4 files changed, 235 insertions, 283 deletions
diff --git a/meta-oe/recipes-extended/polkit/polkit/0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch b/meta-oe/recipes-extended/polkit/polkit/0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch
deleted file mode 100644
index ae314e3c17..0000000000
--- a/meta-oe/recipes-extended/polkit/polkit/0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch
+++ /dev/null
@@ -1,186 +0,0 @@
-From eb1f1336e8e49b4db6243b543e0a71f7c0c9b5b1 Mon Sep 17 00:00:00 2001
-From: Colin Walters <walters@verbum.org>
-Date: Fri, 4 Jan 2019 14:24:48 -0500
-Subject: [PATCH] backend: Compare PolkitUnixProcess uids for temporary
- authorizations
-It turns out that the combination of `(pid, start time)` is not
-enough to be unique.  For temporary authorizations, we can avoid
-separate users racing on pid reuse by simply comparing the uid.
-https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
-And the above original email report is included in full in a new comment.
-Reported-by: Jann Horn <jannh@google.com>
-Closes: https://gitlab.freedesktop.org/polkit/polkit/issues/75
-Upstream-Status: Backport
-CVE: CVE-2019-6133
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
- src/polkit/polkitsubject.c                         |  2 +
- src/polkit/polkitunixprocess.c                     | 71 +++++++++++++++++++++-
- .../polkitbackendinteractiveauthority.c            | 39 +++++++++++-
- 3 files changed, 110 insertions(+), 2 deletions(-)
-diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c
-index d4c1182..ccabd0a 100644
--- a/src/polkit/polkitsubject.c
-+++ b/src/polkit/polkitsubject.c
-@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subject)
-  * @b: A #PolkitSubject.
-  *
-  * Checks if @a and @b are equal, ie. represent the same subject.
-+ * However, avoid calling polkit_subject_equal() to compare two processes;
-+ * for more information see the `PolkitUnixProcess` documentation.
-  *
-  * This function can be used in e.g. g_hash_table_new().
-  *
-diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
-index 972b777..7a6d48b 100644
--- a/src/polkit/polkitunixprocess.c
-+++ b/src/polkit/polkitunixprocess.c
-@@ -51,7 +51,10 @@
-  * @title: PolkitUnixProcess
-  * @short_description: Unix processs
-  *
- * An object for representing a UNIX process.
-+ * An object for representing a UNIX process.  NOTE: This object as
-+ * designed is now known broken; a mechanism to exploit a delay in
-+ * start time in the Linux kernel was identified.  Avoid
-+ * calling polkit_subject_equal() to compare two processes.
-  *
-  * To uniquely identify processes, both the process id and the start
-  * time of the process (a monotonic increasing value representing the
-@@ -66,6 +69,72 @@
-  * polkit_unix_process_new_for_owner() with trusted data.
-  */
- 
-+/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75
-+
-+  But quoting the original email in full here to ensure it's preserved:
-+
-+  From: Jann Horn <jannh@google.com>
-+  Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork
-+  Date: Wednesday, October 10, 2018 5:34 PM
-+
-+When a (non-root) user attempts to e.g. control systemd units in the system
-+instance from an active session over DBus, the access is gated by a polkit
-+policy that requires "auth_admin_keep" auth. This results in an auth prompt
-+being shown to the user, asking the user to confirm the action by entering the
-+password of an administrator account.
-+
-+After the action has been confirmed, the auth decision for "auth_admin_keep" is
-+cached for up to five minutes. Subject to some restrictions, similar actions can
-+then be performed in this timespan without requiring re-auth:
-+
-+ - The PID of the DBus client requesting the new action must match the PID of
-+   the DBus client requesting the old action (based on SO_PEERCRED information
-+   forwarded by the DBus daemon).
-+ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22)
-+   must not have changed. The granularity of this timestamp is in the
-+   millisecond range.
-+ - polkit polls every two seconds whether a process with the expected start time
-+   still exists. If not, the temporary auth entry is purged.
-+
-+Without the start time check, this would obviously be buggy because an attacker
-+could simply wait for the legitimate client to disappear, then create a new
-+client with the same PID.
-+
-+Unfortunately, the start time check is bypassable because fork() is not atomic.
-+Looking at the source code of copy_process() in the kernel:
-+
-+        p->start_time = ktime_get_ns();
-+        p->real_start_time = ktime_get_boot_ns();
-+        [...]
-+        retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls);
-+        if (retval)
-+                goto bad_fork_cleanup_io;
-+
-+        if (pid != &init_struct_pid) {
-+                pid = alloc_pid(p->nsproxy->pid_ns_for_children);
-+                if (IS_ERR(pid)) {
-+                        retval = PTR_ERR(pid);
-+                        goto bad_fork_cleanup_thread;
-+                }
-+        }
-+
-+The ktime_get_boot_ns() call is where the "start time" of the process is
-+recorded. The alloc_pid() call is where a free PID is allocated. In between
-+these, some time passes; and because the copy_thread_tls() call between them can
-+access userspace memory when sys_clone() is invoked through the 32-bit syscall
-+entry point, an attacker can even stall the kernel arbitrarily long at this
-+point (by supplying a pointer into userspace memory that is associated with a
-+userfaultfd or is backed by a custom FUSE filesystem).
