author | V3n3RiX <venerix@koprulu.sector> | 2022-02-02 01:39:05 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-02-02 01:39:05 +0000 |
commit | fcc5224904648a8e6eb528d7603154160a20022f (patch) | |
tree | 3bfce096b38a9cea8eed13fc70c1526c456e9abd /sys-auth/polkit | |
parent | 2fd57282f0262ca084e05b0f2c63fbada395d02b (diff) |
gentoo resync : 02.02.2022
Diffstat (limited to 'sys-auth/polkit')
-rw-r--r-- | sys-auth/polkit/Manifest | 7 | ||||
-rw-r--r-- | sys-auth/polkit/files/polkit-0.117-CVE-2021-3560.patch | 29 | ||||
-rw-r--r-- | sys-auth/polkit/files/polkit-0.120-CVE-2021-4034.patch | 72 | ||||
-rw-r--r-- | sys-auth/polkit/files/polkit-0.120-meson.patch | 42 | ||||
-rw-r--r-- | sys-auth/polkit/polkit-0.117-r3.ebuild | 136 | ||||
-rw-r--r-- | sys-auth/polkit/polkit-0.120-r1.ebuild | 5 | ||||
-rw-r--r-- | sys-auth/polkit/polkit-0.120-r2.ebuild | 121 |
7 files changed, 410 insertions, 2 deletions
diff --git a/sys-auth/polkit/Manifest b/sys-auth/polkit/Manifest
index e946af257bfb..b37c4eefd3fa 100644
--- a/sys-auth/polkit/Manifest
+++ b/sys-auth/polkit/Manifest
@@ -1,8 +1,13 @@ AUX polkit-0.115-elogind.patch 1069 BLAKE2B 6c5a3d7d3e716a994b951181808f64d864e6ca58b3a018a5354022f08c6e7c1d8987366c9777f47cc970916ad9fe39f288a1b1643113fc99745f333e02dab56f SHA512 06432fa56788699762c6978484640554f91728a1cb40679eb47b8514b3c7aa23aac5b9c26586eb4d7043a0af1b319bbe7f869d24844d9151317299b74a8e8f7f +AUX polkit-0.117-CVE-2021-3560.patch 909 BLAKE2B a912312e60fc442645a94a93795912220019a668f18a6a0d4e3c34ea23ea4155b37673b5e8db516cbe389b49423ef6008006823897dc41795ee5ac5def3e2708 SHA512 e62f362a4486e5eab04a0acd582d5cb9c1def19dd1707a9e1c861bdea6f576e6c24838c722526908de9cad63a699b513e4f56d1d5bbb0fcb9578f542d65b2953 +AUX polkit-0.120-CVE-2021-4034.patch 1933 BLAKE2B f125b6c55428c2c12dbb89e7bc8619400d914f5b2b955d4e6ec24c4ac2cb02ba8e624f5c1a61dda74b1c24cd5c81a3f2985b9f4cf828bd801d940e707d62bec7 SHA512 cd32461e95297e29d7a5b7ba999b4f27c8296c964eb41c94b4511dc5181538ad0a50554340dae3c5a87629e07b8b22477478ffbf478f0fc16de856f8efb791d6 +AUX polkit-0.120-meson.patch 1201 BLAKE2B cae66df3db2c92392a07d3b39219a3c16819a9c2393b2bbfc65a32e4beac921e17bb09220cbfe2622edc21c7f81c64058cf60c315d48b8d80ba643d8336d5171 SHA512 f3a4feafae83dcc8bd665557cfc755c08888a78575313d510ec5ff140a2174a709755aa5e23081291ade6b2d333887a10848ae5c7a99b700a2e18476af21844d DIST polkit-0.117.tar.gz 1554536 BLAKE2B 1cf7e0ff9db19a29be626f4bea96c9e2ef8b1eab4b8287a5f1f4d2a818b86d58c1c4c4a41849d95e31559dba1b18853a31e934ebbadd8e07f94dfd58b45240e0 SHA512 c10ea984f2386fe436e58a2866e5323afc80d24f744f0ee61d966941259aa491bd96b07d911434aa731b300c3cca25b647804b396501175ab5b3c53384e94c70 DIST polkit-0.119.tar.gz 1387409 BLAKE2B aeb605598393d1cab40f7c77954008a0392600584c5fe8cc9acaa0e122418ee48b9cce0b6839189ea415277ff0ae4dbd5b7c71cb910aa349dcaf7e1f3f70ef06 SHA512 0260fb15da1c4c1f429e8223260981e64e297f1be8ced42f6910f09ea6581b8205aca06c9c601eb4a128acba2f468de0223118f96862ba769f95721894cf1578 DIST polkit-0.120.tar.gz 1626659 BLAKE2B 
745727445b4946d44b8ea470d21ac131ca7706e83f5dbaf85cf3541ac60a1bbe23b3bf3172a62d9256ebb3dae02d2b2d476e3e0f7fe79a80c47864a120e62ed9 SHA512 db072769439d5e17d0eed681e7b94251b77828c1474b40fe40b94293903a64333e7fa17515a3270648691f04a1374d8b404405ead6abf292a8eb8483164adc46 EBUILD polkit-0.117-r2.ebuild 3330 BLAKE2B 844d327d9f6c391ea89b305677adf98e823718f620c307586bf96172678dc94a4b1a5ad870e6ebacf0fd579839b73359de33fa0173f46c425e0f7cd0228c6bd3 SHA512 99673f56722f4e105eaad28a3f8e1a9aee1664e5552e940bf286bf84a76a52145745905f080f859ce4991a29ce6f3e47f6ab3d59a012e69ffd71de98557ca8bd +EBUILD polkit-0.117-r3.ebuild 3427 BLAKE2B 3725159a592d2072fde8f5e4d6ae6a12dfd24f86e81b8c84a7d36beda89e22588d87b63c1e6b96c65533423b383a1ad1f9a68462b95fa5068fdb238d446afd9a SHA512 44065ebcdf8b6bafc4b87a9841526ed72e6b27490d3ca550383b38b4d5c98f370e9feac3c13617acf3c760dbc8b91ac47454e62a052b0c674af71d73c088d6e5 EBUILD polkit-0.119-r2.ebuild 3302 BLAKE2B e56f5505dfdfa245ed3dd78199de5439d7ff6d5ddb8778d785c69e3900dfdc7f9d4aa46e101bab2eee7ebdb4097eecfda0f9d29be97dbd348629cc218a988d87 SHA512 32e836e9c17bb7aae519031beaf35a3cba4da983bb29e875b7dcbc8ffae5d0a15218147904d0d942557210e240ffb252d9d548c6bf508027be337feba9e61923 -EBUILD polkit-0.120-r1.ebuild 2929 BLAKE2B 26c0521d065a3ec363876a1e7dad8f76063a2255da89755b892cdba7f343f942866fed290a89ea471188f38ad5ae3eaed59e1805ea06caccc984bcb0d46af9c1 SHA512 3712df9a5233ad467493dead6ad46b4919b527576191aea4c9c88825c3f39422f63051b3b8b983379936f1753518744bd63606b5f811068dc6402c8ba2393b4f +EBUILD polkit-0.120-r1.ebuild 2990 BLAKE2B c8a385dc9199099fc966388d918c25a7a154aa76b4cc58020a202d84680a0b2ee9a437f3ab21a8f5bd4be2fe5610becb13a98a14ed7e8e6ee6f06a5db629f558 SHA512 b9d8356a7d5eeb555912f8598a5dafa90d9adae6210dabf12d87c49aea2bf1a59282891cf9d5877c170fc3ec77c45f428390066da0b485ebe3c0d4e37f877635 +EBUILD polkit-0.120-r2.ebuild 3172 BLAKE2B 2c007462e5a72cd8a7b0ff3d47b1292e161e2354ef981f0096b9208f07593d195e38cd31cb5674cb5c0988848913032b8c3a556866dd5725cadb720e47a05f2f SHA512 
4e19152d5f873e3265020c025ea341d52e9592d9d6fcc7c0b4160a7f9b36287d3ee86f339fbf889afbcd3d68d7fa4b00c119624b45f9337fd31c24e21422fa2c MISC metadata.xml 410 BLAKE2B 5b1bae6f1252bbafdc0ddd0eefeaca74f93ed183f46a2e4f22f36656c681d87acdd6ea86807a4b68350c1c8197cb97b6b421a88f5f0a2322b1fd85c599c09b39 SHA512 9b097838f0e0dfdbb788e4794e667d43ba3f3a08de45fffa5826142b8416afde68ec0202c429f1cd6f79ad9681b050c8aef736a8399d9551ea8784c97c123766 diff --git a/sys-auth/polkit/files/polkit-0.117-CVE-2021-3560.patch b/sys-auth/polkit/files/polkit-0.117-CVE-2021-3560.patch new file mode 100644 index 000000000000..9c3ce20cf574 --- /dev/null +++ b/sys-auth/polkit/files/polkit-0.117-CVE-2021-3560.patch @@ -0,0 +1,29 @@ +https://bugs.gentoo.org/794052 + +From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Wed, 2 Jun 2021 15:43:38 +0200 +Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit + +initial values returned if error caught +--- + src/polkit/polkitsystembusname.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8daa12c..8ed1363 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + ++ if (data.caught_error) ++ goto out; ++ + if (out_uid) + *out_uid = data.uid; + if (out_pid) +-- +GitLab + diff --git a/sys-auth/polkit/files/polkit-0.120-CVE-2021-4034.patch b/sys-auth/polkit/files/polkit-0.120-CVE-2021-4034.patch new file mode 100644 index 000000000000..22bb71d14204 --- /dev/null +++ b/sys-auth/polkit/files/polkit-0.120-CVE-2021-4034.patch 
@@ -0,0 +1,72 @@
+https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+https://bugs.gentoo.org/832057
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
+
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+ local_agent_handle = NULL;
+ ret = 126;
+
++ if (argc < 1)
++ {
++ exit(126);
++ }
++
+ /* Disable remote file access from GIO. */
+ setenv ("GIO_USE_VFS", "local", 1);
+
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+ pid_t pid_of_caller;
+ gpointer local_agent_handle;
+
++
++ /*
++ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++ */
++ if (argc<1)
++ {
++ exit(127);
++ }
++
+ ret = 127;
+ authority = NULL;
+ subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+
+ path = g_strdup (pwstruct.pw_shell);
+ if (!path)
+- {
++ {
+ g_printerr ("No shell configured or error retrieving pw_shell\n");
+ goto out;
+- }
++ }
+ /* If you change this, be sure to change the if (!command_line)
+ case below too */
+ command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+ goto out;
+ }
+ g_free (path);
+- argv[n] = path = s;
++ path = s;
++
++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++ */
++ if (argv[n] != NULL)
++ {
++ argv[n] = path;
++ }
+ }
+ if (access (path, F_OK) != 0)
+ {
+GitLab
diff --git a/sys-auth/polkit/files/polkit-0.120-meson.patch b/sys-auth/polkit/files/polkit-0.120-meson.patch
new file mode 100644
index 000000000000..5e144688d374
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-0.120-meson.patch
@@ -0,0 +1,42 @@
+From e7f3d9e8341df64e2abc3910dafb1113a84bff07 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Mon, 25 Oct 2021 20:21:27 +0100
+Subject: [PATCH] Don't pass positional parameters to i18n.merge_file
+
+These were always ignored, and Meson 0.60.0 disallowed them.
+
+Resolves: https://gitlab.freedesktop.org/polkit/polkit/-/issues/160
+Reference: https://github.com/mesonbuild/meson/pull/9445
+Signed-off-by: Simon McVittie <smcv@debian.org>
+---
+ actions/meson.build | 1 -
+ src/examples/meson.build | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/actions/meson.build b/actions/meson.build
+index 2abaaf3..1e3f370 100644
+--- a/actions/meson.build
++++ b/actions/meson.build
+@@ -1,7 +1,6 @@
+ policy = 'org.freedesktop.policykit.policy'
+
+ i18n.merge_file(
+- policy,
+ input: policy + '.in',
+ output: '@BASENAME@',
+ po_dir: po_dir,
+diff --git a/src/examples/meson.build b/src/examples/meson.build
+index c6305ab..8c18de5 100644
+--- a/src/examples/meson.build
++++ b/src/examples/meson.build
+@@ -1,7 +1,6 @@
+ policy = 'org.freedesktop.policykit.examples.pkexec.policy'
+
+ i18n.merge_file(
+- policy,
+ input: policy + '.in',
+ output: '@BASENAME@',
+ po_dir: po_dir,
+--
+GitLab
+
diff --git a/sys-auth/polkit/polkit-0.117-r3.ebuild b/sys-auth/polkit/polkit-0.117-r3.ebuild
new file mode 100644
index 000000000000..61e56bfdcdb3
--- /dev/null
+++ b/sys-auth/polkit/polkit-0.117-r3.ebuild
@@ -0,0 +1,136 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit autotools pam pax-utils systemd xdg-utils + +DESCRIPTION="Policy framework for controlling privileges for system-wide services" +HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit" +SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz" + +LICENSE="LGPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 arm ~arm64 ~hppa ~ia64 ~mips ppc ~ppc64 ~s390 sparc ~x86" +IUSE="elogind examples gtk +introspection kde nls pam selinux systemd test" +RESTRICT="!test? ( test )" + +REQUIRED_USE="^^ ( elogind systemd )" + +BDEPEND=" + acct-user/polkitd + app-text/docbook-xml-dtd:4.1.2 + app-text/docbook-xsl-stylesheets + dev-libs/glib + dev-libs/gobject-introspection-common + dev-libs/libxslt + dev-util/glib-utils + dev-util/gtk-doc-am + dev-util/intltool + sys-devel/gettext + virtual/pkgconfig + introspection? ( dev-libs/gobject-introspection ) +" +DEPEND=" + dev-lang/spidermonkey:68[-debug] + dev-libs/glib:2 + dev-libs/expat + elogind? ( sys-auth/elogind ) + pam? ( + sys-auth/pambase + sys-libs/pam + ) + !pam? ( virtual/libcrypt:= ) + systemd? ( sys-apps/systemd:0=[policykit] ) +" +RDEPEND="${DEPEND} + acct-user/polkitd + selinux? ( sec-policy/selinux-policykit ) +" +PDEPEND=" + gtk? ( || ( + >=gnome-extra/polkit-gnome-0.105 + >=lxde-base/lxsession-0.5.2 + ) ) + kde? 
( kde-plasma/polkit-kde-agent ) +" + +DOCS=( docs/TODO HACKING NEWS README ) + +PATCHES=( + # bug 660880 + "${FILESDIR}"/polkit-0.115-elogind.patch + + "${FILESDIR}"/polkit-0.117-CVE-2021-3560.patch + "${FILESDIR}"/polkit-0.120-CVE-2021-4034.patch +) + +QA_MULTILIB_PATHS=" + usr/lib/polkit-1/polkit-agent-helper-1 + usr/lib/polkit-1/polkitd" + +src_prepare() { + default + + sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513 + + # Workaround upstream hack around standard gtk-doc behavior, bug #552170 + sed -i -e 's/@ENABLE_GTK_DOC_TRUE@\(TARGET_DIR\)/\1/' \ + -e '/install-data-local:/,/uninstall-local:/ s/@ENABLE_GTK_DOC_TRUE@//' \ + -e 's/@ENABLE_GTK_DOC_FALSE@install-data-local://' \ + docs/polkit/Makefile.in || die + + # disable broken test - bug #624022 + sed -i -e "/^SUBDIRS/s/polkitbackend//" test/Makefile.am || die + + # Fix cross-building, bug #590764, elogind patch, bug #598615 + eautoreconf +} + +src_configure() { + xdg_environment_reset + + local myeconfargs=( + --localstatedir="${EPREFIX}"/var + --disable-static + --enable-man-pages + --disable-gtk-doc + --disable-examples + $(use_enable elogind libelogind) + $(use_enable introspection) + $(use_enable nls) + $(usex pam "--with-pam-module-dir=$(getpam_mod_dir)" '') + --with-authfw=$(usex pam pam shadow) + $(use_enable systemd libsystemd-login) + --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" + $(use_enable test) + --with-os-type=gentoo + ) + econf "${myeconfargs[@]}" +} + +src_compile() { + default + + # Required for polkitd on hardened/PaX due to spidermonkey's JIT + pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest +} + +src_install() { + default + + if use examples; then + docinto examples + dodoc src/examples/{*.c,*.policy*} + fi + + diropts -m 0700 -o polkitd + keepdir /usr/share/polkit-1/rules.d + + find "${ED}" -name '*.la' -delete || die +} + +pkg_postinst() { + chmod 0700 
"${EROOT}"/{etc,usr/share}/polkit-1/rules.d + chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d +} diff --git a/sys-auth/polkit/polkit-0.120-r1.ebuild b/sys-auth/polkit/polkit-0.120-r1.ebuild index 0f0f2900683f..3ec998fa6f02 100644 --- a/sys-auth/polkit/polkit-0.120-r1.ebuild +++ b/sys-auth/polkit/polkit-0.120-r1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 @@ -61,6 +61,9 @@ QA_MULTILIB_PATHS=" usr/lib/polkit-1/polkitd" src_prepare() { + local PATCHES=( + "${FILESDIR}/polkit-0.120-meson.patch" + ) default sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513 diff --git a/sys-auth/polkit/polkit-0.120-r2.ebuild b/sys-auth/polkit/polkit-0.120-r2.ebuild new file mode 100644 index 000000000000..952906f5d88e --- /dev/null +++ b/sys-auth/polkit/polkit-0.120-r2.ebuild 
@@ -0,0 +1,121 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit meson pam pax-utils systemd xdg-utils + +DESCRIPTION="Policy framework for controlling privileges for system-wide services" +HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit" +SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz" + +LICENSE="LGPL-2" +SLOT="0" +KEYWORDS="amd64 arm arm64 ~mips ppc64 ~riscv ~s390 x86" +IUSE="examples gtk +introspection kde pam selinux systemd test" +#RESTRICT="!test? ( test )" +# Tests currently don't work with meson. See +# https://gitlab.freedesktop.org/polkit/polkit/-/issues/144 +RESTRICT="test" + +BDEPEND=" + acct-user/polkitd + app-text/docbook-xml-dtd:4.1.2 + app-text/docbook-xsl-stylesheets + dev-libs/glib + dev-libs/gobject-introspection-common + dev-libs/libxslt + dev-util/glib-utils + sys-devel/gettext + virtual/pkgconfig + introspection? ( dev-libs/gobject-introspection ) +" +DEPEND=" + dev-lang/spidermonkey:78[-debug] + dev-libs/glib:2 + dev-libs/expat + pam? ( + sys-auth/pambase + sys-libs/pam + ) + !pam? ( virtual/libcrypt:= ) + systemd? ( sys-apps/systemd:0=[policykit] ) + !systemd? ( sys-auth/elogind ) +" +RDEPEND="${DEPEND} + acct-user/polkitd + selinux? ( sec-policy/selinux-policykit ) +" +PDEPEND=" + gtk? ( || ( + >=gnome-extra/polkit-gnome-0.105 + >=lxde-base/lxsession-0.5.2 + ) ) + kde? 
( kde-plasma/polkit-kde-agent ) +" + +DOCS=( docs/TODO HACKING NEWS README ) + +QA_MULTILIB_PATHS=" + usr/lib/polkit-1/polkit-agent-helper-1 + usr/lib/polkit-1/polkitd" + +src_prepare() { + local PATCHES=( + "${FILESDIR}/polkit-0.120-meson.patch" + "${FILESDIR}/polkit-0.120-CVE-2021-4034.patch" + ) + default + + sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513 +} + +src_configure() { + xdg_environment_reset + + local emesonargs=( + --localstatedir="${EPREFIX}"/var + -Dauthfw="$(usex pam pam shadow)" + -Dexamples=false + -Dgtk_doc=false + -Dman=true + -Dos_type=gentoo + -Dsession_tracking="$(usex systemd libsystemd-login libelogind)" + -Dsystemdsystemunitdir="$(systemd_get_systemunitdir)" + $(meson_use introspection) + $(meson_use test tests) + $(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '') + ) + meson_src_configure +} + +src_compile() { + meson_src_compile + + # Required for polkitd on hardened/PaX due to spidermonkey's JIT + pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest +} + +src_install() { + meson_src_install + + if use examples ; then + docinto examples + dodoc src/examples/{*.c,*.policy*} + fi + + diropts -m 0700 -o polkitd + keepdir /usr/share/polkit-1/rules.d + + # meson does not install required files with SUID bit. See + # https://bugs.gentoo.org/816393 + # Remove the following lines once this has been fixed by upstream + # (should be fixed in next release: https://gitlab.freedesktop.org/polkit/polkit/-/commit/4ff1abe4a4c1f8c8378b9eaddb0346ac6448abd8) + fperms u+s /usr/bin/pkexec + fperms u+s /usr/lib/polkit-1/polkit-agent-helper-1 +} + +pkg_postinst() { + chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d + chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d +} |
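Review bot: `src_compile()` in polkit-0.120-r2 still passes libtool-style paths (`src/polkitbackend/.libs/polkitd` and `test/polkitbackend/.libs/polkitbackendjsauthoritytest`) to `pax-mark`, although this ebuild builds with Meson, which presumably creates no `.libs` directories. With `RESTRICT="test"` the test binary is unlikely to exist at all. If so, the PaX `mr` marking that the comment says polkitd needs for spidermonkey's JIT is never applied on hardened systems. Marking the installed file in `src_install()` would not depend on the build layout: `pax-mark mr "${ED}"/usr/lib/polkit-1/polkitd`.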