sys-auth/polkit: backport some fixes to 126

* Backport build fix for elogind * Backport musl build fix * ... which needs another fix for realpath / PATH order Signed-off-by: Sam James <sam@gentoo.org>
2026-01-06 02:17:34 -08:00 · 2025-03-25 05:32:40 +00:00 · 2025-03-25 05:32:40 +00:00 · 21c9a61e14
commit 21c9a61e14
parent 744be65431
4 changed files with 367 additions and 0 deletions
--- a/sys-auth/polkit/files/polkit-126-elogind.patch
+++ b/sys-auth/polkit/files/polkit-126-elogind.patch
@ -0,0 +1,37 @@
+https://github.com/polkit-org/polkit/commit/55ee1b70456eca8281dda9612c485c619122f202
+
+From 55ee1b70456eca8281dda9612c485c619122f202 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 14 Jan 2025 13:47:54 +0100
+Subject: [PATCH] meson: fix unused dependency, fixes elogind FTBFS
+
+polkit-126 could not be built from source with elogind session service due
+to wrong dependencies in meson.build.
+
+Author: @markhindley
+---
+ src/polkitbackend/meson.build | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/polkitbackend/meson.build b/src/polkitbackend/meson.build
+index fc35e195..a807b41b 100644
+--- a/src/polkitbackend/meson.build
+++ b/src/polkitbackend/meson.build
+@@ -37,7 +37,6 @@ deps += thread_dep
+ 
+ if enable_logind
+   sources += files('polkitbackendsessionmonitor-systemd.c')
+-
+   deps += logind_dep
+ else
+   sources += files('polkitbackendsessionmonitor.c')
+@@ -73,7 +72,7 @@ executable(
+   program,
+   program + '.c',
+   include_directories: top_inc,
+-  dependencies: libpolkit_gobject_dep,
+  dependencies: deps,
+   c_args: c_flags,
+   link_with: libpolkit_backend,
+   install: true,
+
--- a/sys-auth/polkit/files/polkit-126-musl.patch
+++ b/sys-auth/polkit/files/polkit-126-musl.patch
@ -0,0 +1,34 @@
+https://github.com/polkit-org/polkit/commit/074ad836836167190cfe5649f9fc50da2e79a0ab
+
+From 074ad836836167190cfe5649f9fc50da2e79a0ab Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Wed, 19 Feb 2025 14:20:22 +0100
+Subject: [PATCH] Fix musl compilation error on Alpine
+
+Disruptions between glibc and musl-(not-)predefined feature-test macros led to
+a decision to remove a check for POSIX standards older than 17 years. It makes no
+sense to test the existence of a macro that we explicitly define in
+meson.build either (shall we test for _GNU_SOURCE).
+---
+ src/programs/pkexec.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index b439475f..4274c92b 100644
+--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
+@@ -674,12 +674,8 @@ main (int argc, char *argv[])
+           argv[n] = path_abs;
+       }
+     }
+-#if _POSIX_C_SOURCE >= 200809L
+
+   s = realpath(path, NULL);
+-#else
+-  s = NULL;
+-# error We have to deal with realpath(3) PATH_MAX madness
+-#endif
+   if (s != NULL)
+     {
+       /* The called program resolved to the canonical location. We don't update
+
--- a/sys-auth/polkit/files/polkit-126-realpath.patch
+++ b/sys-auth/polkit/files/polkit-126-realpath.patch
@ -0,0 +1,133 @@
+https://github.com/polkit-org/polkit/commit/9aa43e089d870a8ee695e625237c5b731b250678
+
+From 9aa43e089d870a8ee695e625237c5b731b250678 Mon Sep 17 00:00:00 2001
+From: Walter Doekes <walter+github@wjd.nu>
+Date: Fri, 25 Oct 2024 23:18:16 +0200
+Subject: [PATCH] pkexec: Use realpath when comparing
+ org.freedesktop.policykit.exec.path
+
+This changes the pkexec path that is compared from the original supplied
+path to the path resolved by realpath(3).
+
+That means that "/bin/something" might now be matched as
+"/usr/bin/something", a review of your
+  <annotate key="org.freedesktop.policykit.exec.path">
+actions might be in order.
+
+Fixes: polkit-org/polkit#194
+
+See also: systemd/systemd#34714
+---
+ src/programs/pkexec.c           | 29 +++++++++++++++++++++++++++--
+ test/integration/pkexec/test.sh | 23 +++++++++++++++++++++++
+ 2 files changed, 50 insertions(+), 2 deletions(-)
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 65c13090..b439475f 100644
+--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
+@@ -452,6 +452,7 @@ main (int argc, char *argv[])
+   gchar *action_id;
+   gboolean allow_gui;
+   gchar **exec_argv;
+  gchar *path_abs;
+   gchar *path;
+   struct passwd pwstruct;
+   gchar pwbuf[8192];
+@@ -508,6 +509,7 @@ main (int argc, char *argv[])
+   result = NULL;
+   action_id = NULL;
+   saved_env = NULL;
+  path_abs = NULL;
+   path = NULL;
+   exec_argv = NULL;
+   command_line = NULL;
+@@ -624,6 +626,8 @@ main (int argc, char *argv[])
+    * but do check this is the case.
