polkit: switch 'polkitd' to static UID/GID (rhbz#2104615 - fpc#1189)

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2104615

.gitignore

@@ -1,3 +1,4 @@
+/.project
 polkit-0.92.tar.gz
 polkit-0.93.tar.gz
 polkit-0.94.tar.gz
@@ -11,3 +12,32 @@ polkit-0.98.tar.gz
 /polkit-0.102.tar.gz
 /polkit-0.103.tar.gz
 /polkit-0.104.tar.gz
+/polkit-0.105.tar.gz
+/polkit-0.106.tar.gz
+/polkit-0.107.tar.gz
+/polkit-0.108.tar.gz
+/polkit-0.109.tar.gz
+/polkit-0.110.tar.gz
+/polkit-0.111.tar.gz
+/polkit-0.111.tar.gz.sign
+/polkit-0.112.tar.gz
+/polkit-0.112.tar.gz.sign
+/polkit-0.113.tar.gz
+/polkit-0.113.tar.gz.sign
+/polkit-0.114.tar.gz
+/polkit-0.114.tar.gz.sign
+/polkit-0.115.tar.gz
+/polkit-0.115.tar.gz.sign
+/polkit-0.116.tar.gz
+/polkit-0.116.tar.gz.sign
+/polkit-0.117.tar.gz
+/polkit-0.117.tar.gz.sign
+/polkit-0.118.tar.gz
+/polkit-0.118.tar.gz.sign
+/polkit-0.120.tar.gz
+/polkit-0.120.tar.gz.sign
+/polkit-121.tar.gz
+/polkit-121.tar.gz.sign
+/polkit-121.tar.xz
+/polkit-121.tar.xz.sign
+/polkit-122.tar.gz

0001-PolkitUnixSession-Set-error-if-we-cannot-find-a-sess.patch

@@ -1,68 +0,0 @@
-From 579eb3b0f9addb832ab6aab319b5d9f7d71f2eb8 Mon Sep 17 00:00:00 2001
-From: David Zeuthen <davidz@redhat.com>
-Date: Mon, 6 Feb 2012 11:24:53 -0500
-Subject: [PATCH 1/2] PolkitUnixSession: Set error if we cannot find a session
- for the given pid
-
-Also, don't treat the integer returned by sd_pid_get_session() as a
-boolean because that's just confusing. Also, don't confuse memory
-supposed to be freed by g_free() and free(3) with each other. See
-
- https://bugzilla.redhat.com/show_bug.cgi?id=787222
-
-for more details.
-
-Signed-off-by: David Zeuthen <davidz@redhat.com>
----
- src/polkit/polkitunixsession-systemd.c |   21 ++++++++++++++++-----
- 1 files changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/src/polkit/polkitunixsession-systemd.c b/src/polkit/polkitunixsession-systemd.c
-index e7e913f..94a7ee4 100644
---- a/src/polkit/polkitunixsession-systemd.c
-+++ b/src/polkit/polkitunixsession-systemd.c
-@@ -23,6 +23,7 @@
- #  include "config.h"
- #endif
- 
-+#include <stdlib.h>
- #include <string.h>
- #include "polkitunixsession.h"
- #include "polkitsubject.h"
-@@ -450,9 +451,8 @@ polkit_unix_session_initable_init (GInitable     *initable,
-                                    GError       **error)
- {
-   PolkitUnixSession *session = POLKIT_UNIX_SESSION (initable);
--  gboolean ret;
--
--  ret = FALSE;
-+  gboolean ret = FALSE;
-+  char *s;
- 
-   if (session->session_id != NULL)
-     {
-@@ -461,8 +461,19 @@ polkit_unix_session_initable_init (GInitable     *initable,
-       goto out;
-     }
- 
--  if (!sd_pid_get_session (session->pid, &session->session_id))
--    ret = TRUE;
-+  if (sd_pid_get_session (session->pid, &s) == 0)
-+    {
-+      session->session_id = g_strdup (s);
-+      free (s);
-+      ret = TRUE;
-+      goto out;
-+    }
-+
-+  g_set_error (error,
-+               POLKIT_ERROR,
-+               POLKIT_ERROR_FAILED,
-+               "No session for pid %d",
-+               (gint) session->pid);
- 
- out:
-   return ret;
--- 
-1.7.8.4
-

