mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-26 22:36:59 -05:00
335 lines
16 KiB
XML
335 lines
16 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
|
|
<policyconfig>
|
|
<!--
|
|
Policy definitions for Flatpak system actions.
|
|
Copyright (c) 2016 Alexander Larsson <alexl@redhat.com>
|
|
|
|
Modified by Kicksecure.
|
|
Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
|
See the file COPYING for copying conditions.
|
|
-->
|
|
<vendor>The Flatpak Project</vendor>
|
|
<vendor_url>https://github.com/flatpak/flatpak</vendor_url>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<action id="org.freedesktop.Flatpak.app-install">
|
|
<!-- SECURITY:
|
|
- Normal users need admin authentication to install software
|
|
system-wide.
|
|
- Note that we install polkit rules that allow local users
|
|
in the wheel group to install without authenticating.
|
|
- KICKSECURE: The polkit rules mentioned above are intentionally
|
|
removed so as to require authorization.
|
|
-->
|
|
<description>Install signed application</description>
|
|
<message>Authentication is required to install software</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.app-update org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.runtime-install">
|
|
<!-- SECURITY:
|
|
- Normal users need admin authentication to install software
|
|
system-wide.
|
|
- Note that we install polkit rules that allow local users
|
|
in the wheel group to install without authenticating.
|
|
- KICKSECURE: The polkit rules mentioned above are intentionally
|
|
removed so as to require authorization.
|
|
-->
|
|
<description>Install signed runtime</description>
|
|
<message>Authentication is required to install software</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-update</annotate>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.app-update">
|
|
<!-- SECURITY:
|
|
- Normal users do not require admin authentication to update an
|
|
app as the commit will be signed, and the action is required
|
|
to update the system when unattended.
|
|
- Changing this to anything other than 'yes' will break unattended
|
|
updates.
|
|
- KICKSECURE: Intentionally breaking unattended updates and setting
|
|
this to 'auth_admin_keep'. Updates should be installed manually,
|
|
using a sysmaint session if applicable.
|
|
-->
|
|
<description>Update signed application</description>
|
|
<message>Authentication is required to update software</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.runtime-update">
|
|
<!-- SECURITY:
|
|
- Normal users do not require admin authentication to update a
|
|
runtime as the commit will be signed, and the action is required
|
|
to update the system when unattended.
|
|
- Changing this to anything other than 'yes' will break unattended
|
|
updates.
|
|
- KICKSECURE: Intentionally breaking unattended updates and setting
|
|
this to 'auth_admin_keep'. Updates should be installed manually,
|
|
using a sysmaint session if applicable.
|
|
-->
|
|
<description>Update signed runtime</description>
|
|
<message>Authentication is required to update software</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.update-remote">
|
|
<!-- SECURITY:
|
|
- Normal users do not need authentication to update metadata
|
|
from signed repositories.
|
|
- KICKSECURE: Requiring authorization to update metadata even from
|
|
signed repositories.
|
|
-->
|
|
<description>Update remote metadata</description>
|
|
<message>Authentication is required to update remote info</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.modify-repo">
|
|
<!-- SECURITY:
|
|
- Normal users do not need authentication to modify the
|
|
OSTree repository
|
|
- Note that we install polkit rules that allow local users
|
|
in the wheel group to modify repos without authenticating.
|
|
- KICKSECURE: The polkit rules mentioned above are intentionally
|
|
removed so as to require authorization.
|
|
- KICKSECURE: Requiring authorization to modify the OSTree
|
|
repository.
|
|
-->
|
|
<description>Update system repository</description>
|
|
<message>Authentication is required to modify a system repository</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.install-bundle">
|
|
<!-- SECURITY:
|
|
- Normal users need admin authentication to install software
|
|
system-wide.
|
|
-->
|
|
<description>Install bundle</description>
|
|
<message>Authentication is required to install software from $(path)</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.runtime-uninstall">
|
|
<!-- SECURITY:
|
|
- Normal users need admin authentication to uninstall software
|
|
system-wide.
|
|
- Note that we install polkit rules that allow local users
|
|
in the wheel group to uninstall without authenticating.
|
|
- KICKSECURE: The polkit rules mentioned above are intentionally
|
|
removed so as to require authorization.
|
|
-->
|
|
<description>Uninstall runtime</description>
|
|
<message>Authentication is required to uninstall software</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.app-uninstall">
|
|
<!-- SECURITY:
|
|
- Normal users need admin authentication to uninstall software
|
|
system-wide.
|
|
- Note that we install polkit rules that allow local users
|
|
in the wheel group to uninstall without authenticating.
|
|
- KICKSECURE: The polkit rules mentioned above are intentionally
|
|
removed so as to require authorization.
|
|
-->
|
|
<description>Uninstall app</description>
|
|
<message>Authentication is required to uninstall $(ref)</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-uninstall</annotate>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.configure-remote">
|
|
<!-- SECURITY:
|
|
- Normal users need admin authentication to configure system-wide
|
|
software repositories.
|
|
-->
|
|
<description>Configure Remote</description>
|
|
<message>Authentication is required to configure software repositories</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.configure">
|
|
<!-- SECURITY:
|
|
- Normal users need admin authentication to configure the system-wide
|
|
Flatpak installation.
|
|
-->
|
|
<description>Configure</description>
|
|
<message>Authentication is required to configure software installation</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.appstream-update">
|
|
<!-- SECURITY:
|
|
- Normal users do not require admin authentication to update
|
|
appstream data as it will be signed, and the action is required
|
|
to update the system when unattended.
