From cdf6350a7ad530feee509c63675ff6cc74cb7ced Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Fri, 29 May 2026 11:18:12 +0100 Subject: feat(polkit): restrict systemd + udisks system actions to active local sessions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two narrow defence-in-depth rules: - 52-systemd-local-only: org.freedesktop.systemd1.* requires both subject.local and subject.active. Wheel-via-sudo-rs is on a different path (sudoers) and is not affected. Stops a non-active or remote polkit caller from start/stop/restart of system units. - 53-udisks-system-mount: filesystem-mount-system and modify-system require subject.active. The everyday USB auto-mount path uses filesystem-mount (no -system suffix) and is unaffected. Audited against current workflow (virt-manager, networkctl, USB mount, bluetoothctl, fwupdmgr) — none of these break.
---
 etc/polkit-1/rules.d/53-udisks-system-mount.rules | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 etc/polkit-1/rules.d/53-udisks-system-mount.rules (limited to 'etc/polkit-1/rules.d/53-udisks-system-mount.rules')
diff --git a/etc/polkit-1/rules.d/53-udisks-system-mount.rules b/etc/polkit-1/rules.d/53-udisks-system-mount.rules
new file mode 100644
index 0000000..64c5517
--- /dev/null
+++ b/etc/polkit-1/rules.d/53-udisks-system-mount.rules
@@ -0,0 +1,14 @@
+// Require an active session to mount system filesystems or modify
+// system devices via udisks2. Normal USB-stick auto-mount uses the
+// `filesystem-mount` action (not `*-system`) and is not affected; the
+// gate is on /etc/fstab system mounts and disk-level operations.
+polkit.addRule(function (action, subject) {
+ if (
+ action.id === "org.freedesktop.udisks2.filesystem-mount-system" ||
+ action.id === "org.freedesktop.udisks2.modify-system"
+ ) {
+ if (!subject.active) {
+ return polkit.Result.NO;
+ }
+ }
+});
-- cgit v1.3.1
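Review bot: The guard `if (!subject.active)` tests only the active flag, while the commit title promises "active local sessions" and the sibling systemd rule is described as requiring both `subject.local` and `subject.active`; as written, a caller whose session is active but not local is not denied here and falls through to later rules and the action's defaults. If the local restriction is intended for udisks as well, the condition should read `if (!subject.local || !subject.active) {`; if it is deliberately omitted, a line such as `// subject.local is intentionally not required here: <reason>` above the check would record the decision. The header comment could also state that this rule never returns YES, so it can only deny and never grants. Assuming polkit's usual first-result-wins evaluation in file order, any lower-numbered rules file that returns a result for these two action ids would take precedence over this one, which is worth checking against the other files in rules.d.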