/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
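polkit.addRule(function(action, subject) {
    // Let an interactive user manage the machined images, nspawn units and
    // running machines whose names carry that user's own prefix,
    // "user-<username>-". Everything else is left to later rules and the
    // action's implicit authorization (NOT_HANDLED).
    //
    // This file runs inside polkit's embedded JavaScript engine, which is
    // ES5-level: 'var' is used instead of let/const. Every local is declared
    // explicitly, because an undeclared assignment would become a global
    // shared by every rule evaluation in the same engine.
    var user = subject.user;
    var prefix = "user-" + user + "-";

    // True only for a string detail carrying the caller's own prefix.
    // action.lookup() yields undefined for a missing detail; calling
    // startsWith() on undefined would throw and abort rule evaluation
    // instead of falling through to NOT_HANDLED.
    //
    // NOTE(review): this is a plain prefix match. If user names may contain
    // '-', a user whose name is a prefix of another's (say "a" and "a-b")
    // also matches that other user's "user-a-b-..." names; confirm the
    // site's user-naming policy before relying on this for isolation.
    function isOwnedBy(name) {
        return typeof name === 'string' && name.startsWith(prefix);
    }

    var verb;
    var machine;

    if (action.id === 'org.freedesktop.machine1.manage-images') {
        var image = action.lookup('image');
        verb = action.lookup('verb');
        if (isOwnedBy(image)) {
            if (verb === 'rename' || verb === 'clone') {
                // A rename or clone must stay inside the user's namespace:
                // the target name needs the same prefix as the source.
                var newName = action.lookup('new_name');
                if (isOwnedBy(newName)) {
                    polkit.log(user + ': ' + verb + ' ' + image + ' ' + newName);
                    return polkit.Result.YES;
                }
            } else {
                polkit.log(user + ': ' + image + ' ' + verb);
                return polkit.Result.YES;
            }
        }
    } else if (action.id === 'org.freedesktop.systemd1.manage-units') {
        // Only the nspawn instance units named after the user's own
        // machines, i.e. systemd-nspawn@user-<username>-<name>.service.
        var unit = action.lookup('unit');
        verb = action.lookup('verb');
        if (typeof unit === 'string' && unit.startsWith("systemd-nspawn@" + prefix)) {
            polkit.log(user + ': ' + unit + ' ' + verb);
            return polkit.Result.YES;
        }
    } else if (action.id === 'org.freedesktop.machine1.shell') {
        machine = action.lookup('machine');
        if (isOwnedBy(machine)) {
            polkit.log(user + ': ' + machine + ' shell');
            return polkit.Result.YES;
        }
    } else if (action.id === 'org.freedesktop.machine1.manage-machines') {
        machine = action.lookup('machine');
        verb = action.lookup('verb');
        if (isOwnedBy(machine)) {
            if (verb === 'copy' || verb === 'bind') {
                // machined opens the source file as root, and the source
                // path is chosen by the caller; do not grant this on the
                // strength of the machine name alone, leave it to the
                // default policy.
                return polkit.Result.NOT_HANDLED;
            } else {
                polkit.log(user + ': ' + machine + ' ' + verb);
                return polkit.Result.YES;
            }
        }
    }
    return polkit.Result.NOT_HANDLED;
});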
// vim: syntax=javascript sw=4 et