-+
-+This means that an attacker can immediately call sys_clone() when the victim
-+process is created, often resulting in a process that has the exact same start
-+time reported in procfs; and then the attacker can delay the alloc_pid() call
-+until after the victim process has died and the PID assignment has cycled
-+around. This results in an attacker process that polkit can't distinguish from
-+the victim process.
-+*/
-+
-+
- /**
-  * PolkitUnixProcess:
-  *
-diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
-index de3f752..098d343 100644
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
-+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
-@@ -3035,6 +3035,43 @@ temporary_authorization_store_free (TemporaryAuthorizationStore *store)
-   g_free (store);
- }
- 
-+/* See the comment at the top of polkitunixprocess.c */
-+static gboolean
-+subject_equal_for_authz (PolkitSubject *a,
-+                         PolkitSubject *b)
-+{
-+  if (!polkit_subject_equal (a, b))
-+    return FALSE;
-+
-+  /* Now special case unix processes, as we want to protect against
-+   * pid reuse by including the UID.
-+   */
-+  if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) {
-+    PolkitUnixProcess *ap = (PolkitUnixProcess*)a;
-+    int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a);
-+    PolkitUnixProcess *bp = (PolkitUnixProcess*)b;
-+    int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b);
-+
-+    if (uid_a != -1 && uid_b != -1)
-+      {
-+        if (uid_a == uid_b)
-+          {
-+            return TRUE;
-+          }
-+        else
-+          {
-+            g_printerr ("denying slowfork; pid %d uid %d != %d!\n",
-+                        polkit_unix_process_get_pid (ap),
-+                        uid_a, uid_b);
-+            return FALSE;
-+          }
-+      }
-+    /* Fall through; one of the uids is unset so we can't reliably compare */
-+  }
-+
-+  return TRUE;
-+}
-+
- static gboolean
- temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store,
-                                                  PolkitSubject               *subject,
-@@ -3077,7 +3114,7 @@ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *st
-     TemporaryAuthorization *authorization = l->data;
- 
-     if (strcmp (action_id, authorization->action_id) == 0 &&
-        polkit_subject_equal (subject_to_use, authorization->subject))
-+        subject_equal_for_authz (subject_to_use, authorization->subject))
-       {
-         ret = TRUE;
-         if (out_tmp_authz_id != NULL)
diff --git a/meta-oe/recipes-extended/polkit/polkit/0001-make-netgroup-support-configurable.patch b/meta-oe/recipes-extended/polkit/polkit/0001-make-netgroup-support-configurable.patch
deleted file mode 100644
index 3b0ef5e5a3..0000000000
--- a/meta-oe/recipes-extended/polkit/polkit/0001-make-netgroup-support-configurable.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 7d5e205aa58a10e7b1ccc2fa75b443508a5c3e18 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 20 Jan 2016 04:31:59 +0000
-Subject: [PATCH] make netgroup support configurable
-Disable using innetgr and *netigrent function if not available
-These functions are not available on all libc implementations e.g. musl
-doesnt have them.
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
-Upstream-Status: Pending
-Rebase to 0.115
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- configure.ac                                          | 2 +-
- src/polkitbackend/polkitbackendinteractiveauthority.c | 6 +++++-
- src/polkitbackend/polkitbackendjsauthority.cpp        | 2 ++
- 3 files changed, 8 insertions(+), 2 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index 8b3e1b1..1c392df 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"],
-             [AC_MSG_ERROR([Can't find expat library. Please install expat.])])
- AC_SUBST(EXPAT_LIBS)
- 
-AC_CHECK_FUNCS(clearenv fdatasync)
-+AC_CHECK_FUNCS(clearenv fdatasync getnetgrent innetgr)
- 
- if test "x$GCC" = "xyes"; then
-   LDFLAGS="-Wl,--as-needed $LDFLAGS"
-diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
-index cb6fdab..de3f752 100644
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
-+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
-@@ -2224,7 +2224,7 @@ get_users_in_group (PolkitIdentity                    *group,
-  out:
-   return ret;
- }
-
-+#if defined HAVE_GETNETGRENT
- static GList *
- get_users_in_net_group (PolkitIdentity                    *group,
-                         gboolean                           include_root)
-@@ -2285,6 +2285,8 @@ get_users_in_net_group (PolkitIdentity                    *group,
-   return ret;
- }
- 
-+#endif
-+
- /* ---------------------------------------------------------------------------------------------------- */
- 
- static void
-@@ -2369,10 +2371,12 @@ authentication_agent_initiate_challenge (AuthenticationAgent         *agent,
-         {
-           user_identities = g_list_concat (user_identities, get_users_in_group (identity, FALSE));
-         }
-+#if defined HAVE_GETNETGRENT
-       else if (POLKIT_IS_UNIX_NETGROUP (identity))
-         {
-           user_identities =  g_list_concat (user_identities, get_users_in_net_group (identity, FALSE));
-         }
-+#endif
-       else
-         {
-           g_warning ("Unsupported identity");
-diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
-index 517f3c6..6042dd2 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
-+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
-@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext  *cx,
-   user = JS_EncodeString (cx, args[0].toString());
-   netgroup = JS_EncodeString (cx, args[1].toString());
- 
-+#if defined HAVE_INNETGR
-   if (innetgr (netgroup,
-                NULL,  /* host */
-                user,
-@@ -1509,6 +1510,7 @@ js_polkit_user_is_in_netgroup (JSContext  *cx,
-     {
-       is_in_netgroup =  true;
-     }
-+#endif
- 
-   JS_free (cx, netgroup);
-   JS_free (cx, user);
-- 
-2.7.4
diff --git a/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch b/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch
new file mode 100644
index 0000000000..fd7251369e
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch
@@ -0,0 +1,232 @@
+From 21aa2747e8f0048759aab184b07dd6389666d5e6 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 22 May 2019 13:18:55 -0700
+Subject: [PATCH] make netgroup support optional
+On at least Linux/musl and Linux/uclibc, netgroup
+support is not available.  PolKit fails to compile on these systems
+for that reason.
