From 03630211cb0b36113f9d82e9df69fb5b9d999d17 Mon Sep 17 00:00:00 2001
From: Jan Rybar
Date: Mon, 20 Nov 2023 16:01:12 +0100
Subject: [PATCH] backport of removal of IPAddressDeny sandboxing option
Resolves: bz#2248838
---
 polkit.spec | 8 +++++++-
 remove-IPAddressDeny.patch | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 remove-IPAddressDeny.patch
diff --git a/polkit.spec b/polkit.spec
index 34a071e..9c0e9ad 100644
--- a/polkit.spec
+++ b/polkit.spec
@@ -4,12 +4,14 @@
 Summary: An authorization framework
 Name: polkit
 Version: 123
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPL-2.0-or-later
 URL: http://www.freedesktop.org/wiki/Software/polkit
 Source0: https://gitlab.freedesktop.org/polkit/polkit/-/archive/%{version}/%{name}-%{version}.tar.gz
 Source1: polkit.sysusers
+Patch1: remove-IPAddressDeny.patch
+
 BuildRequires: gcc-c++
 BuildRequires: glib2-devel >= 2.30.0
 BuildRequires: expat-devel
@@ -159,6 +161,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/girepository-1.0/*.typelib
 %changelog
+* Mon Nov 20 2023 Jan Rybar - 123-3
+- backport of removal of IPAddressDeny sandboxing option
+- Resolves: bz#2248838
+
 * Thu Sep 21 2023 Christian Glombek - 123-2
 - Provide a sysusers.d file to get user() and group() provides (see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format).
diff --git a/remove-IPAddressDeny.patch b/remove-IPAddressDeny.patch
new file mode 100644
index 0000000..c8436bf
--- /dev/null
+++ b/remove-IPAddressDeny.patch
@@ -0,0 +1,22 @@
+commit 597d3e0d2643c96cbb1c8282066f0b0bc8534b5c
+Author: Luca Boccassi
+Date: Sun Oct 8 19:34:41 2023 +0100
+
+ unit: drop IPAddressDeny=any
+
+ It is not useful, as only AF_UNIX sockets are permitted anyway, and
+ a network namespace it is used. It requires loading a BPF program
+ which might not work everywhere.
+
+diff --git a/data/polkit.service.in b/data/polkit.service.in
+index 4b44a80..539a25d 100644
+--- a/data/polkit.service.in
++++ b/data/polkit.service.in
+@@ -11,7 +11,6 @@ DevicePolicy=strict
+ ExecStart=@libprivdir@/polkitd --no-debug
+ User=@polkitd_user@
+ Group=@polkitd_user@
+-IPAddressDeny=any
+ LimitMEMLOCK=0
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
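Review bot: The case for dropping `IPAddressDeny=any` rests on two other restrictions that the embedded hunk's context (lines 11–17 of `data/polkit.service.in`) does not show. The commit message names an AF_UNIX-only socket policy and a network namespace, presumably `RestrictAddressFamilies=AF_UNIX` and `PrivateNetwork=yes`, so the backport is only as safe as those directives are in the 123 unit file this patch applies to. The spec declares the patch without a comment; I would add above `Patch1:` something like `# upstream 597d3e0d2643: IPAddressDeny=any is redundant only while the AF_UNIX restriction and the private network namespace stay in polkit.service`. Running `systemd-analyze security polkit.service` on the built package would confirm that network exposure is unchanged. Nothing in this diff touches `%prep`, so it is also worth confirming that the spec applies `Patch1` (for example via `%autosetup`); the unit's `[Service]` section starts and ends outside the hunk.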