On Wed, 08 Jan 2025 at 12:22:57 +0000, c.bu...@posteo.jp wrote:
> I never understood polkit and only used code snippets copied from the web to
> configure it. With migrating to Trixie I realized that the format of the
> polkit rules changed and now is using a JavaScript like syntax.

The rules file syntax is documented in polkit(8), with examples. Assuming
you mean Debian trixie, you can also find some working examples in
/usr/share/doc/polkitd/examples/. (It is not just Javascript-like, it is
literally Javascript.)

What you seem to be trying to achieve here looks very similar to:
https://sources.debian.org/src/packagekit/1.3.0-2/policy/org.freedesktop.packagekit.rules/

> On Bookworm I used this rule to allow
> the action without being asked for a password:
>
>
> [Color Manager All Users]
> Identity=unix-user:*
> Action=org.freedesktop.color-manager.settings.modify.system;org.freedesktop.color-manager.create-device
> ResultAny=no
> ResultInactive=no
> ResultActive=yes
...
> On Trixie I translated that into this:
>
> /* org.freedesktop.color-manager.create-device */
> polkit.addRule(function(action, subject) {
>     if (action.id == "org.freedesktop.color-manager.create-device") {
>         return polkit.Result.YES;
>     }
>     return polkit.Result.NO;
> });

There are three big differences between this and your previous rule:

* It doesn't match org.freedesktop.color-manager.settings.modify.system

* It isn't checking for an active local session: if you want to do that,
  use "... && subject.active && subject.local", similar to for example
  https://sources.debian.org/src/packagekit/1.3.0-2/policy/org.freedesktop.packagekit.rules/
  and
  https://sources.debian.org/src/network-manager/1.50.1-1/debian/org.freedesktop.NetworkManager.rules/

* If the action doesn't match the ID you expect, you are telling polkit
  to deny permission, but I think what you want is more like "I have no
  opinion on this, try the next rule"

> I do understand that these problems happen because I do "return
> polkit.Result.NO;" in the else branch. But without understanding the whole
> polkit-JS-rule-logic I don't know what else I can put into the else-branch
> to make it work.

If you want the equivalent of your old .pkla file, you should probably
return polkit.Result.NOT_HANDLED (or equivalently, return null, or just
don't return anything and let the function exit).

    smcv
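
The three points from the reply above, applied to the posted rule and compared with it; this is an added example, not code from the original message or from polkit. The `polkit` stand-in object, `evaluate()` and the `org.example.other-action` id are constructed here so the rules can be run under Node.js; polkitd supplies the real `polkit` object.

```javascript
// Stand-in for the object polkitd provides, so the rules can be exercised
// under Node.js. Constructed for this example; omit it from a real rules file.
var polkit = {
    Result: { NO: "no", YES: "yes", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); }
};

// Rules are asked in order; the first one to return a value decides.
function evaluate(rules, actionId, subject) {
    for (var i = 0; i < rules.length; i++) {
        var result = rules[i]({ id: actionId }, subject);
        if (result !== null && result !== undefined) {
            return result;
        }
    }
    return polkit.Result.NOT_HANDLED; // polkit falls back to the action's defaults
}

var COLOR_ACTIONS = [
    "org.freedesktop.color-manager.settings.modify.system",
    "org.freedesktop.color-manager.create-device"
];

// Rule as posted: denies every action that is not create-device.
function postedRule(action, subject) {
    if (action.id == "org.freedesktop.color-manager.create-device") {
        return polkit.Result.YES;
    }
    return polkit.Result.NO;
}

// Rule with the three points from the reply applied.
function revisedRule(action, subject) {
    if (COLOR_ACTIONS.indexOf(action.id) >= 0 &&
            subject.active && subject.local) {
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED; // no opinion, try the next rule
}

// A later rule for an unrelated action (hypothetical id).
function otherRule(action, subject) {
    if (action.id == "org.example.other-action") {
        return polkit.Result.YES;
    }
}

polkit.addRule(revisedRule); // in a rules file: revisedRule plus this call
```

With the posted rule first, `evaluate([postedRule, otherRule], ...)` returns "no" for the unrelated action because the later rule is never consulted; with the revised rule first, the later rule decides.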