Diffstat (limited to 'data/50-org.Arctica-Project.arctica-greeter.rules')
-rw-r--r--data/50-org.Arctica-Project.arctica-greeter.rules105
1 files changed, 74 insertions, 31 deletions
diff --git a/data/50-org.Arctica-Project.arctica-greeter.rules b/data/50-org.Arctica-Project.arctica-greeter.rules
index b194628..ddd666a 100644
--- a/data/50-org.Arctica-Project.arctica-greeter.rules
+++ b/data/50-org.Arctica-Project.arctica-greeter.rules
@@ -1,33 +1,76 @@
-polkit.addRule (function (action, subject) {
- if (subject.user == "lightdm") {
- switch (action.id) {
- // Disable Controlling of Network Devices
- case 'org.freedesktop.NetworkManager.enable-disable-network':
- case 'org.freedesktop.NetworkManager.enable-disable-wifi':
- case 'org.freedesktop.NetworkManager.enable-disable-wwan':
- case 'org.freedesktop.NetworkManager.enable-disable-wimax':
- // Disable Sleep and Wake
- case 'org.freedesktop.NetworkManager.sleep-wake':
- // Disable WiFi Sharing
- case 'org.freedesktop.NetworkManager.wifi.share.protected':
- case 'org.freedesktop.NetworkManager.wifi.share.open':
- // Disable Settings Modifications
- case 'org.freedesktop.NetworkManager.settings.modify.own':
- case 'org.freedesktop.NetworkManager.settings.modify.system':
- case 'org.freedesktop.NetworkManager.settings.modify.hostname':
- // Disable User Connections
- case 'org.freedesktop.NetworkManager.use-user-connections':
- // Enable Controlling of Network Connections
- case 'org.freedesktop.NetworkManager.network-control':
+// Allow enabling/disabling of Network Devices in arctica-greeter / LightDM
+polkit.addRule(function(action, subject) {
+ if (subject.user !== 'lightdm') {
+ return undefined;
+ }
+
+ if (action.id == "org.freedesktop.NetworkManager.enable-disable-network" ||
+ action.id == "org.freedesktop.NetworkManager.enable-disable-wifi" ||
+ action.id == "org.freedesktop.NetworkManager.enable-disable-wwan" ||
+ action.id == "org.freedesktop.NetworkManager.enable-disable-wimax") {
+ return polkit.Result.YES;
+ }
+});
+
+// Allow Sleep and Wake in LightDM (for power management purposes)
+polkit.addRule(function(action, subject) {
+ if (subject.user !== 'lightdm') {
+ return undefined;
+ }
+
+ if (action.id == "org.freedesktop.NetworkManager.sleep-wake") {
+ return polkit.Result.YES;
+ }
+});
+
+// Disable WiFi Sharing in LightDM
+polkit.addRule(function(action, subject) {
+ if (subject.user !== 'lightdm') {
+ return undefined;
+ }
+
+ if ((action.id == "org.freedesktop.NetworkManager.wifi.share.protected" ||
+ action.id == "org.freedesktop.NetworkManager.wifi.share.open")) {
+ return polkit.Result.NO;
+ }
+});
+
+// Allow system settings modifications via arctica-greeter / LightDM
+// This leads to the greeter's nm-applet creating non-private WiFi connection profiles
+// by default, see:
+// https://gitlab.gnome.org/GNOME/network-manager-applet/-/commit/a0f95d83ff946ba854143414c97c4ed7af19b7fa
+//
+// As a result, all users can use WiFi connection profiles that were originally configured
+// in the greeter. Security implications are that all users with access to the greeter can
+// via WiFi credentials that other users configured previously via the greeter.
+polkit.addRule(function(action, subject) {
+ if (subject.user !== 'lightdm') {
+ return undefined;
+ }
+
+ if (action.id == "org.freedesktop.NetworkManager.settings.modify.system") {
+ return polkit.Result.YES;
+ }
+});
+
+// Allow users to create new WiFi connection profiles via arctica-greeter / LightDM
+polkit.addRule(function(action, subject) {
+ if (subject.user !== 'lightdm')
+ return undefined;
+
+ if (action.id == "org.freedesktop.NetworkManager.settings.modify.own" ||
+ action.id == "org.freedesktop.NetworkManager.settings.modify.hostname") {
return polkit.Result.NO;
- break;
- default:
- /*
- * Do nothing... for now.
- *
- * This means that polkit will continue scanning for other rules.
- */
- break;
- }
- }
+ }
+});
+
+// Enable Controlling of Network Connections in LightDM
+polkit.addRule(function(action, subject) {
+ if (subject.user !== 'lightdm')
+ return undefined;
+
+ if (action.id.match("org.freedesktop.NetworkManager.network-control")) &&
+ subject.active == true) {
+ return polkit.Result.YES;
+ }
});
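Review bot: The last rule's condition has an extra closing parenthesis, `if (action.id.match("org.freedesktop.NetworkManager.network-control")) &&`, so the `if` is closed before `&&` and the file is not valid JavaScript; polkitd is expected to reject a rules file it cannot compile, which would also drop the `polkit.Result.NO` rules for WiFi sharing and `settings.modify.own`/`.hostname` and leave the lightdm user on the actions' default policy. Use an exact comparison like the other rules, `if (action.id == "org.freedesktop.NetworkManager.network-control" &&` followed by `subject.active == true) {`, because `match()` with a string argument is an unanchored regular expression in which `.` matches any character. That rule is also the only one that checks `subject.active`: the `settings.modify.system` and `enable-disable-*` grants return `polkit.Result.YES` for any process running as lightdm, and given the shared-credential exposure described in the comment above the `settings.modify.system` rule, gating them on `subject.active && subject.local` looks worth considering. The comment "Allow users to create new WiFi connection profiles" sits above a rule that returns `polkit.Result.NO`, and the phrase "can via WiFi credentials" in the security note is missing its verb; both should be corrected so the documented intent matches the policy that is enforced.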