rpms
/
polkit
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:f38-riscv64
rpms:main
rpms:f38
rpms:f37
rpms:f36
rpms:f34
rpms:f35
rpms:f33
rpms:f32
rpms:f30
rpms:f31
rpms:f28
rpms:f29
rpms:f27
rpms:f25
rpms:f26
rpms:f24
rpms:f21
rpms:f22
rpms:f23
rpms:f20
rpms:f18
rpms:f19
rpms:f17
rpms:f16
rpms:f15
rpms:f13
rpms:f14
rpms:f12
rpms:polkit-0.113-16.fc27
rpms:polkit-0.115-1.fc29
rpms:polkit-0.115-1.fc28
rpms:polkit-0.113-12.fc27
rpms:polkit-0.113-11.fc27
rpms:polkit-0.113-7.fc26
rpms:polkit-0.113-4.fc23
rpms:polkit-0.113-4.fc22
rpms:polkit-0.113-4.fc21
rpms:polkit-0.113-3.fc22
rpms:polkit-0.113-2.fc23
rpms:polkit-0.113-2.fc22
rpms:polkit-0.113-2.fc21
rpms:polkit-0.113-1.fc21
rpms:polkit-0.113-1.fc23
rpms:polkit-0.113-1.fc22
rpms:polkit-0.112-11.fc23
rpms:polkit-0.112-7.fc21.1
rpms:polkit-0.112-7.fc20.1
rpms:polkit-0.112-9.fc22
rpms:polkit-0.112-3.fc21
rpms:polkit-0.112-2.fc21
rpms:polkit-0.112-2.fc20
rpms:polkit-0.107-6.fc18
rpms:polkit-0.112-1.fc21
rpms:polkit-0.112-1.fc20
rpms:polkit-0.112-1.fc19
rpms:polkit-0.111-1.fc20
rpms:polkit-0.111-1.fc19
rpms:polkit-0.110-4.fc20
rpms:polkit-0.110-4.fc19
rpms:polkit-0.110-3.fc19
rpms:polkit-0.110-2.fc19
rpms:polkit-0_96-1_fc14
rpms:polkit-0_96-1_fc13
rpms:F-13-start
rpms:F-13-split
rpms:polkit-0_95-2_fc13
rpms:polkit-0_95-2_fc12
rpms:polkit-0_95-1_fc12
rpms:polkit-0_95-0_git20090913_3_fc12
rpms:polkit-0_95-0_git20090913_2_fc12
rpms:F-12-start
rpms:F-12-split
rpms:polkit-0_95-0_git20090913_1_fc12
rpms:polkit-0_95-0_git20090913_fc12
rpms:polkit-0_94-4_fc12
rpms:polkit-0_94-3_fc12
rpms:polkit-0_94-2_fc12
rpms:polkit-0_94-1_fc12
rpms:polkit-0_93-3_fc12
rpms:polkit-0_93-2_fc12
rpms:polkit-0_93-1_fc12
rpms:polkit-0_92-3_fc12
rpms:polkit-0_92-2_fc12
rpms:polkit-0_92-1_fc12
..
compare: rpms:f16
Branches Tags
rpms:f38-riscv64
rpms:main
rpms:rawhide
rpms:f38
rpms:f37
rpms:f36
rpms:f34
rpms:f35
rpms:f33
rpms:f32
rpms:f30
rpms:f31
rpms:f28
rpms:f29
rpms:f27
rpms:f25
rpms:f26
rpms:f24
rpms:f21
rpms:f22
rpms:f23
rpms:f20
rpms:f18
rpms:f19
rpms:f17
rpms:f16
rpms:f15
rpms:f13
rpms:f14
rpms:f12
rpms:polkit-0.113-16.fc27
rpms:polkit-0.115-1.fc29
rpms:polkit-0.115-1.fc28
rpms:polkit-0.113-12.fc27
rpms:polkit-0.113-11.fc27
rpms:polkit-0.113-7.fc26
rpms:polkit-0.113-4.fc23
rpms:polkit-0.113-4.fc22
rpms:polkit-0.113-4.fc21
rpms:polkit-0.113-3.fc22
rpms:polkit-0.113-2.fc23
rpms:polkit-0.113-2.fc22
rpms:polkit-0.113-2.fc21
rpms:polkit-0.113-1.fc21
rpms:polkit-0.113-1.fc23
rpms:polkit-0.113-1.fc22
rpms:polkit-0.112-11.fc23
rpms:polkit-0.112-7.fc21.1
rpms:polkit-0.112-7.fc20.1
rpms:polkit-0.112-9.fc22
rpms:polkit-0.112-3.fc21
rpms:polkit-0.112-2.fc21
rpms:polkit-0.112-2.fc20
rpms:polkit-0.107-6.fc18
rpms:polkit-0.112-1.fc21
rpms:polkit-0.112-1.fc20
rpms:polkit-0.112-1.fc19
rpms:polkit-0.111-1.fc20
rpms:polkit-0.111-1.fc19
rpms:polkit-0.110-4.fc20
rpms:polkit-0.110-4.fc19
rpms:polkit-0.110-3.fc19
rpms:polkit-0.110-2.fc19
rpms:polkit-0_96-1_fc14
rpms:polkit-0_96-1_fc13
rpms:F-13-start
rpms:F-13-split
rpms:polkit-0_95-2_fc13
rpms:polkit-0_95-2_fc12
rpms:polkit-0_95-1_fc12
rpms:polkit-0_95-0_git20090913_3_fc12
rpms:polkit-0_95-0_git20090913_2_fc12
rpms:F-12-start
rpms:F-12-split
rpms:polkit-0_95-0_git20090913_1_fc12
rpms:polkit-0_95-0_git20090913_fc12
rpms:polkit-0_94-4_fc12
rpms:polkit-0_94-3_fc12
rpms:polkit-0_94-2_fc12
rpms:polkit-0_94-1_fc12
rpms:polkit-0_93-3_fc12
rpms:polkit-0_93-2_fc12
rpms:polkit-0_93-1_fc12
rpms:polkit-0_92-3_fc12
rpms:polkit-0_92-2_fc12
rpms:polkit-0_92-1_fc12

