The polkit
interface provides daemons with the permission to use the polkit authorisation manager (polkitd) to make access control decisions for requests from unprivileged clients.
See Interface management and Supported interfaces for further details on how interfaces are used.
Auto-connect: no
Super-privileged: yes
Attributes:
${action-prefix}.*
.To perform polkit authorisation checks, a daemon needs to do two things:
$SNAP/meta/polkit/${plug_name}.*.policy
describing the actions it will use (codifying the type of administrative access a user might be granted). Snapd will install the policy file when the plug is connected.CheckAuthorization
D-Bus call to polkitd to ask if they have access. The D-Bus call passes a string action ID describing the access, and a “subject” struct describing the client application.There are two primary ways a daemon can describe the subject of the check:
system-bus-name
subject, sending the unique bus name of the client app.unix-process
subject, sending the process ID (as retrieved through SO_PEERCRED
or SCM_CREDENTIALS
).See Proposal: add polkit and polkit-agent interfaces to snapd for the original interface proposal and reasoning.
plugs:
polkit:
action-prefix: org.example.foo
apps:
app:
command: foo
plugs: [polkit]
The test code can be found in the snapd repository: snapd/interfaces/builtin/polkit_test.go at master · canonical/snapd · GitHub
The source code for the interface is in the snapd repository: snapd/interfaces/builtin/polkit.go at master · canonical/snapd · GitHub
Last updated 2 months ago.