File 0011-whitelist-polkit-untracked-privilege.diff of Package polkit-default-privs
From 2774d489eb03a855af3f196fc151f78c61e6ad1e Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Mon, 12 Mar 2018 12:01:24 +0100 Subject: [PATCH 1/6] polkit-default-privs: mass whitelisting of untracked privileges rpmlint-Factory rules are about to be tightened (sr#579618). The "untracked-privileges" are now also an error. See https://lists.opensuse.org/opensuse-factory/2018-02/msg01044.html for the rationale. To keep things working for packages already accepted to Factory we are doing this amnesty whitelisting ahead of the code reviews. --- polkit-default-privs.restrictive | 49 ++++++++++++++++++++++++++++++++ polkit-default-privs.standard | 49 ++++++++++++++++++++++++++++++++ 2 files changed, 98 insertions(+) diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive index 5173320..3b09116 100644 --- a/polkit-default-privs.restrictive +++ b/polkit-default-privs.restrictive @@ -401,6 +401,9 @@ org.xfce.power.backlight-helper auth_admin:auth_ org.cinnamon.settings-daemon.plugins.power.backlight-helper no:no:yes org.cinnamon.settingsdaemon.datetimemechanism.configure no:no:auth_admin_keep +# cinnamon settings-daemon (bsc#1083067) +org.cinnamon.settings-users auth_admin + # hp-drive-guard com.hp.driveguard.toggle auth_admin @@ -461,6 +464,9 @@ org.freedesktop.packagekit.clear-offline-update auth_admin_keep org.freedesktop.packagekit.package-reinstall auth_admin:auth_admin:auth_admin_keep org.freedesktop.packagekit.package-downgrade auth_admin:auth_admin:auth_admin_keep +# PackageKit (bnc#993505) +org.freedesktop.packagekit.trigger-offline-upgrade no:auth_admin:auth_admin + # # gparted (bnc#810888) # 
@@ -755,6 +761,9 @@ org.a11y.brlapi.write-display auth_admin_keep # sysprof (bsc#996111) org.gnome.sysprof2.perf-event-open auth_admin_keep +# sysprof (bsc#1083055) +org.gnome.sysprof2.get-kernel-symbols auth_admin_keep + # flatpak (bsc#984817) org.freedesktop.Flatpak.app-install auth_admin:auth_admin:auth_admin_keep org.freedesktop.Flatpak.runtime-install auth_admin:auth_admin:auth_admin_keep @@ -781,6 +790,9 @@ org.blueman.dhcp.client auth_admin:auth_admin_keep:auth_admin_keep org.blueman.pppd.pppconnect auth_admin:auth_admin_keep:auth_admin_keep org.blueman.rfkill.setstate auth_admin:auth_admin_keep:auth_admin_keep +# blueman (bsc#1083066) +org.blueman.bluez.config no:no:auth_admin_keep + # tuned (bsc#1007279) com.redhat.tuned.gui.run auth_admin com.redhat.tuned.active_profile yes @@ -814,6 +826,9 @@ org.freedesktop.fwupd.verify-update auth_admin:no:auth_admin_keep org.freedesktop.fwupd.update-internal-trusted auth_admin:no:auth_admin_keep org.freedesktop.fwupd.update-hotplug-trusted auth_admin:no:auth_admin_keep +# fwupd (bsc#1083022) +org.freedesktop.fwupd.modify-remote auth_admin:no:auth_admin_keep + # deja-dup (bsc#1058935) org.gnome.DejaDup.duplicity no:no:auth_admin 
@@ -821,4 +836,38 @@ org.gnome.DejaDup.duplicity no:no:auth_admin net.connman.modify auth_admin_keep net.connman.vpn.modify auth_admin_keep +# connman (bsc#1083069) +net.connman.secret no:no:auth_admin_keep +net.connman.vpn.secret no:no:auth_admin_keep + +# gsmartcontrol (bsc#1084693) +org.gsmartcontrol auth_admin + +# gvfs (bsc#1073214) +org.gtk.vfs.file-operations no:no:auth_admin_keep +org.gtk.vfs.file-operations-helper no:no:auth_admin_keep + +# laptop-mode-tools (bsc#1084695) +org.linux.lmt.gui.policy auth_admin + +# mate-system-monitor (bsc#1084701) +org.mate.mate-system-monitor.kill no:no:auth_admin +org.mate.mate-system-monitor.renice no:no:auth_admin + +# nemo (bsc#1084702) +org.nemo.root no:no:auth_admin_keep + +# nemo-extensions (bsc#1084703) +org.nemo-share.samba_install no:no:auth_admin_keep + +# pantheon-files (bsc#1084704) +org.freedesktop.policykit.pkexec.pantheon-files auth_admin:auth_admin:auth_admin +org.freedesktop.policykit.pkexec.io.elementary.files auth_admin:auth_admin:auth_admin + +# scap-workbench (bsc#1084706) +scap-workbench-oscap.run auth_admin:auth_admin:auth_admin + +# spice-gtk (bsc#1083025) +org.spice-space.lowlevelusbaccess no:no:auth_admin + ### diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard index c5d2de9..9cd9f80 100644 --- a/polkit-default-privs.standard +++ b/polkit-default-privs.standard @@ -420,6 +420,9 @@ org.xfce.power.backlight-helper no:no:yes org.cinnamon.settings-daemon.plugins.power.backlight-helper no:no:yes org.cinnamon.settingsdaemon.datetimemechanism.configure no:no:auth_admin_keep +# blueman (bsc#1083066) +org.cinnamon.settings-users auth_admin + # hp-drive-guard com.hp.driveguard.toggle auth_admin com.hp.driveguard.install-setup auth_admin 
@@ -478,6 +481,9 @@ org.freedesktop.packagekit.clear-offline-update auth_admin_keep:auth_admin_kee org.freedesktop.packagekit.package-reinstall auth_admin:auth_admin:auth_admin_keep org.freedesktop.packagekit.package-downgrade auth_admin:auth_admin:auth_admin_keep +# PackageKit (bnc#993505) +org.freedesktop.packagekit.trigger-offline-upgrade auth_admin:auth_admin:auth_admin + # # gparted (bnc#810888) # @@ -818,6 +824,9 @@ org.a11y.brlapi.write-display no:no:yes # sysprof (bsc#996111) org.gnome.sysprof2.perf-event-open auth_admin_keep +# sysprof (bsc#1083055) +org.gnome.sysprof2.get-kernel-symbols auth_admin_keep + # flatpak (bsc#984817) org.freedesktop.Flatpak.app-install auth_admin:auth_admin:auth_admin_keep org.freedesktop.Flatpak.runtime-install auth_admin:auth_admin:auth_admin_keep @@ -844,6 +853,9 @@ org.blueman.dhcp.client auth_admin:auth_admin_keep:yes org.blueman.pppd.pppconnect auth_admin:auth_admin_keep:yes org.blueman.rfkill.setstate auth_admin:auth_admin_keep:yes +# blueman (bsc#1083066) +org.blueman.bluez.config no:no:auth_admin_keep + # tuned (bsc#1007279) com.redhat.tuned.gui.run auth_admin com.redhat.tuned.active_profile yes @@ -882,6 +894,9 @@ org.freedesktop.fwupd.verify-update auth_admin:no:auth_admin_keep org.freedesktop.fwupd.update-internal-trusted auth_admin:no:yes org.freedesktop.fwupd.update-hotplug-trusted auth_admin:no:yes +# fwupd (bsc#1083022) +org.freedesktop.fwupd.modify-remote auth_admin:no:auth_admin_keep + # deja-dup (bsc#1058935) org.gnome.DejaDup.duplicity no:no:auth_admin 
@@ -889,4 +904,38 @@ org.gnome.DejaDup.duplicity no:no:auth_admin net.connman.modify auth_admin_keep net.connman.vpn.modify auth_admin_keep +# connman (bsc#1083069) +net.connman.secret no:no:auth_admin_keep +net.connman.vpn.secret no:no:auth_admin_keep_session + +# gsmartcontrol (bsc#1084693) +org.gsmartcontrol auth_admin + +# gvfs (bsc#1073214) +org.gtk.vfs.file-operations no:no:auth_admin_keep +org.gtk.vfs.file-operations-helper no:no:auth_admin_keep + +# laptop-mode-tools (bsc#1084695) +org.linux.lmt.gui.policy auth_admin + +# mate-system-monitor (bsc#1084701) +org.mate.mate-system-monitor.kill no:no:auth_admin_keep +org.mate.mate-system-monitor.renice no:no:auth_admin_keep + +# nemo (bsc#1084702) +org.nemo.root no:no:auth_admin_keep + +# nemo-extensions (bsc#1084703) +org.nemo-share.samba_install no:no:auth_admin_keep + +# pantheon-files (bsc#1084704) +org.freedesktop.policykit.pkexec.pantheon-files auth_admin:auth_admin:auth_admin +org.freedesktop.policykit.pkexec.io.elementary.files auth_admin:auth_admin:auth_admin + +# scap-workbench (bsc#1084706) +scap-workbench-oscap.run auth_admin_keep:auth_admin_keep:auth_admin_keep + +# spice-gtk (bsc#1083025) +org.spice-space.lowlevelusbaccess auth_admin:no:auth_admin + ### -- 2.21.0 From cbfcb086ca65742e8862f80fee488de741a3521c Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Thu, 15 Nov 2018 18:22:26 +0100 Subject: [PATCH 2/6] spice-gtk: relax lowlevelusbaccess requirements The spice-gtk setuid helper binary is already only accessible to members of the kvm group. So we skip the password prompt for locally logged in users in the standard profile. --- polkit-default-privs.standard | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard index 9cd9f80..a023cc0 100644 --- a/polkit-default-privs.standard +++ b/polkit-default-privs.standard 
@@ -936,6 +936,6 @@ org.freedesktop.policykit.pkexec.io.elementary.files auth_admin:auth_admin:auth_ scap-workbench-oscap.run auth_admin_keep:auth_admin_keep:auth_admin_keep # spice-gtk (bsc#1083025) -org.spice-space.lowlevelusbaccess auth_admin:no:auth_admin +org.spice-space.lowlevelusbaccess auth_admin:no:yes ### -- 2.21.0 From ac162371c5853c1bf4a3e36e7cfa75467c26080f Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Wed, 28 Mar 2018 17:41:45 +0200 Subject: [PATCH 3/6] polkit-default-privs: some more amnesty whitelisting of untracked privileges systemd and bleachbit are still affected by the more picky rpmlint rules. --- polkit-default-privs.restrictive | 8 ++++++++ polkit-default-privs.standard | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive index 3b09116..0795331 100644 --- a/polkit-default-privs.restrictive +++ b/polkit-default-privs.restrictive @@ -870,4 +870,12 @@ scap-workbench-oscap.run auth_admin:auth_admin:auth_admin # spice-gtk (bsc#1083025) org.spice-space.lowlevelusbaccess no:no:auth_admin +# bleachbit (bsc#1087326) +org.bleachbit auth_admin + +# systemd, systemd-mini (bsc#1087328) +org.freedesktop.login1.halt auth_admin_keep +org.freedesktop.login1.halt-ignore-inhibit auth_admin_keep +org.freedesktop.login1.halt-multiple-sessions auth_admin_keep + ### diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard index a023cc0..209210a 100644 --- a/polkit-default-privs.standard +++ b/polkit-default-privs.standard 
@@ -938,4 +938,12 @@ scap-workbench-oscap.run auth_admin_keep:auth_admin_keep:auth_admin_keep # spice-gtk (bsc#1083025) org.spice-space.lowlevelusbaccess auth_admin:no:yes +# bleachbit (bsc#1087326) +org.bleachbit auth_admin + +# systemd, systemd-mini (bsc#1087328) +org.freedesktop.login1.halt auth_admin_keep +org.freedesktop.login1.halt-ignore-inhibit auth_admin_keep +org.freedesktop.login1.halt-multiple-sessions auth_admin_keep + ### -- 2.21.0 From 6c09069f1c9001063ea2ed95cbfae4d2808ff648 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Thu, 3 Jan 2019 17:28:23 +0100 Subject: [PATCH 4/6] luckybackup: initial whitelisting of polkit pkexec action (bsc#1120403) --- polkit-default-privs.restrictive | 4 ++++ polkit-default-privs.standard | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive index 0795331..f2d4676 100644 --- a/polkit-default-privs.restrictive +++ b/polkit-default-privs.restrictive @@ -878,4 +878,8 @@ org.freedesktop.login1.halt auth_admin_keep org.freedesktop.login1.halt-ignore-inhibit auth_admin_keep org.freedesktop.login1.halt-multiple-sessions auth_admin_keep +# luckybackup (bsc#1120403) +# Don't relax this, it runs rsync with arbitrary parameters +net.luckybackup.su auth_admin + ### diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard index 209210a..6c71f06 100644 --- a/polkit-default-privs.standard +++ b/polkit-default-privs.standard @@ -946,4 +946,8 @@ org.freedesktop.login1.halt auth_admin_keep org.freedesktop.login1.halt-ignore-inhibit auth_admin_keep org.freedesktop.login1.halt-multiple-sessions auth_admin_keep +# luckybackup (bsc#1120403) +# Don't relax this, it runs rsync with arbitrary parameters +net.luckybackup.su auth_admin + ### -- 2.21.0 From 7e71b1f1efd8fda5a47dc26b8c99c566028fb2fd Mon Sep 17 00:00:00 2001 
From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Thu, 15 Nov 2018 16:17:28 +0100 Subject: [PATCH 5/6] blueman: relax standard profile rules, drop unneeded bluez.config rule (bsc#1083066) The bluez.config rule was never used and with upstream version 2.0.6 it has also been formally dropped. The other blueman rules need to be more relaxed as users are complaining about multiple root password prompts right after login. --- polkit-default-privs.restrictive | 3 --- polkit-default-privs.standard | 3 --- 2 files changed, 6 deletions(-) diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive index f2d4676..89f7bad 100644 --- a/polkit-default-privs.restrictive +++ b/polkit-default-privs.restrictive @@ -790,9 +790,6 @@ org.blueman.dhcp.client auth_admin:auth_admin_keep:auth_admin_keep org.blueman.pppd.pppconnect auth_admin:auth_admin_keep:auth_admin_keep org.blueman.rfkill.setstate auth_admin:auth_admin_keep:auth_admin_keep -# blueman (bsc#1083066) -org.blueman.bluez.config no:no:auth_admin_keep - # tuned (bsc#1007279) com.redhat.tuned.gui.run auth_admin com.redhat.tuned.active_profile yes diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard index 6c71f06..c50423c 100644 --- a/polkit-default-privs.standard +++ b/polkit-default-privs.standard @@ -853,9 +853,6 @@ org.blueman.dhcp.client auth_admin:auth_admin_keep:yes org.blueman.pppd.pppconnect auth_admin:auth_admin_keep:yes org.blueman.rfkill.setstate auth_admin:auth_admin_keep:yes -# blueman (bsc#1083066) -org.blueman.bluez.config no:no:auth_admin_keep - # tuned (bsc#1007279) com.redhat.tuned.gui.run auth_admin com.redhat.tuned.active_profile yes -- 2.21.0 From edbe7f6f2b9574e1369abe91a83d9f79fb486773 Mon Sep 17 00:00:00 2001 
From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Tue, 24 Apr 2018 15:05:21 +0200 Subject: [PATCH 6/6] polkit-default-privs: whitelisting renamed kalarm polkit actions --- polkit-default-privs.restrictive | 2 ++ polkit-default-privs.standard | 2 ++ 2 files changed, 4 insertions(+) diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive index 89f7bad..891d0fc 100644 --- a/polkit-default-privs.restrictive +++ b/polkit-default-privs.restrictive @@ -324,6 +324,8 @@ org.kde.powerdevil.discretegpuhelper.hasdualgpu no:no:yes # kdepim4/kalarm (bnc#707723) org.kde.kalarmrtcwake.settimer auth_admin_keep +# kalarm (bnc#1087714, renamed from kalarmrtcwake) +org.kde.kalarm.rtcwake.settimer auth_admin_keep # sddm kcm oepration (bnc#904313) org.kde.kcontrol.kcmsddm.save auth_admin diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard index c50423c..aca1738 100644 --- a/polkit-default-privs.standard +++ b/polkit-default-privs.standard @@ -337,6 +337,8 @@ org.kde.powerdevil.discretegpuhelper.hasdualgpu yes # kdepim4/kalarm (bnc#707723) org.kde.kalarmrtcwake.settimer auth_admin_keep +# kalarm (bnc#1087714, renamed from kalarmrtcwake) +org.kde.kalarm.rtcwake.settimer auth_admin_keep # sddm kcm oepration (bnc#904313) org.kde.kcontrol.kcmsddm.save auth_admin -- 2.21.0
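Review bot: In [PATCH 1/6], the polkit-default-privs.standard hunk at @@ -420,6 +420,9 labels the new `org.cinnamon.settings-users auth_admin` entry with `# blueman (bsc#1083066)`, while the matching hunk in polkit-default-privs.restrictive uses `# cinnamon settings-daemon (bsc#1083067)`. The standard-profile comment looks like a copy-paste slip. It should read `# cinnamon settings-daemon (bsc#1083067)` so the bug reference for this action is the same in both profiles.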
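Review bot: In [PATCH 1/6], the polkit-default-privs.standard hunk at @@ -889,4 +904,38 sets `net.connman.vpn.secret no:no:auth_admin_keep_session`, the only use of `auth_admin_keep_session` anywhere in this series. `net.connman.secret` one line above it, and both connman entries in the restrictive profile, use `no:no:auth_admin_keep`. Please confirm the value is intended and is accepted by the tooling that consumes this file, or change it to `auth_admin_keep` to match its sibling.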
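Review bot: In [PATCH 2/6], the change of `org.spice-space.lowlevelusbaccess` to `auth_admin:no:yes` rests on the setuid helper being accessible only to members of the kvm group, but that reasoning exists only in the commit message. Add a comment line above the entry in polkit-default-privs.standard stating this dependency, in the way the luckybackup entry in [PATCH 4/6] carries "Don't relax this, it runs rsync with arbitrary parameters", so that a later change to the helper's group restriction prompts a re-review of the `yes`.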
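Review bot: In [PATCH 5/6], the subject and message announce relaxed blueman rules for the standard profile, but the diffstat is 6 deletions and both hunks only remove `org.blueman.bluez.config no:no:auth_admin_keep` together with its comment. The remaining `org.blueman.*` lines appear only as unchanged context (already `auth_admin:auth_admin_keep:yes` in the standard file). Either include the relaxation in this patch or trim the message to the rule removal, so the log does not record a policy change that is not in the diff.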
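Review bot: In [PATCH 6/6], both hunks add `org.kde.kalarm.rtcwake.settimer auth_admin_keep` directly under the old `org.kde.kalarmrtcwake.settimer auth_admin_keep` entry with no separating blank line, and the old entry stays in place. Since the new comment says the action was renamed, add a short note on when the `kalarmrtcwake` line can be dropped, and put a blank line before `# kalarm (bnc#1087714, renamed from kalarmrtcwake)` to match the other blocks added in this series.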