3 Commits
rawhide ... f16

Author SHA1 Message Date
David Zeuthen 7388c81762 Update to upstream release 0.103 
Drop upstreamed patch
Drop Fedora-specific policy, it is now upstream (fdo #41008)
 2012-03-29 17:21:09 +01:00
Dennis Gilmore 0fa9052b9a - Rebuilt for glibc bug#747377 2011-10-26 20:27:07 -05:00
David Zeuthen 107fe94316 Add patch to neuter the annoying systemd behavior where stdout/stderr 
is sent to the system logs

Signed-off-by: David Zeuthen <davidz@redhat.com>
 2011-10-18 13:29:14 -04:00
7 changed files with 57 additions and 809 deletions
Show Stats Expand all files Collapse all files

31
.gitignore vendored
View File

@ -1,4 +1,3 @@
/.project
polkit-0.92.tar.gz
polkit-0.93.tar.gz
polkit-0.94.tar.gz
@ -11,33 +10,3 @@ polkit-0.98.tar.gz
/polkit-0.101.tar.gz
/polkit-0.102.tar.gz
/polkit-0.103.tar.gz
/polkit-0.104.tar.gz
/polkit-0.105.tar.gz
/polkit-0.106.tar.gz
/polkit-0.107.tar.gz
/polkit-0.108.tar.gz
/polkit-0.109.tar.gz
/polkit-0.110.tar.gz
/polkit-0.111.tar.gz
/polkit-0.111.tar.gz.sign
/polkit-0.112.tar.gz
/polkit-0.112.tar.gz.sign
/polkit-0.113.tar.gz
/polkit-0.113.tar.gz.sign
/polkit-0.114.tar.gz
/polkit-0.114.tar.gz.sign
/polkit-0.115.tar.gz
/polkit-0.115.tar.gz.sign
/polkit-0.116.tar.gz
/polkit-0.116.tar.gz.sign
/polkit-0.117.tar.gz
/polkit-0.117.tar.gz.sign
/polkit-0.118.tar.gz
/polkit-0.118.tar.gz.sign
/polkit-0.120.tar.gz
/polkit-0.120.tar.gz.sign
/polkit-121.tar.gz
/polkit-121.tar.gz.sign
/polkit-121.tar.xz
/polkit-121.tar.xz.sign
/polkit-122.tar.gz