0002-PolkitUnixSession-Actually-return-TRUE-if-a-session-.patch

@@ -1,44 +0,0 @@
-From 414f38ee69155eef8badd6f938953c98ce0c1e76 Mon Sep 17 00:00:00 2001
-From: David Zeuthen <davidz@redhat.com>
-Date: Mon, 6 Feb 2012 11:26:06 -0500
-Subject: [PATCH 2/2] PolkitUnixSession: Actually return TRUE if a session
- exists
-
-Also, don't treat the integer returned by sd_session_get_uid() as a
-boolean because that's just confusing.
-
-Signed-off-by: David Zeuthen <davidz@redhat.com>
----
- src/polkit/polkitunixsession-systemd.c |   12 +++++-------
- 1 files changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/src/polkit/polkitunixsession-systemd.c b/src/polkit/polkitunixsession-systemd.c
-index 94a7ee4..8a8bf65 100644
---- a/src/polkit/polkitunixsession-systemd.c
-+++ b/src/polkit/polkitunixsession-systemd.c
-@@ -361,17 +361,15 @@ polkit_unix_session_to_string (PolkitSubject *subject)
- 
- static gboolean
- polkit_unix_session_exists_sync (PolkitSubject   *subject,
--                                    GCancellable    *cancellable,
--                                    GError         **error)
-+                                 GCancellable    *cancellable,
-+                                 GError         **error)
- {
-   PolkitUnixSession *session = POLKIT_UNIX_SESSION (subject);
--  gboolean ret;
-+  gboolean ret = FALSE;
-   uid_t uid;
- 
--  ret = FALSE;
--
--  if (!sd_session_get_uid (session->session_id, &uid))
--    ret = FALSE;
-+  if (sd_session_get_uid (session->session_id, &uid) == 0)
-+    ret = TRUE;
- 
-   return ret;
- }
--- 
-1.7.8.4
-

92.patch

@@ -0,0 +1,103 @@
+From 4910132853ad68dbe8f4e7710dd098120d1b9b95 Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@mengyan1223.wang>
+Date: Tue, 25 Jan 2022 19:19:30 +0800
+Subject: [PATCH 1/3] jsauthority: ensure to call JS_Init() and JS_ShutDown()
+ exactly once
+
+Before this commit, we were calling JS_Init() in
+polkit_backend_js_authority_class_init and never called JS_ShutDown.
+This is actually a misusage of SpiderMonkey API.  Quote from a comment
+in js/Initialization.h (both mozjs-78 and mozjs-91):
+
+    It is currently not possible to initialize SpiderMonkey multiple
+    times (that is, calling JS_Init/JSAPI methods/JS_ShutDown in that
+    order, then doing so again).
+
+This misusage does not cause severe issues with mozjs-78.  However, when
+we eventually port jsauthority to use mozjs-91, bad thing will happen:
+see the test failure mentioned in #150.
+
+This commit is tested with both mozjs-78 and mozjs-91, all tests pass
+with it.
+---
+ src/polkitbackend/polkitbackendjsauthority.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
+index ca17108..b22c34e 100644
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -75,6 +75,13 @@
+
+ /* ---------------------------------------------------------------------------------------------------- */
+
++static class JsInitHelperType
++{
++public:
++	JsInitHelperType() { JS_Init(); }
++	~JsInitHelperType() { JS_ShutDown(); }
++} JsInitHelper;
++
+ struct _PolkitBackendJsAuthorityPrivate
+ {
+   gchar **rules_dirs;
+@@ -589,7 +596,6 @@ polkit_backend_js_authority_finalize (GObject *object)
+   delete authority->priv->js_polkit;
+
+   JS_DestroyContext (authority->priv->cx);
+-  /* JS_ShutDown (); */
+
+   G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
+ }
+@@ -666,7 +672,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
+
+   g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
+
+-  JS_Init ();
+ }
+
+ /* ---------------------------------------------------------------------------------------------------- */
+--
+GitLab
+
+
+From 2b5f49a4e4266d2c327ef55e6df121511e23236b Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@mengyan1223.wang>
+Date: Tue, 25 Jan 2022 19:20:58 +0800
+Subject: [PATCH 2/3] jsauthority: port to mozjs-91
+
+---
+ configure.ac   | 2 +-
+ meson.build    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index e434ca2..6783ee7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+
+-PKG_CHECK_MODULES(LIBJS, [mozjs-78])
++PKG_CHECK_MODULES(LIBJS, [mozjs-91])
+
+ AC_SUBST(LIBJS_CFLAGS)
+ AC_SUBST(LIBJS_CXXFLAGS)
+--
+diff --git a/meson.build b/meson.build
+index 858078d..09cce0f 100644
+--- a/meson.build
++++ b/meson.build
+@@ -133,7 +133,7 @@ expat_dep = dependency('expat')
+ assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
+ assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
+
+-mozjs_dep = dependency('mozjs-78')
++mozjs_dep = dependency('mozjs-91')
+
+ dbus_dep = dependency('dbus-1', required: false)
+ dbus_policydir = pk_prefix / pk_datadir / 'dbus-1/system.d'
+--
+GitLab
+

