Merge pull request #2130 from flatcar-linux/krnowak/polkit

sys-auth/polkit: Update to 121

sdk_container/src/third_party/coreos-overlay/changelog/security/2022-09-06-polkit.md

@@ -0,0 +1 @@
+- polkit ([CVE-2021-4115](https://nvd.nist.gov/vuln/detail/CVE-2021-4115))

sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-09-06-polkit.md

@@ -0,0 +1 @@
+- polkit ([121](https://gitlab.freedesktop.org/polkit/polkit/-/commit/827b0ddac5b1ef00a47fca4526fcf057bee5f1db))

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords

@@ -43,9 +43,6 @@
 =app-editors/vim-8.2.5066-r1 ~amd64 ~arm64
 =app-editors/vim-core-8.2.5066-r1 ~amd64 ~arm64
 
-# Duktape is not yet stable
-=dev-lang/duktape-2.7.0-r1 ~amd64 ~arm64
-
 # FIPS support is still being tested
 =sys-fs/cryptsetup-2.4.3-r1 ~amd64 ~arm64
 

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/Manifest

@@ -1 +1 @@
-DIST polkit-0.120.tar.gz 1626659 BLAKE2B 745727445b4946d44b8ea470d21ac131ca7706e83f5dbaf85cf3541ac60a1bbe23b3bf3172a62d9256ebb3dae02d2b2d476e3e0f7fe79a80c47864a120e62ed9 SHA512 db072769439d5e17d0eed681e7b94251b77828c1474b40fe40b94293903a64333e7fa17515a3270648691f04a1374d8b404405ead6abf292a8eb8483164adc46
+DIST polkit-121.tar.gz 743287 BLAKE2B 6ebda8fc866ef960281ef912a3d3c45572da3ba90a84026e386b78ced8eaadc6cfc0e88d6e5a75133bf99e28041f8b29b236bb0e9666dd1ffc43af2227a5cb2d SHA512 f565027b80f32833c558900b612e089ab25027da5bf9a90c421a292467d4db9a291f6dc9850c4bca8f9ee890d476fd064a643a5f7e28497661ba1e31d4227624

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.120-CVE-2021-4034.patch

@@ -1,72 +0,0 @@
-https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
-https://bugs.gentoo.org/832057
-https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
-
-From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
-From: Jan Rybar <jrybar@redhat.com>
-Date: Tue, 25 Jan 2022 17:21:46 +0000
-Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
-
---- a/src/programs/pkcheck.c
-+++ b/src/programs/pkcheck.c
-@@ -363,6 +363,11 @@ main (int argc, char *argv[])
-   local_agent_handle = NULL;
-   ret = 126;
- 
-+  if (argc < 1)
-+    {
-+      exit(126);
-+    }
-+
-   /* Disable remote file access from GIO. */
-   setenv ("GIO_USE_VFS", "local", 1);
- 
---- a/src/programs/pkexec.c
-+++ b/src/programs/pkexec.c
-@@ -488,6 +488,15 @@ main (int argc, char *argv[])
-   pid_t pid_of_caller;
-   gpointer local_agent_handle;
- 
-+
-+  /*
-+   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
-+   */
-+  if (argc<1)
-+    {
-+      exit(127);
-+    }
-+
-   ret = 127;
-   authority = NULL;
-   subject = NULL;
-@@ -614,10 +623,10 @@ main (int argc, char *argv[])
- 
-       path = g_strdup (pwstruct.pw_shell);
-       if (!path)
--	{
-+        {
-           g_printerr ("No shell configured or error retrieving pw_shell\n");
-           goto out;
--	}
-+        }
-       /* If you change this, be sure to change the if (!command_line)
- 	 case below too */
-       command_line = g_strdup (path);
-@@ -636,7 +645,15 @@ main (int argc, char *argv[])
-           goto out;
-         }
-       g_free (path);
--      argv[n] = path = s;
-+      path = s;
-+
-+      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
-+       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
-+       */
-+      if (argv[n] != NULL)
-+      {
-+        argv[n] = path;
-+      }
-     }
-   if (access (path, F_OK) != 0)
-     {
-GitLab

