sys-auth/polkit: sync with ::gentoo

Ref-Commit: 4dbf4f80da2ee7c5e3325d4f25512dc0ed1a4b48

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/Manifest

@@ -1 +1,3 @@
+DIST polkit-0.117.tar.gz 1554536 BLAKE2B 1cf7e0ff9db19a29be626f4bea96c9e2ef8b1eab4b8287a5f1f4d2a818b86d58c1c4c4a41849d95e31559dba1b18853a31e934ebbadd8e07f94dfd58b45240e0 SHA512 c10ea984f2386fe436e58a2866e5323afc80d24f744f0ee61d966941259aa491bd96b07d911434aa731b300c3cca25b647804b396501175ab5b3c53384e94c70
 DIST polkit-0.119.tar.gz 1387409 BLAKE2B aeb605598393d1cab40f7c77954008a0392600584c5fe8cc9acaa0e122418ee48b9cce0b6839189ea415277ff0ae4dbd5b7c71cb910aa349dcaf7e1f3f70ef06 SHA512 0260fb15da1c4c1f429e8223260981e64e297f1be8ced42f6910f09ea6581b8205aca06c9c601eb4a128acba2f468de0223118f96862ba769f95721894cf1578
+DIST polkit-0.120.tar.gz 1626659 BLAKE2B 745727445b4946d44b8ea470d21ac131ca7706e83f5dbaf85cf3541ac60a1bbe23b3bf3172a62d9256ebb3dae02d2b2d476e3e0f7fe79a80c47864a120e62ed9 SHA512 db072769439d5e17d0eed681e7b94251b77828c1474b40fe40b94293903a64333e7fa17515a3270648691f04a1374d8b404405ead6abf292a8eb8483164adc46

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.117-CVE-2021-3560.patch

@@ -0,0 +1,29 @@
+https://bugs.gentoo.org/794052
+
+From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Wed, 2 Jun 2021 15:43:38 +0200
+Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
+
+initial values returned if error caught
+---
+ src/polkit/polkitsystembusname.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12c..8ed1363 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+     g_main_context_iteration (tmp_context, TRUE);
+ 
++  if (data.caught_error)
++    goto out;
++
+   if (out_uid)
+     *out_uid = data.uid;
+   if (out_pid)
+-- 
+GitLab
+

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.120-CVE-2021-4043.patch

@@ -0,0 +1,72 @@
+https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+https://bugs.gentoo.org/832057
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
+
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+ 
++  if (argc < 1)
++    {
++      exit(126);
++    }
++
+   /* Disable remote file access from GIO. */
+   setenv ("GIO_USE_VFS", "local", 1);
+ 
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+ 
++
++  /*
++   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++   */
++  if (argc<1)
++    {
++      exit(127);
++    }
++
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+ 
+       path = g_strdup (pwstruct.pw_shell);
+       if (!path)
+-	{
++        {
+           g_printerr ("No shell configured or error retrieving pw_shell\n");
+           goto out;
+-	}
++        }
+       /* If you change this, be sure to change the if (!command_line)
+ 	 case below too */
+       command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
++      path = s;
++
++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++       */
++      if (argv[n] != NULL)
++      {
++        argv[n] = path;
++      }
+     }
+   if (access (path, F_OK) != 0)
+     {
+GitLab

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.120-meson.patch

@@ -0,0 +1,42 @@
+From e7f3d9e8341df64e2abc3910dafb1113a84bff07 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Mon, 25 Oct 2021 20:21:27 +0100
+Subject: [PATCH] Don't pass positional parameters to i18n.merge_file
+
+These were always ignored, and Meson 0.60.0 disallowed them.
+
+Resolves: https://gitlab.freedesktop.org/polkit/polkit/-/issues/160
+Reference: https://github.com/mesonbuild/meson/pull/9445
+Signed-off-by: Simon McVittie <smcv@debian.org>
+---
+ actions/meson.build      | 1 -
+ src/examples/meson.build | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/actions/meson.build b/actions/meson.build
+index 2abaaf3..1e3f370 100644
+--- a/actions/meson.build
++++ b/actions/meson.build
+@@ -1,7 +1,6 @@
+ policy = 'org.freedesktop.policykit.policy'
+ 
+ i18n.merge_file(
+-  policy,
+   input: policy + '.in',
+   output: '@BASENAME@',
+   po_dir: po_dir,
+diff --git a/src/examples/meson.build b/src/examples/meson.build
+index c6305ab..8c18de5 100644
+--- a/src/examples/meson.build
++++ b/src/examples/meson.build
+@@ -1,7 +1,6 @@
+ policy = 'org.freedesktop.policykit.examples.pkexec.policy'
+ 
+ i18n.merge_file(
+-  policy,
+   input: policy + '.in',
+   output: '@BASENAME@',
+   po_dir: po_dir,
+-- 
+GitLab
+