+This change makes netgroup support conditional on the presence of the
+setnetgrent(3) function which is required for the support to work.  If
+that function is not available on the system, an error will be returned
+to the administrator if unix-netgroup: is specified in configuration.
+Fixes bug 50145.
+Closes polkit/polkit#14.
+Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.ac                                     |  2 +-
+ src/polkit/polkitidentity.c                      | 16 ++++++++++++++++
+ src/polkit/polkitunixnetgroup.c                  |  3 +++
+ .../polkitbackendinteractiveauthority.c          | 14 ++++++++------
+ src/polkitbackend/polkitbackendjsauthority.cpp   |  2 ++
+ test/polkit/polkitidentitytest.c                 |  9 ++++++++-
+ test/polkit/polkitunixnetgrouptest.c             |  3 +++
+ .../test-polkitbackendjsauthority.c              |  2 ++
+ 8 files changed, 43 insertions(+), 8 deletions(-)
+--- a/configure.ac
+++ b/configure.ac
+@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXP
+             [AC_MSG_ERROR([Can't find expat library. Please install expat.])])
+ AC_SUBST(EXPAT_LIBS)
+ 
+-AC_CHECK_FUNCS(clearenv fdatasync)
+AC_CHECK_FUNCS(clearenv fdatasync setnetgrent)
+ 
+ if test "x$GCC" = "xyes"; then
+   LDFLAGS="-Wl,--as-needed $LDFLAGS"
+--- a/src/polkit/polkitidentity.c
+++ b/src/polkit/polkitidentity.c
+@@ -182,7 +182,15 @@ polkit_identity_from_string  (const gcha
+     }
+   else if (g_str_has_prefix (str, "unix-netgroup:"))
+     {
+#ifndef HAVE_SETNETGRENT
+      g_set_error (error,
+                   POLKIT_ERROR,
+                   POLKIT_ERROR_FAILED,
+                   "Netgroups are not available on this machine ('%s')",
+                   str);
+#else
+       identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1);
+#endif
+     }
+ 
+   if (identity == NULL && (error != NULL && *error == NULL))
+@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVaria
+       GVariant *v;
+       const char *name;
+ 
+#ifndef HAVE_SETNETGRENT
+      g_set_error (error,
+                   POLKIT_ERROR,
+                   POLKIT_ERROR_FAILED,
+                   "Netgroups are not available on this machine");
+      goto out;
+#else
+       v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
+       if (v == NULL)
+         {
+@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVaria
+       name = g_variant_get_string (v, NULL);
+       ret = polkit_unix_netgroup_new (name);
+       g_variant_unref (v);
+#endif
+     }
+   else
+     {
+--- a/src/polkit/polkitunixnetgroup.c
+++ b/src/polkit/polkitunixnetgroup.c
+@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUni
+ PolkitIdentity *
+ polkit_unix_netgroup_new (const gchar *name)
+ {
+#ifndef HAVE_SETNETGRENT
+  g_assert_not_reached();
+#endif
+   g_return_val_if_fail (name != NULL, NULL);
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
+                                        "name", name,
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity
+   GList *ret;
+ 
+   ret = NULL;
+#ifdef HAVE_SETNETGRENT
+   name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group));
+ 
+-#ifdef HAVE_SETNETGRENT_RETURN
+# ifdef HAVE_SETNETGRENT_RETURN
+   if (setnetgrent (name) == 0)
+     {
+       g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno));
+       goto out;
+     }
+-#else
+# else
+   setnetgrent (name);
+-#endif
+# endif /* HAVE_SETNETGRENT_RETURN */
+ 
+   for (;;)
+     {
+-#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
+# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
+       const char *hostname, *username, *domainname;
+-#else
+# else
+       char *hostname, *username, *domainname;
+-#endif
+# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */
+       PolkitIdentity *user;
+       GError *error = NULL;
+ 
+@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity
+ 
+  out:
+   endnetgrent ();
+#endif /* HAVE_SETNETGRENT */
+   return ret;
+ }
+ 
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext
+ 
+   JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
+ 
+#ifdef HAVE_SETNETGRENT
+   JS::RootedString usrstr (authority->priv->cx);
+   usrstr = args[0].toString();
+   user = JS_EncodeStringToUTF8 (cx, usrstr);
