backport of removal of IPAddressDeny sandboxing option

Resolves: bz#2248838
2023-11-20 16:01:12 +01:00 · 2023-11-20 16:01:12 +01:00 · 03630211cb
commit 03630211cb
parent 26611402a3
2 changed files with 29 additions and 1 deletions
--- a/polkit.spec
+++ b/polkit.spec
@ -4,12 +4,14 @@
 Summary: An authorization framework
 Name: polkit
 Version: 123
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPL-2.0-or-later
 URL: http://www.freedesktop.org/wiki/Software/polkit
 Source0: https://gitlab.freedesktop.org/polkit/polkit/-/archive/%{version}/%{name}-%{version}.tar.gz
 Source1: polkit.sysusers
 Patch1: remove-IPAddressDeny.patch
 BuildRequires: gcc-c++
 BuildRequires: glib2-devel >= 2.30.0
 BuildRequires: expat-devel
@ -159,6 +161,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/girepository-1.0/*.typelib
 %changelog
 * Mon Nov 20 2023 Jan Rybar <jrybar@redhat.com> - 123-3
 - backport of removal of IPAddressDeny sandboxing option
 - Resolves: bz#2248838
 * Thu Sep 21 2023 Christian Glombek <cglombek@redhat.com> - 123-2
 - Provide a sysusers.d file to get user() and group() provides
  (see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format).
--- a/remove-IPAddressDeny.patch
+++ b/remove-IPAddressDeny.patch
@ -0,0 +1,22 @@
 commit 597d3e0d2643c96cbb1c8282066f0b0bc8534b5c
 Author: Luca Boccassi <bluca@debian.org>
 Date:   Sun Oct 8 19:34:41 2023 +0100
    unit: drop IPAddressDeny=any
    It is not useful, as only AF_UNIX sockets are permitted anyway, and
    a network namespace it is used. It requires loading a BPF program
    which might not work everywhere.
 diff --git a/data/polkit.service.in b/data/polkit.service.in
 index 4b44a80..539a25d 100644
 --- a/data/polkit.service.in
 +++ b/data/polkit.service.in
@@ -11,7 +11,6 @@ DevicePolicy=strict
 ExecStart=@libprivdir@/polkitd --no-debug
 User=@polkitd_user@
 Group=@polkitd_user@
 -IPAddressDeny=any
 LimitMEMLOCK=0
 LockPersonality=yes
 MemoryDenyWriteExecute=yes