File 0010-libvirt-polkit-actions-whitelisting-of-incremental-n.patch of Package polkit-default-privs.12276

From 2f6462c868d8b9b4ca13e4c532a6a4ec443d4517 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Wed, 3 Jul 2019 15:39:14 +0200
Subject: [PATCH 1/2] libvirt polkit actions: whitelisting of incremental
 no:no:no actions (bsc#1140151)

---
 polkit-default-privs.restrictive | 6 ++++++
 polkit-default-privs.standard    | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive
index adeda1a..212d9f0 100644
--- a/polkit-default-privs.restrictive
+++ b/polkit-default-privs.restrictive
@@ -642,6 +642,12 @@ org.libvirt.api.nwfilter-binding.read			auth_admin_keep
 org.libvirt.api.nwfilter-binding.create			no
 org.libvirt.api.nwfilter-binding.delete			no
 
+# libvirt (bsc#1140151)
+# addition of all no:no:no actions
+org.libvirt.api.network-port.create			no
+org.libvirt.api.network-port.delete			no
+org.libvirt.api.network-port.write			no
+
 # MATE settings-daemon (bnc#831404)
 org.mate.settingsdaemon.datetimemechanism.settimezone		auth_admin_keep
 org.mate.settingsdaemon.datetimemechanism.settime		auth_admin_keep
diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard
index c548e22..db0b2ea 100644
--- a/polkit-default-privs.standard
+++ b/polkit-default-privs.standard
@@ -705,6 +705,12 @@ org.libvirt.api.nwfilter-binding.read			auth_admin_keep
 org.libvirt.api.nwfilter-binding.create			no
 org.libvirt.api.nwfilter-binding.delete			no
 
+# libvirt (bsc#1140151)
+# addition of all no:no:no actions
+org.libvirt.api.network-port.create			no
+org.libvirt.api.network-port.delete			no
+org.libvirt.api.network-port.write			no
+
 # MATE settings-daemon (bnc#831404)
 org.mate.settingsdaemon.datetimemechanism.settimezone		auth_admin_keep
 org.mate.settingsdaemon.datetimemechanism.settime		auth_admin_keep
-- 
2.21.0


From 26f38764899f239f593e33e0087d83de8d46ffdc Mon Sep 17 00:00:00 2001
From: Matthias Gerstner <matthias.gerstner@suse.de>
Date: Thu, 11 Jul 2019 15:23:15 +0200
Subject: [PATCH 2/2] libvirt: add a couple of additional polkit actions
 (bsc#1140151)

In commit 9a076dcb084f413265b28f0716c59d752abb5a0a I failed to consider
a few more rules. This commit adds them.
---
 polkit-default-privs.restrictive | 5 ++++-
 polkit-default-privs.standard    | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/polkit-default-privs.restrictive b/polkit-default-privs.restrictive
index 212d9f0..5173320 100644
--- a/polkit-default-privs.restrictive
+++ b/polkit-default-privs.restrictive
@@ -643,10 +643,13 @@ org.libvirt.api.nwfilter-binding.create			no
 org.libvirt.api.nwfilter-binding.delete			no
 
 # libvirt (bsc#1140151)
-# addition of all no:no:no actions
+# addition of all no:no:no actions and two read-only actions
 org.libvirt.api.network-port.create			no
 org.libvirt.api.network-port.delete			no
 org.libvirt.api.network-port.write			no
+org.libvirt.api.network.search-ports			no
+org.libvirt.api.network-port.getattr			auth_self:yes:yes
+org.libvirt.api.network-port.read			auth_self:yes:yes
 
 # MATE settings-daemon (bnc#831404)
 org.mate.settingsdaemon.datetimemechanism.settimezone		auth_admin_keep
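Review bot: The `auth_self:yes:yes` entries for `org.libvirt.api.network-port.getattr` and `org.libvirt.api.network-port.read` let inactive and active local sessions through with no authentication even in the restrictive profile, since in the any:inactive:active triple only the first class is prompted. The comment above them says only "two read-only actions", without naming the actions or explaining why that is acceptable. The neighbouring `org.libvirt.api.nwfilter-binding.read` is `auth_admin_keep` in both files (visible in the first patch's hunk headers), so the more lenient treatment of the port actions should be justified in place, for example `# network-port.getattr/read: read-only; local sessions allowed, others need auth_self (reason: <rationale from bsc#1140151>)`. The same applies to the polkit-default-privs.standard hunk, where both actions are a bare `yes` and are therefore granted to every session class, including non-local ones.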
diff --git a/polkit-default-privs.standard b/polkit-default-privs.standard
index db0b2ea..c5d2de9 100644
--- a/polkit-default-privs.standard
+++ b/polkit-default-privs.standard
@@ -706,10 +706,13 @@ org.libvirt.api.nwfilter-binding.create			no
 org.libvirt.api.nwfilter-binding.delete			no
 
 # libvirt (bsc#1140151)
-# addition of all no:no:no actions
+# addition of all no:no:no actions and two read-only actions
 org.libvirt.api.network-port.create			no
 org.libvirt.api.network-port.delete			no
 org.libvirt.api.network-port.write			no
+org.libvirt.api.network.search-ports			no
+org.libvirt.api.network-port.getattr			yes
+org.libvirt.api.network-port.read			yes
 
 # MATE settings-daemon (bnc#831404)
 org.mate.settingsdaemon.datetimemechanism.settimezone		auth_admin_keep
-- 
2.21.0
