Rebuild rtkit with new dbus group and add some needed patch.
parent
7cb99fe7ee
commit
f4b69d4c12
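--- a/rtkit/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
+++ b/rtkit/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
@@ -0,0 +1,48 @@
+From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 22 Aug 2013 16:05:22 -0400
+Subject: [PATCH] [SECURITY] Pass uid of caller to polkit
+
+Otherwise, we force polkit to look up the uid itself in /proc, which
+is racy if they execve() a setuid binary.
+---
+rtkit-daemon.c | 11 ++++++++++-
+1 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/rtkit-daemon.c b/rtkit-daemon.c
+index 2ebe673..3ecc1f7 100644
+--- a/rtkit-daemon.c
++++ b/rtkit-daemon.c
+@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+DBusMessage *m = NULL, *r = NULL;
+const char *unix_process = "unix-process";
+const char *pid = "pid";
++ const char *uid = "uid";
+const char *start_time = "start-time";
+const char *cancel_id = "";
+uint32_t flags = 0;
+uint32_t pid_u32 = p->pid;
+- uint64_t start_time_u64 = p->starttime;
++ uint32_t uid_u32 = (uint32_t)u->uid;
+DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
++ uint64_t start_time_u64 = p->starttime;
+int ret;
+dbus_bool_t authorized = FALSE;
+
+@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
+
++ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
++ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
++ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
++ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
++ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
++ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++
+assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
+assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
+
+--
+1.7.1
+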
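Review bot: The new `uint32_t uid_u32 = (uint32_t)u->uid;` in verify_polkit() is only as trustworthy as the place where `u->uid` was filled in, and that place is not visible in this patch. The race named in the commit message is closed only if that value was taken from the bus connection's credentials when the request arrived, not re-read from /proc for `p->pid`. I would add a comment above the declaration, e.g. `/* uid must be the bus-authenticated caller uid; if it is omitted polkit resolves it from /proc, which races with execve() of a setuid binary */`, and confirm the call site matches it. verify_polkit() starts and ends outside both hunks.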
@ -5,24 +5,33 @@
|
|||||||
|
|
||||||
pkgname=rtkit
|
pkgname=rtkit
|
||||||
pkgver=0.11
|
pkgver=0.11
|
||||||
pkgrel=3
|
pkgrel=4
|
||||||
pkgdesc="Realtime Policy and Watchdog Daemon"
|
pkgdesc="Realtime Policy and Watchdog Daemon"
|
||||||
arch=('i686' 'x86_64')
|
arch=('x86_64')
|
||||||
url="http://git.0pointer.de/?p=rtkit.git"
|
url="http://git.0pointer.de/?p=rtkit.git"
|
||||||
license=('GPL' 'custom:BSD')
|
license=('GPL' 'custom:BSD')
|
||||||
depends=('dbus' 'polkit')
|
depends=('dbus' 'polkit')
|
||||||
install=rtkit.install
|
install=rtkit.install
|
||||||
source=(http://0pointer.de/public/$pkgname-$pkgver.tar.xz
|
source=(http://0pointer.de/public/$pkgname-$pkgver.tar.xz
|
||||||
libsystemd.patch)
|
'libsystemd.patch'
|
||||||
|
'systemd205.patch'
|
||||||
|
'0001-SECURITY-Pass-uid-of-caller-to-polkit.patch')
|
||||||
md5sums=('a96c33b9827de66033d2311f82d79a5d'
|
md5sums=('a96c33b9827de66033d2311f82d79a5d'
|
||||||
'35089c0a284005f4abcf45168415857e')
|
'35089c0a284005f4abcf45168415857e'
|
||||||
|
'95195a70551057aca833da6bdbf2e35b'
|
||||||
|
'70df212cba2a6366ff960b60d55858d3')
|
||||||
|
|
||||||
build() {
|
prepare() {
|
||||||
cd "$srcdir/$pkgname-$pkgver"
|
cd "$srcdir/$pkgname-$pkgver"
|
||||||
|
|
||||||
patch -Np1 -i ../libsystemd.patch
|
patch -Np1 -i ../libsystemd.patch
|
||||||
|
patch -Np1 -i ../systemd205.patch
|
||||||
|
patch -Np1 -i ../0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
|
||||||
autoreconf -fi
|
autoreconf -fi
|
||||||
|
}
|
||||||
|
|
||||||
|
build() {
|
||||||
|
cd "$srcdir/$pkgname-$pkgver"
|
||||||
./configure \
|
./configure \
|
||||||
--prefix=/usr \
|
--prefix=/usr \
|
||||||
--sysconfdir=/etc \
|
--sysconfdir=/etc \
|
||||||
|
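Review bot: The two patches added to `source=()` are pinned only by `md5sums`, and the tarball is still fetched over plain `http://`, so the integrity of a build that carries a [SECURITY] patch rests on a hash for which collisions are practical. I would switch the array to `sha256sums=(...)` (regenerated with `makepkg -g`) and use an https source URL if the upstream host serves one. Separately, `depends=('dbus' 'polkit')` is unversioned: the uid patch presumably only helps when the installed polkit reads the `uid` key of a unix-process subject, so a floor such as `'polkit>=<first-version-with-uid-support>'` (placeholder, to be confirmed) would make that requirement explicit. The build() body continues past the end of the hunk.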
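--- a/rtkit/systemd205.patch
+++ b/rtkit/systemd205.patch
@@ -0,0 +1,16 @@
+diff -u -r rtkit-0.11/rtkit-daemon.service.in rtkit-0.11-sd205/rtkit-daemon.service.in
+--- rtkit-0.11/rtkit-daemon.service.in 2012-05-15 15:25:40.000000000 +0200
++++ rtkit-0.11-sd205/rtkit-daemon.service.in 2013-07-25 10:27:37.790884664 +0200
+@@ -24,12 +24,7 @@
+BusName=org.freedesktop.RealtimeKit1
+NotifyAccess=main
+CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
+-PrivateTmp=yes
+PrivateNetwork=yes
+
+-# Work around the fact that the Linux currently doesn't assign any RT
+-# budget to CPU control groups that have none configured explicitly
+-ControlGroup=cpu:/
+-
+[Install]
+WantedBy=graphical.target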
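Review bot: Dropping `PrivateTmp=yes` removes a sandboxing setting from rtkit-daemon.service, and nothing in the patch or the commit message explains why it has to go together with `ControlGroup=cpu:/`. The file name suggests the change is about systemd 205 compatibility, which would account for the ControlGroup= lines but, as far as I can tell, not for PrivateTmp=. The unit keeps a broad `CapabilityBoundingSet=` (CAP_SYS_PTRACE, CAP_SETUID and others), so the remaining isolation settings matter. I would keep `PrivateTmp=yes` in the unit, or record the reason in a header comment in the patch file, for example `# PrivateTmp dropped because <reason>`.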