jsauthority: add 'system_unit' subject attribute (!154) · Merge requests · polkit / polkit

Luca Boccassi requested to merge bluca/polkit:check_unit_pid into master Jan 01, 2023

When building with libsystemd support, query the systemd unit name that the process if part of (if any) and add it as a subject attribute. Allows allow-listing actions based on the systemd unit:

 polkit.addRule(function(action, subject) {
     if (action.id.indexOf("org.foo.bar") == 0) {
         if (subject.system_unit == "test.service") {
             return polkit.Result.YES;
         }
     }
 });

We call it system_unit instead of just unit to make it extra clear that this is about system units, rather than user units. If we ran as root we could also query for the user unit, but we are running as the polkitd user in most cases which means we cannot connect to other D-Bus sessions to perform the query.

Edited Jan 01, 2023 by Luca Boccassi

jsauthority: add 'system_unit' subject attribute

Merge request reports