103
92.patch
View File

@ -1,103 +0,0 @@
From 4910132853ad68dbe8f4e7710dd098120d1b9b95 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@mengyan1223.wang>
Date: Tue, 25 Jan 2022 19:19:30 +0800
Subject: [PATCH 1/3] jsauthority: ensure to call JS_Init() and JS_ShutDown()
exactly once
Before this commit, we were calling JS_Init() in
polkit_backend_js_authority_class_init and never called JS_ShutDown.
This is actually a misusage of SpiderMonkey API. Quote from a comment
in js/Initialization.h (both mozjs-78 and mozjs-91):
It is currently not possible to initialize SpiderMonkey multiple
times (that is, calling JS_Init/JSAPI methods/JS_ShutDown in that
order, then doing so again).
This misusage does not cause severe issues with mozjs-78. However, when
we eventually port jsauthority to use mozjs-91, bad thing will happen:
see the test failure mentioned in #150.
This commit is tested with both mozjs-78 and mozjs-91, all tests pass
with it.
---
src/polkitbackend/polkitbackendjsauthority.cpp | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index ca17108..b22c34e 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -75,6 +75,13 @@
/* ---------------------------------------------------------------------------------------------------- */
+static class JsInitHelperType
+{
+public:
+ JsInitHelperType() { JS_Init(); }
+ ~JsInitHelperType() { JS_ShutDown(); }
+} JsInitHelper;
+
struct _PolkitBackendJsAuthorityPrivate
{
gchar **rules_dirs;
@@ -589,7 +596,6 @@ polkit_backend_js_authority_finalize (GObject *object)
delete authority->priv->js_polkit;
JS_DestroyContext (authority->priv->cx);
- /* JS_ShutDown (); */
G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
}
@@ -666,7 +672,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
- JS_Init ();
}
/* ---------------------------------------------------------------------------------------------------- */
--
GitLab
From 2b5f49a4e4266d2c327ef55e6df121511e23236b Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@mengyan1223.wang>
Date: Tue, 25 Jan 2022 19:20:58 +0800
Subject: [PATCH 2/3] jsauthority: port to mozjs-91
---
configure.ac | 2 +-
meson.build | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index e434ca2..6783ee7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)
-PKG_CHECK_MODULES(LIBJS, [mozjs-78])
+PKG_CHECK_MODULES(LIBJS, [mozjs-91])
AC_SUBST(LIBJS_CFLAGS)
AC_SUBST(LIBJS_CXXFLAGS)
--
diff --git a/meson.build b/meson.build
index 858078d..09cce0f 100644
--- a/meson.build
+++ b/meson.build
@@ -133,7 +133,7 @@ expat_dep = dependency('expat')
assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
-mozjs_dep = dependency('mozjs-78')
+mozjs_dep = dependency('mozjs-91')
dbus_dep = dependency('dbus-1', required: false)
dbus_policydir = pk_prefix / pk_datadir / 'dbus-1/system.d'
--
GitLab

71
CVE-2021-4115.patch
View File

@ -1,71 +0,0 @@
diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
index 8ed1363..2fbf5f1 100644
--- a/src/polkit/polkitsystembusname.c
+++ b/src/polkit/polkitsystembusname.c
@@ -62,6 +62,10 @@ enum
PROP_NAME,
};
+
+guint8 dbus_call_respond_fails; // has to be global because of callback
+
+
static void subject_iface_init (PolkitSubjectIface *subject_iface);
G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
if (!v)
{
data->caught_error = TRUE;
+ dbus_call_respond_fails += 1;
}
else
{
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
tmp_context = g_main_context_new ();
g_main_context_push_thread_default (tmp_context);
+ dbus_call_respond_fails = 0;
+
/* Do two async calls as it's basically as fast as one sync call.
*/
g_dbus_connection_call (connection,
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
on_retrieved_unix_uid_pid,
&data);
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
- g_main_context_iteration (tmp_context, TRUE);
+ while (TRUE)
+ {
+ /* If one dbus call returns error, we must wait until the other call
+ * calls _call_finish(), otherwise fd leak is possible.
+ * Resolves: GHSL-2021-077
+ */
- if (data.caught_error)
- goto out;
+ if ( (dbus_call_respond_fails > 1) )
+ {
+ // we got two faults, we can leave
+ goto out;
+ }
+
+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
+ {
+ // we got one fault and the other call finally finished, we can leave
+ goto out;
+ }
+
+ if ( !(data.retrieved_uid && data.retrieved_pid) )
+ {
+ g_main_context_iteration (tmp_context, TRUE);
+ }
+ else
+ {
+ break;
+ }
+ }
if (out_uid)
*out_uid = data.uid;

79
a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
View File

@ -1,79 +0,0 @@
From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Tue, 25 Jan 2022 17:21:46 +0000
Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
---
src/programs/pkcheck.c | 5 +++++
src/programs/pkexec.c | 23 ++++++++++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..768525c 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..84e5ef6 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+ */
+ if (argc<1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{
--
GitLab

