## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Please use "/etc/permission-hardener.d/20_user.conf" or
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
## configuration. When security-misc-shared is updated, this file may be
## overwritten.

## user-sysmaint-split hardens this further.
/usr/bin/pkexec exactwhitelist
/usr/bin/pkexec.security-misc-orig exactwhitelist

## Required for PolicyKit (Polkit) to function.
##
## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid#
## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168
## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93
##
## Changing permissions here may break more than just normal privilege escalation.
## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo,
## however even that might not be safe.
##
## matches both:
## - /usr/lib/policykit-1/polkit-agent-helper-1
## - /lib/policykit-1/polkit-agent-helper-1
##
## user-sysmaint-split hardens this further.
polkit-agent-helper-1 matchwhitelist