build: new strict & permissive polkit policies in '--with-polkit'

The '--with-polkit' configure switch now supports more options than just yes
or no:

 * strict: Active user needs to explicitly authenticate when peforming an
   operation defined in the Device.Control, Messaging, Location or Contacts
   interfaces. Polkit policy is set to 'auth_self_keep'.

 * permissive: Active user doesn't need to explicitly authenticate when
   peforming an operation defined in the Device.Control, Messaging, Location or
   Contacts interfaces. Polkit policy is set to 'yes'.

 * none: don't use polkit.

If '--with-polkit' is not given, usage will be automatically decided based on
the presence of the Polkit headers in the system (if headers found, strict
policy will be applied, otherwise none).

Also:
 * '--with-polkit' is equivalent to '--with-polkit=strict'
 * '--with-polkit=yes' is equivalent to '--with-polkit=strict'
 * '--with-polkit=no' is equivalent to '--with-polkit=none'
 * '--without-polkit' is equivalent to '--with-polkit=none'

By default, ModemManager will always apply the strict policy, in order to
protect the user from unwanted operations in the modem (e.g. getting the PIN
locked forever after wrong PIN/PUK unlock attempts).

https://bugzilla.gnome.org/show_bug.cgi?id=701740

6 files changed, 57 insertions, 25 deletions

diff --git a/.gitignore b/.gitignore
index 43025510..6347d3a4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,6 +57,7 @@ libwmc/tests/test-wmc
 data/org.freedesktop.ModemManager1.conf
 data/org.freedesktop.ModemManager1.service
 data/org.freedesktop.ModemManager1.policy
+data/org.freedesktop.ModemManager1.policy.in
 data/ModemManager.service
 data/ModemManager.pc
 data/mm-common.pc
diff --git a/configure.ac b/configure.ac
index e3656361..ed63832d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -99,22 +99,51 @@ fi
 AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$SYSTEMD_UNIT_DIR" -a "$SYSTEMD_UNIT_DIR" != xno ])
 
 # PolicyKit
-AC_ARG_WITH(polkit, AS_HELP_STRING([--with-polkit], [Build with PolicyKit support]))
-AM_CONDITIONAL(WITH_POLKIT, test "x$with_polkit" = "xyes")
-case $with_polkit in
-    yes)
-        with_polkit=yes
-	PKG_CHECK_MODULES(POLKIT, polkit-gobject-1 >= 0.97)
-	AC_DEFINE(WITH_POLKIT, 1, [Define if you want to use PolicyKit])
-	AC_SUBST(POLKIT_CFLAGS)
-	AC_SUBST(POLKIT_LIBS)
+PKG_CHECK_MODULES(POLKIT, [polkit-gobject-1 >= 0.97], [have_polkit=yes],[have_polkit=no])
+AC_ARG_WITH(polkit,
+            AS_HELP_STRING([--with-polkit=(strict|permissive|none)],
+                           [Enable PolicyKit support [[default=auto]]]),,
+            [with_polkit=auto])
+# Handle 'auto' ('strict' if polkit found, 'none' otherwise),
+#  'yes' ('strict') and 'no' ('none')
+if test "x$with_polkit" = "xauto"; then
+	if test "x$have_polkit" = "xno"; then
+        with_polkit="none"
+    else
+        with_polkit="strict"
+    fi
+elif test "x$with_polkit" = "xno"; then
+    with_polkit=none
+elif test "x$with_polkit" = "xyes"; then
+    with_polkit=strict
+fi
+# Build policies context
+if test "x$with_polkit" = "xnone"; then
+    AC_DEFINE(WITH_POLKIT, 0, [Define if you have PolicyKit support])
+else
+	if test "x$have_polkit" = "xno"; then
+		AC_MSG_ERROR(PolicyKit development headers are required)
+	fi
+
+    case "x$with_polkit" in
+        "xpermissive")
+            MM_DEFAULT_USER_POLICY="yes"
+            ;;
+        "xstrict")
+            MM_DEFAULT_USER_POLICY="auth_self_keep"
+            ;;
+        *)
+            AC_MSG_ERROR([Wrong value for --with-polkit: $with_polkit])
+            ;;
+    esac
+
+    AC_DEFINE(WITH_POLKIT, 1, [Define if you have PolicyKit support])
+    AC_SUBST(POLKIT_CFLAGS)
+    AC_SUBST(POLKIT_LIBS)
+    AC_SUBST(MM_DEFAULT_USER_POLICY)
+fi
 