CVE-2021-4115.patch

@@ -0,0 +1,71 @@
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8ed1363..2fbf5f1 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -62,6 +62,10 @@ enum
+   PROP_NAME,
+ };
+ 
++
++guint8 dbus_call_respond_fails;      // has to be global because of callback
++
++
+ static void subject_iface_init (PolkitSubjectIface *subject_iface);
+ 
+ G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
+@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject              *src,
+   if (!v)
+     {
+       data->caught_error = TRUE;
++      dbus_call_respond_fails += 1;
+     }
+   else
+     {
+@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   tmp_context = g_main_context_new ();
+   g_main_context_push_thread_default (tmp_context);
+ 
++  dbus_call_respond_fails = 0;
++
+   /* Do two async calls as it's basically as fast as one sync call.
+    */
+   g_dbus_connection_call (connection,
+@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+ 			  on_retrieved_unix_uid_pid,
+ 			  &data);
+ 
+-  while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+-    g_main_context_iteration (tmp_context, TRUE);
++  while (TRUE)
++  {
++    /* If one dbus call returns error, we must wait until the other call
++     * calls _call_finish(), otherwise fd leak is possible.
++     * Resolves: GHSL-2021-077
++    */
+ 
+-  if (data.caught_error)
+-    goto out;
++    if ( (dbus_call_respond_fails > 1) )
++    {
++      // we got two faults, we can leave
++      goto out;
++    }
++
++    if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
++    {
++      // we got one fault and the other call finally finished, we can leave
++      goto out;
++    }
++
++    if ( !(data.retrieved_uid && data.retrieved_pid) )
++    {
++      g_main_context_iteration (tmp_context, TRUE);
++    }
++    else
++    {
++      break;
++    }
++  }
+ 
+   if (out_uid)
+     *out_uid = data.uid;

a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch

@@ -0,0 +1,79 @@
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+---
+ src/programs/pkcheck.c |  5 +++++
+ src/programs/pkexec.c  | 23 ++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..768525c 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+ 
++  if (argc < 1)
++    {
++      exit(126);
++    }
++
+   /* Disable remote file access from GIO. */
+   setenv ("GIO_USE_VFS", "local", 1);
+ 
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..84e5ef6 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+ 
++
++  /*
++   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++   */
++  if (argc<1)
++    {
++      exit(127);
++    }
++
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+ 
+       path = g_strdup (pwstruct.pw_shell);
+       if (!path)
+-	{
++        {
+           g_printerr ("No shell configured or error retrieving pw_shell\n");
+           goto out;
+-	}
++        }
+       /* If you change this, be sure to change the if (!command_line)
+ 	 case below too */
+       command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
++      path = s;
++
++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++       */
++      if (argv[n] != NULL)
++      {
++        argv[n] = path;
++      }
+     }
+   if (access (path, F_OK) != 0)
+     {
+-- 
+GitLab
+

mozjs78.patch

@@ -0,0 +1,90 @@
+diff --git a/configure.ac b/configure.ac
+index eea70fc..c4569f1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -34,7 +34,7 @@ AC_PROG_LN_S
+ AC_SYS_LARGEFILE
+ AM_PROG_CC_C_O
+ AC_PROG_CXX
+-AX_CXX_COMPILE_STDCXX([14], [], [mandatory])
++AX_CXX_COMPILE_STDCXX([17], [], [mandatory])
+ 
+ # Taken from dbus
+ AC_ARG_ENABLE(ansi,             [  --enable-ansi           enable -ansi -pedantic gcc flags],enable_ansi=$enableval,enable_ansi=no)
+@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+ 
+-PKG_CHECK_MODULES(LIBJS, [mozjs-68])
++PKG_CHECK_MODULES(LIBJS, [mozjs-78])
+ 
+ AC_SUBST(LIBJS_CFLAGS)
+ AC_SUBST(LIBJS_CXXFLAGS)
+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
+index 25bd1f9..ca17108 100644
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -49,6 +49,7 @@
+ #include <js/Realm.h>
+ #include <js/SourceText.h>
+ #include <js/Warnings.h>
++#include <js/Array.h>
+ #include <jsapi.h>
+ 
+ #include "initjs.h" /* init.js */
+@@ -367,7 +368,7 @@ load_scripts (PolkitBackendJsAuthority  *authority)
+ static void
+ reload_scripts (PolkitBackendJsAuthority *authority)
+ {
+-  JS::AutoValueArray<1> args(authority->priv->cx);
++  JS::RootedValueArray<1> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+ 
+   JS::RootedObject js_polkit(authority->priv->cx, authority->priv->js_polkit->get ());
+@@ -482,10 +483,6 @@ polkit_backend_js_authority_constructed (GObject *object)
+   if (!JS::InitSelfHostedCode (authority->priv->cx))
+     goto fail;
+ 
+-  JS::ContextOptionsRef (authority->priv->cx)
+-      .setIon (TRUE)
+-      .setBaseline (TRUE)
+-      .setAsmJS (TRUE);
+   JS::SetWarningReporter(authority->priv->cx, report_error);
+   JS_SetContextPrivate (authority->priv->cx, authority);
+ 
+@@ -720,7 +717,7 @@ set_property_strv (PolkitBackendJsAuthority  *authority,
+         elems[n].setNull ();
+     }
+ 
+-  JS::RootedObject array_object(authority->priv->cx, JS_NewArrayObject (authority->priv->cx, elems));
++  JS::RootedObject array_object(authority->priv->cx, JS::NewArrayObject (authority->priv->cx, elems));
+ 
+   value_jsval = JS::ObjectValue (*array_object);
+   JS_SetProperty (authority->priv->cx, obj, name, value_jsval);
+@@ -1114,7 +1111,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
+ {
+   PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
+   GList *ret = NULL;
+-  JS::AutoValueArray<2> args(authority->priv->cx);
++  JS::RootedValueArray<2> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+   guint n;
+   GError *error = NULL;
+@@ -1218,7 +1215,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
+ {
+   PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
+   PolkitImplicitAuthorization ret = implicit;
+-  JS::AutoValueArray<2> args(authority->priv->cx);
++  JS::RootedValueArray<2> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+   GError *error = NULL;
+   JS::RootedString ret_jsstr (authority->priv->cx);
+@@ -1409,7 +1406,7 @@ js_polkit_spawn (JSContext  *cx,
+   JS::CallArgs args = JS::CallArgsFromVp (js_argc, vp);
+   array_object = &args[0].toObject();
+ 
+-  if (!JS_GetArrayLength (cx, array_object, &array_len))
++  if (!JS::GetArrayLength (cx, array_object, &array_len))
+     {
+       JS_ReportErrorUTF8 (cx, "Failed to get array length");
+       goto out;

