
How to limit udisks2 rules to a specific device?




I've never used udisks/udisks2 before because I didn't really need it, but
now I thought I could see what the tool is capable of and give it a chance.

When it comes to mounting devices, I have two simple rules:
1) only root can do it.
2) in some cases only defined users can mount some specific devices.

So I want to forbid all users (except root) to access all devices that people
can possibly plug into a USB port. But devices can be distinguished by, for
instance, some serial number (or something else). I have a USB drive, and I want
it to be accessed and mounted by my regular user without asking me for a
password each time I do so.

So far, I created two UDEV rules:
-------------------------------------
SUBSYSTEMS=="usb", \
  ENV{UDISKS_IGNORE}="1", \
  ENV{UDISKS_AUTO}="0", \
  ENV{UDISKS_SYSTEM}="1"

ATTRS{serial}=="some-serial-number", \
  ENV{UDISKS_IGNORE}="1", \
  ENV{UDISKS_AUTO}="0", \
  ENV{UDISKS_SYSTEM}="0"
-------------------------------------
The two rules do their job. Basically, the first rule marks all USB devices as
internal/system, and the second rule allows only the specific device to be
accessed by a regular user (later on in udisks). This, of course, allows all
regular users (not just me) to mount the device, so it's not really what I want,
but it's close enough to use it in this form.

I've seen that people use something similar to the following rule:
-----------------------------------------
/etc/polkit-1/localauthority/50-local.d/20-udisks2.pkla
-----------------------------------------
[Allow morfik to mount devices]
Identity=unix-user:morfik;
Action=org.freedesktop.udisks2.*;
ResultAny=no
ResultInactive=no
ResultActive=yes
-----------------------------------------
And this is a little bit better than the previous solution because it gives me
the ability to specify users/groups, and only those parties can do some actions,
like for instance mounting a device (to be viewed via pkaction). The problem
here is that I can't choose which devices should be accessed by the identity --
I'm able only to set which actions can be allowed.

In the polkit manual[1], there's an example that would do exactly what I want.
I'm speaking about this:
----------------------------------------------------------------------
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
        action.lookup("drive.vendor") == "SEAGATE" &&
        action.lookup("drive.model") == "ST3300657SS" &&
        subject.isInGroup("engineers")) {
        return polkit.Result.YES;
    }
});
----------------------------------------------------------------------
I bet there's also probably something like:
  action.lookup("drive.serial")
but I don't really know how to get those values yet.

Anyways, I don't think the above rule can be used with the polkit version that's
currently in Debian, which is 0.105. That rule can be used when you deal with
0.106+, and 0.113 is available in the experimental branch, but unfortunately it
can't be installed due to dependency problems.

Is there a way to convert that rule somewhat or is this functionality specific
to the polkit v0.106+?  Or maybe is there another way to achieve what I want?

-- Morfik

[1] https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
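
The following is an added example, not part of the original post and not taken from the polkit or udisks2 documentation: a polkit 0.106+ rule that combines the per-user and per-device conditions discussed above. It assumes udisks2 passes a "drive.serial" variable to polkit (the post only guesses at this); the function and constant names are hypothetical, the user name and serial are the post's own placeholders, and the stand-in Result values exist only so the decision logic can be exercised outside polkitd.

```javascript
// Added example: polkit >= 0.106 JavaScript rule, normally saved as
// /etc/polkit-1/rules.d/<name>.rules.
// Assumptions: the user name and serial are the placeholders from the post,
// and udisks2 is assumed to pass "drive.serial" to polkit.
var ALLOWED_USER = "morfik";
var ALLOWED_SERIAL = "some-serial-number";
var UDISKS_PREFIX = "org.freedesktop.udisks2.";

// Outside polkitd (e.g. under node) there is no "polkit" global, so use
// stand-in result values to make the decision function testable.
var Result = (typeof polkit !== "undefined") ? polkit.Result
    : { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null };

function decideUdisks(action, subject) {
    // Leave every non-udisks2 action to other rules.
    if (action.id.indexOf(UDISKS_PREFIX) != 0) {
        return Result.NOT_HANDLED;
    }
    // The named user, on an active local session, may act on the one
    // drive whose serial matches, without a password prompt.
    if (subject.user == ALLOWED_USER &&
        subject.local && subject.active &&
        action.lookup("drive.serial") == ALLOWED_SERIAL) {
        return Result.YES;
    }
    // Any other user or drive needs administrator authentication.
    return Result.AUTH_ADMIN;
}

if (typeof polkit !== "undefined") {
    polkit.addRule(decideUdisks);
}
```

Unlike the .pkla entry, the decision here depends on both the identity and the drive, and everything else in the udisks2 namespace falls back to administrator authentication.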
