Hello community, here is the log from the commit of package polkit-default-privs for openSUSE:Factory checked in at 2020-11-06 23:44:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/polkit-default-privs (Old) and /work/SRC/openSUSE:Factory/.polkit-default-privs.new.11331 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polkit-default-privs" Fri Nov 6 23:44:01 2020 rev:190 rq:845677 version:1550+20201103.994a5ed Changes: --------
--- /work/SRC/openSUSE:Factory/polkit-default-privs/polkit-default-privs.changes 2020-10-22 14:23:29.162815088 +0200
+++ /work/SRC/openSUSE:Factory/.polkit-default-privs.new.11331/polkit-default-privs.changes 2020-11-06 23:44:21.631348855 +0100
@@ -1,0 +2,17 @@
+Tue Nov 03 10:14:02 UTC 2020 - matthias.gerst...@suse.com
+
+- Update to version 1550+20201103.994a5ed:
+ * udisks2: rename of manage-led action to match upstream changes (bsc#1178321)
+
+-------------------------------------------------------------------
+Mon Nov 02 08:34:41 UTC 2020 - matthias.gerst...@suse.com
+
+- Update to version 1550+20201030.d1b5d8b:
+ * whitelisting of GNOME malcontent parental controls (bsc#1177974)
+ * restrictive profile: fix conflicting duplicate action org.kde.powerdevil.backlighthelper.setbrightness
+ * restrictive profile: fix conflicting duplicate action org.freedesktop.color-manager.delete-profile
+ * profiles: fix conflicting duplicate action org.kde.powerdevil.backlighthelper.brightness
+ * profiles: remove duplicate actions with same authentication settings
+ * tools: new script to cleanly remove duplicate actions
+
+-------------------------------------------------------------------
Old: ---- polkit-default-privs-1550+20201012.1df5a0d.tar.xz New: ---- polkit-default-privs-1550+20201103.994a5ed.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ polkit-default-privs.spec ++++++
--- /var/tmp/diff_new_pack.RJYtoU/_old 2020-11-06 23:44:22.387347402 +0100
+++ /var/tmp/diff_new_pack.RJYtoU/_new 2020-11-06 23:44:22.387347402 +0100
@@ -23,7 +23,7 @@
 %endif
 Name: polkit-default-privs
-Version: 1550+20201012.1df5a0d
+Version: 1550+20201103.994a5ed
 Release: 0
 Summary: SUSE PolicyKit default permissions
 License: GPL-2.0-or-later
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.RJYtoU/_old 2020-11-06 23:44:22.427347325 +0100
+++ /var/tmp/diff_new_pack.RJYtoU/_new 2020-11-06 23:44:22.431347318 +0100
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/openSUSE/polkit-default-privs.git</param>
- <param name="changesrevision">e08bbb1037fcb30224ed4f6a6fe1338fd264f2a6</param></service></servicedata>
\ No newline at end of file
+ <param name="changesrevision">994a5edb86a391614ecd0b8d52441c2da72f63a4</param></service></servicedata>
\ No newline at end of file
++++++ polkit-default-privs-1550+20201012.1df5a0d.tar.xz -> polkit-default-privs-1550+20201103.994a5ed.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-1550+20201012.1df5a0d/etc/polkit-rules-whitelist.json new/polkit-default-privs-1550+20201103.994a5ed/etc/polkit-rules-whitelist.json
--- old/polkit-default-privs-1550+20201012.1df5a0d/etc/polkit-rules-whitelist.json 2020-10-12 10:40:44.000000000 +0200
+++ new/polkit-default-privs-1550+20201103.994a5ed/etc/polkit-rules-whitelist.json 2020-11-03 10:43:56.000000000 +0100
@@ -84,5 +84,15 @@
 }
 }
 }
+ },
+ "malcontent": {
+ "audits": {
+ "bsc#1177974": {
+ "comment": "Allows wheel members to bypass parental controls. We allow this as an exception (granting implicit authorization to wheel) since this is not security relevant per se.",
+ "digests": {
+ "/usr/share/polkit-1/rules.d/com.endlessm.ParentalControls.rules": "sha256:4dca105e78ff95c2317386d4df4f959f0c055eec13e12c34c48084b9bbb385b4"
+ }
+ }
+ }
 }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.easy new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.easy
--- old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.easy 2020-10-12 10:40:44.000000000 +0200
+++ new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.easy 2020-11-03 10:43:56.000000000 +0100
@@ -226,7 +226,7 @@
 org.freedesktop.udisks2.btrfs.manage-btrfs auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.filesystem-take-ownership auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.lvm2.manage-lvm auth_admin:auth_admin:auth_admin_keep
-org.freedesktop.udisks2.manage-led auth_admin:auth_admin:auth_admin_keep
+org.freedesktop.udisks2.lsm.manage-led auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.zram.manage-zram auth_admin:auth_admin:auth_admin_keep
 # bsc#1123747
@@ -331,7 +331,7 @@
 org.kde.kcontrol.kcmkdm.managethemes auth_admin_keep
 org.kde.kcontrol.kcmkdm.save auth_admin
 # kde backlight helper (bnc#672145)
-org.kde.powerdevil.backlighthelper.brightness no:no:yes
+org.kde.powerdevil.backlighthelper.brightness no:yes:yes
 org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
 # kde powerdevil gpu helper (bsc#1019644)
@@ -607,17 +607,8 @@
 # libvirt (bsc#959297)
 org.libvirt.api.connect.detect-storage-pools auth_admin_keep
-org.libvirt.api.connect.getattr auth_admin_keep
 org.libvirt.api.connect.interface-transaction auth_admin_keep
 org.libvirt.api.connect.pm-control auth_admin_keep
-org.libvirt.api.connect.read auth_admin_keep
-org.libvirt.api.connect.search-domains auth_admin_keep
-org.libvirt.api.connect.search-interfaces auth_admin_keep
-org.libvirt.api.connect.search-networks auth_admin_keep
-org.libvirt.api.connect.search-node-devices auth_admin_keep
-org.libvirt.api.connect.search-nwfilters auth_admin_keep
-org.libvirt.api.connect.search-secrets auth_admin_keep
-org.libvirt.api.connect.search-storage-pools auth_admin_keep
 org.libvirt.api.connect.write auth_admin_keep
 org.libvirt.api.domain.block-read auth_admin_keep
 org.libvirt.api.domain.block-write auth_admin_keep
@@ -625,7 +616,6 @@
 org.libvirt.api.domain.delete auth_admin_keep
 org.libvirt.api.domain.fs-freeze auth_admin_keep
 org.libvirt.api.domain.fs-trim auth_admin_keep
-org.libvirt.api.domain.getattr auth_admin_keep
 org.libvirt.api.domain.hibernate auth_admin_keep
 org.libvirt.api.domain.init-control auth_admin_keep
 org.libvirt.api.domain.inject-nmi auth_admin_keep
@@ -635,7 +625,6 @@
 org.libvirt.api.domain.open-graphics auth_admin_keep
 org.libvirt.api.domain.open-namespace auth_admin_keep
 org.libvirt.api.domain.pm-control auth_admin_keep
-org.libvirt.api.domain.read auth_admin_keep
 org.libvirt.api.domain.read-secure auth_admin_keep
 org.libvirt.api.domain.reset auth_admin_keep
 org.libvirt.api.domain.save auth_admin_keep
@@ -650,40 +639,29 @@
 org.libvirt.api.domain.suspend auth_admin_keep
 org.libvirt.api.domain.write auth_admin_keep
 org.libvirt.api.interface.delete auth_admin_keep
-org.libvirt.api.interface.getattr auth_admin_keep
-org.libvirt.api.interface.read auth_admin_keep
 org.libvirt.api.interface.save auth_admin_keep
 org.libvirt.api.interface.start auth_admin_keep
 org.libvirt.api.interface.stop auth_admin_keep
 org.libvirt.api.interface.write auth_admin_keep
 org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
 org.libvirt.api.network.save auth_admin_keep
 org.libvirt.api.network.start auth_admin_keep
 org.libvirt.api.network.stop auth_admin_keep
 org.libvirt.api.network.write auth_admin_keep
 org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
 org.libvirt.api.node-device.read auth_admin_keep
 org.libvirt.api.node-device.start auth_admin_keep
 org.libvirt.api.node-device.stop auth_admin_keep
 org.libvirt.api.node-device.write auth_admin_keep
 org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
 org.libvirt.api.nwfilter.save auth_admin_keep
 org.libvirt.api.nwfilter.write auth_admin_keep
 org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
 org.libvirt.api.secret.read-secure auth_admin_keep
 org.libvirt.api.secret.save auth_admin_keep
 org.libvirt.api.secret.write auth_admin_keep
 org.libvirt.api.storage-pool.delete auth_admin_keep
 org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
 org.libvirt.api.storage-pool.refresh auth_admin_keep
 org.libvirt.api.storage-pool.save auth_admin_keep
 org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
@@ -695,56 +673,8 @@
 org.libvirt.api.storage-vol.data-write auth_admin_keep
 org.libvirt.api.storage-vol.delete auth_admin_keep
 org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
 org.libvirt.api.storage-vol.resize auth_admin_keep
-org.libvirt.api.interface.save auth_admin_keep
-org.libvirt.api.interface.start auth_admin_keep
-org.libvirt.api.interface.stop auth_admin_keep
-org.libvirt.api.interface.write auth_admin_keep
-org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
-org.libvirt.api.network.save auth_admin_keep
-org.libvirt.api.network.start auth_admin_keep
-org.libvirt.api.network.stop auth_admin_keep
-org.libvirt.api.network.write auth_admin_keep
-org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
-org.libvirt.api.node-device.read auth_admin_keep
-org.libvirt.api.node-device.start auth_admin_keep
-org.libvirt.api.node-device.stop auth_admin_keep
-org.libvirt.api.node-device.write auth_admin_keep
-org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
-org.libvirt.api.nwfilter.save auth_admin_keep
-org.libvirt.api.nwfilter.write auth_admin_keep
-org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
-org.libvirt.api.secret.read-secure auth_admin_keep
-org.libvirt.api.secret.save auth_admin_keep
-org.libvirt.api.secret.write auth_admin_keep
-org.libvirt.api.storage-pool.delete auth_admin_keep
-org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
-org.libvirt.api.storage-pool.refresh auth_admin_keep
-org.libvirt.api.storage-pool.save auth_admin_keep
-org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
-org.libvirt.api.storage-pool.start auth_admin_keep
-org.libvirt.api.storage-pool.stop auth_admin_keep
-org.libvirt.api.storage-pool.write auth_admin_keep
-org.libvirt.api.storage-vol.create auth_admin_keep
-org.libvirt.api.storage-vol.data-read auth_admin_keep
-org.libvirt.api.storage-vol.data-write auth_admin_keep
-org.libvirt.api.storage-vol.delete auth_admin_keep
-org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
-org.libvirt.api.storage-vol.resize auth_admin_keep
 # libvirt (bsc#1100328)
 org.libvirt.api.connect.search-nwfilter-bindings auth_admin_keep
@@ -829,9 +759,7 @@
 org.kde.powerdevil.backlighthelper.setbrightnessvalue no:no:yes
 # powerdevil action-name changes (bnc#927275)
-org.kde.powerdevil.backlighthelper.brightness no:yes:yes
 org.kde.powerdevil.backlighthelper.brightnessmax no:yes:yes
-org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
 # storaged (bnc#915770)
@@ -1072,3 +1000,18 @@
 # KDE smartctl helper (bsc#1176742)
 org.kde.kded.smart.smartctl auth_admin:auth_admin:yes
+
+# GNOME parental controls, accountservice extensions (bsc#1177974)
+com.endlessm.ParentalControls.AccountInfo.ReadAny yes:yes:yes
+com.endlessm.ParentalControls.AppFilter.ReadOwn yes:yes:yes
+com.endlessm.ParentalControls.SessionLimits.ReadOwn yes:yes:yes
+com.endlessm.ParentalControls.AccountInfo.ChangeAny auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AccountInfo.ChangeOwn auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeAny auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeOwn auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ReadAny auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeAny auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeOwn auth_admin_keep:auth_admin_keep:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ReadAny auth_admin_keep:auth_admin_keep:auth_admin_keep
+org.freedesktop.MalcontentControl.administration no:no:auth_admin_keep
+com.endlessm.ParentalControls.AccountInfo.ReadOwn yes:yes:yes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.restrictive new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.restrictive
--- old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.restrictive 2020-10-12 10:40:44.000000000 +0200
+++ new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.restrictive 2020-11-03 10:43:56.000000000 +0100
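Review bot: The new `com.endlessm.ParentalControls.*` block in the `@@ -1072,3 +1000,18 @@` hunk gives no hint that a polkit rules file also applies to parental-controls authorization. The whitelist entry added to etc/polkit-rules-whitelist.json in this same commit states that `com.endlessm.ParentalControls.rules` grants wheel members implicit authorization, so the `auth_admin_keep` values listed here are presumably not what a wheel member will actually get (which actions the rules file covers is not visible in this diff). A comment under the bsc#1177974 heading would make that visible, e.g. `# wheel members are implicitly authorized by com.endlessm.ParentalControls.rules, see etc/polkit-rules-whitelist.json`. The same block is added to the restrictive and standard profiles in the `@@ -1010,3 +983,18 @@` and `@@ -1073,3 +1001,18 @@` hunks, and in all three `AccountInfo.ReadOwn` is appended after the `MalcontentControl` line instead of sitting with the other `Read*` entries.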
@@ -56,7 +56,6 @@
 org.freedesktop.color-manager.create-profile no:no:yes
 org.freedesktop.color-manager.delete-device no:no:yes
 org.freedesktop.color-manager.delete-profile no:no:yes
-org.freedesktop.color-manager.delete-profile auth_admin
 org.freedesktop.color-manager.modify-device auth_admin
 org.freedesktop.color-manager.modify-profile auth_admin
 org.freedesktop.color-manager.install-system-wide auth_admin
@@ -213,7 +212,7 @@
 org.freedesktop.udisks2.btrfs.manage-btrfs auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.filesystem-take-ownership auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.lvm2.manage-lvm auth_admin:auth_admin:auth_admin_keep
-org.freedesktop.udisks2.manage-led auth_admin:auth_admin:auth_admin_keep
+org.freedesktop.udisks2.lsm.manage-led auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.zram.manage-zram auth_admin:auth_admin:auth_admin_keep
 # bsc#1123747
@@ -319,7 +318,6 @@
 org.kde.kcontrol.kcmkdm.save auth_admin
 # kde backlight helper (bnc#672145)
 org.kde.powerdevil.backlighthelper.brightness auth_admin:auth_admin:yes
-org.kde.powerdevil.backlighthelper.setbrightness auth_admin:auth_admin:yes
 # kde powerdevil gpu helper (bsc#1019644, bsc#1026038)
 org.kde.powerdevil.discretegpuhelper.hasdualgpu no:no:yes
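Review bot: In the `@@ -56,7 +56,6 @@` hunk the duplicate `org.freedesktop.color-manager.delete-profile` is resolved by keeping `no:no:yes` and dropping `auth_admin`, which for an active session is the weaker of the two settings, while `modify-profile` and `install-system-wide` a few lines below stay at `auth_admin`. Which of the two lines was effective before depends on the parser's precedence for duplicates, which is not visible in this diff, so this may or may not change the resulting policy of the restrictive profile. A short comment above the entry, e.g. `# delete-profile: kept in line with delete-device, the former auth_admin duplicate was dropped`, would record that the choice was deliberate.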
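Review bot: After the deduplication in the `@@ -319,7 +318,6 @@` hunk the restrictive profile keeps `org.kde.powerdevil.backlighthelper.brightness auth_admin:auth_admin:yes`, while the easy and standard profiles in this same commit settle on `no:yes:yes`. For the any-user category `auth_admin` ranks below `no` in the `AUTH_TYPES` ordering that tools/add_polkit_action.py checks in `checkProfileAuthTypeOrder`, so the restrictive profile ends up the more permissive one there. If strictness is meant to be monotonic across profiles, the restrictive entry could be, for example, `org.kde.powerdevil.backlighthelper.brightness no:auth_admin:yes`. The competing `no:yes:yes` line for this action is the one removed in the later `@@ -766,7 +740,6 @@` hunk.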
@@ -592,17 +590,8 @@
 # libvirt (bsc#959297)
 org.libvirt.api.connect.detect-storage-pools auth_admin_keep
-org.libvirt.api.connect.getattr auth_admin_keep
 org.libvirt.api.connect.interface-transaction auth_admin_keep
 org.libvirt.api.connect.pm-control auth_admin_keep
-org.libvirt.api.connect.read auth_admin_keep
-org.libvirt.api.connect.search-domains auth_admin_keep
-org.libvirt.api.connect.search-interfaces auth_admin_keep
-org.libvirt.api.connect.search-networks auth_admin_keep
-org.libvirt.api.connect.search-node-devices auth_admin_keep
-org.libvirt.api.connect.search-nwfilters auth_admin_keep
-org.libvirt.api.connect.search-secrets auth_admin_keep
-org.libvirt.api.connect.search-storage-pools auth_admin_keep
 org.libvirt.api.connect.write auth_admin_keep
 org.libvirt.api.domain.block-read auth_admin_keep
 org.libvirt.api.domain.block-write auth_admin_keep
@@ -610,7 +599,6 @@
 org.libvirt.api.domain.delete auth_admin_keep
 org.libvirt.api.domain.fs-freeze auth_admin_keep
 org.libvirt.api.domain.fs-trim auth_admin_keep
-org.libvirt.api.domain.getattr auth_admin_keep
 org.libvirt.api.domain.hibernate auth_admin_keep
 org.libvirt.api.domain.init-control auth_admin_keep
 org.libvirt.api.domain.inject-nmi auth_admin_keep
@@ -620,7 +608,6 @@
 org.libvirt.api.domain.open-graphics auth_admin_keep
 org.libvirt.api.domain.open-namespace auth_admin_keep
 org.libvirt.api.domain.pm-control auth_admin_keep
-org.libvirt.api.domain.read auth_admin_keep
 org.libvirt.api.domain.read-secure auth_admin_keep
 org.libvirt.api.domain.reset auth_admin_keep
 org.libvirt.api.domain.save auth_admin_keep
@@ -635,40 +622,29 @@
 org.libvirt.api.domain.suspend auth_admin_keep
 org.libvirt.api.domain.write auth_admin_keep
 org.libvirt.api.interface.delete auth_admin_keep
-org.libvirt.api.interface.getattr auth_admin_keep
-org.libvirt.api.interface.read auth_admin_keep
 org.libvirt.api.interface.save auth_admin_keep
 org.libvirt.api.interface.start auth_admin_keep
 org.libvirt.api.interface.stop auth_admin_keep
 org.libvirt.api.interface.write auth_admin_keep
 org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
 org.libvirt.api.network.save auth_admin_keep
 org.libvirt.api.network.start auth_admin_keep
 org.libvirt.api.network.stop auth_admin_keep
 org.libvirt.api.network.write auth_admin_keep
 org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
 org.libvirt.api.node-device.read auth_admin_keep
 org.libvirt.api.node-device.start auth_admin_keep
 org.libvirt.api.node-device.stop auth_admin_keep
 org.libvirt.api.node-device.write auth_admin_keep
 org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
 org.libvirt.api.nwfilter.save auth_admin_keep
 org.libvirt.api.nwfilter.write auth_admin_keep
 org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
 org.libvirt.api.secret.read-secure auth_admin_keep
 org.libvirt.api.secret.save auth_admin_keep
 org.libvirt.api.secret.write auth_admin_keep
 org.libvirt.api.storage-pool.delete auth_admin_keep
 org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
 org.libvirt.api.storage-pool.refresh auth_admin_keep
 org.libvirt.api.storage-pool.save auth_admin_keep
 org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
@@ -680,8 +656,6 @@
 org.libvirt.api.storage-vol.data-write auth_admin_keep
 org.libvirt.api.storage-vol.delete auth_admin_keep
 org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
 org.libvirt.api.storage-vol.resize auth_admin_keep
 # libvirt (bsc#1100328)
@@ -766,7 +740,6 @@
 org.kde.powerdevil.backlighthelper.setbrightnessvalue no:no:yes
 # powerdevil action-name changes (bnc#927275)
-org.kde.powerdevil.backlighthelper.brightness no:yes:yes
 org.kde.powerdevil.backlighthelper.brightnessmax no:yes:yes
 org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
@@ -1010,3 +983,18 @@
 # KDE smartctl helper (bsc#1176742)
 org.kde.kded.smart.smartctl no:no:auth_admin
+
+# GNOME parental controls, accountservice extensions (bsc#1177974)
+com.endlessm.ParentalControls.AccountInfo.ReadAny auth_admin:auth_admin:yes
+com.endlessm.ParentalControls.AppFilter.ReadOwn auth_admin:auth_admin:yes
+com.endlessm.ParentalControls.SessionLimits.ReadOwn auth_admin:auth_admin:yes
+com.endlessm.ParentalControls.AccountInfo.ChangeAny no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.AccountInfo.ChangeOwn no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeAny no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ChangeOwn no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.AppFilter.ReadAny no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeAny no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ChangeOwn no:auth_admin:auth_admin_keep
+com.endlessm.ParentalControls.SessionLimits.ReadAny no:auth_admin:auth_admin_keep
+org.freedesktop.MalcontentControl.administration no:no:auth_admin
+com.endlessm.ParentalControls.AccountInfo.ReadOwn auth_admin:auth_admin:yes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.standard new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.standard
--- old/polkit-default-privs-1550+20201012.1df5a0d/profiles/polkit-default-privs.standard 2020-10-12 10:40:44.000000000 +0200
+++ new/polkit-default-privs-1550+20201103.994a5ed/profiles/polkit-default-privs.standard 2020-11-03 10:43:56.000000000 +0100
@@ -227,7 +227,7 @@
 org.freedesktop.udisks2.btrfs.manage-btrfs auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.filesystem-take-ownership auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.lvm2.manage-lvm auth_admin:auth_admin:auth_admin_keep
-org.freedesktop.udisks2.manage-led auth_admin:auth_admin:auth_admin_keep
+org.freedesktop.udisks2.lsm.manage-led auth_admin:auth_admin:auth_admin_keep
 org.freedesktop.udisks2.zram.manage-zram auth_admin:auth_admin:auth_admin_keep
 # bsc#1123747
@@ -332,7 +332,7 @@
 org.kde.kcontrol.kcmkdm.managethemes auth_admin_keep
 org.kde.kcontrol.kcmkdm.save auth_admin
 # kde backlight helper (bnc#672145)
-org.kde.powerdevil.backlighthelper.brightness no:no:yes
+org.kde.powerdevil.backlighthelper.brightness no:yes:yes
 org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
 # kde powerdevil gpu helper (bsc#1019644)
@@ -608,17 +608,8 @@
 # libvirt (bsc#959297)
 org.libvirt.api.connect.detect-storage-pools auth_admin_keep
-org.libvirt.api.connect.getattr auth_admin_keep
 org.libvirt.api.connect.interface-transaction auth_admin_keep
 org.libvirt.api.connect.pm-control auth_admin_keep
-org.libvirt.api.connect.read auth_admin_keep
-org.libvirt.api.connect.search-domains auth_admin_keep
-org.libvirt.api.connect.search-interfaces auth_admin_keep
-org.libvirt.api.connect.search-networks auth_admin_keep
-org.libvirt.api.connect.search-node-devices auth_admin_keep
-org.libvirt.api.connect.search-nwfilters auth_admin_keep
-org.libvirt.api.connect.search-secrets auth_admin_keep
-org.libvirt.api.connect.search-storage-pools auth_admin_keep
 org.libvirt.api.connect.write auth_admin_keep
 org.libvirt.api.domain.block-read auth_admin_keep
 org.libvirt.api.domain.block-write auth_admin_keep
@@ -626,7 +617,6 @@
 org.libvirt.api.domain.delete auth_admin_keep
 org.libvirt.api.domain.fs-freeze auth_admin_keep
 org.libvirt.api.domain.fs-trim auth_admin_keep
-org.libvirt.api.domain.getattr auth_admin_keep
 org.libvirt.api.domain.hibernate auth_admin_keep
 org.libvirt.api.domain.init-control auth_admin_keep
 org.libvirt.api.domain.inject-nmi auth_admin_keep
@@ -636,7 +626,6 @@
 org.libvirt.api.domain.open-graphics auth_admin_keep
 org.libvirt.api.domain.open-namespace auth_admin_keep
 org.libvirt.api.domain.pm-control auth_admin_keep
-org.libvirt.api.domain.read auth_admin_keep
 org.libvirt.api.domain.read-secure auth_admin_keep
 org.libvirt.api.domain.reset auth_admin_keep
 org.libvirt.api.domain.save auth_admin_keep
@@ -651,40 +640,29 @@
 org.libvirt.api.domain.suspend auth_admin_keep
 org.libvirt.api.domain.write auth_admin_keep
 org.libvirt.api.interface.delete auth_admin_keep
-org.libvirt.api.interface.getattr auth_admin_keep
-org.libvirt.api.interface.read auth_admin_keep
 org.libvirt.api.interface.save auth_admin_keep
 org.libvirt.api.interface.start auth_admin_keep
 org.libvirt.api.interface.stop auth_admin_keep
 org.libvirt.api.interface.write auth_admin_keep
 org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
 org.libvirt.api.network.save auth_admin_keep
 org.libvirt.api.network.start auth_admin_keep
 org.libvirt.api.network.stop auth_admin_keep
 org.libvirt.api.network.write auth_admin_keep
 org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
 org.libvirt.api.node-device.read auth_admin_keep
 org.libvirt.api.node-device.start auth_admin_keep
 org.libvirt.api.node-device.stop auth_admin_keep
 org.libvirt.api.node-device.write auth_admin_keep
 org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
 org.libvirt.api.nwfilter.save auth_admin_keep
 org.libvirt.api.nwfilter.write auth_admin_keep
 org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
 org.libvirt.api.secret.read-secure auth_admin_keep
 org.libvirt.api.secret.save auth_admin_keep
 org.libvirt.api.secret.write auth_admin_keep
 org.libvirt.api.storage-pool.delete auth_admin_keep
 org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
 org.libvirt.api.storage-pool.refresh auth_admin_keep
 org.libvirt.api.storage-pool.save auth_admin_keep
 org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
@@ -696,56 +674,8 @@
 org.libvirt.api.storage-vol.data-write auth_admin_keep
 org.libvirt.api.storage-vol.delete auth_admin_keep
 org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
 org.libvirt.api.storage-vol.resize auth_admin_keep
-org.libvirt.api.interface.save auth_admin_keep
-org.libvirt.api.interface.start auth_admin_keep
-org.libvirt.api.interface.stop auth_admin_keep
-org.libvirt.api.interface.write auth_admin_keep
-org.libvirt.api.network.delete auth_admin_keep
-org.libvirt.api.network.getattr auth_admin_keep
-org.libvirt.api.network.read auth_admin_keep
-org.libvirt.api.network.save auth_admin_keep
-org.libvirt.api.network.start auth_admin_keep
-org.libvirt.api.network.stop auth_admin_keep
-org.libvirt.api.network.write auth_admin_keep
-org.libvirt.api.node-device.detach auth_admin_keep
-org.libvirt.api.node-device.getattr auth_admin_keep
-org.libvirt.api.node-device.read auth_admin_keep
-org.libvirt.api.node-device.start auth_admin_keep
-org.libvirt.api.node-device.stop auth_admin_keep
-org.libvirt.api.node-device.write auth_admin_keep
-org.libvirt.api.nwfilter.delete auth_admin_keep
-org.libvirt.api.nwfilter.getattr auth_admin_keep
-org.libvirt.api.nwfilter.read auth_admin_keep
-org.libvirt.api.nwfilter.save auth_admin_keep
-org.libvirt.api.nwfilter.write auth_admin_keep
-org.libvirt.api.secret.delete auth_admin_keep
-org.libvirt.api.secret.getattr auth_admin_keep
-org.libvirt.api.secret.read auth_admin_keep
-org.libvirt.api.secret.read-secure auth_admin_keep
-org.libvirt.api.secret.save auth_admin_keep
-org.libvirt.api.secret.write auth_admin_keep
-org.libvirt.api.storage-pool.delete auth_admin_keep
-org.libvirt.api.storage-pool.format auth_admin_keep
-org.libvirt.api.storage-pool.getattr auth_admin_keep
-org.libvirt.api.storage-pool.read auth_admin_keep
-org.libvirt.api.storage-pool.refresh auth_admin_keep
-org.libvirt.api.storage-pool.save auth_admin_keep
-org.libvirt.api.storage-pool.search-storage-vols auth_admin_keep
-org.libvirt.api.storage-pool.start auth_admin_keep
-org.libvirt.api.storage-pool.stop auth_admin_keep
-org.libvirt.api.storage-pool.write auth_admin_keep
-org.libvirt.api.storage-vol.create auth_admin_keep
-org.libvirt.api.storage-vol.data-read auth_admin_keep
-org.libvirt.api.storage-vol.data-write auth_admin_keep
-org.libvirt.api.storage-vol.delete auth_admin_keep
-org.libvirt.api.storage-vol.format auth_admin_keep
-org.libvirt.api.storage-vol.getattr auth_admin_keep
-org.libvirt.api.storage-vol.read auth_admin_keep
-org.libvirt.api.storage-vol.resize auth_admin_keep
 # libvirt (bsc#1100328)
 org.libvirt.api.connect.search-nwfilter-bindings auth_admin_keep
@@ -830,9 +760,7 @@
 org.kde.powerdevil.backlighthelper.setbrightnessvalue no:no:yes
 # powerdevil action-name changes (bnc#927275)
-org.kde.powerdevil.backlighthelper.brightness no:yes:yes
 org.kde.powerdevil.backlighthelper.brightnessmax no:yes:yes
-org.kde.powerdevil.backlighthelper.setbrightness no:no:yes
 # storaged (bnc#915770)
@@ -1073,3 +1001,18 @@ # KDE smartctl helper (bsc#1176742) org.kde.kded.smart.smartctl no:auth_admin:yes + +# GNOME parental controls, accountservice extensions (bsc#1177974) +com.endlessm.ParentalControls.AccountInfo.ReadAny yes:yes:yes +com.endlessm.ParentalControls.AppFilter.ReadOwn yes:yes:yes +com.endlessm.ParentalControls.SessionLimits.ReadOwn yes:yes:yes +com.endlessm.ParentalControls.AccountInfo.ChangeAny auth_admin_keep:auth_admin_keep:auth_admin_keep +com.endlessm.ParentalControls.AccountInfo.ChangeOwn auth_admin_keep:auth_admin_keep:auth_admin_keep +com.endlessm.ParentalControls.AppFilter.ChangeAny auth_admin_keep:auth_admin_keep:auth_admin_keep +com.endlessm.ParentalControls.AppFilter.ChangeOwn auth_admin_keep:auth_admin_keep:auth_admin_keep +com.endlessm.ParentalControls.AppFilter.ReadAny auth_admin_keep:auth_admin_keep:auth_admin_keep +com.endlessm.ParentalControls.SessionLimits.ChangeAny auth_admin_keep:auth_admin_keep:auth_admin_keep +com.endlessm.ParentalControls.SessionLimits.ChangeOwn auth_admin_keep:auth_admin_keep:auth_admin_keep +com.endlessm.ParentalControls.SessionLimits.ReadAny auth_admin_keep:auth_admin_keep:auth_admin_keep +org.freedesktop.MalcontentControl.administration no:no:auth_admin_keep +com.endlessm.ParentalControls.AccountInfo.ReadOwn yes:yes:yes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-1550+20201012.1df5a0d/tools/add_polkit_action.py new/polkit-default-privs-1550+20201103.994a5ed/tools/add_polkit_action.py --- old/polkit-default-privs-1550+20201012.1df5a0d/tools/add_polkit_action.py 2020-10-12 10:40:44.000000000 +0200 +++ new/polkit-default-privs-1550+20201103.994a5ed/tools/add_polkit_action.py 2020-11-03 10:43:56.000000000 +0100 @@ -4,11 +4,8 @@ import os, sys import argparse -from pathlib import Path -def printerr(*args, **kwargs): - kwargs["file"] = sys.stderr - print(*args, **kwargs) +from pkcommon import * epilog = """Example invocation: 
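Review bot: `from pkcommon import *` in the `@@ -4,11 +4,8 @@` hunk of tools/add_polkit_action.py hides where `PROFILES`, `getProfilePath`, `parseProfile` and `printerr` come from, and because pkcommon.py defines no `__all__` it also pulls in `profile_dir`, `ProfileEntry`, `sys` and `Path`. Naming the imports keeps the dependency explicit: `from pkcommon import PROFILES, getProfilePath, parseProfile, printerr`. The hunks shown for this file use only those four names; whether the unseen parts of the file need more is not visible here.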
@@ -24,15 +21,12 @@ class PolkitActionHandler: # existing default profiles in increasing order of security - PROFILES = ("easy", "standard", "restrictive") # existing authentication type settings in increasing order of security AUTH_TYPES = ("yes", "auth_self_keep", "auth_self", "auth_admin_keep", "auth_admin", "no") AUTH_CATEGORIES = ("any-user", "inactive-session", "active-session") def __init__(self): - self.m_profile_dir = Path(__file__).parent.with_name("profiles") - self.m_parser = argparse.ArgumentParser( description = "Adds a new action with associated authentication settings to the polkit profiles managed by polkit-default-privs", formatter_class = argparse.RawTextHelpFormatter, @@ -53,7 +47,7 @@ type = self.parseAction ) - for profile in self.PROFILES: + for profile in PROFILES: self.m_parser.add_argument( "--" + profile, @@ -130,15 +124,11 @@ return s - def getProfilePath(self, which): - base = "polkit-default-privs.{}".format(which) - return self.m_profile_dir / base - def run(self): self.m_args = self.m_parser.parse_args() # tuple of auth types matching the profiles - self.m_auth_types = tuple( getattr(self.m_args, profile) for profile in self.PROFILES ) + self.m_auth_types = tuple( getattr(self.m_args, profile) for profile in PROFILES ) if not self.sanityCheck(): printerr("Not adding new action since sanity check(s) failed") 
@@ -162,28 +152,24 @@ ret = True - for profile in self.PROFILES: + for profile in PROFILES: - path = self.getProfilePath(profile) + path = getProfilePath(profile) - with open(path) as fd: + for entry in parseProfile(path): + if not self.checkDuplicate(entry): + ret = False - nr = 0 - for line in fd.readlines(): - nr += 1 - line = line.strip() - if not line or line.startswith('#'): - continue - - action = line.split()[0] - if action == self.m_args.action: - printerr("ERROR: action to be added already exists in {}:{}".format( - path, nr - )) - ret = False + return ret + def checkDuplicate(self, entry): + if entry.action == self.m_args.action: + printerr("ERROR: action to be added already exists in {}:{}".format( + entry.path, entry.linenr + )) + return False - return ret + return True def checkProfileAuthTypeOrder(self): """Checks that authentication types are not getting weaker in stronger @@ -192,14 +178,14 @@ ret = True strongest = [ self.AUTH_TYPES[0] ] * 3 - for profile, auth_types in zip( self.PROFILES, self.m_auth_types ): + for profile, auth_types in zip( PROFILES, self.m_auth_types ): for nr, old, new in zip( range(len(strongest)), strongest, auth_types ): if self.AUTH_TYPES.index(old) > self.AUTH_TYPES.index(new): printerr("ERROR: Auth type for {} in profile {} is weaker than in profile {}".format( self.AUTH_CATEGORIES[nr], profile, - self.PROFILES[ self.PROFILES.index(profile) - 1] + PROFILES[ PROFILES.index(profile) - 1] )) ret = False 
@@ -242,9 +228,9 @@ def addAction(self): - for profile, auth_settings in zip(self.PROFILES, self.m_auth_types): + for profile, auth_settings in zip(PROFILES, self.m_auth_types): - path = self.getProfilePath(profile) + path = getProfilePath(profile) with open(path, 'a') as fd: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-1550+20201012.1df5a0d/tools/pkcommon.py new/polkit-default-privs-1550+20201103.994a5ed/tools/pkcommon.py --- old/polkit-default-privs-1550+20201012.1df5a0d/tools/pkcommon.py 1970-01-01 01:00:00.000000000 +0100 +++ new/polkit-default-privs-1550+20201103.994a5ed/tools/pkcommon.py 2020-11-03 10:43:56.000000000 +0100 
@@ -0,0 +1,55 @@
+# vim: ts=4 et sw=4 sts=4 :
+import sys
+from pathlib import Path
+
+PROFILES = ("easy", "standard", "restrictive")
+profile_dir = Path(__file__).parent.with_name("profiles")
+
+def printerr(*args, **kwargs):
+ kwargs["file"] = sys.stderr
+ print(*args, **kwargs)
+
+
+def getProfilePath(which):
+ base = "polkit-default-privs.{}".format(which)
+ return profile_dir / base
+
+
+class ProfileEntry:
+
+ path = ""
+ line = ""
+ linenr = 0
+ action = ""
+ settings = tuple()
+
+
+def parseProfile(path):
+ """Parses the profile found in @path and yields each parsed entry as a
+ ProfileEntry instance."""
+
+ with open(path) as fd:
+
+ nr = 0
+
+ for line in fd.readlines():
+ nr += 1
+ line = line.strip()
+ if not line or line.startswith('#'):
+ continue
+
+ parts = line.split()
+ # there can be trailing comments
+ action, settings = parts[:2]
+ settings = settings.split(':')
+ if len(settings) == 1:
+ settings = settings * 3
+
+ entry = ProfileEntry()
+ entry.path = path
+ entry.line = line
+ entry.linenr = nr
+ entry.action = action
+ entry.settings = settings
+
+ yield entry
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/polkit-default-privs-1550+20201012.1df5a0d/tools/remove_duplicate_entries.py new/polkit-default-privs-1550+20201103.994a5ed/tools/remove_duplicate_entries.py
--- old/polkit-default-privs-1550+20201012.1df5a0d/tools/remove_duplicate_entries.py 1970-01-01 01:00:00.000000000 +0100
+++ new/polkit-default-privs-1550+20201103.994a5ed/tools/remove_duplicate_entries.py 2020-11-03 10:43:56.000000000 +0100
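Review bot: `action, settings = parts[:2]` in `parseProfile()` raises a bare ValueError on any profile line that holds only an action name, so a malformed line aborts with an unpack traceback that names neither the file nor the line. The duplicate check rewritten in the `@@ -162,28 +152,24 @@` hunk used `line.split()[0]` before and tolerated such lines; it now goes through this parser. A guard before the unpack, such as `if len(parts) < 2: raise ValueError("{}:{}: entry lacks authentication settings".format(path, nr))`, would keep the location in the error. Only the one-field settings case is expanded, so a value with two `:`-separated fields reaches callers unchanged; a check for exactly one or three fields would belong here as well.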
@@ -0,0 +1,76 @@
+#!/usr/bin/python3
+
+# vim: ts=4 et sw=4 sts=4 :
+
+import argparse
+
+from pkcommon import *
+
+class DuplicateEntryRemover:
+
+ def __init__(self):
+ self.m_parser = argparse.ArgumentParser(
+ description = "Removes superfluous duplicate entries from polkit profiles or warns about conflicting ones."
+ )
+
+
+ def run(self):
+ self.m_args = self.m_parser.parse_args()
+
+ for profile in PROFILES:
+
+ self.m_lines_to_drop = set()
+ self.m_actions_seen = {}
+
+ path = getProfilePath(profile)
+ for entry in parseProfile(path):
+ self.checkDuplicate(entry)
+
+ if self.m_lines_to_drop:
+ self.rewriteProfile(path, self.m_lines_to_drop)
+ else:
+ print("{}: no entries removed".format(path.name.ljust(35)))
+
+
+ def checkDuplicate(self, entry):
+ seen = self.m_actions_seen.get(entry.action, None)
+ if not seen:
+ self.m_actions_seen[entry.action] = entry
+ else:
+ if entry.settings == seen.settings:
+ self.m_lines_to_drop.add(entry.linenr)
+ print("{}:{}: removing redundant entry with same settings as in line {}".format(
+ entry.path.name.ljust(35),
+ str(entry.linenr).rjust(3),
+ seen.linenr
+ ))
+ else:
+ printerr("{}:{}: {}: conflicting duplicate entry ({}), previously seen in line {} ({})".format(
+ seen.path.name.ljust(35),
+ str(entry.linenr).rjust(3),
+ seen.action,
+ ':'.join(entry.settings),
+ seen.linenr,
+ ':'.join(seen.settings)
+
+ ))
+
+
+ def rewriteProfile(self, path, lines_to_drop):
+
+ lines = []
+
+ with open(path) as fd:
+
+ for linenr, line in enumerate(fd.readlines(), start = 1):
+
+ if linenr not in lines_to_drop:
+ lines.append(line)
+
+ with open(path, 'w') as fd:
+ fd.write(''.join(lines))
+
+
+if __name__ == '__main__':
+ main = DuplicateEntryRemover()
+ main.run()
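Review bot: A conflicting duplicate in `checkDuplicate()` is only printed to stderr; `run()` carries on and the script exits with status 0, so a caller or CI job cannot tell that a profile still holds two different authentication settings for one action. Which of the two settings ends up in effect is not visible from this file, so the run should fail loudly: initialise `self.m_conflicts = False` in `__init__`, set it to `True` in the conflict branch, and end `run()` with `if self.m_conflicts: raise SystemExit(1)`. Separately, `rewriteProfile()` reopens the profile with `'w'`, which truncates it before the new content is written. Writing to a temporary file in the same directory and renaming it over the original with `os.replace()` would avoid leaving a partial profile if the write is interrupted.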