author David Zeuthen <davidz@redhat.com> 2009-12-10 14:45:10 -0500
committer David Zeuthen <davidz@redhat.com> 2009-12-10 14:45:10 -0500
commit 8e0b9b47d1fc1a4ab6020770e4b3084ddd45b71d (patch)
tree 0a93ea6adb20154cbf651f956f5380fe4cb5fbdd /docs/man
parent c367f5f7f0a3058e58c48f4e7abda8706e422889 (diff)
download polkit-8e0b9b47d1fc1a4ab6020770e4b3084ddd45b71d.tar.gz
Bug 25367 — Also read local authority configuration data from /etc
Turns out some people would rather edit local files in /etc rather than shipping them in a package (as e.g. Fedora does with the polkit-desktop-policy RPM). This also drops the hard-coded list of directory names such as 10-vendor.d, 20-org.d - we now monitor the /var/lib/polkit-1/localauthority and /etc/polkit-1/localauthority directories for changes - whenever we see a subdirectory in any of these directories, we create an AuthorizationStore object that looks for .pkla files.

Signed-off-by: David Zeuthen <davidz@redhat.com>
Diffstat (limited to 'docs/man')
-rw-r--r-- docs/man/pklocalauthority.xml 122
1 files changed, 106 insertions, 16 deletions
diff --git a/docs/man/pklocalauthority.xml b/docs/man/pklocalauthority.xml
index 5ba01a6..f0343f3 100644
--- a/docs/man/pklocalauthority.xml
+++ b/docs/man/pklocalauthority.xml
@@ -91,7 +91,22 @@
<title>DIRECTORY STRUCTURE</title>
<para>
The Local Authority reads files with <filename>.pkla</filename>
- extension from the following directories
+ extension from all directories located inside the
+ <filename>/etc/polkit-1/localauthority</filename>
+ and <filename>/var/lib/polkit-1/localauthority</filename>
+ directories. By default, the following sub-directories are installed.
+ </para>
+ <programlisting>
+/etc/polkit-1/
+`-- localauthority
+ |-- 10-vendor.d
+ |-- 20-org.d
+ |-- 30-site.d
+ |-- 50-local.d
+ `-- 90-mandatory.d
+ </programlisting>
+ <para>
+ and
</para>
<programlisting>
/var/lib/polkit-1/
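Review bot: the new paragraph ends with "By default, the following sub-directories are installed." and the bridge to the second listing is a paragraph containing only the word "and", which reads as a fragment in the rendered man page. Suggest one introductory sentence that names both hierarchies, e.g. "By default, the following sub-directories are installed under both /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority", followed by the two listings, so the reader is not left with a dangling "and" between them.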
@@ -103,6 +118,12 @@
`-- 90-mandatory.d
</programlisting>
<para>
+ The <filename>/etc/polkit-1/localauthority</filename> hierarchy
+ is inteded for local configuration and
+ the <filename>/var/lib/polkit-1/localauthority</filename> is
+ intended for 3rd party packages.
+ </para>
+ <para>
Each <filename>.pkla</filename> file contains one or more
authorization entries. If the underlying filesystem supports
file monitoring, the Local Authority will reload information
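Review bot: typo in the added paragraph, "is inteded for local configuration" should read "is intended for local configuration". The second clause is also missing its noun: "the /var/lib/polkit-1/localauthority is intended for 3rd party packages" should be "the /var/lib/polkit-1/localauthority hierarchy is intended for third-party packages". Since this paragraph is where an administrator learns which tree they are expected to edit by hand, it would help to say here that files in both trees are read and combined (the ordering rules come much later in the page), rather than leaving the impression that one tree is consulted instead of the other.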
@@ -117,7 +138,7 @@
<term><emphasis>10-vendor.d</emphasis></term>
<listitem>
<para>
- Reserved for the Operating System vendor.
+ Intended for use by the OS vendor.
</para>
</listitem>
</varlistentry>
@@ -125,7 +146,7 @@
<term><emphasis>20-org.d</emphasis></term>
<listitem>
<para>
- Reserved for the organization deploying the system.
+ Intended for the organization deploying the OS.
</para>
</listitem>
</varlistentry>
@@ -133,7 +154,7 @@
<term><emphasis>30-site.d</emphasis></term>
<listitem>
<para>
- Reserved for site deploying the system.
+ Intended for the site deploying the system.
</para>
</listitem>
</varlistentry>
@@ -141,7 +162,7 @@
<term><emphasis>50-local.d</emphasis></term>
<listitem>
<para>
- Reserved for local usage.
+ Intended for local usage.
</para>
</listitem>
</varlistentry>
@@ -149,15 +170,19 @@
<term><emphasis>90-mandatory.d</emphasis></term>
<listitem>
<para>
- Reserved for the organization deploying the system.
+ Intended for the organization deploying the OS.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
- Each <filename>.pkla</filename> file is a standard <emphasis>key
- file</emphasis> and contains key/value pairs in one or more
- groups with each group representing an authorization entry.
+ and new directories can be added/removed as needed.
+ </para>
+ <para>
+ As to regards to the content, each <filename>.pkla</filename>
+ file is a standard <emphasis>key file</emphasis> and contains
+ key/value pairs in one or more groups with each group
+ representing an authorization entry.
A <filename>.pkla</filename> file MUST be named by using a
scheme to ensure that the name is unique, e.g. reverse DNS
notation or similar. For example, if the organization is
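Review bot: two wording problems in this hunk. First, the paragraph "and new directories can be added/removed as needed." starts lowercase immediately after the variablelist, so it renders as a sentence fragment; make it a full sentence such as "Additional sub-directories can be added or removed as needed; they are picked up automatically." (which is what the commit message says the monitoring now does). Second, "As to regards to the content, each .pkla file ..." is ungrammatical; "Regarding the content, each .pkla file ..." or simply dropping the lead-in reads better. Also worth noting: the description of 90-mandatory.d is now identical to that of 20-org.d ("Intended for the organization deploying the OS."), so nothing in the list explains what makes it "mandatory"; one clause saying that it sorts last and therefore its entries are consulted after all others would make the override semantics explicit.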
@@ -261,13 +286,78 @@
following algorithm.
</para>
<para>
- First, the user of the Subject is determined and the groups that
- the user belongs are looked up. For each group identity, the
- authorization entries are consulted in the lexigraphical order
- (using standard lexicographical sorting (using the standard C
- locale) of file names and appearance of each group in each
- file). If the authorization check matches the data from the
- authorization check, then the authorization result
+ The authorization entries from all .pkla files are ordered using
+ the following rules. First all the basename of all
+ sub-directories (e.g. <emphasis>30-site.d</emphasis>) from both
+ the <filename>/etc/polkit-1/localauthority</filename>
+ and <filename>/var/lib/polkit-1/localauthority</filename>
+ directories are enumerated and sorted (using the C locale). If a
+ name exists in both <filename>/etc</filename>
+ and <filename>/var</filename>, the one
+ in <filename>/etc</filename> takes precedence. Then
+ all <filename>.pkla</filename> files are read in order from this
+ list of sub-directories. For each <filename>.pkla</filename>
+ file, authorizations from each file are appended in order resulting
+ in an ordered list of authorization entries.
+ </para>
+ <para>
+ For example, given the following files
+ </para>
+ <programlisting>
+/var/lib/polkit-1
+└── localauthority
+ ├── 10-vendor.d
+ │ └── 10-desktop-policy.pkla
+ ├── 20-org.d
+ ├── 30-site.d
+ ├── 50-local.d
+ ├── 55-org.my.company.d
+ │ └── 10-org.my.company.product.pkla
+ └── 90-mandatory.d
+
+/etc/polkit-1
+└── localauthority
+ ├── 10-vendor.d
+ │ └── 01-some-changes-from-a-subvendor.pkla
+ ├── 20-org.d
+ ├── 30-site.d
+ ├── 50-local.d
+ ├── 55-org.my.company.d
+ │ └── 10-org.my.company.product.pkla
+ └── 90-mandatory.d
+ </programlisting>
+ <para>
+ the evaluation order of the <filename>.pkla</filename> files is:
+ </para>
+ <orderedlist>
+ <listitem>
+ <para>
+ <filename>10-desktop-policy.pkla</filename>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>01-some-changes-from-a-subvendor.pkla</filename>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>10-org.my.company.product.pkla</filename> (the <filename>/var</filename> one)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>10-org.my.company.product.pkla</filename> (the <filename>/etc</filename> one)
+ </para>
+ </listitem>
+ </orderedlist>
+ <para>
+ When the list of authorization entries has been calculated, the
+ authorization check can be made. First, the user of the Subject
+ is determined and the groups that the user belongs are looked
+ up. For each group identity, the authorization entries are
+ consulted in order. If the authorization check matches the data
+ from the authorization check, then the authorization result
from <emphasis>RequireAny</emphasis>, <emphasis>RequireInactive</emphasis>
or <emphasis>RequireActive</emphasis> is used
and <emphasis>ReturnValue</emphasis> is added to the
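Review bot: the ordering rule and the worked example disagree on what "takes precedence" means, and that ambiguity matters because it decides which authorization entry wins. The text says "If a name exists in both /etc and /var, the one in /etc takes precedence", which a reader will naturally take as "the /etc directory is used instead of, or before, the /var one"; but the example lists the /var copy of 10-org.my.company.product.pkla before the /etc copy, and within 10-vendor.d lists 10-desktop-policy.pkla (from /var) before 01-some-changes-from-a-subvendor.pkla (from /etc) even though "01" sorts first. So the actual rule appears to be: for each sub-directory name, the .pkla files in /var are read first, then the files in /etc, and both sets are kept. Suggest stating that directly, e.g. "If a sub-directory name exists in both /var and /etc, the files from /var are read first, followed by the files from /etc, so entries in /etc are consulted later", and say explicitly whether a later matching entry overrides an earlier one, since the final paragraph only says entries are "consulted in order". Minor grammar in the same hunk: "First all the basename of all sub-directories" should be "First, the basenames of all sub-directories"; "the groups that the user belongs are looked up" should be "the groups that the user belongs to are looked up"; and "If the authorization check matches the data from the authorization check" (carried over from the old text) presumably means "If the authorization entry matches the data from the authorization check".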