gardesk/garcard / 1b4a165

+// Temporary validation override for Sprint 03 NetworkManager challenge testing.

+//

+// Install as:

+//   sudo install -m644 examples/force-networkmanager-auth-admin.rules \

+//     /etc/polkit-1/rules.d/00-garcard-networkmanager-auth.rules

+//   sudo systemctl restart polkit

+//

+// Remove after validation:

+//   sudo rm -f /etc/polkit-1/rules.d/00-garcard-networkmanager-auth.rules

+//   sudo systemctl restart polkit

+//

+// This rule forces admin authentication for NetworkManager actions even when

+// host rules would otherwise auto-authorize networkmanager-group members.

+polkit.addRule(function(action, subject) {

+  if (action.id.indexOf("org.freedesktop.NetworkManager.") === 0) {

+    return polkit.Result.AUTH_ADMIN_KEEP;

+  }

+});

+5. Host policy root-cause confirmation:

+   - `/etc/static/polkit-1/rules.d/10-nixos.rules` contains:

+     - `subject.isInGroup("networkmanager")` + `org.freedesktop.NetworkManager.*` -> `polkit.Result.YES`

+   - session user groups include `networkmanager` (`id` output), so NetworkManager probes bypass challenge by design.

+

+## Deferred Caveat Closure Plan

+1. Use `examples/force-networkmanager-auth-admin.rules` as temporary override.

+2. Install and reload policy:

+   - `sudo install -m644 examples/force-networkmanager-auth-admin.rules /etc/polkit-1/rules.d/00-garcard-networkmanager-auth.rules`

+   - `sudo systemctl restart polkit`

+3. Re-run probe while daemon is active:

+   - `pkcheck --allow-user-interaction --process $$ --action-id org.freedesktop.NetworkManager.settings.modify.system`

+4. Expect callback logs from `garcard` auth request processing path.

+5. Remove override and restart polkit after validation.

+3. NetworkManager challenge suppression cause is identified and reproducible.

+4. A deterministic override path is documented to force and validate the callback path on this host.