- Aug 08, 2024
-
-
Luca Boccassi authored
-
Luca Boccassi authored
-
Luca Boccassi authored
Core files will contain package metadata and can be identified offline, without access to binaries https://systemd.io/ELF_PACKAGE_METADATA/
-
Luca Boccassi authored
Since pkla support was dropped we don't need to support /var/lib/polkit-1 anymore
-
Luca Boccassi authored
-
Luca Boccassi authored
systemd has been patched, in stable too, to detect the apparmor denial and gracefully fall back instead of hard failing, so drop this patch
-
Luca Boccassi authored
-
Luca Boccassi authored
Update to upstream version '125' with Debian dir 3c8120d9eb8a752e92a8eff6d369330a63869d67
-
Luca Boccassi authored
-
Jan Rybar authored
-
- Aug 07, 2024
- Jul 19, 2024
-
-
heather7283 authored
-
- Jul 18, 2024
-
-
Luca Boccassi authored
Session tracking build options are about whether logind or other APIs are used in the polkit code, at compilation and linking time. units, sysusers and tmpfiles files have nothing to do with code changes or APIs, they simply install config files, that can just be ignored if they are not needed. Use pkg-config if available, but otherwise have a hard-coded fallback with the well-known defaults.

This also fixes another bug: if 'systemdsystemunitdir' is specified as an option, the systemd_dep variable is not defined, but the sysusers.d directory lookup uses it, causing a build failure:

    dh_auto_configure -- \
        -Dexamples=false \
        -Dintrospection=true \
        -Dman=true \
        -Dsystemdsystemunitdir=/usr/lib/systemd/system \
        -Dtests=true \
        -Dgtk_doc=true -Dsession_tracking=libsystemd-login
    cd obj-x86_64-linux-gnu && DEB_PYTHON_INSTALL_LAYOUT=deb LC_ALL=C.UTF-8 meson setup .. --wrap-mode=nodownload --buildtype=plain --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=lib/x86_64-linux-gnu -Dpython.bytecompile=-1 -Dexamples=false -Dintrospection=true -Dman=true -Dsystemdsystemunitdir=/usr/lib/systemd/system -Dtests=true -Dgtk_doc=true -Dsession_tracking=libsystemd-login
    The Meson build system
    Version: 1.3.1
    Source dir: /builds/bluca/polkit/debian/output/source_dir
    Build dir: /builds/bluca/polkit/debian/output/source_dir/obj-x86_64-linux-gnu
    Build type: native build
    Project name: polkit
    Project version: 124
    <...>
    Run-time dependency libsystemd found: YES 255
    Checking for function "sd_uid_get_display" with dependency libsystemd: YES
    Checking for function "sd_pidfd_get_session" with dependency libsystemd: YES
    ../meson.build:222:37: ERROR: Unknown variable "systemd_dep".

Follow-up for 24f1e0af
-
- Jul 04, 2024
-
-
Michael Biebl authored
Gbp-Dch: Ignore
-
- Jul 03, 2024
-
-
Michael Biebl authored
Follow-up for 3c5afed8 Gbp-Dch: Ignore
-
Michael Biebl authored
-
Michael Biebl authored
Follow up for 41803390 Gbp-Dch: Ignore
-
Michael Biebl authored
Gbp-Dch: Ignore
-
Michael Biebl authored
-
Michael Biebl authored
Drop the legacy polkitd-pkla package. It is no longer maintained upstream and was only meant as a temporary measure to ease the migration from .pkla to JS based rules files.
-
Michael Biebl authored
Patch cherry-picked from upstream Git. Closes: #1068652
-
Michael Biebl authored
Closes: #1070448
-
Michael Biebl authored
Closes: #1025540
-
Jan Rybar authored
-
- Jul 02, 2024
-
-
peelz authored
-
- Jun 27, 2024
-
-
peelz authored
-
Frantisek Sumsal authored
There's no matrix.ref, only github.ref. Use that to make sure we don't kill workflow jobs from other PRs. Followup for b3a3a256. Resolves: #467
-
- Jun 26, 2024
-
-
Frantisek Sumsal authored
* test: drop mocklibc

  Let's get rid of mocklibc and replace it with a simple combination of mount & user namespaces + bind mount to replace the host's /etc with our own version. This means we don't $LD_PRELOAD the mocklibc DSO, but instead run each unit test through a very simple python wrapper that sets up a temporary user & mount namespace through the unshare() syscall, gains "fake" root using uid_map and gid_map, overmounts /etc in this new namespace (with our own custom test files), and then executes the test binary itself. Check user_namespaces(7) for more information about the namespace shenanigans.

* Replace duk_error() with duk_push_error_object() + duk_throw()

  duk_error() never returns, so the error string gets leaked every time an error is thrown. Let's avoid this by creating the error object first without throwing it, freeing the original error string (we don't need it anymore since it gets sprintf-ed into the error object), and then throwing the error object from top of the current context stack.

    =================================================================
    ==1270==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 231 byte(s) in 2 object(s) allocated from:
        #0 0x7f3a489258b7 in malloc (/lib64/libasan.so.8+0xf68b7) (BuildId: 388cbb99455c2e2eaec79bd8db6d9a78eb39f80d)
        #1 0x7f3a47b27487 in __vasprintf_internal (/lib64/libc.so.6+0x8a487) (BuildId: 4a92fcedbba6d6d2629ce066a2970017faa9995e)
        #2 0x7f3a484b06a2 in g_vasprintf (/lib64/libglib-2.0.so.0+0xb16a2) (BuildId: 795136df3faa85587229ddc59d709f81d6f697df)
        #3 0x7f3a48480a92 in g_strdup_vprintf (/lib64/libglib-2.0.so.0+0x81a92) (BuildId: 795136df3faa85587229ddc59d709f81d6f697df)
        #4 0x7f3a48480b50 in g_strdup_printf (/lib64/libglib-2.0.so.0+0x81b50) (BuildId: 795136df3faa85587229ddc59d709f81d6f697df)
        #5 0x41fcec in js_polkit_spawn ../src/polkitbackend/polkitbackendduktapeauthority.c:1090
        #6 0x7f3a483b31b8 in duk__handle_call_raw.lto_priv.0 (/lib64/libduktape.so.207+0x2a1b8) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #7 0x7f3a483962e1 in duk__js_execute_bytecode_inner.lto_priv.0 (/lib64/libduktape.so.207+0xd2e1) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #8 0x7f3a483b33eb in duk_js_execute_bytecode (/lib64/libduktape.so.207+0x2a3eb) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #9 0x7f3a483b319d in duk__handle_call_raw.lto_priv.0 (/lib64/libduktape.so.207+0x2a19d) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #10 0x7f3a48399ab0 in duk__pcall_prop_raw (/lib64/libduktape.so.207+0x10ab0) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #11 0x7f3a483b23cc in duk_handle_safe_call.lto_priv.0 (/lib64/libduktape.so.207+0x293cc) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #12 0x7f3a483972e8 in duk_pcall_prop (/lib64/libduktape.so.207+0xe2e8) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #13 0x41d048 in runaway_killer_thread_call_js ../src/polkitbackend/polkitbackendduktapeauthority.c:682
        #14 0x7f3a4888cb45 in asan_thread_start(void*) (/lib64/libasan.so.8+0x5db45) (BuildId: 388cbb99455c2e2eaec79bd8db6d9a78eb39f80d)

    Direct leak of 128 byte(s) in 1 object(s) allocated from:
        #0 0x7f3a489247b8 in realloc.part.0 (/lib64/libasan.so.8+0xf57b8) (BuildId: 388cbb99455c2e2eaec79bd8db6d9a78eb39f80d)
        #1 0x7f3a4846304a in g_realloc (/lib64/libglib-2.0.so.0+0x6404a) (BuildId: 795136df3faa85587229ddc59d709f81d6f697df)
        #2 0x7f3a48481b19 in g_string_expand (/lib64/libglib-2.0.so.0+0x82b19) (BuildId: 795136df3faa85587229ddc59d709f81d6f697df)
        #3 0x7f3a48481b90 in g_string_sized_new (/lib64/libglib-2.0.so.0+0x82b90) (BuildId: 795136df3faa85587229ddc59d709f81d6f697df)
        #4 0x41fb0f in js_polkit_spawn ../src/polkitbackend/polkitbackendduktapeauthority.c:1099
        #5 0x7f3a483b31b8 in duk__handle_call_raw.lto_priv.0 (/lib64/libduktape.so.207+0x2a1b8) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #6 0x7f3a483962e1 in duk__js_execute_bytecode_inner.lto_priv.0 (/lib64/libduktape.so.207+0xd2e1) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #7 0x7f3a483b33eb in duk_js_execute_bytecode (/lib64/libduktape.so.207+0x2a3eb) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #8 0x7f3a483b319d in duk__handle_call_raw.lto_priv.0 (/lib64/libduktape.so.207+0x2a19d) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #9 0x7f3a48399ab0 in duk__pcall_prop_raw (/lib64/libduktape.so.207+0x10ab0) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #10 0x7f3a483b23cc in duk_handle_safe_call.lto_priv.0 (/lib64/libduktape.so.207+0x293cc) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #11 0x7f3a483972e8 in duk_pcall_prop (/lib64/libduktape.so.207+0xe2e8) (BuildId: a9f661ee1766489794e9ece7cfd0d6a7fb420ccb)
        #12 0x41d048 in runaway_killer_thread_call_js ../src/polkitbackend/polkitbackendduktapeauthority.c:682
        #13 0x7f3a4888cb45 in asan_thread_start(void*) (/lib64/libasan.so.8+0x5db45) (BuildId: 388cbb99455c2e2eaec79bd8db6d9a78eb39f80d)

    SUMMARY: AddressSanitizer: 359 byte(s) leaked in 3 allocation(s).

* packit: run unit tests during package build
-
peelz authored
* Include config.h globally via compiler options
* Clean up trailing whitespace
-
- Jun 25, 2024
-
-
Tobias Stoeckmann authored
Reading /etc/shells file directly has the effect that comments are parsed as well. If a user sets environment variable SHELL to a value which matches one of these comments, it is passed through pkexec. The shadow tools would not allow such a login shell, so be as strict as shadow when it comes to parsing /etc/shells.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
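
Added example, not part of the commit above and not polkit's code: a line-by-line /etc/shells check that treats every line as an entry, next to a strict one that never accepts comment or blank lines. The sample file contents, the function names and the strict rule (an entry must begin with '/') are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of an /etc/shells file, not taken from a real system. */
static const char SAMPLE_SHELLS[] =
    "# /etc/shells: valid login shells\n"
    "/bin/sh\n"
    "#/opt/disabled/shell\n"
    "/bin/bash\n"
    "\n"
    "/usr/bin/zsh\n";

/* Compare candidate against each line; strict mode accepts only path entries. */
static bool shell_listed(const char *shells, const char *candidate, bool strict)
{
    size_t want = strlen(candidate);
    for (const char *line = shells; *line != '\0'; ) {
        size_t len = strcspn(line, "\n");
        /* Assumed strict rule: an entry starts with '/', so '#' comments
         * and blank lines can never match. */
        bool is_entry = !strict || (len > 0 && line[0] == '/');
        if (is_entry && len == want && strncmp(line, candidate, len) == 0)
            return true;
        line += len;
        if (*line == '\n')
            line++;
    }
    return false;
}

/* Behaviour the commit describes as the problem: every line counts. */
bool shell_listed_naive(const char *candidate)
{
    return shell_listed(SAMPLE_SHELLS, candidate, false);
}

/* Hardened check: comment and blank lines are never valid shells. */
bool shell_listed_strict(const char *candidate)
{
    return shell_listed(SAMPLE_SHELLS, candidate, true);
}

int main(void)
{
    const char *shell = "#/opt/disabled/shell"; /* constructed SHELL value */
    printf("naive=%d strict=%d\n", shell_listed_naive(shell), shell_listed_strict(shell));
    return 0;
}
```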
-
Jan Rybar authored
-
Frantisek Sumsal authored
-
Luca Boccassi authored
Currently if the subject has uid 0 a shortcut is taken and authorization is immediately granted, without checking against policies and rules. Add a flag that allows skipping this shortcut. uid 0 can of course alter polkit's behaviour directly, so this is not so much a security feature, but more useful as a safety feature, so that when an action is disabled it cannot be accidentally performed by root, unless they really mean it and bypass polkit.
-
Vincent Mihalkovic authored
-
Gleb Popov authored
Co-authored-by: Olivier Duchateau <duchateau.olivier@gmail.com>
-
- Jun 10, 2024
-
-
Frantisek Sumsal authored
* ci: build on alt-archs as well

* test: introduce an integration test suite

  Since we already use Packit, let's utilize its second part as well and add a TMT [0] based integration test suite. This PR adds a second job to the existing Packit configuration, which then sends the just built RPMs to Testing Farm [1] that executes all selected tests (which currently means all discovered tests).

  To demonstrate the functionality a bit, this PR also adds a simple test case for #439.

  [0] https://tmt.readthedocs.io/en/stable/overview.html
  [1] https://docs.testing-farm.io/Testing%20Farm/0.1/index.html
-
- Jun 06, 2024
-
-
Frantisek Sumsal authored
* ci: bump the CodeQL GH Actions worker to Ubuntu Noble

  So we get newer meson, which is required since 60673b86:

* ci: fix enabling of source repositories in deb822 format

  Ubuntu Noble started shipping repositories in the deb822 format which (ATTOW) doesn't work with `add-apt-repository --enable-source`. Let's edit the repo files manually to mitigate this for the time being.
-