+@@ -1519,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext
+ 
+   JS_free (cx, netgroup);
+   JS_free (cx, user);
+#endif
+ 
+   ret = true;
+ 
+--- a/test/polkit/polkitidentitytest.c
+++ b/test/polkit/polkitidentitytest.c
+@@ -19,6 +19,7 @@
+  * Author: Nikki VonHollen <vonhollen@google.com>
+  */
+ 
+#include "config.h"
+ #include "glib.h"
+ #include <polkit/polkit.h>
+ #include <polkit/polkitprivate.h>
+@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_tes
+   {"unix-group:root", "unix-group:jane", FALSE},
+   {"unix-group:jane", "unix-group:jane", TRUE},
+ 
+#ifdef HAVE_SETNETGRENT
+   {"unix-netgroup:foo", "unix-netgroup:foo", TRUE},
+   {"unix-netgroup:foo", "unix-netgroup:bar", FALSE},
+#endif
+ 
+   {"unix-user:root", "unix-group:root", FALSE},
+#ifdef HAVE_SETNETGRENT
+   {"unix-user:jane", "unix-netgroup:foo", FALSE},
+#endif
+ 
+   {NULL},
+ };
+@@ -181,11 +186,13 @@ main (int argc, char *argv[])
+   g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string);
+   g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string);
+ 
+#ifdef HAVE_SETNETGRENT
+   g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string);
+  g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
+#endif
+ 
+   g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant);
+   g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant);
+-  g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
+ 
+   add_comparison_tests ();
+ 
+--- a/test/polkit/polkitunixnetgrouptest.c
+++ b/test/polkit/polkitunixnetgrouptest.c
+@@ -19,6 +19,7 @@
+  * Author: Nikki VonHollen <vonhollen@google.com>
+  */
+ 
+#include "config.h"
+ #include "glib.h"
+ #include <polkit/polkit.h>
+ #include <string.h>
+@@ -69,7 +70,9 @@ int
+ main (int argc, char *argv[])
+ {
+   g_test_init (&argc, &argv, NULL);
+#ifdef HAVE_SETNETGRENT
+   g_test_add_func ("/PolkitUnixNetgroup/new", test_new);
+   g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name);
+#endif
+   return g_test_run ();
+ }
+--- a/test/polkitbackend/test-polkitbackendjsauthority.c
+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
+@@ -137,12 +137,14 @@ test_get_admin_identities (void)
+         "unix-group:users"
+       }
+     },
+#ifdef HAVE_SETNETGRENT
+     {
+       "net.company.action3",
+       {
+         "unix-netgroup:foo"
+       }
+     },
+#endif
+   };
+   guint n;
+ 
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.115.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
index 562a754b21..8754383efa 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.115.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
@@ -23,12 +23,11 @@ PACKAGECONFIG[consolekit] = ",,,consolekit"
 PAM_SRC_URI = "file://polkit-1_pam.patch"
 SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \
-           file://0001-make-netgroup-support-configurable.patch \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-           file://0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch \
+           file://0003-make-netgroup-support-optional.patch \
           "
-SRC_URI[md5sum] = "f03b055d6ae5fc8eac76838c7d83d082"
+SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"
-SRC_URI[sha256sum] = "2f87ecdabfbd415c6306673ceadc59846f059b18ef2fce42bac63fe283f12131"
+SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
 EXTRA_OECONF = "--with-os-type=moblin \
                --disable-man-pages \

diff --git a/meta-oe/recipes-extended/polkit/polkit/0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch b/meta-oe/recipes-extended/polkit/polkit/0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch deleted file mode 100644 index ae314e3c17..0000000000 --- a/meta-oe/recipes-extended/polkit/polkit/0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch +++ /dev/null
@@ -1,186 +0,0 @@
1	From eb1f1336e8e49b4db6243b543e0a71f7c0c9b5b1 Mon Sep 17 00:00:00 2001
2	From: Colin Walters <walters@verbum.org>
3	Date: Fri, 4 Jan 2019 14:24:48 -0500
4	Subject: [PATCH] backend: Compare PolkitUnixProcess uids for temporary
5	authorizations
6
7	It turns out that the combination of `(pid, start time)` is not
8	enough to be unique. For temporary authorizations, we can avoid
9	separate users racing on pid reuse by simply comparing the uid.
