Hello community,
here is the log from the commit of package polkit-default-privs for
openSUSE:Factory checked in at 2020-11-06 23:44:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/polkit-default-privs (Old)
and /work/SRC/openSUSE:Factory/.polkit-default-privs.new.11331 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polkit-default-privs"
Fri Nov 6 23:44:01 2020 rev:190 rq:845677 version:1550+20201103.994a5ed
Changes:
--------
---
/work/SRC/openSUSE:Factory/polkit-default-privs/polkit-default-privs.changes
2020-10-22 14:23:29.162815088 +0200
+++
/work/SRC/openSUSE:Factory/.polkit-default-privs.new.11331/polkit-default-privs.changes
2020-11-06 23:44:21.631348855 +0100
@@ -1,0 +2,17 @@
+Tue Nov 03 10:14:02 UTC 2020 - matthias.gerst...@suse.com
+
+- Update to version 1550+20201103.994a5ed:
+ * udisks2: rename of manage-led action to match upstream changes
(bsc#1178321)
+
+-------------------------------------------------------------------
+Mon Nov 02 08:34:41 UTC 2020 - matthias.gerst...@suse.com
+
+- Update to version 1550+20201030.d1b5d8b:
+ * whitelisting of GNOME malcontent parental controls (bsc#1177974)
+ * restrictive profile: fix conflicting duplicate action
org.kde.powerdevil.backlighthelper.setbrightness
+ * restrictive profile: fix conflicting duplicate action
org.freedesktop.color-manager.delete-profile
+ * profiles: fix conflicting duplicate action
org.kde.powerdevil.backlighthelper.brightness
+ * profiles: remove duplicate actions with same authentication settings
+ * tools: new script to cleanly remove duplicate actions
+
+-------------------------------------------------------------------
Old:
----
polkit-default-privs-1550+20201012.1df5a0d.tar.xz
New:
----
polkit-default-privs-1550+20201103.994a5ed.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ polkit-default-privs.spec ++++++
--- /var/tmp/diff_new_pack.RJYtoU/_old 2020-11-06 23:44:22.387347402 +0100
+++ /var/tmp/diff_new_pack.RJYtoU/_new 2020-11-06 23:44:22.387347402 +0100
@@ -23,7 +23,7 @@
%endif
Name: polkit-default-privs
-Version: 1550+20201012.1df5a0d
+Version: 1550+20201103.994a5ed
Release: 0
Summary: SUSE PolicyKit default permissions
License: GPL-2.0-or-later
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.RJYtoU/_old 2020-11-06 23:44:22.427347325 +0100
+++ /var/tmp/diff_new_pack.RJYtoU/_new 2020-11-06 23:44:22.431347318 +0100
@@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://github.com/openSUSE/polkit-default-privs.git</param>
- <param
name="changesrevision">e08bbb1037fcb30224ed4f6a6fe1338fd264f2a6</param></service></servicedata>
\ No newline at end of file
+ <param
name="changesrevision">994a5edb86a391614ecd0b8d52441c2da72f63a4</param></service></servicedata>
\ No newline at end of file
++++++ polkit-default-privs-1550+20201012.1df5a0d.tar.xz ->
polkit-default-privs-1550+20201103.994a5ed.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/polkit-default-privs-1550+20201012.1df5a0d/etc/polkit-rules-whitelist.json
new/polkit-default-privs-1550+20201103.994a5ed/etc/polkit-rules-whitelist.json
---
old/polkit-default-privs-1550+20201012.1df5a0d/etc/polkit-rules-whitelist.json
2020-10-12 10:40:44.000000000 +0200
+++
new/polkit-default-privs-1550+20201103.994a5ed/etc/polkit-rules-whitelist.json
2020-11-03 10:43:56.000000000 +0100
@@ -84,5 +84,15 @@
}
}
}
+ },
+ "malcontent": {
+ "audits": {
+ "bsc#1177974": {
+ "comment": "Allows wheel members to bypass
parental controls. We allow this as an exception (granting implicit
authorization to wheel) since this is not security relevant per se.",
+ "digests": {
+
"/usr/share/polkit-1/rules.d/com.endlessm.ParentalControls.rules":
"sha256:4dca105e78ff95c2317386d4df4f959f0c055eec13e12c34c48084b9bbb385b4"
+ }
+ }
+ }
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.easy
new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.easy
---
old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.easy
2020-10-12 10:40:44.000000000 +0200
+++
new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.easy
2020-11-03 10:43:56.000000000 +0100
@@ -226,7 +226,7 @@
org.freedesktop.udisks2.btrfs.manage-btrfs
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.filesystem-take-ownership
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.lvm2.manage-lvm
auth_admin:auth_admin:auth_admin_keep
-org.freedesktop.udisks2.manage-led