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.120-meson.patch

@@ -1,42 +0,0 @@
-From e7f3d9e8341df64e2abc3910dafb1113a84bff07 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@debian.org>
-Date: Mon, 25 Oct 2021 20:21:27 +0100
-Subject: [PATCH] Don't pass positional parameters to i18n.merge_file
-
-These were always ignored, and Meson 0.60.0 disallowed them.
-
-Resolves: https://gitlab.freedesktop.org/polkit/polkit/-/issues/160
-Reference: https://github.com/mesonbuild/meson/pull/9445
-Signed-off-by: Simon McVittie <smcv@debian.org>
----
- actions/meson.build      | 1 -
- src/examples/meson.build | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/actions/meson.build b/actions/meson.build
-index 2abaaf3..1e3f370 100644
---- a/actions/meson.build
-+++ b/actions/meson.build
-@@ -1,7 +1,6 @@
- policy = 'org.freedesktop.policykit.policy'
- 
- i18n.merge_file(
--  policy,
-   input: policy + '.in',
-   output: '@BASENAME@',
-   po_dir: po_dir,
-diff --git a/src/examples/meson.build b/src/examples/meson.build
-index c6305ab..8c18de5 100644
---- a/src/examples/meson.build
-+++ b/src/examples/meson.build
-@@ -1,7 +1,6 @@
- policy = 'org.freedesktop.policykit.examples.pkexec.policy'
- 
- i18n.merge_file(
--  policy,
-   input: policy + '.in',
-   output: '@BASENAME@',
-   po_dir: po_dir,
--- 
-GitLab
-

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.120_p20220509-make-netgroup-support-optional.patch