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit.conf

@@ -1,3 +0,0 @@
-d   /etc/polkit-1           -       -       -       -   -
-d   /etc/polkit-1/rules.d   0700    polkitd root    -   -
-d   /var/lib/polkit-1       0700    polkitd polkitd -   -

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/metadata.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="project">
 		<email>freedesktop-bugs@gentoo.org</email>

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.117-r2.ebuild

@@ -0,0 +1,133 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools pam pax-utils systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
+SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 arm ~arm64 ~hppa ~ia64 ~mips ppc ~ppc64 ~s390 sparc ~x86"
+IUSE="elogind examples gtk +introspection kde nls pam selinux systemd test"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="^^ ( elogind systemd )"
+
+BDEPEND="
+	acct-user/polkitd
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/docbook-xsl-stylesheets
+	dev-libs/glib
+	dev-libs/gobject-introspection-common
+	dev-libs/libxslt
+	dev-util/glib-utils
+	dev-util/gtk-doc-am
+	dev-util/intltool
+	sys-devel/gettext
+	virtual/pkgconfig
+	introspection? ( dev-libs/gobject-introspection )
+"
+DEPEND="
+	dev-lang/spidermonkey:68[-debug]
+	dev-libs/glib:2
+	dev-libs/expat
+	elogind? ( sys-auth/elogind )
+	pam? (
+		sys-auth/pambase
+		sys-libs/pam
+	)
+	!pam? ( virtual/libcrypt:= )
+	systemd? ( sys-apps/systemd:0=[policykit] )
+"
+RDEPEND="${DEPEND}
+	acct-user/polkitd
+	selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+	gtk? ( || (
+		>=gnome-extra/polkit-gnome-0.105
+		>=lxde-base/lxsession-0.5.2
+	) )
+	kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING NEWS README )
+
+PATCHES=(
+	# bug 660880
+	"${FILESDIR}"/polkit-0.115-elogind.patch
+)
+
+QA_MULTILIB_PATHS="
+	usr/lib/polkit-1/polkit-agent-helper-1
+	usr/lib/polkit-1/polkitd"
+
+src_prepare() {
+	default
+
+	sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+
+	# Workaround upstream hack around standard gtk-doc behavior, bug #552170
+	sed -i -e 's/@ENABLE_GTK_DOC_TRUE@\(TARGET_DIR\)/\1/' \
+		-e '/install-data-local:/,/uninstall-local:/ s/@ENABLE_GTK_DOC_TRUE@//' \
+		-e 's/@ENABLE_GTK_DOC_FALSE@install-data-local://' \
+		docs/polkit/Makefile.in || die
+
+	# disable broken test - bug #624022
+	sed -i -e "/^SUBDIRS/s/polkitbackend//" test/Makefile.am || die
+
+	# Fix cross-building, bug #590764, elogind patch, bug #598615
+	eautoreconf
+}
+
+src_configure() {
+	xdg_environment_reset
+
+	local myeconfargs=(
+		--localstatedir="${EPREFIX}"/var
+		--disable-static
+		--enable-man-pages
+		--disable-gtk-doc
+		--disable-examples
+		$(use_enable elogind libelogind)
+		$(use_enable introspection)
+		$(use_enable nls)
+		$(usex pam "--with-pam-module-dir=$(getpam_mod_dir)" '')
+		--with-authfw=$(usex pam pam shadow)
+		$(use_enable systemd libsystemd-login)
+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+		$(use_enable test)
+		--with-os-type=gentoo
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	default
+
+	# Required for polkitd on hardened/PaX due to spidermonkey's JIT
+	pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+	default
+
+	if use examples; then
+		docinto examples
+		dodoc src/examples/{*.c,*.policy*}
+	fi
+
+	diropts -m 0700 -o polkitd
+	keepdir /usr/share/polkit-1/rules.d
+
+	find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.117-r3.ebuild

