#1 2016-04-20 21:44:09

osteichthyes
Member
Registered: 2016-04-20
Posts: 38

Gnome-shell's polkit agent is broken by hidepid

I've spent considerable time setting up grsecurity (in a custom kernel) and hardening a laptop running Arch with Gnome. I've had some problems getting polkit going. It was odd: it was following the actions and rules but never prompted for passwords, and I couldn't really find an answer online, either. After what has to be hundreds of hours of googling, I think I've found the issue. I think it could best be called a bug in Gnome, but before I file a report, I thought I'd post here to see if there was any further insight or input.

Using hidepid (or grsecurity with the same features) can break polkit. The hidepid package creates a group "proc" and adds the polkitd user to that group, then creates the necessary systemd and fstab entries to mitigate the break, with both having the mount option gid=gid_of_proc_group. This effectively fixes polkit, and the rest of the system that needs full access to /proc. However, anytime polkit needs a password in Gnome, it calls Gnome's polkit agent. In recent releases (I know much of gnome3, but the exact release of the switch is unclear to me), Gnome's polkit agent is entirely integrated into gnome-shell, which is the Gnome desktop. Using a DE with a separate polkit agent, one could potentially have the polkit agent called by the proc group, and once again, mitigate the break. However, now that gnome-shell IS the polkit agent, this would mean that the entire desktop would have to be run without the hidepid protections.

The only reasonable fix would be to somehow add polkit agents to the proc group. This means polkit agents must be independent, and not a part of the shell.

Am I missing something, or is this an accurate assessment of the situation of hidepid, polkit, and polkit agents?

Looking forward to feedback.

Thanks!
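
An added example, not part of the original post: a small check of which accounts the `gid=` mount option exempts from hidepid, which shows the split the post describes (polkitd exempt, the desktop user's session not). The mount line, gid 26, the group ids and the user "alice" are constructed assumptions.

```python
"""Check which accounts are exempt from hidepid on /proc (added example)."""

# hidepid values handled here: numeric forms plus the names newer kernels accept.
# hidepid=4 / ptraceable is deliberately not modelled.
HIDEPID_LEVELS = {"0": 0, "off": 0, "1": 1, "noaccess": 1, "2": 2, "invisible": 2}

# Constructed sample input; on a real host read /proc/self/mounts instead.
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=26,hidepid=2 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed accounts -> group ids; gid 26 stands in for the "proc" group.
# "alice" is a hypothetical desktop user whose session runs gnome-shell.
SAMPLE_ACCOUNTS = {"polkitd": {102, 26}, "alice": {1000, 998}}


def proc_mount_options(mounts_text):
    """Return the options of the procfs mounted on /proc as a dict, or None."""
    found = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            # Later entries shadow earlier ones, so keep the last match.
            found = dict(opt.partition("=")[::2] for opt in fields[3].split(","))
    return found


def hidepid_exempt(gids, opts):
    """True if a non-root process with these group ids sees other users' PIDs."""
    raw = opts.get("hidepid", "0")
    if raw not in HIDEPID_LEVELS:
        raise ValueError(f"unsupported hidepid value: {raw!r}")
    if HIDEPID_LEVELS[raw] == 0:
        return True
    # gid= names the exempt group; without it the kernel default is gid 0.
    return int(opts.get("gid", "0")) in gids


def audit(mounts_text, accounts):
    """Map each account name to whether hidepid leaves it full /proc visibility."""
    opts = proc_mount_options(mounts_text)
    if opts is None:
        raise ValueError("no procfs mounted on /proc")
    return {name: hidepid_exempt(gids, opts) for name, gids in accounts.items()}


if __name__ == "__main__":
    for name, exempt in audit(SAMPLE_MOUNTS, SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'exempt' if exempt else 'restricted by hidepid'}")
```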