10
11	https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
12
13	And the above original email report is included in full in a new comment.
14
15	Reported-by: Jann Horn <jannh@google.com>
16
17	Closes: https://gitlab.freedesktop.org/polkit/polkit/issues/75
18
19	Upstream-Status: Backport
20	CVE: CVE-2019-6133
21	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
22	---
23	src/polkit/polkitsubject.c \| 2 +
24	src/polkit/polkitunixprocess.c \| 71 +++++++++++++++++++++-
25	.../polkitbackendinteractiveauthority.c \| 39 +++++++++++-
26	3 files changed, 110 insertions(+), 2 deletions(-)
27
28	diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c
29	index d4c1182..ccabd0a 100644
30	--- a/src/polkit/polkitsubject.c
31	+++ b/src/polkit/polkitsubject.c
32	@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subject)
33	* @b: A #PolkitSubject.
34	*
35	* Checks if @a and @b are equal, ie. represent the same subject.
36	+ * However, avoid calling polkit_subject_equal() to compare two processes;
37	+ * for more information see the `PolkitUnixProcess` documentation.
38	*
39	* This function can be used in e.g. g_hash_table_new().
40	*
41	diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
42	index 972b777..7a6d48b 100644
43	--- a/src/polkit/polkitunixprocess.c
44	+++ b/src/polkit/polkitunixprocess.c
45	@@ -51,7 +51,10 @@
46	* @title: PolkitUnixProcess
47	* @short_description: Unix processs
48	*
49	- * An object for representing a UNIX process.
50	+ * An object for representing a UNIX process. NOTE: This object as
51	+ * designed is now known broken; a mechanism to exploit a delay in
52	+ * start time in the Linux kernel was identified. Avoid
53	+ * calling polkit_subject_equal() to compare two processes.
54	*
55	* To uniquely identify processes, both the process id and the start
56	* time of the process (a monotonic increasing value representing the
57	@@ -66,6 +69,72 @@
58	* polkit_unix_process_new_for_owner() with trusted data.
59	*/
60
61	+/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75
62	+
63	+ But quoting the original email in full here to ensure it's preserved:
64	+
65	+ From: Jann Horn <jannh@google.com>
66	+ Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork
67	+ Date: Wednesday, October 10, 2018 5:34 PM
68	+
69	+When a (non-root) user attempts to e.g. control systemd units in the system
70	+instance from an active session over DBus, the access is gated by a polkit
71	+policy that requires "auth_admin_keep" auth. This results in an auth prompt
72	+being shown to the user, asking the user to confirm the action by entering the
73	+password of an administrator account.
74	+
75	+After the action has been confirmed, the auth decision for "auth_admin_keep" is
76	+cached for up to five minutes. Subject to some restrictions, similar actions can
77	+then be performed in this timespan without requiring re-auth:
78	+
79	+ - The PID of the DBus client requesting the new action must match the PID of
80	+ the DBus client requesting the old action (based on SO_PEERCRED information
81	+ forwarded by the DBus daemon).
82	+ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22)
83	+ must not have changed. The granularity of this timestamp is in the
84	+ millisecond range.
85	+ - polkit polls every two seconds whether a process with the expected start time
86	+ still exists. If not, the temporary auth entry is purged.
87	+
88	+Without the start time check, this would obviously be buggy because an attacker
89	+could simply wait for the legitimate client to disappear, then create a new
90	+client with the same PID.
91	+
92	+Unfortunately, the start time check is bypassable because fork() is not atomic.
93	+Looking at the source code of copy_process() in the kernel:
94	+
95	+ p->start_time = ktime_get_ns();
96	+ p->real_start_time = ktime_get_boot_ns();
97	+ [...]
98	+ retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls);
99	+ if (retval)
100	+ goto bad_fork_cleanup_io;
101	+
102	+ if (pid != &init_struct_pid) {
103	+ pid = alloc_pid(p->nsproxy->pid_ns_for_children);
104	+ if (IS_ERR(pid)) {
105	+ retval = PTR_ERR(pid);
106	+ goto bad_fork_cleanup_thread;
107	+ }
108	+ }
109	+
110	+The ktime_get_boot_ns() call is where the "start time" of the process is
111	+recorded. The alloc_pid() call is where a free PID is allocated. In between
112	+these, some time passes; and because the copy_thread_tls() call between them can
113	+access userspace memory when sys_clone() is invoked through the 32-bit syscall
114	+entry point, an attacker can even stall the kernel arbitrarily long at this
115	+point (by supplying a pointer into userspace memory that is associated with a
116	+userfaultfd or is backed by a custom FUSE filesystem).
117	+
118	+This means that an attacker can immediately call sys_clone() when the victim
119	+process is created, often resulting in a process that has the exact same start
120	+time reported in procfs; and then the attacker can delay the alloc_pid() call
121	+until after the victim process has died and the PID assignment has cycled
122	+around. This results in an attacker process that polkit can't distinguish from
123	+the victim process.
124	+*/
125	+
126	+
127	/**
128	* PolkitUnixProcess:
129	*
130	diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
131	index de3f752..098d343 100644
132	--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
133	+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
134	@@ -3035,6 +3035,43 @@ temporary_authorization_store_free (TemporaryAuthorizationStore *store)
135	g_free (store);
136	}
137
138	+/* See the comment at the top of polkitunixprocess.c */
139	+static gboolean
140	+subject_equal_for_authz (PolkitSubject *a,
141	+ PolkitSubject *b)
142	+{
143	+ if (!polkit_subject_equal (a, b))
144	+ return FALSE;
145	+
146	+ /* Now special case unix processes, as we want to protect against
147	+ * pid reuse by including the UID.
