit: add 123

Signed-off-by: Sam James <sam <AT> gentoo.org>

 sys-auth/polkit/Manifest                           |   1 +
 sys-auth/polkit/files/polkit-123-mozjs-JIT.patch   |  36 +++++
 .../files/polkit-123-pkexec-uninitialized.patch    |  35 +++++
 sys-auth/polkit/polkit-123.ebuild                  | 161 +++++++++++++++++++++
 4 files changed, 233 insertions(+)

diff --git a/sys-auth/polkit/Manifest b/sys-auth/polkit/Manifest
index bc135558b202..f4ec97d2f7df 100644
--- a/sys-auth/polkit/Manifest
+++ b/sys-auth/polkit/Manifest
@@ -1 +1,2 @@
 DIST polkit-122.tar.bz2 704972 BLAKE2B 
601ed969de816d061a974b07490d64c144940898a75d4e1761462ee1ff0f00686b068298fa6fdc901879d8cd4bea4334c0187aa5bde50acf90728c37e73e21f4
 SHA512 
a7c0a951bbcdb09899adbc128296c74fc062441e996f4d6a782b214178f0936137e2fdc489eaa86a00599b988711735a5bd9b5c3b93bdb42fb915db9f9b04e26
+DIST polkit-123.tar.bz2 707480 BLAKE2B 
27d8764606d8156118269fb4cd5eda1cfd0d56df219e4157cd78fd4c2a2d001c474271b7bb31e7e82ca376eacd26411418695058cc888700690606348b4d014a
 SHA512 
4306363d3ed7311243de462832199bd10ddda35e36449104daff0895725d8189b07a4c88340f28607846fdf761c23470da2d43288199c46aa816426384124bb6

diff --git a/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch 
b/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch
new file mode 100644
index 000000000000..5b3f2c4a3641
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-123-mozjs-JIT.patch
@@ -0,0 +1,36 @@
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/4b7a5c35fb3dd439e490f8fd6b1265d17c6d4bcb
+
+From 4b7a5c35fb3dd439e490f8fd6b1265d17c6d4bcb Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry...@xry111.site>
+Date: Sat, 29 Jul 2023 17:44:58 +0800
+Subject: [PATCH] jsauthority: mozjs: Disable JIT
+
+The JIT compiling of mozjs needs W/X mapping, but our systemd hardening
+setting does not allow it.
+
+For polkit, security is much more important than the speed running
+Javascript code in rule files, so we should disable JIT.
+
+Fixes #199.
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -56,7 +56,16 @@
+ static class JsInitHelperType
+ {
+ public:
+-      JsInitHelperType() { JS_Init(); }
++      JsInitHelperType()
++      {
++        /* Disable JIT because it needs W/X mapping, which is not allowed by
++         * our systemd hardening setting.
++         */
++        JS::DisableJitBackend();
++
++        JS_Init();
++      }
++
+       ~JsInitHelperType() { JS_ShutDown(); }
+ } JsInitHelper;
+ 
+-- 
+GitLab

diff --git a/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch 
b/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch
new file mode 100644
index 000000000000..f19560943c43
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-123-pkexec-uninitialized.patch
@@ -0,0 +1,35 @@
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/c79ee5595c8d397098978ad50eb521ba2ae8467d
+
+From c79ee5595c8d397098978ad50eb521ba2ae8467d Mon Sep 17 00:00:00 2001
+From: Vincent Mihalkovic <vmiha...@redhat.com>
+Date: Wed, 16 Aug 2023 08:59:55 +0000
+Subject: [PATCH] pkexec: fix uninitialized pointer warning
+
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -53,6 +53,7 @@
+ static gchar *original_user_name = NULL;
+ static gchar *original_cwd;
+ static gchar *command_line = NULL;
++static gchar *cmdline_short = NULL;
+ static struct passwd *pw;
+ 
+ #ifndef HAVE_CLEARENV
+@@ -508,6 +509,7 @@ main (int argc, char *argv[])
+   path = NULL;
+   exec_argv = NULL;
+   command_line = NULL;
++  cmdline_short = NULL;
+   opt_user = NULL;
+   local_agent_handle = NULL;
+ 
+@@ -802,7 +804,6 @@ main (int argc, char *argv[])
+   polkit_details_insert (details, "program", path);
+   polkit_details_insert (details, "command_line", command_line);
+ 
+-  gchar *cmdline_short = NULL;
+   cmdline_short = g_strdup(command_line);
+   if (strlen(command_line) > 80)
+       g_stpcpy(g_stpcpy( cmdline_short + 38, " ... " ),
+-- 
+GitLab

diff --git a/sys-auth/polkit/polkit-123.ebuild 
b/sys-auth/polkit/polkit-123.ebuild
new file mode 100644
index 000000000000..4e688c0a4f23
--- /dev/null
+++ b/sys-auth/polkit/polkit-123.ebuild
@@ -0,0 +1,161 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..11} )
+inherit meson pam pax-utils python-any-r1 systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide 
services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit 
https://gitlab.freedesktop.org/polkit/polkit";
+if [[ ${PV} == *_p* ]] ; then
+       # Upstream don't make releases very often. Test snapshots throughly
+       # and review commits, but don't shy away if there's useful stuff there
+       # we want.
+       MY_COMMIT=""
+       
SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${MY_COMMIT}/polkit-${MY_COMMIT}.tar.bz2
 -> ${P}.tar.bz2"
+
+       S="${WORKDIR}"/${PN}-${MY_COMMIT}
+else
+       
SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${PV}/${P}.tar.bz2";
+fi
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86"
+IUSE="+daemon +duktape examples gtk +introspection kde pam selinux systemd 
test"
+# https://gitlab.freedesktop.org/polkit/polkit/-/issues/181 for test 
restriction
+RESTRICT="!test? ( test ) test"
+
+# This seems to be fixed with 121?
+#if [[ ${PV} == *_p* ]] ; then
+#      RESTRICT="!test? ( test )"
+#else
+#      # Tests currently don't work with meson in the dist tarballs. See
+#      #  https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
+#      RESTRICT="test"
+#fi
+
+BDEPEND="
+       acct-user/polkitd
+       app-text/docbook-xml-dtd:4.1.2
+       app-text/docbook-xsl-stylesheets
+       dev-libs/glib
+       dev-libs/gobject-introspection-common
+       dev-libs/libxslt
+       dev-util/glib-utils
+       sys-devel/gettext
+       virtual/pkgconfig
+       introspection? ( dev-libs/gobject-introspection )
+       test? (
+               $(python_gen_any_dep '
+                       dev-python/dbus-python[${PYTHON_USEDEP}]
+                       dev-python/python-dbusmock[${PYTHON_USEDEP}]
+               ')
+       )
+"
+DEPEND="
+       dev-libs/glib:2
+       dev-libs/expat
+       daemon? (
+               duktape? ( dev-lang/duktape:= )
+               !duktape? ( dev-lang/spidermonkey:102[-debug] )
+       )
+       pam? (
+               sys-auth/pambase
+               sys-libs/pam
+       )
+       !pam? ( virtual/libcrypt:= )
+       systemd? ( sys-apps/systemd:0=[policykit] )
+       !systemd? ( sys-auth/elogind )
+"
+RDEPEND="${DEPEND}
+       acct-user/polkitd
+       selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+       gtk? ( || (
+               >=gnome-extra/polkit-gnome-0.105
+               >=lxde-base/lxsession-0.5.2
+       ) )
+       kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING.md NEWS.md README.md )
+
+QA_MULTILIB_PATHS="
+       usr/lib/polkit-1/polkit-agent-helper-1
+       usr/lib/polkit-1/polkitd
+"
+
+PATCHES=(
+       "${FILESDIR}"/${P}-mozjs-JIT.patch
+       "${FILESDIR}"/${P}-pkexec-uninitialized.patch
+)
+
+python_check_deps() {
+       python_has_version "dev-python/dbus-python[${PYTHON_USEDEP}]" &&
+       python_has_version "dev-python/python-dbusmock[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+       use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+       default
+
+       # bug #401513
+       sed -i -e 's|unix-group:wheel|unix-user:0|' 
src/polkitbackend/*-default.rules || die
+}
+
+src_configure() {
+       xdg_environment_reset
+
+       local emesonargs=(
+               --localstatedir="${EPREFIX}"/var
+               -Dauthfw="$(usex pam pam shadow)"
+               -Dexamples=false
+               -Dgtk_doc=false
+               -Dman=true
+               -Dos_type=gentoo
+               -Dsession_tracking="$(usex systemd libsystemd-login libelogind)"
+               -Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
+               -Djs_engine=$(usex duktape duktape mozjs)
+               $(meson_use !daemon libs-only)
+               $(meson_use introspection)
+               $(meson_use test tests)
+               $(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '')
+       )
+       meson_src_configure
+}
+
+src_compile() {
+       meson_src_compile
+
+       # Required for polkitd on hardened/PaX due to spidermonkey's JIT
+       pax-mark mr src/polkitbackend/.libs/polkitd 
test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+       meson_src_install
+
+       if use examples ; then
+               docinto examples
+               dodoc src/examples/{*.c,*.policy*}
+       fi
+
+       if use daemon; then
+               if [[ ${EUID} == 0 ]]; then
+                       diropts -m 0700 -o polkitd
+               fi
+               keepdir /etc/polkit-1/rules.d
+       fi
+}
+
+pkg_postinst() {
+       if use daemon && [[ ${EUID} == 0 ]]; then
+               chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+               chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+       fi
+}
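Review bot: The `pax-mark mr` call in `src_compile` still relaxes MPROTECT and RANDMMAP on polkitd with the comment "Required for polkitd on hardened/PaX due to spidermonkey's JIT". This same ebuild applies `${P}-mozjs-JIT.patch`, which disables the JIT, and it defaults to `+duktape`, where SpiderMonkey is not the JS engine at all. The marked paths (`src/polkitbackend/.libs/polkitd` and the test binary under `test/polkitbackend/.libs/`) look like libtool output locations that a meson build would presumably not produce, so the call may already be a no-op; this should be confirmed against the actual build directory. If the marking is no longer needed, dropping it keeps a privileged daemon under the full PaX restrictions. If it must stay, guard it as `use duktape || pax-mark mr ...` and update the comment to say why it is still required with the JIT disabled.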