90
mozjs78.patch
View File

@ -1,90 +0,0 @@
diff --git a/configure.ac b/configure.ac
index eea70fc..c4569f1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -34,7 +34,7 @@ AC_PROG_LN_S
AC_SYS_LARGEFILE
AM_PROG_CC_C_O
AC_PROG_CXX
-AX_CXX_COMPILE_STDCXX([14], [], [mandatory])
+AX_CXX_COMPILE_STDCXX([17], [], [mandatory])
# Taken from dbus
AC_ARG_ENABLE(ansi, [ --enable-ansi enable -ansi -pedantic gcc flags],enable_ansi=$enableval,enable_ansi=no)
@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)
-PKG_CHECK_MODULES(LIBJS, [mozjs-68])
+PKG_CHECK_MODULES(LIBJS, [mozjs-78])
AC_SUBST(LIBJS_CFLAGS)
AC_SUBST(LIBJS_CXXFLAGS)
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index 25bd1f9..ca17108 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -49,6 +49,7 @@
#include <js/Realm.h>
#include <js/SourceText.h>
#include <js/Warnings.h>
+#include <js/Array.h>
#include <jsapi.h>
#include "initjs.h" /* init.js */
@@ -367,7 +368,7 @@ load_scripts (PolkitBackendJsAuthority *authority)
static void
reload_scripts (PolkitBackendJsAuthority *authority)
{
- JS::AutoValueArray<1> args(authority->priv->cx);
+ JS::RootedValueArray<1> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
JS::RootedObject js_polkit(authority->priv->cx, authority->priv->js_polkit->get ());
@@ -482,10 +483,6 @@ polkit_backend_js_authority_constructed (GObject *object)
if (!JS::InitSelfHostedCode (authority->priv->cx))
goto fail;
- JS::ContextOptionsRef (authority->priv->cx)
- .setIon (TRUE)
- .setBaseline (TRUE)
- .setAsmJS (TRUE);
JS::SetWarningReporter(authority->priv->cx, report_error);
JS_SetContextPrivate (authority->priv->cx, authority);
@@ -720,7 +717,7 @@ set_property_strv (PolkitBackendJsAuthority *authority,
elems[n].setNull ();
}
- JS::RootedObject array_object(authority->priv->cx, JS_NewArrayObject (authority->priv->cx, elems));
+ JS::RootedObject array_object(authority->priv->cx, JS::NewArrayObject (authority->priv->cx, elems));
value_jsval = JS::ObjectValue (*array_object);
JS_SetProperty (authority->priv->cx, obj, name, value_jsval);
@@ -1114,7 +1111,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
{
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
GList *ret = NULL;
- JS::AutoValueArray<2> args(authority->priv->cx);
+ JS::RootedValueArray<2> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
guint n;
GError *error = NULL;
@@ -1218,7 +1215,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
{
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
PolkitImplicitAuthorization ret = implicit;
- JS::AutoValueArray<2> args(authority->priv->cx);
+ JS::RootedValueArray<2> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
GError *error = NULL;
JS::RootedString ret_jsstr (authority->priv->cx);
@@ -1409,7 +1406,7 @@ js_polkit_spawn (JSContext *cx,
JS::CallArgs args = JS::CallArgsFromVp (js_argc, vp);
array_object = &args[0].toObject();
- if (!JS_GetArrayLength (cx, array_object, &array_len))
+ if (!JS::GetArrayLength (cx, array_object, &array_len))
{
JS_ReportErrorUTF8 (cx, "Failed to get array length");
goto out;

