Polkit rules to fix #1201 and improve network permissions avoiding the nm workaround (#1205)

* installer: use polkit for permissions

* update dependencies

* docs update

docs/Troubleshooting/Network.md

@@ -30,26 +30,30 @@ this line may appear in KlipperScreen.log:
     [wifi_nm.py:rescan()] [...] NetworkManager.wifi.scan request failed: not authorized
     ```
 
+if version of KlipperScreen installed was previous than v0.3.8, then re-run the installer and reboot
 
-in order to fix this polkit needs to be configured or disabled:
 
-here is how to disable polkit for network-manager:
+??? Alternative workaround for network-manager
 
-```sh
+    in order to fix this polkit needs to be configured or disabled:
-mkdir -p /etc/NetworkManager/conf.d
-sudo nano /etc/NetworkManager/conf.d/any-user.conf
-```
 
-in the editor paste this:
+    here is how to disable polkit for network-manager:
 
-```ini
+    ```sh
-[main]
+    mkdir -p /etc/NetworkManager/conf.d
-auth-polkit=false
+    sudo nano /etc/NetworkManager/conf.d/any-user.conf
-```
+    ```
 
-Then restart the service (or reboot):
+    in the editor paste this:
 
-```sh
+    ```ini
-systemctl restart NetworkManager.service
+    [main]
-systemctl restart KlipperScreen.service
+    auth-polkit=false
-```
+    ```
+
+    Then restart the service (or reboot):
+
+    ```sh
+    systemctl restart NetworkManager.service
+    systemctl restart KlipperScreen.service
+    ```

scripts/KlipperScreen-install.sh

@@ -9,7 +9,7 @@ FBDEV="xserver-xorg-video-fbdev"
 PYTHON="python3-virtualenv virtualenv python3-distutils"
 PYGOBJECT="libgirepository1.0-dev gcc libcairo2-dev pkg-config python3-dev gir1.2-gtk-3.0"
 MISC="librsvg2-common libopenjp2-7 wireless-tools libdbus-glib-1-dev autoconf"
-OPTIONAL="xserver-xorg-legacy fonts-nanum fonts-ipafont libmpv-dev"
+OPTIONAL="xserver-xorg-legacy fonts-nanum fonts-ipafont libmpv-dev policykit-1 network-manager"
 
 Red='\033[0;31m'
 Green='\033[0;32m'
@@ -152,9 +152,82 @@ install_systemd_service()
     sudo systemctl enable KlipperScreen
 }
 
-modify_user()
+create_policy()
 {
-    sudo usermod -a -G tty $USER
+    POLKIT_DIR="/etc/polkit-1/rules.d"
+    POLKIT_USR_DIR="/usr/share/polkit-1/rules.d"
+
+    echo_text "Installing KlipperScreen PolicyKit Rules"
+    sudo groupadd -f klipperscreen
+    sudo groupadd -f tty
+    if [ ! -x "$(command -v pkaction)" ]; then
+        echo "PolicyKit not installed"
+        return
+    fi
+
+    POLKIT_VERSION="$( pkaction --version | grep -Po "(\d+\.?\d*)" )"
+    echo_text "PolicyKit Version ${POLKIT_VERSION} Detected"
+    if [ "$POLKIT_VERSION" = "0.105" ]; then
+        # install legacy pkla
+        create_policy_legacy
+        return
+    fi
+
+    RULE_FILE=""
+    if [ -d $POLKIT_USR_DIR ]; then
+        RULE_FILE="${POLKIT_USR_DIR}/KlipperScreen.rules"
+    elif [ -d $POLKIT_DIR ]; then
+        RULE_FILE="${POLKIT_DIR}/KlipperScreen.rules"
+    else
+        echo "PolicyKit rules folder not detected"
+        exit 1
+    fi
+    echo_text "Installing PolicyKit Rules to ${RULE_FILE}..."
+
+    KS_GID=$( getent group klipperscreen | awk -F: '{printf "%d", $3}' )
+    sudo /bin/sh -c "cat > ${RULE_FILE}" << EOF
+// Allow KlipperScreen to reboot, shutdown, etc
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.login1.power-off" ||
+         action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
+         action.id == "org.freedesktop.login1.reboot" ||
+         action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
+         action.id == "org.freedesktop.login1.halt" ||
+         action.id == "org.freedesktop.login1.halt-multiple-sessions" ||
+         action.id == "org.freedesktop.NetworkManager.wifi.scan" ||
+         action.id.startsWith("org.freedesktop.packagekit.")) &&
+        subject.user == "$USER") {
+        // Only allow processes with the "klipperscreen" supplementary group
+        // access
+        var regex = "^Groups:.+?\\\s$KS_GID[\\\s\\\0]";
+        var cmdpath = "/proc/" + subject.pid.toString() + "/status";
+        try {
+            polkit.spawn(["grep", "-Po", regex, cmdpath]);
+            return polkit.Result.YES;
+        } catch (error) {
+            return polkit.Result.NOT_HANDLED;
+        }
+    }
+});
+EOF
+}
+
+create_policy_legacy()
+{
+    RULE_FILE="/etc/polkit-1/localauthority/50-local.d/20-klipperscreen.pkla"
+    ACTIONS="org.freedesktop.login1.power-off"
+    ACTIONS="${ACTIONS};org.freedesktop.login1.power-off-multiple-sessions"
+    ACTIONS="${ACTIONS};org.freedesktop.login1.reboot"
+    ACTIONS="${ACTIONS};org.freedesktop.login1.reboot-multiple-sessions"
+    ACTIONS="${ACTIONS};org.freedesktop.login1.halt"
+    ACTIONS="${ACTIONS};org.freedesktop.login1.halt-multiple-sessions"
+    ACTIONS="${ACTIONS};org.freedesktop.NetworkManager.wifi.scan"
+    sudo /bin/sh -c "cat > ${RULE_FILE}" << EOF
+[KlipperScreen]
+Identity=unix-user:$USER
+Action=$ACTIONS
+ResultAny=yes
+EOF
 }
 
 update_x11()
@@ -190,7 +263,7 @@ fi
 install_packages
 check_requirements
 create_virtualenv
-modify_user
+create_policy
 install_systemd_service
 update_x11
 echo_ok "KlipperScreen was installed"

scripts/KlipperScreen.service

@@ -8,6 +8,7 @@ Type=simple
 Restart=always
 RestartSec=1
 User=KS_USER
+SupplementaryGroups=klipperscreen
 WorkingDirectory=KS_DIR
 Environment="KS_XCLIENT=KS_ENV/bin/python KS_DIR/screen.py"
 ExecStart="KS_DIR/scripts/KlipperScreen-start.sh"

scripts/system-dependencies.json

@@ -23,6 +23,8 @@
         "libopenjp2-7",
         "wireless-tools",
         "libdbus-glib-1-dev",
+        "policykit-1",
+        "network-manager",
         "autoconf"
     ],
     "arch": [
@@ -42,6 +44,8 @@
         "librsvg",
         "openjpeg2",
         "dbus-glib",
+         "polkit",
+         "networkmanager",
         "autoconf"
     ]
 }