auth_admin:auth_admin:auth_admin_keep
+org.freedesktop.udisks2.lsm.manage-led
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.zram.manage-zram
auth_admin:auth_admin:auth_admin_keep
# bsc#1123747
@@ -331,7 +331,7 @@
org.kde.kcontrol.kcmkdm.managethemes auth_admin_keep
org.kde.kcontrol.kcmkdm.save auth_admin
# kde backlight helper (bnc#672145)
-org.kde.powerdevil.backlighthelper.brightness no:no:yes
+org.kde.powerdevil.backlighthelper.brightness no:yes:yes
org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
# kde powerdevil gpu helper (bsc#1019644)
@@ -607,17 +607,8 @@
# libvirt (bsc#959297)
org.libvirt.api.connect.detect-storage-pools auth_admin_keep
-org.libvirt.api.connect.getattr auth_admin_keep
org.libvirt.api.connect.interface-transaction auth_admin_keep
org.libvirt.api.connect.pm-control auth_admin_keep
-org.libvirt.api.connect.read auth_admin_keep
-org.libvirt.api.connect.search-domains auth_admin_keep
-org.libvirt.api.connect.search-interfaces auth_admin_keep
-org.libvirt.api.connect.search-networks auth_admin_keep
-org.libvirt.api.connect.search-node-devices auth_admin_keep
-org.libvirt.api.connect.search-nwfilters auth_admin_keep
-org.libvirt.api.connect.search-secrets auth_admin_keep
-org.libvirt.api.connect.search-storage-pools auth_admin_keep
org.libvirt.api.connect.write auth_admin_keep
org.libvirt.api.domain.block-read auth_admin_keep
org.libvirt.api.domain.block-write auth_admin_keep
@@ -625,7 +616,6 @@
org.libvirt.api.domain.delete auth_admin_keep
org.libvirt.api.domain.fs-freeze auth_admin_keep
org.libvirt.api.domain.fs-trim auth_admin_keep
-org.libvirt.api.domain.getattr auth_admin_keep
org.libvirt.api.domain.hibernate auth_admin_keep
org.libvirt.api.domain.init-control auth_admin_keep
org.libvirt.api.domain.inject-nmi auth_admin_keep
@@ -635,7 +625,6 @@
org.libvirt.api.domain.open-graphics auth_admin_keep
org.libvirt.api.domain.open-namespace auth_admin_keep
org.libvirt.api.domain.pm-control auth_admin_keep
-org.libvirt.api.domain.read auth_admin_keep
org.libvirt.api.domain.read-secure auth_admin_keep
org.libvirt.api.domain.reset auth_admin_keep
org.libvirt.api.domain.save auth_admin_keep
@@ -650,40 +639,29 @@
org.libvirt.api.domain.suspend auth_admin_keep
org.libvirt.api.domain.write auth_admin_keep
org.libvirt.api.interface.delete auth_admin_keep
-org.libvirt.api.interface.getattr auth_admin_keep
-org.libvirt.api.interface.read auth_admin_keep
org.libvirt.api.interface.save auth_admin_keep
org.libvirt.api.interface.start auth_admin_keep
org.libvirt.api.interface.stop auth_admin_keep
org.libvirt.api.interface.write auth_admin_keep
org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
org.libvirt.api.network.save auth_admin_keep
org.libvirt.api.network.start auth_admin_keep
org.libvirt.api.network.stop auth_admin_keep
org.libvirt.api.network.write auth_admin_keep
org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
org.libvirt.api.node-device.read auth_admin_keep
org.libvirt.api.node-device.start auth_admin_keep
org.libvirt.api.node-device.stop auth_admin_keep
org.libvirt.api.node-device.write auth_admin_keep
org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
org.libvirt.api.nwfilter.save auth_admin_keep
org.libvirt.api.nwfilter.write auth_admin_keep
org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
org.libvirt.api.secret.read-secure auth_admin_keep
org.libvirt.api.secret.save auth_admin_keep
org.libvirt.api.secret.write auth_admin_keep
org.libvirt.api.storage-pool.delete auth_admin_keep
org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
org.libvirt.api.storage-pool.refresh auth_admin_keep
org.libvirt.api.storage-pool.save auth_admin_keep
org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
@@ -695,56 +673,8 @@
org.libvirt.api.storage-vol.data-write auth_admin_keep
org.libvirt.api.storage-vol.delete auth_admin_keep
org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
org.libvirt.api.storage-vol.resize auth_admin_keep
-org.libvirt.api.interface.save auth_admin_keep
-org.libvirt.api.interface.start auth_admin_keep
-org.libvirt.api.interface.stop auth_admin_keep
-org.libvirt.api.interface.write auth_admin_keep
-org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
-org.libvirt.api.network.save auth_admin_keep
-org.libvirt.api.network.start auth_admin_keep
-org.libvirt.api.network.stop auth_admin_keep
