The polkit-agent interface

The polkit-agent interface is a low level interface that permits applications to register with the polkit authorisation manager, polkitd, as a polkit agent. It’s primarily intended for systems running Ubuntu Core.

This interface enables the higher level polkit interface to make access control decisions for requests from unprivileged clients.

Developer details

Auto-connect: no
Super-privileged: yes

This interface primarily intended for systems running Ubuntu Core. This is because polkit agents make use of a setuid executable, polkit-agent-helper-1, which uses PAM. Outside of Ubuntu Core, the PAM environment inside the sandbox is unlikely to match that of the host system on classic. The only Ubuntu Core system currently shipping polkitd is the Ubuntu Core Desktop.

See Proposal: add polkit and polkit-agent interfaces to snapd for the original interface proposal and reasoning.

Code examples

The test code can be found in the snapd repository: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/polkit_agent_test.go

The source code for the interface is in the snapd repository: https://github.com/snapcore/snapd/blob/master/interfaces/builtin/polkit_agent.go

Some things worth noting about the interface:

1. It’s super-privileged, so you’ll need a store assertion to publish a snap with the plug.
2. Due to the way Polkit works, it probably only makes sense to use on Ubuntu Core. Agents make use of a setuid executable polkit-agent-helper-1 that uses PAM. The PAM environment inside the sandbox is unlikely to match the host system on classic.
3. The only Ubuntu Core system shipping polkitd at the moment is Ubuntu Core Desktop. This might expand to more boot base snaps in future, but for now that’s it.

Thank you so much for the added context. I’ve updated the document.