From fdbf7dc8b38cd523804d342d2c153dfeb10cc83d Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sat, 26 Nov 2016 02:52:41 +0100
Subject: [PATCH] gradm: fix using gradm while the RBAC system is active
The built-in ACL prevents the gradm binary from loading dynamic libraries from the Nix store. Thus, once the RBAC system is activated, the gradm binary cannot be used. Fix by patching in rules to allow references to the Nix store where appropriate.
---
 pkgs/os-specific/linux/gradm/default.nix | 2 ++
 .../linux/gradm/gradm_nix_store.patch | 31 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 pkgs/os-specific/linux/gradm/gradm_nix_store.patch
diff --git a/pkgs/os-specific/linux/gradm/default.nix b/pkgs/os-specific/linux/gradm/default.nix
index 7f64ed22771..2beb0709469 100644
--- a/pkgs/os-specific/linux/gradm/default.nix
+++ b/pkgs/os-specific/linux/gradm/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 sha256 = "0y5565rhil5ciprwz7nx4s4ah7dsxx7zrkg42dbq0mcg8m316xrb";
 };
+ patches = [ ./gradm_nix_store.patch ];
+
 nativeBuildInputs = [ bison flex ];
 buildInputs = [ pam ];
diff --git a/pkgs/os-specific/linux/gradm/gradm_nix_store.patch b/pkgs/os-specific/linux/gradm/gradm_nix_store.patch
new file mode 100644
index 00000000000..c1b7047324b
--- /dev/null
+++ b/pkgs/os-specific/linux/gradm/gradm_nix_store.patch
@@ -0,0 +1,31 @@
+diff -ruN a/gradm_adm.c b/gradm_adm.c
+--- a/gradm_adm.c 2016-08-13 18:56:45.000000000 +0200
++++ b/gradm_adm.c 2016-11-26 02:47:05.829718770 +0100
+@@ -166,6 +166,8 @@
+ ADD_OBJ("/usr/libx32", "rx");
+ ADD_OBJ("/lib64", "rx");
+ ADD_OBJ("/usr/lib64", "rx");
++ ADD_OBJ("/nix/store", "h");
++ ADD_OBJ("/nix/store/*/lib", "rx");
+ ADD_OBJ(gradm_name, "x");
+ ADD_OBJ(grpam_path, "x");
+ 
+@@ -286,6 +288,8 @@
+ ADD_OBJ("/usr/lib32", "rx");
+ ADD_OBJ("/lib64", "rx");
+ ADD_OBJ("/usr/lib64", "rx");
++ ADD_OBJ("/nix/store", "h");
++ ADD_OBJ("/nix/store/*/lib", "rx");
+ ADD_OBJ("/tmp", "");
+ ADD_OBJ("/tmp/krb5cc_pam*", "rwcd");
+ ADD_OBJ(grpam_path, "x");
+@@ -369,6 +373,9 @@
+ ADD_OBJ("/lib", "rx");
+ ADD_OBJ("/lib32", "rx");
+ ADD_OBJ("/lib64", "rx");
++ ADD_OBJ("/nix/store", "h");
++ ADD_OBJ("/nix/store/*/bin", "rx");
++ ADD_OBJ("/nix/store/*/lib", "rx");
+ ADD_OBJ("/usr", "rx");
+ ADD_OBJ("/proc", "r");
+ ADD_OBJ("/boot", "h");
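Review bot: `ADD_OBJ("/nix/store/*/lib", "rx")` (and `ADD_OBJ("/nix/store/*/bin", "rx")` in the third inner hunk, around line 369) grants read/execute on the matching directory of every store path on the system, not just the few libraries gradm and its PAM helper link against, so the built-in policy's object list is widened well beyond what the stated problem (gradm failing to load its own shared libraries) needs. Since the derivation knows its runtime closure at build time, the rules could be narrowed to the concrete store paths of those dependencies (placeholders in the patch, filled in during the build) while keeping the `"h"` entry on `/nix/store` as the catch-all. I am inferring from the surrounding entries that the third block belongs to a broader subject than the first two, which would explain why it also gets `bin`; a one-line comment above each added group naming the dependency it serves would make that intent reviewable. The patch file carries no description header even though patch tools ignore text before the first `diff` line, so the rationale from the commit message could be repeated there for readers who only see the file.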