polkit.spec

@@ -1,20 +1,34 @@
-Summary: PolicyKit Authorization Framework
+# Only enable if using patches that touches configure.ac,
+# Makefile.am or other build system related files
+#
+Summary: An authorization framework
 Name: polkit
-Version: 0.104
+Version: 122
 Release: 4%{?dist}
 License: LGPLv2+
-URL: http://www.freedesktop.org/wiki/Software/PolicyKit
-Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.gz
-Group: System Environment/Libraries
-BuildRequires: glib2-devel >= 2.28.0
+URL: http://www.freedesktop.org/wiki/Software/polkit
+Source0: https://gitlab.freedesktop.org/polkit/polkit/-/archive/%{version}/%{name}-%{version}.tar.gz
+
+BuildRequires: gcc-c++
+BuildRequires: glib2-devel >= 2.30.0
 BuildRequires: expat-devel
 BuildRequires: pam-devel
 BuildRequires: gtk-doc
-BuildRequires: intltool
+BuildRequires: gettext-devel
 BuildRequires: gobject-introspection-devel
-BuildRequires: systemd-devel
+BuildRequires: systemd, systemd-devel
+BuildRequires: dbus-devel
+BuildRequires: pkgconfig(duktape)
+BuildRequires: meson
+BuildRequires: git
 
-Requires: dbus
+Requires: dbus, polkit-pkla-compat
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+Requires(pre): shadow-utils
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
 
 Obsoletes: PolicyKit <= 0.10
 Provides: PolicyKit = 0.11
@@ -26,110 +40,455 @@ Conflicts: polkit-gnome < 0.97
 Obsoletes: polkit-desktop-policy < 0.103
 Provides: polkit-desktop-policy = 0.103
 
-Patch0: 0001-PolkitUnixSession-Set-error-if-we-cannot-find-a-sess.patch
-Patch1: 0002-PolkitUnixSession-Actually-return-TRUE-if-a-session-.patch
+Obsoletes: polkit-js-engine < 0.120-5
+Provides: polkit-js-engine = %{version}-%{release}
+
+# when -libs was split out, handle multilib upgrade path -- rex
+Obsoletes: polkit < 0.113-3
 
 %description
-PolicyKit is a toolkit for defining and handling authorizations.
-It is used for allowing unprivileged processes to speak to privileged
+polkit is a toolkit for defining and handling authorizations.  It is
+used for allowing unprivileged processes to speak to privileged
 processes.
 
 %package devel
-Summary: Development files for PolicyKit
-Group: Development/Libraries
-Requires: %name = %{version}-%{release}
+Summary: Development files for polkit
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires: %name-docs = %{version}-%{release}
 Requires: glib2-devel
 Obsoletes: PolicyKit-devel <= 0.10
 Provides: PolicyKit-devel = 0.11
 
 %description devel
-Development files for PolicyKit.
+Development files for polkit.
 
