Bug#1036917: lintian: add checks for polkit rules

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1036917: lintian: add checks for polkit rules
From: Simon McVittie <smcv@debian.org>
Date: Mon, 29 May 2023 12:38:37 +0100
Message-id: <[🔎] ZHSOvUvWdvWFg0OE@tautology.pseudorandom.co.uk>
Reply-to: Simon McVittie <smcv@debian.org>, 1036917@bugs.debian.org

Package: lintian
Version: 2.116.3
Severity: wishlist

It would be useful for Lintian to have some checks for the policy rules
used by polkit (formerly PolicyKit) to decide whether to allow privileged
actions to be done on behalf of unprivileged users:

* packages with JavaScript polkit rules should install them into
  /usr/share/polkit-1/rules.d/*.rules, and not into
  /etc/polkit-1/rules.d/*.rules which is reserved for the sysadmin

  - very similar to udev-rule-in-etc
  - pseudocode: foreach $path (/etc/polkit-1/rules.d/*.rules) {
        emit polkit-rule-in-etc $path
    }
  - possible text:
    This package ships polkit rules and installs them under /etc/polkit-1,
    which is reserved for user-installed files. The correct location for
    system rules is /usr/share/polkit-1/rules.d/*.rules for JavaScript
    rules, or /var/lib/polkit-1/localauthority/10-vendor.d/*.pkla for
    legacy .pkla rules.

* similarly packages should not have legacy .pkla rules in
  /etc/polkit-1/localauthority/*.d/*.pkla

  - very similar to udev-rule-in-etc
  - pseudocode: foreach $path (/etc/polkit-1/localauthority/*.d/*.pkla)
        emit polkit-rule-in-etc $path
    }
  - same text as above

* if a package ships legacy .pkla rules then it should ship a JavaScript
  equivalent, so that it will work as intended without installing
  polkitd-pkla

  - pseudocode: foreach $path (
       /var/lib/polkit-1/localauthority/*.d/*.pkla
       /etc/polkit-1/localauthority/*.d/*.pkla
    ) {
        if package does not contain /etc/polkit-1/rules.d/*.rules
        or /usr/share/polkit-1/rules.d/*.rules {
            emit polkit-rule-without-js-equivalent $path
        }
    }
  - possible text:
    This package ships legacy polkit rules in .pkla format, but does not
    provide an equivalent in the newer JavaScript rules format. Rules
    in .pkla format will be ignored if the polkitd-pkla package is
    not installed. The package should install a JavaScript equivalent
    of the legacy rules into /usr/share/polkit-1/rules.d/*.rules.
    Reference: https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/170
               (or the actual release notes after that MR is merged)
    Reference: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/66

* emit a classification or info tag for packages with legacy polkit rules
  (still necessary if the package should be backported to Debian 11
  or Ubuntu 23.04, unnecessary since Debian 12, will hopefully become
  unnecessary in Ubuntu 23.10 at which point this can become a warning)

  - pseudocode: foreach $path (
       /var/lib/polkit-1/localauthority/*.d/*.pkla
       /etc/polkit-1/localauthority/*.d/*.pkla
    ) {
        emit polkit-rule-in-pkla-format $path
    }
  - possible text:
    This package ships legacy polkit rules in .pkla format, which have
    been superseded by the newer JavaScript rules format.

Thanks,
    smcv

Reply to:

Prev by Date: Bug#1036769: lintian: Check for certificates .pem/.crt/.pkcs12 with expiry set
Next by Date: Bug#1036674: lintian: No line ending checks for CR or CRLF for type script, files or artifacts located under /debian
Previous by thread: Bug#1036769: lintian: Check for certificates .pem/.crt/.pkcs12 with expiry set
Index(es):
- Date
- Thread