490
polkit.spec
View File

@ -1,34 +1,20 @@
# Only enable if using patches that touches configure.ac,
# Makefile.am or other build system related files
#
Summary: An authorization framework
Summary: PolicyKit Authorization Framework
Name: polkit
Version: 122
Release: 4%{?dist}
Version: 0.103
Release: 1%{?dist}
License: LGPLv2+
URL: http://www.freedesktop.org/wiki/Software/polkit
Source0: https://gitlab.freedesktop.org/polkit/polkit/-/archive/%{version}/%{name}-%{version}.tar.gz
BuildRequires: gcc-c++
BuildRequires: glib2-devel >= 2.30.0
URL: http://www.freedesktop.org/wiki/Software/PolicyKit
Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.gz
Group: System Environment/Libraries
BuildRequires: glib2-devel >= 2.28.0
BuildRequires: expat-devel
BuildRequires: pam-devel
BuildRequires: gtk-doc
BuildRequires: gettext-devel
BuildRequires: intltool
BuildRequires: gobject-introspection-devel
BuildRequires: systemd, systemd-devel
BuildRequires: dbus-devel
BuildRequires: pkgconfig(duktape)
BuildRequires: meson
BuildRequires: git
Requires: dbus, polkit-pkla-compat
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires(pre): shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires: ConsoleKit
Requires: dbus
Obsoletes: PolicyKit <= 0.10
Provides: PolicyKit = 0.11
@ -40,468 +26,104 @@ Conflicts: polkit-gnome < 0.97
Obsoletes: polkit-desktop-policy < 0.103
Provides: polkit-desktop-policy = 0.103
Obsoletes: polkit-js-engine < 0.120-5
Provides: polkit-js-engine = %{version}-%{release}
# when -libs was split out, handle multilib upgrade path -- rex
Obsoletes: polkit < 0.113-3
%description
polkit is a toolkit for defining and handling authorizations. It is
used for allowing unprivileged processes to speak to privileged
PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.
%package devel
Summary: Development files for polkit
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: Development files for PolicyKit
Group: Development/Libraries
Requires: %name = %{version}-%{release}
Requires: %name-docs = %{version}-%{release}
Requires: glib2-devel
Obsoletes: PolicyKit-devel <= 0.10
Provides: PolicyKit-devel = 0.11
%description devel
Development files for polkit.
Development files for PolicyKit.
%package docs
Summary: Development documentation for polkit
Summary: Development documentation for PolicyKit
Group: Development/Libraries
Requires: %name-devel = %{version}-%{release}
Obsoletes: PolicyKit-docs <= 0.10
Provides: PolicyKit-docs = 0.11
BuildArch: noarch
%description docs
Development documentation for polkit.
%package libs
Summary: Libraries for polkit
%description libs
Libraries files for polkit.
Development documentation for PolicyKit.
%prep
%autosetup -S git
%setup -q
%build
%meson -D authfw=pam \
-D examples=false \
-D gtk_doc=true \
-D introspection=true \
-D man=true \
-D session_tracking=libsystemd-login \
-D tests=false
%meson_build
%configure --enable-gtk-doc \
--disable-static \
--libexecdir=%{_libexecdir}/polkit-1 \
--enable-introspection \
--enable-examples
make
%install
%meson_install
make install DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/polkit-1/extensions/*.la
%find_lang polkit-1
%pre
getent group polkitd >/dev/null || groupadd -r -g 114 polkitd
getent passwd polkitd >/dev/null || useradd -r -u 114 -g polkitd -d / -s /sbin/nologin -c "User for polkitd" polkitd
exit 0
%post -p /sbin/ldconfig
%post
# The implied (systemctl preset) will fail and complain, but the macro hides
# and ignores the fact. This is in fact what we want, polkit.service does not
# have an [Install] section and it is always started on demand.
%systemd_post polkit.service
%preun
%systemd_preun polkit.service
%postun
%systemd_postun_with_restart polkit.service
%postun -p /sbin/ldconfig
%files -f polkit-1.lang
%doc COPYING NEWS.md README.md
%defattr(-,root,root,-)
%doc COPYING
%{_libdir}/lib*.so.*
%dir %{_libdir}/polkit-1
%dir %{_libdir}/polkit-1/extensions
%{_libdir}/polkit-1/extensions/*.so
%{_datadir}/man/man1/*
%{_datadir}/man/man8/*
%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
%{_datadir}/dbus-1/system-services/*
%{_unitdir}/polkit.service
%dir %{_datadir}/polkit-1/
%dir %{_datadir}/polkit-1/actions
%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
%{_datadir}/polkit-1/policyconfig-1.dtd
%dir %{_sysconfdir}/polkit-1
%{_datadir}/polkit-1/rules.d/50-default.rules
%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
%{_sysconfdir}/pam.d/polkit-1
%{_sysconfdir}/polkit-1
%{_bindir}/pkaction
%{_bindir}/pkcheck
%{_bindir}/pkttyagent
%dir %{_prefix}/lib/polkit-1
%{_prefix}/lib/polkit-1/polkitd
%dir %{_libexecdir}/polkit-1
%{_libexecdir}/polkit-1/polkitd