-org.libvirt.api.network.write auth_admin_keep
-org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
-org.libvirt.api.node-device.read auth_admin_keep
-org.libvirt.api.node-device.start auth_admin_keep
-org.libvirt.api.node-device.stop auth_admin_keep
-org.libvirt.api.node-device.write auth_admin_keep
-org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
-org.libvirt.api.nwfilter.save auth_admin_keep
-org.libvirt.api.nwfilter.write auth_admin_keep
-org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
-org.libvirt.api.secret.read-secure auth_admin_keep
-org.libvirt.api.secret.save auth_admin_keep
-org.libvirt.api.secret.write auth_admin_keep
-org.libvirt.api.storage-pool.delete auth_admin_keep
-org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
-org.libvirt.api.storage-pool.refresh auth_admin_keep
-org.libvirt.api.storage-pool.save auth_admin_keep
-org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
-org.libvirt.api.storage-pool.start auth_admin_keep
-org.libvirt.api.storage-pool.stop auth_admin_keep
-org.libvirt.api.storage-pool.write auth_admin_keep
-org.libvirt.api.storage-vol.create auth_admin_keep
-org.libvirt.api.storage-vol.data-read auth_admin_keep
-org.libvirt.api.storage-vol.data-write auth_admin_keep
-org.libvirt.api.storage-vol.delete auth_admin_keep
-org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
-org.libvirt.api.storage-vol.resize auth_admin_keep
# libvirt (bsc#1100328)
org.libvirt.api.connect.search-nwfilter-bindings auth_admin_keep
@@ -829,9 +759,7 @@
org.kde.powerdevil.backlighthelper.setbrightnessvalue no:no:yes
# powerdevil action-name changes (bnc#927275)
-org.kde.powerdevil.backlighthelper.brightness no:yes:yes
org.kde.powerdevil.backlighthelper.brightnessmax no:yes:yes
-org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
# storaged (bnc#915770)
@@ -1072,3 +1000,18 @@
# KDE smartctl helper (bsc#1176742)
org.kde.kded.smart.smartctl auth_admin:auth_admin:yes
+
+# GNOME parental controls, accountservice extensions (bsc#1177974)
+com.endlessm.ParentalControls.AccountInfo.ReadAny yes:yes:yes
+com.endlessm.ParentalControls.AppFilter.ReadOwn yes:yes:yes
+com.endlessm.ParentalControls.SessionLimits.ReadOwn yes:yes:yes
+com.endlessm.ParentalControls.AccountInfo.ChangeAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AccountInfo.ChangeOwn
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeOwn
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ReadAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeOwn
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ReadAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+org.freedesktop.MalcontentControl.administration no:no:auth_admin_keep
+com.endlessm.ParentalControls.AccountInfo.ReadOwn yes:yes:yes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.restrictive
new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.restrictive
---
old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.restrictive
2020-10-12 10:40:44.000000000 +0200
+++
new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.restrictive
2020-11-03 10:43:56.000000000 +0100
@@ -56,7 +56,6 @@
org.freedesktop.color-manager.create-profile no:no:yes
org.freedesktop.color-manager.delete-device no:no:yes
org.freedesktop.color-manager.delete-profile no:no:yes
-org.freedesktop.color-manager.delete-profile auth_admin
org.freedesktop.color-manager.modify-device auth_admin
org.freedesktop.color-manager.modify-profile auth_admin
org.freedesktop.color-manager.install-system-wide auth_admin
@@ -213,7 +212,7 @@
org.freedesktop.udisks2.btrfs.manage-btrfs
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.filesystem-take-ownership
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.lvm2.manage-lvm
auth_admin:auth_admin:auth_admin_keep
-org.freedesktop.udisks2.manage-led
auth_admin:auth_admin:auth_admin_keep
+org.freedesktop.udisks2.lsm.manage-led
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.zram.manage-zram
auth_admin:auth_admin:auth_admin_keep
# bsc#1123747
@@ -319,7 +318,6 @@
org.kde.kcontrol.kcmkdm.save auth_admin
# kde backlight helper (bnc#672145)
org.kde.powerdevil.backlighthelper.brightness
auth_admin:auth_admin:yes
-org.kde.powerdevil.backlighthelper.setbrightness
auth_admin:auth_admin:yes
# kde powerdevil gpu helper (bsc#1019644, bsc#1026038)
org.kde.powerdevil.discretegpuhelper.hasdualgpu
