author | Nicolás Reynolds <fauno@endefensadelsl.org> | 2013-10-08 22:20:37 -0300 |
---|---|---|
committer | Nicolás Reynolds <fauno@endefensadelsl.org> | 2013-10-08 22:20:37 -0300 |
commit | fccf9769e2c26f577f6214ed9d0dbb30cb8c51bd (patch) | |
tree | cc5312eeed95e18d8e2c6009c568f3d32501bc01 /extra/rtkit | |
parent | 69962c022fb4ed68b9163e60183fff714308e4e3 (diff) | |
parent | 3a0ad5dc35d5cff379cdfc736b9cae856416fe6a (diff) |
Merge branch 'master' of ssh://vparabola/home/parabola/abslibre-pre-mips64el
Conflicts:
community/abe/PKGBUILD
community/account-plugins/PKGBUILD
community/adesklets/PKGBUILD
community/aircrack-ng/PKGBUILD
community/audit/PKGBUILD
community/bchunk/PKGBUILD
community/bibutils/PKGBUILD
community/cantata/PKGBUILD
community/cdck/PKGBUILD
community/cinnamon-control-center/PKGBUILD
community/clusterssh/PKGBUILD
community/consonance/PKGBUILD
community/credentials-preferences/PKGBUILD
community/dee/PKGBUILD
community/dosbox/PKGBUILD
community/drbd/PKGBUILD
community/dvdisaster/PKGBUILD
community/ekg/PKGBUILD
community/ekg2/PKGBUILD
community/emelfm2/PKGBUILD
community/erlang/PKGBUILD
community/ettercap/PKGBUILD
community/evilwm/PKGBUILD
community/fatrat/PKGBUILD
community/fcitx-mozc/PKGBUILD
community/fcrackzip/PKGBUILD
community/ffmpegsource/PKGBUILD
community/fssos-nsvs/PKGBUILD
community/geda-gaf/PKGBUILD
community/gnome-applets/PKGBUILD
community/gnome-panel/PKGBUILD
community/gnustep-make/PKGBUILD
community/gwibber/PKGBUILD
community/html2text/PKGBUILD
community/intellij-idea-libs/PKGBUILD
community/libcgns2/PKGBUILD
community/libmatio/PKGBUILD
community/librcc/PKGBUILD
community/libsignon-glib/PKGBUILD
community/linux-tools/PKGBUILD
community/minitube/PKGBUILD
community/mpdscribble/PKGBUILD
community/mplayer2/PKGBUILD
community/musepack-tools/PKGBUILD
community/nginx/PKGBUILD
community/pam_pwcheck/PKGBUILD
community/portaudio/PKGBUILD
community/portaudio_cpp/PKGBUILD
community/prelink/PKGBUILD
community/projectm/PKGBUILD
community/prosody/PKGBUILD
community/python-basemap/PKGBUILD
community/qgit/PKGBUILD
community/raptor1/PKGBUILD
community/sensors-applet/PKGBUILD
community/signon-keyring-extension/PKGBUILD
community/signon-plugin-oauth2/PKGBUILD
community/signon-ui/PKGBUILD
community/sshguard/PKGBUILD
community/tea/PKGBUILD
community/tint2/PKGBUILD
community/tremulous/PKGBUILD
community/vobcopy/PKGBUILD
community/windowlab/PKGBUILD
community/xdelta/PKGBUILD
community/xmms2/PKGBUILD
community/xosd/PKGBUILD
core/gdbm/PKGBUILD
core/heirloom-mailx/PKGBUILD
core/libffi/PKGBUILD
core/procps-ng/PKGBUILD
core/systemd/PKGBUILD
core/tar/PKGBUILD
cross/mips64el-unknown-linux-gnu-linux-libre-api-headers/PKGBUILD
extra/arj/PKGBUILD
extra/audacity/PKGBUILD
extra/cdparanoia/PKGBUILD
extra/elfutils/PKGBUILD
extra/fltk/PKGBUILD
extra/gnome-python-desktop/PKGBUILD
extra/gstreamer/PKGBUILD
extra/gtk2/PKGBUILD
extra/gvfs/PKGBUILD
extra/imagemagick/PKGBUILD
extra/indent/PKGBUILD
extra/kdepim/PKGBUILD
extra/lcms/PKGBUILD
extra/lesstif/PKGBUILD
extra/libchewing/PKGBUILD
extra/libdrm/PKGBUILD
extra/libmodplug/PKGBUILD
extra/libnotify/PKGBUILD
extra/libsm/PKGBUILD
extra/libxmu/PKGBUILD
extra/libxpm/PKGBUILD
extra/mariadb/PKGBUILD
extra/mesa/PKGBUILD
extra/mkvtoolnix/PKGBUILD
extra/neon/PKGBUILD
extra/ocaml/PKGBUILD
extra/phonon-vlc/PKGBUILD
extra/php-xcache/PKGBUILD
extra/polkit/PKGBUILD
extra/pycups/PKGBUILD
extra/python-cairo/PKGBUILD
extra/python/PKGBUILD
extra/ruby/PKGBUILD
extra/sqlite/PKGBUILD
extra/talloc/PKGBUILD
extra/thunar-archive-plugin/PKGBUILD
extra/totem-plparser/PKGBUILD
extra/totem/PKGBUILD
extra/vinagre/PKGBUILD
extra/vino/PKGBUILD
extra/vlc/PKGBUILD
extra/wget/PKGBUILD
extra/xine-lib/PKGBUILD
extra/xorg-server/PKGBUILD
extra/xorg-twm/PKGBUILD
extra/xorg-xclipboard/PKGBUILD
extra/xorg-xclock/PKGBUILD
extra/xorg-xkill/PKGBUILD
extra/xorg-xlsclients/PKGBUILD
extra/xorg-xman/PKGBUILD
extra/xorg-xrdb/PKGBUILD
extra/xpdf/PKGBUILD
extra/xvidcore/PKGBUILD
extra/yelp/PKGBUILD
libre/audacious-plugins-libre/PKGBUILD
libre/mc-libre/PKGBUILD
libre/python2-reportlab-libre/PKGBUILD
Diffstat (limited to 'extra/rtkit')
-rw-r--r-- | extra/rtkit/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch | 48 | ||||
-rw-r--r-- | extra/rtkit/PKGBUILD | 13 | ||||
-rw-r--r-- | extra/rtkit/systemd205.patch | 16 |
3 files changed, 73 insertions, 4 deletions
diff --git a/extra/rtkit/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch b/extra/rtkit/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
new file mode 100644
index 000000000..92e54b950
--- /dev/null
+++ b/extra/rtkit/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
@@ -0,0 +1,48 @@
+From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 22 Aug 2013 16:05:22 -0400
+Subject: [PATCH] [SECURITY] Pass uid of caller to polkit
+
+Otherwise, we force polkit to look up the uid itself in /proc, which
+is racy if they execve() a setuid binary.
+---
+ rtkit-daemon.c | 11 ++++++++++-
+ 1 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/rtkit-daemon.c b/rtkit-daemon.c
+index 2ebe673..3ecc1f7 100644
+--- a/rtkit-daemon.c
++++ b/rtkit-daemon.c
+@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+ DBusMessage *m = NULL, *r = NULL;
+ const char *unix_process = "unix-process";
+ const char *pid = "pid";
++ const char *uid = "uid";
+ const char *start_time = "start-time";
+ const char *cancel_id = "";
+ uint32_t flags = 0;
+ uint32_t pid_u32 = p->pid;
+- uint64_t start_time_u64 = p->starttime;
++ uint32_t uid_u32 = (uint32_t)u->uid;
+ DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
++ uint64_t start_time_u64 = p->starttime;
+ int ret;
+ dbus_bool_t authorized = FALSE;
+
+@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
+
++ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
++ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
++ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
++ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
++ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
++ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++
+ assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
+ assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
+
+--
+1.7.1
+
diff --git a/extra/rtkit/PKGBUILD b/extra/rtkit/PKGBUILD
index b0aeb467b..d81cbd75b 100644
--- a/extra/rtkit/PKGBUILD
+++ b/extra/rtkit/PKGBUILD
@@ -1,10 +1,10 @@
-# $Id: PKGBUILD 185307 2013-05-13 06:17:53Z heftig $
+# $Id: PKGBUILD 195870 2013-10-02 22:42:11Z heftig $
 # Maintainer: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
 # Contributor: Corrado Primier <bardo@aur.archlinux.org>
 pkgname=rtkit
 pkgver=0.11
-pkgrel=2
+pkgrel=4
 pkgdesc="Realtime Policy and Watchdog Daemon"
 arch=('i686' 'x86_64' 'mips64el')
 url="http://git.0pointer.de/?p=rtkit.git"
@@ -12,13 +12,18 @@
 license=(GPL 'custom:BSD')
 depends=(dbus polkit systemd)
 install=rtkit.install
 source=(http://0pointer.de/public/$pkgname-$pkgver.tar.xz
- libsystemd.patch)
+ libsystemd.patch systemd205.patch
+ 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch)
 md5sums=('a96c33b9827de66033d2311f82d79a5d'
- '35089c0a284005f4abcf45168415857e')
+ '35089c0a284005f4abcf45168415857e'
+ '95195a70551057aca833da6bdbf2e35b'
+ '70df212cba2a6366ff960b60d55858d3')
 prepare() {
 cd $pkgname-$pkgver
 patch -Np1 -i ../libsystemd.patch
+ patch -Np1 -i ../systemd205.patch
+ patch -Np1 -i ../0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
 autoreconf -fi
 }
diff --git a/extra/rtkit/systemd205.patch b/extra/rtkit/systemd205.patch
new file mode 100644
index 000000000..3f17b2ddb
--- /dev/null
+++ b/extra/rtkit/systemd205.patch
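Review bot: The added `uint32_t uid_u32 = (uint32_t)u->uid;` forwards whatever uid is stored in `struct rtkit_user`, and neither inner hunk shows where that field is filled in (verify_polkit starts and ends outside both). The race named in the patch description is closed only if that uid was obtained from the bus daemon's credentials for the sender; if it was itself read from /proc for `p->pid`, the same execve()-of-a-setuid-binary window would remain, so the caller that builds `u` should be checked. I would also add a comment above the declaration, for example `/* uid as authenticated by the bus; sent so polkit does not have to read it from /proc, which races with execve() of a setuid binary */`, because the reason for the extra dict entry is otherwise only recorded in the commit message. The move of `start_time_u64` below the `DBusMessageIter` declaration is unrelated to the fix and could be dropped to keep the security patch minimal.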
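Review bot: The two entries added to `md5sums=(...)` are the only integrity check on the new patches, and the array also covers a tarball fetched over plain `http://0pointer.de/public/...`, so a checksum that is not collision-resistant is a weak anchor for a package that now carries a [SECURITY] fix. I would replace the array with `sha256sums=(...)`, regenerated from files whose origin has been verified. The context line `depends=(dbus polkit systemd)` is unversioned, while the new uid entry presumably helps only when the installed polkit reads it, so consider `polkit>=<first version that accepts the uid key>` there. A comment above the new `patch -Np1 -i ../0001-SECURITY-Pass-uid-of-caller-to-polkit.patch` line naming the upstream commit (`f44c5776b25ca2abd7569fb8532c6aede9b0c6b0`, from the patch header) would tell a later maintainer when the patch can be dropped.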
@@ -0,0 +1,16 @@
+diff -u -r rtkit-0.11/rtkit-daemon.service.in rtkit-0.11-sd205/rtkit-daemon.service.in
+--- rtkit-0.11/rtkit-daemon.service.in 2012-05-15 15:25:40.000000000 +0200
++++ rtkit-0.11-sd205/rtkit-daemon.service.in 2013-07-25 10:27:37.790884664 +0200
+@@ -24,12 +24,7 @@
+ BusName=org.freedesktop.RealtimeKit1
+ NotifyAccess=main
+ CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
+-PrivateTmp=yes
+ PrivateNetwork=yes
+
+-# Work around the fact that the Linux currently doesn't assign any RT
+-# budget to CPU control groups that have none configured explicitly
+-ControlGroup=cpu:/
+-
+ [Install]
+ WantedBy=graphical.target |
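Review bot: Removing `PrivateTmp=yes` takes a sandboxing layer away from a daemon whose `CapabilityBoundingSet` still lists CAP_SYS_PTRACE, CAP_SETUID and CAP_SETGID, and nothing in the patch says why it has to go together with `ControlGroup=cpu:/`. If the file name means both lines are incompatible with a newer systemd, a short header in the patch stating that for each removed directive would let a later maintainer restore the hardening once it works again. If only `ControlGroup=` is the incompatibility, keep `PrivateTmp=yes`. The unit section these directives belong to starts outside the inner hunk, so the remaining hardening options cannot be judged from here.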