 %package docs
-Summary: Development documentation for PolicyKit
-Group: Development/Libraries
+Summary: Development documentation for polkit
 Requires: %name-devel = %{version}-%{release}
 Obsoletes: PolicyKit-docs <= 0.10
 Provides: PolicyKit-docs = 0.11
+BuildArch: noarch
 
 %description docs
-Development documentation for PolicyKit.
+Development documentation for polkit.
+
+%package libs
+Summary: Libraries for polkit
+
+%description libs
+Libraries files for polkit.
+
 
 %prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
+%autosetup -S git
 
 %build
-%configure --enable-gtk-doc \
-        --disable-static \
-        --libexecdir=%{_libexecdir}/polkit-1 \
-        --enable-introspection \
-        --enable-examples \
-        --enable-systemd=yes
-make
+%meson -D authfw=pam \
+       -D examples=false \
+       -D gtk_doc=true \
+       -D introspection=true \
+       -D man=true \
+       -D session_tracking=libsystemd-login \
+       -D tests=false
+
+%meson_build
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT
+%meson_install
 
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
-rm -f $RPM_BUILD_ROOT%{_libdir}/polkit-1/extensions/*.la
 
 %find_lang polkit-1
 
-%post -p /sbin/ldconfig
+%pre
+getent group polkitd >/dev/null || groupadd -r -g 114 polkitd
+getent passwd polkitd >/dev/null || useradd -r -u 114 -g polkitd -d / -s /sbin/nologin -c "User for polkitd" polkitd
+exit 0
 
-%postun -p /sbin/ldconfig
+%post
+# The implied (systemctl preset) will fail and complain, but the macro hides
+# and ignores the fact.  This is in fact what we want, polkit.service does not
+# have an [Install] section and it is always started on demand.
+%systemd_post polkit.service
+
+%preun
+%systemd_preun polkit.service
+
+%postun
+%systemd_postun_with_restart polkit.service
 
 %files -f polkit-1.lang
-%defattr(-,root,root,-)
-%doc COPYING
-%{_libdir}/lib*.so.*
-%dir %{_libdir}/polkit-1
-%dir %{_libdir}/polkit-1/extensions
-%{_libdir}/polkit-1/extensions/*.so
+%doc COPYING NEWS.md README.md
 %{_datadir}/man/man1/*
 %{_datadir}/man/man8/*
+%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
 %{_datadir}/dbus-1/system-services/*
+%{_unitdir}/polkit.service
 %dir %{_datadir}/polkit-1/
 %dir %{_datadir}/polkit-1/actions
+%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
 %{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
+%{_datadir}/polkit-1/policyconfig-1.dtd
+%dir %{_sysconfdir}/polkit-1
+%{_datadir}/polkit-1/rules.d/50-default.rules
+%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
 %{_sysconfdir}/pam.d/polkit-1
-%{_sysconfdir}/polkit-1
 %{_bindir}/pkaction
 %{_bindir}/pkcheck
-%dir %{_libexecdir}/polkit-1
-%{_libexecdir}/polkit-1/polkitd
-%{_libdir}/girepository-1.0/*.typelib
+%{_bindir}/pkttyagent
+%dir %{_prefix}/lib/polkit-1
+%{_prefix}/lib/polkit-1/polkitd
 
 # see upstream docs for why these permissions are necessary
 %attr(4755,root,root) %{_bindir}/pkexec
-%attr(4755,root,root) %{_libexecdir}/polkit-1/polkit-agent-helper-1
-
-%attr(0700,root,root) %dir %{_localstatedir}/lib/polkit-1/
-%dir %{_localstatedir}/lib/polkit-1/localauthority
-%dir %{_localstatedir}/lib/polkit-1/localauthority/10-vendor.d
-%dir %{_localstatedir}/lib/polkit-1/localauthority/20-org.d
-%dir %{_localstatedir}/lib/polkit-1/localauthority/30-site.d
-%dir %{_localstatedir}/lib/polkit-1/localauthority/50-local.d
-%dir %{_localstatedir}/lib/polkit-1/localauthority/90-mandatory.d
+%attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1
 
 %files devel
-%defattr(-,root,root,-)
 %{_libdir}/lib*.so
 %{_libdir}/pkgconfig/*.pc
 %{_datadir}/gir-1.0/*.gir
 %{_includedir}/*
-%{_bindir}/pk-example-frobnicate
-%{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
+%{_datadir}/gettext/its/polkit.its
+%{_datadir}/gettext/its/polkit.loc
 