no:no:yes
@@ -592,17 +590,8 @@
# libvirt (bsc#959297)
org.libvirt.api.connect.detect-storage-pools auth_admin_keep
-org.libvirt.api.connect.getattr auth_admin_keep
org.libvirt.api.connect.interface-transaction auth_admin_keep
org.libvirt.api.connect.pm-control auth_admin_keep
-org.libvirt.api.connect.read auth_admin_keep
-org.libvirt.api.connect.search-domains auth_admin_keep
-org.libvirt.api.connect.search-interfaces auth_admin_keep
-org.libvirt.api.connect.search-networks auth_admin_keep
-org.libvirt.api.connect.search-node-devices auth_admin_keep
-org.libvirt.api.connect.search-nwfilters auth_admin_keep
-org.libvirt.api.connect.search-secrets auth_admin_keep
-org.libvirt.api.connect.search-storage-pools auth_admin_keep
org.libvirt.api.connect.write auth_admin_keep
org.libvirt.api.domain.block-read auth_admin_keep
org.libvirt.api.domain.block-write auth_admin_keep
@@ -610,7 +599,6 @@
org.libvirt.api.domain.delete auth_admin_keep
org.libvirt.api.domain.fs-freeze auth_admin_keep
org.libvirt.api.domain.fs-trim auth_admin_keep
-org.libvirt.api.domain.getattr auth_admin_keep
org.libvirt.api.domain.hibernate auth_admin_keep
org.libvirt.api.domain.init-control auth_admin_keep
org.libvirt.api.domain.inject-nmi auth_admin_keep
@@ -620,7 +608,6 @@
org.libvirt.api.domain.open-graphics auth_admin_keep
org.libvirt.api.domain.open-namespace auth_admin_keep
org.libvirt.api.domain.pm-control auth_admin_keep
-org.libvirt.api.domain.read auth_admin_keep
org.libvirt.api.domain.read-secure auth_admin_keep
org.libvirt.api.domain.reset auth_admin_keep
org.libvirt.api.domain.save auth_admin_keep
@@ -635,40 +622,29 @@
org.libvirt.api.domain.suspend auth_admin_keep
org.libvirt.api.domain.write auth_admin_keep
org.libvirt.api.interface.delete auth_admin_keep
-org.libvirt.api.interface.getattr auth_admin_keep
-org.libvirt.api.interface.read auth_admin_keep
org.libvirt.api.interface.save auth_admin_keep
org.libvirt.api.interface.start auth_admin_keep
org.libvirt.api.interface.stop auth_admin_keep
org.libvirt.api.interface.write auth_admin_keep
org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
org.libvirt.api.network.save auth_admin_keep
org.libvirt.api.network.start auth_admin_keep
org.libvirt.api.network.stop auth_admin_keep
org.libvirt.api.network.write auth_admin_keep
org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
org.libvirt.api.node-device.read auth_admin_keep
org.libvirt.api.node-device.start auth_admin_keep
org.libvirt.api.node-device.stop auth_admin_keep
org.libvirt.api.node-device.write auth_admin_keep
org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
org.libvirt.api.nwfilter.save auth_admin_keep
org.libvirt.api.nwfilter.write auth_admin_keep
org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
org.libvirt.api.secret.read-secure auth_admin_keep
org.libvirt.api.secret.save auth_admin_keep
org.libvirt.api.secret.write auth_admin_keep
org.libvirt.api.storage-pool.delete auth_admin_keep
org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
org.libvirt.api.storage-pool.refresh auth_admin_keep
org.libvirt.api.storage-pool.save auth_admin_keep
org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
@@ -680,8 +656,6 @@
org.libvirt.api.storage-vol.data-write auth_admin_keep
org.libvirt.api.storage-vol.delete auth_admin_keep
org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
org.libvirt.api.storage-vol.resize auth_admin_keep
# libvirt (bsc#1100328)
@@ -766,7 +740,6 @@
org.kde.powerdevil.backlighthelper.setbrightnessvalue no:no:yes
# powerdevil action-name changes (bnc#927275)
-org.kde.powerdevil.backlighthelper.brightness no:yes:yes
org.kde.powerdevil.backlighthelper.brightnessmax no:yes:yes
org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
@@ -1010,3 +983,18 @@
# KDE smartctl helper (bsc#1176742)
org.kde.kded.smart.smartctl no:no:auth_admin
+
+# GNOME parental controls, accountservice extensions (bsc#1177974)
+com.endlessm.ParentalControls.AccountInfo.ReadAny auth_admin:auth_admin:yes
+com.endlessm.ParentalControls.AppFilter.ReadOwn auth_admin:auth_admin:yes
+com.endlessm.ParentalControls.SessionLimits.ReadOwn auth_admin:auth_admin:yes
+com.endlessm.ParentalControls.AccountInfo.ChangeAny
no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.AccountInfo.ChangeOwn
