[security review] Sync policykit-1 121+compat0.1-5 (main) from Debian unstable

Bug #1972654 reported by Jeremy Bícha
Affects: policykit-1 (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Sebastien Bacher

Bug Description

Please sync policykit-1 121+compat0.1-5 (main) from Debian unstable for Ubuntu 23.04

Changelog entries since current kinetic version 0.105-33:
https://metadata.ftp-master.debian.org/changelogs/main/p/policykit-1/policykit-1_121%2Bcompat0.1-4_changelog

In particular, see the 0.120-4 changelog entry.

I am filing a bug for Security Team review.
Previously, Debian and Ubuntu developers agreed to keep using
the last version of policykit before it switched to using JavaScript rules.

But that was years ago. I believe Debian & Ubuntu are the only distros
to have opted out of the new policykit. It is harder to maintain
the old style rules when upstream rules use the new format. And it is
a challenge to backport security and other bugfixes from the new
series, without making mistakes or missing important details.

There was a proposal to use duktape instead of mozjs for the JavaScript
interpreter but I don't think that's been merged yet.

Jeremy Bícha (jbicha)
Changed in policykit-1 (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
summary: - Sync policykit-1 0.120-6 (main) from Debian experimental
+ [security review] Sync policykit-1 0.120-6 (main) from Debian
+ experimental
Changed in policykit-1 (Ubuntu):
importance: Wishlist → Medium
assignee: nobody → Ubuntu Security Team (ubuntu-security)
tags: added: kinetic
information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote : Re: [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

We do not want policykit to use the unmaintainable mozjs backend. That would be a hard NACK from the Security Team.

The duktape backend has been merged upstream. So in order to sync this to Ubuntu, the following must be done:

1- Get Debian to switch to the duktape backend
2- Get Debian to transition all packages in the archive from PKLA policy files to JS policy files
3- Transition Ubuntu packages not in Debian from PKLA policy files to JS policy files
4- Investigate Snap policykit support, and if required, transition Snaps from PKLA policy files to JS policy files.

Once the transition has been done for all software, policykit can be switched to the duktape policykit backend by syncing the package from Debian. Hopefully at that point it will be in Unstable, and not in experimental.

Jeremy Bícha (jbicha) wrote :

Marc, the current Debian experimental version supports both PKLA and JS policy files. Are you saying that you only want one style to be supported in an Ubuntu release?

Marc Deslauriers (mdeslaur) wrote :

My understanding is the Debian experimental version doesn't support both at the same time, it's one or the other depending on which binary package you install. We definitely don't want that.

Simon McVittie (smcv) wrote :

> There was a proposal to use duktape instead of mozjs for the JavaScript
> interpreter but I don't think that's been merged yet.

This was merged upstream, but unfortunately there has not yet been a release that contains this change.

I don't really want to use an arbitrary git snapshot for security-sensitive software; but then again, all releases of polkit have security vulnerabilities (CVE-2021-4115 and CVE-2021-4034 were both fixed since 0.120) so in some ways an arbitrary git snapshot would be safer.

I was surprised to see that Fedora is currently patching polkit to use mozjs91 (also merged upstream but not released), rather than patching it to use duktape.

> My understanding is the Debian experimental version doesn't support both at the same
> time, it's one or the other depending on which binary package you install.

That is correct. You can have the old PKLA policies with no runtime dependency on mozjs by installing polkitd-pkla, or you can have the JS policies with a runtime dependency on mozjs (which will switch to duktape in future) by installing polkitd-javascript, but you can't have both simultaneously.

There is a separate package in e.g. Fedora that extends the JS backend to also read PKLA policies, but that's not currently in Debian or Ubuntu, and it isn't clear to me that it should be.

I have also been very tempted to modify 0.120 so it only builds polkitd-pkla (dropping the JS dependency) and upload that to unstable, versioned 0.105+really0.120 or something, as a way to get a PKLA backend that isn't in a codebase from the distant past (look at the debian/patches of 0.105 and despair).

Simon McVittie (smcv) wrote :

As of version 121+compat0.1-1, the relationship between packages has changed to this:

* polkitd always requires polkitd-javascript and duktape, and always interprets JavaScript policies

* polkitd-pkla is now an optional addon (the upstream polkit-pkla-compat project, as shipped in e.g. Fedora) which evaluates legacy .pkla files and reports their results via a JavaScript policy

polkitd currently Suggests polkitd-pkla, but this might change to either a stronger or weaker dependency.

> Get Debian to transition all packages in the archive from PKLA policy files to JS policy files

I've reported bugs which are collected in <https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=pkg-utopia-maintainers%40lists.alioth.debian.org&tag=pkla-without-js>.

I do not intend to take further action to modify those packages. If it is a blocker for Ubuntu that they are fixed, then someone from Ubuntu will need to do that work.

Alex Murray (alexmurray) wrote :

> I do not intend to take further action to modify those packages. If it is a blocker for Ubuntu
> that they are fixed, then someone from Ubuntu will need to do that work.

Given the relationship between the packages has now changed - i.e. polkitd-pkla is not mutually exclusive from the javascript backend and then allows both legacy pkla policies as well as the "new" javascript policies to be handled - then this is not a blocker anymore from my point of view. I suspect Marc may also agree (especially given the relatively small number of packages in this category).

Marc Deslauriers (mdeslaur) wrote :

I also don't think this is a blocker anymore, as long as polkitd-pkla is a strong dependency in Ubuntu, so we don't inadvertently stop shipping it. It would be nice to get a similar list of packages in Ubuntu, as I suspect we have many more than Debian. We may also need to update the policykit-desktop-privileges package to ensure it still applies appropriate policy.

Jeremy Bícha (jbicha) wrote :

policykit-1 121+compat0.1-5 is now in Debian Unstable.

Could I get a clear answer from the Ubuntu Security Team if this is acceptable to autosync when Ubuntu 23.04 development opens?

tags: added: block-proposed
summary: - [security review] Sync policykit-1 0.120-6 (main) from Debian
- experimental
+ [security review] Sync policykit-1 121+compat0.1-5 (main) from Debian
+ unstable
Jeremy Bícha (jbicha)
description: updated
description: updated
Marc Deslauriers (mdeslaur) wrote :

ACK from the security team to sync from unstable.

Please make sure the policy overrides in policykit-desktop-privileges still work or are converted to their equivalent JS before doing so.
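
Added example (not part of the thread, and not code from polkit or policykit-desktop-privileges): one way to do the conversion requested above is to generate a JavaScript rule from each legacy .pkla entry. The sample entry, the org.example.printing.* action and all function names are constructed for illustration; the code assumes the legacy backend picks ResultActive for local active subjects, ResultInactive for local inactive ones and ResultAny otherwise, and it handles only unix-user/unix-group identities without globs.

```javascript
// Assumed .pkla semantics: ResultActive covers local+active subjects,
// ResultInactive local+inactive ones, ResultAny everything else.
const ALLOWED = ['no', 'yes', 'auth_self', 'auth_self_keep', 'auth_admin', 'auth_admin_keep'];
const SAMPLE = `# constructed sample, not taken from any package
[Printer admins]
Identity=unix-group:lpadmin;unix-user:alice
Action=org.example.printing.*
ResultAny=no
ResultActive=yes`;

function parsePkla(text) {                // minimal key-file parser
  const entries = [];
  for (const line of text.split(/\r?\n/).map((l) => l.trim())) {
    if (!line || line.startsWith('#')) continue;
    const head = line.match(/^\[(.*)\]$/);
    const eq = line.indexOf('=');
    if (head) entries.push({ title: head[1] });
    else if (eq < 1 || !entries.length) throw new Error('unparsable line: ' + line);
    else entries[entries.length - 1][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return entries;
}
function actionTest(glob) {               // supports the '*' and '?' globs
  if (!/[*?]/.test(glob)) return `action.id == ${JSON.stringify(glob)}`;
  const re = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return `new RegExp(${JSON.stringify('^' + re + '$')}).test(action.id)`;
}
function identityTest(id) {               // JSON.stringify: names are never spliced in raw
  const m = id.match(/^unix-(user|group):([^*?]+)$/);
  if (!m) throw new Error('unsupported identity: ' + id);
  return m[1] === 'user' ? `subject.user == ${JSON.stringify(m[2])}`
                         : `subject.isInGroup(${JSON.stringify(m[2])})`;
}
function pklaToRule(entry) {
  const list = (k) => (entry[k] || '').split(';').map((s) => s.trim()).filter(Boolean);
  const acts = list('Action').map(actionTest), ids = list('Identity').map(identityTest);
  if (!acts.length || !ids.length) throw new Error('Identity and Action are required');
  const res = (k) => {                    // a missing key leaves the decision to other rules
    if (entry[k] === undefined) return 'polkit.Result.NOT_HANDLED';
    if (!ALLOWED.includes(entry[k])) throw new Error('bad result: ' + entry[k]);
    return 'polkit.Result.' + entry[k].toUpperCase();
  };
  return 'polkit.addRule(function(action, subject) {\n' +
    `  if (!(${acts.join(' || ')}) || !(${ids.join(' || ')})) return polkit.Result.NOT_HANDLED;\n` +
    `  if (subject.local && subject.active) return ${res('ResultActive')};\n` +
    `  if (subject.local) return ${res('ResultInactive')};\n` +
    `  return ${res('ResultAny')};\n});\n`;
}
console.log(pklaToRule(parsePkla(SAMPLE)[0]));
```

Each generated rule stands for one entry; where several entries match the same action, check the ordering by hand, since legacy entries and JavaScript rules are not necessarily resolved in the same order.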

Jeremy Bícha (jbicha)
tags: added: mantic update-excuse
removed: block-proposed kinetic
Simon McVittie (smcv) wrote :

Is this going to happen in 23.10? It seems to have been stalled in -proposed since May.

After the imminent Debian 12 release (which includes polkit 122), I intend to start removing legacy polkit 0.105 support, with my goal being polkitd-pkla no longer existing in Debian 13, and packages no longer shipping legacy polkitd-pkla configuration in /var/lib.

If Ubuntu still needs this after that point, then you'll have to patch it back in where necessary.

Changed in policykit-1 (Ubuntu):
importance: Medium → High
assignee: Ubuntu Security Team (ubuntu-security) → Sebastien Bacher (seb128)
status: Confirmed → Fix Committed
Sebastien Bacher (seb128) wrote :

@Simon, yes, I've been working on it in mantic. The new version is in proposed atm. I ported our Ubuntu-specific rules some days ago, https://launchpad.net/ubuntu/+source/policykit-desktop-privileges/0.22.

The remaining blocker at this point is that currently duktape has no autopkgtest, which is a requirement for the MIR (lp: #1997417). Upstream have tests but they are not included in the tarball. We started by looking at adding those but then hit an issue that the tests matching the current release rely on python2, which isn't available in the archive. The tests have been ported to python3 upstream so we are looking at including a newer version of those now. It doesn't help that the upstream project doesn't seem active at this point (no commit since November, no reply to https://github.com/svaarala/duktape/issues/2536 asking for a new release).

Anyway, those details aside I think it's fine for Ubuntu if you go ahead and start removing pkla files in Debian, thanks for letting us know!

Sebastien Bacher (seb128) wrote :

The new version is in mantic now

Changed in policykit-1 (Ubuntu):
status: Fix Committed → Fix Released