From a16208d53f5b213bec0bd0d4b74ab44239df78c9 Mon Sep 17 00:00:00 2001 
From: Mihai Moldovan Date: Thu, 7 Dec 2023 18:49:03 +0100 Subject: data: add 50-org.Arctica-Project.arctica-greeter.rules. This message is adapted from ayatana-indicator-sound. Note that while it is Debian-centric, other distributions (e.g., *SuSE) have long upgraded to polkit versions > 0.105, so are affected by this even more. arctica-greeter currently ships polkit 0.105 configuration fragments at ${LOCALSTATEDIR}/polkit-1/localauthority/10-vendor.d/arctica-greeter.pkla but does not seem to have a polkit >= 0.106 equivalent in ${DATADIR}/polkit-1/rules.d. This means the customizations to the default polkit policies that are made by this package will not be taken into account when running polkit >= 0.106. Debian and Ubuntu are currently using polkit 0.105 with the old .pkla rules (and an increasingly large patch series to fix 9 years' worth of bugs and security vulnerabilities), but it has become clear that this is not sustainable, and I (Mike Gabriel) am looking at whether we can replace polkit 0.105 with version 121 or newer for Debian 12. You can try these newer versions by installing the polkitd and polkitd-javascript packages from experimental. To make this transition go smoothly, packages that ship a .pkla file should also provide an equivalent JavaScript file ${DATADIR}/polkit-1/rules.d/*.rules which will be used by newer versions of polkit. Most already do, but this is one of a few that do not. It is appropriate to contribute these .rules files upstream. System administrators can override the rules in ${DATADIR}/polkit-1/rules.d by creating a file of the same name in ${SYSCONFDIR}/polkit-1/rules.d, or add local rules by creating a file with a different name in ${SYSCONFDIR}/polkit-1/rules.d. Please don't remove the .pkla file when adding the .rules file: keep the .pkla file in place until this transition has finished. ${DATADIR}/polkit-1/actions/*.policy files are not affected by this transition: they are used by both the old and new versions of polkit. 
For example, here's the .pkla file for systemd-networkd in stable, which allows the systemd-network user to take some privileged actions: https://sources.debian.org/src/systemd/247.3-7/src/network/systemd-networkd.pkla/ and here's the JavaScript equivalent: https://sources.debian.org/src/systemd/247.3-7/src/network/systemd-networkd.rules/ flatpak, fwupd and network-manager have other good examples. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015156
---
data/50-org.Arctica-Project.arctica-greeter.rules | 33 +++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 data/50-org.Arctica-Project.arctica-greeter.rules
diff --git a/data/50-org.Arctica-Project.arctica-greeter.rules b/data/50-org.Arctica-Project.arctica-greeter.rules
new file mode 100644
index 0000000..b194628
--- /dev/null
+++ b/data/50-org.Arctica-Project.arctica-greeter.rules
@@ -0,0 +1,33 @@
+polkit.addRule (function (action, subject) {
+ if (subject.user == "lightdm") {
+ switch (action.id) {
+ // Disable Controlling of Network Devices
+ case 'org.freedesktop.NetworkManager.enable-disable-network':
+ case 'org.freedesktop.NetworkManager.enable-disable-wifi':
+ case 'org.freedesktop.NetworkManager.enable-disable-wwan':
+ case 'org.freedesktop.NetworkManager.enable-disable-wimax':
+ // Disable Sleep and Wake
+ case 'org.freedesktop.NetworkManager.sleep-wake':
+ // Disable WiFi Sharing
+ case 'org.freedesktop.NetworkManager.wifi.share.protected':
+ case 'org.freedesktop.NetworkManager.wifi.share.open':
+ // Disable Settings Modifications
+ case 'org.freedesktop.NetworkManager.settings.modify.own':
+ case 'org.freedesktop.NetworkManager.settings.modify.system':
+ case 'org.freedesktop.NetworkManager.settings.modify.hostname':
+ // Disable User Connections
+ case 'org.freedesktop.NetworkManager.use-user-connections':
+ // Enable Controlling of Network Connections
+ case 'org.freedesktop.NetworkManager.network-control':
+ return polkit.Result.NO;
+ break;
+ default:
+ /*
+ * Do nothing... for now.
+ *
+ * This means that polkit will continue scanning for other rules.
+ */
+ break;
+ }
+ }
+});
-- cgit v1.2.3
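Review bot: The last case label, `org.freedesktop.NetworkManager.network-control`, sits under the comment `// Enable Controlling of Network Connections` but falls through to the same `return polkit.Result.NO;` as the denied actions, so the rule denies what its comment says it enables. If the existing .pkla (not visible here) grants this action to lightdm, the translation changes the greeter's policy; give it its own branch after the `return polkit.Result.NO;`, i.e. `case 'org.freedesktop.NetworkManager.network-control':` followed by `return polkit.Result.YES;`. If denial is intended, correct the comment to `// Disable Controlling of Network Connections` so the policy is not misread in a later audit. The `break;` after the `return` is unreachable and can be dropped.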