-	AM_GLIB_GNU_GETTEXT
-        ;;
-    *)
-        with_polkit=no
-        ;;
-esac
+AM_CONDITIONAL(WITH_POLKIT, [test "x$with_polkit" != "xnone" ])
 
 # PPPD
 AC_CHECK_HEADERS(pppd/pppd.h, have_pppd_headers="yes", have_pppd_headers="no")
@@ -234,7 +263,7 @@ Makefile
 data/Makefile
 data/ModemManager.pc
 data/mm-glib.pc
-data/org.freedesktop.ModemManager1.policy
+data/org.freedesktop.ModemManager1.policy.in
 include/Makefile
 build-aux/Makefile
 libqcdm/Makefile
diff --git a/data/Makefile.am b/data/Makefile.am
index fceb1b4a..0e0c391e 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -58,10 +58,10 @@ diagrams = \
 
 
 # Polkit
-dist_polkit_policy_in_files = org.freedesktop.ModemManager1.policy.in
+polkit_policy_in_in_files = org.freedesktop.ModemManager1.policy.in.in
 if WITH_POLKIT
 polkit_policydir = $(datadir)/polkit-1/actions
-dist_polkit_policy_DATA = $(dist_polkit_policy_in_files:.policy.in=.policy)
+polkit_policy_DATA = $(polkit_policy_in_in_files:.policy.in.in=.policy)
 @INTLTOOL_POLICY_RULE@
 endif
 
@@ -75,7 +75,8 @@ pkgconfig_DATA = \
 
 DISTCLEANFILES = \
 	$(dbusactivation_DATA) \
-	$(dbusservice_DATA)
+	$(dbusservice_DATA) \
+	$(polkit_policy_DATA)
 
 if HAVE_SYSTEMD
 DISTCLEANFILES += $(systemdsystemunit_DATA)
@@ -88,6 +89,6 @@ EXTRA_DIST = \
 	$(dbusservice_file_polkit) \
 	$(dbusservice_file_nopolkit) \
 	$(icon_DATA) \
-	$(dist_polkit_policy_in_files) \
+	$(polkit_policy_in_in_files) \
 	$(logos) \
 	$(diagrams)
diff --git a/data/org.freedesktop.ModemManager1.policy.in b/data/org.freedesktop.ModemManager1.policy.in.in
index 9f58e6a0..7b3a22a3 100644
--- a/data/org.freedesktop.ModemManager1.policy.in
+++ b/data/org.freedesktop.ModemManager1.policy.in.in
@@ -23,7 +23,7 @@
     <_message>System policy prevents unlocking or controlling the mobile broadband device.</_message>
     <defaults>
       <allow_inactive>no</allow_inactive>
-      <allow_active>auth_self_keep</allow_active>
+      <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active>
     </defaults>
   </action>
 
@@ -32,7 +32,7 @@
     <_message>System policy prevents adding, modifying, or deleting this device's contacts.</_message>
     <defaults>
       <allow_inactive>no</allow_inactive>
-      <allow_active>auth_self_keep</allow_active>
+      <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active>
     </defaults>
   </action>
 
@@ -41,7 +41,7 @@
     <_message>System policy prevents sending or maniuplating this device's text messages.</_message>
     <defaults>
       <allow_inactive>no</allow_inactive>
-      <allow_active>auth_self_keep</allow_active>
+      <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active>
     </defaults>
   </action>
 
@@ -50,7 +50,7 @@
     <_message>System policy prevents enabling or viewing geographic location information.</_message>
     <defaults>
       <allow_inactive>no</allow_inactive>
-      <allow_active>auth_self_keep</allow_active>
+      <allow_active>@MM_DEFAULT_USER_POLICY@</allow_active>
     </defaults>
   </action>
 
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 44769579..9725a1e5 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -1,4 +1,4 @@
 [encoding: UTF-8]
 # List of source files containing translatable strings.
 # Please keep this file sorted alphabetically.
-data/org.freedesktop.ModemManager1.policy.in
+data/org.freedesktop.ModemManager1.policy.in.in
diff --git a/po/POTFILES.skip b/po/POTFILES.skip
new file mode 100644
index 00000000..551c836c
--- /dev/null
+++ b/po/POTFILES.skip
@@ -0,0 +1 @@
+data/org.freedesktop.ModemManager1.policy.in