Scope polkit actions to require the privileged group

Kira Bruneau
2022-07-27 19:32:18 -04:00
committed by afayaz-feral
parent 898ab01924
commit 337f1b8a8e
4 changed files with 32 additions and 10 deletions


@@ -54,13 +54,21 @@ configure_file(
)
# Install the Polkit action file in all cases
configure_file(
input: 'polkit/actions/com.feralinteractive.GameMode.policy.in',
output: 'com.feralinteractive.GameMode.policy',
configuration: data_conf,
install_dir: path_polkit_action_dir,
)
# Install the Polkit action & rule files for the privileged gamemode group
if with_privileged_group != ''
configure_file(
input: 'polkit/actions/com.feralinteractive.GameMode.policy.in',
output: 'com.feralinteractive.GameMode.policy',
configuration: data_conf,
install_dir: path_polkit_action_dir,
)
configure_file(
input: 'polkit/rules.d/gamemode.rules.in',
output: 'gamemode.rules',
configuration: data_conf,
install_dir: path_polkit_rule_dir,
)
endif
# Install the helper run script
install_data(
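Review bot: The `if with_privileged_group != ''` block leaves the empty-group case undocumented: in that configuration neither the action file nor the rule is installed, and nothing here says what then governs `cpugovctl` and `gpuclockctl`. This assumes the conditional block is the new side, which the commit title and the larger new-side count suggest but the rendered page does not mark. As far as I know, pkexec without a matching action falls back to polkit's generic `org.freedesktop.policykit.exec` policy, so those builds would prompt for admin credentials or fail when no agent is present. I would state that above the `if`, for example `# With no privileged group set, no GameMode polkit action or rule is installed; pkexec then applies polkit's generic exec policy to the helpers`. The definition of `with_privileged_group` and the `install_data(` call that follows are outside the hunk.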


@@ -18,7 +18,7 @@
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
<allow_active>no</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">@LIBEXECDIR@/cpugovctl</annotate>
</action>
@@ -29,7 +29,7 @@
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
<allow_active>no</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">@LIBEXECDIR@/gpuclockctl</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
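Review bot: With `<allow_active>no</allow_active>` in both the governor-helper and gpu-helper actions, all three defaults are `no`, so authorization rests entirely on a separate rule being installed and evaluated by polkit. This assumes `no` is the new value, as the commit title implies; the page prints both values without markers. If the rule is missing or not loaded, both helpers are refused outright with no authentication fallback, and nothing in this file tells an administrator why. I would add a comment above each `<defaults>` such as `<!-- Denied by default; access is granted only to the privileged group via rules.d/gamemode.rules -->`. The gpu-helper `<action>` element continues past the end of the second hunk.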


@@ -0,0 +1,12 @@
/*
* Allow users in privileged gamemode group to run cpugovctl &
* gpuclockctl without authentication
*/
polkit.addRule(function (action, subject) {
if ((action.id == "com.feralinteractive.GameMode.governor-helper" ||
action.id == "com.feralinteractive.GameMode.gpu-helper") &&
subject.isInGroup("@GAMEMODE_PRIVILEGED_GROUP@"))
{
return polkit.Result.YES;
}
});
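Review bot: The rule returns `polkit.Result.YES` on group membership alone and never checks `subject.active` or `subject.local`, which is wider than the header comment conveys. A member of the group can therefore run both root helpers without authentication from any session, including remote or inactive ones, where the policy defaults shown earlier in this commit only ever considered the active session. That may be deliberate, for instance if the daemon runs outside a login session, but it should be stated so packagers treat group membership as a standing privilege. I would extend the header comment with ` * NOTE: applies to any session (local, remote, inactive); membership of this group is equivalent to passwordless use of these helpers.`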