require that policy files also provide a <message> element
Declaring an action now requires two textual elements (that both are
subject to translation):
description: This is intended to be used in policy editors, for
example "Mount internal volumes".
message: This is to be used in auth dialogs, for example "System
Policy prevents mounting this internal volume".
This is actually needed for security reasons. The idea is that the
desktop environment can provide infrastructure that Callers
(e.g. applications) can use to ask the user to authenticate to gain a
privilege. One such example is PolicyKit-gnome; it's a D-Bus session
based service that applications can use to ask the user to
auth.
Before this change the caller provided the markup, e.g. gnome-mount
would do
action = "hal-storage-mount-fixed";
markup = _("System policy prevents mounting internal drives");
result = org.gnome.PolicyKit.ShowDialog (action, markup);
and the problem here is that any application in the session can spoof
the dialog by providing false information and getting to use to click
through on that.
With this change, where the org.gnome.PolicyKit auth service reads the
message from a system-controlled file, this can't happen. What the
user sees really reflects the action he's asking to consider allowing
to happen.
Especially with things like XACE (previously known as SEX) this is
important as we can make the process providing the D-Bus service
org.gnome.PolicyKit run in a dedicated security context, audit it to
make sure it's secure. Then have the window manager paint trust window
decorations or other things to make the user feel fuzzy, warm and
safe.
Btw, with this change the PolicyKit-gnome API will be simplified to
action = "hal-storage-mount-fixed";
result = org.gnome.PolicyKit.ShowDialog (action);
which is just about as simple as it can get.
Credit goes to Ryan Lortie <desrt@desrt.ca> for pointing this out
on #gnome-hackers earlier this morning.
projects / platform / upstream / polkit.git / commit