no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeAny no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeOwn no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ReadAny no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeAny
no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeOwn
no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ReadAny
no:auth_admin:auth_admin_keep
+org.freedesktop.MalcontentControl.administration no:no:auth_admin
+com.endlessm.ParentalControls.AccountInfo.ReadOwn auth_admin:auth_admin:yes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.standard
new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.standard
---
old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.standard
2020-10-12 10:40:44.000000000 +0200
+++
new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.standard
2020-11-03 10:43:56.000000000 +0100
@@ -227,7 +227,7 @@
org.freedesktop.udisks2.btrfs.manage-btrfs
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.filesystem-take-ownership
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.lvm2.manage-lvm
auth_admin:auth_admin:auth_admin_keep
-org.freedesktop.udisks2.manage-led
auth_admin:auth_admin:auth_admin_keep
+org.freedesktop.udisks2.lsm.manage-led
auth_admin:auth_admin:auth_admin_keep
org.freedesktop.udisks2.zram.manage-zram
auth_admin:auth_admin:auth_admin_keep
# bsc#1123747
@@ -332,7 +332,7 @@
org.kde.kcontrol.kcmkdm.managethemes auth_admin_keep
org.kde.kcontrol.kcmkdm.save auth_admin
# kde backlight helper (bnc#672145)
-org.kde.powerdevil.backlighthelper.brightness no:no:yes
+org.kde.powerdevil.backlighthelper.brightness no:yes:yes
org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
# kde powerdevil gpu helper (bsc#1019644)
@@ -608,17 +608,8 @@
# libvirt (bsc#959297)
org.libvirt.api.connect.detect-storage-pools auth_admin_keep
-org.libvirt.api.connect.getattr auth_admin_keep
org.libvirt.api.connect.interface-transaction auth_admin_keep
org.libvirt.api.connect.pm-control auth_admin_keep
-org.libvirt.api.connect.read auth_admin_keep
-org.libvirt.api.connect.search-domains auth_admin_keep
-org.libvirt.api.connect.search-interfaces auth_admin_keep
-org.libvirt.api.connect.search-networks auth_admin_keep
-org.libvirt.api.connect.search-node-devices auth_admin_keep
-org.libvirt.api.connect.search-nwfilters auth_admin_keep
-org.libvirt.api.connect.search-secrets auth_admin_keep
-org.libvirt.api.connect.search-storage-pools auth_admin_keep
org.libvirt.api.connect.write auth_admin_keep
org.libvirt.api.domain.block-read auth_admin_keep
org.libvirt.api.domain.block-write auth_admin_keep
@@ -626,7 +617,6 @@
org.libvirt.api.domain.delete auth_admin_keep
org.libvirt.api.domain.fs-freeze auth_admin_keep
org.libvirt.api.domain.fs-trim auth_admin_keep
-org.libvirt.api.domain.getattr auth_admin_keep
org.libvirt.api.domain.hibernate auth_admin_keep
org.libvirt.api.domain.init-control auth_admin_keep
org.libvirt.api.domain.inject-nmi auth_admin_keep
@@ -636,7 +626,6 @@
org.libvirt.api.domain.open-graphics auth_admin_keep
org.libvirt.api.domain.open-namespace auth_admin_keep
org.libvirt.api.domain.pm-control auth_admin_keep
-org.libvirt.api.domain.read auth_admin_keep
org.libvirt.api.domain.read-secure auth_admin_keep
org.libvirt.api.domain.reset auth_admin_keep
org.libvirt.api.domain.save auth_admin_keep
@@ -651,40 +640,29 @@
org.libvirt.api.domain.suspend auth_admin_keep
org.libvirt.api.domain.write auth_admin_keep
org.libvirt.api.interface.delete auth_admin_keep
-org.libvirt.api.interface.getattr auth_admin_keep
-org.libvirt.api.interface.read auth_admin_keep
org.libvirt.api.interface.save auth_admin_keep
org.libvirt.api.interface.start auth_admin_keep
org.libvirt.api.interface.stop auth_admin_keep
org.libvirt.api.interface.write auth_admin_keep
org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
org.libvirt.api.network.save auth_admin_keep
org.libvirt.api.network.start auth_admin_keep
org.libvirt.api.network.stop auth_admin_keep
org.libvirt.api.network.write auth_admin_keep
org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
org.libvirt.api.node-device.read auth_admin_keep
org.libvirt.api.node-device.start auth_admin_keep
org.libvirt.api.node-device.stop auth_admin_keep
org.libvirt.api.node-device.write auth_admin_keep
org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
org.libvirt.api.nwfilter.save auth_admin_keep
