From 95f31c3a339037d211a6493e179c540790264efb Mon Sep 17 00:00:00 2001
From: Igor Chudov
Date: Tue, 26 Nov 2019 15:21:49 +0400
Subject: [PATCH] Deny_All pokit rule added

---
 .../99-gpoa_disk_permissions.rules.j2 | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 gpoa/templates/99-gpoa_disk_permissions.rules.j2

diff --git a/gpoa/templates/99-gpoa_disk_permissions.rules.j2 b/gpoa/templates/99-gpoa_disk_permissions.rules.j2
new file mode 100644
index 0000000..f818ca0
--- /dev/null
+++ b/gpoa/templates/99-gpoa_disk_permissions.rules.j2
@@ -0,0 +1,23 @@
+{% if deny_all %}
+polkit.addAdminRule(function (action, subject) {
+ if (action.id == "org.freedesktop.udisks2.filesystem-mount-other-seat") {
+ return polkit.Result.NO;
+ }
+ return ["unix-group:wheel"];
+});
+{% else %}
+polkit.addAdminRule(function (action, subject) {
+ return ["unix-group:wheel"];
+});
+
+polkit.addRule(function (action, subject) {
+ if (action.id == "org.freedesktop.udisks2.filesystem-mount-other-seat" && subject.isInGroup("users")) {
+ polkit.log("Mount action from user: " + subject.user + ", pid: " + subject.id + ": allowed");
+ return polkit.Result.YES;
+ }
+
+ polkit.log("Mount action from user: " + subject.user + ", pid: " + subject.id + ": denied");
+ return polkit.Result.NO;
+});
+{% endif %}
+
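Review bot: In the `deny_all` branch the `return polkit.Result.NO;` sits inside a `polkit.addAdminRule` callback, which polkit consults only to learn which identities count as administrators, so it does not decide authorization and `org.freedesktop.udisks2.filesystem-mount-other-seat` is most likely not denied when `deny_all` is set. The denial belongs in a `polkit.addRule` callback, with the admin rule reduced to returning the wheel group. In the `else` branch the final `return polkit.Result.NO;` runs for every action id that reaches this file, not only the mount action, so unrelated actions are refused and logged as "Mount action ... denied". Those should get `polkit.Result.NOT_HANDLED` so the defaults from the .policy files still apply. The sketch below scopes both decisions to the one action id.

```javascript
{% if deny_all %}
// … addAdminRule reduced to: return ["unix-group:wheel"]; …
polkit.addRule(function (action, subject) {
    if (action.id === "org.freedesktop.udisks2.filesystem-mount-other-seat") {
        return polkit.Result.NO;
    }
    return polkit.Result.NOT_HANDLED;
});
{% else %}
// … unchanged: addAdminRule returning ["unix-group:wheel"] …
polkit.addRule(function (action, subject) {
    if (action.id !== "org.freedesktop.udisks2.filesystem-mount-other-seat") {
        return polkit.Result.NOT_HANDLED;
    }
    // … unchanged: allow-and-log for members of "users", deny-and-log otherwise …
});
{% endif %}
```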