* [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116
@ 2019-12-06 23:46 aduskett at gmail.com
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 2/6] package/polkit: support different authentication frameworks aduskett at gmail.com
                   ` (5 more replies)
  0 siblings, 6 replies; 20+ messages in thread
From: aduskett at gmail.com @ 2019-12-06 23:46 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

Other changes:
  - Add spidermonkey as a dependency.
  - Add 0001-make-netgroup-support-optional.patch to allow building on musl.
  - Add a runtime dependency on dbus.
  - Add --disable-libelogind.
  - Add --disable-libsystemd-login.
  - Update dependencies for systemd pam support.
  - Update dependencies for udisks.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
changes v1 -> v6:
  - Add depends on BR2_HOST_GCC_AT_LEAST_4_9 to the following:
    - package/polkit/Config.in
    - package/systemd/Config.in
    - package/udisks/Config.in

 DEVELOPERS                                    |   1 +
 .../0001-make-netgroup-support-optional.patch | 232 ++++++++++++++++++
 package/polkit/Config.in                      |  25 +-
 package/polkit/polkit.hash                    |   2 +-
 package/polkit/polkit.mk                      |   8 +-
 package/systemd/Config.in                     |  16 +-
 package/udisks/Config.in                      |  27 +-
 7 files changed, 293 insertions(+), 18 deletions(-)
 create mode 100644 package/polkit/0001-make-netgroup-support-optional.patch

diff --git a/DEVELOPERS b/DEVELOPERS
index e9546a7299..d5fd6e0e93 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -53,6 +53,7 @@ F:	package/openjdk/
 F:	package/openjdk-bin/
 F:	package/php/
 F:	package/policycoreutils/
+F:	package/polkit/
 F:	package/python3/
 F:	package/python-aioredis/
 F:	package/python-asgiref/
diff --git a/package/polkit/0001-make-netgroup-support-optional.patch b/package/polkit/0001-make-netgroup-support-optional.patch
new file mode 100644
index 0000000000..f96738c910
--- /dev/null
+++ b/package/polkit/0001-make-netgroup-support-optional.patch
@@ -0,0 +1,232 @@
+From 21aa2747e8f0048759aab184b07dd6389666d5e6 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 22 May 2019 13:18:55 -0700
+Subject: [PATCH] make netgroup support optional
+
+On at least Linux/musl and Linux/uclibc, netgroup
+support is not available.  PolKit fails to compile on these systems
+for that reason.
+
+This change makes netgroup support conditional on the presence of the
+setnetgrent(3) function which is required for the support to work.  If
+that function is not available on the system, an error will be returned
+to the administrator if unix-netgroup: is specified in configuration.
+
+Fixes bug 50145.
+
+Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Adam Duskett <aduskett@gmail.com>
+---
+ configure.ac                                     |  2 +-
+ src/polkit/polkitidentity.c                      | 16 ++++++++++++++++
+ src/polkit/polkitunixnetgroup.c                  |  3 +++
+ .../polkitbackendinteractiveauthority.c          | 14 ++++++++------
+ src/polkitbackend/polkitbackendjsauthority.cpp   |  2 ++
+ test/polkit/polkitidentitytest.c                 |  9 ++++++++-
+ test/polkit/polkitunixnetgrouptest.c             |  3 +++
+ .../test-polkitbackendjsauthority.c              |  2 ++
+ 8 files changed, 43 insertions(+), 8 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXP
+ 	     [AC_MSG_ERROR([Can't find expat library. Please install expat.])])
+ AC_SUBST(EXPAT_LIBS)
+ 
+-AC_CHECK_FUNCS(clearenv fdatasync)
++AC_CHECK_FUNCS(clearenv fdatasync setnetgrent)
+ 
+ if test "x$GCC" = "xyes"; then
+   LDFLAGS="-Wl,--as-needed $LDFLAGS"
+--- a/src/polkit/polkitidentity.c
++++ b/src/polkit/polkitidentity.c
+@@ -182,7 +182,15 @@ polkit_identity_from_string  (const gcha
+     }
+   else if (g_str_has_prefix (str, "unix-netgroup:"))
+     {
++#ifndef HAVE_SETNETGRENT
++      g_set_error (error,
++                   POLKIT_ERROR,
++                   POLKIT_ERROR_FAILED,
++                   "Netgroups are not available on this machine ('%s')",
++                   str);
++#else
+       identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1);
++#endif
+     }
+ 
+   if (identity == NULL && (error != NULL && *error == NULL))
+@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVaria
+       GVariant *v;
+       const char *name;
+ 
++#ifndef HAVE_SETNETGRENT
++      g_set_error (error,
++                   POLKIT_ERROR,
++                   POLKIT_ERROR_FAILED,
++                   "Netgroups are not available on this machine");
++      goto out;
++#else
+       v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
+       if (v == NULL)
+         {
+@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVaria
+       name = g_variant_get_string (v, NULL);
+       ret = polkit_unix_netgroup_new (name);
+       g_variant_unref (v);
++#endif
+     }
+   else
+     {
+--- a/src/polkit/polkitunixnetgroup.c
++++ b/src/polkit/polkitunixnetgroup.c
+@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUni
+ PolkitIdentity *
+ polkit_unix_netgroup_new (const gchar *name)
+ {
++#ifndef HAVE_SETNETGRENT
++  g_assert_not_reached();
++#endif
+   g_return_val_if_fail (name != NULL, NULL);
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
+                                        "name", name,
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity
+   GList *ret;
+ 
+   ret = NULL;
++#ifdef HAVE_SETNETGRENT
+   name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group));
+ 
+-#ifdef HAVE_SETNETGRENT_RETURN
++# ifdef HAVE_SETNETGRENT_RETURN
+   if (setnetgrent (name) == 0)
+     {
+       g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno));
+       goto out;
+     }
+-#else
++# else
+   setnetgrent (name);
+-#endif
++# endif /* HAVE_SETNETGRENT_RETURN */
+ 
+   for (;;)
+     {
+-#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
++# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
+       const char *hostname, *username, *domainname;
+-#else
++# else
+       char *hostname, *username, *domainname;
+-#endif
++# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */
+       PolkitIdentity *user;
+       GError *error = NULL;
+ 
+@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity
+ 
+  out:
+   endnetgrent ();
++#endif /* HAVE_SETNETGRENT */
+   return ret;
+ }
+ 
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext
+ 
+   JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
+ 
++#ifdef HAVE_SETNETGRENT
+   JS::RootedString usrstr (authority->priv->cx);
+   usrstr = args[0].toString();
+   user = JS_EncodeStringToUTF8 (cx, usrstr);
+@@ -1519,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext
+ 
+   JS_free (cx, netgroup);
+   JS_free (cx, user);
++#endif
+ 
+   ret = true;
+ 
+--- a/test/polkit/polkitidentitytest.c
++++ b/test/polkit/polkitidentitytest.c
+@@ -19,6 +19,7 @@
+  * Author: Nikki VonHollen <vonhollen@google.com>
+  */
+ 
++#include "config.h"
+ #include "glib.h"
+ #include <polkit/polkit.h>
+ #include <polkit/polkitprivate.h>
+@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_tes
+   {"unix-group:root", "unix-group:jane", FALSE},
+   {"unix-group:jane", "unix-group:jane", TRUE},
+ 
++#ifdef HAVE_SETNETGRENT
+   {"unix-netgroup:foo", "unix-netgroup:foo", TRUE},
+   {"unix-netgroup:foo", "unix-netgroup:bar", FALSE},
++#endif
+ 
+   {"unix-user:root", "unix-group:root", FALSE},
++#ifdef HAVE_SETNETGRENT
+   {"unix-user:jane", "unix-netgroup:foo", FALSE},
++#endif
+ 
+   {NULL},
+ };
+@@ -181,11 +186,13 @@ main (int argc, char *argv[])
+   g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string);
+   g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string);
+ 
++#ifdef HAVE_SETNETGRENT
+   g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string);
++  g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
++#endif
+ 
+   g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant);
+   g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant);
+-  g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
+ 
+   add_comparison_tests ();
+ 
+--- a/test/polkit/polkitunixnetgrouptest.c
++++ b/test/polkit/polkitunixnetgrouptest.c
+@@ -19,6 +19,7 @@
+  * Author: Nikki VonHollen <vonhollen@google.com>
+  */
+ 
++#include "config.h"
+ #include "glib.h"
+ #include <polkit/polkit.h>
+ #include <string.h>
+@@ -69,7 +70,9 @@ int
+ main (int argc, char *argv[])
+ {
+   g_test_init (&argc, &argv, NULL);
++#ifdef HAVE_SETNETGRENT
+   g_test_add_func ("/PolkitUnixNetgroup/new", test_new);
+   g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name);
++#endif
+   return g_test_run ();
+ }
+--- a/test/polkitbackend/test-polkitbackendjsauthority.c
++++ b/test/polkitbackend/test-polkitbackendjsauthority.c
+@@ -137,12 +137,14 @@ test_get_admin_identities (void)
+         "unix-group:users"
+       }
+     },
++#ifdef HAVE_SETNETGRENT
+     {
+       "net.company.action3",
+       {
+         "unix-netgroup:foo"
+       }
+     },
++#endif
+   };
+   guint n;
+ 
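
Review bot: In the src/polkit/polkitunixnetgroup.c part of the embedded patch, polkit_unix_netgroup_new() calls g_assert_not_reached() when HAVE_SETNETGRENT is undefined, so any caller of this constructor that is not behind one of the new guards aborts the process, and in a build with G_DISABLE_ASSERT the macro expands to nothing and the object is created anyway. Returning NULL after a g_warning() would behave the same in both build types. Separately, in js_polkit_user_is_in_netgroup() the new #ifdef skips the whole lookup but execution still reaches `ret = true`, so a rule that calls it gets whatever the result variable was initialised to; that initialisation is outside the hunk, so please confirm it is false so that netgroup checks fail closed on musl.
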
diff --git a/package/polkit/Config.in b/package/polkit/Config.in
index ac17cb4dc3..cc7cb03c40 100644
--- a/package/polkit/Config.in
+++ b/package/polkit/Config.in
@@ -1,11 +1,18 @@
 config BR2_PACKAGE_POLKIT
 	bool "polkit"
+	depends on BR2_HOST_GCC_AT_LEAST_4_9 # spidermonkey
+	depends on BR2_INSTALL_LIBSTDCPP # spidermonkey
+	depends on BR2_PACKAGE_DBUS # runtime
+	depends on BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS # spidermonkey
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # spidermonkey
+	depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL # spidermonkey
 	depends on BR2_USE_MMU # libglib2
-	depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
-	depends on BR2_TOOLCHAIN_USES_GLIBC
 	depends on BR2_USE_WCHAR # libglib2
-	select BR2_PACKAGE_LIBGLIB2
+	depends on !BR2_STATIC_LIBS # spidermonkey
+	depends on !BR2_TOOLCHAIN_USES_UCLIBC # spidermonkey
 	select BR2_PACKAGE_EXPAT
+	select BR2_PACKAGE_LIBGLIB2
+	select BR2_PACKAGE_SPIDERMONKEY
 	help
 	  PolicyKit is a toolkit for defining and handling
 	  authorizations. It is used for allowing unprivileged
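
Review bot: `depends on BR2_PACKAGE_DBUS # runtime` hides polkit from the menu until the user has enabled dbus by hand, while package/udisks/Config.in in this same patch uses `select BR2_PACKAGE_DBUS`. Unless there is a reason to differ, select dbus here as well and propagate its dependencies, or say in the commit message why a depends is wanted.
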
@@ -13,6 +20,14 @@ config BR2_PACKAGE_POLKIT
 
 	  http://www.freedesktop.org/wiki/Software/polkit
 
-comment "polkit needs a toolchain w/ wchar, threads"
+comment "polkit needs a glibc or musl toolchain with C++, wchar, dynamic library, NPTL, gcc >= 4.9"
 	depends on BR2_USE_MMU
-	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_PACKAGE_DBUS
+	depends on BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS
+	depends on BR2_TOOLCHAIN_USES_UCLIBC || \
+		!BR2_INSTALL_LIBSTDCPP || \
+		BR2_STATIC_LIBS || \
+		!BR2_TOOLCHAIN_HAS_THREADS_NPTL || \
+		!BR2_HOST_GCC_AT_LEAST_4_9 || \
+		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
+		!BR2_USE_WCHAR
diff --git a/package/polkit/polkit.hash b/package/polkit/polkit.hash
index 6368091c4a..bacd682139 100644
--- a/package/polkit/polkit.hash
+++ b/package/polkit/polkit.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-sha256	8fdc7cc8ba4750fcce1a4db9daa759c12afebc7901237e1c993c38f08985e1df	polkit-0.105.tar.gz
+sha256	88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1	polkit-0.116.tar.gz
 
 # Locally calculated
 sha256	d2e2aa973e29c75e1b492e67ea7b7da9de2d501d49a934657971fd74f9a0b0a8	COPYING
diff --git a/package/polkit/polkit.mk b/package/polkit/polkit.mk
index fb4c171c52..507d1865fa 100644
--- a/package/polkit/polkit.mk
+++ b/package/polkit/polkit.mk
@@ -4,20 +4,22 @@
 #
 ################################################################################
 
-POLKIT_VERSION = 0.105
+POLKIT_VERSION = 0.116
 POLKIT_SITE = http://www.freedesktop.org/software/polkit/releases
 POLKIT_LICENSE = GPL-2.0
 POLKIT_LICENSE_FILES = COPYING
 
 POLKIT_INSTALL_STAGING = YES
 
-POLKIT_DEPENDENCIES = libglib2 host-intltool expat
+POLKIT_DEPENDENCIES = libglib2 host-intltool expat spidermonkey
 
 # We could also support --with-authfw=pam
 POLKIT_CONF_OPTS = \
 	--with-authfw=shadow \
 	--with-os-type=unknown \
 	--disable-man-pages \
-	--disable-examples
+	--disable-examples \
+	--disable-libelogind \
+	--disable-libsystemd-login
 
 $(eval $(autotools-package))
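
Review bot: 0001-make-netgroup-support-optional.patch changes configure.ac (it adds setnetgrent to AC_CHECK_FUNCS), but nothing in this hunk sets POLKIT_AUTORECONF = YES, so the configure script shipped in the tarball is used unchanged and HAVE_SETNETGRENT is never defined. With the patch applied that compiles netgroup support out on glibc as well and sends every unix-netgroup: identity down the new error paths. Add `POLKIT_AUTORECONF = YES` with a comment naming the patch. Minor: the commit message spells the new option --disable-libelongind, while the flag added here is --disable-libelogind.
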
diff --git a/package/systemd/Config.in b/package/systemd/Config.in
index aef39abe27..356c9bbbb3 100644
--- a/package/systemd/Config.in
+++ b/package/systemd/Config.in
@@ -275,7 +275,12 @@ config BR2_PACKAGE_SYSTEMD_NETWORKD
 
 config BR2_PACKAGE_SYSTEMD_POLKIT
 	bool "enable polkit support"
-	depends on BR2_TOOLCHAIN_USES_GLIBC # polkit
+	depends on BR2_HOST_GCC_AT_LEAST_4_9 # spidermonkey
+	depends on BR2_INSTALL_LIBSTDCPP # polkit -> spidermonkey
+	depends on BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS # polkit -> spidermonkey
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # polkit -> spidermonkey
+	depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL # polkit -> spidermonkey
+	depends on BR2_USE_WCHAR # libglib2
 	select BR2_PACKAGE_POLKIT
 	help
 	  If enabled, systemd is built with polkit support and policy
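
Review bot: BR2_PACKAGE_SYSTEMD_POLKIT selects BR2_PACKAGE_POLKIT but repeats only part of polkit's new dependency list: `BR2_PACKAGE_DBUS`, `BR2_USE_MMU`, `!BR2_STATIC_LIBS` and `!BR2_TOOLCHAIN_USES_UCLIBC` from package/polkit/Config.in are missing here. A select ignores the selected symbol's depends, so if the enclosing systemd symbol does not already guarantee these (not visible in this hunk), polkit can be forced on in a configuration it does not support. List them explicitly, or add a comment naming the ones systemd already implies.
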
@@ -285,8 +290,13 @@ config BR2_PACKAGE_SYSTEMD_POLKIT
 
 	  http://wiki.freedesktop.org/www/Software/polkit/
 
-comment "polkit support needs a glibc toolchain"
-	depends on !BR2_TOOLCHAIN_USES_GLIBC
+comment "polkit support needs a toolchain with C++, wchar, NPTL, gcc >= 4.9"
+	depends on BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS
+	depends on !BR2_INSTALL_LIBSTDCPP || \
+		!BR2_TOOLCHAIN_HAS_THREADS_NPTL || \
+		!BR2_HOST_GCC_AT_LEAST_4_9 || \
+		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
+		!BR2_USE_WCHAR
 
 config BR2_PACKAGE_SYSTEMD_QUOTACHECK
 	bool "enable quotacheck tools"
diff --git a/package/udisks/Config.in b/package/udisks/Config.in
index c1e5538fb5..4037f0ba9e 100644
--- a/package/udisks/Config.in
+++ b/package/udisks/Config.in
@@ -1,11 +1,15 @@
 config BR2_PACKAGE_UDISKS
 	bool "udisks"
+	depends on BR2_HOST_GCC_AT_LEAST_4_9 # spidermonkey
+	depends on BR2_INSTALL_LIBSTDCPP # spidermonkey
 	depends on BR2_PACKAGE_HAS_UDEV
-	depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-glib -> glib2
-	depends on BR2_TOOLCHAIN_USES_GLIBC # polkit, lvm2
+	depends on BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS # spidermonkey
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # spidermonkey
+	depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL # polkit
 	depends on BR2_USE_MMU # lvm2
-	depends on !BR2_STATIC_LIBS # lvm2
 	depends on BR2_USE_WCHAR # dbus-glib -> glib2
+	depends on !BR2_TOOLCHAIN_USES_UCLIBC # polkit, lvm2
+	depends on !BR2_STATIC_LIBS # lvm2, spidermonkey
 	select BR2_PACKAGE_DBUS
 	select BR2_PACKAGE_DBUS_GLIB
 	select BR2_PACKAGE_SG3_UTILS
@@ -30,17 +34,28 @@ if BR2_PACKAGE_UDISKS
 
 config BR2_PACKAGE_UDISKS_LVM2
 	bool "lvm2 support"
+	# The lvm app library can't compile agianst musl
+	depends on BR2_TOOLCHAIN_USES_GLIBC
 	select BR2_PACKAGE_LVM2_APP_LIBRARY
 	help
 	  Enable LVM2 support
 
+comment "lvm2 support needs a glibc toolchain"
+	depends on !BR2_TOOLCHAIN_USES_GLIBC
+
 endif
 
 comment "udisks needs udev /dev management"
 	depends on BR2_USE_MMU
 	depends on !BR2_PACKAGE_HAS_UDEV
 
-comment "udisks needs a glibc toolchain w/ wchar, threads, dynamic library"
+comment "udisks needs a glibc or musl toolchain with C++, wchar, dynamic library, NPTL, gcc >= 4.9"
 	depends on BR2_USE_MMU
-	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
-		BR2_STATIC_LIBS || !BR2_TOOLCHAIN_USES_GLIBC
+	depends on BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS
+	depends on BR2_TOOLCHAIN_USES_UCLIBC || \
+		!BR2_INSTALL_LIBSTDCPP || \
+		BR2_STATIC_LIBS || \
+		!BR2_TOOLCHAIN_HAS_THREADS_NPTL || \
+		!BR2_HOST_GCC_AT_LEAST_4_9 || \
+		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 || \
+		!BR2_USE_WCHAR
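
Review bot: Typo in the added comment above `depends on BR2_TOOLCHAIN_USES_GLIBC` in BR2_PACKAGE_UDISKS_LVM2: "agianst" should be "against". The commit message only says "Update dependencies for udisks"; since this hunk makes udisks LVM2 support glibc-only while udisks itself becomes available on musl, a line spelling that out would help anyone bisecting a missing option later.
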
-- 
2.23.0


* [Buildroot] [PATCH v6 2/6] package/polkit: support different authentication frameworks
  2019-12-06 23:46 [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 aduskett at gmail.com
@ 2019-12-06 23:46 ` aduskett at gmail.com
  2019-12-08 15:02   ` Thomas Petazzoni
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file aduskett at gmail.com
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 20+ messages in thread
From: aduskett at gmail.com @ 2019-12-06 23:46 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

Use pam if available, otherwise use shadow.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
 package/polkit/polkit.mk | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/package/polkit/polkit.mk b/package/polkit/polkit.mk
index 507d1865fa..7791d23d19 100644
--- a/package/polkit/polkit.mk
+++ b/package/polkit/polkit.mk
@@ -13,13 +13,17 @@ POLKIT_INSTALL_STAGING = YES
 
 POLKIT_DEPENDENCIES = libglib2 host-intltool expat spidermonkey
 
-# We could also support --with-authfw=pam
 POLKIT_CONF_OPTS = \
-	--with-authfw=shadow \
 	--with-os-type=unknown \
 	--disable-man-pages \
 	--disable-examples \
 	--disable-libelogind \
 	--disable-libsystemd-login
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+POLKIT_CONF_OPTS += --with-authfw=pam
+else
+POLKIT_CONF_OPTS += --with-authfw=shadow
+endif
+
 $(eval $(autotools-package))
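
Review bot: The `ifeq ($(BR2_PACKAGE_LINUX_PAM),y)` branch passes --with-authfw=pam but does not add linux-pam to POLKIT_DEPENDENCIES, so nothing guarantees that PAM is built and staged before polkit's configure runs. Add `POLKIT_DEPENDENCIES += linux-pam` inside the branch.
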
-- 
2.23.0


* [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file.
  2019-12-06 23:46 [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 aduskett at gmail.com
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 2/6] package/polkit: support different authentication frameworks aduskett at gmail.com
@ 2019-12-06 23:46 ` aduskett at gmail.com
  2019-12-08 15:04   ` Thomas Petazzoni
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 4/6] support/testing: add polkit systemd test aduskett at gmail.com
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 20+ messages in thread
From: aduskett at gmail.com @ 2019-12-06 23:46 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

- Add polkit.service for systemd based systems.
- Add a polkitd user upon which /usr/lib/polkit-1/polkitd relies.
- Set appropriate directory permissions to allow the polkitd user to
  access rules and actions.
- Set appropriate default attributes for the pkexec binary.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
Changes v1 -> v5:
  - Add an [install] section to the service file (Jérémy)

 package/polkit/polkit.mk      | 18 ++++++++++++++++++
 package/polkit/polkit.service | 10 ++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 package/polkit/polkit.service

diff --git a/package/polkit/polkit.mk b/package/polkit/polkit.mk
index 7791d23d19..b440cd2f1c 100644
--- a/package/polkit/polkit.mk
+++ b/package/polkit/polkit.mk
@@ -26,4 +26,22 @@ else
 POLKIT_CONF_OPTS += --with-authfw=shadow
 endif
 
+define POLKIT_USERS
+	polkitd -1 polkitd -1 * - - - Polkit Daemon
+endef
+
+define POLKIT_PERMISSIONS
+	/etc/polkit-1 r 750 root polkitd - - - - -
+	/usr/share/polkit-1 r 750 root polkitd - - - - -
+	/usr/bin/pkexec f 4755 root root - - - - -
+endef
+
+define POLKIT_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 644 package/polkit/polkit.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/polkit.service
+	mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
+	ln -sf ../../../../usr/lib/systemd/system/polkit.service \
+		$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/polkit.service
+endef
+
 $(eval $(autotools-package))
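
Review bot: In POLKIT_PERMISSIONS, the recursive entries `/etc/polkit-1 r 750 root polkitd` and `/usr/share/polkit-1 r 750 root polkitd` apply mode 750 to every file below those directories as well as to the directories, so rules and action files end up executable; if the goal is only that the polkitd group can read them, set directories to 750 and files to 640 separately. The `/usr/bin/pkexec f 4755 root root` line installs a setuid-root binary on every image that enables polkit; that is the largest privilege boundary this package adds, so it deserves its own sentence in the commit message, and it is worth considering whether images that only need polkitd should get pkexec at all.
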
diff --git a/package/polkit/polkit.service b/package/polkit/polkit.service
new file mode 100644
index 0000000000..977b4acc5f
--- /dev/null
+++ b/package/polkit/polkit.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Authorization Manager
+
+[Service]
+Type=dbus
+BusName=org.freedesktop.PolicyKit1
+ExecStart=/usr/lib/polkit-1/polkitd --no-debug
+
+[Install]
+WantedBy=multi-user.target
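
Review bot: The [Service] section has no User= and no sandboxing, so polkitd is started as root and any switch to the polkitd user added in polkit.mk is left to the daemon itself. Since this is the process that makes authorization decisions, consider adding hardening directives such as ProtectSystem=, ProtectHome= and PrivateTmp=, after checking that they do not break rule loading from /etc/polkit-1 and /usr/share/polkit-1.
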
-- 
2.23.0


* [Buildroot] [PATCH v6 4/6] support/testing: add polkit systemd test
  2019-12-06 23:46 [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 aduskett at gmail.com
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 2/6] package/polkit: support different authentication frameworks aduskett at gmail.com
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file aduskett at gmail.com
@ 2019-12-06 23:46 ` aduskett at gmail.com
  2019-12-08 15:07   ` Thomas Petazzoni
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 5/6] package/polkit: add init service file aduskett at gmail.com
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 20+ messages in thread
From: aduskett at gmail.com @ 2019-12-06 23:46 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

This test is a simple integration test of the polkit package on systems
running systemd.

It consists of the following:
- The brtest user attempts to restart the systemd-timesyncd service and is
  denied.

- A systemd-timesyncd-restart.rules file provided by polkit-rules-test-systemd
  is copied from /root/ to /etc/polkit-1/rules.d

- The brtest user attempts to restart the systemd-timesyncd service and should
  now succeed.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
Changes v1 -> v5:
 - Reorder this patch in the series.
 - Add test to .gitlab-ci.yml
 - Instead of a separate test file for both systemd and initd, use just a single
   file called test_polkit.py.

Changes v5 -> v6:
  - Use self.assertRunOk in test_polkit.py
  - Flake8 cleanup.

 .gitlab-ci.yml                                |  1 +
 DEVELOPERS                                    |  2 +
 .../package/br2-external/polkit/Config.in     |  1 +
 .../package/br2-external/polkit/external.desc |  1 +
 .../package/br2-external/polkit/external.mk   |  1 +
 .../polkit-rules-test-systemd/Config.in       |  6 +++
 .../polkit-rules-test-systemd.mk              | 20 ++++++++
 .../systemd-timesyncd-restart.rules           |  7 +++
 support/testing/tests/package/test_polkit.py  | 48 +++++++++++++++++++
 9 files changed, 87 insertions(+)
 create mode 100644 support/testing/tests/package/br2-external/polkit/Config.in
 create mode 100644 support/testing/tests/package/br2-external/polkit/external.desc
 create mode 100644 support/testing/tests/package/br2-external/polkit/external.mk
 create mode 100644 support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/Config.in
 create mode 100644 support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/polkit-rules-test-systemd.mk
 create mode 100644 support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/systemd-timesyncd-restart.rules
 create mode 100644 support/testing/tests/package/test_polkit.py

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 6deb97351b..475d205d4a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -425,6 +425,7 @@ tests.package.test_perl_libwww_perl.TestPerllibwwwperl: { extends: .runtime_test
 tests.package.test_perl_mail_dkim.TestPerlMailDKIM: { extends: .runtime_test }
 tests.package.test_perl_x10.TestPerlX10: { extends: .runtime_test }
 tests.package.test_perl_xml_libxml.TestPerlXMLLibXML: { extends: .runtime_test }
+tests.package.test_polkit.TestPolkitSystemd: { extends: .runtime_test }
 tests.package.test_prosody.TestProsodyLua51: { extends: .runtime_test }
 tests.package.test_prosody.TestProsodyLuajit: { extends: .runtime_test }
 tests.package.test_python.TestPython2: { extends: .runtime_test }
diff --git a/DEVELOPERS b/DEVELOPERS
index d5fd6e0e93..e63773c261 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -76,6 +76,8 @@ F:	package/setools/
 F:	package/sngrep/
 F:	package/spidermonkey/
 F:	package/systemd/
+F:	support/testing/tests/package/br2-external/polkit/
+F:	support/testing/tests/package/test_polkit.py
 F:	support/testing/tests/package/test_python_gobject.py
 
 N:	Adam Heinrich <adam@adamh.cz>
diff --git a/support/testing/tests/package/br2-external/polkit/Config.in b/support/testing/tests/package/br2-external/polkit/Config.in
new file mode 100644
index 0000000000..bb555b5097
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/Config.in
@@ -0,0 +1 @@
+source "$BR2_EXTERNAL_POLKIT_PATH/package/polkit-rules-test-systemd/Config.in"
diff --git a/support/testing/tests/package/br2-external/polkit/external.desc b/support/testing/tests/package/br2-external/polkit/external.desc
new file mode 100644
index 0000000000..ecef48692b
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/external.desc
@@ -0,0 +1 @@
+name: POLKIT
diff --git a/support/testing/tests/package/br2-external/polkit/external.mk b/support/testing/tests/package/br2-external/polkit/external.mk
new file mode 100644
index 0000000000..64e369cce4
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/external.mk
@@ -0,0 +1 @@
+include $(sort $(wildcard $(BR2_EXTERNAL_POLKIT_PATH)/package/*/*.mk))
diff --git a/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/Config.in b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/Config.in
new file mode 100644
index 0000000000..662b991d3b
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/Config.in
@@ -0,0 +1,6 @@
+config BR2_PACKAGE_POLKIT_RULES_TEST_SYSTEMD
+	bool "polkit rules test for systemd"
+	depends on BR2_PACKAGE_POLKIT
+	help
+	  Simple test to ensure polkit is loading and enforcing rules
+	  correctly using a rules file meant for systemd.
diff --git a/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/polkit-rules-test-systemd.mk b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/polkit-rules-test-systemd.mk
new file mode 100644
index 0000000000..19a6be2b2f
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/polkit-rules-test-systemd.mk
@@ -0,0 +1,20 @@
+################################################################################
+#
+# polkit-rules-test-systemd
+#
+################################################################################
+
+POLKIT_RULES_TEST_SYSTEMD_DEPENDENCIES = polkit
+
+define POLKIT_RULES_TEST_SYSTEMD_USERS
+	brtest  -1  brtest  -1   =password  /home/brtest /bin/sh brtest
+endef
+
+define POLKIT_RULES_TEST_SYSTEMD_INSTALL_TARGET_CMDS
+	mkdir -p $(TARGET_DIR)/etc/polkit-1/rules.d
+
+	$(INSTALL) -D $(POLKIT_RULES_TEST_SYSTEMD_PKGDIR)/systemd-timesyncd-restart.rules \
+		$(TARGET_DIR)/root/systemd-timesyncd-restart.rules
+endef
+
+$(eval $(generic-package))
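
Review bot: The `$(INSTALL) -D` call for systemd-timesyncd-restart.rules has no `-m`, so the rules file is installed with install's default mode 0755; use `-m 0644`. The `=password` field in POLKIT_RULES_TEST_SYSTEMD_USERS gives brtest a fixed cleartext password, which is acceptable only because this package lives under support/testing; a short comment saying so would keep the line from being copied into a real package.
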
diff --git a/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/systemd-timesyncd-restart.rules b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/systemd-timesyncd-restart.rules
new file mode 100644
index 0000000000..9461195091
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-systemd/systemd-timesyncd-restart.rules
@@ -0,0 +1,7 @@
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.systemd1.manage-units" &&
+        action.lookup("unit") == "systemd-timesyncd.service" &&
+        subject.user == "brtest") {
+        return polkit.Result.YES;
+    }
+});
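
Review bot: The rule returns polkit.Result.YES for every org.freedesktop.systemd1.manage-units request on systemd-timesyncd.service from brtest, whatever the operation, while the test only needs restart. systemd also passes a `verb` detail with this action, so adding `action.lookup("verb") == "restart"` to the condition keeps the example rule scoped to what the test exercises.
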
diff --git a/support/testing/tests/package/test_polkit.py b/support/testing/tests/package/test_polkit.py
new file mode 100644
index 0000000000..3ee06958a6
--- /dev/null
+++ b/support/testing/tests/package/test_polkit.py
@@ -0,0 +1,48 @@
+import os
+import infra.basetest
+
+
+class TestPolkitSystemd(infra.basetest.BRTest):
+    br2_external = [infra.filepath("tests/package/br2-external/polkit")]
+    config = \
+        """
+        BR2_aarch64=y
+        BR2_TOOLCHAIN_EXTERNAL=y
+        BR2_INIT_SYSTEMD=y
+        BR2_JLEVEL=10
+        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+        BR2_LINUX_KERNEL=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.86"
+        BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+        BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
+        BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+        BR2_PACKAGE_POLKIT=y
+        BR2_PACKAGE_SYSTEMD_POLKIT=y
+        BR2_TARGET_ROOTFS_CPIO=y
+        BR2_TARGET_ROOTFS_CPIO_GZIP=y
+        BR2_PACKAGE_POLKIT_RULES_TEST_SYSTEMD=y
+        """
+
+    def login(self):
+        img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
+        kern = os.path.join(self.builddir, "images", "Image")
+        self.emulator.boot(arch="aarch64",
+                           kernel=kern,
+                           kernel_cmdline=["console=ttyAMA0"],
+                           options=[
+                               "-M", "virt", "-cpu", "cortex-a57", "-m", "512M", "-initrd", img
+                           ])
+        self.emulator.login()
+
+    def test_run(self):
+        self.login()
+
+        cmd = "su brtest -c '/bin/systemctl restart systemd-timesyncd.service'"
+        self.assertRunOk(cmd, timeout=10)
+
+        cmd = "mv /root/systemd-timesyncd-restart.rules /etc/polkit-1/rules.d"
+        self.assertRunOk(cmd, timeout=10)
+
+        cmd = "su brtest -c '/bin/systemctl restart systemd-timesyncd.service'"
+        self.assertRunOk(cmd, timeout=10)
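
Review bot: In test_run, the first `su brtest -c '/bin/systemctl restart systemd-timesyncd.service'` is checked with self.assertRunOk, but the commit message says this attempt "is denied". As written the test asserts that the unprivileged restart succeeds before the rule is installed, so it either fails on a correctly working polkit or passes without proving that the rule changed anything. Assert that the first command exits non-zero, and keep assertRunOk only for the `mv` and the second restart.
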
-- 
2.23.0


* [Buildroot] [PATCH v6 5/6] package/polkit: add init service file
  2019-12-06 23:46 [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 aduskett at gmail.com
                   ` (2 preceding siblings ...)
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 4/6] support/testing: add polkit systemd test aduskett at gmail.com
@ 2019-12-06 23:46 ` aduskett at gmail.com
  2019-12-08 15:08   ` Thomas Petazzoni
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 6/6] support/testing: add polkit initd test aduskett at gmail.com
  2019-12-08 15:02 ` [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 Thomas Petazzoni
  5 siblings, 1 reply; 20+ messages in thread
From: aduskett at gmail.com @ 2019-12-06 23:46 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

Add a S50polkit file which starts polkit for non-systemd based systems.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
Changes v1 -> v5:
 - Use start-stop-daemon in the init file. (Thomas)
 - Reorder this patch in the series.

 package/polkit/S50polkit | 15 +++++++++++++++
 package/polkit/polkit.mk |  5 +++++
 2 files changed, 20 insertions(+)
 create mode 100644 package/polkit/S50polkit

diff --git a/package/polkit/S50polkit b/package/polkit/S50polkit
new file mode 100644
index 0000000000..55c10e99ae
--- /dev/null
+++ b/package/polkit/S50polkit
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# start polkitd
+#
+
+case "$1" in
+	start)
+		start-stop-daemon -q -S -x /usr/lib/polkit-1/polkitd -- --no-debug &
+		;;
+	*)
+  echo "Usage: $0 {start}"
+		exit 1
+esac
+
+exit $?
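
Review bot: In the start) branch, the trailing `&` backgrounds start-stop-daemon from the shell, so the final `exit $?` reports only that the background job was launched, not whether polkitd started, and no pidfile is written. Use start-stop-daemon's own `-b -m -p <pidfile>` options instead of `&`; that also makes a stop) case possible, which the script currently lacks. The `echo "Usage: $0 {start}"` line is indented with spaces where the rest of the script uses tabs.
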
diff --git a/package/polkit/polkit.mk b/package/polkit/polkit.mk
index b440cd2f1c..8bb4512aee 100644
--- a/package/polkit/polkit.mk
+++ b/package/polkit/polkit.mk
@@ -44,4 +44,9 @@ define POLKIT_INSTALL_INIT_SYSTEMD
 		$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/polkit.service
 endef
 
+define POLKIT_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 0755 package/polkit/S50polkit \
+		$(TARGET_DIR)/etc/init.d/S50polkit
+endef
+
 $(eval $(autotools-package))
-- 
2.23.0

* [Buildroot] [PATCH v6 6/6] support/testing: add polkit initd test
  2019-12-06 23:46 [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 aduskett at gmail.com
                   ` (3 preceding siblings ...)
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 5/6] package/polkit: add init service file aduskett at gmail.com
@ 2019-12-06 23:46 ` aduskett at gmail.com
  2019-12-08 15:02 ` [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 Thomas Petazzoni
  5 siblings, 0 replies; 20+ messages in thread
From: aduskett at gmail.com @ 2019-12-06 23:46 UTC (permalink / raw)
  To: buildroot

From: Adam Duskett <Aduskett@gmail.com>

This test is a simple integration test of the polkit package on systems
running systemd.

It consists of the following:
- The brtest user attempts to restart the systemd-timesyncd service and is
  denied.

- A systemd-timesyncd-restart.rules file provided by polkit-rules-test-systemd
  is copied from /root/ to /etc/polkit-1/rules.d

- The brtest user attempts to restart the systemd-timesyncd service and should
  now succeed.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
Changes v1 -> v5:
 - Reorder this patch in the series.
 - Add test to .gitlab-ci.yml
 - Instead of a separate test file, add the test to test_polkit.py in another
   class.

Changes v5 -> v6:
  - Use self.assertRunOk in test_polkit.py
  - Flake8 cleanup.

 .gitlab-ci.yml                                |  1 +
 .../package/br2-external/polkit/Config.in     |  1 +
 .../package/polkit-rules-test-initd/Config.in |  6 +++
 .../polkit-rules-test-initd/hello-polkit.c    |  6 +++
 .../hello-polkit.policy                       | 14 +++++
 .../hello-polkit.rules                        |  6 +++
 .../polkit-rules-test-initd.mk                | 31 +++++++++++
 support/testing/tests/package/test_polkit.py  | 51 +++++++++++++++++++
 8 files changed, 116 insertions(+)
 create mode 100644 support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/Config.in
 create mode 100644 support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.c
 create mode 100644 support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.policy
 create mode 100644 support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.rules
 create mode 100644 support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/polkit-rules-test-initd.mk

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 475d205d4a..448ba140ae 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -426,6 +426,7 @@ tests.package.test_perl_mail_dkim.TestPerlMailDKIM: { extends: .runtime_test }
 tests.package.test_perl_x10.TestPerlX10: { extends: .runtime_test }
 tests.package.test_perl_xml_libxml.TestPerlXMLLibXML: { extends: .runtime_test }
 tests.package.test_polkit.TestPolkitSystemd: { extends: .runtime_test }
+tests.package.test_polkit.TestPolkitInitd: { extends: .runtime_test }
 tests.package.test_prosody.TestProsodyLua51: { extends: .runtime_test }
 tests.package.test_prosody.TestProsodyLuajit: { extends: .runtime_test }
 tests.package.test_python.TestPython2: { extends: .runtime_test }
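
Review bot: The new TestPolkitInitd entry is placed after TestPolkitSystemd, while the neighbouring entries are ordered by class name (TestProsodyLua51 before TestProsodyLuajit). Move it above the TestPolkitSystemd line so the list stays sorted.
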
diff --git a/support/testing/tests/package/br2-external/polkit/Config.in b/support/testing/tests/package/br2-external/polkit/Config.in
index bb555b5097..97309b9fca 100644
--- a/support/testing/tests/package/br2-external/polkit/Config.in
+++ b/support/testing/tests/package/br2-external/polkit/Config.in
@@ -1 +1,2 @@
+source "$BR2_EXTERNAL_POLKIT_PATH/package/polkit-rules-test-initd/Config.in"
 source "$BR2_EXTERNAL_POLKIT_PATH/package/polkit-rules-test-systemd/Config.in"
diff --git a/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/Config.in b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/Config.in
new file mode 100644
index 0000000000..f19fc2660d
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/Config.in
@@ -0,0 +1,6 @@
+config BR2_PACKAGE_POLKIT_RULES_TEST_INITD
+	bool "polkit rules test for initd"
+	depends on BR2_PACKAGE_POLKIT
+	help
+	  Simple test to ensure polkit is loading and enforcing rules
+	  correctly using initd.
diff --git a/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.c b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.c
new file mode 100644
index 0000000000..cf5343cd75
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.c
@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+int main(void){
+    printf("Hello polkit!\n");
+    return 0;
+}
diff --git a/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.policy b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.policy
new file mode 100644
index 0000000000..8220293175
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.policy
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
+<policyconfig>
+  <action id="org.freedesktop.policykit.pkexec.hello-polkit">
+    <message>Authentication is required to run the hello world test program</message>
+    <defaults>
+      <allow_inactive>no</allow_inactive>
+      <allow_active>no</allow_active>
+    </defaults>
+    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/hello-polkit</annotate>
+  </action>
+</policyconfig>
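
Review bot: The <defaults> block sets allow_inactive and allow_active but leaves allow_any unstated. The first assertion in the test depends on brtest being denied whatever kind of session it has, so spell out <allow_any>no</allow_any> and make the deny-by-default visible in the file rather than implied. The action id also sits under org.freedesktop.policykit.pkexec.; a test-only action would be easier to tell apart from upstream actions under a Buildroot-specific prefix, with the id in hello-polkit.rules changed to match.
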
diff --git a/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.rules b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.rules
new file mode 100644
index 0000000000..a0a66f644d
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/hello-polkit.rules
@@ -0,0 +1,6 @@
+polkit.addRule(function(action, subject) {
+   if (action.id == "org.freedesktop.policykit.pkexec.hello-polkit" &&
+       subject.user == "brtest") {
+       return polkit.Result.YES;
+   }
+});
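
Review bot: The rule returns polkit.Result.YES, which authorizes brtest for the action with no authentication step at all, and nothing in the file marks it as a test fixture. Add a header comment saying it exists only for the runtime test and is not meant for a product rootfs, and consider strict comparison (===) for the action.id and subject.user checks.
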
diff --git a/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/polkit-rules-test-initd.mk b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/polkit-rules-test-initd.mk
new file mode 100644
index 0000000000..394c3e4405
--- /dev/null
+++ b/support/testing/tests/package/br2-external/polkit/package/polkit-rules-test-initd/polkit-rules-test-initd.mk
@@ -0,0 +1,31 @@
+################################################################################
+#
+# polkit-rules-test-initd
+#
+################################################################################
+
+POLKIT_RULES_TEST_INITD_DEPENDENCIES = polkit
+
+define POLKIT_RULES_TEST_INITD_USERS
+	brtest  -1  brtest  -1   =password  /home/brtest /bin/sh brtest
+endef
+
+define POLKIT_RULES_TEST_INITD_BUILD_CMDS
+	$(INSTALL) -D $(POLKIT_RULES_TEST_INITD_PKGDIR)/hello-polkit.c $(@D)/hello-polkit.c
+	$(TARGET_CC) $(@D)/hello-polkit.c -o $(@D)/hello-polkit
+endef
+
+
+define POLKIT_RULES_TEST_INITD_INSTALL_TARGET_CMDS
+	mkdir -p $(TARGET_DIR)/usr/share/polkit-1/actions/
+	$(INSTALL) -D $(@D)/hello-polkit $(TARGET_DIR)/usr/bin/hello-polkit
+
+	$(INSTALL) -D $(POLKIT_RULES_TEST_INITD_PKGDIR)/hello-polkit.policy \
+		$(TARGET_DIR)/usr/share/polkit-1/actions/hello-polkit.policy
+
+	$(INSTALL) -D $(POLKIT_RULES_TEST_INITD_PKGDIR)/hello-polkit.rules \
+		$(TARGET_DIR)/root/hello-polkit.rules
+
+endef
+
+$(eval $(generic-package))
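
Review bot: None of the three $(INSTALL) -D calls in POLKIT_RULES_TEST_INITD_INSTALL_TARGET_CMDS passes -m, so hello-polkit.policy and hello-polkit.rules land on the target with install's default executable mode; use -m 0644 for the two data files and -m 0755 for the binary. POLKIT_RULES_TEST_INITD_USERS creates brtest with the cleartext password "password" (the "=password" field), which deserves a comment that the account exists only for this test. Minor: the compile line calls $(TARGET_CC) without $(TARGET_CFLAGS) and $(TARGET_LDFLAGS), and there is a doubled blank line before the install block and a stray one before its endef.
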
diff --git a/support/testing/tests/package/test_polkit.py b/support/testing/tests/package/test_polkit.py
index 3ee06958a6..448a55127e 100644
--- a/support/testing/tests/package/test_polkit.py
+++ b/support/testing/tests/package/test_polkit.py
@@ -46,3 +46,54 @@ class TestPolkitSystemd(infra.basetest.BRTest):
 
         cmd = "su brtest -c '/bin/systemctl restart systemd-timesyncd.service'"
         self.assertRunOk(cmd, timeout=10)
+
+
+class TestPolkitInitd(infra.basetest.BRTest):
+    br2_external = [infra.filepath("tests/package/br2-external/polkit")]
+    config = \
+        """
+        BR2_aarch64=y
+        BR2_TOOLCHAIN_EXTERNAL=y
+        BR2_JLEVEL=10
+        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+        BR2_LINUX_KERNEL=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.86"
+        BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+        BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
+        BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+        BR2_PACKAGE_DBUS=y
+        BR2_PACKAGE_POLKIT=y
+        BR2_TARGET_ROOTFS_CPIO=y
+        BR2_TARGET_ROOTFS_CPIO_GZIP=y
+        BR2_PACKAGE_POLKIT_RULES_TEST_INITD=y
+        """
+
+    def login(self):
+        img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
+        kern = os.path.join(self.builddir, "images", "Image")
+        self.emulator.boot(arch="aarch64",
+                           kernel=kern,
+                           kernel_cmdline=["console=ttyAMA0"],
+                           options=[
+                               "-M", "virt", "-cpu", "cortex-a57", "-m", "512M", "-initrd", img
+                           ])
+        self.emulator.login()
+
+    def test_run(self):
+        self.login()
+
+        cmd = "su brtest -c 'pkexec hello-polkit'"
+        output, exit_code = self.emulator.run(cmd, 10)
+        print(output)
+        self.assertEqual(exit_code, 127)
+        self.assertEqual(output[0], "Error executing command as another user: Not authorized")
+
+        cmd = "mv /root/hello-polkit.rules /etc/polkit-1/rules.d/hello-polkit.rules"
+        self.assertRunOk(cmd, timeout=10)
+
+        cmd = "su brtest -c 'pkexec hello-polkit'"
+        output, exit_code = self.emulator.run(cmd, 10)
+        print(output)
+        self.assertEqual(exit_code, 0)
+        self.assertEqual(output[0], "Hello polkit!")
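
Review bot: In test_run the second "pkexec hello-polkit" runs immediately after the mv into /etc/polkit-1/rules.d, so the pass case depends on polkitd having already picked up the new rule file; on a slow emulated target that can race. Retry the command for a few seconds, or otherwise wait for the reload, before asserting exit_code == 0. The two print(output) calls look like leftover debugging, BR2_JLEVEL=10 hard-codes build parallelism for every machine that runs the test, and the commit message still describes the systemd-timesyncd scenario on systemd systems while this class exercises pkexec without BR2_INIT_SYSTEMD.
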
-- 
2.23.0

* [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116
  2019-12-06 23:46 [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 aduskett at gmail.com
                   ` (4 preceding siblings ...)
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 6/6] support/testing: add polkit initd test aduskett at gmail.com
@ 2019-12-08 15:02 ` Thomas Petazzoni
  2019-12-08 19:04   ` Adam Duskett
  5 siblings, 1 reply; 20+ messages in thread
From: Thomas Petazzoni @ 2019-12-08 15:02 UTC (permalink / raw)
  To: buildroot

On Fri,  6 Dec 2019 15:46:44 -0800
aduskett at gmail.com wrote:

> From: Adam Duskett <Aduskett@gmail.com>
> 
> Other changes:
>   - Add spidermonkey as a dependency.
>   - Add 0001-make-netgroup-support-optional.patch to allow building on musl.
>   - Add a runtime dependency on dbus.
>   - Add --disable-libelongind.
>   - Add --disable-libsystemd-login.
>   - Update dependencies for systemd pam support.
>   - Update dependencies for udisks.
> 
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> ---
> changes v1 -> v6:
>   - Add depends on BR2_HOST_GCC_AT_LEAST_4_9 to the following:
>     - package/polkit/Config.in
>     - package/systemd/Config.in
>     - package/udisks/Config.in

To do the same as systemd, I changed the "depends on BR2_PACKAGE_DBUS"
to a "select BR2_PACKAGE_DBUS", made a few minor tweaks, and applied to
master. Thanks a lot for taking care of this difficult package!

One direction that would be nice to look at is to enable spidermonkey
and then polkit on uClibc. Regarding the fenv issue, perhaps we could
have a boolean that says whether uClibc provides fenv support for the
current architecture, and then treat this as an architecture dependency
inside BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS ? How many architectures
have sufficient fenv support in uClibc for spidermonkey ?

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [PATCH v6 2/6] package/polkit: support different authentication frameworks
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 2/6] package/polkit: support different authentication frameworks aduskett at gmail.com
@ 2019-12-08 15:02   ` Thomas Petazzoni
  0 siblings, 0 replies; 20+ messages in thread
From: Thomas Petazzoni @ 2019-12-08 15:02 UTC (permalink / raw)
  To: buildroot

On Fri,  6 Dec 2019 15:46:45 -0800
aduskett at gmail.com wrote:

> From: Adam Duskett <Aduskett@gmail.com>
> 
> Use pam if available, otherwise use shadow.
> 
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> ---
>  package/polkit/polkit.mk | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file.
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file aduskett at gmail.com
@ 2019-12-08 15:04   ` Thomas Petazzoni
  2019-12-08 18:46     ` Adam Duskett
  0 siblings, 1 reply; 20+ messages in thread
From: Thomas Petazzoni @ 2019-12-08 15:04 UTC (permalink / raw)
  To: buildroot

On Fri,  6 Dec 2019 15:46:46 -0800
aduskett at gmail.com wrote:

> From: Adam Duskett <Aduskett@gmail.com>
> 
> - Add polkit.service for systemd based systems.

Why aren't you using the one from polkit itself? There is one in
data/polkit.service.in, which gets compiled to polkit.service, and
apparently installed if HAVE_SYSTEMD is enabled. There is also a D-Bus
service file at data/org.freedesktop.PolicyKit1.service.in.

> - Add a polkitd user upon which /usr/lib/polkit-1/polkitd relies.
> - Set appropriate directory permissions to allow the polkitd user to
>   access rules and actions.
> - Set appropriate default attributes for the pkexec binary.

These could be done separately from the systemd service file addition.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [PATCH v6 4/6] support/testing: add polkit systemd test
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 4/6] support/testing: add polkit systemd test aduskett at gmail.com
@ 2019-12-08 15:07   ` Thomas Petazzoni
  0 siblings, 0 replies; 20+ messages in thread
From: Thomas Petazzoni @ 2019-12-08 15:07 UTC (permalink / raw)
  To: buildroot

On Fri,  6 Dec 2019 15:46:47 -0800
aduskett at gmail.com wrote:

> +class TestPolkitSystemd(infra.basetest.BRTest):
> +    br2_external = [infra.filepath("tests/package/br2-external/polkit")]
> +    config = \
> +        """
> +        BR2_aarch64=y
> +        BR2_TOOLCHAIN_EXTERNAL=y
> +        BR2_INIT_SYSTEMD=y
> +        BR2_JLEVEL=10
> +        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
> +        BR2_LINUX_KERNEL=y
> +        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> +        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.86"
> +        BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
> +        BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"

This requires building the kernel, while the test infrastructure
provides two pre-compiled kernels, one for ARMv7 and one for ARMv5.
Isn't it possible to use them ?

> +    def test_run(self):
> +        self.login()
> +
> +        cmd = "su brtest -c '/bin/systemctl restart systemd-timesyncd.service'"
> +        self.assertRunOk(cmd, timeout=10)

I'm confused, shouldn't this command fail, since it's executed before
you copy the rule at the right place ?

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [PATCH v6 5/6] package/polkit: add init service file
  2019-12-06 23:46 ` [Buildroot] [PATCH v6 5/6] package/polkit: add init service file aduskett at gmail.com
@ 2019-12-08 15:08   ` Thomas Petazzoni
  2020-02-09 21:28     ` Carlos Santos
  0 siblings, 1 reply; 20+ messages in thread
From: Thomas Petazzoni @ 2019-12-08 15:08 UTC (permalink / raw)
  To: buildroot

Hello,

+Carlos in Cc for the review of the init script.

On Fri,  6 Dec 2019 15:46:48 -0800
aduskett at gmail.com wrote:

> diff --git a/package/polkit/S50polkit b/package/polkit/S50polkit
> new file mode 100644
> index 0000000000..55c10e99ae
> --- /dev/null
> +++ b/package/polkit/S50polkit
> @@ -0,0 +1,15 @@
> +#!/bin/sh
> +#
> +# start polkitd
> +#
> +
> +case "$1" in
> +	start)
> +		start-stop-daemon -q -S -x /usr/lib/polkit-1/polkitd -- --no-debug &

Why is the & necessary at this end ?

I think this init script deserves a comment that explains why it
doesn't follow the traditional pattern for init scripts.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file.
  2019-12-08 15:04   ` Thomas Petazzoni
@ 2019-12-08 18:46     ` Adam Duskett
  2019-12-08 19:57       ` Thomas Petazzoni
  0 siblings, 1 reply; 20+ messages in thread
From: Adam Duskett @ 2019-12-08 18:46 UTC (permalink / raw)
  To: buildroot

Thomas

On Sun, Dec 8, 2019 at 7:04 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Fri,  6 Dec 2019 15:46:46 -0800
> aduskett at gmail.com wrote:
>
> > From: Adam Duskett <Aduskett@gmail.com>
> >
> > - Add polkit.service for systemd based systems.
>
> Why aren't you using the one from polkit itself? There is one in
> data/polkit.service.in, which gets compiled to polkit.service, and
> apparently installed if HAVE_SYSTEMD is enabled. There also a D-Bus
> service file at data/org.freedesktop.PolicyKit1.service.in.
I guess I could.

>
> > - Add a polkitd user upon which /usr/lib/polkit-1/polkitd relies.
> > - Set appropriate directory permissions to allow the polkitd user to
> >   access rules and actions.
> > - Set appropriate default attributes for the pkexec binary.
>
> These could be done separately from the systemd service file addition.
>
No, they can't. The user is required to access those particular
directories during
the service startup.

I explained that in IRC.

> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

I don't have time to make a new patch set, so I am going to just mark the entire
patch series as rejected and move on.

If anybody else wants to resurrect this patch series they may do so.

Adam

* [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116
  2019-12-08 15:02 ` [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 Thomas Petazzoni
@ 2019-12-08 19:04   ` Adam Duskett
  2019-12-08 19:58     ` Thomas Petazzoni
  0 siblings, 1 reply; 20+ messages in thread
From: Adam Duskett @ 2019-12-08 19:04 UTC (permalink / raw)
  To: buildroot

Hello;

On Sun, Dec 8, 2019 at 7:02 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Fri,  6 Dec 2019 15:46:44 -0800
> aduskett at gmail.com wrote:
>
> > From: Adam Duskett <Aduskett@gmail.com>
> >
> > Other changes:
> >   - Add spidermonkey as a dependency.
> >   - Add 0001-make-netgroup-support-optional.patch to allow building on musl.
> >   - Add a runtime dependency on dbus.
> >   - Add --disable-libelongind.
> >   - Add --disable-libsystemd-login.
> >   - Update dependencies for systemd pam support.
> >   - Update dependencies for udisks.
> >
> > Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> > ---
> > changes v1 -> v6:
> >   - Add depends on BR2_HOST_GCC_AT_LEAST_4_9 to the following:
> >     - package/polkit/Config.in
> >     - package/systemd/Config.in
> >     - package/udisks/Config.in
>
> To do the same as systemd, I changed the "depends on BR2_PACKAGE_DBUS"
> to a "select BR2_PACKAGE_DBUS", made a few minor tweaks, and applied to
> master. Thanks a lot for taking care of this difficult package!
>
> One direction that would be nice to look at is to enable spidermonkey
> and then polkit on uClibc. Regarding the fenv issue, perhaps we could
> have a boolean that says whether uClibc provides fenv support for the
> current architecture, and then treat this as an architecture dependency
> inside BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS ? How many architectures
> have sufficient fenv support in uClibc for spidermonkey ?
>
Not many, Yann and I had a conversation about this earlier and it
doesn't seem worth it.

Perhaps instead we could put the same effort into a variable that
checks for uclibc fts support.
That way selinux can be enabled with uclibc:

For reference: https://patchwork.ozlabs.org/patch/787786/
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Adam

* [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file.
  2019-12-08 18:46     ` Adam Duskett
@ 2019-12-08 19:57       ` Thomas Petazzoni
  2019-12-08 21:31         ` Adam Duskett
  0 siblings, 1 reply; 20+ messages in thread
From: Thomas Petazzoni @ 2019-12-08 19:57 UTC (permalink / raw)
  To: buildroot

Hello,

On Sun, 8 Dec 2019 10:46:58 -0800
Adam Duskett <aduskett@gmail.com> wrote:

> > Why aren't you using the one from polkit itself? There is one in
> > data/polkit.service.in, which gets compiled to polkit.service, and
> > apparently installed if HAVE_SYSTEMD is enabled. There also a D-Bus
> > service file at data/org.freedesktop.PolicyKit1.service.in.  
> I guess I could.
> 
> >  
> > > - Add a polkitd user upon which /usr/lib/polkit-1/polkitd relies.
> > > - Set appropriate directory permissions to allow the polkitd user to
> > >   access rules and actions.
> > > - Set appropriate default attributes for the pkexec binary.  
> >
> > These could be done separately from the systemd service file addition.
> >  
> No, they can't. The user is required to access those particular
> directories during
> the service startup.

They can be added before, as a separate patch. Note that if I hadn't
come up with the systemd unit question, I would have applied as-is.

> I don't have time to make a new patch set, so I am going to just mark the entire
> patch series as rejected and move on.
> 
> If anybody else wants to resurrect this patch series they may do so.

That's a bit sad. What you've done is very good, it includes
additional test cases.

I'm surprised you're giving up at v6. polkit was a complicated topic,
other folks tried in the past, and gave up way before they reached the
point where you are now, which is essentially very close to what can be
merged.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116
  2019-12-08 19:04   ` Adam Duskett
@ 2019-12-08 19:58     ` Thomas Petazzoni
  2019-12-09 19:03       ` Adam Duskett
  0 siblings, 1 reply; 20+ messages in thread
From: Thomas Petazzoni @ 2019-12-08 19:58 UTC (permalink / raw)
  To: buildroot

Hello,

On Sun, 8 Dec 2019 11:04:16 -0800
Adam Duskett <aduskett@gmail.com> wrote:

> > One direction that would be nice to look at is to enable spidermonkey
> > and then polkit on uClibc. Regarding the fenv issue, perhaps we could
> > have a boolean that says whether uClibc provides fenv support for the
> > current architecture, and then treat this as an architecture dependency
> > inside BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS ? How many architectures
> > have sufficient fenv support in uClibc for spidermonkey ?
> >  
> Not many, Yann and I had a conversation about this earlier and it
> doesn't seem worth it.

OK.

> Perhaps instead we could put the same effort into a variable that
> checks for uclibc fts support.
> That way selinux can be enabled with uclibc:

SELinux can already be enabled on uClibc. I added the musl-fts package,
and used it in libselinux to make it available for uClibc/musl.

When you're grumpy, please verify your claims :-)

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file.
  2019-12-08 19:57       ` Thomas Petazzoni
@ 2019-12-08 21:31         ` Adam Duskett
  2019-12-08 21:32           ` Adam Duskett
  0 siblings, 1 reply; 20+ messages in thread
From: Adam Duskett @ 2019-12-08 21:31 UTC (permalink / raw)
  To: buildroot

On Sun, Dec 8, 2019 at 11:57 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> On Sun, 8 Dec 2019 10:46:58 -0800
> Adam Duskett <aduskett@gmail.com> wrote:
>
> > > Why aren't you using the one from polkit itself? There is one in
> > > data/polkit.service.in, which gets compiled to polkit.service, and
> > > apparently installed if HAVE_SYSTEMD is enabled. There also a D-Bus
> > > service file at data/org.freedesktop.PolicyKit1.service.in.
> > I guess I could.
> >
> > >
> > > > - Add a polkitd user upon which /usr/lib/polkit-1/polkitd relies.
> > > > - Set appropriate directory permissions to allow the polkitd user to
> > > >   access rules and actions.
> > > > - Set appropriate default attributes for the pkexec binary.
> > >
> > > These could be done separately from the systemd service file addition.
> > >
> > No, they can't. The user is required to access those particular
> > directories during
> > the service startup.
>
> They can be added before, as a separate patch. Note that if I hadn't
> come up with the systemd unit question, I would have applied as-is.
>
> > I don't have time to make a new patch set, so I am going to just mark the entire
> > patch series as rejected and move on.
> >
> > If anybody else wants to resurrect this patch series they may do so.
>
> That's a bit said. What you've done is very good, it includes
> additional test cases.
>
> I'm surprised you're giving up at v6. polkit was a complicated topic,
> other folks tried in the past, and gave up way before they reached the
> point where you are now, which is essentially very close to what can be
> merged.
>
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

I appreciate the compliment, however, I do get frustrated because I
tend to submit complicated
patches that sit for weeks, months or even years without any feedback.
Polkit is a pretty big exception
to this rule, and I do appreciate the fairly quick review.

I just fear that if I spend time making a v7, the patch set will sit
for months without any feedback, or if there is
then I will submit a v8 which will include the fixes requested, and
then another maintainer will chime in with
more requested fixes even though they didn't say anything to the
previous patch set when it has been sitting
without feedback for months. This has been a pain point for me for
quite some time.

I understand we are all volunteers with families and lives, however
this also means that more complicated patches
get either zero reviews, sit for very long periods of time, or are
never reviewed at all. This makes me really apprehensive
about submitting anything other than simple fixes and version bumps
that require nothing other than a version/hash update
from now on.

I will see if I can apply your requested fixes in the meantime.

Adam

* [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file.
  2019-12-08 21:31         ` Adam Duskett
@ 2019-12-08 21:32           ` Adam Duskett
  0 siblings, 0 replies; 20+ messages in thread
From: Adam Duskett @ 2019-12-08 21:32 UTC (permalink / raw)
  To: buildroot

On Sun, Dec 8, 2019 at 1:31 PM Adam Duskett <aduskett@gmail.com> wrote:
>
> On Sun, Dec 8, 2019 at 11:57 AM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > Hello,
> >
> > On Sun, 8 Dec 2019 10:46:58 -0800
> > Adam Duskett <aduskett@gmail.com> wrote:
> >
> > > > Why aren't you using the one from polkit itself? There is one in
> > > > data/polkit.service.in, which gets compiled to polkit.service, and
> > > > apparently installed if HAVE_SYSTEMD is enabled. There also a D-Bus
> > > > service file at data/org.freedesktop.PolicyKit1.service.in.
> > > I guess I could.
> > >
> > > >
> > > > > - Add a polkitd user upon which /usr/lib/polkit-1/polkitd relies.
> > > > > - Set appropriate directory permissions to allow the polkitd user to
> > > > >   access rules and actions.
> > > > > - Set appropriate default attributes for the pkexec binary.
> > > >
> > > > These could be done separately from the systemd service file addition.
> > > >
> > > No, they can't. The user is required to access those particular
> > > directories during
> > > the service startup.
> >
> > They can be added before, as a separate patch. Note that if I hadn't
> > come up with the systemd unit question, I would have applied as-is.
> >
> > > I don't have time to make a new patch set, so I am going to just mark the entire
> > > patch series as rejected and move on.
> > >
> > > If anybody else wants to resurrect this patch series they may do so.
> >
> > That's a bit said. What you've done is very good, it includes
> > additional test cases.
> >
> > I'm surprised you're giving up at v6. polkit was a complicated topic,
> > other folks tried in the past, and gave up way before they reached the
> > point where you are now, which is essentially very close to what can be
> > merged.
> >
> > Best regards,
> >
> > Thomas
> > --
> > Thomas Petazzoni, CTO, Bootlin
> > Embedded Linux and Kernel engineering
> > https://bootlin.com
>
> I appreciate the compliment, however, I do get frustrated because I
> tend to submit complicated
> patches that sit for weeks, months or even years without any feedback.
> Polkit is a pretty big exception
> to this rule, and I do appreciate the fairly quick review.
>
> I just fear that if I spend time making a v7, the patch set will sit
> for months without any feedback, or if there is
> then I will submit a v8 which will include the fixes requested, and
> then another maintainer will chime in with
> more requested fixes even though they didn't say anything to the
> previous patch set when it has been sitting
> without feedback for months. This has been a pain point for me for
> quite some time.
>
> I understand we are all volunteers with families and lives, however
> this also means that more complicated patches
> get either zero reviews, sit for very long periods of time, or are
> never reviewed at all. This makes me really apprehensive
> about submitting anything other than simple fixes and version bumps
> that require nothing other than a version/hash update
> from now on.
>
> I will see if I can apply your requested fixes in the meantime.
>
> Adam

As a side note: I know my patches aren't perfect, so I also understand
that not a lot of people even want to review them in the first place.

Adam

* [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116
  2019-12-08 19:58     ` Thomas Petazzoni
@ 2019-12-09 19:03       ` Adam Duskett
  2019-12-14 21:04         ` Thomas Petazzoni
  0 siblings, 1 reply; 20+ messages in thread
From: Adam Duskett @ 2019-12-09 19:03 UTC (permalink / raw)
  To: buildroot

Hello;

On Sun, Dec 8, 2019 at 11:58 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> On Sun, 8 Dec 2019 11:04:16 -0800
> Adam Duskett <aduskett@gmail.com> wrote:
>
> > > One direction that would be nice to look at is to enable spidermonkey
> > > and then polkit on uClibc. Regarding the fenv issue, perhaps we could
> > > have a boolean that says whether uClibc provides fenv support for the
> > > current architecture, and then treat this as an architecture dependency
> > > inside BR2_PACKAGE_SPIDERMONKEY_ARCH_SUPPORTS ? How many architectures
> > > have sufficient fenv support in uClibc for spidermonkey ?
> > >
> > Not many, Yann and I had a conversation about this earlier and it
> > doesn't seem worth it.
>
> OK.
>
> > Perhaps instead we could put the same effort into a variable that
> > checks for uclibc fts support.
> > That way selinux can be enabled with uclibc:
>
> SELinux can already be enabled on uClibc. I added the musl-fts package,
> and used it in libselinux to make it available for uClibc/musl.
>
> When you're grumpy, please verify your claims :-)
>
I'm aware of the option, but I don't agree with it. It's built into
uClibc and requiring
an extra package is not nice in my opinion.

> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Adam


* [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116
  2019-12-09 19:03       ` Adam Duskett
@ 2019-12-14 21:04         ` Thomas Petazzoni
  0 siblings, 0 replies; 20+ messages in thread
From: Thomas Petazzoni @ 2019-12-14 21:04 UTC (permalink / raw)
  To: buildroot

On Mon, 9 Dec 2019 11:03:08 -0800
Adam Duskett <aduskett@gmail.com> wrote:

> > SELinux can already be enabled on uClibc. I added the musl-fts package,
> > and used it in libselinux to make it available for uClibc/musl.
> >
> > When you're grumpy, please verify your claims :-)
>
> I'm aware of the option, but I don't agree with it. It's built into
> uClibc and requiring
> an extra package is not nice in my opinion.

The <fts.h> API is deprecated, and very few packages use it. It doesn't
make a lot of sense to force everybody to have it in uClibc, just for
the sake of a few packages.

Alternatively, we could add a separate option to enable FTS support in
uClibc when needed, but this stuff always gets annoying with uClibc
external toolchains that may or may not have FTS support enabled.

The musl-fts solution is easy. It works for musl, it works for uClibc,
regardless of the uClibc configuration.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH v6 5/6] package/polkit: add init service file
  2019-12-08 15:08   ` Thomas Petazzoni
@ 2020-02-09 21:28     ` Carlos Santos
  0 siblings, 0 replies; 20+ messages in thread
From: Carlos Santos @ 2020-02-09 21:28 UTC (permalink / raw)
  To: buildroot

On Sun, Dec 8, 2019 at 12:08 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> +Carlos in Cc for the review of the init script.
>
> On Fri,  6 Dec 2019 15:46:48 -0800
> aduskett at gmail.com wrote:
>
> > diff --git a/package/polkit/S50polkit b/package/polkit/S50polkit
> > new file mode 100644
> > index 0000000000..55c10e99ae
> > --- /dev/null
> > +++ b/package/polkit/S50polkit
> > @@ -0,0 +1,15 @@
> > +#!/bin/sh
> > +#
> > +# start polkitd
> > +#
> > +
> > +case "$1" in
> > +     start)
> > +             start-stop-daemon -q -S -x /usr/lib/polkit-1/polkitd -- --no-debug &
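
Review bot: the `start)` line backgrounds start-stop-daemon with a trailing `&` and records no pidfile, so the script's exit status says nothing about whether polkitd actually started and nothing on this line leaves a PID for later management. Consider start-stop-daemon's own options, `-b -m -p <pidfile>` (pidfile path to be chosen), in place of `&`, or add a comment above the line explaining why the shell background is needed.
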
>
> Why is the & necessary at this end ?
>
> I think this init script deserves a comment that explains why it
> doesn't follow the traditional pattern for init scripts.
>
> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

Why is a polkitd init script required if, according to the man page

DESCRIPTION
       polkitd provides the org.freedesktop.PolicyKit1 D-Bus service
       on the system message bus. Users or administrators should never
       need to start this daemon as it will be automatically started
       by dbus-daemon(1) or systemd(1) whenever an application calls
       into the service.

-- 
Carlos Santos <unixmania@gmail.com>


Thread overview: 20+ messages
2019-12-06 23:46 [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 aduskett at gmail.com
2019-12-06 23:46 ` [Buildroot] [PATCH v6 2/6] package/polkit: support different authentication frameworks aduskett at gmail.com
2019-12-08 15:02   ` Thomas Petazzoni
2019-12-06 23:46 ` [Buildroot] [PATCH v6 3/6] package/polkit: add systemd service file aduskett at gmail.com
2019-12-08 15:04   ` Thomas Petazzoni
2019-12-08 18:46     ` Adam Duskett
2019-12-08 19:57       ` Thomas Petazzoni
2019-12-08 21:31         ` Adam Duskett
2019-12-08 21:32           ` Adam Duskett
2019-12-06 23:46 ` [Buildroot] [PATCH v6 4/6] support/testing: add polkit systemd test aduskett at gmail.com
2019-12-08 15:07   ` Thomas Petazzoni
2019-12-06 23:46 ` [Buildroot] [PATCH v6 5/6] package/polkit: add init service file aduskett at gmail.com
2019-12-08 15:08   ` Thomas Petazzoni
2020-02-09 21:28     ` Carlos Santos
2019-12-06 23:46 ` [Buildroot] [PATCH v6 6/6] support/testing: add polkit initd test aduskett at gmail.com
2019-12-08 15:02 ` [Buildroot] [PATCH v6 1/6] package/polkit: bump to version 0.116 Thomas Petazzoni
2019-12-08 19:04   ` Adam Duskett
2019-12-08 19:58     ` Thomas Petazzoni
2019-12-09 19:03       ` Adam Duskett
2019-12-14 21:04         ` Thomas Petazzoni
