File 0011-whitelist-polkit-untracked-privilege.diff of Package polkit-default-privs.12406
From 2774d489eb03a855af3f196fc151f78c61e6ad1e Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Mon, 12 Mar 2018 12:01:24 +0100
Subject: [PATCH 1/6] polkit-default-privs: mass whitelisting of untracked
privileges
rpmlint-Factory rules are about to be tightened (sr#579618). The
"untracked-privileges" are now also an error. See
https://lists.opensuse.org/opensuse-factory/2018-02/msg01044.html
for the rationale.
To keep things working for packages already accepted to Factory we are
doing this amnesty whitelisting ahead of the code reviews.
---
polkit-default-privs.restrictive | 49 ++++++++++++++++++++++++++++++++
polkit-default-privs.standard | 49 ++++++++++++++++++++++++++++++++
2 files changed, 98 insertions(+)
diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive
index 5173320..3b09116 100644
--- a/polkit-default-privs.restrictive
+++ b/polkit-default-privs.restrictive
@@ -401,6 +401,9 @@ org.xfce.power.backlight-helper auth_admin:auth_
org.cinnamon.settings-daemon.plugins.power.backlight-helper no:no:yes
org.cinnamon.settingsdaemon.datetimemechanism.configure no:no:auth_admin_keep
+# cinnamon settings-daemon (bsc#1083067)
+org.cinnamon.settings-users auth_admin
+
# hp-drive-guard
com.hp.driveguard.toggle auth_admin
@@ -461,6 +464,9 @@ org.freedesktop.packagekit.clear-offline-update auth_admin_keep
org.freedesktop.packagekit.package-reinstall auth_admin:auth_admin:auth_admin_keep
org.freedesktop.packagekit.package-downgrade auth_admin:auth_admin:auth_admin_keep
+# PackageKit (bnc#993505)
+org.freedesktop.packagekit.trigger-offline-upgrade no:auth_admin:auth_admin
+
#
# gparted (bnc#810888)
#
@@ -755,6 +761,9 @@ org.a11y.brlapi.write-display auth_admin_keep
# sysprof (bsc#996111)
org.gnome.sysprof2.perf-event-open auth_admin_keep
+# sysprof (bsc#1083055)
+org.gnome.sysprof2.get-kernel-symbols auth_admin_keep
+
# flatpak (bsc#984817)
org.freedesktop.Flatpak.app-install auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.runtime-install auth_admin:auth_admin:auth_admin_keep
@@ -781,6 +790,9 @@ org.blueman.dhcp.client auth_admin:auth_admin_keep:auth_admin_keep
org.blueman.pppd.pppconnect auth_admin:auth_admin_keep:auth_admin_keep
org.blueman.rfkill.setstate auth_admin:auth_admin_keep:auth_admin_keep
+# blueman (bsc#1083066)
+org.blueman.bluez.config no:no:auth_admin_keep
+
# tuned (bsc#1007279)
com.redhat.tuned.gui.run auth_admin
com.redhat.tuned.active_profile yes
@@ -814,6 +826,9 @@ org.freedesktop.fwupd.verify-update auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.update-internal-trusted auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.update-hotplug-trusted auth_admin:no:auth_admin_keep
+# fwupd (bsc#1083022)
+org.freedesktop.fwupd.modify-remote auth_admin:no:auth_admin_keep
+
# deja-dup (bsc#1058935)
org.gnome.DejaDup.duplicity no:no:auth_admin
@@ -821,4 +836,38 @@ org.gnome.DejaDup.duplicity no:no:auth_admin
net.connman.modify auth_admin_keep
net.connman.vpn.modify auth_admin_keep
+# connman (bsc#1083069)
+net.connman.secret no:no:auth_admin_keep
+net.connman.vpn.secret no:no:auth_admin_keep
+
+# gsmartcontrol (bsc#1084693)
+org.gsmartcontrol auth_admin
+
+# gvfs (bsc#1073214)
+org.gtk.vfs.file-operations no:no:auth_admin_keep
+org.gtk.vfs.file-operations-helper no:no:auth_admin_keep
+
+# laptop-mode-tools (bsc#1084695)
+org.linux.lmt.gui.policy auth_admin
+
+# mate-system-monitor (bsc#1084701)
+org.mate.mate-system-monitor.kill no:no:auth_admin
+org.mate.mate-system-monitor.renice no:no:auth_admin
+
+# nemo (bsc#1084702)
+org.nemo.root no:no:auth_admin_keep
+
+# nemo-extensions (bsc#1084703)
+org.nemo-share.samba_install no:no:auth_admin_keep
+
+# pantheon-files (bsc#1084704)
+org.freedesktop.policykit.pkexec.pantheon-files auth_admin:auth_admin:auth_admin
+org.freedesktop.policykit.pkexec.io.elementary.files auth_admin:auth_admin:auth_admin
+
+# scap-workbench (bsc#1084706)
+scap-workbench-oscap.run auth_admin:auth_admin:auth_admin
+
+# spice-gtk (bsc#1083025)
+org.spice-space.lowlevelusbaccess no:no:auth_admin
+
###
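Review bot: Nothing in the block added at the end of polkit-default-privs.restrictive records that these entries were whitelisted before their audit. The commit message calls this an amnesty "ahead of the code reviews", but a reader of the profile cannot tell these settings from ones that were reviewed. A marker comment at the top of the block, for example `# amnesty whitelisting (sr#579618), audit pending in the referenced bugs`, would keep that status visible until each bug is closed. The same applies to the matching block in polkit-default-privs.standard and to the bleachbit and systemd entries added in patch 3/6.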
diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard
index c5d2de9..9cd9f80 100644
--- a/polkit-default-privs.standard
+++ b/polkit-default-privs.standard
@@ -420,6 +420,9 @@ org.xfce.power.backlight-helper no:no:yes
org.cinnamon.settings-daemon.plugins.power.backlight-helper no:no:yes
org.cinnamon.settingsdaemon.datetimemechanism.configure no:no:auth_admin_keep
+# blueman (bsc#1083066)
+org.cinnamon.settings-users auth_admin
+
# hp-drive-guard
com.hp.driveguard.toggle auth_admin
com.hp.driveguard.install-setup auth_admin
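Review bot: The comment added above `org.cinnamon.settings-users` names the wrong package and bug: it reads `# blueman (bsc#1083066)`, which is the reference used for the blueman entry further down. The restrictive profile labels the same action `# cinnamon settings-daemon (bsc#1083067)`, and the standard profile should carry that line too. The bug reference is the only link from the rule to its review, so a wrong one makes the entry hard to audit later.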
@@ -478,6 +481,9 @@ org.freedesktop.packagekit.clear-offline-update auth_admin_keep:auth_admin_kee
org.freedesktop.packagekit.package-reinstall auth_admin:auth_admin:auth_admin_keep
org.freedesktop.packagekit.package-downgrade auth_admin:auth_admin:auth_admin_keep
+# PackageKit (bnc#993505)
+org.freedesktop.packagekit.trigger-offline-upgrade auth_admin:auth_admin:auth_admin
+
#
# gparted (bnc#810888)
#
@@ -818,6 +824,9 @@ org.a11y.brlapi.write-display no:no:yes
# sysprof (bsc#996111)
org.gnome.sysprof2.perf-event-open auth_admin_keep
+# sysprof (bsc#1083055)
+org.gnome.sysprof2.get-kernel-symbols auth_admin_keep
+
# flatpak (bsc#984817)
org.freedesktop.Flatpak.app-install auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.runtime-install auth_admin:auth_admin:auth_admin_keep
@@ -844,6 +853,9 @@ org.blueman.dhcp.client auth_admin:auth_admin_keep:yes
org.blueman.pppd.pppconnect auth_admin:auth_admin_keep:yes
org.blueman.rfkill.setstate auth_admin:auth_admin_keep:yes
+# blueman (bsc#1083066)
+org.blueman.bluez.config no:no:auth_admin_keep
+
# tuned (bsc#1007279)
com.redhat.tuned.gui.run auth_admin
com.redhat.tuned.active_profile yes
@@ -882,6 +894,9 @@ org.freedesktop.fwupd.verify-update auth_admin:no:auth_admin_keep
org.freedesktop.fwupd.update-internal-trusted auth_admin:no:yes
org.freedesktop.fwupd.update-hotplug-trusted auth_admin:no:yes
+# fwupd (bsc#1083022)
+org.freedesktop.fwupd.modify-remote auth_admin:no:auth_admin_keep
+
# deja-dup (bsc#1058935)
org.gnome.DejaDup.duplicity no:no:auth_admin
@@ -889,4 +904,38 @@ org.gnome.DejaDup.duplicity no:no:auth_admin
net.connman.modify auth_admin_keep
net.connman.vpn.modify auth_admin_keep
+# connman (bsc#1083069)
+net.connman.secret no:no:auth_admin_keep
+net.connman.vpn.secret no:no:auth_admin_keep_session
+
+# gsmartcontrol (bsc#1084693)
+org.gsmartcontrol auth_admin
+
+# gvfs (bsc#1073214)
+org.gtk.vfs.file-operations no:no:auth_admin_keep
+org.gtk.vfs.file-operations-helper no:no:auth_admin_keep
+
+# laptop-mode-tools (bsc#1084695)
+org.linux.lmt.gui.policy auth_admin
+
+# mate-system-monitor (bsc#1084701)
+org.mate.mate-system-monitor.kill no:no:auth_admin_keep
+org.mate.mate-system-monitor.renice no:no:auth_admin_keep
+
+# nemo (bsc#1084702)
+org.nemo.root no:no:auth_admin_keep
+
+# nemo-extensions (bsc#1084703)
+org.nemo-share.samba_install no:no:auth_admin_keep
+
+# pantheon-files (bsc#1084704)
+org.freedesktop.policykit.pkexec.pantheon-files auth_admin:auth_admin:auth_admin
+org.freedesktop.policykit.pkexec.io.elementary.files auth_admin:auth_admin:auth_admin
+
+# scap-workbench (bsc#1084706)
+scap-workbench-oscap.run auth_admin_keep:auth_admin_keep:auth_admin_keep
+
+# spice-gtk (bsc#1083025)
+org.spice-space.lowlevelusbaccess auth_admin:no:auth_admin
+
###
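Review bot: The value `auth_admin_keep_session` on `net.connman.vpn.secret` does not match the rest of the change: `net.connman.secret` one line above and both connman entries in the restrictive profile use `auth_admin_keep`. As far as I know `auth_admin_keep_session` comes from the old PolicyKit syntax and is not among the implicit-authorization values current polkit accepts (`no`, `yes`, `auth_self`, `auth_admin`, `auth_self_keep`, `auth_admin_keep`), so it is worth checking how the tooling that applies this profile treats it. Suggested line: `net.connman.vpn.secret no:no:auth_admin_keep`.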
--
2.21.0
From cbfcb086ca65742e8862f80fee488de741a3521c Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 15 Nov 2018 18:22:26 +0100
Subject: [PATCH 2/6] spice-gtk: relax lowlevelusbaccess requirements
The spice-gtk setuid helper binary is already only accessible to members
of the kvm group. So we skip the password prompt for locally logged in
users in the standard profile.
---
polkit-default-privs.standard | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard
index 9cd9f80..a023cc0 100644
--- a/polkit-default-privs.standard
+++ b/polkit-default-privs.standard
@@ -936,6 +936,6 @@ org.freedesktop.policykit.pkexec.io.elementary.files auth_admin:auth_admin:auth_
scap-workbench-oscap.run auth_admin_keep:auth_admin_keep:auth_admin_keep
# spice-gtk (bsc#1083025)
-org.spice-space.lowlevelusbaccess auth_admin:no:auth_admin
+org.spice-space.lowlevelusbaccess auth_admin:no:yes
###
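Review bot: The `yes` for active sessions on `org.spice-space.lowlevelusbaccess` relies on a protection that lives outside this file. According to the commit message, the setuid helper is only accessible to members of the kvm group. The rule itself carries no such restriction, so if the helper's mode or group ever changes, any locally logged-in user would pass without authentication. A comment next to the rule would record the dependency, for example `# relaxed: setuid helper is restricted to group kvm, revisit if that changes`.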
--
2.21.0
From ac162371c5853c1bf4a3e36e7cfa75467c26080f Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 28 Mar 2018 17:41:45 +0200
Subject: [PATCH 3/6] polkit-default-privs: some more amnesty whitelisting of
untracked privileges
systemd and bleachbit are still affected by the more picky rpmlint
rules.
---
polkit-default-privs.restrictive | 8 ++++++++
polkit-default-privs.standard | 8 ++++++++
2 files changed, 16 insertions(+)
diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive
index 3b09116..0795331 100644
--- a/polkit-default-privs.restrictive
+++ b/polkit-default-privs.restrictive
@@ -870,4 +870,12 @@ scap-workbench-oscap.run auth_admin:auth_admin:auth_admin
# spice-gtk (bsc#1083025)
org.spice-space.lowlevelusbaccess no:no:auth_admin
+# bleachbit (bsc#1087326)
+org.bleachbit auth_admin
+
+# systemd, systemd-mini (bsc#1087328)
+org.freedesktop.login1.halt auth_admin_keep
+org.freedesktop.login1.halt-ignore-inhibit auth_admin_keep
+org.freedesktop.login1.halt-multiple-sessions auth_admin_keep
+
###
diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard
index a023cc0..209210a 100644
--- a/polkit-default-privs.standard
+++ b/polkit-default-privs.standard
@@ -938,4 +938,12 @@ scap-workbench-oscap.run auth_admin_keep:auth_admin_keep:auth_admin_keep
# spice-gtk (bsc#1083025)
org.spice-space.lowlevelusbaccess auth_admin:no:yes
+# bleachbit (bsc#1087326)
+org.bleachbit auth_admin
+
+# systemd, systemd-mini (bsc#1087328)
+org.freedesktop.login1.halt auth_admin_keep
+org.freedesktop.login1.halt-ignore-inhibit auth_admin_keep
+org.freedesktop.login1.halt-multiple-sessions auth_admin_keep
+
###
--
2.21.0
From 6c09069f1c9001063ea2ed95cbfae4d2808ff648 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 3 Jan 2019 17:28:23 +0100
Subject: [PATCH 4/6] luckybackup: initial whitelisting of polkit pkexec action
(bsc#1120403)
---
polkit-default-privs.restrictive | 4 ++++
polkit-default-privs.standard | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive
index 0795331..f2d4676 100644
--- a/polkit-default-privs.restrictive
+++ b/polkit-default-privs.restrictive
@@ -878,4 +878,8 @@ org.freedesktop.login1.halt auth_admin_keep
org.freedesktop.login1.halt-ignore-inhibit auth_admin_keep
org.freedesktop.login1.halt-multiple-sessions auth_admin_keep
+# luckybackup (bsc#1120403)
+# Don't relax this, it runs rsync with arbitrary parameters
+net.luckybackup.su auth_admin
+
###
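Review bot: The single-field form `net.luckybackup.su auth_admin` applies, if I read the file format correctly, the same setting to any, inactive and active sessions, so remote and inactive sessions may also authenticate for this action. The comment above it says the helper runs rsync with arbitrary parameters, so the restrictive profile could limit it to active local sessions as neighbouring entries do: `net.luckybackup.su no:no:auth_admin`. The same line is added to polkit-default-privs.standard in the next hunk, where keeping `auth_admin` for all three fields may be intended.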
diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard
index 209210a..6c71f06 100644
--- a/polkit-default-privs.standard
+++ b/polkit-default-privs.standard
@@ -946,4 +946,8 @@ org.freedesktop.login1.halt auth_admin_keep
org.freedesktop.login1.halt-ignore-inhibit auth_admin_keep
org.freedesktop.login1.halt-multiple-sessions auth_admin_keep
+# luckybackup (bsc#1120403)
+# Don't relax this, it runs rsync with arbitrary parameters
+net.luckybackup.su auth_admin
+
###
--
2.21.0
From 7e71b1f1efd8fda5a47dc26b8c99c566028fb2fd Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 15 Nov 2018 16:17:28 +0100
Subject: [PATCH 5/6] blueman: relax standard profile rules, drop unneeded
bluez.config rule (bsc#1083066)
The bluez.config rule was never used and with upstream version 2.0.6 it
has also been formally dropped.
The other blueman rules need to be more relaxed as users are complaining
about multiple root password prompts right after login.
---
polkit-default-privs.restrictive | 3 ---
polkit-default-privs.standard | 3 ---
2 files changed, 6 deletions(-)
diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive
index f2d4676..89f7bad 100644
--- a/polkit-default-privs.restrictive
+++ b/polkit-default-privs.restrictive
@@ -790,9 +790,6 @@ org.blueman.dhcp.client auth_admin:auth_admin_keep:auth_admin_keep
org.blueman.pppd.pppconnect auth_admin:auth_admin_keep:auth_admin_keep
org.blueman.rfkill.setstate auth_admin:auth_admin_keep:auth_admin_keep
-# blueman (bsc#1083066)
-org.blueman.bluez.config no:no:auth_admin_keep
-
# tuned (bsc#1007279)
com.redhat.tuned.gui.run auth_admin
com.redhat.tuned.active_profile yes
diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard
index 6c71f06..c50423c 100644
--- a/polkit-default-privs.standard
+++ b/polkit-default-privs.standard
@@ -853,9 +853,6 @@ org.blueman.dhcp.client auth_admin:auth_admin_keep:yes
org.blueman.pppd.pppconnect auth_admin:auth_admin_keep:yes
org.blueman.rfkill.setstate auth_admin:auth_admin_keep:yes
-# blueman (bsc#1083066)
-org.blueman.bluez.config no:no:auth_admin_keep
-
# tuned (bsc#1007279)
com.redhat.tuned.gui.run auth_admin
com.redhat.tuned.active_profile yes
--
2.21.0
From edbe7f6f2b9574e1369abe91a83d9f79fb486773 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Tue, 24 Apr 2018 15:05:21 +0200
Subject: [PATCH 6/6] polkit-default-privs: whitelisting renamed kalarm polkit
actions
---
polkit-default-privs.restrictive | 2 ++
polkit-default-privs.standard | 2 ++
2 files changed, 4 insertions(+)
diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive
index 89f7bad..891d0fc 100644
--- a/polkit-default-privs.restrictive
+++ b/polkit-default-privs.restrictive
@@ -324,6 +324,8 @@ org.kde.powerdevil.discretegpuhelper.hasdualgpu no:no:yes
# kdepim4/kalarm (bnc#707723)
org.kde.kalarmrtcwake.settimer auth_admin_keep
+# kalarm (bnc#1087714, renamed from kalarmrtcwake)
+org.kde.kalarm.rtcwake.settimer auth_admin_keep
# sddm kcm oepration (bnc#904313)
org.kde.kcontrol.kcmsddm.save auth_admin
diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard
index c50423c..aca1738 100644
--- a/polkit-default-privs.standard
+++ b/polkit-default-privs.standard
@@ -337,6 +337,8 @@ org.kde.powerdevil.discretegpuhelper.hasdualgpu yes
# kdepim4/kalarm (bnc#707723)
org.kde.kalarmrtcwake.settimer auth_admin_keep
+# kalarm (bnc#1087714, renamed from kalarmrtcwake)
+org.kde.kalarm.rtcwake.settimer auth_admin_keep
# sddm kcm oepration (bnc#904313)
org.kde.kcontrol.kcmsddm.save auth_admin
--
2.21.0