I don’t think the
flatpakgroup does what you said it does.
true, my mistake.
>> cat /usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.Flatpak.app-install" ||
action.id == "org.freedesktop.Flatpak.runtime-install"||
action.id == "org.freedesktop.Flatpak.app-uninstall" ||
action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
action.id == "org.freedesktop.Flatpak.modify-repo") &&
subject.active == true && subject.local == true && (
subject.isInGroup("wheel") || subject.isInGroup("flatpak") )) {
return polkit.Result.YES;
}
return polkit.Result.NOT_HANDLED;
});
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.Flatpak.override-parental-controls") {
return polkit.Result.AUTH_ADMIN;
}
return polkit.Result.NOT_HANDLED;
});
With this rule it would work, I think that would be a good addition?
I think this is pretty problematic for restricted systems? Imagine a school laptop where you dont want the students to install Steam as user Flatpak for example, and run any game from there.
Can user Flatpaks be blocked somehow?
Thanks for the heads up, very hacky method.