148	+ */
149	+ if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) {
150	+ PolkitUnixProcess ap = (PolkitUnixProcess)a;
151	+ int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a);
152	+ PolkitUnixProcess bp = (PolkitUnixProcess)b;
153	+ int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b);
154	+
155	+ if (uid_a != -1 && uid_b != -1)
156	+ {
157	+ if (uid_a == uid_b)
158	+ {
159	+ return TRUE;
160	+ }
161	+ else
162	+ {
163	+ g_printerr ("denying slowfork; pid %d uid %d != %d!\n",
164	+ polkit_unix_process_get_pid (ap),
165	+ uid_a, uid_b);
166	+ return FALSE;
167	+ }
168	+ }
169	+ /* Fall through; one of the uids is unset so we can't reliably compare */
170	+ }
171	+
172	+ return TRUE;
173	+}
174	+
175	static gboolean
176	temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store,
177	PolkitSubject *subject,
178	@@ -3077,7 +3114,7 @@ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *st
179	TemporaryAuthorization *authorization = l->data;
180
181	if (strcmp (action_id, authorization->action_id) == 0 &&
182	- polkit_subject_equal (subject_to_use, authorization->subject))
183	+ subject_equal_for_authz (subject_to_use, authorization->subject))
184	{
185	ret = TRUE;
186	if (out_tmp_authz_id != NULL)


diff --git a/meta-oe/recipes-extended/polkit/polkit/0001-make-netgroup-support-configurable.patch b/meta-oe/recipes-extended/polkit/polkit/0001-make-netgroup-support-configurable.patch deleted file mode 100644 index 3b0ef5e5a3..0000000000 --- a/meta-oe/recipes-extended/polkit/polkit/0001-make-netgroup-support-configurable.patch +++ /dev/null
@@ -1,93 +0,0 @@
1	From 7d5e205aa58a10e7b1ccc2fa75b443508a5c3e18 Mon Sep 17 00:00:00 2001
2	From: Khem Raj <raj.khem@gmail.com>
3	Date: Wed, 20 Jan 2016 04:31:59 +0000
4	Subject: [PATCH] make netgroup support configurable
5
6	Disable using innetgr and *netigrent function if not available
7
8	These functions are not available on all libc implementations e.g. musl
9	doesnt have them.
10
11	Signed-off-by: Khem Raj <raj.khem@gmail.com>
12	---
13	Upstream-Status: Pending
14
15	Rebase to 0.115
16	Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
17	---
18	configure.ac \| 2 +-
19	src/polkitbackend/polkitbackendinteractiveauthority.c \| 6 +++++-
20	src/polkitbackend/polkitbackendjsauthority.cpp \| 2 ++
21	3 files changed, 8 insertions(+), 2 deletions(-)
22
23	diff --git a/configure.ac b/configure.ac
24	index 8b3e1b1..1c392df 100644
25	--- a/configure.ac
26	+++ b/configure.ac
27	@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"],
28	[AC_MSG_ERROR([Can't find expat library. Please install expat.])])
29	AC_SUBST(EXPAT_LIBS)
30
31	-AC_CHECK_FUNCS(clearenv fdatasync)
32	+AC_CHECK_FUNCS(clearenv fdatasync getnetgrent innetgr)
33
34	if test "x$GCC" = "xyes"; then
35	LDFLAGS="-Wl,--as-needed $LDFLAGS"
36	diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
37	index cb6fdab..de3f752 100644
38	--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
39	+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
40	@@ -2224,7 +2224,7 @@ get_users_in_group (PolkitIdentity *group,
41	out:
42	return ret;
43	}
44	-
45	+#if defined HAVE_GETNETGRENT
46	static GList *
47	get_users_in_net_group (PolkitIdentity *group,
48	gboolean include_root)
49	@@ -2285,6 +2285,8 @@ get_users_in_net_group (PolkitIdentity *group,
50	return ret;
51	}
52
53	+#endif
54	+
55	/* ---------------------------------------------------------------------------------------------------- */
56
57	static void
58	@@ -2369,10 +2371,12 @@ authentication_agent_initiate_challenge (AuthenticationAgent *agent,
59	{
60	user_identities = g_list_concat (user_identities, get_users_in_group (identity, FALSE));
61	}
62	+#if defined HAVE_GETNETGRENT
63	else if (POLKIT_IS_UNIX_NETGROUP (identity))
64	{
65	user_identities = g_list_concat (user_identities, get_users_in_net_group (identity, FALSE));
66	}
67	+#endif
68	else
69	{
70	g_warning ("Unsupported identity");
71	diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
72	index 517f3c6..6042dd2 100644
73	--- a/src/polkitbackend/polkitbackendjsauthority.cpp
74	+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
75	@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
76	user = JS_EncodeString (cx, args[0].toString());
77	netgroup = JS_EncodeString (cx, args[1].toString());
78
79	+#if defined HAVE_INNETGR
80	if (innetgr (netgroup,
81	NULL, /* host */
82	user,
83	@@ -1509,6 +1510,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
84	{
85	is_in_netgroup = true;
86	}
87	+#endif
88
89	JS_free (cx, netgroup);
90	JS_free (cx, user);
91	--
92	2.7.4
93


diff --git a/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch b/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch new file mode 100644 index 0000000000..fd7251369e --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch
@@ -0,0 +1,232 @@
		1	From 21aa2747e8f0048759aab184b07dd6389666d5e6 Mon Sep 17 00:00:00 2001
		2	From: Khem Raj <raj.khem@gmail.com>
		3	Date: Wed, 22 May 2019 13:18:55 -0700
		4	Subject: [PATCH] make netgroup support optional
		5
		6	On at least Linux/musl and Linux/uclibc, netgroup
		7	support is not available. PolKit fails to compile on these systems
		8	for that reason.
