| field | value |
|---|---|
| author | 2026-05-29 11:18:12 +0100 |
| committer | 2026-05-29 11:18:12 +0100 |
| commit | cdf6350a7ad530feee509c63675ff6cc74cb7ced (patch) |
| tree | d5e39199a47a4b4b9c30e3e9b2c1065f4896ce55 |
| parent | 75e84558ea71f14adbaa1a461cd5f6e8793b0470 (diff) |
| download | dotfiles-cdf6350a7ad530feee509c63675ff6cc74cb7ced.tar.gz, dotfiles-cdf6350a7ad530feee509c63675ff6cc74cb7ced.tar.bz2, dotfiles-cdf6350a7ad530feee509c63675ff6cc74cb7ced.zip |
feat(polkit): restrict systemd + udisks system actions to active local sessions
Two narrow defence-in-depth rules:

- 52-systemd-local-only: org.freedesktop.systemd1.* requires both subject.local and subject.active. Wheel-via-sudo-rs is on a different path (sudoers) and is not affected. Stops a non-active or remote polkit caller from start/stop/restart of system units.
- 53-udisks-system-mount: filesystem-mount-system and modify-system require subject.active. The everyday USB auto-mount path uses filesystem-mount (no -system suffix) and is unaffected.

Audited against current workflow (virt-manager, networkctl, USB mount, bluetoothctl, fwupdmgr) — none of these break.
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | etc/polkit-1/rules.d/52-systemd-local-only.rules | 12 |
| -rw-r--r-- | etc/polkit-1/rules.d/53-udisks-system-mount.rules | 14 |

2 files changed, 26 insertions, 0 deletions
diff --git a/etc/polkit-1/rules.d/52-systemd-local-only.rules b/etc/polkit-1/rules.d/52-systemd-local-only.rules new file mode 100644 index 0000000..bcfd347 --- /dev/null +++ b/etc/polkit-1/rules.d/52-systemd-local-only.rules @@ -0,0 +1,12 @@ +// Restrict systemd unit management via polkit to active local sessions. +// Wheel-via-sudo-rs is unaffected (sudoers is a separate authorisation +// path). Stops a remote SSH session (no `subject.local`) or a background +// non-active session from start/stop/restart/reload of system units via +// the polkit gate. +polkit.addRule(function (action, subject) { + if (action.id.indexOf("org.freedesktop.systemd1.") === 0) { + if (!subject.local || !subject.active) { + return polkit.Result.NO; + } + } +}); diff --git a/etc/polkit-1/rules.d/53-udisks-system-mount.rules b/etc/polkit-1/rules.d/53-udisks-system-mount.rules new file mode 100644 index 0000000..64c5517 --- /dev/null +++ b/etc/polkit-1/rules.d/53-udisks-system-mount.rules @@ -0,0 +1,14 @@ +// Require an active session to mount system filesystems or modify +// system devices via udisks2. Normal USB-stick auto-mount uses the +// `filesystem-mount` action (not `*-system`) and is not affected; the +// gate is on /etc/fstab system mounts and disk-level operations. +polkit.addRule(function (action, subject) { + if ( + action.id === "org.freedesktop.udisks2.filesystem-mount-system" || + action.id === "org.freedesktop.udisks2.modify-system" + ) { + if (!subject.active) { + return polkit.Result.NO; + } + } +}); |
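Review bot: the header comment in 52-systemd-local-only.rules understates what the `action.id.indexOf("org.freedesktop.systemd1.") === 0` prefix test covers: it is every systemd1 action, not just start/stop/restart/reload, so `manage-unit-files` (enable/disable), `reload-daemon` and `set-environment` are also denied for a non-local or non-active subject. Either say so in the comment or narrow the match to the action ids you actually want gated. A second caveat worth writing down: a process that is in no logind session at all, for example anything run by the user's `systemd --user` manager (a user service or timer), has neither `subject.local` nor `subject.active` set and lands in the `polkit.Result.NO` branch; the audit list in the commit message covers interactive tools only, so it is worth confirming that no user-level unit relies on these actions before merging.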
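Review bot: please verify the second action id in 53-udisks-system-mount.rules; I do not recall an `org.freedesktop.udisks2.modify-system` action in udisks2's policy (the system-device variant I know is `modify-device-system`, with `modify-system-configuration` for fstab/crypttab edits). `pkaction | grep udisks2` on the host will settle it; an id that matches nothing silently makes that half of the rule a no-op. Separately, this rule checks only `subject.active` while the commit message and 52- describe the goal as "active local sessions": logind reports a seatless session (an SSH login, for instance) as active, so a remote caller passes this gate even though 52- would stop it. If that is intended, say so in the header comment; otherwise use `if (!subject.local || !subject.active)` to match. Finally, the comment's "gate is on /etc/fstab system mounts" is not quite right as far as I know: `filesystem-mount-system` covers mounting filesystems on system (internal, non-removable) devices, whereas fstab entries handled by udisks go through the separate `filesystem-fstab` action, which this rule does not touch.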
