0

I am trying to prevent rebooting a Debian 11 machine from the KDE start menu. However, the following policy does not work:

[michael@vps /etc/polkit-1/rules.d]> cat /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules 
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.set-reboot-parameter" ||
        action.id == "org.freedesktop.login1.set-reboot-to-firmware-setup" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-menu" ||
        action.id == "org.freedesktop.login1.set-reboot-to-boot-loader-entry" ||
        action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
        action.id == "org.freedesktop.login1.hibernate" ||
        action.id == "org.freedesktop.login1.hibernate-ignore-inhibit" ||
        action.id == "org.freedesktop.login1.hibernate-multiple-sessions"
    ) {
        return polkit.Result.AUTH_ADMIN;
    }
});

pkcheck -u -p $$ -a org.freedesktop.login1.reboot; echo $? returns 2 if run in an SSH session (expected), but 0 if run on the physical machine logged in via SDDM. What's wrong with my configuration?

2 Answers

3

The polkit package in Debian 11 and earlier does not support JavaScript-based rules. Debian maintains a patch that replaces the JS-format rules engine with the older .pkla configuration format.

In this format, the rules would look like this:

[Require authentication for shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin

See pklocalauthority(8) for the format documentation.

grawity
  • 501,077
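A small model of how the .pkla entry above is matched, as an added example (not part of the original answer and not polkit's own code): it parses the entry, applies the semicolon-separated Action globs, and lists which action ids the entry leaves unrestricted. The function names, the identity string `unix-user:michael` used in the usage note, and the last-match-wins ordering are assumptions of this example.

```python
import configparser
from fnmatch import fnmatchcase

# The .pkla entry from the answer above, embedded so the example runs offline.
PKLA = """\
[Require authentication for shutdown]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off*;org.freedesktop.login1.reboot*
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
"""

# Which Result* key applies to which kind of session (active/inactive local, or any).
RESULT_KEY = {"active": "ResultActive", "inactive": "ResultInactive", "any": "ResultAny"}


def _globs(value):
    """Split a semicolon-separated glob list, dropping empty items."""
    return [g.strip() for g in value.split(";") if g.strip()]


def evaluate(pkla_text, identity, action_id, session):
    """Return the result the entries give, or None if no entry overrides the default.

    Assumption of this model: entries are checked in file order and the
    last matching entry wins.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case, e.g. ResultActive
    parser.read_string(pkla_text)
    result = None
    for section in parser.sections():
        entry = parser[section]
        if not any(fnmatchcase(identity, g) for g in _globs(entry.get("Identity", ""))):
            continue
        if not any(fnmatchcase(action_id, g) for g in _globs(entry.get("Action", ""))):
            continue
        result = entry.get(RESULT_KEY[session], result)
    return result


def uncovered(pkla_text, identity, action_ids, session="active"):
    """List the action ids that no entry restricts for this identity and session."""
    return [a for a in action_ids if evaluate(pkla_text, identity, a, session) is None]
```

Calling `uncovered(PKLA, "unix-user:michael", [...])` with the suspend, hibernate and set-reboot-* ids from the question returns all of them, because neither `power-off*` nor `reboot*` matches those ids; they need their own globs in the Action line.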
-1

The hanging GUI seems to come from a missing authentication agent. I use return polkit.Result.NO; and it works as expected. Also removed packages pkexec, policykit-1, and polkitd-pkla.