		9
		10	This change makes netgroup support conditional on the presence of the
		11	setnetgrent(3) function which is required for the support to work. If
		12	that function is not available on the system, an error will be returned
		13	to the administrator if unix-netgroup: is specified in configuration.
		14
		15	Fixes bug 50145.
		16
		17	Closes polkit/polkit#14.
		18	Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>
		19	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		20	---
		21	configure.ac \| 2 +-
		22	src/polkit/polkitidentity.c \| 16 ++++++++++++++++
		23	src/polkit/polkitunixnetgroup.c \| 3 +++
		24	.../polkitbackendinteractiveauthority.c \| 14 ++++++++------
		25	src/polkitbackend/polkitbackendjsauthority.cpp \| 2 ++
		26	test/polkit/polkitidentitytest.c \| 9 ++++++++-
		27	test/polkit/polkitunixnetgrouptest.c \| 3 +++
		28	.../test-polkitbackendjsauthority.c \| 2 ++
		29	8 files changed, 43 insertions(+), 8 deletions(-)
		30
		31	--- a/configure.ac
		32	+++ b/configure.ac
		33	@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXP
		34	[AC_MSG_ERROR([Can't find expat library. Please install expat.])])
		35	AC_SUBST(EXPAT_LIBS)
		36
		37	-AC_CHECK_FUNCS(clearenv fdatasync)
		38	+AC_CHECK_FUNCS(clearenv fdatasync setnetgrent)
		39
		40	if test "x$GCC" = "xyes"; then
		41	LDFLAGS="-Wl,--as-needed $LDFLAGS"
		42	--- a/src/polkit/polkitidentity.c
		43	+++ b/src/polkit/polkitidentity.c
		44	@@ -182,7 +182,15 @@ polkit_identity_from_string (const gcha
		45	}
		46	else if (g_str_has_prefix (str, "unix-netgroup:"))
		47	{
		48	+#ifndef HAVE_SETNETGRENT
		49	+ g_set_error (error,
		50	+ POLKIT_ERROR,
		51	+ POLKIT_ERROR_FAILED,
		52	+ "Netgroups are not available on this machine ('%s')",
		53	+ str);
		54	+#else
		55	identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1);
		56	+#endif
		57	}
		58
		59	if (identity == NULL && (error != NULL && *error == NULL))
		60	@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVaria
		61	GVariant *v;
		62	const char *name;
		63
		64	+#ifndef HAVE_SETNETGRENT
		65	+ g_set_error (error,
		66	+ POLKIT_ERROR,
		67	+ POLKIT_ERROR_FAILED,
		68	+ "Netgroups are not available on this machine");
		69	+ goto out;
		70	+#else
		71	v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
		72	if (v == NULL)
		73	{
		74	@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVaria
		75	name = g_variant_get_string (v, NULL);
		76	ret = polkit_unix_netgroup_new (name);
		77	g_variant_unref (v);
		78	+#endif
		79	}
		80	else
		81	{
		82	--- a/src/polkit/polkitunixnetgroup.c
		83	+++ b/src/polkit/polkitunixnetgroup.c
		84	@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUni
		85	PolkitIdentity *
		86	polkit_unix_netgroup_new (const gchar *name)
		87	{
		88	+#ifndef HAVE_SETNETGRENT
		89	+ g_assert_not_reached();
		90	+#endif
		91	g_return_val_if_fail (name != NULL, NULL);
		92	return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
		93	"name", name,
		94	--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
		95	+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
		96	@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity
		97	GList *ret;
		98
		99	ret = NULL;
		100	+#ifdef HAVE_SETNETGRENT
		101	name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group));
		102
		103	-#ifdef HAVE_SETNETGRENT_RETURN
		104	+# ifdef HAVE_SETNETGRENT_RETURN
		105	if (setnetgrent (name) == 0)
		106	{
		107	g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno));
		108	goto out;
		109	}
		110	-#else
		111	+# else
		112	setnetgrent (name);
		113	-#endif
		114	+# endif /* HAVE_SETNETGRENT_RETURN */
		115
		116	for (;;)
		117	{
		118	-#if defined(HAVE_NETBSD) \|\| defined(HAVE_OPENBSD)
		119	+# if defined(HAVE_NETBSD) \|\| defined(HAVE_OPENBSD)
		120	const char hostname, username, *domainname;
		121	-#else
		122	+# else
		123	char hostname, username, *domainname;
		124	-#endif
		125	+# endif /* defined(HAVE_NETBSD) \|\| defined(HAVE_OPENBSD) */
		126	PolkitIdentity *user;
		127	GError *error = NULL;
		128
		129	@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity
		130
		131	out:
		132	endnetgrent ();
		133	+#endif /* HAVE_SETNETGRENT */
		134	return ret;
		135	}
		136
		137	--- a/src/polkitbackend/polkitbackendjsauthority.cpp