 %files docs
-%defattr(-,root,root,-)
 %{_datadir}/gtk-doc
 
+%ldconfig_scriptlets libs
+
+%files libs
+%{_libdir}/lib*.so.*
+%{_libdir}/girepository-1.0/*.typelib
+
 %changelog
+* Wed Feb 08 2023 Jan Rybar <jrybar@redhat.com> - 122-4
+- Switch 'polkitd' to static UID/GID (fpc#1189) (on behalf of lucab)
+- Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2104615
+
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 122-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Dec 16 2022 František Zatloukal <fzatlouk@redhat.com> - 122-2
+- Rebuilt for duktape 2.7.0
+
+* Wed Oct 26 2022 Vincent Mihalkovic <vmihalko@redhat.com> - 122-1
+- rebase to 122
+
+* Mon Aug 15 2022 Jan Rybar <jrybar@redhat.com> - 121-4
+- duktape re-enabled
+
+* Tue Aug 02 2022 Jan Rybar <jrybar@redhat.com> - 121-3
+- switched back to mozjs until problems with duktape are fixed
+- Related: bz#2109145
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 121-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 12 2022 Jan Rybar <jrybar@redhat.com> - 121-1
+- Rebase to v.121
+
+* Sun Feb 20 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 0.120-5
+- switch to mozjs91
+
+* Wed Feb 16 2022 Jan Rybar <jrybar@redhat.com> - 0.120-4
+- file descriptor exhaustion (GHSL-2021-077)
+- Resolves: CVE-2021-4115
+
+* Wed Jan 26 2022 Timothée Ravier <tim@siosm.fr> - 0.120-3
+- Fix for CVE-2021-4034
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.120-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Oct 06 2021 Pete Walter <pwalter@fedoraproject.org> - 0.120-1
+- Update to 0.120
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.118-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu May 20 2021 Jan Rybar <jrybar@redhat.com> - 0.118-2
+- CVE-2021-3560 mitigation
+- Resolves: CVE-2021-3560
+
+* Mon Apr 26 2021 Jan Rybar <jrybar@redhat.com> - 0.118-1
+- rebase to 0.118
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.117-4
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.117-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Aug 12 2020 Jan Rybar <jrybar@redhat.com> - 0.117-2
+- update dependency to mozjs78
+
+* Fri Jul 31 2020 Jan Rybar <jrybar@redhat.com> - 0.117-1
+- Rebased to polkit-0.117
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Tom Stellard <tstellar@redhat.com> - 0.116-8
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Oct 25 2019 Jan Rybar <jrybar@redhat.com> - 0.116-6
+- jsauthority memleak fix
+
+* Fri Sep 27 2019 Jan Rybar <jrybar@redhat.com> - 0.116-5
+- pkttyagent: unread input flushed on terminal restore
+
+* Sun Sep 08 2019 Kalev Lember <klember@redhat.com> - 0.116-4
+- Rebuilt for mozjs60 s390x fixes
+
+* Fri Aug 02 2019 Jan Rybar <jrybar@redhat.com> - 0.116-3
+- pkttyagent: backport patch, get SIGTTOU in background job
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 02 2019 Pete Walter <pwalter@fedoraproject.org> - 0.116-1
+- Update to 0.116
+
+* Thu Feb 14 2019 Jan Rybar <jrybar@redhat.com> - 0.115-11
+- pkttyagent: PolkitAgentTextListener leaves echo tty disabled if SIGINT/SIGTERM
+
+* Fri Feb 08 2019 Pete Walter <pwalter@fedoraproject.org> - 0.115-10
+- Move to mozjs60
+
+* Tue Feb 05 2019 Jan Rybar <jrybar@redhat.com> - 0.115-9
+- Allow uid=-1 for PolkitUnixProcess
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.115-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Jan 08 2019 Colin Walters <walters@verbum.org> - 0.115-7
+- Add security fix for
+  https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
+
+* Fri Dec 07 2018 Jan Rybar <jrybar@redhat.com> - 0.115-6
+- Fix of CVE-2018-19788, priv escalation with high UIDs
+- Resolves: rhbz#1655926
+
+* Thu Sep 27 2018 Owen Taylor <otaylor@redhat.com> - 0.115-5
+- Fix installation with prefix != /usr
+
+* Mon Aug 13 2018 Jan Rybar <jrybar@redhat.com> - 0.115-4
+- Leaking zombie processess started by rules
+
+* Fri Jul 20 2018 Jan Rybar <jrybar@redhat.com> - 0.115-3
+- Warning raised by polkit when disconnected from ssh
+- polkitagentlistener: resource leak - pointer to 'server'
+- Error message raised on every 'systemctl start' in emergency.target
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.115-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 10 2018 Miloslav Trmač <mitr@redhat.com> - 0.115-1
+- Update to 0.115 (CVE-2018-1116)
+
+* Tue Apr 03 2018 Ray Strode <rstrode@redhat.com> - 0.114-1
+- Update to 0.114
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Apr 13 2017 Richard Hughes <rhughes@redhat.com> - 0.113-13
+- Add the its files from upstream.
+
+* Tue Apr 4 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-12
+- Fix a memory leak in PolkitPermission.
+  Patch by Rui Matos <tiagomatos@gmail.com>
+  Resolves: #1433915
+
+* Tue Apr 4 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-11
+- Revert back to the state in 0.113-7, undoing the untested changes.
+
+* Tue Apr  4 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.113-10
+- Move to an upstream snapshot, rebase patches
+
+* Fri Mar 31 2017 Rex Dieter <rdieter@fedoraproject.org> - 0.113-9
+- restore Provides: polkit-desktop-policy polkit-js-engine
+
+* Thu Mar 30 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.113-8
+- Use %%license, license needs to be in -libs as it's the only guaranteed installed package
+- Move to mozjs38
+- Other upstream fixes
+- Spec cleanups
+
+* Mon Feb 13 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-7
+- Fix memory leaks when calling authentication agents
+  Resolves: #1380166
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Jul 14 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-4
+- Bump the Obsoletes: to < 0.113-3 to account for the non-split 0.113-2.fc21
+  Resolves: #1243004
+
+* Sun Jul 12 2015 Rex Dieter <rdieter@fedoraproject.org> 0.113-3
+- Obsoletes: polkit < 0.112-8 (handle multilib upgrade path)
+
+* Fri Jul 10 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-2
