authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-29 11:18:12 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-29 11:18:12 +0100
commitcdf6350a7ad530feee509c63675ff6cc74cb7ced (patch)
treed5e39199a47a4b4b9c30e3e9b2c1065f4896ce55 /etc/polkit-1/rules.d/53-udisks-system-mount.rules
parent75e84558ea71f14adbaa1a461cd5f6e8793b0470 (diff)
feat(polkit): restrict systemd + udisks system actions to active local sessions
Two narrow defence-in-depth rules: - 52-systemd-local-only: org.freedesktop.systemd1.* requires both subject.local and subject.active. Wheel-via-sudo-rs is on a different path (sudoers) and is not affected. Stops a non-active or remote polkit caller from start/stop/restart of system units. - 53-udisks-system-mount: filesystem-mount-system and modify-system require subject.active. The everyday USB auto-mount path uses filesystem-mount (no -system suffix) and is unaffected. Audited against current workflow (virt-manager, networkctl, USB mount, bluetoothctl, fwupdmgr) — none of these break.
Diffstat (limited to 'etc/polkit-1/rules.d/53-udisks-system-mount.rules')
-rw-r--r--etc/polkit-1/rules.d/53-udisks-system-mount.rules14
1 files changed, 14 insertions, 0 deletions
diff --git a/etc/polkit-1/rules.d/53-udisks-system-mount.rules b/etc/polkit-1/rules.d/53-udisks-system-mount.rules
new file mode 100644
index 0000000..64c5517
--- /dev/null
+++ b/etc/polkit-1/rules.d/53-udisks-system-mount.rules
@@ -0,0 +1,14 @@
+// Require an active session to mount system filesystems or modify
+// system devices via udisks2. Normal USB-stick auto-mount uses the
+// `filesystem-mount` action (not `*-system`) and is not affected; the
+// gate is on /etc/fstab system mounts and disk-level operations.
+polkit.addRule(function (action, subject) {
+ if (
+ action.id === "org.freedesktop.udisks2.filesystem-mount-system" ||
+ action.id === "org.freedesktop.udisks2.modify-system"
+ ) {
+ if (!subject.active) {
+ return polkit.Result.NO;
+ }
+ }
+});
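Review bot: The guard `if (!subject.active)` tests only session activity, while the commit title promises "active local sessions" and the description says the sibling 52 rule requires both `subject.local` and `subject.active`. If remote sessions are meant to be refused for `filesystem-mount-system` and `modify-system` too, the condition would read `if (!subject.local || !subject.active) {`. If active-only is deliberate, the header comment should say so, for example `// Remote sessions are intentionally not blocked here; only inactive ones are.` Every other path returns nothing, which leaves the decision to later rules and the action's defaults, so a one-line comment on that fall-through would help. Presumably a rule file that sorts before `53-` and returns a result for these action ids would decide first; that ordering is not visible in this hunk.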