|
|
- Changing this to anything other than 'yes' will break unattended
|
|
updates.
|
|
- KICKSECURE: Intentionally breaking unattended updates and setting
|
|
this to 'auth_admin_keep'. Updates should be installed manually,
|
|
using a sysmaint session if applicable.
|
|
-->
|
|
<description>Update appstream</description>
|
|
<message>Authentication is required to update information about software</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.metadata-update">
|
|
<!-- SECURITY:
|
|
- Normal users do not require admin authentication to update
|
|
metadata as it will be signed, and the action is required
|
|
to update the system when unattended.
|
|
- Changing this to anything other than 'yes' will break unattended
|
|
updates.
|
|
- KICKSECURE: Intentionally breaking unattended updates and setting
|
|
this to 'auth_admin_keep'. Updates should be installed manually,
|
|
using a sysmaint session if applicable.
|
|
-->
|
|
<description>Update metadata</description>
|
|
<message>Authentication is required to update metadata</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.override-parental-controls">
|
|
<!-- SECURITY:
|
|
- Authorisation to actually install software is controlled by
|
|
org.freedesktop.Flatpak.app-install.
|
|
- This action is checked after app-install, as it can only be done
|
|
once the app___s data (including its content rating) has been
|
|
downloaded.
|
|
- This action is checked to see if the installation should be allowed
|
|
based on whether the app being installed has content which doesn___t
|
|
comply with the user___s parental controls policy (the content is
|
|
___too extreme___).
|
|
- It is checked only if an app has too extreme content for the user
|
|
who is trying to install it (in which case, the app is ___unsafe___).
|
|
- Typically, normal users will need admin permission to install apps
|
|
with extreme content; admins will be able to install it without
|
|
additional checks.
|
|
- In order to configure the policy so that admins can install safe and
|
|
unsafe software anywhere without authorisation, and non-admins can
|
|
install safe software in their user or system dirs without
|
|
authorisation, but need authorisation to install unsafe software
|
|
anywhere:
|
|
* Unconditionally return `yes` from `app-install`.
|
|
* Return `auth_admin` from `override-parental-controls` for users
|
|
not in `@privileged_group@`, and `yes` for users in it.
|
|
* Set the malcontent `is-{user,system}-installation-allowed`
|
|
properties of all non-admins___ parental controls policies to true.
|
|
- In order to configure the policy so that admins can install safe and
|
|
unsafe software anywhere without authorisation, and non-admins can
|
|
install safe software in their user dir without authorisation, but
|
|
need authorisation to install safe software in the system dir or to
|
|
install unsafe software anywhere:
|
|
* Unconditionally return `yes` from `app-install`.
|
|
* Return `auth_admin` from `override-parental-controls` for users
|
|
not in `@privileged_group@`, and `yes` for users in it.
|
|
* Set the malcontent `is-user-installation-allowed` property of all
|
|
non-admins___ parental controls policies to true.
|
|
* Set the malcontent `is-system-installation-allowed` property of
|
|
all non-admins___ parental controls policies to false.
|
|
- In order to configure the policy so that all users (including
|
|
admins) can install safe software anywhere without authorisation,
|
|
but need authorisation to install unsafe software anywhere (i.e.
|
|
applying parental controls to admins too):
|
|
* Unconditionally return `yes` from `app-install`.
|
|
* Unconditionally return `auth_admin` from `override-parental-controls`.
|
|
* Set the malcontent `is-user-installation-allowed` property of all
|
|
users___ parental controls policies to true.
|
|
* Set the malcontent `is-system-installation-allowed` property of
|
|
all users___ parental controls policies to true.
|
|
-->
|
|
<description>Override parental controls for installs</description>
|
|
<message>Authentication is required to install software which is restricted by your parental controls policy</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin</allow_active>
|
|
</defaults>
|
|
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.override-parental-controls-update</annotate>
|
|
</action>
|
|
<action id="org.freedesktop.Flatpak.override-parental-controls-update">
|
|
<!-- SECURITY:
|
|
- This is like org.freedesktop.Flatpak.override-parental-controls, but
|
|
it___s queried for app updates, whereas the former is queried for app
|
|
installs.
|
|
- As with the above action, this one is only queried if
|
|
org.freedesktop.Flatpak.app-update has allowed the app update, and
|
|
only if the app being updated has too extreme content for the user
|
|
who is trying to update it.
|
|
- The default policy for this is to *allow* updates to ___too extreme___
|
|
apps by default, on the basis that having an out-of-date (i.e.
|
|
insecure or unsupported) app is a worse outcome than automatically
|
|
installing an update which has radically different content from the
|
|
version of the app which the parent originally vetted and installed.
|
|
- KICKSECURE: Setting to 'auth_admin_keep' for the sake of always
|
|
requiring authorization to modify the system's software.
|
|
-->
|
|
<description>Override parental controls for updates</description>
|
|
<message>Authentication is required to update software which is restricted by your parental controls policy</message>
|
|
<icon_name>package-x-generic</icon_name>
|
|
<defaults>
|
|
<allow_any>auth_admin</allow_any>
|
|
<allow_inactive>auth_admin</allow_inactive>
|
|
<allow_active>auth_admin_keep</allow_active>
|
|
</defaults>
|
|
</action>
|
|
</policyconfig>
|