+    *
+    * We also try to locate the program in the path if a non-absolute path is given.
+   *
+   * And then we resolve the real path of the program.
+    */
+   g_assert (argv[argc] == NULL);
+   path = g_strdup (argv[n]);
+@@ -647,7 +651,7 @@ main (int argc, char *argv[])
+     }
+   if (path[0] != '/')
+     {
+-      /* g_find_program_in_path() is not suspectible to attacks via the environment */
+      /* g_find_program_in_path() is not susceptible to attacks via the environment */
+       s = g_find_program_in_path (path);
+       if (s == NULL)
+         {
+@@ -662,9 +666,29 @@ main (int argc, char *argv[])
+        */
+       if (argv[n] != NULL)
+       {
+-        argv[n] = path;
+        /* Must copy because we might replace path later on. */
+        path_abs = g_strdup(path);
+        /* argv[n:] is used as argv arguments to execv(). The called program
+         * sees the original called path, but we make sure it's absolute. */
+        if (path_abs != NULL)
+          argv[n] = path_abs;
+       }
+     }
+#if _POSIX_C_SOURCE >= 200809L
+  s = realpath(path, NULL);
+#else
+  s = NULL;
+# error We have to deal with realpath(3) PATH_MAX madness
+#endif
+  if (s != NULL)
+    {
+      /* The called program resolved to the canonical location. We don't update
+       * argv[n] this time. The called program still sees the original
+       * called path. This is very important for multi-call binaries like
+       * busybox. */
+      g_free (path);
+      path = s;
+    }
+   if (access (path, F_OK) != 0)
+     {
+       g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
+@@ -1084,6 +1108,7 @@ main (int argc, char *argv[])
+     }
+ 
+   g_free (original_cwd);
+  g_free (path_abs);
+   g_free (path);
+   g_free (command_line);
+   g_free (cmdline_short);
+diff --git a/test/integration/pkexec/test.sh b/test/integration/pkexec/test.sh
+index 4c76687b..e57b948f 100755
+--- a/test/integration/pkexec/test.sh
+++ b/test/integration/pkexec/test.sh
+@@ -142,3 +142,26 @@ sudo -u "$TEST_USER" expect "$TMP_DIR/SIGTRAP-on-EOF.exp" | tee "$TMP_DIR/SIGTRA
+ grep -q "AUTHENTICATION FAILED" "$TMP_DIR/SIGTRAP-on-EOF.log"
+ grep -q "Not authorized" "$TMP_DIR/SIGTRAP-on-EOF.log"
+ rm -f "$TMP_DIR/SIGTRAP-on-EOF.log"
+
+: "Check absolute (but not canonicalized) path"
+BASH_ABS=$(command -v bash)
+ln -s "$BASH_ABS" ./my-bash
+sudo -u "$TEST_USER" expect "$TMP_DIR/basic-auth.exp" "$TEST_USER_PASSWORD" ./my-bash -c true | tee "$TMP_DIR/absolute-path.log"
+grep -Eq "Authentication is needed to run \`/.*/${PWD##*/}/./my-bash -c true' as the super user" "$TMP_DIR/absolute-path.log"
+grep -q "AUTHENTICATION COMPLETE" "$TMP_DIR/absolute-path.log"
+rm -f "$TMP_DIR/absolute-path.log"
+rm -f "./my-bash"
+
+: "Check canonicalized path"
+if command -v strace; then
+    BASH_ABS=$(command -v bash)
+    ln -s "$BASH_ABS" ./my-bash
+    sudo -u "$TEST_USER" strace -s 512 -o "$TMP_DIR/canonical-path.strace" -feexecve \
+	expect "$TMP_DIR/basic-auth.exp" "$TEST_USER_PASSWORD" ./my-bash -c true | tee "$TMP_DIR/canonical-path.log"
+    cat "$TMP_DIR/canonical-path.strace"
+    grep -qF "execve(\"$BASH_ABS\", [\"$PWD/./my-bash\"," "$TMP_DIR/canonical-path.strace"
+    grep -q "AUTHENTICATION COMPLETE" "$TMP_DIR/canonical-path.log"
+    rm -f "$TMP_DIR/canonical-path.log" "$TMP_DIR/canonical-path.strace"
+    rm -f "./my-bash"
+    rm -f "$TMP_DIR/preload.c" "$TMP_DIR/preload.so"
+fi
+
--- a/sys-auth/polkit/polkit-126-r1.ebuild
+++ b/sys-auth/polkit/polkit-126-r1.ebuild
@ -0,0 +1,163 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+inherit meson pam pax-utils python-any-r1 systemd tmpfiles xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://github.com/polkit-org/polkit"
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/polkit-org/polkit"
+	inherit git-r3
+elif [[ ${PV} == *_p* ]] ; then
+	# Upstream don't make releases very often. Test snapshots throughly
+	# and review commits, but don't shy away if there's useful stuff there
+	# we want.
