Bug#1036917: lintian: add checks for polkit rules
Package: lintian
Version: 2.116.3
Severity: wishlist
It would be useful for Lintian to have some checks for the policy rules
used by polkit (formerly PolicyKit) to decide whether to allow privileged
actions to be done on behalf of unprivileged users:
* packages with JavaScript polkit rules should install them into
/usr/share/polkit-1/rules.d/*.rules, and not into
/etc/polkit-1/rules.d/*.rules which is reserved for the sysadmin
- very similar to udev-rule-in-etc
- pseudocode: foreach $path (/etc/polkit-1/rules.d/*.rules) {
      emit polkit-rule-in-etc $path
  }
- possible text:
This package ships polkit rules and installs them under /etc/polkit-1,
which is reserved for user-installed files. The correct location for
system rules is /usr/share/polkit-1/rules.d/*.rules for JavaScript
rules, or /var/lib/polkit-1/localauthority/10-vendor.d/*.pkla for
legacy .pkla rules.
* similarly packages should not have legacy .pkla rules in
/etc/polkit-1/localauthority/*.d/*.pkla
- very similar to udev-rule-in-etc
- pseudocode: foreach $path (/etc/polkit-1/localauthority/*.d/*.pkla) {
      emit polkit-rule-in-etc $path
  }
- same text as above
* if a package ships legacy .pkla rules then it should ship a JavaScript
equivalent, so that it will work as intended without installing
polkitd-pkla
- pseudocode: foreach $path (
      /var/lib/polkit-1/localauthority/*.d/*.pkla
      /etc/polkit-1/localauthority/*.d/*.pkla
  ) {
      if package does not contain /etc/polkit-1/rules.d/*.rules
          or /usr/share/polkit-1/rules.d/*.rules {
          emit polkit-rule-without-js-equivalent $path
      }
  }
- possible text:
This package ships legacy polkit rules in .pkla format, but does not
provide an equivalent in the newer JavaScript rules format. Rules
in .pkla format will be ignored if the polkitd-pkla package is
not installed. The package should install a JavaScript equivalent
of the legacy rules into /usr/share/polkit-1/rules.d/*.rules.
Reference: https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/170
(or the actual release notes after that MR is merged)
Reference: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/66
* emit a classification or info tag for packages with legacy polkit rules
(still necessary if the package should be backported to Debian 11
or Ubuntu 23.04, unnecessary since Debian 12, will hopefully become
unnecessary in Ubuntu 23.10 at which point this can become a warning)
- pseudocode: foreach $path (
      /var/lib/polkit-1/localauthority/*.d/*.pkla
      /etc/polkit-1/localauthority/*.d/*.pkla
  ) {
      emit polkit-rule-in-pkla-format $path
  }
- possible text:
This package ships legacy polkit rules in .pkla format, which have
been superseded by the newer JavaScript rules format.
Thanks,
smcv
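The four checks sketched in the report, turned into a small stand-alone prototype. This is an added example, not code from the bug report or from Lintian itself: it does not use Lintian's Perl check API, it only takes the list of paths a package installs (Lintian-style, without a leading slash) and returns (tag, path) hints in the spirit of the pseudocode above. The sample package contents are constructed; the tag names and descriptions are the ones proposed in the report. The glob "*" in the report is deliberately matched as "anything but a slash", so a rule file in a sub-directory does not count.

```python
"""Prototype of the polkit rule checks proposed in Debian bug #1036917.

Added example; not Lintian code.  Input is a package's installed path list.
"""
import re

# Locations from the report.  "[^/]+" plays the role of the shell glob "*",
# so matches never cross a directory boundary.
JS_RULES_SYSTEM = re.compile(r"^usr/share/polkit-1/rules\.d/[^/]+\.rules$")
JS_RULES_ETC = re.compile(r"^etc/polkit-1/rules\.d/[^/]+\.rules$")
PKLA_VENDOR = re.compile(r"^var/lib/polkit-1/localauthority/[^/]+\.d/[^/]+\.pkla$")
PKLA_ETC = re.compile(r"^etc/polkit-1/localauthority/[^/]+\.d/[^/]+\.pkla$")

# Tag descriptions taken from the "possible text" in the report.
TAG_TEXT = {
    "polkit-rule-in-etc": (
        "This package ships polkit rules and installs them under /etc/polkit-1, "
        "which is reserved for user-installed files."
    ),
    "polkit-rule-without-js-equivalent": (
        "This package ships legacy polkit rules in .pkla format, but does not "
        "provide an equivalent in the newer JavaScript rules format."
    ),
    "polkit-rule-in-pkla-format": (
        "This package ships legacy polkit rules in .pkla format, which have "
        "been superseded by the newer JavaScript rules format."
    ),
}


def polkit_hints(installed_paths):
    """Return a list of (tag, path) hints for one package's file list.

    The order mirrors the report: per path, first the /etc check, then the
    legacy-format info tag, then the missing-JS-equivalent check.
    """
    paths = [p.lstrip("/") for p in installed_paths]
    # Per the report, a JavaScript rule in either rules.d location counts as
    # an equivalent for the whole package.
    has_js_rules = any(JS_RULES_SYSTEM.match(p) or JS_RULES_ETC.match(p)
                       for p in paths)
    hints = []
    for path in paths:
        if JS_RULES_ETC.match(path) or PKLA_ETC.match(path):
            hints.append(("polkit-rule-in-etc", path))
        if PKLA_VENDOR.match(path) or PKLA_ETC.match(path):
            hints.append(("polkit-rule-in-pkla-format", path))
            if not has_js_rules:
                hints.append(("polkit-rule-without-js-equivalent", path))
    return hints


def format_hints(package, hints):
    """Render hints as Lintian-like 'I: package: tag path' lines."""
    return ["I: %s: %s %s" % (package, tag, path) for tag, path in hints]


# Constructed sample packages (hypothetical names and paths).
SAMPLE_PACKAGES = {
    "legacy-only": [
        "/usr/share/polkit-1/actions/org.example.legacy.policy",
        "/var/lib/polkit-1/localauthority/10-vendor.d/org.example.legacy.pkla",
    ],
    "rules-in-etc": [
        "/etc/polkit-1/rules.d/50-example.rules",
        "/etc/polkit-1/localauthority/50-local.d/org.example.pkla",
        "/usr/share/polkit-1/rules.d/90-example.rules",
    ],
    "clean": [
        "/usr/share/polkit-1/rules.d/50-example.rules",
    ],
}

if __name__ == "__main__":
    for name, files in SAMPLE_PACKAGES.items():
        for line in format_hints(name, polkit_hints(files)):
            print(line)
```

Running the script prints three hints for the two problematic sample packages and nothing for the clean one; the "rules-in-etc" package gets no missing-equivalent hint because it ships JavaScript rules, even though one copy is in the wrong place.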