Translate Polkit permissions/rules from pkla into JS-rules
Simon McVittie
smcv at collabora.com
Wed Jan 8 14:43:59 UTC 2025
On Wed, 08 Jan 2025 at 12:22:57 +0000, c.buhtz at posteo.jp wrote:
> I never understood polkit and only used code snippets copied from the web to
> configure it. With migrating to Trixie I realized that the format of the
> polkit rules changed and now is using a JavaScript like syntax.
The rules file syntax is documented in polkit(8), with examples.
Assuming you mean Debian trixie, you can also find some working examples
in /usr/share/doc/polkitd/examples/.
(It is not just Javascript-like, it is literally Javascript.)
What you seem to be trying to achieve here looks very similar to:
https://sources.debian.org/src/packagekit/1.3.0-2/policy/org.freedesktop.packagekit.rules/
> On Bookworm I used this rule to allow
> the action without being asked for a password:
>
>
> [Color Manager All Users]
> Identity=unix-user:*
> Action=org.freedesktop.color-manager.settings.modify.system;org.freedesktop.color-manager.create-device
> ResultAny=no
> ResultInactive=no
> ResultActive=yes
...
> On Trixie I translated that into this:
>
> /* org.freedesktop.color-manager.create-device */
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.color-manager.create-device") {
>         return polkit.Result.YES;
>     }
>     return polkit.Result.NO;
> });
There are three big differences between this and your previous rule:
* It doesn't match org.freedesktop.color-manager.settings.modify.system
* It isn't checking for an active local session: if you want to do that,
use "... && subject.active && subject.local", similar to
for example
https://sources.debian.org/src/packagekit/1.3.0-2/policy/org.freedesktop.packagekit.rules/
and
https://sources.debian.org/src/network-manager/1.50.1-1/debian/org.freedesktop.NetworkManager.rules/
* If the action doesn't match the ID you expect, you are telling polkit to
deny permission, but I think what you want is more like
"I have no opinion on this, try the next rule"
> I do understand that these problems happen because I do "return
> polkit.Result.NO;" in the else branch. But without understanding the whole
> polkit-JS-rule-logic I don't know what else I can put into the else-branch
> to make it work.
If you want the equivalent of your old .pkla file, you should probably
return polkit.Result.NOT_HANDLED (or equivalently, return null, or just
don't return anything and let the function exit).
smcv
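The translation the reply describes, written out as an added example (not code from the original message or from polkit): the rule matches both action IDs from the .pkla, requires an active local session, and returns NOT_HANDLED otherwise. The `polkit` object and the `evaluate()` helper are constructed stand-ins so the rule can be exercised offline with node; real polkitd supplies `polkit` itself.

```javascript
// Constructed stand-in for the polkit global, for offline testing only.
// polkitd provides the real object; only the parts the rule uses are here.
var polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); }
};

// Equivalent of the Bookworm .pkla:
//   Identity=unix-user:*
//   Action=org.freedesktop.color-manager.settings.modify.system;org.freedesktop.color-manager.create-device
//   ResultActive=yes
// Kept to ES5 syntax, as polkit's JS engine expects.
polkit.addRule(function (action, subject) {
  var ids = [
    "org.freedesktop.color-manager.settings.modify.system",
    "org.freedesktop.color-manager.create-device"
  ];
  if (ids.indexOf(action.id) !== -1 && subject.active && subject.local) {
    return polkit.Result.YES;
  }
  // No opinion: let the next rule, or the action's own defaults, decide.
  return polkit.Result.NOT_HANDLED;
});

// Constructed helper mimicking how polkitd consults rules: the first rule
// that returns something other than null/undefined decides the result.
function evaluate(actionId, subject) {
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i]({ id: actionId }, subject);
    if (r !== null && r !== undefined) {
      return r;
    }
  }
  return polkit.Result.NOT_HANDLED;
}
```

An unrelated action, or a matching action from an inactive or remote session, yields NOT_HANDLED here, so polkit falls back to the action's defaults instead of the blanket NO from the original translation.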