Your repository contains a polkit policy file that defines a polkit annotation for org.freedesktop.policykit.exec.argv2. This annotation is found here.
In the course of doing a security review of polkit policies in SUSE Linux distributions, I came across this usage in a couple of packages. It turns out that while specifying argv1, argv2, etc. restrictions feels natural, it isn't supported by polkit. It only supports the specification of an argv1, and that's it. It was probably implemented as a special case to support script parameters for interpreters.
The polkit documentation only explicitly mentions argv1, and the code also only explicitly checks for this annotation.
I suggest removing this annotation to avoid giving a false sense of security to developers or users/integrators of your project. In the case of fbuild, a wrapper script will probably be required to make the pkexec annotation work with only argv1.
Goshdangit, I remember figuring this out in another project but completely forgot I did this in Fbuild. 🤦 I believe I can just pass the full path to the install helper instead of using -m.
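The check described in this thread, written up as an added example that is not part of the fbuild project or of polkit: a small POSIX shell audit that walks a directory of polkit `.policy` files and reports every `org.freedesktop.policykit.exec.argvN` annotation with N other than 1, since pkexec documents and enforces only `org.freedesktop.policykit.exec.path` and `org.freedesktop.policykit.exec.argv1`. It also builds two constructed sample policies in a temporary directory: `broken.policy` relies on an ignored `argv2`, and `fixed.policy` follows the thread's fix by pinning `exec.path` to a wrapper that takes no arguments, so nothing beyond `argv1` needs restricting. The action id `org.example.install-helper`, the paths under `/usr/bin` and `/usr/libexec/example`, and the file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not fbuild's or polkit's own code): audit polkit .policy files for
# pkexec exec.argvN annotations that polkit never enforces. Only
# org.freedesktop.policykit.exec.path and org.freedesktop.policykit.exec.argv1 are
# honoured; argv2, argv3, ... are silently ignored, so a policy relying on them
# restricts nothing. Action ids, paths and file names below are constructed.

# List every exec.argvN annotation with N != 1 under directory $1.
# Output format: <file>:<line>:<annotation key>
list_unsupported_argv_annotations() {
    for f in "$1"/*.policy; do
        [ -e "$f" ] || continue
        grep -n -o 'org\.freedesktop\.policykit\.exec\.argv[0-9][0-9]*' "$f" \
            | grep -v 'argv1$' \
            | sed "s|^|$f:|"
    done
}

# Number of findings as a plain integer (handy as a CI gate).
count_unsupported_argv_annotations() {
    list_unsupported_argv_annotations "$1" | wc -l | tr -d ' '
}

# Print findings and return 1 when any unenforced annotation is present, else 0.
audit_policy_dir() {
    findings=$(list_unsupported_argv_annotations "$1")
    if [ -n "$findings" ]; then
        printf 'unenforced pkexec argv annotations (polkit only checks argv1):\n%s\n' "$findings"
        return 1
    fi
    printf 'ok: no exec.argvN (N>1) annotations under %s\n' "$1"
    return 0
}

# Create a temporary directory holding two constructed policies and print its path:
#   broken.policy - pins argv1 to "-m" and argv2 to a file; argv2 is ignored by polkit
#   fixed.policy  - exposes one argument-less wrapper via exec.path, so the
#                   restriction no longer depends on argv2 at all
make_sample_policies() {
    d=$(mktemp -d)
    cat > "$d/broken.policy" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.install-helper">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/install-helper</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv1">-m</annotate>
    <annotate key="org.freedesktop.policykit.exec.argv2">/usr/lib/example/mode.conf</annotate>
  </action>
</policyconfig>
EOF
    cat > "$d/fixed.policy" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.install-helper">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/libexec/example/install-helper-wrapper</annotate>
  </action>
</policyconfig>
EOF
    printf '%s\n' "$d"
}

# When given a directory on the command line, audit it and exit with its status.
if [ $# -gt 0 ]; then
    audit_policy_dir "$1"
    exit $?
fi
```

Run it against the system's installed actions with `sh audit-polkit-argv.sh /usr/share/polkit-1/actions`, or source the file and call `audit_policy_dir` from a packaging check. The sample `fixed.policy` shows the shape the thread converges on: move every argument into a dedicated wrapper (or, as the maintainer notes, pass the full path to the helper instead of `-m`) so the only thing left for polkit to pin is `exec.path`.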