%{_libdir}/girepository-1.0/*.typelib
# see upstream docs for why these permissions are necessary
%attr(4755,root,root) %{_bindir}/pkexec
%attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1
%attr(4755,root,root) %{_libexecdir}/polkit-1/polkit-agent-helper-1
%attr(0700,root,root) %dir %{_localstatedir}/lib/polkit-1/
%dir %{_localstatedir}/lib/polkit-1/localauthority
%dir %{_localstatedir}/lib/polkit-1/localauthority/10-vendor.d
%dir %{_localstatedir}/lib/polkit-1/localauthority/20-org.d
%dir %{_localstatedir}/lib/polkit-1/localauthority/30-site.d
%dir %{_localstatedir}/lib/polkit-1/localauthority/50-local.d
%dir %{_localstatedir}/lib/polkit-1/localauthority/90-mandatory.d
%files devel
%defattr(-,root,root,-)
%{_libdir}/lib*.so
%{_libdir}/pkgconfig/*.pc
%{_datadir}/gir-1.0/*.gir
%{_includedir}/*
%{_datadir}/gettext/its/polkit.its
%{_datadir}/gettext/its/polkit.loc
%{_bindir}/pk-example-frobnicate
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
%files docs
%defattr(-,root,root,-)
%{_datadir}/gtk-doc
%ldconfig_scriptlets libs
%files libs
%{_libdir}/lib*.so.*
%{_libdir}/girepository-1.0/*.typelib
%changelog
* Wed Feb 08 2023 Jan Rybar <jrybar@redhat.com> - 122-4
- Switch 'polkitd' to static UID/GID (fpc#1189) (on behalf of lucab)
- Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2104615
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 122-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec 16 2022 František Zatloukal <fzatlouk@redhat.com> - 122-2
- Rebuilt for duktape 2.7.0
* Wed Oct 26 2022 Vincent Mihalkovic <vmihalko@redhat.com> - 122-1
- rebase to 122
* Mon Aug 15 2022 Jan Rybar <jrybar@redhat.com> - 121-4
- duktape re-enabled
* Tue Aug 02 2022 Jan Rybar <jrybar@redhat.com> - 121-3
- switched back to mozjs until problems with duktape are fixed
- Related: bz#2109145
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 121-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jul 12 2022 Jan Rybar <jrybar@redhat.com> - 121-1
- Rebase to v.121
* Sun Feb 20 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 0.120-5
- switch to mozjs91
* Wed Feb 16 2022 Jan Rybar <jrybar@redhat.com> - 0.120-4
- file descriptor exhaustion (GHSL-2021-077)
- Resolves: CVE-2021-4115
* Wed Jan 26 2022 Timothée Ravier <tim@siosm.fr> - 0.120-3
- Fix for CVE-2021-4034
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.120-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Oct 06 2021 Pete Walter <pwalter@fedoraproject.org> - 0.120-1
- Update to 0.120
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.118-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu May 20 2021 Jan Rybar <jrybar@redhat.com> - 0.118-2
- CVE-2021-3560 mitigation
- Resolves: CVE-2021-3560
* Mon Apr 26 2021 Jan Rybar <jrybar@redhat.com> - 0.118-1
- rebase to 0.118
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.117-4
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.117-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Aug 12 2020 Jan Rybar <jrybar@redhat.com> - 0.117-2
- update dependency to mozjs78
* Fri Jul 31 2020 Jan Rybar <jrybar@redhat.com> - 0.117-1
- Rebased to polkit-0.117
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 22 2020 Tom Stellard <tstellar@redhat.com> - 0.116-8
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Oct 25 2019 Jan Rybar <jrybar@redhat.com> - 0.116-6
- jsauthority memleak fix
* Fri Sep 27 2019 Jan Rybar <jrybar@redhat.com> - 0.116-5
- pkttyagent: unread input flushed on terminal restore
* Sun Sep 08 2019 Kalev Lember <klember@redhat.com> - 0.116-4
- Rebuilt for mozjs60 s390x fixes
* Fri Aug 02 2019 Jan Rybar <jrybar@redhat.com> - 0.116-3
- pkttyagent: backport patch, get SIGTTOU in background job
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 02 2019 Pete Walter <pwalter@fedoraproject.org> - 0.116-1
- Update to 0.116
* Thu Feb 14 2019 Jan Rybar <jrybar@redhat.com> - 0.115-11
- pkttyagent: PolkitAgentTextListener leaves echo tty disabled if SIGINT/SIGTERM
* Fri Feb 08 2019 Pete Walter <pwalter@fedoraproject.org> - 0.115-10
- Move to mozjs60
* Tue Feb 05 2019 Jan Rybar <jrybar@redhat.com> - 0.115-9
- Allow uid=-1 for PolkitUnixProcess
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.115-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Jan 08 2019 Colin Walters <walters@verbum.org> - 0.115-7
- Add security fix for
https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
* Fri Dec 07 2018 Jan Rybar <jrybar@redhat.com> - 0.115-6
- Fix of CVE-2018-19788, priv escalation with high UIDs
- Resolves: rhbz#1655926
* Thu Sep 27 2018 Owen Taylor <otaylor@redhat.com> - 0.115-5
- Fix installation with prefix != /usr
