gradm: fix using gradm while the RBAC system is active

The built-in ACL prevents the gradm binary from loading dynamic
libraries from the Nix store.  Thus, once the RBAC system is activated,
the gradm binary cannot be used.

Fix by patching in rules to allow references to the Nix store where
appropriate.
Joachim Fasting 2016-11-26 02:52:41 +01:00
parent a51378c419
commit fdbf7dc8b3
No known key found for this signature in database
GPG Key ID: 7544761007FE4E08
2 changed files with 33 additions and 0 deletions


@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
sha256 = "0y5565rhil5ciprwz7nx4s4ah7dsxx7zrkg42dbq0mcg8m316xrb";
};
patches = [ ./gradm_nix_store.patch ];
nativeBuildInputs = [ bison flex ];
buildInputs = [ pam ];


@ -0,0 +1,31 @@
diff -ruN a/gradm_adm.c b/gradm_adm.c
--- a/gradm_adm.c 2016-08-13 18:56:45.000000000 +0200
+++ b/gradm_adm.c 2016-11-26 02:47:05.829718770 +0100
@@ -166,6 +166,8 @@
ADD_OBJ("/usr/libx32", "rx");
ADD_OBJ("/lib64", "rx");
ADD_OBJ("/usr/lib64", "rx");
+ ADD_OBJ("/nix/store", "h");
+ ADD_OBJ("/nix/store/*/lib", "rx");
ADD_OBJ(gradm_name, "x");
ADD_OBJ(grpam_path, "x");
@@ -286,6 +288,8 @@
ADD_OBJ("/usr/lib32", "rx");
ADD_OBJ("/lib64", "rx");
ADD_OBJ("/usr/lib64", "rx");
+ ADD_OBJ("/nix/store", "h");
+ ADD_OBJ("/nix/store/*/lib", "rx");
ADD_OBJ("/tmp", "");
ADD_OBJ("/tmp/krb5cc_pam*", "rwcd");
ADD_OBJ(grpam_path, "x");
@@ -369,6 +373,9 @@
ADD_OBJ("/lib", "rx");
ADD_OBJ("/lib32", "rx");
ADD_OBJ("/lib64", "rx");
+ ADD_OBJ("/nix/store", "h");
+ ADD_OBJ("/nix/store/*/bin", "rx");
+ ADD_OBJ("/nix/store/*/lib", "rx");
ADD_OBJ("/usr", "rx");
ADD_OBJ("/proc", "r");
ADD_OBJ("/boot", "h");
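Review bot: The `/nix/store/*/lib` rule added in all three hunks (and `/nix/store/*/bin` in the third) allows read and execute on the `lib` or `bin` directory of every store path, not only the ones the gradm binaries presumably load from, so the subjects receiving these rules can map any library version still present in the store. The `"h"` rule on `/nix/store` keeps everything else hidden, which is a sound default. The wildcard could still be narrowed by having the Nix expression substitute the concrete dependency paths into the patch at build time; treat that as a least-privilege suggestion to check against how gradm resolves globs, not a demonstrated bypass. At minimum each added pair deserves a comment such as `/* NixOS: shared objects live under /nix/store/<hash>-<name>/lib rather than /lib */`. The enclosing functions begin outside these hunks, so which role or subject each block belongs to cannot be confirmed from this page.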