		138	+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
		139	@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext
		140
		141	JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
		142
		143	+#ifdef HAVE_SETNETGRENT
		144	JS::RootedString usrstr (authority->priv->cx);
		145	usrstr = args[0].toString();
		146	user = JS_EncodeStringToUTF8 (cx, usrstr);
		147	@@ -1519,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext
		148
		149	JS_free (cx, netgroup);
		150	JS_free (cx, user);
		151	+#endif
		152
		153	ret = true;
		154
		155	--- a/test/polkit/polkitidentitytest.c
		156	+++ b/test/polkit/polkitidentitytest.c
		157	@@ -19,6 +19,7 @@
		158	* Author: Nikki VonHollen <vonhollen@google.com>
		159	*/
		160
		161	+#include "config.h"
		162	#include "glib.h"
		163	#include <polkit/polkit.h>
		164	#include <polkit/polkitprivate.h>
		165	@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_tes
		166	{"unix-group:root", "unix-group:jane", FALSE},
		167	{"unix-group:jane", "unix-group:jane", TRUE},
		168
		169	+#ifdef HAVE_SETNETGRENT
		170	{"unix-netgroup:foo", "unix-netgroup:foo", TRUE},
		171	{"unix-netgroup:foo", "unix-netgroup:bar", FALSE},
		172	+#endif
		173
		174	{"unix-user:root", "unix-group:root", FALSE},
		175	+#ifdef HAVE_SETNETGRENT
		176	{"unix-user:jane", "unix-netgroup:foo", FALSE},
		177	+#endif
		178
		179	{NULL},
		180	};
		181	@@ -181,11 +186,13 @@ main (int argc, char *argv[])
		182	g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string);
		183	g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string);
		184
		185	+#ifdef HAVE_SETNETGRENT
		186	g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string);
		187	+ g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
		188	+#endif
		189
		190	g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant);
		191	g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant);
		192	- g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant);
		193
		194	add_comparison_tests ();
		195
		196	--- a/test/polkit/polkitunixnetgrouptest.c
		197	+++ b/test/polkit/polkitunixnetgrouptest.c
		198	@@ -19,6 +19,7 @@
		199	* Author: Nikki VonHollen <vonhollen@google.com>
		200	*/
		201
		202	+#include "config.h"
		203	#include "glib.h"
		204	#include <polkit/polkit.h>
		205	#include <string.h>
		206	@@ -69,7 +70,9 @@ int
		207	main (int argc, char *argv[])
		208	{
		209	g_test_init (&argc, &argv, NULL);
		210	+#ifdef HAVE_SETNETGRENT
		211	g_test_add_func ("/PolkitUnixNetgroup/new", test_new);
		212	g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name);
		213	+#endif
		214	return g_test_run ();
		215	}
		216	--- a/test/polkitbackend/test-polkitbackendjsauthority.c
		217	+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
		218	@@ -137,12 +137,14 @@ test_get_admin_identities (void)
		219	"unix-group:users"
		220	}
		221	},
		222	+#ifdef HAVE_SETNETGRENT
		223	{
		224	"net.company.action3",
		225	{
		226	"unix-netgroup:foo"
		227	}
		228	},
		229	+#endif
		230	};
		231	guint n;
		232


diff --git a/meta-oe/recipes-extended/polkit/polkit_0.115.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb index 562a754b21..8754383efa 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.115.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
@@ -23,12 +23,11 @@ PACKAGECONFIG[consolekit] = ",,,consolekit"
23		23
24	PAM_SRC_URI = "file://polkit-1_pam.patch"	24	PAM_SRC_URI = "file://polkit-1_pam.patch"
25	SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \	25	SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \
26	file://0001-make-netgroup-support-configurable.patch \
27	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	26	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
28	file://0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch \	27	file://0003-make-netgroup-support-optional.patch \
29	"	28	"
30	SRC_URI[md5sum] = "f03b055d6ae5fc8eac76838c7d83d082"	29	SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"
31	SRC_URI[sha256sum] = "2f87ecdabfbd415c6306673ceadc59846f059b18ef2fce42bac63fe283f12131"	30	SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
32		31
33	EXTRA_OECONF = "--with-os-type=moblin \	32	EXTRA_OECONF = "--with-os-type=moblin \
34	--disable-man-pages \	33	--disable-man-pages \