org.libvirt.api.nwfilter.write auth_admin_keep
org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
org.libvirt.api.secret.read-secure auth_admin_keep
org.libvirt.api.secret.save auth_admin_keep
org.libvirt.api.secret.write auth_admin_keep
org.libvirt.api.storage-pool.delete auth_admin_keep
org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
org.libvirt.api.storage-pool.refresh auth_admin_keep
org.libvirt.api.storage-pool.save auth_admin_keep
org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
@@ -696,56 +674,8 @@
org.libvirt.api.storage-vol.data-write auth_admin_keep
org.libvirt.api.storage-vol.delete auth_admin_keep
org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
org.libvirt.api.storage-vol.resize auth_admin_keep
-org.libvirt.api.interface.save auth_admin_keep
-org.libvirt.api.interface.start auth_admin_keep
-org.libvirt.api.interface.stop auth_admin_keep
-org.libvirt.api.interface.write auth_admin_keep
-org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
-org.libvirt.api.network.save auth_admin_keep
-org.libvirt.api.network.start auth_admin_keep
-org.libvirt.api.network.stop auth_admin_keep
-org.libvirt.api.network.write auth_admin_keep
-org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
-org.libvirt.api.node-device.read auth_admin_keep
-org.libvirt.api.node-device.start auth_admin_keep
-org.libvirt.api.node-device.stop auth_admin_keep
-org.libvirt.api.node-device.write auth_admin_keep
-org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
-org.libvirt.api.nwfilter.save auth_admin_keep
-org.libvirt.api.nwfilter.write auth_admin_keep
-org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
-org.libvirt.api.secret.read-secure auth_admin_keep
-org.libvirt.api.secret.save auth_admin_keep
-org.libvirt.api.secret.write auth_admin_keep
-org.libvirt.api.storage-pool.delete auth_admin_keep
-org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
-org.libvirt.api.storage-pool.refresh auth_admin_keep
-org.libvirt.api.storage-pool.save auth_admin_keep
-org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
-org.libvirt.api.storage-pool.start auth_admin_keep
-org.libvirt.api.storage-pool.stop auth_admin_keep
-org.libvirt.api.storage-pool.write auth_admin_keep
-org.libvirt.api.storage-vol.create auth_admin_keep
-org.libvirt.api.storage-vol.data-read auth_admin_keep
-org.libvirt.api.storage-vol.data-write auth_admin_keep
-org.libvirt.api.storage-vol.delete auth_admin_keep
-org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
-org.libvirt.api.storage-vol.resize auth_admin_keep
# libvirt (bsc#1100328)
org.libvirt.api.connect.search-nwfilter-bindings auth_admin_keep
@@ -830,9 +760,7 @@
org.kde.powerdevil.backlighthelper.setbrightnessvalue no:no:yes
# powerdevil action-name changes (bnc#927275)
-org.kde.powerdevil.backlighthelper.brightness no:yes:yes
org.kde.powerdevil.backlighthelper.brightnessmax no:yes:yes
-org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
# storaged (bnc#915770)
@@ -1073,3 +1001,18 @@
# KDE smartctl helper (bsc#1176742)
org.kde.kded.smart.smartctl no:auth_admin:yes
+
+# GNOME parental controls, accountservice extensions (bsc#1177974)
+com.endlessm.ParentalControls.AccountInfo.ReadAny yes:yes:yes
+com.endlessm.ParentalControls.AppFilter.ReadOwn yes:yes:yes
+com.endlessm.ParentalControls.SessionLimits.ReadOwn yes:yes:yes
+com.endlessm.ParentalControls.AccountInfo.ChangeAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AccountInfo.ChangeOwn
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeOwn
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ReadAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeOwn
auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ReadAny
auth_admin_keep:auth_admin_keep:auth_admin_keep
+org.freedesktop.MalcontentControl.administration no:no:auth_admin_keep
+com.endlessm.ParentalControls.AccountInfo.ReadOwn yes:yes:yes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/polkit-default-privs-1550+20201012.1df5a0d/tools/add_polkit_action.py
new/polkit-default-privs-1550+20201103.994a5ed/tools/add_polkit_action.py
--- old/polkit-default-privs-1550+20201012.1df5a0d/tools/add_polkit_action.py
2020-10-12 10:40:44.000000000 +0200
+++ new/polkit-default-privs-1550+20201103.994a5ed/tools/add_polkit_action.py
2020-11-03 10:43:56.000000000 +0100
