Diffstat (limited to 'etc/polkit-1/rules.d')
-rw-r--r--etc/polkit-1/rules.d/52-systemd-local-only.rules12
-rw-r--r--etc/polkit-1/rules.d/53-udisks-system-mount.rules14
2 files changed, 26 insertions, 0 deletions
diff --git a/etc/polkit-1/rules.d/52-systemd-local-only.rules b/etc/polkit-1/rules.d/52-systemd-local-only.rules
new file mode 100644
index 0000000..bcfd347
--- /dev/null
+++ b/etc/polkit-1/rules.d/52-systemd-local-only.rules
@@ -0,0 +1,12 @@
+// Restrict systemd unit management via polkit to active local sessions.
+// Wheel-via-sudo-rs is unaffected (sudoers is a separate authorisation
+// path). Stops a remote SSH session (no `subject.local`) or a background
+// non-active session from start/stop/restart/reload of system units via
+// the polkit gate.
+polkit.addRule(function (action, subject) {
+ if (action.id.indexOf("org.freedesktop.systemd1.") === 0) {
+ if (!subject.local || !subject.active) {
+ return polkit.Result.NO;
+ }
+ }
+});
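Review bot: The prefix test `action.id.indexOf("org.freedesktop.systemd1.") === 0` denies every systemd1 polkit action, not only the start/stop/restart/reload that the header comment names, so the comment understates the rule's reach (unit-file changes and daemon reload are gated too). Because this file sorts at 52- and returns `polkit.Result.NO`, it should also take precedence over any allow rule in a later-sorted file; that would deny a non-root service account that has no session at all, so any such grant needs an explicit exception here. I would extend the comment to say both things, and add `polkit.log("52-systemd-local-only: denied " + action.id + " for " + subject.user);` before the `return` so that denials leave an audit trail.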
diff --git a/etc/polkit-1/rules.d/53-udisks-system-mount.rules b/etc/polkit-1/rules.d/53-udisks-system-mount.rules
new file mode 100644
index 0000000..64c5517
--- /dev/null
+++ b/etc/polkit-1/rules.d/53-udisks-system-mount.rules
@@ -0,0 +1,14 @@
+// Require an active session to mount system filesystems or modify
+// system devices via udisks2. Normal USB-stick auto-mount uses the
+// `filesystem-mount` action (not `*-system`) and is not affected; the
+// gate is on /etc/fstab system mounts and disk-level operations.
+polkit.addRule(function (action, subject) {
+ if (
+ action.id === "org.freedesktop.udisks2.filesystem-mount-system" ||
+ action.id === "org.freedesktop.udisks2.modify-system"
+ ) {
+ if (!subject.active) {
+ return polkit.Result.NO;
+ }
+ }
+});
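Review bot: The second id, `org.freedesktop.udisks2.modify-system`, does not match any udisks2 action I know of (the disk-level ones are named like `modify-device-system`), and with an exact `===` comparison a wrong id means that branch never fires. Both strings should be checked against `pkaction` output on the target system before the rule is relied on. Separately, only `subject.active` is tested here, while 52-systemd-local-only.rules also tests `subject.local`. A seatless remote session may well be reported as active, so if remote sessions are meant to be denied too, the condition should read `if (!subject.local || !subject.active) {`.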