<feed xmlns='http://www.w3.org/2005/Atom'>
<title>dotfiles/etc/polkit-1/rules.d/53-udisks-system-mount.rules, branch master</title>
<subtitle>My Linux config and rc files</subtitle>
<id>https://git.sommerfeld.dev/dotfiles/atom/etc/polkit-1/rules.d/53-udisks-system-mount.rules?h=master</id>
<link rel='self' href='https://git.sommerfeld.dev/dotfiles/atom/etc/polkit-1/rules.d/53-udisks-system-mount.rules?h=master'/>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/'/>
<updated>2026-05-29T10:18:12Z</updated>
<entry>
<title>feat(polkit): restrict systemd + udisks system actions to active local sessions</title>
<updated>2026-05-29T10:18:12Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-29T10:18:12Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=cdf6350a7ad530feee509c63675ff6cc74cb7ced'/>
<id>urn:sha1:cdf6350a7ad530feee509c63675ff6cc74cb7ced</id>
<content type='text'>
Two narrow defence-in-depth rules:

- 52-systemd-local-only: org.freedesktop.systemd1.* requires both
  subject.local and subject.active. Wheel-via-sudo-rs is on a different
  path (sudoers) and is not affected. Stops a non-active or remote
  polkit caller from start/stop/restart of system units.

- 53-udisks-system-mount: filesystem-mount-system and modify-system
  require subject.active. The everyday USB auto-mount path uses
  filesystem-mount (no -system suffix) and is unaffected.

Audited against current workflow (virt-manager, networkctl, USB mount,
bluetoothctl, fwupdmgr) — none of these break.
</content>
</entry>
</feed>