@@ -0,0 +1,136 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools pam pax-utils systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
+SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="elogind examples gtk +introspection kde nls pam selinux systemd test"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="^^ ( elogind systemd )"
+
+BDEPEND="
+	acct-user/polkitd
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/docbook-xsl-stylesheets
+	dev-libs/glib
+	dev-libs/gobject-introspection-common
+	dev-libs/libxslt
+	dev-util/glib-utils
+	dev-util/gtk-doc-am
+	dev-util/intltool
+	sys-devel/gettext
+	virtual/pkgconfig
+	introspection? ( dev-libs/gobject-introspection )
+"
+DEPEND="
+	dev-lang/spidermonkey:68[-debug]
+	dev-libs/glib:2
+	dev-libs/expat
+	elogind? ( sys-auth/elogind )
+	pam? (
+		sys-auth/pambase
+		sys-libs/pam
+	)
+	!pam? ( virtual/libcrypt:= )
+	systemd? ( sys-apps/systemd:0=[policykit] )
+"
+RDEPEND="${DEPEND}
+	acct-user/polkitd
+	selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+	gtk? ( || (
+		>=gnome-extra/polkit-gnome-0.105
+		>=lxde-base/lxsession-0.5.2
+	) )
+	kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING NEWS README )
+
+PATCHES=(
+	# bug 660880
+	"${FILESDIR}"/polkit-0.115-elogind.patch
+
+	"${FILESDIR}"/polkit-0.117-CVE-2021-3560.patch
+	"${FILESDIR}"/polkit-0.120-CVE-2021-4043.patch
+)
+
+QA_MULTILIB_PATHS="
+	usr/lib/polkit-1/polkit-agent-helper-1
+	usr/lib/polkit-1/polkitd"
+
+src_prepare() {
+	default
+
+	sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+
+	# Workaround upstream hack around standard gtk-doc behavior, bug #552170
+	sed -i -e 's/@ENABLE_GTK_DOC_TRUE@\(TARGET_DIR\)/\1/' \
+		-e '/install-data-local:/,/uninstall-local:/ s/@ENABLE_GTK_DOC_TRUE@//' \
+		-e 's/@ENABLE_GTK_DOC_FALSE@install-data-local://' \
+		docs/polkit/Makefile.in || die
+
+	# disable broken test - bug #624022
+	sed -i -e "/^SUBDIRS/s/polkitbackend//" test/Makefile.am || die
+
+	# Fix cross-building, bug #590764, elogind patch, bug #598615
+	eautoreconf
+}
+
+src_configure() {
+	xdg_environment_reset
+
+	local myeconfargs=(
+		--localstatedir="${EPREFIX}"/var
+		--disable-static
+		--enable-man-pages
+		--disable-gtk-doc
+		--disable-examples
+		$(use_enable elogind libelogind)
+		$(use_enable introspection)
+		$(use_enable nls)
+		$(usex pam "--with-pam-module-dir=$(getpam_mod_dir)" '')
+		--with-authfw=$(usex pam pam shadow)
+		$(use_enable systemd libsystemd-login)
+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+		$(use_enable test)
+		--with-os-type=gentoo
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	default
+
+	# Required for polkitd on hardened/PaX due to spidermonkey's JIT
+	pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+	default
+
+	if use examples; then
+		docinto examples
+		dodoc src/examples/{*.c,*.policy*}
+	fi
+
+	diropts -m 0700 -o polkitd
+	keepdir /usr/share/polkit-1/rules.d
+
+	find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild

@@ -3,8 +3,7 @@
 
 EAPI=7
 
-TMPFILES_OPTIONAL=1
+inherit autotools pam pax-utils systemd xdg-utils
-inherit autotools pam pax-utils systemd xdg-utils tmpfiles
 