@@ -4,11 +4,8 @@
import os, sys
import argparse
-from pathlib import Path
-def printerr(*args, **kwargs):
- kwargs["file"] = sys.stderr
- print(*args, **kwargs)
+from pkcommon import *
epilog = """Example invocation:
@@ -24,15 +21,12 @@
class PolkitActionHandler:
# existing default profiles in increasing order of security
- PROFILES = ("easy", "standard", "restrictive")
# existing authentication type settings in increasing order of security
AUTH_TYPES = ("yes", "auth_self_keep", "auth_self", "auth_admin_keep",
"auth_admin", "no")
AUTH_CATEGORIES = ("any-user", "inactive-session", "active-session")
def __init__(self):
- self.m_profile_dir = Path(__file__).parent.with_name("profiles")
-
self.m_parser = argparse.ArgumentParser(
description = "Adds a new action with associated authentication
settings to the polkit profiles managed by polkit-default-privs",
formatter_class = argparse.RawTextHelpFormatter,
@@ -53,7 +47,7 @@
type = self.parseAction
)
- for profile in self.PROFILES:
+ for profile in PROFILES:
self.m_parser.add_argument(
"--" + profile,
@@ -130,15 +124,11 @@
return s
- def getProfilePath(self, which):
- base = "polkit-default-privs.{}".format(which)
- return self.m_profile_dir / base
-
def run(self):
self.m_args = self.m_parser.parse_args()
# tuple of auth types matching the profiles
- self.m_auth_types = tuple( getattr(self.m_args, profile) for profile
in self.PROFILES )
+ self.m_auth_types = tuple( getattr(self.m_args, profile) for profile
in PROFILES )
if not self.sanityCheck():
printerr("Not adding new action since sanity check(s) failed")
@@ -162,28 +152,24 @@
ret = True
- for profile in self.PROFILES:
+ for profile in PROFILES:
- path = self.getProfilePath(profile)
+ path = getProfilePath(profile)
- with open(path) as fd:
+ for entry in parseProfile(path):
+ if not self.checkDuplicate(entry):
+ ret = False
- nr = 0
- for line in fd.readlines():
- nr += 1
- line = line.strip()
- if not line or line.startswith('#'):
- continue
-
- action = line.split()[0]
- if action == self.m_args.action:
- printerr("ERROR: action to be added already exists in
{}:{}".format(
- path, nr
- ))
- ret = False
+ return ret
+ def checkDuplicate(self, entry):
+ if entry.action == self.m_args.action:
+ printerr("ERROR: action to be added already exists in
{}:{}".format(
+ entry.path, entry.linenr
+ ))
+ return False
- return ret
+ return True
def checkProfileAuthTypeOrder(self):
"""Checks that authentication types are not getting weaker in stronger
@@ -192,14 +178,14 @@
ret = True
strongest = [ self.AUTH_TYPES[0] ] * 3
- for profile, auth_types in zip( self.PROFILES, self.m_auth_types ):
+ for profile, auth_types in zip( PROFILES, self.m_auth_types ):
for nr, old, new in zip( range(len(strongest)), strongest,
auth_types ):
if self.AUTH_TYPES.index(old) > self.AUTH_TYPES.index(new):
printerr("ERROR: Auth type for {} in profile {} is weaker
than in profile {}".format(
self.AUTH_CATEGORIES[nr],
profile,
- self.PROFILES[ self.PROFILES.index(profile) - 1]
+ PROFILES[ PROFILES.index(profile) - 1]
))
ret = False
@@ -242,9 +228,9 @@
def addAction(self):
- for profile, auth_settings in zip(self.PROFILES, self.m_auth_types):
+ for profile, auth_settings in zip(PROFILES, self.m_auth_types):
- path = self.getProfilePath(profile)
+ path = getProfilePath(profile)
with open(path, 'a') as fd:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/polkit-default-privs-1550+20201012.1df5a0d/tools/pkcommon.py
new/polkit-default-privs-1550+20201103.994a5ed/tools/pkcommon.py
--- old/polkit-default-privs-1550+20201012.1df5a0d/tools/pkcommon.py
1970-01-01 01:00:00.000000000 +0100
+++ new/polkit-default-privs-1550+20201103.994a5ed/tools/pkcommon.py
2020-11-03 10:43:56.000000000 +0100
@@ -0,0 +1,55 @@
+# vim: ts=4 et sw=4 sts=4 :
+import sys
+from pathlib import Path
+
+PROFILES = ("easy", "standard", "restrictive")
+profile_dir = Path(__file__).parent.with_name("profiles")
+
+def printerr(*args, **kwargs):
+ kwargs["file"] = sys.stderr
+ print(*args, **kwargs)
+
+
+def getProfilePath(which):
+ base = "polkit-default-privs.{}".format(which)
+ return profile_dir / base
+
+
+class ProfileEntry:
+
+ path = ""
+ line = ""
+ linenr = 0
+ action = ""
+ settings = tuple()
+
+
+def parseProfile(path):
+ """Parses the profile found in @path and yields each parsed entry as a
+ ProfileEntry instance."""