+- Add a fully versioned dependency from polkit to polkit-libs
+  Resolves: #1241759
+- Require polkit-libs, not polkit, in polkit-devel
+
+* Thu Jul 2 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-1
+- Update to polkit-0.113 (CVE-2015-3218, CVE-2015-3255, CVE-2015-3256,
+  CVE-2015-4625)
+  Resolves: #910262, #1175061, #1177930, #1194391, #1228739, #1233810
+
+* Fri Jun 19 2015 Miloslav Trmač <mitr@redhat.com> - 0.112-11
+- Add BuildRequires: systemd so that %%{_unitdir} is defined, to fix the build.
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Jan 25 2015 Rex Dieter <rdieter@fedoraproject.org>  - 0.112-9
+- polkit doesn't release reference counters of GVariant data (#1180886)
+- fix ldconfig scriptlets (move to -libs subpkg)
+
+* Sat Nov 08 2014 Colin Walters <walters@redhat.com> - 0.112-8
+- Split separate -libs package, so that NetworkManager can just depend on
+  that, without dragging in the daemon (as well as libmozjs17).  This
+  allows the creation of more minimal systems that want programs like NM,
+  but do not need the configurability of the daemon; it would be ok if only
+  root is authorized.
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Jul 22 2014 Kalev Lember <kalevlember@gmail.com> - 0.112-6
+- Rebuilt for gobject-introspection 1.41.4
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Jun  5 2014 Kay Sievers <kay@redhat.com> - 0.112-4
+- backport upstream D-Bus "user bus" changes
+
+* Mon Feb 10 2014 Miloslav Trmač <mitr@redhat.com> - 0.112-3
+- Fix a PolkitAgentSession race condition
+  Resolves: #1063193
+
+* Sat Dec  7 2013 Miloslav Trmač <mitr@redhat.com> - 0.112-2
+- Workaround pam_systemd setting broken XDG_RUNTIME_DIR
+  Resolves: #1033774
+- Always use mozjs-17.0 even if js-devel is installed
+
+* Wed Sep 18 2013 Miloslav Trmač <mitr@redhat.com> - 0.112-1
+- Update to polkit-0.112
+- Resolves: #1009538, CVE-2013-4288
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.111-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed May 29 2013 Tomas Bzatek <tbzatek@redhat.com> - 0.111-2
+- Fix a race on PolkitSubject type registration (#866718)
+
+* Wed May 15 2013 Miloslav Trmač <mitr@redhat.com> - 0.111-1
+- Update to polkit-0.111
+  Resolves: #917888
+- Use SpiderMonkey from mozjs17 instead of js
+- Ship the signature in the srpm
+- Try to preserve timestamps in (make install)
+
+* Fri May 10 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-4
+- Shut up rpmlint about Summary:
+- Build with V=1
+- Use %%{_unitdir} instead of hard-coding the path
+- Use the new systemd macros, primarily to run (systemctl daemon-reload)
+  Resolves: #857382
+
+* Fri May 10 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-4
+- Make the JavaScript engine mandatory.  The polkit-js-engine package has been
+  removed, main polkit package Provides:polkit-js-engine for compatibility.
+- Add Requires: polkit-pkla-compat
+  Resolves: #908808
+
+* Wed Feb 13 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-3
+- Don't ship pk-example-frobnicate in the "live" configuration
+  Resolves: #878112
+
+* Fri Feb  8 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-2
+- Own %%{_docdir}/polkit-js-engine-*
+  Resolves: #907668
+
+* Wed Jan  9 2013 David Zeuthen <davidz@redhat.com> - 0.110-1%{?dist}
+- Update to upstream release 0.110
+
+* Mon Jan  7 2013 Matthias Clasen <mclasen@redhat.com> - 0.109-2%{?dist}
+- Build with pie and stuff
+
+* Wed Dec 19 2012 David Zeuthen <davidz@redhat.com> 0.109-1%{?dist}
+- Update to upstream release 0.109
+- Drop upstreamed patches
+
+* Thu Nov 15 2012 David Zeuthen <davidz@redhat.com> 0.108-3%{?dist}
+- Attempt to open the correct libmozjs185 library, otherwise polkit
+  authz rules will not work unless js-devel is installed (fdo #57146)
+
+* Wed Nov 14 2012 David Zeuthen <davidz@redhat.com> 0.108-2%{?dist}
+- Include gmodule-2.0 to avoid build error
+
+* Wed Nov 14 2012 David Zeuthen <davidz@redhat.com> 0.108-1%{?dist}
+- Update to upstream release 0.108
+- Drop upstreamed patches
+- This release dynamically loads the JavaScript interpreter and can
+  cope with it not being available. In this case, polkit authorization
+  rules are not processed and the defaults for an action - as defined
+  in its .policy file - are used for authorization decisions.
+- Add new meta-package, polkit-js-engine, that pulls in the required
+  JavaScript bits to make polkit authorization rules work. The default
+  install - not the minimal install - should include this package
+
+* Wed Oct 10 2012 Adam Jackson <ajax@redhat.com> 0.107-4
+- Don't crash if initializing the server object fails
+
+* Tue Sep 18 2012 David Zeuthen <davidz@redhat.com> 0.107-3%{?dist}
+- Authenticate as root if e.g. the wheel group is empty (#834494)
+
+* Fri Jul 27 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.107-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jul 11 2012 David Zeuthen <davidz@redhat.com> 0.107-1%{?dist}
+- Update to upstream release 0.107
+
+* Fri Jun 29 2012 David Zeuthen <davidz@redhat.com> 0.106-2%{?dist}
+- Add forgotten Requires(pre): shadow-utils
+
+* Thu Jun 07 2012 David Zeuthen <davidz@redhat.com> 0.106-1%{?dist}
+- Update to upstream release 0.106
+- Authorizations are no longer controlled by .pkla files - from now
+  on, use the new .rules files described in the polkit(8) man page
+
+* Tue Apr 24 2012 David Zeuthen <davidz@redhat.com> 0.105-1%{?dist}
+- Update to upstream release 0.105
+- Nuke patches that are now upstream
+- Change 'PolicyKit' to 'polkit' in summary and descriptions
+
+* Thu Mar 08 2012 David Zeuthen <davidz@redhat.com> 0.104-6%{?dist}
+- Don't leak file descriptors (bgo #671486)
+
+* Mon Feb 13 2012 Matthias Clasen <mclasen@redhat.com> - 0.104-5%{?dist}
+- Make the -docs subpackage noarch
+
 * Mon Feb 06 2012 David Zeuthen <davidz@redhat.com> 0.104-4%{?dist}
 - Set error if we cannot obtain a PolkitUnixSession for a given PID (#787222)
 
