The polkit
interface provides daemons with the permission to use the polkit authorisation manager (polkitd) to make access control decisions for requests from unprivileged clients.
Interface documentation: See Interface management and Supported interfaces for further details on how interfaces are used.
Auto-connect: no
Attributes:
${action-prefix}.*
.To perform polkit authorisation checks, a daemon needs to do two things:
$SNAP/meta/polkit/${plug_name}.*/policy
describing the actions it will use (codifying the type of administrative access a user might be granted). Snapd will install the policy file when the plug is connected.CheckAuthorization
D-Bus call to polkitd to ask if they have access. The D-Bus call passes a string action ID describing the access, and a “subject” struct describing the client application.There are two primary ways a daemon can describe the subject of the check:
system-bus-name
subject, sending the unique bus name of the client app.unix-process
subject, sending the process ID (as retrieved through SO_PEERCRED
or SCM_CREDENTIALS
).See Proposal: add polkit and polkit-agent interfaces to snapd for the original interface proposal and reasoning.
plugs:
polkit:
action-prefix: org.example.foo
apps:
app:
command: foo
plugs: [polkit]
The test code can be found in the snapd repository: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/polkit.go
The source code for the interface is in the snapd repository: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/polkit.go
Last updated 2 years ago.