From 8d14c7baa6b293b3b48741b203400116ed9882ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sat, 9 Nov 2013 16:29:18 +0100 Subject: [PATCH] polkit: major update 0.105 -> 0.112 - It now uses JavaScript for configuration (only), so I had to "convert" config for NetworkManager. - I tested suspend/restart/(un)mount on KDE/Xfce, Phreedom tested NetworkManager config conversion. --- nixos/modules/misc/ids.nix | 2 +- nixos/modules/security/polkit.nix | 77 ++++++++----------- .../services/networking/networkmanager.nix | 15 +++- .../interpreters/spidermonkey/185-1.0.0.nix | 6 +- pkgs/development/libraries/polkit/default.nix | 54 +++++++------ pkgs/top-level/all-packages.nix | 4 +- 6 files changed, 81 insertions(+), 77 deletions(-) diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index e3edc9dda6b6..29a29834e973 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -140,7 +140,7 @@ tape = 25; video = 26; dialout = 27; - polkituser = 28; + #polkituser = 28; # currently unused, polkitd doesn't need a group utmp = 29; davfs2 = 31; privoxy = 32; diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix index cafa9f82d5e4..940e87e0b024 100644 --- a/nixos/modules/security/polkit.nix +++ b/nixos/modules/security/polkit.nix 
@@ -18,35 +18,17 @@ in description = "Whether to enable PolKit."; }; - security.polkit.permissions = mkOption { + security.polkit.extraConfig = mkOption { type = types.lines; default = ""; example = '' - [Disallow Users To Suspend] - Identity=unix-group:users - Action=org.freedesktop.upower.* - ResultAny=no - ResultInactive=no - ResultActive=no - - [Allow Anybody To Eject Disks] - Identity=unix-user:* - Action=org.freedesktop.udisks.drive-eject - ResultAny=yes - ResultInactive=yes - ResultActive=yes - - [Allow Alice To Mount Filesystems After Admin Authentication] - Identity=unix-user:alice - Action=org.freedesktop.udisks.filesystem-mount - ResultAny=auth_admin - ResultInactive=auth_admin - ResultActive=auth_admin + TODO ''; description = '' - Allows the default permissions of privileged actions to be overridden. + Any polkit rules to be added to config (in JavaScript ;-). See: + http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules ''; }; 
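Review bot: The `example` of the new `security.polkit.extraConfig` option is the placeholder `TODO`, so the generated option documentation will show literally `TODO` to exactly the users who need to learn the new JavaScript rule format. A real rule would serve better, for instance the NetworkManager rule this same commit writes, or a translation of the removed eject example: `polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.udisks.drive-eject") { return polkit.Result.YES; } });`. The description could also state that the value is concatenated verbatim into a file under `/etc/polkit-1/rules.d` and executed by polkitd, so a syntax error in it can keep every rule in that file from loading (the `#TODO: validation` comment further down this module indicates there is no check yet). `security.polkit.permissions` is renamed without a compatibility alias, so configurations that still set it will presumably fail evaluation with an unknown-option error; that is worth a sentence in the option description or the commit message.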
@@ -71,29 +53,23 @@ in environment.systemPackages = [ pkgs.polkit ]; - # The polkit daemon reads action files - environment.pathsToLink = [ "/share/polkit-1/actions" ]; + systemd.packages = [ pkgs.polkit ]; - environment.etc = - [ # No idea what the "null backend" is, but it seems to need this. - { source = "${pkgs.polkit}/etc/polkit-1/nullbackend.conf.d"; - target = "polkit-1/nullbackend.conf.d"; - } + # The polkit daemon reads action/rule files + environment.pathsToLink = [ "/share/polkit-1" ]; - # This file determines what users are considered - # "administrators". - { source = pkgs.writeText "10-nixos.conf" - '' - [Configuration] - AdminIdentities=${cfg.adminIdentities} - ''; - target = "polkit-1/localauthority.conf.d/10-nixos.conf"; - } + # PolKit rules for NixOS + environment.etc = [ { + source = pkgs.writeText "10-nixos.conf" + '' + polkit.addAdminRule(function(action, subject) { + return ["${cfg.adminIdentities}"]; + }); - { source = pkgs.writeText "org.nixos.pkla" cfg.permissions; - target = "polkit-1/localauthority/10-vendor.d/org.nixos.pkla"; - } - ]; + ${cfg.extraConfig} + ''; #TODO: validation on compilation (at least against typos) + target = "polkit-1/rules.d/10-nixos.conf"; + } ]; services.dbus.packages = [ pkgs.polkit ]; 
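Review bot: `target = "polkit-1/rules.d/10-nixos.conf"` gives the rules file a `.conf` suffix, but polkitd only loads files ending in `.rules` from `rules.d` (this is in the polkit(8) page the option description links to), so as written neither the admin rule nor `extraConfig` — and therefore not the NetworkManager rule converted in this commit — would ever take effect; use `source = pkgs.writeText "10-nixos.rules"` and `target = "polkit-1/rules.d/10-nixos.rules";`. Separately, `return ["${cfg.adminIdentities}"];` wraps the whole option value in a single JavaScript string; the removed `AdminIdentities=${cfg.adminIdentities}` line suggests the option is still a semicolon-separated list, and if so the array holds one element such as `"unix-group:users;unix-user:alice"` (illustrative) that matches no identity at all, leaving the system without the intended administrators. Splitting it, e.g. `return [${concatStringsSep ", " (map (s: "\"${s}\"") (splitString ";" cfg.adminIdentities))}];` (assuming `lib` functions are in scope in this module), restores the old semantics. The `#TODO: validation` remark also describes a real risk worth stating in the option description: a syntax error anywhere in `extraConfig` stops this whole file, admin rule included, from loading.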
@@ -101,24 +77,31 @@ in security.setuidPrograms = [ "pkexec" ]; - security.setuidOwners = singleton + security.setuidOwners = [ { program = "polkit-agent-helper-1"; owner = "root"; group = "root"; setuid = true; - source = "${pkgs.polkit}/libexec/polkit-1/polkit-agent-helper-1"; - }; + source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1"; + } + ]; system.activationScripts.polkit = '' - mkdir -p /var/lib/polkit-1/localauthority - chmod 700 /var/lib/polkit-1{/localauthority,} + # Probably no more needed, clean up + rm -rf /var/lib/{polkit-1,PolicyKit} # Force polkitd to be restarted so that it reloads its # configuration. ${pkgs.procps}/bin/pkill -INT -u root -x polkitd ''; + users.extraUsers.polkituser = { + description = "PolKit daemon"; + uid = config.ids.uids.polkituser; + }; + }; } + diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index ad6f9858aaf6..2e8d17d872d2 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -21,7 +21,7 @@ let level=WARN ''; - polkitConf = '' + /* [network-manager] Identity=unix-group:networkmanager Action=org.freedesktop.NetworkManager.* @@ -35,6 +35,17 @@ let ResultAny=yes ResultInactive=no ResultActive=yes + */ + polkitConf = '' + polkit.addRule(function(action, subject) { + if ( + subject.isInGroup("networkmanager") + && subject.active + && (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 + || action.id.indexOf("org.freedesktop.ModemManager.") == 0 + )) + { return polkit.Result.YES; } + }); ''; ipUpScript = writeScript "01nixos-ip-up" '' @@ -179,7 +190,7 @@ in { systemctl restart NetworkManager ''; - security.polkit.permissions = polkitConf; + security.polkit.extraConfig = polkitConf; # openvpn plugin has only dbus interface services.dbus.packages = cfg.packages ++ [ 
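Review bot: `${pkgs.procps}/bin/pkill -INT -u root -x polkitd` matches on the effective user, yet this hunk adds a dedicated `polkituser` account and the package hunk in pkgs/development/libraries/polkit/default.nix appears to reference `config.ids.uids.polkituser` for the daemon user; if polkitd now drops to that user, the running daemon no longer matches `-u root` and keeps stale rules after a rebuild, so `pkill -INT -x polkitd` (or `-u polkituser`) is needed. `rm -rf /var/lib/{polkit-1,PolicyKit}` runs on every activation rather than once as a migration, and the comment itself says `Probably no more needed`; guarding it, e.g. `if [ -d /var/lib/polkit-1/localauthority ]; then rm -rf /var/lib/{polkit-1,PolicyKit}; fi`, limits the cleanup to systems that still carry the removed backend's state and avoids deleting the directory if the new daemon turns out to use it. The new `users.extraUsers.polkituser` entry sets no `group`, while the ids.nix hunk comments out `polkituser = 28`; confirm the default group the user ends up in is the intended one.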
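Review bot: The converted rule in the `@@ -35,6 +35,17 @@` hunk of networkmanager.nix returns `polkit.Result.YES` only when `subject.active`, whereas the stanza it replaces (visible lines `ResultAny=yes`, `ResultInactive=no`, `ResultActive=yes`) also granted the action to subjects outside any local session and explicitly denied inactive ones; the new rule returns nothing in both cases, so those subjects fall back to each action's built-in default instead. If `ResultAny=yes` was intentional the condition needs a `!subject.local` branch, and if the narrowing is deliberate it deserves a line in the commit message. The `[network-manager]` stanza's own Result lines fall between the two hunks, so the NetworkManager half of the conversion cannot be checked here. The old pkla text is kept as a `/* … */` block opened in the `@@ -21,7 +21,7 @@` hunk; commented-out configuration goes stale quickly, so either drop it or replace it with a one-line pointer such as `# Converted from the former .pkla stanzas; see security.polkit.extraConfig`. As a matter of style, `action.id.indexOf(...) === 0` is the stricter form of the two `== 0` comparisons.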
diff --git a/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix b/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix index 55e0dada71e0..1c0d77345b73 100644 --- a/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix +++ b/pkgs/development/interpreters/spidermonkey/185-1.0.0.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, autoconf213, nspr, perl, python, readline, zip }: +{ stdenv, fetchurl, pkgconfig, autoconf213, nspr, perl, python, readline, zip }: stdenv.mkDerivation rec { version = "185-1.0.0"; @@ -9,7 +9,9 @@ stdenv.mkDerivation rec { sha256 = "5d12f7e1f5b4a99436685d97b9b7b75f094d33580227aa998c406bbae6f2a687"; }; - buildInputs = [ autoconf213 nspr perl python readline zip ]; + propagatedBuildInputs = [ nspr ]; + + buildInputs = [ pkgconfig autoconf213 perl python readline zip ]; postUnpack = "sourceRoot=\${sourceRoot}/js/src"; diff --git a/pkgs/development/libraries/polkit/default.nix b/pkgs/development/libraries/polkit/default.nix index 9d1f0d18c1ad..821e66ea0b30 100644 --- a/pkgs/development/libraries/polkit/default.nix +++ b/pkgs/development/libraries/polkit/default.nix 
@@ -1,48 +1,59 @@ -{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, gettext -, gobjectIntrospection +{ stdenv, fetchurl, pkgconfig, glib, expat, pam, intltool, spidermonkey +, gobjectIntrospection, libxslt, docbook_xsl , useSystemd ? stdenv.isLinux, systemd }: let system = "/var/run/current-system/sw"; + setuid = "/var/setuid-wrappers"; #TODO: from config.security.wrapperDir; foolVars = { - LOCALSTATE = "/var"; SYSCONF = "/etc"; - LIB = "${system}/lib"; - DATA = "${system}/share"; + DATA = "${system}/share"; # to find share/polkit-1/actions of other apps at runtime }; in stdenv.mkDerivation rec { - name = "polkit-0.105"; + name = "polkit-0.112"; src = fetchurl { url = "http://www.freedesktop.org/software/polkit/releases/${name}.tar.gz"; - sha256 = "1pz1hn4z0f1wk4f7w8q1g6ygwan1b6kxmfad3b7gql27pb47rp4g"; + sha256 = "1xkary7yirdcjdva950nqyhmsz48qhrdsr78zciahj27p8yg95fn"; }; buildInputs = - [ pkgconfig glib expat pam intltool gobjectIntrospection ] + [ pkgconfig glib expat pam intltool spidermonkey gobjectIntrospection ] + ++ [ libxslt docbook_xsl ] # man pages ++ stdenv.lib.optional useSystemd systemd; - configureFlags = "--libexecdir=$(out)/libexec/polkit-1"; - # Ugly hack to overwrite hardcoded directories # TODO: investigate a proper patch which will be accepted upstream + # After update it's good to check the sources via: + # grep '\ config.ids.uids.polkituser + "--with-os-type=NixOS" # not recognized but prevents impurities on non-NixOS + ]; makeFlags = '' @@ -50,12 +61,7 @@ stdenv.mkDerivation rec { INTROSPECTION_TYPELIBDIR=$(out)lib/girepository-1.0 ''; - postInstall = - '' - # Allow some files with paranoid permissions to be stripped in - # the fixup phase. - chmod a+rX -R $out - ''; + #doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs meta = with stdenv.lib; { homepage = http://www.freedesktop.org/wiki/Software/polkit; 
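Review bot: `setuid = "/var/setuid-wrappers"; #TODO: from config.security.wrapperDir;` hard-codes a NixOS module setting inside a package expression; a package cannot read `config`, but the path can be made a function argument with this default, `setuidWrapperDir ? "/var/setuid-wrappers"`, so the NixOS module can pass its configured value instead of leaving the TODO. The text of this hunk after `grep '\` is garbled in this copy (everything up to `config.ids.uids.polkituser` is missing), so the new `configureFlags` list — including how `setuid` and the polkitd user are substituted — could not be reviewed and should be re-checked in the repository. In the `@@ -50,12 +61,7 @@` hunk, `#doCheck = true;` leaves the test suite disabled with only an inline remark about `/bin/bash`; a `# TODO:` marker naming what blocks it (and whether `patchShebangs` on the test scripts was tried) keeps the follow-up trackable. The removed `postInstall` `chmod a+rX -R $out` was there so paranoid-permission files could be stripped; nothing in the hunk says why that is no longer needed, so a short comment on the replacement would help the next updater.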
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b5737918cff8..9a4118098a5f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5400,7 +5400,9 @@ let podofo = callPackage ../development/libraries/podofo { }; - polkit = callPackage ../development/libraries/polkit { }; + polkit = callPackage ../development/libraries/polkit { + spidermonkey = spidermonkey_185; + }; polkit_qt_1 = callPackage ../development/libraries/polkit-qt-1 { };