@@ -0,0 +1,231 @@
+Pulled in from https://github.com/gentoo/musl/blob/master/sys-auth/polkit/files/polkit-0.118-make-netgroup-support-optional.patch.
+
+https://bugs.gentoo.org/833753
+https://bugs.gentoo.org/561672
+https://bugs.freedesktop.org/show_bug.cgi?id=50145
+https://gitlab.freedesktop.org/polkit/polkit/-/issues/14
+
+Patch has been rebased a bit since but keeping original headers.
+
+From c7ad7cb3ca8fca32b9b64b0fc33867b98935b76b Mon Sep 17 00:00:00 2001
+From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
+Date: Wed, 11 Jul 2018 04:54:26 -0500
+Subject: [PATCH] make netgroup support optional
+
+On at least Linux/musl and Linux/uclibc, netgroup support is not
+available.  PolKit fails to compile on these systems for that reason.
+
+This change makes netgroup support conditional on the presence of the
+setnetgrent(3) function which is required for the support to work.  If
+that function is not available on the system, an error will be returned
+to the administrator if unix-netgroup: is specified in configuration.
+
+Fixes bug 50145.
+
+Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>
+--- a/meson.build
++++ b/meson.build
+@@ -89,6 +89,7 @@ config_h.set('_GNU_SOURCE', true)
+ check_functions = [
+   'clearenv',
+   'fdatasync',
++  'setnetgrent',
+ ]
+ 
+ foreach func: check_functions
+--- a/src/polkit/polkitidentity.c
++++ b/src/polkit/polkitidentity.c
+@@ -182,7 +182,15 @@ polkit_identity_from_string  (const gchar   *str,
+     }
+   else if (g_str_has_prefix (str, "unix-netgroup:"))
+     {
++#ifndef HAVE_SETNETGRENT
++      g_set_error (error,
++                   POLKIT_ERROR,
++                   POLKIT_ERROR_FAILED,
++                   "Netgroups are not available on this machine ('%s')",
++                   str);
++#else
+       identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1);
++#endif
+     }
+ 
+   if (identity == NULL && (error != NULL && *error == NULL))
+@@ -344,6 +352,14 @@ polkit_identity_new_for_gvariant (GVariant  *variant,
+       GVariant *v;
+       const char *name;
+ 
++#ifndef HAVE_SETNETGRENT
++      g_set_error (error,
++                   POLKIT_ERROR,
++                   POLKIT_ERROR_FAILED,
++                   "Netgroups are not available on this machine");
++      goto out;
++#else
++
+       v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
+       if (v == NULL)
+         {
+@@ -353,6 +369,7 @@ polkit_identity_new_for_gvariant (GVariant  *variant,
+       name = g_variant_get_string (v, NULL);
+       ret = polkit_unix_netgroup_new (name);
+       g_variant_unref (v);
++#endif
+     }
+   else
+     {
+--- a/src/polkit/polkitunixnetgroup.c
++++ b/src/polkit/polkitunixnetgroup.c
+@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group,
+ PolkitIdentity *
+ polkit_unix_netgroup_new (const gchar *name)
+ {
++#ifndef HAVE_SETNETGRENT
++  g_assert_not_reached();
++#endif
+   g_return_val_if_fail (name != NULL, NULL);
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
+                                        "name", name,
+--- a/src/polkitbackend/polkitbackendduktapeauthority.c
++++ b/src/polkitbackend/polkitbackendduktapeauthority.c
+@@ -1035,7 +1035,7 @@ js_polkit_user_is_in_netgroup (duk_context *cx)
+ 
+   user = duk_require_string (cx, 0);
+   netgroup = duk_require_string (cx, 1);
+-
++#ifdef HAVE_SETNETGRENT
+   if (innetgr (netgroup,
+                NULL,  /* host */
+                user,
+@@ -1043,7 +1043,7 @@ js_polkit_user_is_in_netgroup (duk_context *cx)
+     {
+       is_in_netgroup = TRUE;
+     }
+-
++#endif
+   duk_push_boolean (cx, is_in_netgroup);
+   return 1;
+ }
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -2248,25 +2248,26 @@ get_users_in_net_group (PolkitIdentity                    *group,
+   GList *ret;
+ 
+   ret = NULL;
++#ifdef HAVE_SETNETGRENT
+   name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group));
+ 
+-#ifdef HAVE_SETNETGRENT_RETURN
++# ifdef HAVE_SETNETGRENT_RETURN
+   if (setnetgrent (name) == 0)
+     {
+       g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno));
+       goto out;
+     }
+-#else
++# else
+   setnetgrent (name);
+-#endif
++# endif /* HAVE_SETNETGRENT_RETURN */
+ 
+   for (;;)
+     {
+-#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
++# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
+       const char *hostname, *username, *domainname;
+-#else
++# else
+       char *hostname, *username, *domainname;
+-#endif
++# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */
+       PolkitIdentity *user;
+       GError *error = NULL;
+ 
+@@ -2297,6 +2298,7 @@ get_users_in_net_group (PolkitIdentity                    *group,
+ 
+  out:
+   endnetgrent ();
++#endif /* HAVE_SETNETGRENT */
+   return ret;
+ }
+ 
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -1271,6 +1271,7 @@ js_polkit_user_is_in_netgroup (JSContext  *cx,
+ 
+   JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
+ 
++#ifdef HAVE_SETNETGRENT
+   JS::RootedString usrstr (authority->priv->cx);
+   usrstr = args[0].toString();
+   user = JS_EncodeStringToUTF8 (cx, usrstr);
+@@ -1285,6 +1286,7 @@ js_polkit_user_is_in_netgroup (JSContext  *cx,
+     {
+       is_in_netgroup =  true;
+     }
++#endif
+ 
+   ret = true;
+ 
+--- a/test/polkit/polkitidentitytest.c
++++ b/test/polkit/polkitidentitytest.c
+@@ -145,11 +145,15 @@ struct ComparisonTestData comparison_test_data [] = {
+   {"unix-group:root", "unix-group:jane", FALSE},
+   {"unix-group:jane", "unix-group:jane", TRUE},
+ 
++#ifdef HAVE_SETNETGRENT
+   {"unix-netgroup:foo", "unix-netgroup:foo", TRUE},
+   {"unix-netgroup:foo", "unix-netgroup:bar", FALSE},
++#endif
+ 
+   {"unix-user:root", "unix-group:root", FALSE},
++#ifdef HAVE_SETNETGRENT
+   {"unix-user:jane", "unix-netgroup:foo", FALSE},
++#endif
+ 
+   {NULL},
+ };
+@@ -181,11 +185,13 @@ main (int argc, char *argv[])
+   g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string);
+   g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string);
+ 
++#ifdef HAVE_SETNETGRENT
+   g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string);
++  g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
++#endif
+ 
+   g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant);
+   g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant);
+-  g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
+ 
+   add_comparison_tests ();
+ 
+--- a/test/polkit/polkitunixnetgrouptest.c
++++ b/test/polkit/polkitunixnetgrouptest.c
+@@ -69,7 +69,9 @@ int
+ main (int argc, char *argv[])
+ {
+   g_test_init (&argc, &argv, NULL);
++#ifdef HAVE_SETNETGRENT
+   g_test_add_func ("/PolkitUnixNetgroup/new", test_new);
+   g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name);
++#endif
+   return g_test_run ();
+ }
+--- a/test/polkitbackend/test-polkitbackendjsauthority.c
++++ b/test/polkitbackend/test-polkitbackendjsauthority.c
+@@ -137,12 +137,14 @@ test_get_admin_identities (void)
+         "unix-group:users"
+       }
+     },
++#ifdef HAVE_SETNETGRENT
+     {
+       "net.company.action3",
+       {
+         "unix-netgroup:foo"
+       }
+     },
++#endif
+   };
+   guint n;
+ 

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/metadata.xml

@@ -5,7 +5,7 @@
 		<email>freedesktop-bugs@gentoo.org</email>
 	</maintainer>
 	<use>
-		<flag name="elogind">Use <pkg>sys-auth/elogind</pkg> for session tracking</flag>
+		<flag name="duktape">Use <pkg>dev-lang/duktape</pkg> instead of <pkg>dev-lang/spidermonkey</pkg> as JavaScript engine</flag>
 		<flag name="systemd">Use <pkg>sys-apps/systemd</pkg> for session tracking</flag>
 	</use>
 </pkgmetadata>

sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-121.ebuild

@@ -1,23 +1,42 @@
 # Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
+PYTHON_COMPAT=( python3_{8..11} )
 TMPFILES_OPTIONAL=1
-inherit meson pam pax-utils systemd xdg-utils tmpfiles
+inherit meson pam pax-utils python-any-r1 systemd tmpfiles xdg-utils
 
