Add unprivileged manipulation of storage devices

piotrcki · Sep 19, 2022 · ce7877c · ce7877c
1 parent 6c8abad
commit ce7877c
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ Here are some typical use-cases where Airgap OS may be useful:
 * Debian bullseye based Linux with MATE Desktop.
 * x86-64 architecture (open an issue if you need another one).
 * LibreOffice, VLC, GIMP and other usual tools.
+* Unprivileged manipulation of storage devices.
 * Only 1G of RAM required.
 * [Keepass2](https://keepass.info/).
 * [steghide](http://steghide.sourceforge.net/).

diff --git a/build-stage2-available.d/74allow-disk-operations.sh b/build-stage2-available.d/74allow-disk-operations.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+#   Copyright (C) 2021 Piotr Chmielnicki
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 3 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, write to the Free Software Foundation,
+#   Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301  USA
+
+set -e
+set -x
+
+cd "$(dirname $(readlink -f "${0}"))"/..
+
+if [ "${BUILD_STAGE}" != 2 ]
+then
+    echo "Error: this script should no be run manually." >&2
+    exit -1
+fi
+
+cp conf/udisk-polkit.rules "${USERLAND_ROOT}/etc/polkit-1/localauthority/10-vendor.d/"
diff --git a/build-stage2-enabled.d/74allow-disk-operations.sh b/build-stage2-enabled.d/74allow-disk-operations.sh
@@ -0,0 +1 @@
+../build-stage2-available.d/74allow-disk-operations.sh
diff --git a/conf/udisk-polkit.rules b/conf/udisk-polkit.rules
@@ -0,0 +1,19 @@
+addRule(function(action, subject) {
+    var authorized = ["org.freedesktop.udisks2.filesystem-mount",
+    "org.freedesktop.udisks2.encrypted-unlock",
+    "org.freedesktop.udisks2.encrypted-change-passphrase",
+    "org.freedesktop.udisks2.power-off-drive",
+    "org.freedesktop.udisks2.eject-media",
+    "org.freedesktop.udisks2.modify-device",
+    "org.freedesktop.udisks2.rescan",
+    "org.freedesktop.udisks2.ata-smart-update",
+    "org.freedesktop.udisks2.ata-secure-erase",
+    "org.freedesktop.udisks2.cancel-job"];
+
+    for (var i = 0; i < authorized.length; i++) {
+        if (action.id === authorized[i]) {
+            return polkit.Result.YES;
+        }
+    }
+    return polkit.Result.NOT_HANDLED;
+});
diff --git a/packages.txt b/packages.txt
@@ -4,6 +4,7 @@ caja-seahorse
 console-data
 firmware-linux-nonfree
 git
+gnome-disk-utility
 htop
 hunspell-af
 hunspell-an