fix(dns): no password prompts on vpn on — ship polkit rule (spec 009) #22
Merged
…mpts (spec 009)

Rootless akon applies the tunnel DNS via resolvectl, which systemd-resolved gates behind polkit auth_admin — causing 3 password prompts per 'akon vpn on' (plus more on disconnect). This was a severe UX regression in the rootless model and blocked background/lazy mode.

Fix: ship a scoped polkit rule (packaging/polkit/49-akon-resolved-dns.rules) granting ONLY the four resolve1 DNS actions (set-dns-servers, set-domains, set-default-route, revert) to LOCAL ACTIVE sessions, without authentication.

- Rule installed by deb/rpm packages + make install; removed on uninstall.
- make uninstall target added.
- DNS apply remains best-effort: without the rule, polkit denies non-interactively (no hang) and the tunnel stays up with a WARN.
- 3 static-content tests lock the rule's scope (exactly 4 actions, local+active, no blanket grant).
- ADR 0003 records the decision.

Verified with pkcheck: the 4 actions are AUTHORIZED without prompt for a local session; unrelated actions (set-dnssec) are still challenged.

Spec: specs/009-polkit-dns-no-prompt/
The problem

Since akon became rootless (v2.0.0), `akon vpn on` prompts the user for their password multiple times — once for each `resolvectl` call that applies the tunnel DNS. systemd-resolved gates `set-dns-servers`, `set-domains`, and `set-default-route` behind polkit `auth_admin`, so an unprivileged (rootless) user is challenged 3× per connect (plus more on disconnect). This blocks background mode and lazy mode. `CAP_NET_ADMIN` doesn't help — polkit authorization is independent of process capabilities.

The fix

Ship a scoped polkit rule (`packaging/polkit/49-akon-resolved-dns.rules`) that grants — without authentication — exactly the four resolve1 DNS actions akon needs, and only for local active sessions:

- `org.freedesktop.resolve1.set-dns-servers`
- `org.freedesktop.resolve1.set-domains`
- `org.freedesktop.resolve1.set-default-route`
- `org.freedesktop.resolve1.revert`

Installed by the deb/rpm packages and `make install` (removed on uninstall), alongside the existing `setcap` grant.

Verified (pkcheck)
Safety & robustness
ADR 0003 records the decision. Spec: `specs/009-polkit-dns-no-prompt/`.

All 37 CI-equivalent test binaries green; fmt + clippy clean on 1.96.
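A sketch of what a rule with the scope described above can look like, added here as an example: it is not the project's `49-akon-resolved-dns.rules`, whose contents are not shown on this page. The `polkit` stub, the `registered` array and the `decide` helper are assumptions that exist only so the rule's decisions can be exercised outside polkitd.

```javascript
// Added example, not the project's rule file.
// polkitd provides the global `polkit`; this stub (assumption) stands in for
// it under Node and records each rule so its decisions can be inspected.
var registered = [];
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes" },
    addRule: function (fn) { registered.push(fn); }
  };
}

// The four resolve1 actions listed in the PR description.
var ALLOWED = [
  "org.freedesktop.resolve1.set-dns-servers",
  "org.freedesktop.resolve1.set-domains",
  "org.freedesktop.resolve1.set-default-route",
  "org.freedesktop.resolve1.revert"
];

polkit.addRule(function (action, subject) {
  // Exact-match allowlist: a prefix test on "org.freedesktop.resolve1."
  // would also cover set-dnssec and every other resolve1 action.
  if (ALLOWED.indexOf(action.id) === -1) {
    return undefined; // not handled: the action's default policy applies
  }
  // Only sessions that are both local and active get the grant.
  if (subject.local !== true || subject.active !== true) {
    return undefined;
  }
  return polkit.Result.YES; // authorized without authentication
});

// Hypothetical helper: the first rule that returns a result decides;
// otherwise polkit falls back to the action's default (auth_admin for
// these actions, per the PR description).
function decide(actionId, subject) {
  for (var i = 0; i < registered.length; i++) {
    var result = registered[i]({ id: actionId }, subject);
    if (result !== undefined && result !== null) {
      return result;
    }
  }
  return "NOT_HANDLED";
}
```

On a real system the equivalent check is the `pkcheck` verification the PR describes: the four actions authorized for a local active session, `set-dnssec` still challenged.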