I'm trying to figure out how to write a polkit rule for a systemd template unit. The rule is triggered when I use the actual service that will be instantiated (openvpn-client@<instance>.service) but not when I leave out the instance identifier string (openvpn-client@.service).
Here is the complete working rule:
// Lets members of the "wheel" group start, stop or restart one specific
// systemd unit without further authentication.
// NOTE(review): the unit-name literal below looks mangled by the page's e-mail
// obfuscation; replace it with the real unit name, presumably of the form
// openvpn-client@<instance>.service, before using this rule.
polkit.addRule(function(action, subject) {
    var isManageUnits = action.id == "org.freedesktop.systemd1.manage-units";

    // && short-circuits, so the unit lookup and the group check only run for
    // manage-units requests, in the same order as a nested if would.
    if (isManageUnits &&
        action.lookup("unit") == "[email protected]" &&
        subject.isInGroup("wheel")) {
        // Only these three verbs are approved; anything else falls through.
        switch (action.lookup("verb")) {
        case "start":
        case "stop":
        case "restart":
            return polkit.Result.YES;
        }
    }

    // Reached for every request that was not approved above. Returning nothing
    // leaves the decision to later rules and the action's defaults.
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});
My hunch is that I could use a JavaScript regex to match the string between "@" and ".service", but I can't quite figure it out.
My VPN provider has many possible servers, each with its own config (referenced by the openvpn-client@.service template unit file), so I'd really like to not have to write a polkit rule for each instance of the template. Thanks a lot!
Update:
I solved this according to my hunch above, using a regex to test for instances of the template unit. Is this maybe unsafe?
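// Lets members of the "wheel" group start, stop or restart any instance of the
// openvpn-client@.service template without further authentication.
polkit.addRule(function(action, subject) {
    // The pattern is anchored (^ ... $) and the dot is escaped so that only
    // units named exactly openvpn-client@<instance>.service are accepted.
    // Without the anchors, test() succeeds on any unit name that merely
    // contains this text, and an unescaped "." matches any character, so the
    // rule would authorize more units than intended.
    // Instance names are limited to lowercase letters; widen the character
    // class deliberately if your config names use digits or hyphens.
    var instancePattern = /^openvpn-client@[a-z]+\.service$/;

    if (action.id == "org.freedesktop.systemd1.manage-units") {
        var unit = action.lookup("unit");
        // A missing "unit" detail is never treated as a match.
        var instance = typeof unit === "string" && instancePattern.test(unit);
        if (instance === true && subject.isInGroup("wheel")) {
            // Only start/stop/restart are approved; other verbs fall through.
            var verb = action.lookup("verb");
            if (verb == "start" || verb == "stop" || verb == "restart") {
                return polkit.Result.YES;
            }
        }
    }

    // Reached for every request that was not approved above. Returning nothing
    // leaves the decision to later rules and the action's defaults. These two
    // lines are debugging output and can be removed once the rule works.
    polkit.log("action=" + action);
    polkit.log("subject=" + subject);
});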