@@ -155,7 +514,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/polkit-1/extensions/*.la
 - Add patch to neuter the annoying systemd behavior where stdout/stderr
   is sent to the system logs
 
-* Fri Aug 04 2011 David Zeuthen <davidz@redhat.com> 0.102-1
+* Thu Aug 04 2011 David Zeuthen <davidz@redhat.com> 0.102-1
 - Update to 0.102 release
 
 * Fri May 13 2011 Bastien Nocera <bnocera@redhat.com> 0.101-7
@@ -192,7 +551,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/polkit-1/extensions/*.la
 * Fri Jan 28 2011 Matthias Clasen <mclasen@redhat.com> - 0.98-6
 - Own /usr/libexec/polkit-1
 
-* Fri Nov 14 2010 Matthias Clasen <mclasen@redhat.com> - 0.98-5
+* Fri Nov 12 2010 Matthias Clasen <mclasen@redhat.com> - 0.98-5
 - Enable introspection
 
 * Thu Sep 02 2010 David Zeuthen <davidz@redhat.com> - 0.98-4

sources

@@ -1 +1 @@
-e380b4c6fb1e7bccf854e92edc0a8ce1  polkit-0.104.tar.gz
+SHA512 (polkit-122.tar.gz) = 6f537b218133777c1a9ef6b38296b4e17263d86b783acce4ce895ef3b507bb1b482d4b88bc410ab8846ce7cc7b84e82c4109f80f535190a351d7d2683b8608f3