Replace some more occurrences of ‘setuid-programs’.

* gnu/packages/containers.scm (podman, buildah)[arguments]:
Substitute /run/privileged/bin for /run/setuid-programs.
* gnu/packages/mail.scm (opensmtpd)[arguments]: Likewise.
* gnu/packages/spice.scm (spice-gtk)[arguments]: Likewise.
* gnu/packages/patches/enlightenment-fix-setuid-path.patch: Likewise.
* gnu/packages/xdisorg.scm (xsecurelock)[description]: Rewrite
example code to use the ‘privileged-program(s)’ terminology.
* doc/guix-cookbook.texi (Network bridge for QEMU): Likewise.
* gnu/packages/disk.scm (udevil)[arguments]: Update a comment.

Change-Id: I7f467e8743a3ef556cd89bac41509bf51d9edb30

doc/guix-cookbook.texi

@@ -3791,13 +3791,15 @@ QEMU comes with a helper program to conveniently make use of a network
 bridge interface as an unprivileged user @pxref{Network options,,, QEMU,
 QEMU Documentation}.  The binary must be made setuid root for proper
 operation; this can be achieved by adding it to the
-@code{setuid-programs} field of your (host) @code{operating-system}
+@code{privileged-programs} field of your (host) @code{operating-system}
 definition, as shown below:
 
 @example lisp
-(setuid-programs
+(privileged-programs
- (cons (file-append qemu "/libexec/qemu-bridge-helper")
+ (cons (privileged-program
-       %setuid-programs))
+         (program (file-append qemu "/libexec/qemu-bridge-helper"))
+         (setuid? #t))
+       %default-privileged-programs))
 @end example
 
 The file @file{/etc/qemu/bridge.conf} must also be made to allow the

gnu/packages/containers.scm

@@ -536,7 +536,7 @@ Its main purpose is to support the key usage by @code{docker-init}:
                    ,(string-append #$iptables       "/sbin")
                    ,(string-append #$passt          "/bin")
                    ,(string-append #$procps         "/bin") ; ps
-                   "/run/setuid-programs")))))
+                   "/run/privileged/bin")))))
           (add-after 'install 'install-completions
             (lambda _
               (invoke "make" "install.completions"
@@ -669,7 +669,7 @@ being rootless and not requiring any daemon to be running.")
                   (,(string-append #$crun           "/bin")
                    ,(string-append #$gcc            "/bin") ; cpp
                    ,(string-append #$passt          "/bin")
-                   "/run/setuid-programs")))))
+                   "/run/privileged/bin")))))
           (add-after 'install 'install-completions
             (lambda _
               (invoke "make" "install.completions"

gnu/packages/disk.scm

@@ -209,9 +209,9 @@ and write-back caching.")
         (string-append "--sysconfdir="
                        (assoc-ref %outputs "out")
                        "/etc")
-        ;; udevil expects these programs to be run with uid set as root.
+        ;; udevil expects these programs to be run with an UID of root.
-        ;; user has to manually add these programs to setuid-programs.
+        ;; mount and umount are %default-privileged-programs on Guix System;
-        ;; mount and umount are default setuid-programs in guix system.
+        ;; the others must be explicitly added if desired.
         "--with-mount-prog=/run/privileged/bin/mount"
         "--with-umount-prog=/run/privileged/bin/umount"
         "--with-losetup-prog=/run/privileged/bin/losetup"

gnu/packages/mail.scm

@@ -3327,7 +3327,7 @@ from the Cyrus IMAP project.")
              ;; avoids warning smtpd: couldn't enqueue offline message
              ;; smtpctl exited abnormally
              (substitute* "usr.sbin/smtpd/smtpd.h"
-               (("/usr/bin/smtpctl") "/run/setuid-programs/smtpctl"))
+               (("/usr/bin/smtpctl") "/run/privileged/bin/smtpctl"))
              (substitute* "usr.sbin/smtpd/smtpctl.c"
                ;; ‘gzcat’ is auto-detected at compile time, but ‘cat’ isn't.
                (("/bin/cat" file) (search-input-file inputs file)))

gnu/packages/patches/enlightenment-fix-setuid-path.patch

@@ -10,7 +10,7 @@ index 6d07a0ac3..31e0e728f 100644
     snprintf(buf, sizeof(buf),
 -            "%s/enlightenment/utils/enlightenment_ckpasswd pw",
 -            e_prefix_lib_get());
-+            "/run/setuid-programs/enlightenment_ckpasswd pw");
++            "/run/privileged/bin/enlightenment_ckpasswd pw");
     exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL);
     if (!exe) goto out;
     snprintf(buf, sizeof(buf), "pw %s", passwd);
@@ -20,7 +20,7 @@ index 6d07a0ac3..31e0e728f 100644
     snprintf(buf, sizeof(buf),
 -            "%s/enlightenment/utils/enlightenment_ckpasswd pk",
 -            e_prefix_lib_get());
-+            "/run/setuid-programs/enlightenment_ckpasswd pk");
++            "/run/privileged/bin/enlightenment_ckpasswd pk");
     exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL);
     if (!exe) goto out;
     snprintf(buf, sizeof(buf), "%s %u %s", cookie, uid, passwd);
@@ -33,7 +33,7 @@ index 9b10b3117..74e6b72ad 100644
          char buf[PATH_MAX];
  
