From 4eb78554dd4f480ec258eea862ee5b78c47bae3e Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Mon, 15 Apr 2024 22:57:39 +0200
Subject: [PATCH] Log all actions polkit actions
---
 system/shared/security/default.nix | 1 +
 system/shared/security/polkit.nix | 14 ++++++++++++++
 2 files changed, 15 insertions(+)
 create mode 100644 system/shared/security/polkit.nix
diff --git a/system/shared/security/default.nix b/system/shared/security/default.nix
index c7c2b61..f2f6476 100644
--- a/system/shared/security/default.nix
+++ b/system/shared/security/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./apparmor.nix
 ./auditd.nix
+ ./polkit.nix
 ];
 }
diff --git a/system/shared/security/polkit.nix b/system/shared/security/polkit.nix
new file mode 100644
index 0000000..ac8d279
--- /dev/null
+++ b/system/shared/security/polkit.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }: {
+ security.polkit = {
+ enable = true;
+ debug = lib.mkDefault true;
+
+ # Have polkit log all actions, if debug is enabled
+ extraConfig = lib.mkIf config.security.polkit.debug ''
+ /* Log authorization checks. */
+ polkit.addRule(function(action, subject) {
+ polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
+ });
+ '';
+ };
+}
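Review bot: The logging rule in `extraConfig` of polkit.nix only sees authorization checks that actually reach it, because polkit evaluates rules in order and stops at the first one that returns a decision, so "log all actions" holds only while this rule is registered ahead of any rule that returns a value. `extraConfig` is merged from every module that sets it and this file does not fix its position; wrapping the string as `extraConfig = lib.mkIf config.security.polkit.debug (lib.mkBefore '' … '');` would place it first among the NixOS-generated rules (rules from earlier-sorted rule files, if any exist on the system, would still run before it). I would also add a comment inside the callback such as `/* Intentionally returns nothing so the decision is left to later rules. */`, since adding a `return` here later would change the authorization result for every action. Because `debug` defaults to true, it is worth noting in the Nix comment that every check writes the user, action id and PID to the system log, so hosts that override `debug` to false lose this audit trail entirely.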