Add polkit support

This allows non-root users access to the rpm-ostree daemon, which is
a pre-requirement for gnome-software rpm-ostree support.

Closes: #745

Closes: #825
Approved by: cgwalters

Makefile-daemon.am

@@ -105,8 +105,12 @@ servicedir       = $(dbusservicedir)
 %.service: %.service.in Makefile
 	$(SED_SUBST) $@.in > $@.tmp && mv $@.tmp $@
 
+polkit_policy_DATA = $(srcdir)/src/daemon/org.projectatomic.rpmostree1.policy
+polkit_policydir = $(datadir)/polkit-1/actions
+
 EXTRA_DIST += \
 	$(dbusservice_DATA) \
+	$(polkit_policy_DATA) \
 	$(service_in_files) \
 	$(systemdunit_in_files) \
 	$(NULL)

configure.ac

@@ -88,6 +88,7 @@ PKG_CHECK_MODULES(PKGDEP_GIO_UNIX, [gio-unix-2.0])
 PKG_CHECK_MODULES(PKGDEP_RPMOSTREE, [gio-unix-2.0 >= 2.40.0 json-glib-1.0
 				     ostree-1 >= 2017.4
 				     libsystemd
+				     polkit-gobject-1
 				     rpm librepo
 				     libarchive])
 dnl bundled libdnf

packaging/rpm-ostree.spec.in

@@ -21,6 +21,7 @@ BuildRequires: pkgconfig(json-glib-1.0)
 BuildRequires: pkgconfig(rpm)
 BuildRequires: pkgconfig(libarchive)
 BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(polkit-gobject-1)
 BuildRequires: libcap-devel
 BuildRequires: libattr-devel
 
@@ -115,7 +116,8 @@ python autofiles.py > files \
   '%{_sysconfdir}/dbus-1/system.d/*' \
   '%{_prefix}/lib/systemd/system/*' \
   '%{_libexecdir}/rpm-ostree*' \
-  '%{_datadir}/dbus-1/system-services'
+  '%{_datadir}/dbus-1/system-services' \
+  '%{_datadir}/polkit-1/actions/org.projectatomic.rpmostree1.policy'
 python autofiles.py > files.devel \
   '%{_libdir}/lib*.so' \
   '%{_includedir}/*' \

src/daemon/org.projectatomic.rpmostree1.conf

@@ -10,12 +10,16 @@
     <allow send_destination="org.projectatomic.rpmostree1"/>
   </policy>
 
+  <!-- Allow anyone to call into the service - we'll reject callers using PolicyKit -->
   <policy context="default">
     <deny send_destination="org.projectatomic.rpmostree1"/>
 
     <allow send_destination="org.projectatomic.rpmostree1"
            send_interface="org.freedesktop.DBus.Introspectable"/>
 
+    <allow send_destination="org.projectatomic.rpmostree1"
+           send_interface="org.freedesktop.DBus.ObjectManager"/>
+
     <allow send_destination="org.projectatomic.rpmostree1"
            send_interface="org.freedesktop.DBus.Peer"/>
 
@@ -27,6 +31,9 @@
            send_interface="org.freedesktop.DBus.Properties"
            send_member="GetAll"/>
 
+    <allow send_destination="org.projectatomic.rpmostree1"
+           send_interface="org.projectatomic.rpmostree1.OS"/>
+
     <allow send_destination="org.projectatomic.rpmostree1"
            send_interface="org.projectatomic.rpmostree1.Sysroot"
            send_member="GetOS"/>

src/daemon/org.projectatomic.rpmostree1.policy

@@ -0,0 +1,120 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
+<policyconfig>
+
+  <vendor>Project Atomic</vendor>
+  <vendor_url>https://www.projectatomic.io/</vendor_url>
+  <icon_name>package-x-generic</icon_name>
+
+  <action id="org.projectatomic.rpmostree1.install-uninstall-packages">
+    <description>Install and remove packages</description>
+    <message>Authentication is required to install and remove software</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.install-local-packages">
+    <description>Install local packages</description>
+    <message>Authentication is required to install software</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.override">
+    <description>Override packages</description>
+    <message>Authentication is required to override base OS software</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.deploy">
+    <description>Update base OS</description>
+    <message>Authentication is required to update software</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.upgrade">
+    <description>Update base OS</description>
+    <message>Authentication is required to update software</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.rebase">
+    <description>Switch to a different base OS</description>
+    <message>Authentication is required to switch to a different base OS</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.rollback">
+    <description>Rollback OS updates</description>
+    <message>Authentication is required to roll back software updates</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.bootconfig">
+    <description>Change boot configuration</description>
+    <message>Authentication is required to change boot configuration</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.cleanup">
+    <description>Clear cache</description>
+    <message>Authentication is required to clear cache / pending data</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+
+  <action id="org.projectatomic.rpmostree1.repo-refresh">
+    <description>Refresh repository metadata</description>
+    <message>Authentication is required to check available updates</message>
+    <icon_name>package-x-generic</icon_name>
+    <defaults>
+      <allow_any>auth_admin</allow_any>
+      <allow_inactive>auth_admin</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
+    </defaults>
+  </action>
+</policyconfig>