 DESCRIPTION="Policy framework for controlling privileges for system-wide services"
 HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
@@ -33,7 +32,7 @@ BDEPEND="
 	introspection? ( dev-libs/gobject-introspection )
 "
 DEPEND="
-	dev-lang/duktape
+	dev-lang/spidermonkey:78[-debug]
 	dev-libs/glib:2
 	dev-libs/expat
 	elogind? ( sys-auth/elogind )
@@ -60,9 +59,6 @@ DOCS=( docs/TODO HACKING NEWS README )
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-0.115-elogind.patch # bug 660880
-
-	# from https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
-	"${FILESDIR}"/35_WIP_Add_duktape_as_javascript_engine.patch
 )
 
 QA_MULTILIB_PATHS="
@@ -96,7 +92,6 @@ src_configure() {
 		--enable-man-pages
 		--disable-gtk-doc
 		--disable-examples
-		--with-duktape
 		$(use_enable elogind libelogind)
 		$(use_enable introspection)
 		$(use_enable nls)
@@ -120,16 +115,6 @@ src_compile() {
 src_install() {
 	default
 
-	dodir /usr/share/polkit-1/rules.d
-	dodir /usr/lib/pam.d
-
-	mv "${D}"/{etc,usr/share}/polkit-1/rules.d/50-default.rules || die
-	mv "${D}"/{etc,usr/lib}/pam.d/polkit-1 || die
-	rmdir "${D}"/etc/polkit-1/rules.d "${D}"/etc/polkit-1 || die
-	rmdir "${D}"/etc/pam.d || die
-
-	dotmpfiles "${FILESDIR}/polkit.conf"
-
 	if use examples; then
 		docinto examples
 		dodoc src/examples/{*.c,*.policy*}
@@ -140,3 +125,8 @@ src_install() {
 
 	find "${ED}" -name '*.la' -delete || die
 }
+
+pkg_postinst() {
+	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.120-r1.ebuild

@@ -0,0 +1,119 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit meson pam pax-utils systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
+SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm arm64 ~mips ppc64 ~riscv ~s390 x86"
+IUSE="examples gtk +introspection kde pam selinux systemd test"
+#RESTRICT="!test? ( test )"
+# Tests currently don't work with meson. See
+#   https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
+RESTRICT="test"
+
+BDEPEND="
+	acct-user/polkitd
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/docbook-xsl-stylesheets
+	dev-libs/glib
+	dev-libs/gobject-introspection-common
+	dev-libs/libxslt
+	dev-util/glib-utils
+	sys-devel/gettext
+	virtual/pkgconfig
+	introspection? ( dev-libs/gobject-introspection )
+"
+DEPEND="
+	dev-lang/spidermonkey:78[-debug]
+	dev-libs/glib:2
+	dev-libs/expat
+	pam? (
+		sys-auth/pambase
+		sys-libs/pam
+	)
+	!pam? ( virtual/libcrypt:= )
+	systemd? ( sys-apps/systemd:0=[policykit] )
+	!systemd? ( sys-auth/elogind )
+"
+RDEPEND="${DEPEND}
+	acct-user/polkitd
+	selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+	gtk? ( || (
+		>=gnome-extra/polkit-gnome-0.105
+		>=lxde-base/lxsession-0.5.2
+	) )
+	kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING NEWS README )
+
+QA_MULTILIB_PATHS="
+	usr/lib/polkit-1/polkit-agent-helper-1
+	usr/lib/polkit-1/polkitd"
+
+src_prepare() {
+	local PATCHES=(
+		"${FILESDIR}/polkit-0.120-meson.patch"
+	)
+	default
+
+	sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+}
+
+src_configure() {
+	xdg_environment_reset
+
+	local emesonargs=(
+		--localstatedir="${EPREFIX}"/var
+		-Dauthfw="$(usex pam pam shadow)"
+		-Dexamples=false
+		-Dgtk_doc=false
+		-Dman=true
+		-Dos_type=gentoo
+		-Dsession_tracking="$(usex systemd libsystemd-login libelogind)"
+		-Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
+		$(meson_use introspection)
+		$(meson_use test tests)
+		$(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '')
+	)
+	meson_src_configure
+}
+
+src_compile() {
+	meson_src_compile
+
+	# Required for polkitd on hardened/PaX due to spidermonkey's JIT
+	pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+	meson_src_install
+
+	if use examples ; then
+		docinto examples
+		dodoc src/examples/{*.c,*.policy*}
+	fi
+
+	diropts -m 0700 -o polkitd
+	keepdir /usr/share/polkit-1/rules.d
+
+	# meson does not install required files with SUID bit. See
+	#  https://bugs.gentoo.org/816393
+	# Remove the following lines once this has been fixed by upstream
+	fperms u+s /usr/bin/pkexec
+	fperms u+s /usr/lib/polkit-1/polkit-agent-helper-1
+}
+
+pkg_postinst() {
+	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.120-r2.ebuild