 DESCRIPTION="Policy framework for controlling privileges for system-wide services"
 HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
-SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+if [[ ${PV} == *_p* ]] ; then
+	# Upstream don't make releases very often. Test snapshots throughly
+	# and review commits, but don't shy away if there's useful stuff there
+	# we want.
+	MY_COMMIT=""
+	SRC_URI="https://gitlab.freedesktop.org/polkit/polkit/-/archive/${MY_COMMIT}/polkit-${MY_COMMIT}.tar.bz2 -> ${P}.tar.bz2"
+
+	S="${WORKDIR}"/${PN}-${MY_COMMIT}
+else
+	SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+	S="${WORKDIR}"/${PN}-v.${PV}
+fi
 
 LICENSE="LGPL-2"
 SLOT="0"
-KEYWORDS="amd64 arm arm64 ~mips ppc64 ~riscv ~s390 x86"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86"
-IUSE="examples gtk +introspection kde pam selinux systemd test"
+IUSE="+duktape examples gtk +introspection kde pam selinux systemd test"
-#RESTRICT="!test? ( test )"
+RESTRICT="!test? ( test )"
-# Tests currently don't work with meson. See
+
-#   https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
+# This seems to be fixed with 121?
-RESTRICT="test"
+#if [[ ${PV} == *_p* ]] ; then
+#	RESTRICT="!test? ( test )"
+#else
+#	# Tests currently don't work with meson in the dist tarballs. See
+#	#  https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
+#	RESTRICT="test"
+#fi
 
 BDEPEND="
 	acct-user/polkitd
@@ -30,11 +49,18 @@ BDEPEND="
 	sys-devel/gettext
 	virtual/pkgconfig
 	introspection? ( dev-libs/gobject-introspection )
+	test? (
+		$(python_gen_any_dep '
+			dev-python/dbus-python[${PYTHON_USEDEP}]
+			dev-python/python-dbusmock[${PYTHON_USEDEP}]
+		')
+	)
 "
 DEPEND="
-	dev-lang/duktape:=
 	dev-libs/glib:2
 	dev-libs/expat
+	duktape? ( dev-lang/duktape:= )
+	!duktape? ( dev-lang/spidermonkey:91[-debug] )
 	pam? (
 		sys-auth/pambase
 		sys-libs/pam
@@ -55,23 +81,31 @@ PDEPEND="
 	kde? ( kde-plasma/polkit-kde-agent )
 "
 
-DOCS=( docs/TODO HACKING NEWS README )
+DOCS=( docs/TODO HACKING.md NEWS.md README.md )
 
 QA_MULTILIB_PATHS="
 	usr/lib/polkit-1/polkit-agent-helper-1
 	usr/lib/polkit-1/polkitd"
 
+python_check_deps() {
+	python_has_version "dev-python/dbus-python[${PYTHON_USEDEP}]" &&
+	python_has_version "dev-python/python-dbusmock[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+	use test && python-any-r1_pkg_setup
+}
+
 src_prepare() {
 	local PATCHES=(
-		"${FILESDIR}/polkit-0.120-meson.patch"
+		# musl
-		"${FILESDIR}/polkit-0.120-CVE-2021-4034.patch"
+		"${FILESDIR}"/${PN}-0.120_p20220509-make-netgroup-support-optional.patch
-
-		# from https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/97
-		"${FILESDIR}/97_Add_duktape_as_javascript_engine.patch"
 	)
+
 	default
 
-	sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+	# bug #401513
+	sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die
 }
 
 src_configure() {
@@ -86,6 +120,7 @@ src_configure() {
 		-Dos_type=gentoo
 		-Dsession_tracking="$(usex systemd libsystemd-login libelogind)"
 		-Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
+		-Djs_engine=$(usex duktape duktape mozjs)
 		$(meson_use introspection)
 		$(meson_use test tests)
 		$(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '')
@@ -120,11 +155,4 @@ src_install() {
 
 	diropts -m 0700 -o polkitd
 	keepdir /usr/share/polkit-1/rules.d
-
-	# meson does not install required files with SUID bit. See
-	#  https://bugs.gentoo.org/816393
-	# Remove the following lines once this has been fixed by upstream
-	# (should be fixed in next release: https://gitlab.freedesktop.org/polkit/polkit/-/commit/4ff1abe4a4c1f8c8378b9eaddb0346ac6448abd8)
-	fperms u+s /usr/bin/pkexec
-	fperms u+s /usr/lib/polkit-1/polkit-agent-helper-1
 }