Tag Archive for 'policykit'

PolicyKit Javascript rules with catchall

So the desktop is ruled by PolicyKit which is awesome. It includes sets of rules about who can run certain actions (such as mounting an internal drive).

The rules are read in lexical order from the /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d directories.

You can get a list of available actions with the command:
$ pkaction

There may come a time when you want to tweak those rules though, to make management of your system easier. For example, managing virt-manager without a password if you’re in the wheel group (the rule is org.libvirt.unix.manage). If so, you can create one with a name like “10-my-policy.rules” in either directory above.

polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage" &&
subject.isInGroup("wheel") && subject.active) {
return polkit.Result.YES;
}
});

Some related tasks have several actions, like configuring cups:
$ pkaction |grep cups
org.opensuse.cupspkhelper.mechanism.all-edit
org.opensuse.cupspkhelper.mechanism.class-edit
org.opensuse.cupspkhelper.mechanism.devices-get
org.opensuse.cupspkhelper.mechanism.job-edit
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove
org.opensuse.cupspkhelper.mechanism.server-settings

Previously, before the new javascript format, one could match all those actions with:
org.opensuse.cupspkhelper.mechanism.*

That doesn’t work with js though, so this is how you can do it:
polkit.addRule(function(action, subject) {
if (action.id.indexOf("org.opensuse.cupspkhelper.mechanism") == 0 &&
subject.isInGroup("wheel") && subject.active) {
return polkit.Result.YES;
}
});

Changes are picked up straight away, so just save the file and test!