From: Andy Wingo
Subject: [PATCH v2 7/7] gnu: Add polkit service.
Date: Tue, 18 Aug 2015 11:57:15 +0200
References: <95cd06d0b1639449fffa2ded823e54d0f26afbb6.1440062095.git.wingo@pobox.com>
In-Reply-To: <95cd06d0b1639449fffa2ded823e54d0f26afbb6.1440062095.git.wingo@pobox.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

* gnu/services/desktop.scm (polkit-service): New function.
(%desktop-services): Add polkit service.
---
 gnu/services/desktop.scm | 48 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 43 insertions(+), 5 deletions(-)
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm index 4973e82..543b452 100644 --- a/gnu/services/desktop.scm +++ b/gnu/services/desktop.scm @@ -30,6 +30,7 @@ #:use-module (gnu packages gnome) #:use-module (gnu packages avahi) #:use-module (gnu packages wicd) + #:use-module (gnu packages polkit) #:use-module (guix monads) #:use-module (guix store) #:use-module (guix gexp) @@ -40,6 +41,7 @@ geoclue-application %standard-geoclue-applications geoclue-service + polkit-service elogind-service %desktop-services)) @@ -376,6 +378,40 @@ site} for more information." ;;; +;;; Polkit privilege management service. +;;; + +(define* (polkit-service #:key (polkit polkit)) + "Return a service that runs the @command{polkit} privilege management +service. By querying the @command{polkit} service, a privileged system +component can know when it should grant additional capabilities to ordinary +users. For example, an ordinary user can be granted the capability to suspend +the system if the user is logged in locally." + (with-monad %store-monad + (return + (service + (documentation "Run the polkit privilege management service.") + (provision '(polkit-daemon)) + (requirement '(dbus-system)) + + (start #~(make-forkexec-constructor + (list (string-append #$polkit "/lib/polkit-1/polkitd")))) + (stop #~(make-kill-destructor)) + + (user-groups (list (user-group + (name "polkitd") + (system? #t)))) + (user-accounts (list (user-account + (name "polkitd") + (group "polkitd") + (system? #t) + (comment "Polkit daemon user") + (home-directory "/var/empty") + (shell + "/run/current-system/profile/sbin/nologin")))))))) + + +;;; ;;; Elogind login and seat management service. ;;; 
@@ -407,14 +443,16 @@ when they log out." (avahi-service) (wicd-service) (upower-service) - ;; FIXME: The colord and geoclue services could all be bus-activated - ;; by default, so they don't run at program startup. However, user - ;; creation and /var/lib.colord creation happen at service activation - ;; time, so we currently add them to the set of default services. + ;; FIXME: The colord, geoclue, and polkit services could all be + ;; bus-activated by default, so they don't run at program startup. + ;; However, user creation and /var/lib/colord creation happen at + ;; service activation time, so we currently add them to the set of + ;; default services. (colord-service) (geoclue-service) + (polkit-service) (elogind-service) - (dbus-service (list avahi wicd upower colord geoclue elogind)) + (dbus-service (list avahi wicd upower colord geoclue polkit elogind)) (ntp-service) -- 2.4.3
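Review bot: polkit-service becomes part of the module's public interface in the export-list hunk (@@ -40,6 +41,7), yet the diffstat shows only gnu/services/desktop.scm changed, so the new procedure has no entry in the manual. Please add one alongside the other desktop services, reusing the docstring text, so that users can find out that a privilege-granting daemon is now part of the desktop set.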
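Review bot: in the polkit-service hunk (@@ -376,6 +378,40), the start gexp runs polkitd through make-forkexec-constructor with only the binary path, and nothing in the service definition ties that process to the "polkitd" user and group declared right below it. Please state in a comment or in the docstring how the daemon ends up running under that account, for example that polkitd switches to it by itself after startup, or hand the account to the constructor if the intent is to start it unprivileged. As written, a reader has to guess whether the daemon stays root. The docstring also leaves the #:polkit keyword undocumented.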
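Review bot: in the %desktop-services hunk (@@ -407,14 +443,16), the rewritten FIXME now names polkit among the services kept in the default set because "user creation and /var/lib/colord creation happen at service activation time", but only the user-creation half can apply to polkit. Consider wording the comment so that each service is matched to its own reason. The "/var/lib.colord" to "/var/lib/colord" correction in the same comment is an unrelated fix that the commit log does not mention, so either note it there or split it out.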