From de9c25ba64a7c32f05297a26c6ee4308ee07cf0a Mon Sep 17 00:00:00 2001
From: Mihai Moldovan
Date: Thu, 7 Dec 2023 18:01:51 +0100
Subject: data/arctica-greeter.pkla: fix Results* keys. These were never supported in the first place. This is probably also why we define all three result keys - ResultsAny [sic!] never triggered, so ResultActive and ResultInactive were added instead.
---
 data/arctica-greeter.pkla | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/data/arctica-greeter.pkla b/data/arctica-greeter.pkla
index 99235c2..072c1db 100644
--- a/data/arctica-greeter.pkla
+++ b/data/arctica-greeter.pkla
@@ -6,39 +6,39 @@ Identity=unix-user:lightdm
 Action=org.freedesktop.NetworkManager.enable-disable-network;org.freedesktop.NetworkManager.enable-disable-wifi;org.freedesktop.NetworkManager.enable-disable-wwan;org.freedesktop.NetworkManager.enable-disable-wimax;
 ResultActive=no
 ResultInactive=no
-ResultsAny=no
+ResultAny=no
 
 [Disable Sleep and Wake]
 Identity=unix-user:lightdm
 Action=org.freedesktop.NetworkManager.sleep-wake
 ResultActive=no
 ResultInactive=no
-ResultsAny=no
+ResultAny=no
 
 [Disable WiFi Sharing]
 Identity=unix-user:lightdm
 Action=org.freedesktop.NetworkManager.wifi.share.protected;org.freedesktop.NetworkManager.wifi.share.open
 ResultActive=no
 ResultInactive=no
-ResultsAny=no
+ResultAny=no
 
 [Disable Settings Modifications]
 Identity=unix-user:lightdm
 Action=org.freedesktop.NetworkManager.settings.modify.own;org.freedesktop.NetworkManager.settings.modify.system;org.freedesktop.NetworkManager.settings.modify.hostname
 ResultActive=no
 ResultInactive=no
-ResultsAny=no
+ResultAny=no
 
 [Disable User Connections]
 Identity=unix-user:lightdm
 Action=org.freedesktop.NetworkManager.use-user-connections
 ResultActive=no
 ResultInactive=no
-ResultsAny=no
+ResultAny=no
 
 [Enable Controlling of Network Connections]
 Identity=unix-user:lightdm
 Action=org.freedesktop.NetworkManager.network-control
 ResultActive=yes
 ResultInactive=no
-ResultsAny=no
+ResultAny=no
-- 
cgit v1.2.3
From a16208d53f5b213bec0bd0d4b74ab44239df78c9 Mon Sep 17 00:00:00 2001
From: Mihai Moldovan
Date: Thu, 7 Dec 2023 18:49:03 +0100
Subject: data: add 50-org.Arctica-Project.arctica-greeter.rules. This message is adapted from ayatana-indicator-sound. Note that while it is Debian-centric, other distributions (e.g., *SuSE) have long upgraded to polkit versions > 0.105, so are affected by this even more. arctica-greeter currently ships polkit 0.105 configuration fragments at ${LOCALSTATEDIR}/polkit-1/localauthority/10-vendor.d/arctica-greeter.pkla but does not seem to have a polkit >= 0.106 equivalent in ${DATADIR}/polkit-1/rules.d. This means the customizations to the default polkit policies that are made by this package will not be taken into account when running polkit >= 0.106. Debian and Ubuntu are currently using polkit 0.105 with the old .pkla rules (and an increasingly large patch series to fix 9 years' worth of bugs and security vulnerabilities), but it has become clear that this is not sustainable, and I (Mike Gabriel) am looking at whether we can replace polkit 0.105 with version 121 or newer for Debian 12. You can try these newer versions by installing the polkitd and polkitd-javascript packages from experimental. To make this transition go smoothly, packages that ship a .pkla file should also provide an equivalent JavaScript file ${DATADIR}/polkit-1/rules.d/*.rules which will be used by newer versions of polkit. Most already do, but this is one of a few that do not. It is appropriate to contribute these .rules files upstream. System administrators can override the rules in ${DATADIR}/polkit-1/rules.d by creating a file of the same name in ${SYSCONFDIR}/polkit-1/rules.d, or add local rules by creating a file with a different name in ${SYSCONFDIR}/polkit-1/rules.d. Please don't remove the .pkla file when adding the .rules file: keep the .pkla file in place until this transition has finished. ${DATADIR}/polkit-1/actions/*.policy files are not affected by this transition: they are used by both the old and new versions of polkit.
For example, here's the .pkla file for systemd-networkd in stable, which allows the systemd-network user to take some privileged actions: https://sources.debian.org/src/systemd/247.3-7/src/network/systemd-networkd.pkla/ and here's the JavaScript equivalent: https://sources.debian.org/src/systemd/247.3-7/src/network/systemd-networkd.rules/ flatpak, fwupd and network-manager have other good examples. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015156
---
 data/50-org.Arctica-Project.arctica-greeter.rules | 33 +++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 data/50-org.Arctica-Project.arctica-greeter.rules
diff --git a/data/50-org.Arctica-Project.arctica-greeter.rules b/data/50-org.Arctica-Project.arctica-greeter.rules
new file mode 100644
index 0000000..b194628
--- /dev/null
+++ b/data/50-org.Arctica-Project.arctica-greeter.rules
@@ -0,0 +1,33 @@
+polkit.addRule (function (action, subject) {
+ if (subject.user == "lightdm") {
+ switch (action.id) {
+ // Disable Controlling of Network Devices
+ case 'org.freedesktop.NetworkManager.enable-disable-network':
+ case 'org.freedesktop.NetworkManager.enable-disable-wifi':
+ case 'org.freedesktop.NetworkManager.enable-disable-wwan':
+ case 'org.freedesktop.NetworkManager.enable-disable-wimax':
+ // Disable Sleep and Wake
+ case 'org.freedesktop.NetworkManager.sleep-wake':
+ // Disable WiFi Sharing
+ case 'org.freedesktop.NetworkManager.wifi.share.protected':
+ case 'org.freedesktop.NetworkManager.wifi.share.open':
+ // Disable Settings Modifications
+ case 'org.freedesktop.NetworkManager.settings.modify.own':
+ case 'org.freedesktop.NetworkManager.settings.modify.system':
+ case 'org.freedesktop.NetworkManager.settings.modify.hostname':
+ // Disable User Connections
+ case 'org.freedesktop.NetworkManager.use-user-connections':
+ // Enable Controlling of Network Connections
+ case 'org.freedesktop.NetworkManager.network-control':
+ return polkit.Result.NO;
+ break;
+ default:
+ /*
+ * Do nothing... for now.
+ *
+ * This means that polkit will continue scanning for other rules.
+ */
+ break;
+ }
+ }
+});
-- 
cgit v1.2.3
From 17331af5b12a5f2b7e448c9501b688395348f5a3 Mon Sep 17 00:00:00 2001
From: Mihai Moldovan
Date: Thu, 7 Dec 2023 18:57:56 +0100
Subject: data/Makefile.am: install 50-org.Arctica-Project.arctica-greeter.rules.
---
 data/Makefile.am | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/data/Makefile.am b/data/Makefile.am
index c06a300..8975d24 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
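Review bot: The `case 'org.freedesktop.NetworkManager.network-control':` label sits under the comment `// Enable Controlling of Network Connections` but falls through to the shared `return polkit.Result.NO;`, so the rule denies the one action its comment says it enables. The .pkla fragment patched earlier in this series grants that action to an active session (`ResultActive=yes`), so the two policy files disagree once polkit >= 0.106 reads this one; the deny is the fail-closed side, but it looks unintended. Either close the preceding labels with their own `return polkit.Result.NO;` and give this label a return that mirrors the .pkla, e.g. `return (subject.local && subject.active) ? polkit.Result.YES : polkit.Result.NO;`, or keep the deny and reword the comment to say the action is disabled. The `break;` directly after the `return` is unreachable and can be dropped.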
@@ -26,6 +26,11 @@ pkla_policy_DATA = \
 arctica-greeter.pkla \
 $(NULL)
 
+rules_policydir = $(datadir)/polkit-1/rules.d/
+rules_policy_DATA = \
+ 50-org.Arctica-Project.arctica-greeter.rules \
+ $(NULL)
+
 arctica-greeter-guest-session-startup.desktop: arctica-greeter-guest-session-startup.desktop.in
 $(AM_V_GEN) sed -e "s|\@pkglibexecdir\@|$(pkglibexecdir)|" $< > $@
 
-- 
cgit v1.2.3
From 0db687fa2d86a5dee9a9a25eac9342acf260ab87 Mon Sep 17 00:00:00 2001
From: Mihai Moldovan
Date: Fri, 8 Dec 2023 18:20:04 +0100
Subject: debian/arctica-greeter.install: add polkit JS rules file.
---
 debian/arctica-greeter.install | 1 +
 1 file changed, 1 insertion(+)
diff --git a/debian/arctica-greeter.install b/debian/arctica-greeter.install
index 6ccf84f..9caa00f 100644
--- a/debian/arctica-greeter.install
+++ b/debian/arctica-greeter.install
@@ -7,6 +7,7 @@ usr/share/glib-2.0/
 usr/share/lightdm/lightdm.conf.d/50-arctica-greeter.conf
 usr/share/locale/
 usr/share/man/man1/
+usr/share/polkit-1/rules.d/50-org.Arctica-Project.arctica-greeter.rules
 usr/share/sounds/
 usr/share/xgreeters/
 usr/libexec/arctica-greeter/lightdm-arctica-greeter-session
-- 
cgit v1.2.3
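Review bot: In the data/Makefile.am hunk, `rules_policy_DATA` is a plain `_DATA` primary, which automake installs but does not add to the distribution tarball by itself. Unless `EXTRA_DIST` (not visible in this hunk) also lists the new file, a `make dist` tarball would lack `50-org.Arctica-Project.arctica-greeter.rules` and the deny rules would not ship with builds made from it; writing the primary as `dist_rules_policy_DATA = \` covers that in place. A one-line comment above `rules_policydir`, such as `# polkit >= 0.106 JavaScript rules; the .pkla above is only read by polkit 0.105`, would also tell the next maintainer that the two files must be kept in step.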