run0: Never ask --empower sessions for polkit auth

A --empower session is effectively root without being UID 0, so it
doesn't make sense to enforce polkit authentication in those. Let's
add the empower group, add --empower sessions to that group and ship
a polkit rule to skip authentication for all users in the empower
group.

(As a side-effect this will also allow users to add themselves to this
group outside of 'run0 --empower' to mimick NOPASSWD from sudo)

man/run0.xml

@@ -295,8 +295,9 @@
 
         <listitem><para>If specified, run0 will elevate the privileges of the selected user (using
         <option>--user=</option>) or the current user if no user is explicitly selected. Currently this means
-        we give the user all available capabilities, but other privileges may be granted in the future as
-        well when using this option.</para>
+        we give the invoked process all available capabilities and add the the <literal>empower</literal>
+        group as a supplemental group (for which all polkit actions are allowed by default), but other
+        privileges may be granted in the future as well when using this option.</para>
 
         <xi:include href="version-info.xml" xpointer="v259"/></listitem>
       </varlistentry>

meson.build

@@ -886,6 +886,7 @@ foreach option : ['adm-gid',
                   'clock-gid',
                   'dialout-gid',
                   'disk-gid',
+                  'empower-gid',
                   'input-gid',
                   'kmem-gid',
                   'kvm-gid',

meson_options.txt

@@ -295,6 +295,8 @@ option('dialout-gid', type : 'integer', value : 0,
        description : 'soft-static allocation for the "dialout" group')
 option('disk-gid', type : 'integer', value : 0,
        description : 'soft-static allocation for the "disk" group')
+option('empower-gid', type : 'integer', value : 0,
+       description : 'soft-static allocation for the "empower" group')
 option('input-gid', type : 'integer', value : 0,
        description : 'soft-static allocation for the "input" group')
 option('kmem-gid', type : 'integer', value : 0,

src/run/empower.rules

@@ -0,0 +1,8 @@
+// Allow all actions for users who are in the "empower" group. Users are added to the
+// "empower" group by running run0 --empower.
+
+polkit.addRule(function(action, subject) {
+    if (subject.isInGroup("empower")) {
+        return polkit.Result.YES;
+    }
+});

src/run/meson.build

@@ -18,3 +18,8 @@ custom_target(
         command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
         install : pamconfdir != 'no',
         install_dir : pamconfdir)
+
+if install_polkit
+        install_data('empower.rules',
+                     install_dir : polkitrulesdir)
+endif

src/run/run.c

@@ -1420,6 +1420,15 @@ static int transient_service_set_properties(sd_bus_message *m, const char *pty_p
                 r = sd_bus_message_append(m, "(sv)", "AmbientCapabilities", "t", CAP_MASK_ALL);
                 if (r < 0)
                         return bus_log_create_error(r);
+
+                r = getgrnam_malloc("empower", /* ret= */ NULL);
+                if (r < 0 && r != -ESRCH)
+                        return log_error_errno(r, "Failed to look up group 'empower' via NSS: %m");
+                if (r >= 0) {
+                        r = sd_bus_message_append(m, "(sv)", "SupplementaryGroups", "as", 1, "empower");
+                        if (r < 0)
+                                return bus_log_create_error(r);
+                }
         }
 
         if (arg_nice_set) {

sysusers.d/basic.conf.in

@@ -16,8 +16,9 @@ u! {{NOBODY_USER_NAME}} 65534:65534 "Kernel Overflow User"     -
 # Administrator group: can *see* more than normal users
 g adm     {{ADM_GID    }}     -            -
 
-# Administrator group: can *do* more than normal users
+# Administrator groups: can *do* more than normal users
 g wheel   {{WHEEL_GID  }}     -            -
+g empower {{EMPOWER_GID}}     -            -
 
 # Access to shared database of users on the system
 g utmp    {{UTMP_GID   }}     -            -