* Mon Aug 13 2018 Jan Rybar <jrybar@redhat.com> - 0.115-4
- Leaking zombie processess started by rules
* Fri Jul 20 2018 Jan Rybar <jrybar@redhat.com> - 0.115-3
- Warning raised by polkit when disconnected from ssh
- polkitagentlistener: resource leak - pointer to 'server'
- Error message raised on every 'systemctl start' in emergency.target
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.115-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 10 2018 Miloslav Trmač <mitr@redhat.com> - 0.115-1
- Update to 0.115 (CVE-2018-1116)
* Tue Apr 03 2018 Ray Strode <rstrode@redhat.com> - 0.114-1
- Update to 0.114
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Apr 13 2017 Richard Hughes <rhughes@redhat.com> - 0.113-13
- Add the its files from upstream.
* Tue Apr 4 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-12
- Fix a memory leak in PolkitPermission.
Patch by Rui Matos <tiagomatos@gmail.com>
Resolves: #1433915
* Tue Apr 4 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-11
- Revert back to the state in 0.113-7, undoing the untested changes.
* Tue Apr 4 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.113-10
- Move to an upstream snapshot, rebase patches
* Fri Mar 31 2017 Rex Dieter <rdieter@fedoraproject.org> - 0.113-9
- restore Provides: polkit-desktop-policy polkit-js-engine
* Thu Mar 30 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.113-8
- Use %%license, license needs to be in -libs as it's the only guaranteed installed package
- Move to mozjs38
- Other upstream fixes
- Spec cleanups
* Mon Feb 13 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-7
- Fix memory leaks when calling authentication agents
Resolves: #1380166
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jul 14 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-4
- Bump the Obsoletes: to < 0.113-3 to account for the non-split 0.113-2.fc21
Resolves: #1243004
* Sun Jul 12 2015 Rex Dieter <rdieter@fedoraproject.org> 0.113-3
- Obsoletes: polkit < 0.112-8 (handle multilib upgrade path)
* Fri Jul 10 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-2
- Add a fully versioned dependency from polkit to polkit-libs
Resolves: #1241759
- Require polkit-libs, not polkit, in polkit-devel
* Thu Jul 2 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-1
- Update to polkit-0.113 (CVE-2015-3218, CVE-2015-3255, CVE-2015-3256,
CVE-2015-4625)
Resolves: #910262, #1175061, #1177930, #1194391, #1228739, #1233810
* Fri Jun 19 2015 Miloslav Trmač <mitr@redhat.com> - 0.112-11
- Add BuildRequires: systemd so that %%{_unitdir} is defined, to fix the build.
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Sun Jan 25 2015 Rex Dieter <rdieter@fedoraproject.org> - 0.112-9
- polkit doesn't release reference counters of GVariant data (#1180886)
- fix ldconfig scriptlets (move to -libs subpkg)
* Sat Nov 08 2014 Colin Walters <walters@redhat.com> - 0.112-8
- Split separate -libs package, so that NetworkManager can just depend on
that, without dragging in the daemon (as well as libmozjs17). This
allows the creation of more minimal systems that want programs like NM,
but do not need the configurability of the daemon; it would be ok if only
root is authorized.
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Jul 22 2014 Kalev Lember <kalevlember@gmail.com> - 0.112-6
- Rebuilt for gobject-introspection 1.41.4
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Jun 5 2014 Kay Sievers <kay@redhat.com> - 0.112-4
- backport upstream D-Bus "user bus" changes
* Mon Feb 10 2014 Miloslav Trmač <mitr@redhat.com> - 0.112-3
- Fix a PolkitAgentSession race condition
Resolves: #1063193
* Sat Dec 7 2013 Miloslav Trmač <mitr@redhat.com> - 0.112-2
- Workaround pam_systemd setting broken XDG_RUNTIME_DIR
Resolves: #1033774
- Always use mozjs-17.0 even if js-devel is installed
* Wed Sep 18 2013 Miloslav Trmač <mitr@redhat.com> - 0.112-1
- Update to polkit-0.112
- Resolves: #1009538, CVE-2013-4288
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.111-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed May 29 2013 Tomas Bzatek <tbzatek@redhat.com> - 0.111-2
- Fix a race on PolkitSubject type registration (#866718)
* Wed May 15 2013 Miloslav Trmač <mitr@redhat.com> - 0.111-1
- Update to polkit-0.111
Resolves: #917888
- Use SpiderMonkey from mozjs17 instead of js
- Ship the signature in the srpm
- Try to preserve timestamps in (make install)
* Fri May 10 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-4
- Shut up rpmlint about Summary:
- Build with V=1
- Use %%{_unitdir} instead of hard-coding the path
- Use the new systemd macros, primarily to run (systemctl daemon-reload)
