authorSam James <sam@gentoo.org>2024-03-02 00:55:33 +0000
committerSam James <sam@gentoo.org>2024-03-02 00:55:33 +0000
commit107eb89b10059098953c805aa775ddbd2ffaaff0 (patch)
tree71a60efc4ee0fc70ef8d99732209f696de416ee4 /x11-misc
parentsys-apps/kmod: drop 30-r1 (diff)
x11-misc/colord: backport systemd permission fixes
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'x11-misc')
-rw-r--r--x11-misc/colord/colord-1.4.7-r1.ebuild130
-rw-r--r--x11-misc/colord/files/colord-1.4.7-systemd-permissions.patch51
2 files changed, 181 insertions, 0 deletions
diff --git a/x11-misc/colord/colord-1.4.7-r1.ebuild b/x11-misc/colord/colord-1.4.7-r1.ebuild
new file mode 100644
index 000000000000..e6bb102d0a39
--- /dev/null
+++ b/x11-misc/colord/colord-1.4.7-r1.ebuild
@@ -0,0 +1,130 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+VALA_USE_DEPEND="vapigen"
+
+inherit bash-completion-r1 meson-multilib tmpfiles udev vala
+
+DESCRIPTION="System service to accurately color manage input and output devices"
+HOMEPAGE="https://www.freedesktop.org/software/colord/"
+SRC_URI="https://www.freedesktop.org/software/colord/releases/${P}.tar.xz"
+
+LICENSE="GPL-2+"
+SLOT="0/2" # subslot = libcolord soname version
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+
+IUSE="gtk-doc argyllcms examples extra-print-profiles +introspection scanner selinux systemd test vala"
+RESTRICT="!test? ( test ) test" # Tests try to read and write files in /tmp
+REQUIRED_USE="vala? ( introspection )"
+
+DEPEND="
+ >=dev-libs/glib-2.58.0:2[${MULTILIB_USEDEP}]
+ >=media-libs/lcms-2.6:2=[${MULTILIB_USEDEP}]
+ dev-db/sqlite:3=[${MULTILIB_USEDEP}]
+ >=dev-libs/libgusb-0.2.7[introspection?,${MULTILIB_USEDEP}]
+
+ dev-libs/libgudev:=[${MULTILIB_USEDEP}]
+ virtual/libudev:=[${MULTILIB_USEDEP}]
+ virtual/udev
+
+ systemd? ( >=sys-apps/systemd-44:0= )
+ scanner? (
+ media-gfx/sane-backends
+ sys-apps/dbus
+ )
+ >=sys-auth/polkit-0.114
+ argyllcms? ( media-gfx/argyllcms )
+ introspection? ( >=dev-libs/gobject-introspection-1.56:= )
+"
+RDEPEND="${DEPEND}
+ acct-group/colord
+ acct-user/colord
+ selinux? ( sec-policy/selinux-colord )
+"
+BDEPEND="
+ acct-group/colord
+ acct-user/colord
+ app-text/docbook-xsl-ns-stylesheets
+ dev-libs/libxslt
+ >=sys-devel/gettext-0.17
+ virtual/pkgconfig
+ extra-print-profiles? ( media-gfx/argyllcms )
+ gtk-doc? (
+ dev-util/gtk-doc
+ app-text/docbook-xml-dtd:4.1.2
+ )
+ vala? ( $(vala_depend) )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.4.7-systemd-permissions.patch
+)
+
+pkg_setup() {
+ use vala && vala_setup
+}
+
+src_prepare() {
+ default
+
+ # Test requires a running session
+ # https://github.com/hughsie/colord/issues/94
+ sed -i -e "/test('colord-test-daemon'/d" lib/colord/meson.build || die
+
+ # Adapt to Gentoo paths
+ sed -i \
+ -e "s|find_program('spotread'|find_program('argyll-spotread'|" \
+ -e "s|find_program('colprof'|find_program('argyll-colprof'|" \
+ meson.build || die
+
+ # meson gnome.generate_vapi properly handles VAPIGEN and other vala
+ # environment variables. It is counter-productive to check for an
+ # unversioned vapigen, as that breaks versioned VAPIGEN usages.
+ sed -i -e "/find_program('vapigen')/d" meson.build || die
+}
+
+multilib_src_configure() {
+ local emesonargs=(
+ $(meson_native_true daemon)
+ -Dbash_completion=false
+ $(meson_native_true udev_rules) # Install udev rules only from native build
+ $(meson_native_use_bool systemd)
+ -Dlibcolordcompat=true
+ $(meson_native_use_bool argyllcms argyllcms_sensor)
+ $(meson_native_use_bool scanner sane)
+ $(meson_native_use_bool introspection)
+ $(meson_native_use_bool vala vapi)
+ $(meson_native_use_bool extra-print-profiles print_profiles)
+ $(meson_use test tests)
+ -Dinstalled_tests=false
+ -Ddaemon_user=colord
+ $(meson_native_true man)
+ $(meson_use gtk-doc docs)
+ --localstatedir="${EPREFIX}"/var
+ )
+ meson_src_configure
+}
+
+multilib_src_install_all() {
+ newbashcomp data/colormgr colormgr
+
+ # Ensure config and profile directories exist and /var/lib/colord/*
+ # is writable by colord user
+ keepdir /var/lib/color{,d}/icc
+ fowners colord:colord /var/lib/colord{,/icc}
+
+ if use examples; then
+ docinto examples
+ dodoc examples/*.c
+ fi
+}
+
+pkg_postinst() {
+ udev_reload
+ tmpfiles_process colord.conf
+}
+
+pkg_postrm() {
+ udev_reload
+}
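Review bot: `RESTRICT="!test? ( test ) test"` contains a dead conditional, because the trailing unconditional `test` already restricts the test phase for every USE combination. If the suite can never run in the sandbox, write `RESTRICT="test" # Tests try to read and write files in /tmp`. If it is meant to run under USE=test, drop the trailing `test` instead. With the line as written, the `test` flag still feeds `$(meson_use test tests)`, so the tests are built but never executed.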
diff --git a/x11-misc/colord/files/colord-1.4.7-systemd-permissions.patch b/x11-misc/colord/files/colord-1.4.7-systemd-permissions.patch
new file mode 100644
index 000000000000..0a97d8ac579d
--- /dev/null
+++ b/x11-misc/colord/files/colord-1.4.7-systemd-permissions.patch
@@ -0,0 +1,51 @@
+https://github.com/hughsie/colord/commit/08a32b2379fb5582f4312e59bf51a2823df56276
+https://github.com/hughsie/colord/commit/9283abd9c00468edb94d2a06d6fa3681cae2700d
+
+From 08a32b2379fb5582f4312e59bf51a2823df56276 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 29 Jan 2024 10:37:11 +0000
+Subject: [PATCH] Fix writing to the database with ProtectSystem=strict
+
+Fixes https://github.com/hughsie/colord/issues/166
+--- a/data/colord.service.in
++++ b/data/colord.service.in
+@@ -17,6 +17,10 @@ ProtectControlGroups=true
+ RestrictRealtime=true
+ RestrictAddressFamilies=AF_UNIX
+
++ConfigurationDirectory=colord
++StateDirectory=colord
++CacheDirectory=colord
++
+ # drop all capabilities
+ CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_SYS_RAWIO CAP_SYS_TIME CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_KILL CAP_MKNOD CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_RESOURCE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+
+
+From 9283abd9c00468edb94d2a06d6fa3681cae2700d Mon Sep 17 00:00:00 2001
+From: Ferdinand Bachmann <ferdinand.bachmann@yrlf.at>
+Date: Tue, 30 Jan 2024 12:44:18 +0100
+Subject: [PATCH] Fix USB scanners not working with RestrictAddressFamilies
+
+colord-sane scanner drivers using libusb can't initialize properly with
+RestrictAddressFamilies set to AF_UNIX. Remove that line to ensure those
+can work properly.
+
+This also avoids a crash in HPLIP due to unchecked calls to libusb_init().
+
+Fixes #165
+---
+ data/colord.service.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/data/colord.service.in b/data/colord.service.in
+index c358dc4b..45ec5811 100644
+--- a/data/colord.service.in
++++ b/data/colord.service.in
+@@ -15,7 +15,6 @@ ProtectKernelModules=true
+ ProtectKernelLogs=true
+ ProtectControlGroups=true
+ RestrictRealtime=true
+-RestrictAddressFamilies=AF_UNIX
+
+ ConfigurationDirectory=colord
+ StateDirectory=colord
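Review bot: The second backported commit deletes `RestrictAddressFamilies=AF_UNIX` outright, so the patched unit has no socket-family restriction at all and the daemon may open any address family, including network sockets. Because the ebuild applies the patch unconditionally, this also affects installs without the `scanner` flag, which is the only case the commit message cites. A narrower fix would keep the directive and add only what the USB backends need, for example `RestrictAddressFamilies=AF_UNIX AF_NETLINK`. libusb on Linux normally uses netlink for device discovery, but the family that actually failed is not shown on this page, so confirm it against upstream issue #165 first. The rest of the unit's hardening lies outside the visible context lines, so whether another directive already limits network access cannot be judged from this hunk.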