+
+ with open(path) as fd:
+
+ nr = 0
+
+ for line in fd.readlines():
+ nr += 1
+ line = line.strip()
+ if not line or line.startswith('#'):
+ continue
+
+ parts = line.split()
+ # there can be trailing comments
+ action, settings = parts[:2]
+ settings = settings.split(':')
+ if len(settings) == 1:
+ settings = settings * 3
+
+ entry = ProfileEntry()
+ entry.path = path
+ entry.line = line
+ entry.linenr = nr
+ entry.action = action
+ entry.settings = settings
+
+ yield entry
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/polkit-default-privs-1550+20201012.1df5a0d/tools/remove_duplicate_entries.py
new/polkit-default-privs-1550+20201103.994a5ed/tools/remove_duplicate_entries.py
---
old/polkit-default-privs-1550+20201012.1df5a0d/tools/remove_duplicate_entries.py
1970-01-01 01:00:00.000000000 +0100
+++
new/polkit-default-privs-1550+20201103.994a5ed/tools/remove_duplicate_entries.py
2020-11-03 10:43:56.000000000 +0100
@@ -0,0 +1,76 @@
+#!/usr/bin/python3
+
+# vim: ts=4 et sw=4 sts=4 :
+
+import argparse
+
+from pkcommon import *
+
+class DuplicateEntryRemover:
+
+ def __init__(self):
+ self.m_parser = argparse.ArgumentParser(
+ description = "Removes superfluous duplicate entries from
polkit profiles or warns about conflicting ones."
+ )
+
+
+ def run(self):
+ self.m_args = self.m_parser.parse_args()
+
+ for profile in PROFILES:
+
+ self.m_lines_to_drop = set()
+ self.m_actions_seen = {}
+
+ path = getProfilePath(profile)
+ for entry in parseProfile(path):
+ self.checkDuplicate(entry)
+
+ if self.m_lines_to_drop:
+ self.rewriteProfile(path, self.m_lines_to_drop)
+ else:
+ print("{}: no entries removed".format(path.name.ljust(35)))
+
+
+ def checkDuplicate(self, entry):
+ seen = self.m_actions_seen.get(entry.action, None)
+ if not seen:
+ self.m_actions_seen[entry.action] = entry
+ else:
+ if entry.settings == seen.settings:
+ self.m_lines_to_drop.add(entry.linenr)
+ print("{}:{}: removing redundant entry with same settings as
in line {}".format(
+ entry.path.name.ljust(35),
+ str(entry.linenr).rjust(3),
+ seen.linenr
+ ))
+ else:
+ printerr("{}:{}: {}: conflicting duplicate entry ({}),
previously seen in line {} ({})".format(
+ seen.path.name.ljust(35),
+ str(entry.linenr).rjust(3),
+ seen.action,
+ ':'.join(entry.settings),
+ seen.linenr,
+ ':'.join(seen.settings)
+
+ ))
+
+
+ def rewriteProfile(self, path, lines_to_drop):
+
+ lines = []
+
+ with open(path) as fd:
+
+ for linenr, line in enumerate(fd.readlines(), start = 1):
+
+ if linenr not in lines_to_drop:
+ lines.append(line)
+
+ with open(path, 'w') as fd:
+ fd.write(''.join(lines))
+
+
+if __name__ == '__main__':
+ main = DuplicateEntryRemover()
+ main.run()
