diff options
author | Mihai Moldovan <ionic@ionic.de> | 2023-12-07 18:49:03 +0100 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2024-02-06 14:03:59 +0100 |
commit | a16208d53f5b213bec0bd0d4b74ab44239df78c9 (patch) | |
tree | 0ea44ad8605da046f9a067d3d0456039fb8dd69c | |
parent | de9c25ba64a7c32f05297a26c6ee4308ee07cf0a (diff) | |
download | arctica-greeter-a16208d53f5b213bec0bd0d4b74ab44239df78c9.tar.gz arctica-greeter-a16208d53f5b213bec0bd0d4b74ab44239df78c9.tar.bz2 arctica-greeter-a16208d53f5b213bec0bd0d4b74ab44239df78c9.zip |
data: add 50-org.Arctica-Project.arctica-greeter.rules.
This message is adapted from ayatana-indicator-sound. Note that while it
is Debian-centric, other distributions (e.g., *SuSE) have long upgraded
to polkit versions > 0.105, so are affected by this even more.
arctica-greeter currently ships polkit 0.105 configuration fragments at
${LOCALSTATEDIR}/polkit-1/localauthority/10-vendor.d/arctica-greeter.pkla
but does not seem to have a polkit >= 0.106 equivalent in
${DATADIR}/polkit-1/rules.d. This means the customizations to the
default polkit policies that are made by this package will not be taken
into account when running polkit >= 0.106.
Debian and Ubuntu are currently using polkit 0.105 with the old .pkla
rules (and an increasingly large patch series to fix 9 years' worth of
bugs and security vulnerabilities), but it has become clear that this is
not sustainable, and I (Mike Gabriel) am looking at whether we can
replace polkit 0.105 with version 121 or newer for Debian 12. You can
try these newer versions by installing the polkitd and
polkitd-javascript packages from experimental.
To make this transition go smoothly, packages that ship a .pkla file
should also provide an equivalent JavaScript file
${DATADIR}/polkit-1/rules.d/*.rules which will be used by newer versions
of polkit. Most already do, but this is one of a few that do not. It is
appropriate to contribute these .rules files upstream.
System administrators can override the rules in
${DATADIR}/polkit-1/rules.d by creating a file of the same name in
${SYSCONFDIR}/polkit-1/rules.d, or add local rules by creating a file
with a different name in ${SYSCONFDIR}/polkit-1/rules.d.
Please don't remove the .pkla file when adding the .rules file: keep the
.pkla file in place until this transition has finished.
${DATADIR}/polkit-1/actions/*.policy files are not affected by this
transition: they are used by both the old and new versions of polkit.
For example, here's the .pkla file for systemd-networkd in stable, which
allows the systemd-network user to take some privileged actions:
https://sources.debian.org/src/systemd/247.3-7/src/network/systemd-networkd.pkla/
and here's the JavaScript equivalent:
https://sources.debian.org/src/systemd/247.3-7/src/network/systemd-networkd.rules/
flatpak, fwupd and network-manager have other good examples.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015156
-rw-r--r-- | data/50-org.Arctica-Project.arctica-greeter.rules | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/data/50-org.Arctica-Project.arctica-greeter.rules b/data/50-org.Arctica-Project.arctica-greeter.rules new file mode 100644 index 0000000..b194628 --- /dev/null +++ b/data/50-org.Arctica-Project.arctica-greeter.rules @@ -0,0 +1,33 @@ +polkit.addRule (function (action, subject) { + if (subject.user == "lightdm") { + switch (action.id) { + // Disable Controlling of Network Devices + case 'org.freedesktop.NetworkManager.enable-disable-network': + case 'org.freedesktop.NetworkManager.enable-disable-wifi': + case 'org.freedesktop.NetworkManager.enable-disable-wwan': + case 'org.freedesktop.NetworkManager.enable-disable-wimax': + // Disable Sleep and Wake + case 'org.freedesktop.NetworkManager.sleep-wake': + // Disable WiFi Sharing + case 'org.freedesktop.NetworkManager.wifi.share.protected': + case 'org.freedesktop.NetworkManager.wifi.share.open': + // Disable Settings Modifications + case 'org.freedesktop.NetworkManager.settings.modify.own': + case 'org.freedesktop.NetworkManager.settings.modify.system': + case 'org.freedesktop.NetworkManager.settings.modify.hostname': + // Disable User Connections + case 'org.freedesktop.NetworkManager.use-user-connections': + // Enable Controlling of Network Connections + case 'org.freedesktop.NetworkManager.network-control': + return polkit.Result.NO; + break; + default: + /* + * Do nothing... for now. + * + * This means that polkit will continue scanning for other rules. + */ + break; + } + } +}); |