diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml index 99e20e987..2ee82d3b9 100644 --- a/.github/workflows/cla-check.yaml +++ b/.github/workflows/cla-check.yaml @@ -5,7 +5,7 @@ on: jobs: cla-check: name: Check if CLA is signed - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} steps: - name: Check if CLA signed uses: canonical/has-signed-canonical-cla@v1 diff --git a/.github/workflows/e2e-build-images.yaml b/.github/workflows/e2e-build-images.yaml index 557a5a605..371659eb7 100644 --- a/.github/workflows/e2e-build-images.yaml +++ b/.github/workflows/e2e-build-images.yaml @@ -17,7 +17,7 @@ on: jobs: supported-releases: name: Build matrix for supported ADSys and Ubuntu releases - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} outputs: matrix: ${{ steps.set-supported-releases.outputs.matrix }} versions: ${{ steps.set-supported-releases.outputs.versions }} @@ -61,7 +61,7 @@ jobs: build-template: name: Build VM template - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} concurrency: group: template-build-${{ matrix.codename }} needs: diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml index 8d0593e2a..6790df271 100644 --- a/.github/workflows/e2e-tests.yaml +++ b/.github/workflows/e2e-tests.yaml @@ -25,7 +25,7 @@ on: jobs: supported-releases: name: Build matrix for supported ADSys and Ubuntu releases - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} outputs: matrix: ${{ steps.set-supported-releases.outputs.matrix }} steps: @@ -77,7 +77,7 @@ jobs: tests: name: Tests - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} needs: - supported-releases strategy: diff --git a/.github/workflows/patch-vendored-samba.yaml b/.github/workflows/patch-vendored-samba.yaml index 612977131..ad4adf24e 100644 --- a/.github/workflows/patch-vendored-samba.yaml +++ b/.github/workflows/patch-vendored-samba.yaml 
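Review bot: `runs-on: ${{ vars.RUNNER }}` in cla-check.yaml has no fallback, so wherever the RUNNER variable is not defined (a fork of the repository, for example) the expression evaluates to an empty string and the job has no runner label to match; `runs-on: ${{ vars.RUNNER || 'ubuntu-latest' }}` would keep the previous behaviour as the default. The same line is introduced in every changed job of e2e-build-images.yaml, e2e-tests.yaml, patch-vendored-samba.yaml, policy-builds.yaml, qa.yaml, sync-gh-jira.yaml and tics-report-daily.yaml. The runner is now selected in repository or organisation settings instead of in reviewed workflow files, so a change of runner no longer shows up in code review. If RUNNER ever names a self-hosted runner, any of these workflows that run on pull requests would execute contributor code on that machine; the `on:` triggers are outside these hunks, so this needs checking per workflow. A short comment above `runs-on` stating where RUNNER is defined and which labels it may hold would document the intent.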
@@ -14,7 +14,7 @@ env: jobs: check-for-changes: name: Check for changes in vendored code - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} outputs: changed: ${{ steps.compute-diff.outputs.changed }} samba-ref: ${{ steps.compute-diff.outputs.samba-ref }} @@ -48,7 +48,7 @@ jobs: patch-vendored-code: name: Patch vendored code - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} needs: check-for-changes if: ${{ needs.check-for-changes.outputs.changed == 'true' }} steps: diff --git a/.github/workflows/policy-builds.yaml b/.github/workflows/policy-builds.yaml index 8ad6be9c5..62c812613 100644 --- a/.github/workflows/policy-builds.yaml +++ b/.github/workflows/policy-builds.yaml @@ -13,7 +13,7 @@ on: jobs: build-admxgen: name: Build admxgen static binary - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 @@ -33,7 +33,7 @@ jobs: supported-releases: name: Build matrix for supported ADSys, Ubuntu, and docker releases - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} outputs: matrix: ${{ steps.set-supported-releases.outputs.matrix }} needs: build-admxgen @@ -80,7 +80,7 @@ jobs: collect-releases: name: Collect supported keys on each releases - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} needs: - build-admxgen - supported-releases @@ -119,7 +119,7 @@ jobs: generate-ad: name: Merge keys to generated admx/adml - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} needs: collect-releases strategy: matrix: @@ -165,7 +165,7 @@ jobs: generate-doc: name: Merge keys to generated documentation - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} needs: collect-releases steps: - name: Install needed binaries @@ -202,7 +202,7 @@ jobs: integrate: name: Integrate policy changes in current git tree - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} needs: - generate-ad - generate-doc 
@@ -243,7 +243,7 @@ jobs: open-issue-on-fail: name: Open issue on failure - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} needs: integrate if: ${{ failure() }} steps: diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml index 8435a3b28..7254ea5cc 100644 --- a/.github/workflows/qa.yaml +++ b/.github/workflows/qa.yaml @@ -16,7 +16,7 @@ env: jobs: sanity: name: Code sanity - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} steps: - name: Install dependencies run: | @@ -43,7 +43,7 @@ jobs: tests: name: Tests - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 diff --git a/.github/workflows/sync-gh-jira.yaml b/.github/workflows/sync-gh-jira.yaml index 834035f1e..2a7c3be4a 100644 --- a/.github/workflows/sync-gh-jira.yaml +++ b/.github/workflows/sync-gh-jira.yaml @@ -4,7 +4,7 @@ on: [issues, issue_comment] jobs: sync-issues: name: Sync issues to Jira - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} steps: - uses: canonical/sync-issues-github-jira@v1 with: diff --git a/.github/workflows/tics-report-daily.yaml b/.github/workflows/tics-report-daily.yaml index 19abb3cbd..b131673fd 100644 --- a/.github/workflows/tics-report-daily.yaml +++ b/.github/workflows/tics-report-daily.yaml @@ -14,7 +14,7 @@ env: jobs: tics: name: TIOBE TiCS Framework - runs-on: ubuntu-latest + runs-on: ${{ vars.RUNNER }} steps: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 diff --git a/cmd/adsysd/integration_tests/adsys_test.go b/cmd/adsysd/integration_tests/adsys_test.go index 42d8d0dea..257c41f42 100644 --- a/cmd/adsysd/integration_tests/adsys_test.go +++ b/cmd/adsysd/integration_tests/adsys_test.go 
@@ -412,7 +412,10 @@ func runDaemons() (teardown func()) { go func() { defer wg.Done() - if err := os.MkdirAll(socketDir, 0750); err != nil { + // 24.04 introduced some polkit changes that make the daemon drop root privileges before executing. In order + // to be able to connect to the bus and run polkitd, we need more permissions in the socket directory. + //nolint:gosec + if err := os.MkdirAll(socketDir, 0755); err != nil { log.Fatalf("Setup: can’t create %s socket directory: %v", answer, err) } diff --git a/cmd/adsysd/integration_tests/systemdaemons/Dockerfile b/cmd/adsysd/integration_tests/systemdaemons/Dockerfile index b73cda084..3a55089af 100644 --- a/cmd/adsysd/integration_tests/systemdaemons/Dockerfile +++ b/cmd/adsysd/integration_tests/systemdaemons/Dockerfile @@ -3,10 +3,7 @@ FROM ubuntu ENV DEBIAN_FRONTEND=noninteractive # we need at least dbusmock 0.25 to use systemd template -RUN \ - apt-get update && \ - apt-get install -y policykit-1 dbus libglib2.0-bin python3-pip python3-gi python3-dbus && \ - pip install python-dbusmock +RUN apt update && apt install -y polkitd dbus libglib2.0-bin python3-gi python3-dbus python3-dbusmock COPY cmd/adsysd/integration_tests/systemdaemons/*.py / COPY cmd/adsysd/integration_tests/systemdaemons/run_daemons / diff --git a/cmd/adsysd/integration_tests/systemdaemons/run_daemons b/cmd/adsysd/integration_tests/systemdaemons/run_daemons index fa5b5b2be..d68670837 100755 --- a/cmd/adsysd/integration_tests/systemdaemons/run_daemons +++ b/cmd/adsysd/integration_tests/systemdaemons/run_daemons @@ -14,7 +14,7 @@ from gi.repository import GLib from session_daemons import start_session_bus, run_session_mocks from system_daemons import start_system_bus, run_system_mocks -POLKIT_PATH = "/usr/libexec/polkitd" +POLKIT_PATH = "/usr/lib/polkit-1/polkitd" ADSYS_POLICY_PATH_SRC = "/usr/share/polkit-1/actions.orig/com.ubuntu.adsys.policy" ADSYS_POLICY_PATH_DST = "/usr/share/polkit-1/actions/com.ubuntu.adsys.policy" 
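Review bot: The mode given to `os.MkdirAll(socketDir, 0755)` is filtered by the process umask and is ignored when the directory already exists, so the wider permissions the new comment asks for are not guaranteed; an explicit `os.Chmod(socketDir, 0755)` after the call, with its error checked, would make them hold. With 0755 every local account on the test host can enter and list the directory, so access to the sockets then depends on the socket files' own modes, which are set outside this hunk. The `//nolint:gosec` line would be easier to audit with the reason on the directive itself, for example `//nolint:gosec // G301: polkitd drops root and must traverse the socket directory`. The body of runDaemons starts and ends outside the hunk.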
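Review bot: The new `RUN` line installs `polkitd` and `python3-dbusmock` from whatever release the untagged `FROM ubuntu` resolves to (that line is named in the hunk header but lies outside the hunk), so the package name, the dbusmock version the comment above requires (0.25 or later) and the polkitd install path all move with the base image. Pinning the base image to the release this was tested on, by tag or digest, would keep the test image reproducible. `apt` also warns that its command-line interface is not stable for scripts; `RUN apt-get update && apt-get install -y polkitd dbus libglib2.0-bin python3-gi python3-dbus python3-dbusmock` keeps the tool the previous version used.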
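Review bot: `POLKIT_PATH = "/usr/lib/polkit-1/polkitd"` depends on the polkitd package layout of the image this script runs in, and nothing next to the constant records that. A comment such as `# polkitd location in the image built from systemdaemons/Dockerfile; update together with its base release` would document the coupling. Where the path is used is outside this hunk, so whether a wrong path fails with a clear message cannot be seen from here.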
diff --git a/debian/control b/debian/control index c4cfc948b..dc3658eb6 100644 --- a/debian/control +++ b/debian/control @@ -47,6 +47,7 @@ Recommends: ${misc:Recommends}, Suggests: curlftpfs, ubuntu-proxy-manager, python3-cepces, + polkitd-pkla, Description: ${source:Synopsis} ${source:Extended-Description} diff --git a/internal/ad/krb5.go b/internal/ad/krb5.go index 35a8ace1a..3f3eb7a1f 100644 --- a/internal/ad/krb5.go +++ b/internal/ad/krb5.go @@ -15,6 +15,9 @@ char *get_ticket_path() { errno = ret; return NULL; } + // We need to reset the errno to 0, because krb5_init_context() + // can alter it, even if it succeeds. + errno = 0; const char* cc_name = krb5_cc_default_name(context); if (cc_name == NULL) {
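Review bot: `errno = 0;` is cleared once, right after krb5_init_context(), but the calls that follow (krb5_cc_default_name() on the next line and anything after it, outside the hunk) can equally leave errno set on success, so the caller may still see a stale value. Clearing errno immediately before the successful `return` of get_ticket_path(), or having the Go caller rely only on the NULL return rather than on errno, would be more robust. The function continues past the end of this hunk, so this assumes the success path does not already reset errno.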