+	MY_COMMIT=""
+	SRC_URI="https://github.com/polkit-org/polkit/archive/${MY_COMMIT}.tar.gz -> ${P}.tar.gz"
+
+	S="${WORKDIR}"/${PN}-${MY_COMMIT}
+else
+	SRC_URI="https://github.com/polkit-org/polkit/archive/refs/tags/${PV}.tar.gz -> ${P}.tar.gz"
+fi
+
+LICENSE="LGPL-2"
+SLOT="0"
+if [[ ${PV} != 9999 ]] ; then
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+IUSE="+daemon examples gtk +introspection kde pam nls selinux systemd test"
+RESTRICT="!test? ( test )"
+
+BDEPEND="
+	acct-user/polkitd
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/docbook-xsl-stylesheets
+	>=dev-libs/glib-2.32
+	dev-libs/gobject-introspection-common
+	dev-libs/libxslt
+	dev-util/glib-utils
+	virtual/pkgconfig
+	introspection? ( >=dev-libs/gobject-introspection-0.6.2 )
+	nls? ( sys-devel/gettext )
+	test? (
+		$(python_gen_any_dep '
+			dev-python/dbus-python[${PYTHON_USEDEP}]
+			dev-python/python-dbusmock[${PYTHON_USEDEP}]
+		')
+	)
+"
+DEPEND="
+	>=dev-libs/glib-2.32:2
+	dev-libs/expat
+	daemon? (
+		dev-lang/duktape:=
+	)
+	pam? (
+		sys-auth/pambase
+		sys-libs/pam
+	)
+	!pam? ( virtual/libcrypt:= )
+	systemd? ( sys-apps/systemd:0=[policykit] )
+	!systemd? ( sys-auth/elogind )
+"
+RDEPEND="
+	${DEPEND}
+	acct-user/polkitd
+	selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+	gtk? ( || (
+		>=gnome-extra/polkit-gnome-0.105
+		>=lxde-base/lxsession-0.5.2
+	) )
+	kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING.md NEWS.md README.md )
+
+QA_MULTILIB_PATHS="
+	usr/lib/polkit-1/polkit-agent-helper-1
+	usr/lib/polkit-1/polkitd
+"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-elogind.patch
+	"${FILESDIR}"/${P}-realpath.patch
+	"${FILESDIR}"/${P}-musl.patch
+)
+
+python_check_deps() {
+	python_has_version "dev-python/dbus-python[${PYTHON_USEDEP}]" &&
+	python_has_version "dev-python/python-dbusmock[${PYTHON_USEDEP}]"
+}
+
+pkg_setup() {
+	use test && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	# bug #401513
+	sed -i -e 's|unix-group:@PRIVILEGED_GROUP@|unix-user:@PRIVILEGED_GROUP@|' src/polkitbackend/*-default.rules.in || die
+}
+
+src_configure() {
+	xdg_environment_reset
+
+	local emesonargs=(
+		--localstatedir="${EPREFIX}"/var
+		-Dauthfw="$(usex pam pam shadow)"
+		-Dexamples=false
+		-Dgtk_doc=false
+		-Dman=true
+		-Dos_type=gentoo
+		-Dpam_module_dir=$(getpam_mod_dir)
+		-Dprivileged_group=0
+		-Dsession_tracking="$(usex systemd logind elogind)"
+		-Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
+		$(meson_use !daemon libs-only)
+		$(meson_use introspection)
+		$(meson_use nls gettext)
+		$(meson_use test tests)
+	)
+	meson_src_configure
+}
+
+src_compile() {
+	meson_src_compile
+
+	# Required for polkitd on hardened/PaX due to spidermonkey's JIT
+	pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+	meson_src_install
+
+	# acct-user/polkitd installs its own (albeit with a different filename)
+	rm -rf "${ED}"/usr/lib/sysusers.d || die
+
+	if use examples ; then
+		docinto examples
+		dodoc src/examples/{*.c,*.policy*}
+	fi
+
+	if use daemon; then
+		if [[ ${EUID} == 0 ]]; then
+			diropts -m 0700 -o polkitd
+		fi
+		keepdir /etc/polkit-1/rules.d
+	fi
+}
+
+pkg_postinst() {
+	tmpfiles_process polkit-tmpfiles.conf
+
+	if use daemon && [[ ${EUID} == 0 ]]; then
+		chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+		chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	fi
+}