@@ -0,0 +1,121 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit meson pam pax-utils systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
+SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm arm64 ~mips ppc64 ~riscv ~s390 x86"
+IUSE="examples gtk +introspection kde pam selinux systemd test"
+#RESTRICT="!test? ( test )"
+# Tests currently don't work with meson. See
+#   https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
+RESTRICT="test"
+
+BDEPEND="
+	acct-user/polkitd
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/docbook-xsl-stylesheets
+	dev-libs/glib
+	dev-libs/gobject-introspection-common
+	dev-libs/libxslt
+	dev-util/glib-utils
+	sys-devel/gettext
+	virtual/pkgconfig
+	introspection? ( dev-libs/gobject-introspection )
+"
+DEPEND="
+	dev-lang/spidermonkey:78[-debug]
+	dev-libs/glib:2
+	dev-libs/expat
+	pam? (
+		sys-auth/pambase
+		sys-libs/pam
+	)
+	!pam? ( virtual/libcrypt:= )
+	systemd? ( sys-apps/systemd:0=[policykit] )
+	!systemd? ( sys-auth/elogind )
+"
+RDEPEND="${DEPEND}
+	acct-user/polkitd
+	selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+	gtk? ( || (
+		>=gnome-extra/polkit-gnome-0.105
+		>=lxde-base/lxsession-0.5.2
+	) )
+	kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING NEWS README )
+
+QA_MULTILIB_PATHS="
+	usr/lib/polkit-1/polkit-agent-helper-1
+	usr/lib/polkit-1/polkitd"
+
+src_prepare() {
+	local PATCHES=(
+		"${FILESDIR}/polkit-0.120-meson.patch"
+		"${FILESDIR}/polkit-0.120-CVE-2021-4043.patch"
+	)
+	default
+
+	sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+}
+
+src_configure() {
+	xdg_environment_reset
+
+	local emesonargs=(
+		--localstatedir="${EPREFIX}"/var
+		-Dauthfw="$(usex pam pam shadow)"
+		-Dexamples=false
+		-Dgtk_doc=false
+		-Dman=true
+		-Dos_type=gentoo
+		-Dsession_tracking="$(usex systemd libsystemd-login libelogind)"
+		-Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
+		$(meson_use introspection)
+		$(meson_use test tests)
+		$(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '')
+	)
+	meson_src_configure
+}
+
+src_compile() {
+	meson_src_compile
+
+	# Required for polkitd on hardened/PaX due to spidermonkey's JIT
+	pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+	meson_src_install
+
+	if use examples ; then
+		docinto examples
+		dodoc src/examples/{*.c,*.policy*}
+	fi
+
+	diropts -m 0700 -o polkitd
+	keepdir /usr/share/polkit-1/rules.d
+
+	# meson does not install required files with SUID bit. See
+	#  https://bugs.gentoo.org/816393
+	# Remove the following lines once this has been fixed by upstream
+	# (should be fixed in next release: https://gitlab.freedesktop.org/polkit/polkit/-/commit/4ff1abe4a4c1f8c8378b9eaddb0346ac6448abd8)
+	fperms u+s /usr/bin/pkexec
+	fperms u+s /usr/lib/polkit-1/polkit-agent-helper-1
+}
+
+pkg_postinst() {
+	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}