 -        snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
-+        snprintf(buf, sizeof(buf), "/run/setuid-programs/enlightenment_sys");
++        snprintf(buf, sizeof(buf), "/run/privileged/bin/enlightenment_sys");
          eeze_disk_mount_wrapper_set(v->disk, buf);
       }
     v->guard = ecore_timer_loop_add(E_FM_EJECT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_eject_timeout, v);
@@ -42,7 +42,7 @@ index 9b10b3117..74e6b72ad 100644
          char buf[PATH_MAX];
  
 -        snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
-+        snprintf(buf, sizeof(buf), "/run/setuid-programs/enlightenment_sys");
++        snprintf(buf, sizeof(buf), "/run/privileged/bin/enlightenment_sys");
          eeze_disk_mount_wrapper_set(v->disk, buf);
       }
     v->guard = ecore_timer_loop_add(E_FM_UNMOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_unmount_timeout, v);
@@ -51,7 +51,7 @@ index 9b10b3117..74e6b72ad 100644
          char buf2[PATH_MAX];
  
 -        snprintf(buf2, sizeof(buf2), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
-+        snprintf(buf2, sizeof(buf2), "/run/setuid-programs/enlightenment_sys");
++        snprintf(buf2, sizeof(buf2), "/run/privileged/bin/enlightenment_sys");
          eeze_disk_mount_wrapper_set(v->disk, buf2);
       }
     v->guard = ecore_timer_loop_add(E_FM_MOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_mount_timeout, v);
@@ -65,7 +65,7 @@ index 722063339..2da2d5a23 100644
     myasprintf(&buf3,
 -              "E_ALERT_SYSTEM_BIN=%s/enlightenment/utils/enlightenment_system",
 -              eina_prefix_lib_get(pfx));
-+              "E_ALERT_SYSTEM_BIN=/run/setuid-programs/enlightenment_system");
++              "E_ALERT_SYSTEM_BIN=/run/privileged/bin/enlightenment_system");
     putenv(buf3);
  
     home = getenv("HOME");
@@ -78,7 +78,7 @@ index bfd43e7e2..45d78b7ed 100644
     if (_respawn_count > 5) return;
     snprintf(buf, sizeof(buf),
 -            "%s/enlightenment/utils/enlightenment_system", e_prefix_lib_get());
-+            "/run/setuid-programs/enlightenment_system");
++            "/run/privileged/bin/enlightenment_system");
     _system_exe = ecore_exe_pipe_run
       (buf, ECORE_EXE_NOT_LEADER | ECORE_EXE_TERM_WITH_PARENT |
        ECORE_EXE_PIPE_READ | ECORE_EXE_PIPE_WRITE, NULL);

gnu/packages/spice.scm

@@ -172,7 +172,7 @@ which allows users to view a desktop computing environment.")
               ;; variable.
               (substitute* "src/usb-acl-helper.c"
                 (("ACL_HELPER_PATH\"/spice-client-glib-usb-acl-helper\"")
-                 "\"/run/setuid-programs/spice-client-glib-usb-acl-helper\""))))
+                 "\"/run/privileged/bin/spice-client-glib-usb-acl-helper\""))))
           (add-before 'configure 'correct-polkit-dir
             (lambda _
               (substitute* "meson.build"

gnu/packages/xdisorg.scm

@@ -17,7 +17,7 @@
 ;;; Copyright © 2016 Petter <petter@mykolab.ch>
 ;;; Copyright © 2017 Mekeor Melire <mekeor.melire@gmail.com>
 ;;; Copyright © 2017 Nikita <nikita@n0.is>
-;;; Copyright © 2017–2021 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017–2021, 2024 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Marek Benc <dusxmt@gmx.com>
 ;;; Copyright © 2017 Mike Gerwitz <mtg@gnu.org>
 ;;; Copyright © 2018 Thomas Sigurdsen <tonton@riseup.net>
@@ -2730,15 +2730,17 @@ temperature of the screen.")
     (description "@code{xsecurelock} is an X11 screen locker which uses
 a modular design to avoid the usual pitfalls of screen locking utility design.
 
-As a consequence of the modular design, the usual screen locker service
+As a consequence of this design, you shouldn't use the usual screen locker
-shouldn't be used with @code{xsecurelock}.  Instead, you need to add a helper
+service with @code{xsecurelock}.  Instead, add a helper binary to your
-binary to setuid-binaries:
+@code{operating-system}'s @code{privileged-programs} field:
+
 @example
-(setuid-programs
+(privileged-programs
  (cons*
-  (setuid-program
+  (privileged-program
-   (program (file-append xsecurelock \"/libexec/xsecurelock/authproto_pam\")))
+   (program (file-append xsecurelock \"/libexec/xsecurelock/authproto_pam\"))
-  %setuid-programs))
+   (setuid? #t))
+  %default-privileged-programs))
 @end example")
     (license license:asl2.0)))