Resolves: #857382
* Fri May 10 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-4
- Make the JavaScript engine mandatory. The polkit-js-engine package has been
removed, main polkit package Provides:polkit-js-engine for compatibility.
- Add Requires: polkit-pkla-compat
Resolves: #908808
* Wed Feb 13 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-3
- Don't ship pk-example-frobnicate in the "live" configuration
Resolves: #878112
* Fri Feb 8 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-2
- Own %%{_docdir}/polkit-js-engine-*
Resolves: #907668
* Wed Jan 9 2013 David Zeuthen <davidz@redhat.com> - 0.110-1%{?dist}
- Update to upstream release 0.110
* Mon Jan 7 2013 Matthias Clasen <mclasen@redhat.com> - 0.109-2%{?dist}
- Build with pie and stuff
* Wed Dec 19 2012 David Zeuthen <davidz@redhat.com> 0.109-1%{?dist}
- Update to upstream release 0.109
- Drop upstreamed patches
* Thu Nov 15 2012 David Zeuthen <davidz@redhat.com> 0.108-3%{?dist}
- Attempt to open the correct libmozjs185 library, otherwise polkit
authz rules will not work unless js-devel is installed (fdo #57146)
* Wed Nov 14 2012 David Zeuthen <davidz@redhat.com> 0.108-2%{?dist}
- Include gmodule-2.0 to avoid build error
* Wed Nov 14 2012 David Zeuthen <davidz@redhat.com> 0.108-1%{?dist}
- Update to upstream release 0.108
- Drop upstreamed patches
- This release dynamically loads the JavaScript interpreter and can
cope with it not being available. In this case, polkit authorization
rules are not processed and the defaults for an action - as defined
in its .policy file - are used for authorization decisions.
- Add new meta-package, polkit-js-engine, that pulls in the required
JavaScript bits to make polkit authorization rules work. The default
install - not the minimal install - should include this package
* Wed Oct 10 2012 Adam Jackson <ajax@redhat.com> 0.107-4
- Don't crash if initializing the server object fails
* Tue Sep 18 2012 David Zeuthen <davidz@redhat.com> 0.107-3%{?dist}
- Authenticate as root if e.g. the wheel group is empty (#834494)
* Fri Jul 27 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.107-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Wed Jul 11 2012 David Zeuthen <davidz@redhat.com> 0.107-1%{?dist}
- Update to upstream release 0.107
* Fri Jun 29 2012 David Zeuthen <davidz@redhat.com> 0.106-2%{?dist}
- Add forgotten Requires(pre): shadow-utils
* Thu Jun 07 2012 David Zeuthen <davidz@redhat.com> 0.106-1%{?dist}
- Update to upstream release 0.106
- Authorizations are no longer controlled by .pkla files - from now
on, use the new .rules files described in the polkit(8) man page
* Tue Apr 24 2012 David Zeuthen <davidz@redhat.com> 0.105-1%{?dist}
- Update to upstream release 0.105
- Nuke patches that are now upstream
- Change 'PolicyKit' to 'polkit' in summary and descriptions
* Thu Mar 08 2012 David Zeuthen <davidz@redhat.com> 0.104-6%{?dist}
- Don't leak file descriptors (bgo #671486)
* Mon Feb 13 2012 Matthias Clasen <mclasen@redhat.com> - 0.104-5%{?dist}
- Make the -docs subpackage noarch
* Mon Feb 06 2012 David Zeuthen <davidz@redhat.com> 0.104-4%{?dist}
- Set error if we cannot obtain a PolkitUnixSession for a given PID (#787222)
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.104-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Jan 03 2012 David Zeuthen <davidz@redhat.com> 0.104-2%{?dist}
- Nuke the ConsoleKit run-time requirement
* Tue Jan 03 2012 David Zeuthen <davidz@redhat.com> 0.104-1%{?dist}
- Update to upstream release 0.104
- Force usage of systemd (instead of ConsoleKit) for session tracking
* Tue Dec 06 2011 David Zeuthen <davidz@redhat.com> 0.103-1%{?dist}
- Update to upstream release 0.103
- Drop upstreamed patch
@ -514,7 +136,7 @@ exit 0
- Add patch to neuter the annoying systemd behavior where stdout/stderr
is sent to the system logs
* Thu Aug 04 2011 David Zeuthen <davidz@redhat.com> 0.102-1
* Fri Aug 04 2011 David Zeuthen <davidz@redhat.com> 0.102-1
- Update to 0.102 release
* Fri May 13 2011 Bastien Nocera <bnocera@redhat.com> 0.101-7
@ -551,7 +173,7 @@ exit 0
* Fri Jan 28 2011 Matthias Clasen <mclasen@redhat.com> - 0.98-6
- Own /usr/libexec/polkit-1
* Fri Nov 12 2010 Matthias Clasen <mclasen@redhat.com> - 0.98-5
* Fri Nov 14 2010 Matthias Clasen <mclasen@redhat.com> - 0.98-5
- Enable introspection
* Thu Sep 02 2010 David Zeuthen <davidz@redhat.com> - 0.98-4

2
sources
View File

@ -1 +1 @@
SHA512 (polkit-122.tar.gz) = 6f537b218133777c1a9ef6b38296b4e17263d86b783acce4ce895ef3b507bb1b482d4b88bc410ab8846ce7cc7b84e82c4109f80f535190a351d7d2683b8608f3
aaacf2ef18774ea8a825a426a7cfe763 polkit-0.103.tar.gz